package io.hops.hopsworks.jwt;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import io.hops.hopsworks.jwt.dao.InvalidJwtFacade;
import io.hops.hopsworks.jwt.dao.JwtSigningKeyFacade;
import io.hops.hopsworks.jwt.exception.AccessException;
import io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException;
import io.hops.hopsworks.jwt.exception.InvalidationException;
import io.hops.hopsworks.jwt.exception.JWTException;
import io.hops.hopsworks.jwt.exception.NotRenewableException;
import io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException;
import io.hops.hopsworks.jwt.exception.VerificationException;
import io.hops.hopsworks.persistence.entity.jwt.InvalidJwt;
import io.hops.hopsworks.persistence.entity.jwt.JwtSigningKey;
import java.security.NoSuchAlgorithmException;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import org.apache.commons.lang3.tuple.Pair;

@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
@Stateless
/* loaded from: input_file:WEB-INF/lib/hopsworks-jwt-3.0.0.jar:io/hops/hopsworks/jwt/JWTController.class */
public class JWTController {
    private static final Logger LOGGER = Logger.getLogger(JWTController.class.getName());

    @EJB
    private InvalidJwtFacade invalidJwtFacade;

    @EJB
    private AlgorithmFactory algorithmFactory;

    @EJB
    private JwtSigningKeyFacade jwtSigningKeyFacade;
    private static final String SERVICE_ONE_TIME_SIGNING_KEYNAME = "%s_%s__%d";

    public String createToken(JsonWebToken jsonWebToken, Map<String, Object> map) throws SigningKeyNotFoundException {
        return createToken(jsonWebToken.getKeyId(), jsonWebToken.getIssuer(), (String[]) jsonWebToken.getAudience().toArray(new String[0]), jsonWebToken.getExpiresAt(), jsonWebToken.getNotBefore(), jsonWebToken.getSubject(), map, jsonWebToken.getAlgorithm());
    }

    public String createToken(String str, String str2, String[] strArr, Date date, Date date2, String str3, Map<String, Object> map, SignatureAlgorithm signatureAlgorithm) throws SigningKeyNotFoundException {
        JWTCreator.Builder withSubject = JWT.create().withKeyId(str).withIssuer(str2).withAudience(strArr).withIssuedAt(new Date()).withExpiresAt(date).withNotBefore(date2).withJWTId(generateJti()).withSubject(str3);
        map.put(Constants.EXPIRY_LEEWAY, Integer.valueOf(getExpLeewayOrDefault(((Integer) map.getOrDefault(Constants.EXPIRY_LEEWAY, -1)).intValue())));
        return addClaims(withSubject, map).sign(this.algorithmFactory.getAlgorithm(signatureAlgorithm, str));
    }

    private JWTCreator.Builder addClaims(JWTCreator.Builder builder, Map<String, Object> map) {
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            Object value = entry.getValue();
            if (value.getClass().isArray()) {
                Class<?> componentType = value.getClass().getComponentType();
                if (String.class.equals(componentType)) {
                    builder = builder.withArrayClaim(entry.getKey(), (String[]) value);
                } else if (Integer.class.equals(componentType)) {
                    builder = builder.withArrayClaim(entry.getKey(), (Integer[]) value);
                } else if (Long.class.equals(componentType)) {
                    builder = builder.withArrayClaim(entry.getKey(), (Long[]) value);
                }
            } else if (Boolean.class.isInstance(value)) {
                builder = builder.withClaim(entry.getKey(), (Boolean) value);
            } else if (Integer.class.isInstance(value)) {
                builder = builder.withClaim(entry.getKey(), (Integer) value);
            } else if (Long.class.isInstance(value)) {
                builder = builder.withClaim(entry.getKey(), (Long) value);
            } else if (Double.class.isInstance(value)) {
                builder = builder.withClaim(entry.getKey(), (Double) value);
            } else if (String.class.isInstance(value)) {
                builder = builder.withClaim(entry.getKey(), (String) value);
            } else if (Date.class.isInstance(value)) {
                builder = builder.withClaim(entry.getKey(), (Date) value);
            }
        }
        return builder;
    }

    public String createToken(String str, boolean z, String str2, String[] strArr, Date date, Date date2, String str3, Map<String, Object> map, SignatureAlgorithm signatureAlgorithm) throws NoSuchAlgorithmException, SigningKeyNotFoundException, DuplicateSigningKeyException {
        return createToken((z ? createNewSigningKey(str, signatureAlgorithm) : getOrCreateSigningKey(str, signatureAlgorithm)).getId().toString(), str2, strArr, date, date2, str3, map, signatureAlgorithm);
    }

    public void invalidate(String str) throws InvalidationException {
        if (str == null || str.isEmpty()) {
            return;
        }
        try {
            DecodedJWT verifyToken = verifyToken(str, null);
            invalidateJWT(verifyToken.getId(), verifyToken.getExpiresAt(), getExpLeewayClaim(verifyToken));
        } catch (Exception e) {
        }
    }

    public int getExpLeewayClaim(DecodedJWT decodedJWT) {
        Claim claim = decodedJWT.getClaim(Constants.EXPIRY_LEEWAY);
        if (claim == null || claim.isNull()) {
            return 60;
        }
        return getExpLeewayOrDefault(claim.asInt().intValue());
    }

    public int getExpLeewayOrDefault(int i) {
        if (i < 1) {
            return 60;
        }
        return i;
    }

    public boolean getRenewableClaim(DecodedJWT decodedJWT) {
        Claim claim = decodedJWT.getClaim(Constants.RENEWABLE);
        if (claim == null || claim.isNull()) {
            return false;
        }
        return claim.asBoolean().booleanValue();
    }

    public String[] getRolesClaim(DecodedJWT decodedJWT) {
        Claim claim = decodedJWT.getClaim(Constants.ROLES);
        return (claim == null || claim.isNull()) ? new String[0] : (String[]) claim.asArray(String.class);
    }

    public DecodedJWT decodeToken(String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        return JWT.decode(str);
    }

    public DecodedJWT verifyToken(String str, String str2) throws SigningKeyNotFoundException, VerificationException {
        DecodedJWT decode = JWT.decode(str);
        DecodedJWT verifyToken = verifyToken(str, (str2 == null || str2.isEmpty()) ? decode.getIssuer() : str2, getExpLeewayClaim(decode), this.algorithmFactory.getAlgorithm(decode));
        if (isTokenInvalidated(verifyToken)) {
            throw new VerificationException("Invalidated token.");
        }
        return verifyToken;
    }

    public DecodedJWT verifyOneTimeToken(String str, String str2) throws SigningKeyNotFoundException, VerificationException, InvalidationException {
        DecodedJWT verifyToken = verifyToken(str, str2);
        invalidateJWT(verifyToken.getId(), verifyToken.getExpiresAt(), getExpLeewayClaim(verifyToken));
        return verifyToken;
    }

    public DecodedJWT verifyToken(String str, String str2, Set<String> set, Set<String> set2) throws SigningKeyNotFoundException, VerificationException, AccessException {
        JsonWebToken jsonWebToken = new JsonWebToken(JWT.decode(str));
        DecodedJWT verifyToken = verifyToken(str, (str2 == null || str2.isEmpty()) ? jsonWebToken.getIssuer() : str2, jsonWebToken.getExpLeeway(), this.algorithmFactory.getAlgorithm(jsonWebToken));
        if (isTokenInvalidated(verifyToken)) {
            throw new VerificationException("Invalidated token.");
        }
        HashSet hashSet = new HashSet(jsonWebToken.getRole());
        if (set2 != null && !set2.isEmpty() && !intersect(set2, hashSet)) {
            throw new AccessException("Client not authorized for this invocation.");
        }
        HashSet hashSet2 = new HashSet(jsonWebToken.getAudience());
        if (set == null || set.isEmpty() || intersect(set, hashSet2)) {
            return verifyToken;
        }
        throw new AccessException("Token not issued for this recipient.");
    }

    private DecodedJWT verifyToken(String str, String str2, int i, Algorithm algorithm) throws VerificationException {
        try {
            return JWT.require(algorithm).withIssuer(str2).acceptExpiresAt(i).build().verify(str);
        } catch (Exception e) {
            throw new VerificationException(e.getMessage());
        }
    }

    private boolean intersect(Collection collection, Collection collection2) {
        if (collection == null || collection.isEmpty() || collection2 == null || collection2.isEmpty()) {
            return false;
        }
        HashSet hashSet = new HashSet(collection);
        hashSet.retainAll(new HashSet(collection2));
        return !hashSet.isEmpty();
    }

    public boolean isTokenInvalidated(DecodedJWT decodedJWT) {
        return isTokenInvalidated(decodedJWT.getId());
    }

    private boolean isTokenInvalidated(String str) {
        return this.invalidJwtFacade.find(str) != null;
    }

    public String autoRenewToken(String str) throws SigningKeyNotFoundException, NotRenewableException, InvalidationException {
        return autoRenewToken(verifyTokenForRenewal(str), null);
    }

    public String autoRenewToken(DecodedJWT decodedJWT, String[] strArr) throws SigningKeyNotFoundException, NotRenewableException, InvalidationException {
        if (!getRenewableClaim(decodedJWT)) {
            throw new NotRenewableException("Token not renewable.");
        }
        if (new Date().before(decodedJWT.getExpiresAt())) {
            throw new NotRenewableException("Token not expired.");
        }
        long time = decodedJWT.getExpiresAt().getTime() - decodedJWT.getIssuedAt().getTime();
        JsonWebToken jsonWebToken = new JsonWebToken(decodedJWT);
        jsonWebToken.setExpiresAt(new Date(System.currentTimeMillis() + time));
        jsonWebToken.setNotBefore(new Date());
        HashMap hashMap = new HashMap(3);
        addDefaultClaimsIfMissing(hashMap, jsonWebToken.isRenewable(), getExpLeewayOrDefault(jsonWebToken.getExpLeeway()), strArr == null ? (String[]) jsonWebToken.getRole().toArray(new String[0]) : strArr);
        String createToken = createToken(jsonWebToken, hashMap);
        invalidateJWT(decodedJWT.getId(), decodedJWT.getExpiresAt(), jsonWebToken.getExpLeeway());
        return createToken;
    }

    public String renewToken(String str, Date date, Date date2, boolean z, Map<String, Object> map) throws SigningKeyNotFoundException, NotRenewableException, InvalidationException {
        return renewToken(str, date, date2, z, map, false);
    }

    public String renewToken(String str, Date date, Date date2, boolean z, Map<String, Object> map, boolean z2) throws SigningKeyNotFoundException, NotRenewableException, InvalidationException {
        DecodedJWT verifyTokenForRenewal = verifyTokenForRenewal(str);
        if (!z2 && new Date().before(verifyTokenForRenewal.getExpiresAt())) {
            throw new NotRenewableException("Token not expired.");
        }
        JsonWebToken jsonWebToken = new JsonWebToken(verifyTokenForRenewal);
        jsonWebToken.setExpiresAt(date);
        jsonWebToken.setNotBefore(date2);
        String createToken = createToken(jsonWebToken, addDefaultClaimsIfMissing(map, jsonWebToken.isRenewable(), getExpLeewayOrDefault(jsonWebToken.getExpLeeway()), (String[]) jsonWebToken.getRole().toArray(new String[1])));
        if (z) {
            invalidateJWT(verifyTokenForRenewal.getId(), verifyTokenForRenewal.getExpiresAt(), jsonWebToken.getExpLeeway());
        }
        return createToken;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v12, types: [java.time.LocalDateTime] */
    public Pair<String, String[]> renewServiceToken(String str, String str2, Date date, Date date2, Long l, String str3, List<String> list, List<String> list2, String str4, String str5, String str6, boolean z) throws JWTException, NoSuchAlgorithmException {
        HashMap hashMap = new HashMap(4);
        hashMap.put(Constants.RENEWABLE, false);
        hashMap.put(Constants.EXPIRY_LEEWAY, 3600);
        hashMap.put(Constants.ROLES, list.toArray(new String[1]));
        String serviceOneTimeJWTSigningKeyname = getServiceOneTimeJWTSigningKeyname(str3, str4);
        LocalDateTime computeNotBefore4ServiceRenewalTokens = computeNotBefore4ServiceRenewalTokens(date.toInstant().atZone(ZoneId.systemDefault()).toLocalDateTime());
        LocalDateTime plus = computeNotBefore4ServiceRenewalTokens.plus(l.longValue(), (TemporalUnit) ChronoUnit.MILLIS);
        JsonWebToken jsonWebToken = new JsonWebToken();
        jsonWebToken.setSubject(str3);
        jsonWebToken.setIssuer(str5);
        jsonWebToken.setAudience(list2);
        jsonWebToken.setKeyId(serviceOneTimeJWTSigningKeyname);
        jsonWebToken.setNotBefore(localDateTime2Date(computeNotBefore4ServiceRenewalTokens));
        jsonWebToken.setExpiresAt(localDateTime2Date(plus));
        try {
            String[] generateOneTimeTokens4ServiceJWTRenewal = generateOneTimeTokens4ServiceJWTRenewal(jsonWebToken, hashMap, str6);
            String signKeyID = getSignKeyID(generateOneTimeTokens4ServiceJWTRenewal[0]);
            DecodedJWT decodeToken = decodeToken(str2);
            hashMap.clear();
            hashMap.put(Constants.RENEWABLE, false);
            hashMap.put(Constants.SERVICE_JWT_RENEWAL_KEY_ID, signKeyID);
            hashMap.put(Constants.EXPIRY_LEEWAY, Integer.valueOf(getExpLeewayClaim(decodeToken)));
            String renewToken = renewToken(str2, date, date2, false, hashMap, z);
            invalidate(str);
            return Pair.of(renewToken, generateOneTimeTokens4ServiceJWTRenewal);
        } catch (JWTException | NoSuchAlgorithmException e) {
            if (serviceOneTimeJWTSigningKeyname != null) {
                deleteSigningKey(serviceOneTimeJWTSigningKeyname);
            }
            throw e;
        }
    }

    public void invalidateServiceToken(String str, String str2) {
        JwtSigningKey findSigningKeyById;
        DecodedJWT decodeToken = decodeToken(str);
        try {
            invalidate(str);
        } catch (InvalidationException e) {
            LOGGER.log(Level.WARNING, "Could not invalidate service JWT with ID " + decodeToken.getId() + ". Continuing with deleting signing key");
        }
        Claim claim = decodeToken.getClaim(Constants.SERVICE_JWT_RENEWAL_KEY_ID);
        if (claim == null || claim.isNull() || (findSigningKeyById = findSigningKeyById(Integer.valueOf(Integer.parseInt(claim.asString())))) == null || str2 == null || str2.equals(findSigningKeyById.getName()) || Constants.ONE_TIME_JWT_SIGNING_KEY_NAME.equals(findSigningKeyById.getName())) {
            return;
        }
        deleteSigningKey(findSigningKeyById.getName());
    }

    public String getSignKeyID(String str) {
        return decodeToken(str).getKeyId();
    }

    public String[] generateOneTimeTokens4ServiceJWTRenewal(JsonWebToken jsonWebToken, Map<String, Object> map, String str) throws NoSuchAlgorithmException, SigningKeyNotFoundException {
        String[] strArr = new String[5];
        SignatureAlgorithm valueOf = SignatureAlgorithm.valueOf(Constants.ONE_TIME_JWT_SIGNATURE_ALGORITHM);
        String[] strArr2 = (String[]) jsonWebToken.getAudience().toArray(new String[1]);
        try {
            strArr[0] = createToken(jsonWebToken.getKeyId(), true, jsonWebToken.getIssuer(), strArr2, jsonWebToken.getExpiresAt(), jsonWebToken.getNotBefore(), jsonWebToken.getSubject(), map, valueOf);
        } catch (DuplicateSigningKeyException e) {
            LOGGER.log(Level.FINE, "Signing key already exist for service JWT key " + jsonWebToken.getKeyId() + ". Removing old one");
            if (str != null && !str.equals(jsonWebToken.getKeyId()) && !Constants.ONE_TIME_JWT_SIGNING_KEY_NAME.equals(jsonWebToken.getKeyId())) {
                deleteSigningKey(jsonWebToken.getKeyId());
            }
            try {
                strArr[0] = createToken(jsonWebToken.getKeyId(), true, jsonWebToken.getIssuer(), strArr2, jsonWebToken.getExpiresAt(), jsonWebToken.getNotBefore(), jsonWebToken.getSubject(), map, valueOf);
            } catch (DuplicateSigningKeyException e2) {
            }
        }
        for (int i = 1; i < strArr.length; i++) {
            try {
                strArr[i] = createToken(jsonWebToken.getKeyId(), false, jsonWebToken.getIssuer(), strArr2, jsonWebToken.getExpiresAt(), jsonWebToken.getNotBefore(), jsonWebToken.getSubject(), map, valueOf);
            } catch (DuplicateSigningKeyException e3) {
            }
        }
        return strArr;
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.time.ZonedDateTime] */
    private Date localDateTime2Date(LocalDateTime localDateTime) {
        return Date.from(localDateTime.atZone(ZoneId.systemDefault()).toInstant());
    }

    public LocalDateTime computeNotBefore4ServiceRenewalTokens(LocalDateTime localDateTime) {
        return localDateTime.minus(3L, (TemporalUnit) ChronoUnit.MINUTES).isBefore(LocalDateTime.now()) ? localDateTime.minus(3L, (TemporalUnit) ChronoUnit.MILLIS) : localDateTime.minus(3L, (TemporalUnit) ChronoUnit.MINUTES);
    }

    public String getServiceOneTimeJWTSigningKeyname(String str, String str2) {
        return String.format(SERVICE_ONE_TIME_SIGNING_KEYNAME, str, str2, Long.valueOf(System.currentTimeMillis()));
    }

    public Map<String, Object> addDefaultClaimsIfMissing(Map<String, Object> map, boolean z, int i, String[] strArr) {
        if (map == null) {
            map = new HashMap(3);
            map.put(Constants.RENEWABLE, Boolean.valueOf(z));
            map.put(Constants.EXPIRY_LEEWAY, Integer.valueOf(i));
            map.put(Constants.ROLES, strArr);
        } else {
            map.putIfAbsent(Constants.RENEWABLE, Boolean.valueOf(z));
            map.putIfAbsent(Constants.EXPIRY_LEEWAY, Integer.valueOf(i));
            map.putIfAbsent(Constants.ROLES, strArr);
        }
        return map;
    }

    public DecodedJWT verifyTokenForRenewal(String str) throws SigningKeyNotFoundException, NotRenewableException {
        try {
            return verifyToken(str, null);
        } catch (VerificationException e) {
            throw new NotRenewableException(e.getMessage());
        }
    }

    private void invalidateJWT(String str, Date date, int i) throws InvalidationException {
        try {
            this.invalidJwtFacade.persist(new InvalidJwt(str, date, i));
        } catch (Exception e) {
            throw new InvalidationException("Could not persist token.", e.getCause());
        }
    }

    public boolean passedRenewal(DecodedJWT decodedJWT) {
        return passedRenewal(decodedJWT.getExpiresAt(), getExpLeewayClaim(decodedJWT));
    }

    public boolean passedRenewal(Date date, int i) {
        return new Date(date.getTime() + (i * 1000)).before(new Date());
    }

    public String generateJti() {
        String uuid = UUID.randomUUID().toString();
        InvalidJwt find = this.invalidJwtFacade.find(uuid);
        while (find != null) {
            uuid = UUID.randomUUID().toString();
            find = this.invalidJwtFacade.find(uuid);
        }
        return uuid;
    }

    public JwtSigningKey getOrCreateSigningKey(String str, SignatureAlgorithm signatureAlgorithm) throws NoSuchAlgorithmException {
        return this.jwtSigningKeyFacade.getOrCreateSigningKey(str, signatureAlgorithm);
    }

    public JwtSigningKey createNewSigningKey(String str, SignatureAlgorithm signatureAlgorithm) throws NoSuchAlgorithmException, DuplicateSigningKeyException {
        return this.jwtSigningKeyFacade.createNewSigningKey(str, signatureAlgorithm);
    }

    public void deleteSigningKey(String str) {
        this.jwtSigningKeyFacade.remove(str);
    }

    public JwtSigningKey findSigningKeyById(Integer num) {
        return this.jwtSigningKeyFacade.find(num);
    }

    public int cleanupInvalidTokens() {
        int i = 0;
        for (InvalidJwt invalidJwt : this.invalidJwtFacade.findExpired()) {
            if (passedRenewal(invalidJwt.getExpirationTime(), invalidJwt.getRenewableForSec())) {
                this.invalidJwtFacade.remove(invalidJwt);
                i++;
            }
        }
        return i;
    }

    public boolean markOldSigningKeys() {
        JwtSigningKey findByName = this.jwtSigningKeyFacade.findByName(Constants.ONE_TIME_JWT_SIGNING_KEY_NAME);
        Calendar calendar = Calendar.getInstance();
        calendar.add(5, -1);
        if (findByName == null || !findByName.getCreatedOn().before(calendar.getTime())) {
            return false;
        }
        removeMarkedKeys();
        this.jwtSigningKeyFacade.renameSigningKey(findByName, Constants.OLD_ONE_TIME_JWT_SIGNING_KEY_NAME);
        try {
            this.jwtSigningKeyFacade.getOrCreateSigningKey(Constants.ONE_TIME_JWT_SIGNING_KEY_NAME, SignatureAlgorithm.HS256);
            return true;
        } catch (NoSuchAlgorithmException e) {
            LOGGER.log(Level.SEVERE, (String) null, (Throwable) e);
            return true;
        }
    }

    public void removeMarkedKeys() {
        JwtSigningKey findByName = this.jwtSigningKeyFacade.findByName(Constants.OLD_ONE_TIME_JWT_SIGNING_KEY_NAME);
        if (findByName != null) {
            this.jwtSigningKeyFacade.remove(findByName);
        }
    }

    public String getSigningKeyForELK(SignatureAlgorithm signatureAlgorithm) throws NoSuchAlgorithmException {
        return getOrCreateSigningKey(Constants.ELK_SIGNING_KEY_NAME, signatureAlgorithm).getSecret();
    }

    public String createTokenForELK(String str, String str2, Map<String, Object> map, Date date, SignatureAlgorithm signatureAlgorithm) throws DuplicateSigningKeyException, NoSuchAlgorithmException, SigningKeyNotFoundException {
        return createToken(Constants.ELK_SIGNING_KEY_NAME, false, str2, null, date, null, str.toLowerCase(), map, signatureAlgorithm);
    }

    public String getSigningKeyForProxy(SignatureAlgorithm signatureAlgorithm) throws NoSuchAlgorithmException {
        return getOrCreateSigningKey(Constants.PROXY_SIGNING_KEY_NAME, signatureAlgorithm).getSecret();
    }

    public String createTokenForProxy(String str, String str2, String[] strArr, Map<String, Object> map, Date date, SignatureAlgorithm signatureAlgorithm) throws DuplicateSigningKeyException, NoSuchAlgorithmException, SigningKeyNotFoundException {
        return createToken(Constants.PROXY_SIGNING_KEY_NAME, false, str2, strArr, date, new Date(), str.toLowerCase(), map, signatureAlgorithm);
    }
}
