package org.sakaiproject.rubrics.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicBoolean;
import org.sakaiproject.component.api.ServerConfigurationService;
import org.sakaiproject.rubrics.RubricsConfiguration;
import org.sakaiproject.rubrics.logic.AuthenticatedRequestContext;
import org.sakaiproject.rubrics.logic.Role;
import org.sakaiproject.rubrics.security.exception.JwtTokenMalformedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

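/**
 * Decodes and verifies the rubrics access tokens (HMAC-256 signed JWTs issued by Sakai) that
 * accompany rubrics requests, and turns a valid token into an {@link AuthenticatedRequestContext}.
 *
 * <p>Verification covers the signature (shared secret read via
 * {@link RubricsConfiguration#RUBRICS_TOKEN_SIGNING_SHARED_SECRET_PROPERTY}), the issuer
 * ({@value #JWT_ISSUER}) and the audience ({@value #JWT_AUDIENCE}). The one leniency is an
 * expired token whose Sakai session, named in the {@value #JWT_CUSTOM_CLAIM_SESSION_ID} claim,
 * is still alive; that is confirmed with a call back to the Sakai server.
 *
 * <p>Every failure is reported as {@link JwtTokenMalformedException}. Note that the exception
 * messages echo the full token, so wherever they are logged the bearer credential is logged too.
 */
@Component
public class JwtTokenUtil implements Serializable {
    private static final Logger log = LoggerFactory.getLogger(JwtTokenUtil.class);
    private static final long serialVersionUID = -3301605591108950415L;
    private static final String JWT_ISSUER = "sakai";
    private static final String JWT_AUDIENCE = "rubrics";
    private static final String JWT_CUSTOM_CLAIM_TOOL_ID = "toolId";
    private static final String JWT_CUSTOM_CLAIM_SESSION_ID = "sessionId";
    private static final String JWT_CUSTOM_CLAIM_ROLES = "roles";
    private static final String JWT_CUSTOM_CLAIM_CONTEXT_ID = "contextId";
    private static final String JWT_CUSTOM_CLAIM_CONTEXT_TYPE = "contextType";
    /** Path, relative to the Sakai server URL, of the web service that reports whether a session is alive. */
    private static final String CHECK_SESSION_PATH = "/sakai-ws/rest/sakai/checkSession?sessionid=";
    /**
     * Connect and read timeout for the session check. Value chosen here (the original call had no
     * timeout at all); a hung Sakai endpoint must not pin request threads on the authentication path.
     */
    private static final int SESSION_CHECK_TIMEOUT_MILLIS = 5000;

    @Autowired
    RubricsConfiguration rubricsConfiguration;

    @Autowired
    ServerConfigurationService serverConfigurationService;

    /** Makes the "still running on the default signing secret" warning fire once, not per request. */
    private final AtomicBoolean defaultSecretWarned = new AtomicBoolean(false);

    /**
     * Decodes {@code token} and verifies its signature, issuer and audience.
     *
     * <p>An expired token is accepted only if the Sakai session from its
     * {@value #JWT_CUSTOM_CLAIM_SESSION_ID} claim is still valid (see
     * {@link #isSakaiSessionStillValid}). java-jwt checks the signature before it evaluates the
     * {@code exp} claim, so the session id consulted on that path comes from an integrity-checked
     * token. Expiry is recognised by exception type rather than by matching the exception message,
     * which is what the decompiled original did.
     *
     * @param token the raw compact-serialised JWT
     * @return the decoded token, never {@code null}
     * @throws JwtTokenMalformedException if the token cannot be decoded, its signature or claims do
     *         not verify, or it is expired and its session is no longer valid
     */
    private JWT decodeToken(String token) {
        JWT jwt = null;
        try {
            jwt = JWT.decode(token);
            JWT.require(Algorithm.HMAC256(signingSecret())).build().verify(token);
        } catch (TokenExpiredException e) {
            // Only verify() can throw this, so decode() has succeeded; the null guard is belt and braces.
            String sessionId = jwt == null ? null : jwt.getClaim(JWT_CUSTOM_CLAIM_SESSION_ID).asString();
            if (sessionId == null || !isSakaiSessionStillValid(sessionId)) {
                throw new JwtTokenMalformedException(
                        String.format("Error occurred while decoding access token '%s'", token), e);
            }
        } catch (JWTVerificationException | UnsupportedEncodingException e) {
            throw new JwtTokenMalformedException(
                    String.format("Error occurred while decoding access token '%s'", token), e);
        }

        // A missing audience claim is a rejection, not a NullPointerException.
        List<String> audience = jwt.getAudience();
        if (audience == null || !audience.contains(JWT_AUDIENCE)) {
            throw new JwtTokenMalformedException(String.format(
                    "Access token denied for audience. Expected: ['%s'], Provided: %s, Token: %s",
                    JWT_AUDIENCE, audience, token));
        }
        // Constant on the left: a token without an issuer must fail the check, not blow up in it.
        if (!JWT_ISSUER.equals(jwt.getIssuer())) {
            throw new JwtTokenMalformedException(String.format(
                    "Access token denied for issuer. Expected: ['%s'], Provided: %s, Token: %s",
                    JWT_ISSUER, jwt.getIssuer(), token));
        }
        return jwt;
    }

    /**
     * Reads the HMAC shared secret that rubrics tokens are signed with.
     *
     * <p>When the property is unset, {@code ServerConfigurationService} hands back
     * {@link RubricsConfiguration#RUBRICS_TOKEN_SIGNING_SHARED_SECRET_DEFAULT}. That default is a
     * constant in the shipped code, so anyone who knows it can mint tokens this class accepts; a
     * deployment still on it gets one warning so operators can set a real secret.
     *
     * @return the configured secret, or the built-in default
     */
    private String signingSecret() {
        String secret = serverConfigurationService.getString(
                RubricsConfiguration.RUBRICS_TOKEN_SIGNING_SHARED_SECRET_PROPERTY,
                RubricsConfiguration.RUBRICS_TOKEN_SIGNING_SHARED_SECRET_DEFAULT);
        if (Objects.equals(secret, RubricsConfiguration.RUBRICS_TOKEN_SIGNING_SHARED_SECRET_DEFAULT)
                && defaultSecretWarned.compareAndSet(false, true)) {
            // The secret itself is deliberately not logged.
            log.warn("Property {} is unset or equals the built-in default; rubrics tokens are verified with the default shared secret",
                    RubricsConfiguration.RUBRICS_TOKEN_SIGNING_SHARED_SECRET_PROPERTY);
        }
        return secret;
    }

    /**
     * Turns an access token into the request context the rubrics API authorises against.
     *
     * <p>The token subject and the {@value #JWT_CUSTOM_CLAIM_TOOL_ID},
     * {@value #JWT_CUSTOM_CLAIM_CONTEXT_ID} and {@value #JWT_CUSTOM_CLAIM_CONTEXT_TYPE} claims are
     * passed, in that order, to the {@link AuthenticatedRequestContext} constructor; each entry of
     * the {@value #JWT_CUSTOM_CLAIM_ROLES} claim is mapped through {@link Role#fromPermissionKey}
     * to a granted authority. A token that yields no authorities is rejected.
     *
     * @param token the raw JWT taken from the request
     * @return the authenticated context, carrying at least one authority
     * @throws JwtTokenMalformedException if the token fails verification, carries no roles, or a
     *         claim cannot be mapped; the underlying failure is preserved as the cause
     */
    public AuthenticatedRequestContext getAuthenticatedUser(String token) {
        try {
            JWT jwt = decodeToken(token);
            AuthenticatedRequestContext context = new AuthenticatedRequestContext(
                    jwt.getSubject(),
                    jwt.getClaim(JWT_CUSTOM_CLAIM_TOOL_ID).asString(),
                    jwt.getClaim(JWT_CUSTOM_CLAIM_CONTEXT_ID).asString(),
                    jwt.getClaim(JWT_CUSTOM_CLAIM_CONTEXT_TYPE).asString());
            // asList() yields null when the claim is absent; treat that as "no roles" below.
            List<String> roles = jwt.getClaim(JWT_CUSTOM_CLAIM_ROLES).asList(String.class);
            if (roles != null) {
                for (String permissionKey : roles) {
                    context.addAuthority(new SimpleGrantedAuthority(Role.fromPermissionKey(permissionKey).name()));
                }
            }
            if (context.getAuthorities().isEmpty()) {
                throw new JwtTokenMalformedException(String.format("Access token '%s' does not contain any roles", token));
            }
            return context;
        } catch (JwtTokenMalformedException e) {
            // Already the right type with a specific message; do not flatten it into a generic one.
            throw e;
        } catch (Exception e) {
            // The original re-ran the formatted message (containing the untrusted token) through
            // String.format a second time, so a '%' in the input would have thrown from the error
            // path itself, and it dropped the cause. Format once, keep the cause.
            throw new JwtTokenMalformedException(
                    String.format("Error occurred while authenticating the user for token %s", token), e);
        }
    }

    /**
     * Asks the Sakai server whether the session {@code sessionId} is still alive.
     *
     * <p>The check is a GET to {@value #CHECK_SESSION_PATH} on the configured server URL; the
     * endpoint is taken to confirm a live session by echoing the id on the first response line.
     * Any transport problem, non-200 status or mismatching body counts as "not valid", and the
     * method never throws, so an unreachable endpoint fails closed.
     *
     * @param sessionId the Sakai session id from the token's {@value #JWT_CUSTOM_CLAIM_SESSION_ID} claim
     * @return {@code true} only if the server echoed {@code sessionId}
     */
    private boolean isSakaiSessionStillValid(String sessionId) {
        HttpURLConnection connection = null;
        try {
            // The id originates in a token claim; never splice it into a URL unescaped.
            String url = serverConfigurationService.getServerUrl() + CHECK_SESSION_PATH
                    + URLEncoder.encode(sessionId, StandardCharsets.UTF_8.name());
            connection = (HttpURLConnection) new URL(url).openConnection();
            connection.setRequestMethod("GET");
            connection.setConnectTimeout(SESSION_CHECK_TIMEOUT_MILLIS);
            connection.setReadTimeout(SESSION_CHECK_TIMEOUT_MILLIS);
            int status = connection.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                // Was a RuntimeException escaping the method; a failed check is simply "not valid".
                log.warn("Sakai session check failed : HTTP error code : {}", status);
                return false;
            }
            String firstLine;
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(connection.getInputStream(), StandardCharsets.UTF_8))) {
                firstLine = reader.readLine();
            }
            return firstLine != null && firstLine.trim().equals(sessionId.trim());
        } catch (IOException e) {
            // Also covers MalformedURLException (a bad server URL configuration).
            log.warn("Error checking Sakai session validity: {}", e.getMessage());
            return false;
        } finally {
            if (connection != null) {
                connection.disconnect();
            }
        }
    }
}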
