package fi.evolver.basics.spring.auth;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import fi.evolver.basics.spring.auth.entity.JwtToken;
import fi.evolver.basics.spring.http.HttpInterceptor;
import fi.evolver.utils.ContextUtils;
import fi.evolver.utils.attribute.ContextAttribute;
import fi.evolver.utils.collection.BoundedLinkedHashMap;
import fi.evolver.utils.timing.TimingUtils;
import java.time.Instant;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Service;
import org.springframework.util.Assert;

@ConditionalOnProperty({JwtAuthorizationService.ENV_AUTHORIZATION_SECRET})
@Service
/* loaded from: input_file:fi/evolver/basics/spring/auth/JwtAuthorizationService.class */
public class JwtAuthorizationService implements AuthorizationService {
    public static final String ENV_AUTHORIZATION_SECRET = "AUTHORIZATION_SECRET";
    private final Algorithm jwtAlgorithm = Algorithm.HMAC256(getAuthorizationSecret());
    private final JWTVerifier jwtVerifier;
    private final JwtTokenRepository jwtTokenRepository;
    private final String applicationName;
    private static final Logger LOG = LoggerFactory.getLogger(JwtAuthorizationService.class);
    private static final ContextAttribute<JwtToken> CONTEXT_AUTHORIZATION_PERMISSIONS = new ContextAttribute<>(JwtAuthorizationService.class.getSimpleName() + ".AuthorizationPermissions", JwtToken.class);
    private static final Pattern HEADER_REGEX = Pattern.compile("^Bearer (?<data>.*)$");
    private static final Map<String, CachedToken> cache = new BoundedLinkedHashMap(50, BoundedLinkedHashMap.Order.ACCESS);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:fi/evolver/basics/spring/auth/JwtAuthorizationService$CachedToken.class */
    public static class CachedToken {
        private final Instant validUntil = Instant.now().plusSeconds(60);
        private final JwtToken token;

        public CachedToken(JwtToken jwtToken) {
            this.token = jwtToken;
        }

        public boolean isValid() {
            return Instant.now().isBefore(this.validUntil);
        }

        public JwtToken getToken() {
            return this.token;
        }
    }

    @Autowired
    public JwtAuthorizationService(JwtTokenRepository jwtTokenRepository, Environment environment) {
        this.jwtTokenRepository = jwtTokenRepository;
        this.applicationName = environment.getRequiredProperty("application.name.pretty").replaceAll("\\W", "");
        this.jwtVerifier = JWT.require(this.jwtAlgorithm).withIssuer(this.applicationName).build();
    }

    @Override // fi.evolver.basics.spring.auth.AuthorizationService
    public void authenticate(String str) {
        Assert.isTrue(ContextUtils.withinContext(), "Must have a context in order to authenticate");
        if (getAuthorizationToken().isPresent()) {
            throw new IllegalStateException("Nested authorization attempt: not supported for now");
        }
        JwtToken authorizeToken = authorizeToken(str);
        setAuthorizationToken(authorizeToken);
        HttpInterceptor.addMetadata("JwtId", authorizeToken.getJwtId());
        if (authorizeToken.isFullyAuthenticated()) {
            HttpInterceptor.CONTEXT_SOURCE_SYSTEM.set(authorizeToken.getOwner());
        }
    }

    @Override // fi.evolver.basics.spring.auth.AuthorizationService
    public boolean hasPermission(String str) {
        JwtToken orElse = getAuthorizationToken().orElse(JwtToken.UNKNOWN);
        boolean hasPermission = orElse.hasPermission(str);
        LOG.info("HasPermission: {} => {}", str, Boolean.valueOf(hasPermission));
        if (!hasPermission) {
            LOG.warn("Token {} missing permission {}", orElse.getJwtId(), str);
        }
        return hasPermission;
    }

    private static Optional<JwtToken> getAuthorizationToken() {
        return CONTEXT_AUTHORIZATION_PERMISSIONS.get();
    }

    private static void setAuthorizationToken(JwtToken jwtToken) {
        CONTEXT_AUTHORIZATION_PERMISSIONS.set(jwtToken);
    }

    private JwtToken authorizeToken(String str) {
        CachedToken cachedToken = cache.get(str);
        if (cachedToken != null && cachedToken.isValid()) {
            return cachedToken.getToken();
        }
        Optional<String> parseAuthorization = parseAuthorization(str);
        String str2 = JwtToken.DEFAULT_JWT_ID;
        if (parseAuthorization.isPresent()) {
            try {
                str2 = verifyJwtToken(parseAuthorization.get()).getId();
            } catch (RuntimeException e) {
                LOG.warn("Invalid JWT token", e);
                return JwtToken.INVALID;
            }
        }
        JwtToken fetchToken = fetchToken(str2);
        cache.put(str, new CachedToken(fetchToken));
        return fetchToken;
    }

    private JwtToken fetchToken(String str) {
        return this.jwtTokenRepository.findByJwtId(str).stream().findFirst().orElse(JwtToken.UNKNOWN);
    }

    private static Optional<String> parseAuthorization(String str) {
        if (str == null) {
            return Optional.empty();
        }
        Matcher matcher = HEADER_REGEX.matcher(str);
        if (matcher.find()) {
            return Optional.of(matcher.group("data"));
        }
        throw new IllegalArgumentException("Unsupported authorization");
    }

    public String generateJwtToken(String str) {
        TimingUtils.AutoCloser begin = TimingUtils.begin("JWT", new String[]{"Create"});
        try {
            String sign = JWT.create().withIssuer(this.applicationName).withIssuedAt(new Date()).withJWTId(str).sign(this.jwtAlgorithm);
            if (begin != null) {
                begin.close();
            }
            return sign;
        } catch (Throwable th) {
            if (begin != null) {
                try {
                    begin.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private DecodedJWT verifyJwtToken(String str) {
        TimingUtils.AutoCloser begin = TimingUtils.begin("JWT", new String[]{"Verify"});
        try {
            DecodedJWT verify = this.jwtVerifier.verify(str);
            if (begin != null) {
                begin.close();
            }
            return verify;
        } catch (Throwable th) {
            if (begin != null) {
                try {
                    begin.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static String getAuthorizationSecret() {
        return System.getenv(ENV_AUTHORIZATION_SECRET);
    }
}
