package tv.hd3g.authkit.mod.service;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SignatureException;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import tv.hd3g.authkit.mod.dto.LoggedUserTagsTokenDto;
import tv.hd3g.authkit.mod.dto.SetupTOTPTokenDto;
import tv.hd3g.authkit.mod.exception.NotAcceptableSecuredTokenException;

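/**
 * JWT-backed implementation of {@link SecuredTokenService}.
 *
 * <p>Every token is an HS512-signed JWS keyed by the Base64-decoded {@code authkit.jwt_secret}
 * property, carries {@code typ=JWT} and {@code aud=authkit}, and is told apart from the other
 * token families by its {@code iss} claim (form, logged user, secured redirect, TOTP setup).
 * Extraction always lets the parser verify the signature first, then checks the type header,
 * the issuer and the audience, so the per-family claim checks only ever see content that was
 * signed with the service key.
 */
@Service
public class SecuredTokenServiceImpl implements SecuredTokenService {
    private static final Logger log = LoggerFactory.getLogger(SecuredTokenServiceImpl.class);
    public static final String TOKEN_TYPE = "JWT";
    public static final String TOKEN_AUDIENCE = "authkit";
    public static final String TOKEN_ISSUER_FORM = "form";
    public static final String TOKEN_ISSUER_LOGIN = "loggedUser";
    public static final String TOKEN_ISSUER_SECUREDREQUEST = "UsrSecRq";
    public static final String TOKEN_ISSUER_SETUPTOTP = "setupTOTP";
    private static final String CLAIM_FORMNAME = "formname";
    private static final String CLAIM_TAGS = "tags";
    private static final String CLAIM_HOST = "host";
    private static final String CLAIM_TOTP_SECRET = "secret";
    private static final String CLAIM_BACKUP_CODES = "backupCodes";
    private static final String HEADER_TYP = "typ";
    /** Separator between {@link #TOKEN_ISSUER_SECUREDREQUEST} and the per-request suffix. */
    private static final String ISSUER_SEPARATOR = "/";

    /** Raw HMAC key bytes, handed to the parser for signature verification. */
    private final byte[] secret;
    /** The same bytes wrapped as a signing key; built once instead of on every token. */
    private final SecretKey signingKey;

    /**
     * @param base64Secret the {@code authkit.jwt_secret} property: Base64 text of the HMAC key
     * @throws IllegalArgumentException if the property is not valid Base64
     * @throws io.jsonwebtoken.security.WeakKeyException if the decoded key is too short to be an
     *         HMAC-SHA key; raised at startup instead of on the first token generation
     */
    public SecuredTokenServiceImpl(@Value("${authkit.jwt_secret}") String base64Secret) {
        this.secret = Base64.getDecoder().decode(base64Secret.getBytes(StandardCharsets.UTF_8));
        this.signingKey = Keys.hmacShaKeyFor(this.secret);
    }

    /** Absolute expiration date for a token valid for {@code duration} from now. */
    private static Date expiresIn(Duration duration) {
        return new Date(System.currentTimeMillis() + duration.toMillis());
    }

    /** Issuer value of secured-redirect tokens: the family prefix plus a per-request suffix. */
    private static String securedRequestIssuer(String requestSuffix) {
        return TOKEN_ISSUER_SECUREDREQUEST + ISSUER_SEPARATOR + requestSuffix;
    }

    /**
     * Reads a JSON-array claim as an unmodifiable set of strings.
     *
     * @param claims the verified token body
     * @param name the claim to read
     * @return the claim values, as strings
     * @throws NotAcceptableSecuredTokenException if the claim is absent (the token was not built
     *         by the matching generator with a non-null list); previously a NullPointerException
     *         escaped instead
     * @throws ClassCastException if an element is not a string
     */
    private static Set<String> stringSetClaim(Claims claims, String name)
            throws NotAcceptableSecuredTokenException {
        // List rather than ArrayList: any List implementation the JSON deserializer produces is fine.
        final List<?> values = claims.get(name, List.class);
        if (values == null) {
            log.warn("Missing list claim \"{}\" in token", name);
            throw new NotAcceptableSecuredTokenException.InvalidFormatSecuredToken();
        }
        return values.stream().map(String.class::cast).collect(Collectors.toUnmodifiableSet());
    }

    /**
     * Parses and verifies a token, then checks its type header, issuer and audience.
     *
     * @param token the compact JWS string
     * @param expectedIssuer the required {@code iss} claim, or {@code null} to accept any issuer
     * @return the verified token
     * @throws NotAcceptableSecuredTokenException if the token is malformed, unsupported, empty,
     *         expired, wrongly signed, or carries an unexpected type, issuer or audience
     */
    private Jws<Claims> extractToken(String token, String expectedIssuer)
            throws NotAcceptableSecuredTokenException {
        try {
            final Jws<Claims> jws = Jwts.parserBuilder().setSigningKey(this.secret).build().parseClaimsJws(token);
            // Only the header is logged: the body of a TOTP-setup token carries the TOTP secret
            // and the backup codes, which must not end up in log files.
            log.debug("Check token header: {}", jws.getHeader());
            final String type = jws.getHeader().getType();
            if (!TOKEN_TYPE.equals(type)) {
                log.warn("Invalid token type: {}", type);
                throw new NotAcceptableSecuredTokenException.BadUseSecuredTokenInvalidType(type, TOKEN_TYPE);
            }
            final Claims claims = jws.getBody();
            if (expectedIssuer != null) {
                final String issuer = claims.getIssuer();
                if (!expectedIssuer.equals(issuer)) {
                    log.warn("Invalid token issuer: {}", issuer);
                    throw new NotAcceptableSecuredTokenException.BadUseSecuredTokenInvalidIssuer(issuer, expectedIssuer);
                }
            }
            final String audience = claims.getAudience();
            if (!TOKEN_AUDIENCE.equals(audience)) {
                log.warn("Invalid token audience: {}", audience);
                throw new NotAcceptableSecuredTokenException.BadUseSecuredTokenInvalidAudience(audience, TOKEN_AUDIENCE);
            }
            return jws;
        } catch (MalformedJwtException e) {
            log.warn("Parse invalid JWT: {}", e.getMessage());
            throw new NotAcceptableSecuredTokenException.InvalidFormatSecuredToken();
        } catch (UnsupportedJwtException e) {
            log.warn("Parse unsupported JWT: {}", e.getMessage());
            throw new NotAcceptableSecuredTokenException.InvalidFormatSecuredToken();
        } catch (IllegalArgumentException e) {
            log.warn("Parse empty or null JWT: {}", e.getMessage());
            throw new NotAcceptableSecuredTokenException.InvalidFormatSecuredToken();
        } catch (ExpiredJwtException e) {
            log.warn("Parse expired JWT: {}", e.getMessage());
            throw new NotAcceptableSecuredTokenException.ExpiredSecuredToken();
        } catch (SignatureException e) {
            log.warn("Parse JWT with invalid signature: {}", e.getMessage());
            throw new NotAcceptableSecuredTokenException.BrokenSecuredToken();
        }
    }

    /**
     * Builds an anonymous form token bound to {@code formName}.
     *
     * @param formName stored in the {@code formname} claim and checked back by
     *        {@link #simpleFormCheckToken(String, String)}
     * @param duration validity period from now
     * @return the compact signed token
     */
    @Override
    public String simpleFormGenerateToken(String formName, Duration duration) {
        return Jwts.builder()
                .signWith(this.signingKey, SignatureAlgorithm.HS512)
                .setHeaderParam(HEADER_TYP, TOKEN_TYPE)
                .setIssuer(TOKEN_ISSUER_FORM)
                .setAudience(TOKEN_AUDIENCE)
                .setExpiration(expiresIn(duration))
                .claim(CLAIM_FORMNAME, formName)
                .compact();
    }

    /**
     * Verifies a form token and checks that it was issued for {@code formName}.
     *
     * @param formName the form the caller is submitting
     * @param token the compact token presented with the form
     * @throws NotAcceptableSecuredTokenException if the token is not acceptable or names another form
     */
    @Override
    public void simpleFormCheckToken(String formName, String token) throws NotAcceptableSecuredTokenException {
        final String tokenFormName = extractToken(token, TOKEN_ISSUER_FORM).getBody().get(CLAIM_FORMNAME, String.class);
        if (!formName.equals(tokenFormName)) {
            log.warn("Invalid token form: {}", tokenFormName);
            throw new NotAcceptableSecuredTokenException.BadUseSecuredTokenInvalidForm(tokenFormName, TOKEN_ISSUER_FORM);
        }
    }

    /**
     * Builds a logged-user token carrying the user's rights tags.
     *
     * @param subject the user identifier, stored as the {@code sub} claim
     * @param duration validity period from now
     * @param tags rights tags, stored in the {@code tags} claim
     * @param host stored in the {@code host} claim
     * @return the compact signed token
     */
    @Override
    public String loggedUserRightsGenerateToken(String subject, Duration duration, Set<String> tags, String host) {
        return Jwts.builder()
                .signWith(this.signingKey, SignatureAlgorithm.HS512)
                .setHeaderParam(HEADER_TYP, TOKEN_TYPE)
                .setIssuer(TOKEN_ISSUER_LOGIN)
                .setAudience(TOKEN_AUDIENCE)
                .setSubject(subject)
                .setExpiration(expiresIn(duration))
                .claim(CLAIM_TAGS, tags)
                .claim(CLAIM_HOST, host)
                .compact();
    }

    /**
     * Verifies a logged-user token and unpacks it into a DTO.
     *
     * @param token the compact token
     * @param flag forwarded unchanged as the DTO's fourth constructor argument; its meaning is
     *        defined by {@link LoggedUserTagsTokenDto}
     * @return subject, tags, expiration, the flag and the optional host
     * @throws NotAcceptableSecuredTokenException if the token is not acceptable or has no
     *         {@code tags} claim
     */
    @Override
    public LoggedUserTagsTokenDto loggedUserRightsExtractToken(String token, boolean flag)
            throws NotAcceptableSecuredTokenException {
        final Claims claims = extractToken(token, TOKEN_ISSUER_LOGIN).getBody();
        // get() already yields null for an absent claim; no containsKey() pre-check needed.
        final String host = claims.get(CLAIM_HOST, String.class);
        return new LoggedUserTagsTokenDto(claims.getSubject(),
                stringSetClaim(claims, CLAIM_TAGS),
                claims.getExpiration(),
                flag,
                host);
    }

    /**
     * Builds a secured-redirect token whose issuer is specific to {@code requestSuffix}.
     *
     * @param subject stored as the {@code sub} claim
     * @param duration validity period from now
     * @param requestSuffix appended to the issuer; the extractor must present the same value
     * @return the compact signed token
     */
    @Override
    public String securedRedirectRequestGenerateToken(String subject, Duration duration, String requestSuffix) {
        return Jwts.builder()
                .signWith(this.signingKey, SignatureAlgorithm.HS512)
                .setHeaderParam(HEADER_TYP, TOKEN_TYPE)
                .setIssuer(securedRequestIssuer(requestSuffix))
                .setAudience(TOKEN_AUDIENCE)
                .setSubject(subject)
                .setExpiration(expiresIn(duration))
                .compact();
    }

    /**
     * Verifies a secured-redirect token issued for {@code requestSuffix} and returns its subject.
     *
     * @param token the compact token
     * @param requestSuffix the issuer suffix the token was generated with
     * @return the {@code sub} claim
     * @throws NotAcceptableSecuredTokenException if the token is not acceptable or was issued
     *         for another suffix
     */
    @Override
    public String securedRedirectRequestExtractToken(String token, String requestSuffix)
            throws NotAcceptableSecuredTokenException {
        return extractToken(token, securedRequestIssuer(requestSuffix)).getBody().getSubject();
    }

    /**
     * Builds a form token bound to both a form and a user.
     *
     * @param formName stored in the {@code formname} claim
     * @param subject the user identifier, stored as the {@code sub} claim
     * @param duration validity period from now
     * @return the compact signed token
     */
    @Override
    public String userFormGenerateToken(String formName, String subject, Duration duration) {
        return Jwts.builder()
                .signWith(this.signingKey, SignatureAlgorithm.HS512)
                .setHeaderParam(HEADER_TYP, TOKEN_TYPE)
                .setIssuer(TOKEN_ISSUER_FORM)
                .setAudience(TOKEN_AUDIENCE)
                .setSubject(subject)
                .setExpiration(expiresIn(duration))
                .claim(CLAIM_FORMNAME, formName)
                .compact();
    }

    /**
     * Verifies a user form token for {@code formName} and returns the user it was issued to.
     *
     * @param formName the form the caller is submitting
     * @param token the compact token
     * @return the {@code sub} claim
     * @throws NotAcceptableSecuredTokenException if the token is not acceptable or names another form
     */
    @Override
    public String userFormExtractTokenUUID(String formName, String token) throws NotAcceptableSecuredTokenException {
        final Claims claims = extractToken(token, TOKEN_ISSUER_FORM).getBody();
        final String tokenFormName = claims.get(CLAIM_FORMNAME, String.class);
        if (!formName.equals(tokenFormName)) {
            // Report the form named by the token, as simpleFormCheckToken does, not the expected one.
            log.warn("Invalid token form: {}", tokenFormName);
            throw new NotAcceptableSecuredTokenException.BadUseSecuredTokenInvalidForm(tokenFormName, TOKEN_ISSUER_FORM);
        }
        return claims.getSubject();
    }

    /**
     * Builds a TOTP-setup token carrying the pending TOTP secret and backup codes.
     *
     * @param subject the user identifier, stored as the {@code sub} claim
     * @param duration validity period from now
     * @param totpSecret stored in the {@code secret} claim
     * @param backupCodes stored in the {@code backupCodes} claim
     * @return the compact signed token
     */
    @Override
    public String setupTOTPGenerateToken(String subject, Duration duration, String totpSecret, List<String> backupCodes) {
        return Jwts.builder()
                .signWith(this.signingKey, SignatureAlgorithm.HS512)
                .setHeaderParam(HEADER_TYP, TOKEN_TYPE)
                .setIssuer(TOKEN_ISSUER_SETUPTOTP)
                .setAudience(TOKEN_AUDIENCE)
                .setSubject(subject)
                .setExpiration(expiresIn(duration))
                .claim(CLAIM_TOTP_SECRET, totpSecret)
                .claim(CLAIM_BACKUP_CODES, backupCodes)
                .compact();
    }

    /**
     * Verifies a TOTP-setup token and unpacks it into a DTO.
     *
     * @param token the compact token
     * @return subject, TOTP secret and backup codes
     * @throws NotAcceptableSecuredTokenException if the token is not acceptable or has no
     *         {@code backupCodes} claim
     */
    @Override
    public SetupTOTPTokenDto setupTOTPExtractToken(String token) throws NotAcceptableSecuredTokenException {
        final Claims claims = extractToken(token, TOKEN_ISSUER_SETUPTOTP).getBody();
        return new SetupTOTPTokenDto(claims.getSubject(),
                claims.get(CLAIM_TOTP_SECRET, String.class),
                stringSetClaim(claims, CLAIM_BACKUP_CODES));
    }
}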
