package com.orientechnologies.orient.server.token;

import com.orientechnologies.common.exception.OException;
import com.orientechnologies.common.exception.OSystemException;
import com.orientechnologies.common.log.OLogManager;
import com.orientechnologies.common.util.OCommonConst;
import com.orientechnologies.orient.core.config.OGlobalConfiguration;
import com.orientechnologies.orient.core.db.ODatabaseDocumentInternal;
import com.orientechnologies.orient.core.db.document.ODatabaseDocument;
import com.orientechnologies.orient.core.engine.local.OEngineLocalPaginated;
import com.orientechnologies.orient.core.engine.memory.OEngineMemory;
import com.orientechnologies.orient.core.id.ORecordId;
import com.orientechnologies.orient.core.metadata.security.OSecurityUser;
import com.orientechnologies.orient.core.metadata.security.OToken;
import com.orientechnologies.orient.core.metadata.security.OTokenException;
import com.orientechnologies.orient.core.metadata.security.jwt.OJwtHeader;
import com.orientechnologies.orient.core.metadata.security.jwt.OJwtPayload;
import com.orientechnologies.orient.core.metadata.security.jwt.OKeyProvider;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.security.OSecurityManager;
import com.orientechnologies.orient.core.serialization.OBase64Utils;
import com.orientechnologies.orient.server.OClientConnection;
import com.orientechnologies.orient.server.OServer;
import com.orientechnologies.orient.server.OTokenHandler;
import com.orientechnologies.orient.server.binary.impl.OBinaryToken;
import com.orientechnologies.orient.server.network.protocol.ONetworkProtocolData;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import java.util.UUID;
import javax.crypto.Mac;

/* loaded from: input_file:com/orientechnologies/orient/server/token/OTokenHandlerImpl.class */
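/**
 * Issues, parses and verifies the two token formats used by the server: a JWT-style
 * web token ({@code header.payload.signature}, each part base64-encoded) and a compact
 * binary token (serialized body followed by a raw HMAC). Both are signed with an HMAC
 * whose key comes from the configured {@link OKeyProvider}.
 *
 * <p>The HMAC algorithm name is held in a static field shared by every instance and by
 * the per-thread {@link Mac} cache; once a thread has obtained its {@link Mac}, a later
 * change of the algorithm is not reflected on that thread.
 *
 * <p>When no secret key is configured, a random 256-bit key is generated from a
 * {@link SecureRandom} at construction time, so tokens signed by one server process are
 * not valid for another (or for the same process after a restart).
 */
public class OTokenHandlerImpl implements OTokenHandler {
    public static final String ENCRYPTION_ALGORITHM_DEFAULT = "HmacSHA256";
    /** Default session length (one hour) in milliseconds, used until configuration overrides it. */
    private static final long DEFAULT_SESSION_MILLS = 3600000L;
    private static final long MINUTE_IN_MILLS = 60L * 1000L;
    /** Size in bytes of the key generated when no secret is configured: 256 bits, the HmacSHA256 block-key size. */
    private static final int GENERATED_KEY_LENGTH = 32;
    /** Option flag passed to every OBase64Utils call here; presumably selects the URL-safe alphabet — confirm against OBase64Utils. */
    private static final int BASE64_OPTIONS = 16;
    /** Token type written into headers and accepted by the payload deserializer. */
    private static final String TOKEN_TYPE = "OrientDB";
    private static String algorithm = ENCRYPTION_ALGORITHM_DEFAULT;
    private static final ThreadLocal<Mac> threadLocalMac = new MacThreadLocal();
    /** ASCII '.', the separator between the three parts of a web token. */
    protected static final int JWT_DELIMITER = 46;
    private OBinaryTokenSerializer binarySerializer;
    private long sessionInMills = DEFAULT_SESSION_MILLS;
    private OKeyProvider keyProvider;
    /** Source of the ephemeral signing key; must be cryptographically strong because that key authenticates every token. */
    private final SecureRandom keyGenerator = new SecureRandom();

    /**
     * Per-thread {@link Mac} cache. A {@link Mac} is not thread-safe, so each thread lazily
     * creates its own instance for the algorithm that is current at first use.
     */
    private static class MacThreadLocal extends ThreadLocal<Mac> {
        private MacThreadLocal() {
        }

        @Override
        public Mac initialValue() {
            try {
                return Mac.getInstance(OTokenHandlerImpl.algorithm);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalArgumentException("Can't find encryption algorithm '" + OTokenHandlerImpl.algorithm + "'", e);
            }
        }
    }

    /**
     * Builds a handler from global configuration.
     *
     * <p>The signing key is taken from {@code NETWORK_TOKEN_SECRETKEY}, falling back to
     * {@code OAUTH2_SECRETKEY}; both are expected base64-encoded. If neither is set, or the
     * value does not decode, a fresh random key is generated for this process. The session
     * length comes from {@code NETWORK_TOKEN_EXPIRE_TIMEOUT} (minutes) and the HMAC algorithm
     * from {@code NETWORK_TOKEN_ENCRIPTION_ALGORITHM}, defaulting to {@link #ENCRYPTION_ALGORITHM_DEFAULT}.
     *
     * @param oServer the owning server (not used by this constructor)
     * @throws IllegalArgumentException if the configured HMAC algorithm is not available
     */
    public OTokenHandlerImpl(OServer oServer) {
        byte[] configuredKey = null;
        String secret = OGlobalConfiguration.NETWORK_TOKEN_SECRETKEY.getValueAsString();
        if (secret == null || secret.isEmpty()) {
            secret = OGlobalConfiguration.OAUTH2_SECRETKEY.getValueAsString();
        }
        if (secret != null && !secret.isEmpty()) {
            configuredKey = OBase64Utils.decode(secret, BASE64_OPTIONS);
        }
        // decode() may hand back null; in that case fall back to a generated key like the unset case.
        this.keyProvider = new DefaultKeyProvider(configuredKey == null ? generateEphemeralKey() : configuredKey);

        // Configuration value is in minutes; the handler works in milliseconds.
        this.sessionInMills = OGlobalConfiguration.NETWORK_TOKEN_EXPIRE_TIMEOUT.getValueAsLong() * MINUTE_IN_MILLS;

        String configuredAlgorithm = OGlobalConfiguration.NETWORK_TOKEN_ENCRIPTION_ALGORITHM.getValueAsString();
        if (configuredAlgorithm != null) {
            algorithm = configuredAlgorithm;
        }
        try {
            // Fail fast on an unknown algorithm instead of on the first sign/verify. Checked against
            // the effective value: probing the raw configuration value would NPE when it is unset.
            Mac.getInstance(algorithm);
            this.binarySerializer = newBinarySerializer();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("Can't find encryption algorithm '" + algorithm + "'", e);
        }
    }

    /** Bare handler for subclasses; no key provider or serializer is set up. */
    protected OTokenHandlerImpl() {
    }

    /**
     * Handler with an explicit key, session length and algorithm (used by tests and subclasses).
     *
     * @param secretKey raw HMAC key bytes
     * @param sessionInMinutes token lifetime in minutes
     * @param encryptionAlgorithm JCA Mac algorithm name, e.g. {@code HmacSHA256}
     */
    protected OTokenHandlerImpl(byte[] secretKey, long sessionInMinutes, String encryptionAlgorithm) {
        this.keyProvider = new DefaultKeyProvider(secretKey);
        algorithm = encryptionAlgorithm;
        this.sessionInMills = sessionInMinutes * MINUTE_IN_MILLS;
        this.binarySerializer = newBinarySerializer();
    }

    /** Generates a random 256-bit signing key for a process that has no configured secret. */
    private byte[] generateEphemeralKey() {
        byte[] key = new byte[GENERATED_KEY_LENGTH];
        keyGenerator.nextBytes(key);
        return key;
    }

    /** Builds the binary serializer for the engines, keys, algorithm and token type this handler supports. */
    private OBinaryTokenSerializer newBinarySerializer() {
        return new OBinaryTokenSerializer(new String[]{OEngineLocalPaginated.NAME, OEngineMemory.NAME}, this.keyProvider.getKeys(), new String[]{algorithm}, new String[]{TOKEN_TYPE});
    }

    /**
     * Parses a {@code header.payload.signature} web token and checks its signature.
     *
     * <p>Only the first two delimiters are significant; the signature part runs to the end of
     * the input. The result carries the verification outcome via {@code isVerified()} — a bad
     * signature does not throw.
     *
     * @param tokenBytes the encoded token
     * @return the parsed token, with its verified flag set
     * @throws RuntimeException if fewer than two delimiters are present
     */
    @Override
    public OToken parseWebToken(byte[] tokenBytes) {
        int headerEnd = -1;
        int payloadEnd = -1;
        for (int pos = 0; pos < tokenBytes.length; pos++) {
            if (tokenBytes[pos] != JWT_DELIMITER) {
                continue;
            }
            if (headerEnd == -1) {
                headerEnd = pos;
            } else {
                payloadEnd = pos;
                break;
            }
        }
        if (headerEnd == -1) {
            throw new RuntimeException("Token data too short: missed header");
        }
        if (payloadEnd == -1) {
            throw new RuntimeException("Token data too short: missed signature");
        }
        byte[] headerJson = OBase64Utils.decode(tokenBytes, 0, headerEnd, BASE64_OPTIONS);
        byte[] payloadJson = OBase64Utils.decode(tokenBytes, headerEnd + 1, payloadEnd - (headerEnd + 1), BASE64_OPTIONS);
        byte[] signature = OBase64Utils.decode(tokenBytes, payloadEnd + 1, tokenBytes.length - (payloadEnd + 1), BASE64_OPTIONS);

        OrientJwtHeader header = deserializeWebHeader(headerJson);
        JsonWebToken token = new JsonWebToken(header, deserializeWebPayload(header.getType(), payloadJson));
        // The signed region is the encoded header and payload up to (excluding) the second delimiter.
        token.setIsVerified(verifyTokenSignature(header, tokenBytes, 0, payloadEnd, signature));
        return token;
    }

    /**
     * Marks a web token valid when it targets the given database and its time window is open.
     * Signature verification is not consulted here; callers are expected to check
     * {@code isVerified()} separately.
     *
     * @param token the token to validate; only {@link JsonWebToken} instances can be valid
     * @param user user name (unused)
     * @param database database name the token must match, case-insensitively
     * @return the validity that was also stored on the token
     */
    @Override
    public boolean validateToken(OToken token, String user, String database) {
        if (!(token instanceof JsonWebToken)) {
            return false;
        }
        boolean valid = token.getDatabase().equalsIgnoreCase(database) && token.isNowValid();
        token.setIsValid(valid);
        return valid;
    }

    /**
     * Marks a binary token valid when it has not expired and its expiry is no further in the
     * future than one session length — i.e. it could have been issued by this handler.
     *
     * @param token the token to validate
     * @return the validity that was also stored on the token
     */
    @Override
    public boolean validateBinaryToken(OToken token) {
        long now = System.currentTimeMillis();
        boolean notExpired = token.getExpiry() > now;
        boolean notFromTheFuture = token.getExpiry() - (this.sessionInMills + 1) < now;
        boolean valid = notExpired && notFromTheFuture;
        token.setIsValid(valid);
        return valid;
    }

    /**
     * Creates and signs a web token for the user on the given database.
     *
     * <p>Layout: {@code base64(header) '.' base64(payload) '.' base64(hmac)}, where the HMAC
     * covers the first two encoded parts without the trailing delimiter.
     *
     * @param database database the token grants access to
     * @param user authenticated user
     * @return the encoded token
     * @throws IllegalArgumentException if {@code user} is null
     * @throws OSystemException wrapping any serialization or signing failure
     */
    @Override
    public byte[] getSignedWebToken(ODatabaseDocument database, OSecurityUser user) {
        OrientJwtHeader header = new OrientJwtHeader();
        // Header advertises HS256 regardless of the configured Mac algorithm; kept as the
        // original did, since peers key off the header type rather than the alg.
        header.setAlgorithm("HS256");
        header.setKeyId("");
        OJwtPayload payload = createPayload(database, user);
        header.setType(getPayloadType(payload));

        ByteArrayOutputStream out = new ByteArrayOutputStream(1024);
        try {
            writeBase64(out, serializeWebHeader(header));
            out.write(JWT_DELIMITER);
            writeBase64(out, serializeWebPayload(payload));
            // Snapshot before the second delimiter: this is exactly the signed region.
            byte[] signingInput = out.toByteArray();
            out.write(JWT_DELIMITER);
            writeBase64(out, signToken(header, signingInput));
            return out.toByteArray();
        } catch (Exception e) {
            throw OException.wrapException(new OSystemException("Error on token parsing"), e);
        }
    }

    /** Appends {@code data} to {@code out} in the base64 variant used throughout this class. */
    private static void writeBase64(ByteArrayOutputStream out, byte[] data) throws IOException {
        out.write(OBase64Utils.encodeBytesToBytes(data, 0, data.length, BASE64_OPTIONS));
    }

    /**
     * Creates and signs a binary token capturing the session's database, user and protocol data.
     *
     * @param database current database, or null for a server-level session
     * @param user authenticated database user, or null
     * @param protocolData connection metadata copied into the token
     * @return the serialized, signed token
     * @throws OSystemException wrapping any checked serialization failure
     */
    @Override
    public byte[] getSignedBinaryToken(ODatabaseDocumentInternal database, OSecurityUser user, ONetworkProtocolData protocolData) {
        try {
            OBinaryToken token = new OBinaryToken();
            long now = System.currentTimeMillis();

            OrientJwtHeader header = new OrientJwtHeader();
            header.setAlgorithm(algorithm);
            header.setKeyId(this.keyProvider.getDefaultKey());
            header.setType(TOKEN_TYPE);
            token.setHeader(header);

            if (database != null) {
                token.setDatabase(database.getName());
                token.setDatabaseType(database.getStorage().getUnderlying().getType());
            }
            if (protocolData.serverUser) {
                token.setServerUser(true);
                token.setUserName(protocolData.serverUsername);
            }
            if (user != null) {
                token.setUserRid(user.getIdentity().getIdentity());
            }
            token.setExpiry(now + this.sessionInMills);
            token.setProtocolVersion(protocolData.protocolVersion);
            token.setSerializer(protocolData.serializationImpl);
            token.setDriverName(protocolData.driverName);
            token.setDriverVersion(protocolData.driverVersion);
            return serializeSignedToken(token);
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw OException.wrapException(new OSystemException("Error on token parsing"), e);
        }
    }

    /** Serializes the token body and appends the raw HMAC over those bytes. */
    private byte[] serializeSignedToken(OBinaryToken token) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        this.binarySerializer.serialize(token, out);
        out.write(signToken(token.getHeader(), out.toByteArray()));
        return out.toByteArray();
    }

    /**
     * Rebuilds protocol data from a binary token, taking push/stats capabilities from the live connection.
     *
     * @return the reconstructed data, or null if {@code token} is not a binary token
     */
    @Override
    public ONetworkProtocolData getProtocolDataFromToken(OClientConnection connection, OToken token) {
        if (!(token instanceof OBinaryToken)) {
            return null;
        }
        OBinaryToken binaryToken = (OBinaryToken) token;
        ONetworkProtocolData data = new ONetworkProtocolData();
        data.protocolVersion = binaryToken.getProtocolVersion();
        data.serializationImpl = binaryToken.getSerializer();
        data.driverName = binaryToken.getDriverName();
        data.driverVersion = binaryToken.getDriverVersion();
        data.serverUser = binaryToken.isServerUser();
        data.serverUsername = binaryToken.getUserName();
        // These two are connection properties, not token claims.
        data.supportsPushMessages = connection.getData().supportsPushMessages;
        data.collectStats = connection.getData().collectStats;
        return data;
    }

    /**
     * Parses a binary token and checks its signature. Whatever the deserializer leaves
     * unread is the signature; the bytes it consumed are the signed region.
     *
     * @param tokenBytes serialized body followed by the HMAC
     * @return the parsed token, with its verified flag set
     */
    @Override
    public OToken parseBinaryToken(byte[] tokenBytes) {
        ByteArrayInputStream in = new ByteArrayInputStream(tokenBytes);
        OBinaryToken token = deserializeBinaryToken(in);
        int signedLength = tokenBytes.length - in.available();
        byte[] signature = Arrays.copyOfRange(tokenBytes, signedLength, tokenBytes.length);
        token.setIsVerified(verifyTokenSignature(token.getHeader(), tokenBytes, 0, signedLength, signature));
        return token;
    }

    /**
     * Extends a binary token that is past half of its lifetime but not yet expired.
     *
     * @param token the token to renew
     * @return the re-signed token, or an empty array when no renewal is due
     * @throws IllegalArgumentException if {@code token} is null
     * @throws OTokenException if a renewal is due but the token is a web token
     */
    @Override
    public byte[] renewIfNeeded(OToken token) {
        if (token == null) {
            throw new IllegalArgumentException("Token is null");
        }
        long now = System.currentTimeMillis();
        boolean expired = token.getExpiry() < now;
        boolean stillFresh = token.getExpiry() - now >= this.sessionInMills / 2;
        if (stillFresh || expired) {
            return OCommonConst.EMPTY_BYTE_ARRAY;
        }
        token.setExpiry(System.currentTimeMillis() + this.sessionInMills);
        try {
            if (token instanceof OBinaryToken) {
                return serializeSignedToken((OBinaryToken) token);
            }
            throw new OTokenException("renew of web token not supported");
        } catch (IOException e) {
            throw OException.wrapException(new OSystemException("Error on token parsing"), e);
        }
    }

    /** @return the configured token lifetime in milliseconds */
    public long getSessionInMills() {
        return this.sessionInMills;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    /**
     * Decodes a JSON header ({@code typ}, {@code alg}, {@code kid}) from UTF-8 bytes.
     *
     * @param headerJson UTF-8 JSON
     * @return the header; fields absent from the JSON are left null
     */
    protected OrientJwtHeader deserializeWebHeader(byte[] headerJson) {
        ODocument doc = new ODocument();
        doc.fromJSON(new String(headerJson, StandardCharsets.UTF_8));
        OrientJwtHeader header = new OrientJwtHeader();
        header.setType((String) doc.field("typ"));
        header.setAlgorithm((String) doc.field("alg"));
        header.setKeyId((String) doc.field("kid"));
        return header;
    }

    /**
     * Decodes a JSON payload of the {@code OrientDB} type from UTF-8 bytes.
     *
     * @param type the header's {@code typ}; only {@code OrientDB} is supported
     * @param payloadJson UTF-8 JSON
     * @return the payload
     * @throws OSystemException if {@code type} is not supported
     */
    protected OJwtPayload deserializeWebPayload(String type, byte[] payloadJson) {
        if (!TOKEN_TYPE.equals(type)) {
            throw new OSystemException("Payload class not registered:" + type);
        }
        ODocument doc = new ODocument();
        doc.fromJSON(new String(payloadJson, StandardCharsets.UTF_8));
        OrientJwtPayload payload = new OrientJwtPayload();
        payload.setIssuer((String) doc.field("iss"));
        // NOTE(review): the numeric claims are cast to the boxed types ODocument is assumed to
        // produce for these fields; a missing claim or a different numeric type would fail here.
        payload.setExpiry(((Long) doc.field("exp")).longValue());
        payload.setIssuedAt(((Long) doc.field("iat")).longValue());
        payload.setNotBefore(((Long) doc.field("nbf")).longValue());
        payload.setDatabase((String) doc.field("sub"));
        payload.setAudience((String) doc.field("aud"));
        payload.setTokenId((String) doc.field("jti"));
        payload.setUserRid(new ORecordId(((Integer) doc.field("uidc")).intValue(), ((Long) doc.field("uidp")).longValue()));
        payload.setDatabaseType((String) doc.field("bdtyp"));
        return payload;
    }

    /**
     * Encodes a header as UTF-8 JSON.
     *
     * @throws IllegalArgumentException if {@code header} is null
     */
    protected byte[] serializeWebHeader(OJwtHeader header) throws Exception {
        if (header == null) {
            throw new IllegalArgumentException("Token header is null");
        }
        ODocument doc = new ODocument();
        doc.field("typ", (Object) header.getType());
        doc.field("alg", (Object) header.getAlgorithm());
        doc.field("kid", (Object) header.getKeyId());
        return doc.toJSON().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Encodes a payload as UTF-8 JSON. The user RID is split into its cluster id and
     * position ({@code uidc}/{@code uidp}).
     *
     * @param payload must be an {@link OrientJwtPayload}
     * @throws IllegalArgumentException if {@code payload} is null
     */
    protected byte[] serializeWebPayload(OJwtPayload payload) throws Exception {
        if (payload == null) {
            throw new IllegalArgumentException("Token payload is null");
        }
        OrientJwtPayload orientPayload = (OrientJwtPayload) payload;
        ODocument doc = new ODocument();
        doc.field("iss", (Object) payload.getIssuer());
        doc.field("exp", (Object) Long.valueOf(payload.getExpiry()));
        doc.field("iat", (Object) Long.valueOf(payload.getIssuedAt()));
        doc.field("nbf", (Object) Long.valueOf(payload.getNotBefore()));
        doc.field("sub", (Object) payload.getDatabase());
        doc.field("aud", (Object) payload.getAudience());
        doc.field("jti", (Object) payload.getTokenId());
        doc.field("uidc", (Object) Integer.valueOf(orientPayload.getUserRid().getClusterId()));
        doc.field("uidp", (Object) Long.valueOf(orientPayload.getUserRid().getClusterPosition()));
        doc.field("bdtyp", (Object) orientPayload.getDatabaseType());
        return doc.toJSON().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Builds the claims for a web token: issued now, valid from now, expiring after one
     * session length, with a random UUID as token id.
     *
     * @throws IllegalArgumentException if {@code user} is null
     */
    protected OJwtPayload createPayload(ODatabaseDocument database, OSecurityUser user) {
        if (user == null) {
            throw new IllegalArgumentException("User is null");
        }
        long now = System.currentTimeMillis();
        OrientJwtPayload payload = new OrientJwtPayload();
        payload.setAudience("OrientDB");
        payload.setDatabase(database.getName());
        payload.setUserRid(user.getDocument().getIdentity());
        payload.setIssuedAt(now);
        payload.setNotBefore(now);
        payload.setUserName(user.getName());
        payload.setTokenId(UUID.randomUUID().toString());
        payload.setExpiry(now + this.sessionInMills);
        return payload;
    }

    /** @return the header {@code typ} to use for {@code payload}; always {@code OrientDB} here */
    protected String getPayloadType(OJwtPayload payload) {
        return TOKEN_TYPE;
    }

    protected OKeyProvider getKeyProvider() {
        return this.keyProvider;
    }

    /**
     * Recomputes the HMAC over {@code signedData[offset, offset+length)} with the key the
     * header selects and compares it in constant time against {@code signature}.
     *
     * @return true if the signature matches; a mismatch is logged at WARN with the
     *         (unverified, caller-supplied) token bytes
     * @throws OSystemException wrapping any checked failure from key lookup or the Mac
     */
    private boolean verifyTokenSignature(OJwtHeader header, byte[] signedData, int offset, int length, byte[] signature) {
        Mac mac = threadLocalMac.get();
        try {
            mac.init(getKeyProvider().getKey(header));
            mac.update(signedData, offset, length);
            // MessageDigest.isEqual is time-constant, so the comparison does not leak how many bytes matched.
            boolean matches = MessageDigest.isEqual(mac.doFinal(), signature);
            if (!matches) {
                OLogManager.instance().warn(this, "Token signature failure: %s", OBase64Utils.encodeBytes(signedData));
            }
            return matches;
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw OException.wrapException(new OSystemException("Token signature cannot be verified"), e);
        } finally {
            // Always clear key material and state from the cached, thread-shared Mac.
            mac.reset();
        }
    }

    /**
     * Computes the HMAC of {@code data} with the key the header selects.
     *
     * @throws OSystemException wrapping any failure from key lookup or the Mac
     */
    private byte[] signToken(OJwtHeader header, byte[] data) {
        Mac mac = threadLocalMac.get();
        try {
            mac.init(getKeyProvider().getKey(header));
            return mac.doFinal(data);
        } catch (Exception e) {
            throw OException.wrapException(new OSystemException("Error on token parsing"), e);
        } finally {
            mac.reset();
        }
    }

    /** Reads a token body from the stream, leaving the trailing signature bytes unread. */
    private OBinaryToken deserializeBinaryToken(InputStream in) {
        try {
            return this.binarySerializer.deserialize(in);
        } catch (Exception e) {
            throw OException.wrapException(new OSystemException("Cannot deserialize binary token"), e);
        }
    }
}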
