package org.apache.nifi.registry.web.security.authentication.jwt;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.UnsupportedJwtException;
import java.nio.charset.StandardCharsets;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.registry.security.authentication.AuthenticationResponse;
import org.apache.nifi.registry.security.key.Key;
import org.apache.nifi.registry.security.key.KeyService;
import org.apache.nifi.registry.web.security.authentication.exception.InvalidAuthenticationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

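/**
 * Issues and validates the HMAC-signed JSON Web Tokens used as bearer credentials.
 *
 * <p>Each token is signed with a per-identity key obtained from the {@link KeyService}; the id of
 * that key is carried in the token's {@code kid} claim so the same key can be looked up again when
 * the token is presented. Deleting the key ({@link #logOut(String)}) therefore makes every token
 * signed with it unverifiable.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The serialized token is a bearer credential and must never be written to a log.</li>
 *   <li>The signing key is looked up from claims that have not yet been verified; the values read
 *       there (subject, {@code kid}) are untrusted until {@code parseClaimsJws} returns.</li>
 * </ul>
 */
@Service
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.class */
public class JwtService {
    public static final String AUTHORIZATION = "Authorization";

    private static final Logger logger = LoggerFactory.getLogger(JwtService.class);
    private static final String KEY_ID_CLAIM = "kid";
    private static final String USERNAME_CLAIM = "preferred_username";
    private static final SignatureAlgorithm SIGNATURE_ALGORITHM = SignatureAlgorithm.HS256;
    // "Bearer " followed by three dot-separated, whitespace-free segments (header.payload.signature).
    private static final Pattern tokenPattern = Pattern.compile("^Bearer (\\S*\\.\\S*\\.\\S*)$");

    private final KeyService keyService;

    @Autowired
    public JwtService(KeyService keyService) {
        this.keyService = keyService;
    }

    /**
     * Validates a serialized JWT and returns the identity it was issued for.
     *
     * @param base64EncodedToken the compact serialized token (without the {@code Bearer } prefix)
     * @return the token's subject claim
     * @throws JwtException if the token cannot be parsed or verified, or has no subject or issuer
     */
    public String getAuthenticationFromToken(String base64EncodedToken) throws JwtException {
        try {
            Jws<Claims> jws = parseTokenFromBase64EncodedString(base64EncodedToken);
            if (jws == null) {
                throw new JwtException("Unable to parse token");
            }
            Claims claims = jws.getBody();
            String subject = claims.getSubject();
            if (StringUtils.isEmpty(subject)) {
                throw new JwtException("No subject available in token");
            }
            if (StringUtils.isEmpty(claims.getIssuer())) {
                throw new JwtException("No issuer available in token");
            }
            return subject;
        } catch (JwtException e) {
            // The token is deliberately NOT logged, not even at debug level: a rejected token can
            // still be a valid credential elsewhere (or merely expired by clock skew), and anyone
            // with read access to the log could replay it.
            logger.error("There was an error validating the JWT", e);
            throw e;
        }
    }

    /**
     * Parses the serialized token and verifies its signature with the key named by its
     * {@code kid} claim.
     *
     * @param base64EncodedToken the compact serialized token
     * @return the verified token
     * @throws JwtException if the token is expired, malformed, unsupported, badly signed, or no
     *     signing key can be found for it
     */
    private Jws<Claims> parseTokenFromBase64EncodedString(String base64EncodedToken) throws JwtException {
        try {
            return Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
                @Override
                public byte[] resolveSigningKeyBytes(JwsHeader jwsHeader, Claims claims) {
                    // The resolver runs in order to obtain the verification key, so the claims
                    // seen here are unverified, caller-supplied values. They are used only to
                    // look the key up and to build the error message below.
                    String subject = claims.getSubject();
                    String keyId = claims.get(KEY_ID_CLAIM, String.class);
                    Key key = JwtService.this.keyService.getKey(keyId);
                    if (key == null || key.getKey() == null) {
                        // NOTE(review): subject and kid are untrusted text and end up in the
                        // error log via the caller; confirm the log layout neutralises newlines.
                        throw new UnsupportedJwtException("Unable to determine signing key for " + subject + " [kid: " + keyId + "]");
                    }
                    return key.getKey().getBytes(StandardCharsets.UTF_8);
                }
            }).parseClaimsJws(base64EncodedToken);
        } catch (ExpiredJwtException | MalformedJwtException | SignatureException | UnsupportedJwtException | IllegalArgumentException e) {
            // One generic message for every failure mode; the cause is preserved for the log.
            throw new JwtException("Unable to validate the access token.", e);
        }
    }

    /**
     * Generates a signed token from an authentication response.
     *
     * <p>The response's issuer is used for both the issuer and the audience claim.
     *
     * @param authenticationResponse the successful authentication to issue a token for
     * @return the compact serialized token
     * @throws IllegalArgumentException if {@code authenticationResponse} is null or has no identity
     * @throws JwtException if the signing key cannot be retrieved
     */
    public String generateSignedToken(AuthenticationResponse authenticationResponse) throws JwtException {
        if (authenticationResponse == null) {
            throw new IllegalArgumentException("Cannot generate a JWT for a null authenticationResponse");
        }
        return generateSignedToken(
                authenticationResponse.getIdentity(),
                authenticationResponse.getUsername(),
                authenticationResponse.getIssuer(),
                authenticationResponse.getIssuer(),
                authenticationResponse.getExpiration());
    }

    /**
     * Generates a signed token for the given identity.
     *
     * @param identity the subject of the token; also selects the signing key
     * @param preferredUsername value of the {@code preferred_username} claim
     * @param issuer value of the issuer claim
     * @param audience value of the audience claim
     * @param expirationMillis requested lifetime in milliseconds; clamped to between one minute
     *     and twelve hours
     * @return the compact serialized token
     * @throws IllegalArgumentException if {@code identity} is null or empty
     * @throws JwtException if the signing key cannot be retrieved
     */
    public String generateSignedToken(String identity, String preferredUsername, String issuer, String audience, long expirationMillis) throws JwtException {
        if (StringUtils.isEmpty(identity)) {
            // Previously the whole message collapsed to "." when the issuer was null.
            String errorMessage = "Cannot generate a JWT for a token with an empty identity"
                    + (issuer != null ? " issued by " + issuer + "." : ".");
            logger.error(errorMessage);
            throw new IllegalArgumentException(errorMessage);
        }

        Calendar issuedAt = Calendar.getInstance();
        long lifetimeMillis = validateTokenExpiration(expirationMillis, identity);
        Calendar expiresAt = new Calendar.Builder().setInstant(issuedAt.getTimeInMillis() + lifetimeMillis).build();

        String keyErrorMessage = "Could not retrieve the signing key for JWT for " + identity;
        try {
            Key signingKey = this.keyService.getOrCreateKey(identity);
            if (signingKey == null || signingKey.getKey() == null) {
                // Explicit check instead of relying on a NullPointerException further down.
                logger.error(keyErrorMessage);
                throw new JwtException(keyErrorMessage);
            }
            // NOTE(review): the HMAC key is the UTF-8 bytes of the stored key string; its strength
            // depends entirely on how KeyService generates that string - confirm there.
            return Jwts.builder()
                    .setSubject(identity)
                    .setIssuer(issuer)
                    .setAudience(audience)
                    .claim(USERNAME_CLAIM, preferredUsername)
                    .claim(KEY_ID_CLAIM, signingKey.getId())
                    .setIssuedAt(issuedAt.getTime())
                    .setExpiration(expiresAt.getTime())
                    .signWith(SIGNATURE_ALGORITHM, signingKey.getKey().getBytes(StandardCharsets.UTF_8))
                    .compact();
        } catch (NullPointerException e) {
            // Backstop kept so callers continue to see a JwtException if the key service or the
            // builder dereferences a null internally.
            logger.error(keyErrorMessage, e);
            throw new JwtException(keyErrorMessage, e);
        }
    }

    /**
     * Logs a user out by deleting their signing key, after which tokens signed with it can no
     * longer be verified.
     *
     * @param userIdentity the identity whose key should be deleted
     * @throws JwtException if {@code userIdentity} is null or empty
     */
    public void logOut(String userIdentity) {
        if (userIdentity == null || userIdentity.isEmpty()) {
            throw new JwtException("Log out failed: The user identity was not present in the request token to log out user.");
        }
        try {
            this.keyService.deleteKey(userIdentity);
            logger.info("Deleted token from database.");
        } catch (Exception e) {
            // A failed log-out leaves the user's tokens valid, so record the cause as well.
            logger.error("Unable to log out user: " + userIdentity + ". Failed to remove their token from database.", e);
            throw e;
        }
    }

    /**
     * Clamps a requested token lifetime to the permitted range of one minute to twelve hours.
     *
     * @param proposedTokenExpiration requested lifetime in milliseconds
     * @param identity the identity the token is for; used only in the log message
     * @return the lifetime to use, in milliseconds
     */
    private static long validateTokenExpiration(long proposedTokenExpiration, String identity) {
        final long maxExpiration = TimeUnit.MILLISECONDS.convert(12L, TimeUnit.HOURS);
        final long minExpiration = TimeUnit.MILLISECONDS.convert(1L, TimeUnit.MINUTES);

        if (proposedTokenExpiration > maxExpiration) {
            logger.warn("Max token expiration exceeded. Setting expiration to {} from {} for {}",
                    maxExpiration, proposedTokenExpiration, identity);
            return maxExpiration;
        }
        if (proposedTokenExpiration < minExpiration) {
            logger.warn("Min token expiration not met. Setting expiration to {} from {} for {}",
                    minExpiration, proposedTokenExpiration, identity);
            return minExpiration;
        }
        return proposedTokenExpiration;
    }

    /**
     * Builds a human-readable description of an authentication response. The description contains
     * the username, issuer and expiration only.
     *
     * @param authenticationResponse the response to describe
     * @return the description
     */
    private static String describe(AuthenticationResponse authenticationResponse) {
        Calendar expiration = Calendar.getInstance();
        expiration.setTimeInMillis(authenticationResponse.getExpiration());
        long remainingMillis = expiration.getTimeInMillis() - Calendar.getInstance().getTimeInMillis();
        // SimpleDateFormat is not thread-safe, so a fresh instance is created per call.
        SimpleDateFormat dateFormat = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss.SSS");
        dateFormat.setTimeZone(expiration.getTimeZone());
        return "LoginAuthenticationToken for " + authenticationResponse.getUsername()
                + " issued by " + authenticationResponse.getIssuer()
                + " expiring at " + dateFormat.format(expiration.getTime())
                + " [" + authenticationResponse.getExpiration() + " ms, " + remainingMillis + " ms remaining]";
    }

    /**
     * Logs out the user identified by the bearer token in an {@code Authorization} header value.
     * The token is fully validated first, so only the holder of a valid token can trigger the
     * log-out of that identity.
     *
     * @param authorizationHeader the raw header value, e.g. {@code Bearer <token>}
     * @throws InvalidAuthenticationException if the header is missing or not a bearer token
     * @throws JwtException if the token is invalid
     */
    public void logOutUsingAuthHeader(String authorizationHeader) {
        logOut(getAuthenticationFromToken(getTokenFromHeader(authorizationHeader)));
    }

    /**
     * Extracts the serialized token from an {@code Authorization} header value.
     *
     * @param authorizationHeader the raw header value; may be null when the header is absent
     * @return the token without the {@code Bearer } prefix
     * @throws InvalidAuthenticationException if the header is null or does not have the form
     *     {@code Bearer <segment>.<segment>.<segment>}
     */
    public static String getTokenFromHeader(String authorizationHeader) {
        // A request without the header must be rejected as unauthenticated rather than surface
        // as a NullPointerException from the matcher.
        if (authorizationHeader != null) {
            Matcher matcher = tokenPattern.matcher(authorizationHeader);
            if (matcher.matches()) {
                return matcher.group(1);
            }
        }
        throw new InvalidAuthenticationException("JWT did not match expected pattern.");
    }
}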
