package io.gravitee.policy.generatejwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.IOUtils;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.gravitee.common.utils.UUID;
import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.gravitee.policy.generatejwt.alg.Signature;
import io.gravitee.policy.generatejwt.configuration.GenerateJwtPolicyConfiguration;
import io.gravitee.policy.generatejwt.configuration.X509CertificateChain;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import javax.xml.bind.DatatypeConverter;

/* loaded from: input_file:io/gravitee/policy/generatejwt/GenerateJwtPolicy.class */
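/**
 * Gravitee request policy that signs a JWT and stores its compact serialization in the
 * {@value #CONTEXT_ATTRIBUTE_JWT_GENERATED} execution-context attribute for downstream policies.
 *
 * <p>Signing material comes from the policy configuration: an RSA private key resolved from a PEM
 * file, a JKS/PKCS12 keystore or inline PEM content (RS256), or a shared secret for HS256/384/512.
 * RSA signers are costly to build, so they are cached JVM-wide together with the certificate chain
 * they were loaded with (see {@link #SIGNERS}).
 */
public class GenerateJwtPolicy {
    static final String CONTEXT_ATTRIBUTE_JWT_GENERATED = "jwt.generated";

    private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray();

    /**
     * RSA signers shared by every policy instance in the gateway, keyed by {@link #cacheKey()}.
     * Requests are served from several threads, so the map is concurrent; the previous plain
     * HashMap raced on its check-then-put. Each entry also carries the certificate chain that
     * belongs to that key, replacing a single static chain that every keystore load overwrote.
     */
    private static final Map<String, CachedSigner> SIGNERS = new ConcurrentHashMap<>();

    private final GenerateJwtPolicyConfiguration configuration;

    /**
     * @param generateJwtPolicyConfiguration configuration describing the signature algorithm, key
     *                                       material and claims; it is not validated here
     */
    public GenerateJwtPolicy(GenerateJwtPolicyConfiguration generateJwtPolicyConfiguration) {
        this.configuration = generateJwtPolicyConfiguration;
    }

    /**
     * Signs a JWT built from the configuration and the current execution context, then continues
     * the chain. Any failure (unreadable key material, unsupported algorithm, template error) is
     * reported through {@code policyChain.failWith} instead of propagating.
     *
     * @param request          current request, passed through to the next policy
     * @param response         current response, passed through to the next policy
     * @param executionContext context that receives the {@value #CONTEXT_ATTRIBUTE_JWT_GENERATED} attribute
     * @param policyChain      chain to continue or fail
     */
    @OnRequest
    public void onRequest(Request request, Response response, ExecutionContext executionContext, PolicyChain policyChain) {
        try {
            Signature signature = this.configuration.getSignature();
            JWSHeader header;
            JWSSigner signer;
            if (signature == null || signature == Signature.RSA_RS256) {
                // Default and RS256: the private key comes from the configured resolver and is cached.
                CachedSigner cached = getSigner(cacheKey());
                JWSHeader.Builder headerBuilder = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(this.configuration.getKid());
                if (this.configuration.getX509CertificateChain() == X509CertificateChain.X5C) {
                    // The chain loaded alongside this very key, so x5c can never describe another
                    // policy's key (it is empty for PEM and INLINE, which carry no certificate).
                    headerBuilder.x509CertChain(cached.certificateChain);
                }
                header = headerBuilder.build();
                signer = cached.signer;
            } else if (isHmac(signature)) {
                // HMAC: the configured content is the shared secret itself. Nimbus's MACSigner
                // enforces a minimum secret length for the chosen algorithm.
                header = new JWSHeader.Builder(signature.getAlg()).keyID(this.configuration.getKid()).build();
                signer = new MACSigner(this.configuration.getContent());
            } else {
                // Previously this fell through with a null header and failed later with a bare NPE.
                throw new IllegalStateException("Unsupported signature algorithm: " + signature);
            }
            SignedJWT signedJWT = new SignedJWT(header, buildClaims(executionContext));
            signedJWT.sign(signer);
            executionContext.setAttribute(CONTEXT_ATTRIBUTE_JWT_GENERATED, signedJWT.serialize());
            policyChain.doNext(request, response);
        } catch (Exception e) {
            // NOTE(review): e.getMessage() is surfaced in the policy failure and may reach the API
            // consumer; for file-based resolvers it can contain the keystore path. Consider logging
            // the exception server-side and returning a generic message instead.
            policyChain.failWith(PolicyResult.failure("Unable to generate JWT token: " + e.getMessage()));
        }
    }

    /** True for the three HMAC algorithms this policy supports. */
    private static boolean isHmac(Signature signature) {
        return signature == Signature.HMAC_HS256
                || signature == Signature.HMAC_HS384
                || signature == Signature.HMAC_HS512;
    }

    /**
     * Cache key for the RSA signer: a digest over everything that determines which private key is
     * loaded — resolver type, keystore alias and content (file path or inline PEM). The original
     * keyed on the content alone, so two policies sharing one keystore file but using different
     * aliases would both receive whichever key happened to be loaded first.
     */
    private String cacheKey() {
        return sha1(String.valueOf(this.configuration.getKeyResolver()) + '\n'
                + this.configuration.getAlias() + '\n'
                + this.configuration.getContent());
    }

    /**
     * Returns the cached RSA signer for {@code key}, building and publishing it on first use.
     *
     * @param key value of {@link #cacheKey()}
     * @throws Exception if the key material cannot be read or parsed; nothing is cached in that case
     */
    private CachedSigner getSigner(String key) throws Exception {
        CachedSigner cached = SIGNERS.get(key);
        if (cached == null) {
            cached = createSigner();
            // Two requests may build concurrently; keep the first published entry so every
            // thread ends up sharing a single signer instance.
            CachedSigner published = SIGNERS.putIfAbsent(key, cached);
            if (published != null) {
                cached = published;
            }
        }
        return cached;
    }

    /**
     * Builds an RSA signer from the configured key resolver.
     *
     * @throws IllegalStateException if no resolver is configured or the resolver is unknown
     *                               (previously this returned and cached a null signer)
     * @throws Exception             if the key material cannot be read or parsed
     */
    private CachedSigner createSigner() throws Exception {
        if (this.configuration.getKeyResolver() == null) {
            throw new IllegalStateException("No key resolver configured");
        }
        switch (this.configuration.getKeyResolver()) {
            case PEM:
                return new CachedSigner(
                        new RSASSASigner(JWK.parseFromPEMEncodedObjects(readFileAsString())),
                        Collections.emptyList());
            case JKS:
                // JKS entries may carry a key password distinct from the store password.
                return loadFromKeyStore("JKS", this.configuration.getKeypass());
            case PKCS12:
                // PKCS12 entries are opened with the store password (unchanged from the original).
                return loadFromKeyStore("PKCS12", this.configuration.getStorepass());
            case INLINE:
                return new CachedSigner(
                        new RSASSASigner(JWK.parseFromPEMEncodedObjects(this.configuration.getContent())),
                        Collections.emptyList());
            default:
                throw new IllegalStateException("Unsupported key resolver: " + this.configuration.getKeyResolver());
        }
    }

    /**
     * Opens the keystore at the configured content path and extracts the private key and
     * certificate chain stored under the configured alias.
     *
     * @param type    keystore type passed to {@link KeyStore#getInstance(String)}
     * @param keypass password protecting the key entry
     * @throws IllegalStateException if a required password is missing or the alias is not a
     *                               private-key entry (the original instead failed on an
     *                               uninitialised keystore or with a ClassCastException)
     * @throws Exception             on I/O or keystore errors
     */
    private CachedSigner loadFromKeyStore(String type, String keypass) throws Exception {
        String storepass = this.configuration.getStorepass();
        if (storepass == null) {
            throw new IllegalStateException("A store password is required to open a " + type + " keystore");
        }
        if (keypass == null) {
            throw new IllegalStateException("A key password is required to read the private key from a " + type + " keystore");
        }
        KeyStore keyStore = KeyStore.getInstance(type);
        // The stream was never closed before; the loop of one open file per cache miss leaked descriptors.
        try (InputStream in = readFile()) {
            keyStore.load(in, storepass.toCharArray());
        }
        String alias = this.configuration.getAlias();
        KeyStore.Entry entry = keyStore.getEntry(alias, new KeyStore.PasswordProtection(keypass.toCharArray()));
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new IllegalStateException("Alias '" + alias + "' is not a private key entry in the " + type + " keystore");
        }
        // allowWeakKey=true keeps keys shorter than 2048 bits usable, as the original did; tightening
        // this would reject existing deployments, so it is left unchanged and noted here.
        RSASSASigner signer = new RSASSASigner(((KeyStore.PrivateKeyEntry) entry).getPrivateKey(), true);
        return new CachedSigner(signer, loadCertificateChain(keyStore, alias));
    }

    /**
     * Encodes the certificate chain stored under {@code alias} as Base64 DER blobs for the x5c header.
     *
     * @return the chain, or an empty list when the keystore holds no chain for the alias
     *         (the original dereferenced the null array)
     * @throws KeyStoreException if the keystore has not been loaded
     */
    private static List<Base64> loadCertificateChain(KeyStore keyStore, String alias) throws KeyStoreException {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null) {
            return Collections.emptyList();
        }
        List<Base64> encoded = new ArrayList<>(chain.length);
        for (Certificate certificate : chain) {
            try {
                encoded.add(Base64.encode(certificate.getEncoded()));
            } catch (CertificateEncodingException e) {
                throw new IllegalArgumentException("Failed to encode certificate.", e);
            }
        }
        return encoded;
    }

    /**
     * Builds the claim set: iat now, jti from the templated id (or a random UUID), aud, sub, iss,
     * exp (when expiresIn is positive) and any configured custom claims, each run through the
     * template engine.
     */
    private JWTClaimsSet buildClaims(ExecutionContext executionContext) {
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
        Instant now = Instant.now();
        builder.issueTime(Date.from(now));

        String jwtId = templatizeString(executionContext, this.configuration.getId());
        builder.jwtID(isNullOrEmpty(jwtId) ? UUID.random().toString() : jwtId);

        List<String> audiences = this.configuration.getAudiences();
        if (audiences != null) {
            if (audiences.size() == 1) {
                // A single audience is emitted as a plain string, not a one-element array.
                builder.audience(templatizeString(executionContext, audiences.get(0)));
            } else {
                builder.audience(audiences.stream()
                        .map(audience -> templatizeString(executionContext, audience))
                        .collect(Collectors.toList()));
            }
        }

        String subject = templatizeString(executionContext, this.configuration.getSubject());
        if (!isNullOrEmpty(subject)) {
            builder.subject(subject);
        }
        String issuer = templatizeString(executionContext, this.configuration.getIssuer());
        if (!isNullOrEmpty(issuer)) {
            builder.issuer(issuer);
        }
        if (this.configuration.getExpiresIn() > 0) {
            // The configuration's unit enum mirrors ChronoUnit by name.
            ChronoUnit unit = ChronoUnit.valueOf(this.configuration.getExpiresInUnit().name());
            builder.expirationTime(Date.from(now.plus(this.configuration.getExpiresIn(), unit)));
        }
        if (this.configuration.getCustomClaims() != null && !this.configuration.getCustomClaims().isEmpty()) {
            this.configuration.getCustomClaims().forEach(claim ->
                    builder.claim(claim.getName(), templatizeObject(executionContext, claim.getValue())));
        }
        return builder.build();
    }

    /** Evaluates {@code str} as a template yielding any object; null/empty is returned unchanged. */
    private Object templatizeObject(ExecutionContext executionContext, String str) {
        if (isNullOrEmpty(str)) {
            return str;
        }
        return executionContext.getTemplateEngine().getValue(str, Object.class);
    }

    /** Evaluates {@code str} as a template yielding a string; null/empty is returned unchanged. */
    private String templatizeString(ExecutionContext executionContext, String str) {
        if (isNullOrEmpty(str)) {
            return str;
        }
        return executionContext.getTemplateEngine().convert(str);
    }

    private static boolean isNullOrEmpty(String str) {
        return str == null || str.isEmpty();
    }

    /**
     * Opens the file named by the configured content (an operator-supplied path, not request
     * input). Callers own the returned stream and must close it.
     */
    private InputStream readFile() throws FileNotFoundException {
        return new FileInputStream(this.configuration.getContent());
    }

    /** Reads the configured file fully as UTF-8 text (PEM is ASCII, so this matches any platform charset). */
    private String readFileAsString() throws IOException {
        try (InputStream in = readFile()) {
            return IOUtils.readInputStreamToString(in, StandardCharsets.UTF_8);
        }
    }

    /**
     * Uppercase hex SHA-1 of the UTF-8 bytes of {@code str}. Used only as an in-memory cache key,
     * never for any security purpose, which is why SHA-1 is acceptable here.
     *
     * @param str text to digest; must not be null
     * @return 40 uppercase hex characters
     * @throws IllegalStateException if the JCA provides no SHA-1 (a mandatory algorithm); the
     *                               original swallowed this and returned null
     */
    public String sha1(String str) {
        Objects.requireNonNull(str, "str");
        MessageDigest digest;
        try {
            digest = MessageDigest.getInstance("SHA-1");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 MessageDigest is not available", e);
        }
        // Digest every byte. The original passed str.length() (a char count) as the byte length,
        // silently truncating the input whenever it contained non-ASCII characters.
        return toHex(digest.digest(str.getBytes(StandardCharsets.UTF_8)));
    }

    /** Uppercase hex encoding; replaces javax.xml.bind.DatatypeConverter, which is absent from JDK 11+. */
    private static String toHex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            int value = bytes[i] & 0xFF;
            out[2 * i] = HEX_DIGITS[value >>> 4];
            out[2 * i + 1] = HEX_DIGITS[value & 0x0F];
        }
        return new String(out);
    }

    /** Immutable pairing of an RSA signer with the certificate chain it was loaded from. */
    private static final class CachedSigner {
        final RSASSASigner signer;
        final List<Base64> certificateChain;

        CachedSigner(RSASSASigner signer, List<Base64> certificateChain) {
            this.signer = signer;
            this.certificateChain = Collections.unmodifiableList(new ArrayList<>(certificateChain));
        }
    }
}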
