package org.kuali.coeus.sys.impl.auth;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.JoseException;
import org.kuali.coeus.sys.framework.auth.AuthConstants;
import org.kuali.coeus.sys.framework.auth.JwtService;
import org.kuali.rice.core.api.config.ConfigurationException;
import org.kuali.rice.core.api.config.property.ConfigurationService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Service;

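/**
 * HS256 JSON Web Token support for service-to-service calls.
 *
 * <p>Tokens are signed and verified with the shared secret(s) configured under
 * {@code auth.filter.service2service.secret}. The property may hold a comma-separated list: the first
 * non-blank entry signs new tokens, and every non-blank entry is tried on verification (presumably to
 * allow secret rotation; confirm with the deployment docs).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Key-length validation is switched off on both the signing and the verifying side, so a secret
 *       shorter than the 256 bits HS256 expects is accepted. The strength of every token therefore
 *       depends entirely on the configured secret being long and random.</li>
 *   <li>Replay protection (single-use mode) relies on an in-memory cache held by this instance, bounded
 *       to 10000 entries and 60 seconds. It does not see tokens presented to another JVM, and entries
 *       can be evicted early once the size bound is reached.</li>
 *   <li>The verifier does not call {@code setRequireExpirationTime()}; as far as jose4j's documented
 *       defaults go, a correctly signed token that carries no {@code exp} claim is not rejected here.
 *       Tokens minted by {@link #createToken()} expire after one minute, but tokens minted elsewhere
 *       with the same secret may outlive the 60-second replay window. Consider requiring {@code exp}
 *       once all issuers are known to set it.</li>
 * </ul>
 */
@Service("jwtService")
/* loaded from: input_file:org/kuali/coeus/sys/impl/auth/JwtServiceImpl.class */
public class JwtServiceImpl implements JwtService {
    private static final String SHARED_SECRET = "auth.filter.service2service.secret";
    private static final String SERVICE_2_SERVICE_ENABLED = "auth.filter.service2service.enabled";
    private static final String SINGLE_USE = "auth.filter.service2service.singleUse";
    private static final String UUID_CLAIM = "uuid";
    private static final String AUTHORIZATION_PREFIX = "Bearer ";

    @Autowired
    @Qualifier("kualiConfigurationService")
    private ConfigurationService configurationService;

    // Created eagerly and kept final: a lazily created cache can be instantiated twice under concurrent
    // first use, and a token id recorded in the discarded instance would then be accepted again.
    private final Cache<String, String> usedTokens =
            CacheBuilder.newBuilder().maximumSize(10000L).expireAfterWrite(60L, TimeUnit.SECONDS).build();

    /**
     * Verifies the value of an {@code Authorization} header.
     *
     * @param str the raw header value, expected to be {@code "Bearer <jwt>"}
     * @return {@code true} only when service-to-service auth is enabled, a token is present, and the
     *     token verifies against at least one configured secret (and, in single-use mode, has not been
     *     seen before); {@code false} otherwise, including when no usable secret is configured
     * @throws ConfigurationException if the shared-secret property is absent
     */
    @Override
    public boolean verifyToken(String str) {
        if (!isService2serviceEnabled()) {
            return false;
        }
        final String jwtString = getJwtString(str);
        if (StringUtils.isEmpty(jwtString)) {
            return false;
        }
        // An empty secret list yields false here, i.e. the check fails closed.
        return getSecrets().stream().anyMatch(secret -> verifyToken(jwtString, secret));
    }

    /**
     * Verifies one compact JWT against one candidate secret.
     *
     * @param str the compact JWT serialization
     * @param str2 the shared secret to verify with
     * @return {@code true} when the consumer accepts the token and, in single-use mode, the token id is new
     */
    private boolean verifyToken(String str, String str2) {
        final JwtClaims claims;
        try {
            claims = getJwtConsumer(str2).processToClaims(str);
        } catch (InvalidJwtException e) {
            // Bad signature, malformed token or failed claim validation: treat as unauthenticated.
            return false;
        }
        // The replay check runs only after the signature has been accepted, so unauthenticated
        // input cannot fill the used-token cache.
        return !isSingleUse() || validateSingleUse(claims);
    }

    /**
     * Produces the credential this service presents to its peers.
     *
     * @return a freshly signed compact JWT when service-to-service auth is enabled; otherwise the
     *     static system auth token from configuration
     * @throws ConfigurationException if no usable shared secret is configured
     * @throws RuntimeException if the token cannot be serialized
     */
    @Override
    public String createToken() {
        if (!isService2serviceEnabled()) {
            return getSystemAuthToken();
        }
        try {
            return createJsonWebSignature().getCompactSerialization();
        } catch (JoseException e) {
            throw new RuntimeException("Unable to serialize service-to-service JWT", e);
        }
    }

    /**
     * Records the token id and reports whether this is its first use.
     *
     * @param jwtClaims claims of a token whose signature has already been verified
     * @return {@code true} if the {@code uuid} claim is present and was not already in the cache
     */
    private boolean validateSingleUse(JwtClaims jwtClaims) {
        final Object uuid = jwtClaims.getClaimValue(UUID_CLAIM);
        if (uuid == null) {
            // A token without an id cannot be tracked, so it cannot be proven single-use: reject it
            // instead of failing with a NullPointerException.
            return false;
        }
        final String tokenId = uuid.toString();
        // putIfAbsent is a single atomic step; a separate lookup followed by put would let two
        // concurrent requests carrying the same token both pass the check.
        return getUsedTokens().asMap().putIfAbsent(tokenId, tokenId) == null;
    }

    /**
     * Builds the HS256 signature object for a new token, keyed with the first configured secret.
     */
    private JsonWebSignature createJsonWebSignature() {
        final JsonWebSignature jws = new JsonWebSignature();
        // Explicit charset so the key bytes do not depend on the JVM's platform default.
        jws.setKey(new HmacKey(getServiceSecret().getBytes(StandardCharsets.UTF_8)));
        jws.setAlgorithmHeaderValue("HS256");
        // NOTE(review): disables jose4j's minimum key-length check, so short secrets are not refused.
        jws.setDoKeyValidation(false);
        jws.setPayload(createClaims().toJson());
        return jws;
    }

    /**
     * Builds the claim set for a new token: one-minute expiry, issued-at of now, and a random
     * {@code uuid} used for single-use tracking.
     */
    private JwtClaims createClaims() {
        final JwtClaims claims = new JwtClaims();
        claims.setExpirationTimeMinutesInTheFuture(1.0f);
        claims.setIssuedAtToNow();
        claims.setClaim(UUID_CLAIM, UUID.randomUUID());
        return claims;
    }

    /**
     * Extracts the token from a {@code "Bearer <jwt>"} header value.
     *
     * @param str the raw header value, may be {@code null}
     * @return the text between the first and second space, or {@code null} when the value does not
     *     start with the bearer prefix or carries nothing after it
     */
    private String getJwtString(String str) {
        if (!StringUtils.startsWith(str, AUTHORIZATION_PREFIX)) {
            return null;
        }
        final String[] parts = str.split(" ");
        return parts.length < 2 ? null : parts[1];
    }

    /** Reads the {@code auth.filter.service2service.enabled} flag. */
    protected boolean isService2serviceEnabled() {
        return getConfigurationService().getPropertyValueAsBoolean(SERVICE_2_SERVICE_ENABLED);
    }

    /**
     * Returns the secret used for signing, i.e. the first non-blank configured entry.
     *
     * @throws ConfigurationException if the property is absent or contains no non-blank entry
     */
    private String getServiceSecret() {
        final List<String> secrets = getSecrets();
        if (secrets.isEmpty()) {
            // A blank or separator-only property previously surfaced as IndexOutOfBoundsException.
            throw new ConfigurationException("Missing configuration: " + SHARED_SECRET);
        }
        return secrets.get(0);
    }

    /** Reads the raw, possibly comma-separated, shared-secret property. */
    protected String getConfiguredSecret() {
        return getConfigurationService().getPropertyValueAsString(SHARED_SECRET);
    }

    /**
     * Splits the configured secret property on commas, trimming entries and dropping blank ones.
     *
     * @return the usable secrets in configured order; empty if every entry is blank
     * @throws ConfigurationException if the property is absent
     */
    private List<String> getSecrets() {
        final String configured = Optional.ofNullable(getConfiguredSecret())
                .orElseThrow(() -> new ConfigurationException("Missing configuration: " + SHARED_SECRET));
        return Stream.of(configured.split(","))
                .map(String::trim)
                .filter(StringUtils::isNotBlank)
                .collect(Collectors.toList());
    }

    /** Reads the {@code auth.filter.service2service.singleUse} flag. */
    protected boolean isSingleUse() {
        return getConfigurationService().getPropertyValueAsBoolean(SINGLE_USE);
    }

    /** Reads the static system auth token returned by {@link #createToken()} when JWTs are disabled. */
    protected String getSystemAuthToken() {
        return getConfigurationService().getPropertyValueAsString(AuthConstants.AUTH_SYSTEM_TOKEN_PARAM);
    }

    public ConfigurationService getConfigurationService() {
        return this.configurationService;
    }

    public void setConfigurationService(ConfigurationService configurationService) {
        this.configurationService = configurationService;
    }

    /**
     * Builds a verifier keyed with the given secret.
     *
     * @param str the shared secret
     */
    private JwtConsumer getJwtConsumer(String str) {
        return new JwtConsumerBuilder()
                // Same explicit charset as the signing side, so both derive identical key bytes.
                .setVerificationKey(new HmacKey(str.getBytes(StandardCharsets.UTF_8)))
                // NOTE(review): relaxes the key-length check; see the class-level security notes.
                .setRelaxVerificationKeyValidation()
                .build();
    }

    /** Returns the cache of token ids already accepted in single-use mode. */
    private Cache<String, String> getUsedTokens() {
        return this.usedTokens;
    }
}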
