package org.thingsboard.server.service.security.model.token;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.time.ZonedDateTime;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.thingsboard.server.common.data.id.CustomerId;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.id.UserId;
import org.thingsboard.server.common.data.security.Authority;
import org.thingsboard.server.config.JwtSettings;
import org.thingsboard.server.service.security.model.SecurityUser;
import org.thingsboard.server.service.security.model.UserPrincipal;

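/**
 * Issues and parses the JWT access and refresh tokens used to authenticate users.
 *
 * <p>Both token kinds are signed with HS512 using the single shared secret from
 * {@link JwtSettings}, so anything holding that secret can mint either kind. The two kinds are
 * told apart only by the {@code scopes} claim: an access token carries the user's authorities,
 * a refresh token carries the single value {@code REFRESH_TOKEN} (and a random {@code jti}).
 * Signature verification is delegated to {@code RawAccessJwtToken#parseClaims}; this class then
 * validates the claim set it requires. NOTE(review): whether {@code parseClaims} also rejects
 * expired tokens is not visible here — confirm in {@code RawAccessJwtToken}.
 */
@Component
/* loaded from: input_file:org/thingsboard/server/service/security/model/token/JwtTokenFactory.class */
public class JwtTokenFactory {
    // Access token: list of authority names; refresh token: [REFRESH_TOKEN].
    private static final String SCOPES = "scopes";
    // UUID string of the user; mandatory in both token kinds.
    private static final String USER_ID = "userId";
    private static final String FIRST_NAME = "firstName";
    private static final String LAST_NAME = "lastName";
    private static final String ENABLED = "enabled";
    // true when the principal is a public-customer id rather than a username.
    private static final String IS_PUBLIC = "isPublic";
    private static final String TENANT_ID = "tenantId";
    private static final String CUSTOMER_ID = "customerId";
    private final JwtSettings settings;

    /**
     * Creates the factory.
     *
     * @param jwtSettings issuer, lifetimes and signing key for all tokens; must not be null
     */
    @Autowired
    public JwtTokenFactory(JwtSettings jwtSettings) {
        this.settings = Objects.requireNonNull(jwtSettings, "jwtSettings");
    }

    /**
     * Builds a signed access token describing the given user.
     *
     * @param securityUser the authenticated user; needs an email and at least one authority
     * @return the compact token together with the claims it was built from
     * @throws IllegalArgumentException if the user has no email or no authority
     */
    public AccessJwtToken createAccessJwtToken(SecurityUser securityUser) {
        if (StringUtils.isBlank(securityUser.getEmail())) {
            throw new IllegalArgumentException("Cannot create JWT Token without username/email");
        }
        if (securityUser.getAuthority() == null) {
            throw new IllegalArgumentException("User doesn't have any privileges");
        }
        List<String> scopes = securityUser.getAuthorities().stream()
                .map(granted -> granted.getAuthority())
                .collect(Collectors.toList());
        UserPrincipal userPrincipal = securityUser.getUserPrincipal();
        Claims claims = baseClaims(securityUser, userPrincipal, scopes);
        claims.put(FIRST_NAME, securityUser.getFirstName());
        claims.put(LAST_NAME, securityUser.getLastName());
        claims.put(ENABLED, securityUser.isEnabled());
        claims.put(IS_PUBLIC, isPublic(userPrincipal));
        // Tenant/customer are optional: a system administrator has neither.
        if (securityUser.getTenantId() != null) {
            claims.put(TENANT_ID, securityUser.getTenantId().getId().toString());
        }
        if (securityUser.getCustomerId() != null) {
            claims.put(CUSTOMER_ID, securityUser.getCustomerId().getId().toString());
        }
        ZonedDateTime now = ZonedDateTime.now();
        String token = Jwts.builder()
                .setClaims(claims)
                .setIssuer(settings.getTokenIssuer())
                .setIssuedAt(Date.from(now.toInstant()))
                .setExpiration(Date.from(now.plusSeconds(settings.getTokenExpirationTime().intValue()).toInstant()))
                // NOTE(review): jjwt's String-key overload expects a base64-encoded secret — confirm JwtSettings supplies one.
                .signWith(SignatureAlgorithm.HS512, settings.getTokenSigningKey())
                .compact();
        return new AccessJwtToken(token, claims);
    }

    /**
     * Verifies an access token and rebuilds the {@link SecurityUser} it describes.
     *
     * @param rawAccessJwtToken the raw token; its signature is checked by {@code parseClaims}
     * @return the user carried by the token
     * @throws IllegalArgumentException if the token has no scopes, is a refresh token, or lacks a
     *     required claim ({@code userId}, {@code enabled}, {@code isPublic})
     */
    public SecurityUser parseAccessJwtToken(RawAccessJwtToken rawAccessJwtToken) {
        Claims claims = (Claims) rawAccessJwtToken.parseClaims(settings.getTokenSigningKey()).getBody();
        String subject = claims.getSubject();
        List<?> scopes = requiredScopes(claims, "JWT Token");
        String authority = (String) scopes.get(0);
        // A refresh token is signed with the same key but carries only the REFRESH_TOKEN scope and
        // none of the profile claims; reject it here rather than failing later on a missing claim.
        if (Authority.REFRESH_TOKEN.name().equals(authority)) {
            throw new IllegalArgumentException("Refresh Token cannot be used as Access Token");
        }
        SecurityUser securityUser = new SecurityUser(userIdFromClaims(claims));
        securityUser.setEmail(subject);
        securityUser.setAuthority(Authority.parse(authority));
        securityUser.setFirstName(claims.get(FIRST_NAME, String.class));
        securityUser.setLastName(claims.get(LAST_NAME, String.class));
        securityUser.setEnabled(requiredClaim(claims, ENABLED, Boolean.class));
        securityUser.setUserPrincipal(principalFromClaims(claims, subject));
        String tenantId = claims.get(TENANT_ID, String.class);
        if (tenantId != null) {
            securityUser.setTenantId(new TenantId(UUID.fromString(tenantId)));
        }
        String customerId = claims.get(CUSTOMER_ID, String.class);
        if (customerId != null) {
            securityUser.setCustomerId(new CustomerId(UUID.fromString(customerId)));
        }
        return securityUser;
    }

    /**
     * Builds a signed refresh token for the given user. It carries only the identity needed to
     * re-issue an access token, plus a random {@code jti}, and uses the refresh lifetime.
     *
     * @param securityUser the authenticated user; needs an email
     * @return the compact token together with the claims it was built from
     * @throws IllegalArgumentException if the user has no email
     */
    public JwtToken createRefreshToken(SecurityUser securityUser) {
        if (StringUtils.isBlank(securityUser.getEmail())) {
            throw new IllegalArgumentException("Cannot create JWT Token without username/email");
        }
        ZonedDateTime now = ZonedDateTime.now();
        UserPrincipal userPrincipal = securityUser.getUserPrincipal();
        List<String> scopes = Collections.singletonList(Authority.REFRESH_TOKEN.name());
        Claims claims = baseClaims(securityUser, userPrincipal, scopes);
        claims.put(IS_PUBLIC, isPublic(userPrincipal));
        String token = Jwts.builder()
                .setClaims(claims)
                .setIssuer(settings.getTokenIssuer())
                .setId(UUID.randomUUID().toString())
                .setIssuedAt(Date.from(now.toInstant()))
                .setExpiration(Date.from(now.plusSeconds(settings.getRefreshTokenExpTime().intValue()).toInstant()))
                .signWith(SignatureAlgorithm.HS512, settings.getTokenSigningKey())
                .compact();
        return new AccessJwtToken(token, claims);
    }

    /**
     * Verifies a refresh token and rebuilds the minimal {@link SecurityUser} (id and principal)
     * it identifies.
     *
     * @param rawAccessJwtToken the raw token; its signature is checked by {@code parseClaims}
     * @return a user holding only the id and principal from the token
     * @throws IllegalArgumentException if the token has no scopes, its scope is not
     *     {@code REFRESH_TOKEN}, or it lacks {@code userId} or {@code isPublic}
     */
    public SecurityUser parseRefreshToken(RawAccessJwtToken rawAccessJwtToken) {
        Claims claims = (Claims) rawAccessJwtToken.parseClaims(settings.getTokenSigningKey()).getBody();
        String subject = claims.getSubject();
        List<?> scopes = requiredScopes(claims, "Refresh Token");
        // Compared via the constant so a non-String element fails the check instead of throwing CCE.
        if (!Authority.REFRESH_TOKEN.name().equals(scopes.get(0))) {
            throw new IllegalArgumentException("Invalid Refresh Token scope");
        }
        UserPrincipal userPrincipal = principalFromClaims(claims, subject);
        SecurityUser securityUser = new SecurityUser(userIdFromClaims(claims));
        securityUser.setUserPrincipal(userPrincipal);
        return securityUser;
    }

    /** Claims shared by both token kinds: subject, scopes and userId, in that order. */
    private static Claims baseClaims(SecurityUser securityUser, UserPrincipal userPrincipal, List<String> scopes) {
        Claims claims = Jwts.claims().setSubject(userPrincipal.getValue());
        claims.put(SCOPES, scopes);
        claims.put(USER_ID, securityUser.getId().getId().toString());
        return claims;
    }

    /** Whether the principal is a public-customer id rather than a username. */
    private static boolean isPublic(UserPrincipal userPrincipal) {
        return userPrincipal.getType() == UserPrincipal.Type.PUBLIC_ID;
    }

    /** Returns the non-empty scopes list, or throws using {@code tokenKind} in the message. */
    private static List<?> requiredScopes(Claims claims, String tokenKind) {
        List<?> scopes = claims.get(SCOPES, List.class);
        if (scopes == null || scopes.isEmpty()) {
            throw new IllegalArgumentException(tokenKind + " doesn't have any scopes");
        }
        return scopes;
    }

    /** Reads a claim that must be present; a missing claim is a malformed token, not an NPE. */
    private static <T> T requiredClaim(Claims claims, String name, Class<T> type) {
        T value = claims.get(name, type);
        if (value == null) {
            throw new IllegalArgumentException("JWT Token doesn't have required claim: " + name);
        }
        return value;
    }

    /** Builds the principal from the {@code isPublic} claim and the token subject. */
    private static UserPrincipal principalFromClaims(Claims claims, String subject) {
        boolean publicId = requiredClaim(claims, IS_PUBLIC, Boolean.class);
        return new UserPrincipal(publicId ? UserPrincipal.Type.PUBLIC_ID : UserPrincipal.Type.USER_NAME, subject);
    }

    /** Parses the mandatory {@code userId} claim into a {@link UserId}. */
    private static UserId userIdFromClaims(Claims claims) {
        return new UserId(UUID.fromString(requiredClaim(claims, USER_ID, String.class)));
    }
}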
