package org.thingsboard.server.service.security.model.token;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ClaimsBuilder;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.Keys;
import java.beans.ConstructorProperties;
import java.time.ZonedDateTime;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.stereotype.Component;
import org.thingsboard.server.common.data.StringUtils;
import org.thingsboard.server.common.data.id.CustomerId;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.id.UserId;
import org.thingsboard.server.common.data.security.Authority;
import org.thingsboard.server.common.data.security.model.JwtPair;
import org.thingsboard.server.common.data.security.model.JwtToken;
import org.thingsboard.server.service.security.auth.jwt.settings.JwtSettingsService;
import org.thingsboard.server.service.security.exception.JwtExpiredTokenException;
import org.thingsboard.server.service.security.model.SecurityUser;
import org.thingsboard.server.service.security.model.UserPrincipal;

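/**
 * Issues and verifies the HS512-signed JWTs used for API authentication: access tokens, refresh
 * tokens and pre-verification (second-factor pending) tokens.
 *
 * <p>All tokens are signed with the key taken from {@link JwtSettingsService}; the key and the
 * verifying parser are built lazily and can be rebuilt with {@link #reload()} after the settings
 * change. Parsing methods only trust claims after the signature has been verified by
 * {@link #parseTokenClaims(String)}, so a malformed or differently signed token never reaches the
 * claim mapping code.
 *
 * <p>Thread-safety: the cached key and parser are published through volatile fields guarded by
 * double-checked locking; the factory itself holds no other mutable state.
 */
@Component
/* loaded from: input_file:org/thingsboard/server/service/security/model/token/JwtTokenFactory.class */
public class JwtTokenFactory {
    private static final Logger log = LoggerFactory.getLogger(JwtTokenFactory.class);
    /** Minimum signing-key length in bits required by the HS512 algorithm descriptor. */
    public static int KEY_LENGTH = Jwts.SIG.HS512.getKeyBitLength();

    // Claim names shared by token creation and parsing; keep both sides in sync.
    private static final String SCOPES = "scopes";
    private static final String USER_ID = "userId";
    private static final String FIRST_NAME = "firstName";
    private static final String LAST_NAME = "lastName";
    private static final String ENABLED = "enabled";
    private static final String IS_PUBLIC = "isPublic";
    private static final String TENANT_ID = "tenantId";
    private static final String CUSTOMER_ID = "customerId";
    private static final String SESSION_ID = "sessionId";

    @Lazy
    private final JwtSettingsService jwtSettingsService;
    // Cached verification parser and signing key; null until first use or after reload().
    private volatile JwtParser jwtParser;
    private volatile SecretKey secretKey;

    /**
     * Creates a signed access token carrying the user's identity, authority, name, enabled flag,
     * tenant/customer ids and the public-user marker.
     *
     * @param securityUser authenticated user; must have an authority and a non-blank email
     * @return the compact serialized access token
     * @throws IllegalArgumentException if the user has no authority or no email
     */
    public AccessJwtToken createAccessJwtToken(SecurityUser securityUser) {
        if (securityUser.getAuthority() == null) {
            throw new IllegalArgumentException("User doesn't have any privileges");
        }
        UserPrincipal userPrincipal = securityUser.getUserPrincipal();
        List<String> scopes = securityUser.getAuthorities().stream()
                .map(grantedAuthority -> grantedAuthority.getAuthority())
                .collect(Collectors.toList());
        long expirationSeconds = this.jwtSettingsService.getJwtSettings().getTokenExpirationTime().intValue();
        JwtBuilder tokenBuilder = setUpToken(securityUser, scopes, expirationSeconds)
                .claim(FIRST_NAME, securityUser.getFirstName())
                .claim(LAST_NAME, securityUser.getLastName())
                .claim(ENABLED, securityUser.isEnabled())
                .claim(IS_PUBLIC, userPrincipal.getType() == UserPrincipal.Type.PUBLIC_ID);
        // Tenant/customer claims are optional; parseAccessJwtToken treats their absence as "not set".
        if (securityUser.getTenantId() != null) {
            tokenBuilder.claim(TENANT_ID, securityUser.getTenantId().getId().toString());
        }
        if (securityUser.getCustomerId() != null) {
            tokenBuilder.claim(CUSTOMER_ID, securityUser.getCustomerId().getId().toString());
        }
        return new AccessJwtToken(tokenBuilder.compact());
    }

    /**
     * Verifies an access token and rebuilds the {@link SecurityUser} from its claims.
     *
     * <p>The first scope is taken as the user's authority. A SYS_ADMIN token without a tenant claim
     * maps to the system tenant. For pre-verification tokens only identity, authority and session
     * are restored; name, enabled flag and public-user marker are not part of that token.
     *
     * @param token compact serialized access token
     * @return the reconstructed user
     * @throws IllegalArgumentException if a required claim (scopes, userId, enabled, isPublic) is
     *         missing — this replaces a NullPointerException for tokens issued with a different
     *         claim layout
     * @throws BadCredentialsException       if the token is malformed or unsupported
     * @throws JwtExpiredTokenException       if the token is expired or its signature does not verify
     */
    public SecurityUser parseAccessJwtToken(String token) {
        Claims claims = parseTokenClaims(token).getPayload();
        String subject = claims.getSubject();
        List<?> scopes = claims.get(SCOPES, List.class);
        if (scopes == null || scopes.isEmpty()) {
            throw new IllegalArgumentException("JWT Token doesn't have any scopes");
        }
        SecurityUser securityUser = new SecurityUser(new UserId(UUID.fromString(requiredClaim(claims, USER_ID, String.class))));
        securityUser.setEmail(subject);
        securityUser.setAuthority(Authority.parse((String) scopes.get(0)));
        String tenantId = claims.get(TENANT_ID, String.class);
        if (tenantId != null) {
            securityUser.setTenantId(TenantId.fromUUID(UUID.fromString(tenantId)));
        } else if (securityUser.getAuthority() == Authority.SYS_ADMIN) {
            // System administrators carry no tenant claim; they act within the system tenant.
            securityUser.setTenantId(TenantId.SYS_TENANT_ID);
        }
        String customerId = claims.get(CUSTOMER_ID, String.class);
        if (customerId != null) {
            securityUser.setCustomerId(new CustomerId(UUID.fromString(customerId)));
        }
        String sessionId = claims.get(SESSION_ID, String.class);
        if (sessionId != null) {
            securityUser.setSessionId(sessionId);
        }
        UserPrincipal userPrincipal;
        if (securityUser.getAuthority() != Authority.PRE_VERIFICATION_TOKEN) {
            securityUser.setFirstName(claims.get(FIRST_NAME, String.class));
            securityUser.setLastName(claims.get(LAST_NAME, String.class));
            securityUser.setEnabled(requiredClaim(claims, ENABLED, Boolean.class));
            userPrincipal = new UserPrincipal(principalType(requiredClaim(claims, IS_PUBLIC, Boolean.class)), subject);
        } else {
            userPrincipal = new UserPrincipal(UserPrincipal.Type.USER_NAME, subject);
        }
        securityUser.setUserPrincipal(userPrincipal);
        return securityUser;
    }

    /**
     * Creates a signed refresh token. Its only scope is {@code REFRESH_TOKEN}, it carries a random
     * {@code jti} and the public-user marker, and it expires after the configured refresh lifetime.
     *
     * @param securityUser user the refresh token is issued for
     * @return the compact serialized refresh token
     * @throws IllegalArgumentException if the user has no email
     */
    public JwtToken createRefreshToken(SecurityUser securityUser) {
        long expirationSeconds = this.jwtSettingsService.getJwtSettings().getRefreshTokenExpTime().intValue();
        boolean isPublic = securityUser.getUserPrincipal().getType() == UserPrincipal.Type.PUBLIC_ID;
        String refreshToken = setUpToken(securityUser, Collections.singletonList(Authority.REFRESH_TOKEN.name()), expirationSeconds)
                .claim(IS_PUBLIC, isPublic)
                .id(UUID.randomUUID().toString())
                .compact();
        return new AccessJwtToken(refreshToken);
    }

    /**
     * Verifies a refresh token and restores the minimal user (id, principal, session) needed to
     * issue a new token pair. The token must carry exactly the {@code REFRESH_TOKEN} scope, so an
     * access token cannot be replayed as a refresh token.
     *
     * @param token compact serialized refresh token
     * @return user identity reconstructed from the token
     * @throws IllegalArgumentException if the scope is missing or not {@code REFRESH_TOKEN}, or a
     *         required claim (userId, isPublic) is absent
     * @throws BadCredentialsException       if the token is malformed or unsupported
     * @throws JwtExpiredTokenException       if the token is expired or its signature does not verify
     */
    public SecurityUser parseRefreshToken(String token) {
        Claims claims = parseTokenClaims(token).getPayload();
        String subject = claims.getSubject();
        List<?> scopes = claims.get(SCOPES, List.class);
        if (scopes == null || scopes.isEmpty()) {
            throw new IllegalArgumentException("Refresh Token doesn't have any scopes");
        }
        if (!((String) scopes.get(0)).equals(Authority.REFRESH_TOKEN.name())) {
            throw new IllegalArgumentException("Invalid Refresh Token scope");
        }
        UserPrincipal userPrincipal = new UserPrincipal(principalType(requiredClaim(claims, IS_PUBLIC, Boolean.class)), subject);
        SecurityUser securityUser = new SecurityUser(new UserId(UUID.fromString(requiredClaim(claims, USER_ID, String.class))));
        securityUser.setUserPrincipal(userPrincipal);
        String sessionId = claims.get(SESSION_ID, String.class);
        if (sessionId != null) {
            securityUser.setSessionId(sessionId);
        }
        return securityUser;
    }

    /**
     * Creates a short-lived token with the single {@code PRE_VERIFICATION_TOKEN} scope, used while
     * a second authentication factor is still pending. The tenant claim is always written (the
     * caller must supply a user with a tenant); the customer claim only when present.
     *
     * @param securityUser user awaiting verification
     * @param expirationSeconds lifetime of the token in seconds
     * @return the compact serialized pre-verification token
     * @throws IllegalArgumentException if the user has no email
     */
    public JwtToken createPreVerificationToken(SecurityUser securityUser, Integer expirationSeconds) {
        JwtBuilder tokenBuilder = setUpToken(securityUser, Collections.singletonList(Authority.PRE_VERIFICATION_TOKEN.name()), expirationSeconds.intValue())
                // Same UUID-string form as createAccessJwtToken, which is what parseAccessJwtToken expects.
                .claim(TENANT_ID, securityUser.getTenantId().getId().toString());
        if (securityUser.getCustomerId() != null) {
            tokenBuilder.claim(CUSTOMER_ID, securityUser.getCustomerId().getId().toString());
        }
        return new AccessJwtToken(tokenBuilder.compact());
    }

    /**
     * Rebuilds the signing key and the verifying parser from the current JWT settings. Call after
     * the signing key has been changed; tokens signed with the previous key will then fail
     * verification. Both caches are refreshed under one lock so concurrent reloads cannot
     * interleave.
     */
    public void reload() {
        synchronized (this) {
            getSecretKey(true);
            getJwtParser(true);
        }
    }

    /**
     * Builds the common part of every token: subject (principal value), userId, scopes, optional
     * sessionId, issuer, issued-at and expiration, signed with HS512.
     *
     * @param securityUser user the token is issued for; must have a non-blank email
     * @param scopes authority names written to the {@code scopes} claim
     * @param expirationSeconds lifetime in seconds from now
     * @return a builder the caller may add further claims to before {@code compact()}
     * @throws IllegalArgumentException if the user has no email
     */
    private JwtBuilder setUpToken(SecurityUser securityUser, List<String> scopes, long expirationSeconds) {
        if (StringUtils.isBlank(securityUser.getEmail())) {
            throw new IllegalArgumentException("Cannot create JWT Token without username/email");
        }
        ClaimsBuilder claimsBuilder = Jwts.claims()
                .subject(securityUser.getUserPrincipal().getValue())
                .add(USER_ID, securityUser.getId().getId().toString())
                .add(SCOPES, scopes);
        if (securityUser.getSessionId() != null) {
            claimsBuilder.add(SESSION_ID, securityUser.getSessionId());
        }
        // One timestamp for both iat and exp so the lifetime is exactly expirationSeconds.
        ZonedDateTime now = ZonedDateTime.now();
        claimsBuilder.expiration(Date.from(now.plusSeconds(expirationSeconds).toInstant()));
        return Jwts.builder()
                .claims(claimsBuilder.build())
                .issuer(this.jwtSettingsService.getJwtSettings().getTokenIssuer())
                .issuedAt(Date.from(now.toInstant()))
                .signWith(getSecretKey(false), Jwts.SIG.HS512);
    }

    /**
     * Verifies the signature and validity of a token and returns its claims.
     *
     * <p>NOTE(review): a {@link SignatureException} is mapped to {@link JwtExpiredTokenException}
     * together with {@link ExpiredJwtException}, so a token whose signature does not verify is
     * reported as "expired". This presumably makes clients re-authenticate after a signing-key
     * rotation rather than treating it as a credential error; callers that distinguish the two
     * cases cannot rely on the exception type. Kept as-is because callers catch these types.
     *
     * @param token compact serialized JWT
     * @return the verified signed claims
     * @throws BadCredentialsException  if the token is unsupported, malformed or blank
     * @throws JwtExpiredTokenException if the token is expired or its signature does not verify
     */
    public Jws<Claims> parseTokenClaims(String token) {
        try {
            return getJwtParser(false).parseSignedClaims(token);
        } catch (UnsupportedJwtException | MalformedJwtException | IllegalArgumentException e) {
            log.debug("Invalid JWT Token", e);
            throw new BadCredentialsException("Invalid JWT token: ", e);
        } catch (SignatureException | ExpiredJwtException e2) {
            log.debug("JWT Token is expired", e2);
            throw new JwtExpiredTokenException(token, "JWT Token expired", e2);
        }
    }

    /**
     * Starts a new session for the user and issues a matching access/refresh token pair. The
     * random session id is stored on the user and embedded in both tokens.
     *
     * @param securityUser user to issue tokens for; its session id is overwritten
     * @return the new token pair
     */
    public JwtPair createTokenPair(SecurityUser securityUser) {
        securityUser.setSessionId(UUID.randomUUID().toString());
        String accessToken = createAccessJwtToken(securityUser).getToken();
        String refreshToken = createRefreshToken(securityUser).getToken();
        return new JwtPair(accessToken, refreshToken);
    }

    /**
     * Returns the signing key, building it from the configured base64 key on first use or when
     * {@code forceReload} is set (double-checked locking on the volatile field).
     */
    private SecretKey getSecretKey(boolean forceReload) {
        if (this.secretKey == null || forceReload) {
            synchronized (this) {
                if (this.secretKey == null || forceReload) {
                    this.secretKey = new SecretKeySpec(decodedSigningKey(), "HmacSHA512");
                }
            }
        }
        return this.secretKey;
    }

    /**
     * Returns the verifying parser, building it from the configured base64 key on first use or
     * when {@code forceReload} is set (double-checked locking on the volatile field).
     */
    private JwtParser getJwtParser(boolean forceReload) {
        if (this.jwtParser == null || forceReload) {
            synchronized (this) {
                if (this.jwtParser == null || forceReload) {
                    this.jwtParser = Jwts.parser()
                            .verifyWith(Keys.hmacShaKeyFor(decodedSigningKey()))
                            .build();
                }
            }
        }
        return this.jwtParser;
    }

    /** Decodes the base64 signing key from the current JWT settings. */
    private byte[] decodedSigningKey() {
        return Base64.getDecoder().decode(this.jwtSettingsService.getJwtSettings().getTokenSigningKey());
    }

    /**
     * Reads a claim every token issued by this factory carries, rejecting its absence as an
     * invalid token instead of letting a later unboxing fail with a NullPointerException.
     *
     * @throws IllegalArgumentException if the claim is absent
     */
    private static <T> T requiredClaim(Claims claims, String name, Class<T> type) {
        T value = claims.get(name, type);
        if (value == null) {
            throw new IllegalArgumentException("JWT Token doesn't have required claim: " + name);
        }
        return value;
    }

    /** Maps the {@code isPublic} claim to the principal type it was derived from on creation. */
    private static UserPrincipal.Type principalType(boolean isPublic) {
        return isPublic ? UserPrincipal.Type.PUBLIC_ID : UserPrincipal.Type.USER_NAME;
    }

    /**
     * Creates the factory.
     *
     * @param jwtSettingsService source of the signing key, issuer and token lifetimes; injected
     *        lazily to avoid a dependency cycle at startup
     */
    @ConstructorProperties({"jwtSettingsService"})
    public JwtTokenFactory(@Lazy JwtSettingsService jwtSettingsService) {
        this.jwtSettingsService = jwtSettingsService;
    }
}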
