package org.gridgain.internal.security.jwt;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.concurrent.CompletableFuture;
import org.apache.ignite.internal.event.EventListener;
import org.apache.ignite.internal.event.EventProducer;
import org.apache.ignite.internal.manager.ComponentContext;
import org.apache.ignite.internal.metastorage.MetaStorageManager;
import org.apache.ignite.internal.security.authentication.UserDetails;
import org.apache.ignite.internal.security.authentication.event.AuthenticationEvent;
import org.apache.ignite.internal.security.authentication.event.AuthenticationEventParameters;
import org.apache.ignite.internal.security.authentication.event.UserEventParameters;
import org.apache.ignite.internal.security.jwt.configuration.JwtConfiguration;
import org.apache.ignite.internal.util.ClusterNameProvider;
import org.apache.ignite.internal.util.CompletableFutures;
import org.apache.ignite.internal.util.NodeNameProvider;
import org.gridgain.internal.rbac.authorization.Authorizer;
import org.gridgain.internal.rbac.privileges.Action;
import org.gridgain.internal.rbac.privileges.Privilege;
import org.gridgain.internal.rbac.privileges.Selector;
import org.gridgain.internal.security.context.GridGainSecurity;
import org.gridgain.internal.security.jwt.exception.JwtValidationException;
import org.gridgain.internal.security.key.IgnitePrivateKey;
import org.gridgain.internal.security.key.NodeKeyManager;
import org.gridgain.internal.security.key.exception.KeyExpiredException;

/* loaded from: input_file:org/gridgain/internal/security/jwt/JwtTokenManager.class */
public class JwtTokenManager implements TokenManager {
    private static final String[] REQUIRED_CLAIMS = {Claim.CLUSTER_NAME, Claim.NODE_NAME, Claim.SUBJECT, Claim.ROLES, Claim.KEY_ID};
    private final ClusterNameProvider clusterNameProvider;
    private final NodeNameProvider nodeNameProvider;
    private final JwtConfiguration jwtConfiguration;
    private final NodeKeyManager keyManager;
    private final BlockList blockList;
    private final Authorizer authorizer;
    private final EventProducer<AuthenticationEvent, AuthenticationEventParameters> authEventProducer;
    private final EventListener<UserEventParameters> userRemovedListener = this::onUserRemoved;

    public JwtTokenManager(ClusterNameProvider clusterNameProvider, NodeNameProvider nodeNameProvider, JwtConfiguration jwtConfiguration, NodeKeyManager nodeKeyManager, MetaStorageManager metaStorageManager, Authorizer authorizer, EventProducer<AuthenticationEvent, AuthenticationEventParameters> eventProducer) {
        this.clusterNameProvider = clusterNameProvider;
        this.nodeNameProvider = nodeNameProvider;
        this.jwtConfiguration = jwtConfiguration;
        this.keyManager = nodeKeyManager;
        this.authorizer = authorizer;
        this.blockList = new BlockList(metaStorageManager, jwtConfiguration);
        this.authEventProducer = eventProducer;
    }

    @Override // org.gridgain.internal.security.jwt.TokenManager
    public String issueToken(UserDetails userDetails) {
        Instant now = Instant.now();
        IgnitePrivateKey<RSAPrivateKey> localPrivateKey = this.keyManager.getLocalPrivateKey();
        return JWT.create().withSubject(userDetails.username()).withIssuedAt(now).withExpiresAt(now.plusMillis(((Long) this.jwtConfiguration.ttl().value()).longValue())).withClaim(Claim.ROLES, new ArrayList(userDetails.roles())).withClaim(Claim.CLUSTER_NAME, this.clusterNameProvider.getName()).withClaim(Claim.NODE_NAME, this.nodeNameProvider.getName()).withClaim(Claim.KEY_ID, Integer.valueOf(localPrivateKey.metadata().id())).sign(Algorithm.RSA256((RSAPublicKey) null, localPrivateKey.key()));
    }

    @Override // org.gridgain.internal.security.jwt.TokenManager
    public UserDetails validateAndExtractDetails(String str) {
        DecodedJWT parseToken = parseToken(str);
        if (isRevoked(str, parseToken.getSubject(), parseToken.getIssuedAtAsInstant())) {
            throw new JwtValidationException("Failed to validate JWT token: token is revoked");
        }
        return new UserDetails(parseToken.getSubject(), "Unknown", new HashSet(parseToken.getClaim(Claim.ROLES).asList(String.class)));
    }

    private DecodedJWT parseToken(String str) {
        try {
            DecodedJWT decode = JWT.decode(str);
            verifyClaims(decode);
            verifySignature(decode);
            return decode;
        } catch (KeyExpiredException e) {
            throw new JwtValidationException("Failed to validate JWT token: key is expired", e);
        } catch (SignatureVerificationException e2) {
            throw new JwtValidationException("Failed to verify JWT token signature", e2);
        } catch (JwtValidationException e3) {
            throw e3;
        } catch (TokenExpiredException e4) {
            throw new JwtValidationException("Failed to validate JWT token: token is expired on " + e4.getExpiredOn(), e4);
        } catch (Exception e5) {
            throw new JwtValidationException("Failed to validate JWT token: " + e5.getMessage(), e5);
        } catch (JWTDecodeException e6) {
            throw new JwtValidationException("Failed to decode JWT token", e6);
        }
    }

    private static void verifyClaims(DecodedJWT decodedJWT) {
        for (String str : REQUIRED_CLAIMS) {
            if (decodedJWT.getClaim(str).isMissing()) {
                throw new JwtValidationException("Failed to validate JWT token: claim " + str + " is missing");
            }
        }
    }

    private void verifySignature(DecodedJWT decodedJWT) {
        int intValue = decodedJWT.getClaim(Claim.KEY_ID).asInt().intValue();
        JWT.require(Algorithm.RSA256(this.keyManager.getPublicKey(decodedJWT.getClaim(Claim.NODE_NAME).asString(), intValue).key(), (RSAPrivateKey) null)).build().verify(decodedJWT);
    }

    private boolean isRevoked(String str, String str2, Instant instant) {
        return this.blockList.isTokenRevoked(str, str2, instant);
    }

    @Override // org.gridgain.internal.security.jwt.TokenManager
    public CompletableFuture<Void> revokeToken(String str) {
        DecodedJWT parseToken = parseToken(str);
        return this.authorizer.authorizeThenCompose(Privilege.builder().action(Action.REVOKE_TOKEN).selector(Selector.user(parseToken.getSubject())).build(), () -> {
            return this.blockList.revokeToken(parseToken.getToken(), parseToken.getExpiresAtAsInstant());
        });
    }

    @Override // org.gridgain.internal.security.jwt.TokenManager
    public CompletableFuture<Void> revokeAllTokens(String str) {
        return this.authorizer.authorizeThenCompose(Privilege.builder().action(Action.REVOKE_TOKEN).selector(Selector.user(str)).build(), () -> {
            return this.blockList.revokeTokensIssuedBefore(str, Instant.now());
        });
    }

    public CompletableFuture<Void> startAsync(ComponentContext componentContext) {
        this.blockList.start();
        this.authEventProducer.listen(AuthenticationEvent.USER_REMOVED, this.userRemovedListener);
        return CompletableFutures.nullCompletedFuture();
    }

    private CompletableFuture<Boolean> onUserRemoved(UserEventParameters userEventParameters) {
        return ((CompletableFuture) GridGainSecurity.bypass(() -> {
            return revokeAllTokens(userEventParameters.username());
        })).thenApply(r2 -> {
            return false;
        });
    }

    public CompletableFuture<Void> stopAsync(ComponentContext componentContext) {
        this.blockList.stop();
        this.authEventProducer.removeListener(AuthenticationEvent.USER_REMOVED, this.userRemovedListener);
        return CompletableFutures.nullCompletedFuture();
    }
}
