package com.e2eq.framework.model.security.auth.provider.jwtToken;

import com.e2eq.framework.exceptions.ReferentialIntegrityViolationException;
import com.e2eq.framework.model.persistent.morphia.CredentialRepo;
import com.e2eq.framework.model.persistent.security.CredentialRefreshToken;
import com.e2eq.framework.model.persistent.security.CredentialUserIdPassword;
import com.e2eq.framework.model.persistent.security.DomainContext;
import com.e2eq.framework.model.security.auth.AuthProvider;
import com.e2eq.framework.model.security.auth.UserManagement;
import com.e2eq.framework.util.EncryptionUtils;
import com.e2eq.framework.util.TokenUtils;
import io.quarkus.logging.Log;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.jwt.auth.principal.JWTParser;
import io.smallrye.jwt.auth.principal.ParseException;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.HashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;

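/**
 * Credential-backed {@link AuthProvider} and {@link UserManagement} implementation.
 *
 * <p>User records are {@link CredentialUserIdPassword} entities held in the injected
 * {@link CredentialRepo}. Passwords are verified through {@link EncryptionUtils} and only the
 * {@code BCrypt.default} hashing algorithm is accepted. Access tokens issued by {@link #login}
 * come from {@link TokenUtils}; tokens issued by {@link #refreshTokens} are built locally as
 * HS256 JWTs signed with {@code auth.jwt.secret}. Every token presented for validation is parsed
 * by the injected {@link JWTParser}.
 *
 * <p>Two independent lifetimes are configured: {@code com.b2bi.jwt.duration} (seconds) drives
 * the {@link TokenUtils} tokens and the reported expiry, while {@code auth.jwt.expiration}
 * (minutes) drives the locally built HS256 token. Whether they are meant to agree is not
 * visible here.
 */
@ApplicationScoped
public class CustomTokenAuthProvider implements AuthProvider, UserManagement {

    /** The only password-hashing algorithm this provider can produce and verify. */
    private static final String SUPPORTED_HASHING_ALGORITHM = "BCrypt.default";

    /** Longest user id accepted by {@link #createUser}. */
    private static final int MAX_USER_ID_LENGTH = 17;

    /** Seconds added on top of the access-token lifetime when a refresh token is issued. */
    private static final long REFRESH_GRACE_SECONDS = 10;

    /** Raw HMAC key for the locally built HS256 tokens; used as UTF-8 bytes, never logged. */
    @ConfigProperty(name = "auth.jwt.secret")
    String secretKey;

    /** Lifetime, in minutes, of the HS256 tokens produced by {@link #generateAuthToken}. */
    @ConfigProperty(name = "auth.jwt.expiration")
    Long expirationInMinutes;

    /** Issuer claim written into every token produced through {@link TokenUtils}. */
    @ConfigProperty(name = "mp.jwt.verify.issuer")
    String issuer;

    /** Lifetime, in seconds, of the access tokens produced by {@link #login}. */
    @ConfigProperty(name = "com.b2bi.jwt.duration")
    Long durationInSeconds;

    /** Name of the system realm; injected but not read by any method in this class. */
    @ConfigProperty(name = "quantum.realmConfig.systemRealm", defaultValue = "system-com")
    String systemRealm;

    @Inject
    JWTParser jwtParser;

    @Inject
    CredentialRepo credentialRepo;

    /** {@inheritDoc} Always {@code "custom"}. */
    @Override
    public String getName() {
        return "custom";
    }

    /**
     * Creates and persists a credential record for a new user.
     *
     * @param userId        user id, at most {@value #MAX_USER_ID_LENGTH} characters
     * @param password      clear-text password; only its BCrypt hash is stored
     * @param roles         roles granted to the user
     * @param domainContext domain context stored with the credential
     * @throws SecurityException    if the user id is too long or the entity's hashing
     *                              algorithm is not {@code BCrypt.default}
     * @throws NullPointerException if {@code userId}, {@code password} or {@code roles} is null
     */
    @Override
    public void createUser(String userId, String password, Set<String> roles, DomainContext domainContext) throws SecurityException {
        Objects.requireNonNull(userId, "userId");
        Objects.requireNonNull(password, "password");
        Objects.requireNonNull(roles, "roles");
        if (userId.length() > MAX_USER_ID_LENGTH) {
            throw new SecurityException("Username too long: must be at most " + MAX_USER_ID_LENGTH + " characters");
        }
        CredentialUserIdPassword credential = new CredentialUserIdPassword();
        credential.setUserId(userId);
        // The entity chooses its hashing algorithm; refuse anything this provider cannot verify.
        if (!isSupportedHashing(credential)) {
            throw new SecurityException("Unsupported hashing algorithm: " + credential.getHashingAlgorithm());
        }
        credential.setPasswordHash(EncryptionUtils.hashPassword(password));
        credential.setDomainContext(domainContext);
        credential.setRoles(roles.toArray(new String[0]));
        credential.setLastUpdate(new Date());
        this.credentialRepo.save(credential);
    }

    /**
     * Deletes the credential record of a user.
     *
     * @param userId user id to remove
     * @return {@code true} if a record existed and the repository reported a non-zero delete
     *         count, {@code false} if no record was found
     * @throws ReferentialIntegrityViolationException propagated from the repository
     */
    @Override
    public boolean removeUser(String userId) throws ReferentialIntegrityViolationException {
        Optional<CredentialUserIdPassword> existing = this.credentialRepo.findByUserId(userId);
        if (!existing.isPresent()) {
            return false;
        }
        return this.credentialRepo.delete(existing.get()) != 0;
    }

    /**
     * Adds roles to an existing user and persists the result.
     *
     * @param userId user id whose roles are extended
     * @param roles  roles to add; roles already present are kept
     * @throws SecurityException if no credential exists for {@code userId}
     */
    @Override
    public void assignRoles(String userId, Set<String> roles) throws SecurityException {
        CredentialUserIdPassword credential = requireCredential(userId);
        Set<String> merged = rolesOf(credential);
        merged.addAll(roles);
        credential.setRoles(merged.toArray(new String[0]));
        this.credentialRepo.save(credential);
    }

    /**
     * Removes roles from an existing user and persists the result.
     *
     * @param userId user id whose roles are reduced
     * @param roles  roles to remove; roles not present are ignored
     * @throws SecurityException if no credential exists for {@code userId}
     */
    @Override
    public void removeRoles(String userId, Set<String> roles) throws SecurityException {
        CredentialUserIdPassword credential = requireCredential(userId);
        Set<String> remaining = rolesOf(credential);
        remaining.removeAll(roles);
        credential.setRoles(remaining.toArray(new String[0]));
        this.credentialRepo.save(credential);
    }

    /**
     * Returns the roles currently stored for a user.
     *
     * @param userId user id to look up
     * @return a new, mutable set of the user's roles (empty if none are stored)
     * @throws SecurityException if no credential exists for {@code userId}
     */
    @Override
    public Set<String> getUserRoles(String userId) throws SecurityException {
        return rolesOf(requireCredential(userId));
    }

    /** {@inheritDoc} */
    @Override
    public boolean userExists(String userId) throws SecurityException {
        return this.credentialRepo.findByUserId(userId).isPresent();
    }

    /**
     * Verifies a user id / password pair and, on success, issues an access token plus a refresh
     * token.
     *
     * <p>Failure responses carry status 404 when no credential exists and 401 when the password
     * does not match. The two distinct codes let a caller distinguish registered user ids from
     * unknown ones; they are kept because callers may depend on them, but collapsing both into
     * one response would remove that oracle.
     *
     * @param userId   user id presented at login
     * @param password clear-text password presented at login
     * @return a positive response with tokens, or a negative response describing the failure
     * @throws UnsupportedOperationException if the stored credential does not use
     *                                       {@code BCrypt.default}
     */
    @Override
    public AuthProvider.LoginResponse login(String userId, String password) {
        try {
            Optional<CredentialUserIdPassword> found = getCredentials(userId, password);
            if (!found.isPresent()) {
                return new AuthProvider.LoginResponse(false, new AuthProvider.LoginNegativeResponse(userId, 400, 404, "Invalid credentials", "NotFound", "Credentials not found"));
            }
            CredentialUserIdPassword credential = found.get();
            if (!isSupportedHashing(credential)) {
                throw new UnsupportedOperationException("Unsupported hashing algorithm: " + credential.getHashingAlgorithm());
            }
            if (!EncryptionUtils.checkPassword(password, credential.getPasswordHash())) {
                return new AuthProvider.LoginResponse(false, new AuthProvider.LoginNegativeResponse(userId, 400, 401, "Invalid credentials", "Invalid credentials", "credentials did not match"));
            }
            long lifetimeSecs = this.durationInSeconds.longValue();
            long expiresAtSecs = TokenUtils.currentTimeInSecs() + lifetimeSecs;
            String accessToken = TokenUtils.generateUserToken(credential.getUserId(), rolesOf(credential), TokenUtils.expiresAt(lifetimeSecs), this.issuer);
            // generateRefreshToken takes a lifetime in seconds and adds the current time itself;
            // passing an absolute timestamp here (as refreshTokens never did) doubled the clock
            // and produced refresh tokens that expired decades in the future.
            String refreshToken = generateRefreshToken(credential.getUserId(), accessToken, lifetimeSecs);
            return new AuthProvider.LoginResponse(true, new AuthProvider.LoginPositiveResponse(userId, validateAccessToken(accessToken), rolesOf(credential), accessToken, refreshToken, expiresAtSecs));
        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            return new AuthProvider.LoginResponse(false, new AuthProvider.LoginNegativeResponse(userId, 400, 500, e.getMessage(), e.getClass().getName(), e.toString()));
        }
    }

    /**
     * Issues a new access token and refresh token for the subject of a presented token.
     *
     * <p>The presented value is parsed as an <em>access</em> token by {@link #validateAccessToken};
     * the {@link CredentialRefreshToken} built by {@link #generateRefreshToken} is never consulted,
     * so nothing here checks that a refresh token was actually issued or has been revoked. The new
     * access token is a locally signed HS256 token (see {@link #generateAuthToken}), whereas
     * {@link #login} issues tokens through {@link TokenUtils}; whether {@link #jwtParser} accepts
     * the HS256 form cannot be determined from this class.
     *
     * @param token token whose subject receives the new tokens
     * @return a positive response with the new tokens, or a negative response on failure
     * @throws SecurityException if the presented token does not validate
     */
    @Override
    public AuthProvider.LoginResponse refreshTokens(String token) {
        SecurityIdentity identity = validateAccessToken(token);
        String userId = identity.getPrincipal().getName();
        String accessToken = generateAuthToken(userId);
        try {
            long lifetimeSecs = this.durationInSeconds.longValue();
            String refreshToken = generateRefreshToken(userId, accessToken, lifetimeSecs);
            // NOTE(review): the expiry reported here uses durationInSeconds, while the HS256
            // token itself expires after expirationInMinutes — the two may disagree.
            return new AuthProvider.LoginResponse(true, new AuthProvider.LoginPositiveResponse(userId, identity, identity.getRoles(), accessToken, refreshToken, TokenUtils.currentTimeInSecs() + lifetimeSecs));
        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            return new AuthProvider.LoginResponse(false, new AuthProvider.LoginNegativeResponse(userId, 400, 500, e.getMessage(), e.getClass().getName(), e.toString()));
        }
    }

    /**
     * Parses and verifies a token with the injected {@link JWTParser} and turns its subject and
     * groups into a {@link SecurityIdentity}.
     *
     * @param token serialized JWT
     * @return identity whose principal is the token subject and whose roles are the token groups
     * @throws SecurityException if the parser rejects the token; the cause is logged, not exposed
     */
    @Override
    public SecurityIdentity validateAccessToken(String token) {
        try {
            JsonWebToken jwt = this.jwtParser.parse(token);
            Set<String> groups = jwt.getGroups();
            // A token without a groups claim yields null here; treat it as "no roles".
            Set<String> roles = groups == null ? new HashSet<>() : new HashSet<>(groups);
            return buildIdentity(jwt.getSubject(), roles);
        } catch (ParseException e) {
            Log.error("Token validation failed", e);
            throw new SecurityException("Invalid token");
        }
    }

    /**
     * Builds a compact HS256 JWT ({@code header.payload.signature}) for a subject, valid for
     * {@link #expirationInMinutes} from now and signed with {@link #secretKey}.
     *
     * @param subject value of the {@code sub} claim
     * @return the serialized token
     * @throws RuntimeException wrapping any signing failure
     */
    private String generateAuthToken(String subject) {
        Objects.requireNonNull(subject, "subject");
        try {
            long issuedAtSecs = System.currentTimeMillis() / 1000;
            long expiresAtSecs = issuedAtSecs + this.expirationInMinutes.longValue() * 60;
            // JWS segments are base64url without padding; a padded segment is not a valid JWT.
            Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();
            String header = encoder.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
            // The subject is interpolated into JSON, so quotes, backslashes and control
            // characters in it must be escaped. exp is the expiry timestamp (the original
            // code wrote the encoder object's toString here).
            String claims = "{\"sub\":\"" + jsonEscape(subject) + "\",\"iat\":" + issuedAtSecs + ",\"exp\":" + expiresAtSecs + "}";
            String payload = encoder.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
            String signingInput = header + "." + payload;
            return signingInput + "." + sign(signingInput, this.secretKey);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Failed to generate auth token", e);
        }
    }

    /**
     * Computes the base64url (unpadded) HMAC-SHA256 of a signing input.
     *
     * @param signingInput text to sign
     * @param secret       key material, used as its UTF-8 bytes
     * @return the encoded signature
     * @throws GeneralSecurityException if the MAC algorithm is unavailable or the key is rejected
     */
    private static String sign(String signingInput, String secret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Issues a refresh token through {@link TokenUtils} that expires {@code lifetimeSecs}
     * plus {@value #REFRESH_GRACE_SECONDS} seconds from now.
     *
     * @param userId       subject of the refresh token
     * @param accessToken  access token the refresh token is paired with
     * @param lifetimeSecs access-token lifetime in seconds, measured from now (not an
     *                     absolute timestamp)
     * @return the serialized refresh token
     */
    private String generateRefreshToken(String userId, String accessToken, long lifetimeSecs) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        long expiresAtSecs = TokenUtils.currentTimeInSecs() + lifetimeSecs + REFRESH_GRACE_SECONDS;
        String refreshToken = TokenUtils.generateRefreshToken(userId, expiresAtSecs, this.issuer);
        Date now = new Date();
        // TODO(review): the entity built here is discarded rather than persisted, so issued
        // refresh tokens can be neither looked up nor revoked; no repository for
        // CredentialRefreshToken is injected in this class. mo8build() appears to be the
        // decompiled name of the builder's build method.
        CredentialRefreshToken.builder()
                .userId(userId)
                .refreshToken(refreshToken)
                .accessToken(accessToken)
                .creationDate(now)
                .lastRefreshDate(now)
                .expirationDate(new Date(expiresAtSecs * 1000))
                .mo8build();
        return refreshToken;
    }

    /**
     * Looks up the credential for a user id. The password is not checked here; {@link #login}
     * verifies it against the stored hash.
     *
     * @param userId   user id to look up
     * @param password unused
     * @return the credential, if one exists
     */
    private Optional<CredentialUserIdPassword> getCredentials(String userId, String password) {
        return this.credentialRepo.findByUserId(userId);
    }

    /**
     * Assembles a {@link QuarkusSecurityIdentity} with the given principal name and roles plus the
     * {@code token_type} and {@code auth_time} attributes.
     */
    private static SecurityIdentity buildIdentity(String subject, Set<String> roles) {
        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
        builder.setPrincipal(() -> subject);
        roles.forEach(builder::addRole);
        builder.addAttribute("token_type", "custom");
        builder.addAttribute("auth_time", System.currentTimeMillis());
        return builder.build();
    }

    /** Fetches the credential for {@code userId} or throws the "User not found" error. */
    private CredentialUserIdPassword requireCredential(String userId) {
        return this.credentialRepo.findByUserId(userId)
                .orElseThrow(() -> new SecurityException("User not found: " + userId));
    }

    /** Copies the stored role array into a new mutable set; a missing array counts as no roles. */
    private static Set<String> rolesOf(CredentialUserIdPassword credential) {
        String[] stored = credential.getRoles();
        Set<String> roles = new HashSet<>();
        if (stored != null) {
            roles.addAll(Arrays.asList(stored));
        }
        return roles;
    }

    /** True if the credential's hashing algorithm is the one this provider supports. */
    private static boolean isSupportedHashing(CredentialUserIdPassword credential) {
        return SUPPORTED_HASHING_ALGORITHM.equalsIgnoreCase(credential.getHashingAlgorithm());
    }

    /** Escapes a value for use inside a JSON string literal (quotes, backslashes, controls). */
    private static String jsonEscape(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"') {
                out.append("\\\"");
            } else if (c == '\\') {
                out.append("\\\\");
            } else if (c < 0x20) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }
}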
