package org.craftercms.studio.impl.v2.service.security.internal;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.beans.ConstructorProperties;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.Temporal;
import java.time.temporal.TemporalUnit;
import java.util.Collection;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.craftercms.commons.crypto.CryptoException;
import org.craftercms.commons.crypto.TextEncryptor;
import org.craftercms.commons.http.HttpUtils;
import org.craftercms.studio.api.v1.exception.ServiceLayerException;
import org.craftercms.studio.api.v1.exception.SiteNotFoundException;
import org.craftercms.studio.api.v2.dal.AuditLog;
import org.craftercms.studio.api.v2.dal.AuditLogConstants;
import org.craftercms.studio.api.v2.dal.RetryingDatabaseOperationFacade;
import org.craftercms.studio.api.v2.dal.SecurityDAO;
import org.craftercms.studio.api.v2.dal.Site;
import org.craftercms.studio.api.v2.dal.User;
import org.craftercms.studio.api.v2.service.audit.AuditService;
import org.craftercms.studio.api.v2.service.security.AccessTokenService;
import org.craftercms.studio.api.v2.service.security.UserService;
import org.craftercms.studio.api.v2.service.site.SitesService;
import org.craftercms.studio.api.v2.service.system.InstanceService;
import org.craftercms.studio.api.v2.utils.StudioConfiguration;
import org.craftercms.studio.api.v2.utils.spring.context.SystemStatusProvider;
import org.craftercms.studio.impl.v1.web.security.access.StudioAbstractAccessDecisionVoter;
import org.craftercms.studio.model.security.AccessToken;
import org.craftercms.studio.model.security.PersistentAccessToken;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.HmacKey;
import org.jose4j.keys.PbkdfKey;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.util.CookieGenerator;
import org.springframework.web.util.WebUtils;

/* loaded from: input_file:org/craftercms/studio/impl/v2/service/security/internal/AccessTokenServiceInternalImpl.class */
public class AccessTokenServiceInternalImpl implements AccessTokenService, InitializingBean {
    private static final Logger logger = LoggerFactory.getLogger(AccessTokenServiceInternalImpl.class);
    public static final String ACTIVITY_CACHE_CONFIG_KEY = "studio.security.activity.cache.config";
    private static final String CRAFTER_SITE_COOKIE_NAME = "crafterSite";
    private static final String JWE_ALGORITHM_HEADER_VALUE = "PBES2-HS512+A256KW";
    private static final String JWE_ENCRYPTION_METHOD_HEADER_VALUE = "A256CBC-HS512";
    protected final String issuer;
    protected final String[] validIssuers;
    protected String audience;
    protected final int accessTokenExpiration;
    protected final String signPassword;
    protected final String encryptPassword;
    protected final int sessionTimeout;
    protected final int inactivityTimeout;
    private CookieGenerator refreshTokenCookieGenerator;
    private CookieGenerator previewCookieGenerator;
    protected Cache<Long, Instant> userActivity;
    protected Key jwtSignKey;
    protected Key jwtEncryptKey;
    protected final SecurityDAO securityDao;
    protected final UserService userService;
    protected final InstanceService instanceService;
    protected final AuditService auditService;
    protected final StudioConfiguration studioConfiguration;
    protected final SitesService siteService;
    protected final RetryingDatabaseOperationFacade retryingDatabaseOperationFacade;
    protected final SystemStatusProvider systemStatusProvider;
    protected final TextEncryptor previewTokenEncryptor;

    @ConstructorProperties({"issuer", "validIssuers", "accessTokenExpiration", "signPassword", "encryptPassword", "sessionTimeout", "inactivityTimeout", "securityDao", "instanceService", "auditService", "studioConfiguration", "siteService", "retryingDatabaseOperationFacade", "systemStatusProvider", "previewTokenEncryptor", "userService"})
    public AccessTokenServiceInternalImpl(String str, String[] strArr, int i, String str2, String str3, int i2, int i3, SecurityDAO securityDAO, InstanceService instanceService, AuditService auditService, StudioConfiguration studioConfiguration, SitesService sitesService, RetryingDatabaseOperationFacade retryingDatabaseOperationFacade, SystemStatusProvider systemStatusProvider, TextEncryptor textEncryptor, UserService userService) {
        this.issuer = str;
        this.validIssuers = strArr;
        this.accessTokenExpiration = i;
        this.signPassword = str2;
        this.encryptPassword = str3;
        this.sessionTimeout = i2;
        this.inactivityTimeout = i3;
        this.securityDao = securityDAO;
        this.instanceService = instanceService;
        this.auditService = auditService;
        this.studioConfiguration = studioConfiguration;
        this.siteService = sitesService;
        this.retryingDatabaseOperationFacade = retryingDatabaseOperationFacade;
        this.systemStatusProvider = systemStatusProvider;
        this.previewTokenEncryptor = textEncryptor;
        this.userService = userService;
    }

    public void setAudience(String str) {
        this.audience = str;
    }

    public void afterPropertiesSet() {
        this.userActivity = CacheBuilder.from(this.studioConfiguration.getProperty(ACTIVITY_CACHE_CONFIG_KEY)).build();
        this.jwtSignKey = new HmacKey(this.signPassword.getBytes(StandardCharsets.UTF_8));
        this.jwtEncryptKey = new PbkdfKey(this.encryptPassword);
        this.refreshTokenCookieGenerator.setCookieHttpOnly(true);
        this.previewCookieGenerator.setCookieHttpOnly(true);
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public boolean hasValidRefreshToken(Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie cookie = WebUtils.getCookie(httpServletRequest, this.refreshTokenCookieGenerator.getCookieName());
        String value = cookie != null ? cookie.getValue() : null;
        boolean z = StringUtils.isNotEmpty(value) && this.securityDao.validateRefreshToken(getUserId(authentication), value);
        if (!z) {
            SecurityContextHolder.clearContext();
            httpServletRequest.getSession().invalidate();
            this.refreshTokenCookieGenerator.removeCookie(httpServletResponse);
        }
        return z;
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public void updateRefreshToken(Authentication authentication, HttpServletResponse httpServletResponse) {
        String uuid = UUID.randomUUID().toString();
        long userId = getUserId(authentication);
        this.retryingDatabaseOperationFacade.retry(() -> {
            this.securityDao.upsertRefreshToken(userId, uuid);
        });
        this.refreshTokenCookieGenerator.addCookie(httpServletResponse, uuid);
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public void refreshPreviewCookie(Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws ServiceLayerException {
        String cookieValue = HttpUtils.getCookieValue(CRAFTER_SITE_COOKIE_NAME, httpServletRequest);
        if (StringUtils.isEmpty(cookieValue)) {
            logger.debug("No site name found in '{}' cookie, removing preview cookie", CRAFTER_SITE_COOKIE_NAME);
            this.previewCookieGenerator.removeCookie(httpServletResponse);
        } else if (this.userService.isSiteMember(authentication.getName(), cookieValue)) {
            this.previewCookieGenerator.addCookie(httpServletResponse, createPreviewCookie(cookieValue));
            logger.debug("Refreshed preview cookie for user '{}'", authentication.getName());
        } else {
            logger.debug("User '{}' is not a member of site '{}', removing preview cookie", authentication.getName(), cookieValue);
            this.previewCookieGenerator.removeCookie(httpServletResponse);
            if (!z) {
                throw new SiteNotFoundException(cookieValue);
            }
        }
    }

    private String createPreviewCookie(String str) throws ServiceLayerException {
        try {
            return this.previewTokenEncryptor.encrypt(String.format("%s|%s", str, Long.valueOf(System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(this.previewCookieGenerator.getCookieMaxAge().intValue()))));
        } catch (CryptoException e) {
            throw new ServiceLayerException("Failed to encrypt preview cookie", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public void deletePreviewCookie(HttpServletResponse httpServletResponse) {
        this.previewCookieGenerator.removeCookie(httpServletResponse);
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public AccessToken createTokens(Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServiceLayerException {
        logger.debug("Create tokens for '{}'", authentication.getName());
        Instant now = Instant.now();
        Instant plus = now.plus(this.accessTokenExpiration, (TemporalUnit) ChronoUnit.MINUTES);
        String createToken = createToken(now, plus, authentication.getName(), null);
        updateRefreshToken(authentication, httpServletResponse);
        refreshPreviewCookie(authentication, httpServletRequest, httpServletResponse, true);
        AccessToken accessToken = new AccessToken();
        accessToken.setToken(createToken);
        accessToken.setExpiresAt(plus);
        return accessToken;
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public void deleteRefreshToken(long j) {
        this.userActivity.invalidate(Long.valueOf(j));
        this.retryingDatabaseOperationFacade.retry(() -> {
            this.securityDao.deleteRefreshToken(j);
        });
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public void deleteExpiredRefreshTokens() {
        if (!this.systemStatusProvider.isSystemReady()) {
            logger.debug("The system is not ready yet, skip the Refresh Token cleanup");
            return;
        }
        logger.debug("Clean up Refresh Tokens");
        List list = (List) this.userActivity.asMap().entrySet().stream().filter(entry -> {
            return ChronoUnit.MINUTES.between((Temporal) entry.getValue(), Instant.now()) > ((long) this.inactivityTimeout);
        }).map((v0) -> {
            return v0.getKey();
        }).collect(Collectors.toList());
        this.userActivity.invalidateAll(list);
        logger.debug("Deleted '{}' expired Refresh Tokens", Integer.valueOf(((Integer) this.retryingDatabaseOperationFacade.retry(() -> {
            return Integer.valueOf(this.securityDao.deleteExpiredTokens(this.sessionTimeout, list));
        })).intValue()));
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public PersistentAccessToken createAccessToken(String str, Instant instant) throws ServiceLayerException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        PersistentAccessToken persistentAccessToken = new PersistentAccessToken();
        persistentAccessToken.setLabel(str);
        persistentAccessToken.setExpiresAt(instant);
        this.retryingDatabaseOperationFacade.retry(() -> {
            this.securityDao.createAccessToken(getUserId(authentication), persistentAccessToken);
        });
        persistentAccessToken.setToken(createToken(Instant.now(), instant, authentication.getName(), Long.valueOf(persistentAccessToken.getId())));
        createAuditLog(authentication, persistentAccessToken.getId(), AuditLogConstants.TARGET_TYPE_ACCESS_TOKEN, AuditLogConstants.OPERATION_CREATE);
        return persistentAccessToken;
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public List<PersistentAccessToken> getAccessTokens() {
        return this.securityDao.getAccessTokens(getUserId(SecurityContextHolder.getContext().getAuthentication()));
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public PersistentAccessToken updateAccessToken(long j, boolean z) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        long userId = getUserId(authentication);
        this.retryingDatabaseOperationFacade.retry(() -> {
            this.securityDao.updateAccessToken(userId, j, z);
        });
        createAuditLog(authentication, j, AuditLogConstants.TARGET_TYPE_ACCESS_TOKEN, AuditLogConstants.OPERATION_UPDATE);
        return this.securityDao.getAccessTokenByUserIdAndTokenId(userId, j);
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public void deleteAccessToken(long j) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        this.retryingDatabaseOperationFacade.retry(() -> {
            this.securityDao.deleteAccessToken(getUserId(authentication), j);
        });
        createAuditLog(authentication, j, AuditLogConstants.TARGET_TYPE_ACCESS_TOKEN, AuditLogConstants.OPERATION_DELETE);
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public void deleteUsersTokens(Collection<Long> collection) {
        collection.forEach(l -> {
            this.userActivity.invalidate(l);
        });
        this.retryingDatabaseOperationFacade.retry(() -> {
            this.securityDao.deleteRefreshTokens(collection);
        });
        this.retryingDatabaseOperationFacade.retry(() -> {
            this.securityDao.deleteUsersAccessTokens(collection);
        });
    }

    protected String getActualAudience() {
        return StringUtils.isNotEmpty(this.audience) ? this.audience : this.instanceService.getInstanceId();
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public String getUsername(String str) {
        try {
            JwtClaims processToClaims = new JwtConsumerBuilder().setEnableRequireEncryption().setRequireSubject().setExpectedIssuers(true, this.validIssuers).setExpectedAudience(new String[]{getActualAudience()}).setVerificationKey(this.jwtSignKey).setDecryptionKey(this.jwtEncryptKey).setJweAlgorithmConstraints(getAlgorithmConstraints()).build().processToClaims(str);
            String subject = processToClaims.getSubject();
            String jwtId = processToClaims.getJwtId();
            if (StringUtils.isNotEmpty(jwtId)) {
                long parseLong = Long.parseLong(jwtId);
                PersistentAccessToken accessTokenById = this.securityDao.getAccessTokenById(parseLong);
                if (accessTokenById == null) {
                    logger.info("Detected the usage of a deleted JWT with the ID '{}' for user '{}'", Long.valueOf(parseLong), subject);
                    createAuditLog(subject, parseLong, AuditLogConstants.TARGET_TYPE_ACCESS_TOKEN, AuditLogConstants.OPERATION_LOGIN_FAILED);
                    return null;
                }
                if (!accessTokenById.isEnabled()) {
                    logger.info("Detected the usage of a disabled JWT with the ID '{}' for user '{}'", Long.valueOf(parseLong), subject);
                    createAuditLog(subject, parseLong, AuditLogConstants.TARGET_TYPE_ACCESS_TOKEN, AuditLogConstants.OPERATION_LOGIN_FAILED);
                    return null;
                }
                logger.debug("Successfully validated JWT with ID '{}' for user '{}'", Long.valueOf(parseLong), subject);
                createAuditLog(subject, parseLong, AuditLogConstants.TARGET_TYPE_ACCESS_TOKEN, AuditLogConstants.OPERATION_LOGIN);
            } else {
                logger.debug("Successfully validated JWT with for user '{}'", subject);
            }
            return subject;
        } catch (InvalidJwtException | MalformedClaimException e) {
            logger.warn("Detected the usage of an invalid JWT. Message '{}'", e.getMessage());
            logger.debug("Invalid JWT", e);
            createAuditLog("JWT", -1L, AuditLogConstants.TARGET_TYPE_ACCESS_TOKEN, StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH, AuditLogConstants.OPERATION_LOGIN_FAILED);
            return null;
        }
    }

    protected long getUserId(Authentication authentication) {
        return ((User) authentication.getPrincipal()).getId();
    }

    protected String createToken(Instant instant, Instant instant2, String str, Long l) throws ServiceLayerException {
        JwtClaims jwtClaims = new JwtClaims();
        jwtClaims.setIssuer(this.issuer);
        jwtClaims.setIssuedAt(NumericDate.fromMilliseconds(instant.toEpochMilli()));
        jwtClaims.setSubject(str);
        jwtClaims.setAudience(getActualAudience());
        if (instant2 != null) {
            jwtClaims.setExpirationTime(NumericDate.fromMilliseconds(instant2.toEpochMilli()));
        }
        if (l != null) {
            jwtClaims.setJwtId(l.toString());
        }
        try {
            JsonWebSignature jsonWebSignature = new JsonWebSignature();
            jsonWebSignature.setPayload(jwtClaims.toJson());
            jsonWebSignature.setKey(this.jwtSignKey);
            jsonWebSignature.setAlgorithmHeaderValue("HS512");
            JsonWebEncryption jsonWebEncryption = new JsonWebEncryption();
            AlgorithmConstraints algorithmConstraints = getAlgorithmConstraints();
            jsonWebEncryption.setAlgorithmConstraints(algorithmConstraints);
            jsonWebEncryption.setContentEncryptionAlgorithmConstraints(algorithmConstraints);
            jsonWebEncryption.setPayload(jsonWebSignature.getCompactSerialization());
            jsonWebEncryption.setAlgorithmHeaderValue(JWE_ALGORITHM_HEADER_VALUE);
            jsonWebEncryption.setEncryptionMethodHeaderParameter(JWE_ENCRYPTION_METHOD_HEADER_VALUE);
            jsonWebEncryption.setKey(this.jwtEncryptKey);
            jsonWebEncryption.setContentTypeHeaderValue("JWT");
            return jsonWebEncryption.getCompactSerialization();
        } catch (JoseException e) {
            throw new ServiceLayerException("Error generating JWT for user " + str, e);
        }
    }

    private AlgorithmConstraints getAlgorithmConstraints() {
        return new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, new String[]{JWE_ALGORITHM_HEADER_VALUE, JWE_ENCRYPTION_METHOD_HEADER_VALUE});
    }

    protected void createAuditLog(Authentication authentication, long j, String str, String str2) {
        createAuditLog(authentication.getName(), j, str, str2);
    }

    protected void createAuditLog(String str, long j, String str2, String str3) {
        createAuditLog(str, j, str2, Long.toString(j), str3);
    }

    protected void createAuditLog(String str, long j, String str2, String str3, String str4) {
        try {
            Site site = this.siteService.getSite(this.studioConfiguration.getProperty(StudioConfiguration.CONFIGURATION_GLOBAL_SYSTEM_SITE));
            AuditLog createAuditLogEntry = AuditLog.createAuditLogEntry();
            createAuditLogEntry.setOperation(str4);
            createAuditLogEntry.setActorId(str);
            createAuditLogEntry.setSiteId(site.getId());
            createAuditLogEntry.setPrimaryTargetId(Long.toString(j));
            createAuditLogEntry.setPrimaryTargetType(str2);
            createAuditLogEntry.setPrimaryTargetValue(str3);
            this.auditService.insertAuditLog(createAuditLogEntry);
        } catch (SiteNotFoundException e) {
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.AccessTokenService
    public void updateUserActivity(Authentication authentication) {
        logger.debug("Update user activity for '{}'", authentication.getName());
        this.userActivity.put(Long.valueOf(getUserId(authentication)), Instant.now());
    }

    public void setRefreshTokenCookieGenerator(CookieGenerator cookieGenerator) {
        this.refreshTokenCookieGenerator = cookieGenerator;
    }

    public void setPreviewCookieGenerator(CookieGenerator cookieGenerator) {
        this.previewCookieGenerator = cookieGenerator;
    }
}
