package com.erudika.para.security;

import com.erudika.para.core.App;
import com.erudika.para.core.User;
import com.erudika.para.rest.Signer;
import com.erudika.para.utils.Config;
import com.erudika.para.utils.filters.CORSFilter;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:com/erudika/para/security/SecurityUtils.class */
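/**
 * Static helpers for resolving the authenticated principal from the Spring Security context,
 * issuing and validating HMAC-signed JWTs, reading per-app OAuth/LDAP settings and verifying
 * signed requests.
 *
 * <p>NOTE(review): this listing appears to be decompiler output. Throughout the class
 * {@code CORSFilter.DEFAULT_EXPOSED_HEADERS} is used where an empty string would be expected
 * (for example {@code value + CONSTANT} as a to-string idiom), which looks like a decompiler
 * substituting an equal-valued constant for {@code ""}. The references are kept as found;
 * confirm against the original source.
 */
public final class SecurityUtils {
    private static final Logger logger = LoggerFactory.getLogger(SecurityUtils.class);
    private static final Signer SIGNER = new Signer();

    /** Utility class, not instantiable. */
    private SecurityUtils() {
    }

    /**
     * Returns the user bound to the current security context.
     *
     * @return the authenticated user, or {@code null} if there is none
     */
    public static User getAuthenticatedUser() {
        return getAuthenticatedUser(SecurityContextHolder.getContext().getAuthentication());
    }

    /**
     * Extracts the user from the given authentication object.
     *
     * @param authentication the authentication to inspect, may be {@code null}
     * @return the user, or {@code null} unless the authentication is marked authenticated and its
     *     principal is an {@code AuthenticatedUserDetails}
     */
    public static User getAuthenticatedUser(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof AuthenticatedUserDetails) {
            return ((AuthenticatedUserDetails) principal).getUser();
        }
        return null;
    }

    /**
     * Returns the app that is the principal of the current security context.
     *
     * @return the app, or {@code null} unless the current authentication is marked authenticated
     *     and its principal is an {@code App}
     */
    public static App getAuthenticatedApp() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || !authentication.isAuthenticated()) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        return (principal instanceof App) ? (App) principal : null;
    }

    /**
     * Returns the app carried by the current authentication when it is a {@code JWTAuthentication}.
     *
     * <p>Unlike {@link #getAuthenticatedApp()} this does not consult {@code isAuthenticated()};
     * callers that need that guarantee must check it themselves.
     *
     * @return the app, or {@code null} if the current authentication is absent or of another type
     */
    public static App getAppFromJWTAuthentication() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof JWTAuthentication) {
            return ((JWTAuthentication) authentication).getApp();
        }
        return null;
    }

    /**
     * Returns the app carried by the current authentication when it is an {@code LDAPAuthentication}.
     *
     * <p>Like {@link #getAppFromJWTAuthentication()} this does not consult {@code isAuthenticated()}.
     *
     * @return the app, or {@code null} if the current authentication is absent or of another type
     */
    public static App getAppFromLdapAuthentication() {
        // The listing assigned the context's Authentication straight to an LDAPAuthentication
        // variable, which does not type-check; test the type first, then cast.
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof LDAPAuthentication) {
            return ((LDAPAuthentication) authentication).getApp();
        }
        return null;
    }

    /**
     * Clears the security context and invalidates the HTTP session, if one exists.
     *
     * @param httpServletRequest the current request, may be {@code null}
     */
    public static void clearSession(HttpServletRequest httpServletRequest) {
        SecurityContextHolder.clearContext();
        if (httpServletRequest == null) {
            return;
        }
        // getSession(false): never create a session just to destroy it.
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /**
     * Validates a signed JWT: the HMAC signature must verify against the given secret, an
     * expiration time must be present and not in the past, and a not-before time, if present,
     * must not be in the future.
     *
     * @param str the shared secret used to verify the signature
     * @param signedJWT the token to validate
     * @return {@code true} only if the signature and both time claims check out; {@code false} for
     *     {@code null} arguments, a bad signature, a missing or passed expiration, a future
     *     not-before time, or any parsing/verification error
     */
    public static boolean isValidJWToken(String str, SignedJWT signedJWT) {
        if (str == null || signedJWT == null) {
            return false;
        }
        try {
            // Verify the signature before reading any claim: claims of an unverified token
            // must not influence the outcome.
            if (!signedJWT.verify(new MACVerifier(str))) {
                return false;
            }
            Date now = new Date();
            JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
            Date expirationTime = claims.getExpirationTime();
            Date notBeforeTime = claims.getNotBeforeTime();
            // A token without an expiration claim is treated as expired (fail closed).
            boolean expired = expirationTime == null || expirationTime.before(now);
            boolean notYetValid = notBeforeTime != null && notBeforeTime.after(now);
            // The listing returned "expired && ..." on one path and had no return on the others;
            // a token is valid only when it is neither expired nor premature.
            return !expired && !notYetValid;
        } catch (ParseException e) {
            logger.warn((String) null, e);
            return false;
        } catch (JOSEException e2) {
            logger.warn((String) null, e2);
            return false;
        }
    }

    /**
     * Generates a JWT that is not bound to any user and is signed with the app-level key only.
     *
     * @param app the app to issue the token for
     * @return the signed token, or {@code null} if {@code app} is {@code null} or signing fails
     */
    public static SignedJWT generateSuperJWToken(App app) {
        return generateJWToken(null, app);
    }

    /**
     * Generates an HS256-signed JWT for the given app and, optionally, user.
     *
     * <p>The claims set carries issue time, expiration ({@code app.getTokenValiditySec()} seconds
     * from now), not-before (now), a {@code refresh} timestamp and the {@code appid}; when a user
     * is given, the subject is the user id. The signing key is the app secret concatenated with
     * the user's token secret, so changing either value invalidates previously issued tokens.
     *
     * @param user the user the token is issued to, or {@code null} for an app-level token
     * @param app the issuing app
     * @return the signed token, or {@code null} if {@code app} is {@code null} or signing fails
     */
    public static SignedJWT generateJWToken(User user, App app) {
        if (app == null) {
            return null;
        }
        try {
            Date now = new Date();
            long validitySec = app.getTokenValiditySec().longValue();
            JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
            // Presumably the empty string - see the class-level note.
            String userSecret = CORSFilter.DEFAULT_EXPOSED_HEADERS;
            claims.issueTime(now);
            claims.expirationTime(new Date(now.getTime() + (validitySec * 1000)));
            claims.notBeforeTime(now);
            claims.claim("refresh", Long.valueOf(getNextRefresh(validitySec)));
            claims.claim("appid", app.getId());
            if (user != null) {
                claims.subject(user.getId());
                // NOTE(review): if getTokenSecret() can return null, the concatenation below
                // yields the literal text "null" as the per-user key part - confirm it is always set.
                userSecret = user.getTokenSecret();
            }
            // MACSigner rejects secrets that are too short for the algorithm; that surfaces
            // here as a JOSEException and therefore a null return.
            MACSigner signer = new MACSigner(app.getSecret() + userSecret);
            SignedJWT token = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims.build());
            token.sign(signer);
            return token;
        } catch (JOSEException e) {
            logger.warn("Unable to sign JWT: {}.", e.getMessage());
            return null;
        }
    }

    /**
     * Computes the timestamp after which a token should be refreshed.
     *
     * @param j the token validity period in seconds
     * @return epoch milliseconds: now plus {@code Config.JWT_REFRESH_INTERVAL_SEC}, or plus half
     *     the validity period when the validity is shorter than twice that interval
     */
    private static long getNextRefresh(long j) {
        long intervalSec = Config.JWT_REFRESH_INTERVAL_SEC;
        if (j < 2 * intervalSec) {
            intervalSec = j / 2;
        }
        return System.currentTimeMillis() + (intervalSec * 1000);
    }

    /**
     * Looks up the OAuth app id and secret configured for a provider prefix.
     *
     * <p>The app's own settings win when both {@code <prefix>_app_id} and {@code <prefix>_secret}
     * are present; otherwise, for the root app only, the values come from the global
     * configuration. The second element is a credential: do not log the returned array.
     *
     * @param app the app whose settings are consulted, may be {@code null}
     * @param str the provider prefix; a trailing {@code Config.SEPARATOR} is stripped
     * @return a two-element array {@code {appId, secret}}; both elements keep their initial
     *     value (presumably empty, see the class-level note) when nothing is configured
     */
    public static String[] getOAuthKeysForApp(App app, String str) {
        String prefix = StringUtils.removeEnd(str + CORSFilter.DEFAULT_EXPOSED_HEADERS, Config.SEPARATOR);
        String appIdKey = prefix + "_app_id";
        String secretKey = prefix + "_secret";
        String[] keys = {CORSFilter.DEFAULT_EXPOSED_HEADERS, CORSFilter.DEFAULT_EXPOSED_HEADERS};
        if (app != null) {
            Map<?, ?> settings = app.getSettings();
            if (settings.containsKey(appIdKey) && settings.containsKey(secretKey)) {
                keys[0] = settings.get(appIdKey) + CORSFilter.DEFAULT_EXPOSED_HEADERS;
                keys[1] = settings.get(secretKey) + CORSFilter.DEFAULT_EXPOSED_HEADERS;
            } else if (app.isRootApp()) {
                keys[0] = Config.getConfigParam(appIdKey, CORSFilter.DEFAULT_EXPOSED_HEADERS);
                keys[1] = Config.getConfigParam(secretKey, CORSFilter.DEFAULT_EXPOSED_HEADERS);
            }
        }
        return keys;
    }

    /**
     * Builds the LDAP settings for an app, starting from built-in defaults.
     *
     * <p>For each key the app's own setting wins; otherwise, for the root app only, the global
     * configuration is consulted with the built-in value as fallback. The map includes
     * {@code security.ldap.bind_pass}, so it must not be logged or returned to clients. The
     * built-in server URL uses the plain {@code ldap://} scheme on localhost; a deployment that
     * talks to a remote directory should override it with a TLS-protected URL.
     *
     * @param app the app whose settings are consulted, may be {@code null}
     * @return a mutable map of LDAP settings; empty when {@code app} is {@code null}
     */
    public static Map<String, String> getLdapSettingsForApp(App app) {
        Map<String, String> ldapSettings = new HashMap<>();
        if (app != null) {
            ldapSettings.put("security.ldap.server_url", "ldap://localhost:8389/");
            ldapSettings.put("security.ldap.active_directory_domain", CORSFilter.DEFAULT_EXPOSED_HEADERS);
            ldapSettings.put("security.ldap.base_dn", "dc=springframework,dc=org");
            ldapSettings.put("security.ldap.bind_dn", CORSFilter.DEFAULT_EXPOSED_HEADERS);
            ldapSettings.put("security.ldap.bind_pass", CORSFilter.DEFAULT_EXPOSED_HEADERS);
            ldapSettings.put("security.ldap.user_search_base", CORSFilter.DEFAULT_EXPOSED_HEADERS);
            ldapSettings.put("security.ldap.user_search_filter", "(cn={0})");
            ldapSettings.put("security.ldap.user_dn_pattern", "uid={0},ou=people");
            ldapSettings.put("security.ldap.password_attribute", "userPassword");
            Map<?, ?> settings = app.getSettings();
            // Only values are replaced while iterating, so the entry set is not structurally modified.
            for (Map.Entry<String, String> entry : ldapSettings.entrySet()) {
                if (settings.containsKey(entry.getKey())) {
                    entry.setValue(settings.get(entry.getKey()) + CORSFilter.DEFAULT_EXPOSED_HEADERS);
                } else if (app.isRootApp()) {
                    entry.setValue(Config.getConfigParam(entry.getKey(), entry.getValue()));
                }
            }
        }
        return ldapSettings;
    }

    /**
     * Passes the authentication through only when it refers to an identifiable, active user.
     *
     * @param userAuthentication the authentication to check
     * @param user the user behind the authentication
     * @param z when {@code true}, failures are reported by exception instead of a {@code null} return
     * @return {@code userAuthentication} if the user is active, otherwise {@code null} (when
     *     {@code z} is {@code false})
     * @throws BadCredentialsException if {@code z} is {@code true} and the authentication, the user
     *     or the user's identifier is {@code null}
     * @throws LockedException if {@code z} is {@code true} and the user is not active
     */
    public static UserAuthentication checkIfActive(UserAuthentication userAuthentication, User user, boolean z) {
        if (userAuthentication == null || user == null || user.getIdentifier() == null) {
            if (z) {
                throw new BadCredentialsException("Bad credentials.");
            }
            logger.error("Bad credentials.");
            return null;
        }
        if (user.getActive().booleanValue()) {
            return userAuthentication;
        }
        if (z) {
            throw new LockedException("Account " + user.getId() + " is locked.");
        }
        logger.error("Account {} is locked.", user.getId());
        return null;
    }

    /**
     * Verifies the request signature by re-signing the request with the given secret and
     * comparing the result with the signature the client sent.
     *
     * <p>The client's signature, signed-header list and access key are read from the
     * {@code Authorization} header or, when that header is blank, from the
     * {@code X-Amz-Signature}, {@code X-Amz-SignedHeaders} and {@code X-Amz-Credential} query
     * parameters. A request that carries no signature or no signed-header list is rejected
     * instead of failing with a {@code NullPointerException}, and the final comparison is done
     * in constant time so that the position of the first mismatching character is not
     * observable through response timing.
     *
     * @param httpServletRequest the incoming request
     * @param str the secret key to sign with
     * @return {@code true} only if the recomputed signature equals the supplied one
     */
    public static boolean isValidSignature(HttpServletRequest httpServletRequest, String str) {
        if (httpServletRequest == null || StringUtils.isBlank(str)) {
            return false;
        }
        String header = httpServletRequest.getHeader("Authorization");
        String givenSignature;
        String signedHeaderNames;
        String accessKey;
        if (StringUtils.isBlank(header)) {
            // Query-string form of the signature.
            givenSignature = httpServletRequest.getParameter("X-Amz-Signature");
            signedHeaderNames = httpServletRequest.getParameter("X-Amz-SignedHeaders");
            accessKey = StringUtils.substringBefore(httpServletRequest.getParameter("X-Amz-Credential"), "/");
        } else {
            givenSignature = StringUtils.substringAfter(header, "Signature=");
            signedHeaderNames = StringUtils.substringBetween(header, "SignedHeaders=", ",");
            accessKey = StringUtils.substringBefore(StringUtils.substringBetween(header, "Credential=", ","), "/");
        }
        // Fail closed: a missing signature can never be valid, and a missing signed-header list
        // would otherwise be dereferenced below.
        if (StringUtils.isBlank(givenSignature) || signedHeaderNames == null) {
            return false;
        }

        Set<String> signedNames = new HashSet<>(Arrays.asList(signedHeaderNames.split(";")));
        Map<String, String> signedHeaders = new HashMap<>();
        Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
        while (headerNames != null && headerNames.hasMoreElements()) {
            // Locale.ROOT keeps the lower-casing independent of the JVM's default locale.
            String name = headerNames.nextElement().toLowerCase(Locale.ROOT);
            if (signedNames.contains(name)) {
                signedHeaders.put(name, httpServletRequest.getHeader(name));
            }
        }

        // Only the first value of each parameter takes part in the signature.
        Map<String, String> params = new HashMap<>();
        for (Map.Entry<String, String[]> entry : httpServletRequest.getParameterMap().entrySet()) {
            params.put(entry.getKey(), entry.getValue()[0]);
        }

        String requestURI = httpServletRequest.getRequestURI();
        String endpoint = StringUtils.removeEndIgnoreCase(httpServletRequest.getRequestURL().toString(), requestURI);
        String method = httpServletRequest.getMethod();

        BufferedInputStream entity;
        try {
            entity = new BufferedInputStream(httpServletRequest.getInputStream());
            // NOTE(review): available() only reports bytes readable without blocking, so a body
            // that has not arrived yet is treated as absent here - confirm this is acceptable.
            if (entity.available() <= 0) {
                entity = null;
            }
        } catch (IOException e) {
            logger.error((String) null, e);
            entity = null;
        }

        String expectedSignature = StringUtils.substringAfter(
                (String) SIGNER.sign(method, endpoint, requestURI, signedHeaders, params, entity, accessKey, str)
                        .get("Authorization"),
                "Signature=");
        if (StringUtils.isBlank(expectedSignature)) {
            // Nothing to compare against; never let "empty equals empty" pass as valid.
            return false;
        }
        return MessageDigest.isEqual(
                givenSignature.getBytes(StandardCharsets.UTF_8),
                expectedSignature.getBytes(StandardCharsets.UTF_8));
    }
}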
