package com.erudika.para.server.security;

import com.erudika.para.core.App;
import com.erudika.para.core.ParaObject;
import com.erudika.para.core.User;
import com.erudika.para.core.rest.Signer;
import com.erudika.para.core.utils.CoreUtils;
import com.erudika.para.core.utils.Para;
import com.erudika.para.core.utils.Utils;
import com.erudika.para.server.security.filters.SAMLAuthFilter;
import com.erudika.para.server.utils.BufferedRequestWrapper;
import com.erudika.para.server.utils.filters.CORSFilter;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:com/erudika/para/server/security/SecurityUtils.class */
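/**
 * Static helpers shared by the server-side security filters: reading the principal (user or app)
 * out of the Spring security context, issuing and validating HMAC-signed JWTs, verifying
 * AWS-style request signatures, and a few redirect/appid helpers for the auth endpoints.
 *
 * This listing is a decompilation; two spots that the decompiler rendered as non-compiling code
 * (the missing return in {@link #isValidJWToken} and the unchecked assignment in
 * {@link #getAppFromLdapAuthentication}) are restored to their evident intent below.
 */
public final class SecurityUtils {
	private static final Logger logger = LoggerFactory.getLogger(SecurityUtils.class);

	private SecurityUtils() {
	}

	/**
	 * @return the user behind the current security context, or null when the context holds
	 * no authenticated {@link AuthenticatedUserDetails} principal
	 */
	public static User getAuthenticatedUser() {
		return getAuthenticatedUser(SecurityContextHolder.getContext().getAuthentication());
	}

	/**
	 * Extracts the {@link User} from an authentication object.
	 * @param authentication an authentication, may be null
	 * @return the user, or null unless the authentication is marked authenticated and its
	 * principal is an {@link AuthenticatedUserDetails}
	 */
	public static User getAuthenticatedUser(Authentication authentication) {
		if (authentication == null || !authentication.isAuthenticated()) {
			return null;
		}
		Object principal = authentication.getPrincipal();
		if (principal instanceof AuthenticatedUserDetails) {
			return ((AuthenticatedUserDetails) principal).getUser();
		}
		return null;
	}

	/**
	 * @return the {@link App} that is the principal of the current security context (a request
	 * authenticated with the app's own credentials), or null
	 */
	public static App getAuthenticatedApp() {
		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
		if (authentication != null && authentication.isAuthenticated()
				&& authentication.getPrincipal() instanceof App) {
			return (App) authentication.getPrincipal();
		}
		return null;
	}

	/**
	 * @return the app attached to a {@link JWTAuthentication} in the security context, or null.
	 * Unlike {@link #getAuthenticatedApp()} this does not consult {@code isAuthenticated()};
	 * presumably the JWT filter only stores fully verified tokens - TODO confirm in JWTAuthentication.
	 */
	public static App getAppFromJWTAuthentication() {
		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
		if (authentication instanceof JWTAuthentication) {
			return ((JWTAuthentication) authentication).getApp();
		}
		return null;
	}

	/**
	 * @return the app attached to an {@link LDAPAuthentication} in the security context, or null.
	 * The decompiled listing assigned the generic Authentication to an LDAPAuthentication variable
	 * before the instanceof check, which does not compile (and as a cast would throw for every other
	 * authentication type); the type check now precedes the cast.
	 */
	public static App getAppFromLdapAuthentication() {
		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
		if (authentication instanceof LDAPAuthentication) {
			return ((LDAPAuthentication) authentication).getApp();
		}
		return null;
	}

	/**
	 * Resolves the app a request is acting on behalf of, trying in order: an app principal, a JWT
	 * authentication, an LDAP authentication, and finally the app id of an authenticated user
	 * (looked up in the root app's store).
	 * @return the app, or null for an unauthenticated request (a warning is logged)
	 */
	public static App getPrincipalApp() {
		App app = getAuthenticatedApp();
		if (app == null) {
			app = getAppFromJWTAuthentication();
		}
		if (app == null) {
			app = getAppFromLdapAuthentication();
		}
		if (app == null) {
			User user = getAuthenticatedUser();
			if (user != null) {
				app = Para.getDAO().read(Para.getConfig().getRootAppIdentifier(), App.id(user.getAppid()));
			}
		}
		if (app == null) {
			logger.warn("Unauthenticated request - app not found in security context.");
		}
		return app;
	}

	/**
	 * Decides whether an app may touch an object at all, before any explicit permission check:
	 * any non-app object is allowed, an app may touch itself, and the root app may touch any app.
	 * @param app the calling app
	 * @param paraObject the target object
	 * @return false when either argument is null or when a non-root app targets a different app
	 */
	public static boolean checkImplicitAppPermissions(App app, ParaObject paraObject) {
		if (app == null || paraObject == null) {
			return false;
		}
		if (isNotAnApp(paraObject.getType())) {
			return true;
		}
		return app.getId().equals(paraObject.getId()) || app.isRootApp();
	}

	/**
	 * @param str an object type name
	 * @return true unless the type is the {@link App} type
	 */
	public static boolean isNotAnApp(String str) {
		return !StringUtils.equals(str, Utils.type(App.class));
	}

	/**
	 * Ownership check for the "own" permission keyword. Note the permissive default: when there
	 * is no authenticated user, no app, no object, or the app's permissions for this user/object
	 * do not use the "own" keyword, the method returns true and leaves the decision to the
	 * resource-level permission checks elsewhere.
	 * @param app the app whose permissions apply
	 * @param paraObject the object being modified
	 * @return {@code user.canModify(paraObject)} when the "own" keyword applies, true otherwise
	 */
	public static boolean checkIfUserCanModifyObject(App app, ParaObject paraObject) {
		User user = getAuthenticatedUser();
		if (user == null || app == null || paraObject == null) {
			return true;
		}
		if (!app.permissionsContainOwnKeyword(user, paraObject)) {
			return true;
		}
		return user.canModify(paraObject);
	}

	/**
	 * Clears the thread's security context and invalidates the HTTP session, if one exists.
	 * A session is never created here ({@code getSession(false)}).
	 * @param httpServletRequest the request, may be null
	 */
	public static void clearSession(HttpServletRequest httpServletRequest) {
		SecurityContextHolder.clearContext();
		if (httpServletRequest != null) {
			HttpSession session = httpServletRequest.getSession(false);
			if (session != null) {
				session.invalidate();
			}
		}
	}

	/**
	 * Verifies an HMAC-signed JWT against a shared secret and checks its time window.
	 * A token is valid only if the signature verifies under {@link MACVerifier} (which accepts
	 * HMAC algorithms only, so {@code alg=none} or asymmetric algorithms are rejected), its
	 * {@code exp} claim is present and in the future, and its {@code nbf} claim (if any) is not
	 * in the future. Parse and JOSE errors are logged and treated as invalid.
	 *
	 * The decompiled listing lost the final return statement of this method; the two flags are
	 * combined as the surrounding code implies: not expired AND not before {@code nbf}.
	 * @param str the HMAC secret
	 * @param signedJWT the parsed token
	 * @return true if the token is authentic and currently valid
	 */
	public static boolean isValidJWToken(String str, SignedJWT signedJWT) {
		if (StringUtils.isBlank(str) || signedJWT == null) {
			return false;
		}
		try {
			if (!signedJWT.verify(new MACVerifier(str))) {
				return false;
			}
			Date now = new Date();
			JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
			Date expirationTime = claims.getExpirationTime();
			Date notBeforeTime = claims.getNotBeforeTime();
			// a token without an exp claim is treated as expired - tokens must have a bounded lifetime
			boolean expired = expirationTime == null || expirationTime.before(now);
			boolean notYetValid = notBeforeTime != null && notBeforeTime.after(now);
			return !expired && !notYetValid;
		} catch (ParseException | JOSEException e) {
			logger.warn((String) null, e);
			return false;
		}
	}

	/**
	 * Issues an app-level ("super") token: a JWT with no subject, signed with the app secret alone.
	 * @param app the app, must not be null
	 * @return the signed token, or null if the app is null or signing fails
	 */
	public static SignedJWT generateSuperJWToken(App app) {
		return generateJWToken(null, app);
	}

	/**
	 * Issues an HS256 JWT for a user (or for the app itself when {@code user} is null).
	 * Claims: iat, exp (now + app token validity), nbf, a "refresh" timestamp, "appid", and for a
	 * user also sub and "idp". The signing key is {@code app.getSecret() + userTokenSecret}; for an
	 * app-only token the user part is the empty string. When the app setting
	 * {@code security.one_session_per_user} is "true" (the default) the user's token secret is
	 * rotated and persisted first, which invalidates every token previously issued to that user.
	 *
	 * The decompiled listing rendered the empty-string default as
	 * {@code CORSFilter.DEFAULT_EXPOSED_HEADERS} (constant inlining by the decompiler picked an
	 * unrelated constant with the same value); a CORS constant must not participate in key derivation.
	 * @param user the user, or null for an app token
	 * @param app the app, must not be null
	 * @return the signed token, or null if the app is null or signing fails
	 */
	public static SignedJWT generateJWToken(User user, App app) {
		if (app == null) {
			return null;
		}
		try {
			Date now = new Date();
			long validitySec = app.getTokenValiditySec().longValue();
			JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
			claims.issueTime(now);
			claims.expirationTime(new Date(now.getTime() + validitySec * 1000));
			claims.notBeforeTime(now);
			claims.claim("refresh", Long.valueOf(getNextRefresh(validitySec)));
			claims.claim("appid", app.getId());
			String userSecret = "";
			if (user != null) {
				if ("true".equals(Para.getConfig().getSettingForApp(app, "security.one_session_per_user", "true"))) {
					// rotating the per-user secret revokes all earlier tokens for this user
					user.resetTokenSecret();
					CoreUtils.getInstance().overwrite(app.getAppIdentifier(), user);
				}
				claims.subject(user.getId());
				claims.claim("idp", user.getIdentityProvider());
				userSecret = user.getTokenSecret();
			}
			MACSigner signer = new MACSigner(app.getSecret() + userSecret);
			SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims.build());
			signedJWT.sign(signer);
			return signedJWT;
		} catch (JOSEException e) {
			logger.warn("Unable to sign JWT: {}.", e.getMessage());
			return null;
		}
	}

	/**
	 * Issues an OIDC-style identity token for a user: an HS256 JWT carrying name, email, identifier,
	 * picture (the user's picture URL when it starts with "http", otherwise a Gravatar URL derived
	 * from the MD5 of the email) and sub, valid for {@code idTokenExpiresAfterSec}.
	 * Signed with {@code app.getSecret() + user.getTokenSecret()}, the same key as the access token.
	 * @param user the user, must not be null
	 * @param app the app, must not be null
	 * @return the signed token, or null if an argument is null or signing fails
	 */
	public static SignedJWT generateIdToken(User user, App app) {
		if (app == null || user == null) {
			return null;
		}
		try {
			Date now = new Date();
			JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
			claims.issueTime(now);
			claims.expirationTime(new Date(now.getTime() + (Para.getConfig().idTokenExpiresAfterSec() * 1000)));
			claims.notBeforeTime(now);
			claims.claim("appid", app.getId());
			claims.claim("name", user.getName());
			claims.claim("email", user.getEmail());
			claims.claim("identifier", user.getIdentifier());
			String picture = user.getPicture();
			if (StringUtils.startsWithIgnoreCase(picture, "http")) {
				claims.claim("picture", picture);
			} else {
				// Gravatar keys avatars by the MD5 of the email; MD5 is fine here, it is not a security use
				claims.claim("picture", "https://gravatar.com/avatar/" + Utils.md5(user.getEmail()) + "?size=400&d=retro&r=pg");
			}
			claims.subject(user.getId());
			MACSigner signer = new MACSigner(app.getSecret() + user.getTokenSecret());
			SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims.build());
			signedJWT.sign(signer);
			return signedJWT;
		} catch (JOSEException e) {
			logger.warn("Unable to sign JWT: {}.", e.getMessage());
			return null;
		}
	}

	/**
	 * Computes the epoch-millis timestamp after which a client should refresh its token:
	 * now + the configured refresh interval, capped at half the token validity so that a
	 * short-lived token still gets a refresh point before it expires.
	 * @param j token validity in seconds
	 */
	private static long getNextRefresh(long j) {
		long refreshSec = Para.getConfig().jwtRefreshIntervalSec();
		if (j < 2 * refreshSec) {
			refreshSec = j / 2;
		}
		return System.currentTimeMillis() + refreshSec * 1000;
	}

	/**
	 * Gate for a successful credential check: rejects missing user data and locked
	 * (inactive) accounts.
	 * @param userAuthentication the authentication produced by the credential check
	 * @param user the resolved user
	 * @param z when true, failures are thrown as Spring exceptions; when false, they are logged
	 * and null is returned
	 * @return the authentication when the account is active, otherwise null (if {@code z} is false)
	 * @throws BadCredentialsException when the user data is missing and {@code z} is true
	 * @throws LockedException when the account is inactive and {@code z} is true
	 */
	public static UserAuthentication checkIfActive(UserAuthentication userAuthentication, User user, boolean z) {
		if (userAuthentication == null || user == null || user.getIdentifier() == null) {
			if (z) {
				throw new BadCredentialsException("Bad credentials.");
			}
			logger.debug("Bad credentials. {}", userAuthentication);
			return null;
		}
		if (user.getActive().booleanValue()) {
			return userAuthentication;
		}
		if (z) {
			throw new LockedException("Account " + user.getId() + " (" + user.getAppid() + "/" + user.getIdentifier() + ") is locked.");
		}
		logger.warn("Account {} ({}/{}) is locked.", new Object[]{user.getId(), user.getAppid(), user.getIdentifier()});
		return null;
	}

	/**
	 * Verifies an AWS Signature V4-style request signature. The signature, the list of signed
	 * headers and the access key are taken from the {@code Authorization} header, or - when that
	 * header is absent - from the {@code X-Amz-Signature}, {@code X-Amz-SignedHeaders} and
	 * {@code X-Amz-Credential} query parameters. The request is then re-signed server-side with
	 * {@link Signer} using the given secret and the two signatures are compared.
	 *
	 * Changes from the decompiled listing: a request that carries no signature or no
	 * {@code SignedHeaders} list is rejected instead of throwing a NullPointerException, and the
	 * comparison uses {@link MessageDigest#isEqual} so that it does not leak which prefix of the
	 * signature matched through timing.
	 * @param httpServletRequest the incoming request
	 * @param str the secret key of the app identified by the access key
	 * @return true if the client signature matches the one computed by the server
	 */
	public static boolean isValidSignature(HttpServletRequest httpServletRequest, String str) {
		if (httpServletRequest == null || StringUtils.isBlank(str)) {
			return false;
		}
		String authHeader = httpServletRequest.getHeader("Authorization");
		String givenSignature;
		String signedHeaders;
		String accessKey;
		if (StringUtils.isBlank(authHeader)) {
			// presigned-URL style: the signature components travel as query parameters
			givenSignature = httpServletRequest.getParameter("X-Amz-Signature");
			signedHeaders = httpServletRequest.getParameter("X-Amz-SignedHeaders");
			accessKey = StringUtils.substringBefore(httpServletRequest.getParameter("X-Amz-Credential"), "/");
		} else {
			givenSignature = StringUtils.substringAfter(authHeader, "Signature=");
			signedHeaders = StringUtils.substringBetween(authHeader, "SignedHeaders=", ",");
			accessKey = StringUtils.substringBefore(StringUtils.substringBetween(authHeader, "Credential=", ","), "/");
		}
		if (StringUtils.isBlank(givenSignature) || signedHeaders == null) {
			// malformed or missing signature material - nothing to verify against
			return false;
		}
		Set<String> signedHeaderNames = new HashSet<>(Arrays.asList(signedHeaders.split(";")));
		// only the headers the client declared as signed take part in the canonical request
		Map<String, String> headers = new HashMap<>();
		Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
		if (headerNames != null) {
			while (headerNames.hasMoreElements()) {
				String name = headerNames.nextElement().toLowerCase(Locale.ROOT);
				if (signedHeaderNames.contains(name)) {
					headers.put(name, httpServletRequest.getHeader(name));
				}
			}
		}
		Map<String, String> params = new HashMap<>();
		for (Map.Entry<String, String[]> entry : httpServletRequest.getParameterMap().entrySet()) {
			params.put(entry.getKey(), entry.getValue()[0]);
		}
		String requestUri = httpServletRequest.getRequestURI();
		// scheme://host[:port] - the request URL with the URI part stripped off the end
		String endpoint = StringUtils.removeEndIgnoreCase(httpServletRequest.getRequestURL().toString(), requestUri);
		String method = httpServletRequest.getMethod();
		ServletInputStream entity;
		try {
			// the body must be re-readable, since the resource will consume it again after this check
			entity = httpServletRequest instanceof BufferedRequestWrapper
					? httpServletRequest.getInputStream()
					: new BufferedRequestWrapper(httpServletRequest).getInputStream();
		} catch (IOException e) {
			logger.error((String) null, e);
			entity = null;
		}
		String computedAuth = (String) new Signer().sign(method, endpoint, requestUri, headers, params,
				entity, accessKey, str).get("Authorization");
		String computedSignature = StringUtils.substringAfter(computedAuth, "Signature=");
		boolean matches = computedSignature != null && MessageDigest.isEqual(
				givenSignature.getBytes(StandardCharsets.UTF_8),
				computedSignature.getBytes(StandardCharsets.UTF_8));
		if (Para.getConfig().debugRequestSignaturesEnabled()) {
			// signatures are not secrets, but this is still noisy and only meant for debugging
			logger.info("Incoming client signature for request {} {}: {} == {} calculated by server, matching: {}",
					new Object[]{method, requestUri, givenSignature, computedSignature, Boolean.valueOf(matches)});
		}
		return matches;
	}

	/**
	 * Builds the URL the auth flow should redirect back to: the request URL, plus
	 * {@code ?appid=...} when an appid parameter is present, with the scheme replaced by the one
	 * reported in {@code X-Forwarded-Proto} or {@code CloudFront-Forwarded-Proto}.
	 *
	 * Both forwarded-proto headers come from the client unless a trusted proxy overwrites them,
	 * and the listing spliced the raw value in front of {@code "://host/..."}; a value such as
	 * {@code https://evil.example/#} would have turned this into an open redirect. Only the literal
	 * schemes {@code http} and {@code https} are accepted now; anything else falls back to the URL
	 * the container saw. The appid is URL-encoded so that it cannot smuggle extra query parameters.
	 * @param httpServletRequest the incoming request
	 * @return the redirect URL
	 */
	public static String getRedirectUrl(HttpServletRequest httpServletRequest) {
		String url = httpServletRequest.getRequestURL().toString();
		String appid = httpServletRequest.getParameter("appid");
		if (!StringUtils.isBlank(appid)) {
			url = url + "?appid=" + URLEncoder.encode(appid, StandardCharsets.UTF_8);
		}
		String forwardedProto = httpServletRequest.getHeader("X-Forwarded-Proto");
		if (StringUtils.isBlank(forwardedProto)) {
			forwardedProto = httpServletRequest.getHeader("CloudFront-Forwarded-Proto");
		}
		if (isHttpScheme(forwardedProto)) {
			// swap the scheme the container saw for the proxy-reported one; everything from ':' on is kept
			return forwardedProto + url.substring(url.indexOf(':'));
		}
		return url;
	}

	/** @return true only for the literal schemes "http" and "https" (case-insensitive). */
	private static boolean isHttpScheme(String scheme) {
		return "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
	}

	/**
	 * Extracts the target app id from an auth callback request: the {@code appid} parameter wins,
	 * then the OAuth {@code state} parameter, then the path suffix of a {@code /saml_auth/...} URI.
	 * Both parameters are client-controlled; callers are expected to verify that the returned id
	 * refers to an existing app before acting on it.
	 * @param httpServletRequest the incoming request
	 * @return the trimmed app id, or null if none is present
	 */
	public static String getAppidFromAuthRequest(HttpServletRequest httpServletRequest) {
		String state = httpServletRequest.getParameter("state");
		String appid = httpServletRequest.getParameter("appid");
		if (!StringUtils.isBlank(appid)) {
			return StringUtils.trimToNull(appid);
		}
		if (!StringUtils.isBlank(state)) {
			return StringUtils.trimToNull(state);
		}
		if (StringUtils.startsWith(httpServletRequest.getRequestURI(), "/saml_auth/")) {
			return StringUtils.trimToNull(httpServletRequest.getRequestURI().substring(SAMLAuthFilter.SAML_ACTION.length() + 1));
		}
		return null;
	}
}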
