package org.dataone.bookkeeper.security;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import io.dropwizard.auth.AuthenticationException;
import io.dropwizard.setup.Environment;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dataone.bookkeeper.api.Customer;
import org.dataone.bookkeeper.config.DataONEConfiguration;
import org.dataone.bookkeeper.jdbi.CustomerStore;
import org.dataone.client.auth.AuthTokenSession;
import org.dataone.client.v2.CNode;
import org.dataone.client.v2.itk.D1Client;
import org.dataone.service.exceptions.BaseException;
import org.dataone.service.exceptions.NotImplemented;
import org.dataone.service.exceptions.ServiceFailure;
import org.dataone.service.types.v1.Group;
import org.dataone.service.types.v1.Person;
import org.dataone.service.types.v1.Subject;
import org.dataone.service.types.v1.SubjectInfo;
import org.jdbi.v3.core.Jdbi;

/* loaded from: input_file:org/dataone/bookkeeper/security/DataONEAuthHelper.class */
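/**
 * Authentication helper for DataONE-issued JWTs.
 *
 * <p>It verifies a token's signature against the public key of the certificate the
 * Coordinating Node (CN) presents over TLS, checks the {@code exp} claim, resolves the
 * token subject's {@link SubjectInfo} from the CN, and maps token subjects onto
 * {@link Customer} records. Only the signature and the {@code exp} claim are checked by
 * {@link #verify(String)}; no issuer, audience or not-before check is performed here.
 *
 * <p>Not thread-safe: {@link #verify(String)} and
 * {@link #getSubjectInfo(String, String)} write instance fields and call the static
 * {@code D1Client.setCN} global.
 */
public class DataONEAuthHelper {
    private static final Log log = LogFactory.getLog(DataONEAuthHelper.class);
    // Only exposed through the accessor pair; verify() reads the URL from the configuration instead.
    private String cnBaseUrl;
    // Only exposed through the accessor pair; not read by any method of this class.
    private String cnIdentityServiceEndpoint;
    private CustomerStore customerStore;
    private Environment environment;
    private DataONEConfiguration configuration;
    // CN client resolved by the most recent getSubjectInfo() call.
    private CNode cn;
    // Public key taken from the CN's TLS certificate by the most recent verify() call.
    private RSAPublicKey cnPublicKey;

    /** Creates an unconfigured helper; the collaborators must be supplied through the setters. */
    public DataONEAuthHelper() {
    }

    /**
     * Creates a helper wired to the application environment, database and configuration.
     *
     * @param environment the Dropwizard environment
     * @param jdbi the Jdbi handle used to obtain an on-demand {@link CustomerStore}
     * @param dataONEConfiguration the DataONE configuration (CN base URL, admin subjects)
     */
    public DataONEAuthHelper(Environment environment, Jdbi jdbi, DataONEConfiguration dataONEConfiguration) {
        this.environment = environment;
        this.customerStore = jdbi.onDemand(CustomerStore.class);
        this.configuration = dataONEConfiguration;
    }

    /** @return the CN base URL set through {@link #setCnBaseUrl(String)}, or {@code null} */
    public String getCnBaseUrl() {
        return this.cnBaseUrl;
    }

    /** @param str the CN base URL to remember */
    public void setCnBaseUrl(String str) {
        this.cnBaseUrl = str;
    }

    /** @return the CN identity-service endpoint set through the setter, or {@code null} */
    public String getCnIdentityServiceEndpoint() {
        return this.cnIdentityServiceEndpoint;
    }

    /** @param str the CN identity-service endpoint to remember */
    public void setCnIdentityServiceEndpoint(String str) {
        this.cnIdentityServiceEndpoint = str;
    }

    /** @return the customer store used for subject lookups */
    public CustomerStore getCustomerStore() {
        return this.customerStore;
    }

    /** @param customerStore the customer store to use for subject lookups */
    public void setCustomerStore(CustomerStore customerStore) {
        this.customerStore = customerStore;
    }

    /** @return the Dropwizard environment this helper was created with */
    public Environment getEnvironment() {
        return this.environment;
    }

    /** @param environment the Dropwizard environment */
    public void setEnvironment(Environment environment) {
        this.environment = environment;
    }

    /** @return the DataONE configuration (CN base URL, admin subject lists) */
    public DataONEConfiguration getConfiguration() {
        return this.configuration;
    }

    /** @param dataONEConfiguration the DataONE configuration to use */
    public void setConfiguration(DataONEConfiguration dataONEConfiguration) {
        this.configuration = dataONEConfiguration;
    }

    /**
     * Verifies a DataONE JWT: its RSA signature must validate against the public key of the
     * certificate the configured CN presents over TLS, and its {@code exp} claim must lie in
     * the future.
     *
     * <p>NOTE(review): this trusts the CN's TLS leaf certificate as the token-signing key,
     * i.e. it assumes the CN signs tokens with the same key pair it serves HTTPS with —
     * confirm against the CN deployment. A token with no {@code exp} claim is rejected.
     *
     * @param token the compact-serialized signed JWT
     * @return {@code true} when the signature validates and the token is not expired;
     *         {@code false} when the CN presents no usable RSA certificate, the signature
     *         fails, the {@code exp} claim is missing, or the token has expired
     * @throws AuthenticationException when the CN URL is malformed or not HTTPS, the CN
     *         cannot be reached, the CN client fails, or the token cannot be parsed
     */
    public boolean verify(String token) throws AuthenticationException {
        try {
            D1Client.setCN(this.configuration.getCnBaseUrl());
            URLConnection connection = new URL(D1Client.getCN().getNodeBaseServiceUrl()).openConnection();
            // A non-HTTPS CN URL offers no server certificate, so there is nothing to verify against;
            // previously this surfaced as a ClassCastException.
            if (!(connection instanceof HttpsURLConnection)) {
                throw new AuthenticationException("Couldn't verify the token. The CN base URL is not an HTTPS URL.");
            }
            Certificate certificate = fetchServerCertificate((HttpsURLConnection) connection);
            boolean verified = verifyWithCertificate(token, certificate);
            log.debug("Token is verified: " + verified);
            return verified;
        } catch (MalformedURLException e) {
            throw authFailure("Couldn't verify the token. The CN URL is malformed: " + e.getMessage(), e);
        } catch (IOException e) {
            throw authFailure("Couldn't verify the token. The CN returned connection failed: " + e.getMessage(), e);
        } catch (ServiceFailure e) {
            throw authFailure("Couldn't verify the token. The CN returned a ServiceFailure: " + e.getMessage(), e);
        } catch (ParseException e) {
            throw authFailure("Couldn't verify the token. The JWT library returned a parse exception: " + e.getMessage(), e);
        } catch (NotImplemented e) {
            throw authFailure("Couldn't verify the token. The CN returned a NotImplemented: " + e.getMessage(), e);
        } catch (JOSEException e) {
            throw authFailure("Couldn't verify the token. The JWT library returned an exception: " + e.getMessage(), e);
        }
    }

    /**
     * Opens the TLS connection and returns the server's own certificate (the first entry of
     * the presented chain), or {@code null} when no chain is presented. The connection is
     * always released afterwards.
     *
     * @throws IOException when the connection or the TLS handshake fails
     */
    private static Certificate fetchServerCertificate(HttpsURLConnection connection) throws IOException {
        connection.connect();
        try {
            Certificate[] chain = connection.getServerCertificates();
            // An empty chain used to raise ArrayIndexOutOfBoundsException; treat it as "no certificate".
            return (chain == null || chain.length == 0) ? null : chain[0];
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Checks the token's signature against the certificate's RSA key and then its
     * {@code exp} claim. Records the key in {@link #cnPublicKey} as a side effect.
     *
     * @return {@code true} only when both checks pass
     * @throws ParseException when the token or its claims cannot be parsed
     * @throws JOSEException when signature verification itself fails
     */
    private boolean verifyWithCertificate(String token, Certificate certificate)
            throws ParseException, JOSEException {
        if (certificate == null) {
            log.error("Couldn't verify token.  The CN certificate is null.");
            return false;
        }
        log.debug("Verifying token with CN certificate: " + certificate);
        PublicKey publicKey = certificate.getPublicKey();
        // RSASSAVerifier requires an RSA key; previously a non-RSA key surfaced as a ClassCastException.
        if (!(publicKey instanceof RSAPublicKey)) {
            log.error("Couldn't verify token. The CN certificate key is not an RSA key: "
                + (publicKey == null ? "null" : publicKey.getAlgorithm()));
            return false;
        }
        this.cnPublicKey = (RSAPublicKey) publicKey;
        SignedJWT jwt = SignedJWT.parse(token);
        if (!jwt.verify(new RSASSAVerifier(this.cnPublicKey))) {
            log.debug("Verifying token with public key: " + this.cnPublicKey);
            // The token is a bearer credential: report the failure without writing it to the log.
            log.warn("Couldn't verify token with CN public key.");
            return false;
        }
        Date expiration = jwt.getJWTClaimsSet().getExpirationTime();
        // A missing exp claim used to raise NullPointerException; a token without expiry is not accepted.
        if (expiration == null) {
            log.warn("Couldn't verify token. The token has no expiration claim.");
            return false;
        }
        Instant now = Instant.now();
        Instant expiresAt = expiration.toInstant();
        log.debug("Verification time: " + ZonedDateTime.ofInstant(now, ZoneId.of("UTC")));
        log.debug("Token expiration: " + ZonedDateTime.ofInstant(expiresAt, ZoneId.of("UTC")));
        if (now.isAfter(expiresAt)) {
            log.warn("The token has expired: " + ZonedDateTime.ofInstant(expiresAt, ZoneId.of("UTC")));
            return false;
        }
        return true;
    }

    /**
     * Logs a warning and builds an {@link AuthenticationException} that keeps the original
     * failure as its cause, so the reason survives into the caller's diagnostics.
     */
    private static AuthenticationException authFailure(String message, Throwable cause) {
        log.warn(message);
        AuthenticationException failure = new AuthenticationException(message);
        failure.initCause(cause);
        return failure;
    }

    /**
     * Fetches a subject's {@link SubjectInfo} from the configured CN, authenticating with the
     * given token.
     *
     * @param token the JWT used for the CN session; {@code null} sends an unauthenticated session
     * @param subjectValue the DataONE subject string to look up
     * @return the subject information returned by the CN
     * @throws BaseException when the CN client or the CN itself reports a failure
     */
    public SubjectInfo getSubjectInfo(String token, String subjectValue) throws BaseException {
        AuthTokenSession session = new AuthTokenSession(token);
        Subject subject = new Subject();
        subject.setValue(subjectValue);
        session.setSubject(subject);
        D1Client.setCN(this.configuration.getCnBaseUrl());
        this.cn = D1Client.getCN();
        return this.cn.getSubjectInfo(session, session.getSubject());
    }

    /**
     * Reads the {@code sub} claim of a JWT without verifying its signature; callers that
     * need a trusted subject must call {@link #verify(String)} first.
     *
     * @param token the compact-serialized signed JWT
     * @return the token's subject claim, or {@code null} when absent
     * @throws ParseException when the token or its claims cannot be parsed
     */
    public String getTokenSubject(String token) throws ParseException {
        return SignedJWT.parse(token).getJWTClaimsSet().getSubject();
    }

    /**
     * Builds a new, unsaved {@link Customer} for a subject and populates its subject
     * information from the CN. The CN lookup is made without a token, as before; whether the
     * CN answers such a call for every subject is not visible here.
     *
     * @param subjectValue the DataONE subject string
     * @return a customer carrying the subject and its {@link SubjectInfo}
     * @throws AuthenticationException when the CN lookup fails
     */
    public Customer createCustomerFromSubject(String subjectValue) throws AuthenticationException {
        Customer customer = new Customer();
        customer.setSubject(subjectValue);
        return attachSubjectInfo(null, customer);
    }

    /**
     * Resolves the customer that owns a token: the stored record for the token's subject, or
     * a fresh unsaved {@link Customer} when none exists yet, in either case with its subject
     * information loaded from the CN.
     *
     * @param token the JWT whose subject identifies the customer
     * @return the customer with {@link SubjectInfo} attached
     * @throws AuthenticationException when the token cannot be parsed or the CN lookup fails
     */
    public Customer getCustomerWithSubjectInfo(String token) throws AuthenticationException {
        String tokenSubject;
        try {
            tokenSubject = getTokenSubject(token);
        } catch (ParseException e) {
            throw authFailure("Couldn't parse the given token: " + e.getMessage(), e);
        }
        Customer customer = getCustomerStore().findCustomerBySubject(tokenSubject);
        if (customer == null) {
            log.info("A customer record doesn't exist yet for " + tokenSubject + ". Creating a new customer.");
            customer = new Customer();
            customer.setSubject(tokenSubject);
        }
        return attachSubjectInfo(token, customer);
    }

    /**
     * Loads the customer's {@link SubjectInfo} from the CN and stores it on the customer.
     *
     * @return the same customer instance, for chaining
     * @throws AuthenticationException wrapping the CN failure
     */
    private Customer attachSubjectInfo(String token, Customer customer) throws AuthenticationException {
        try {
            customer.setSubjectInfo(getSubjectInfo(token, customer.getSubject()));
            return customer;
        } catch (BaseException e) {
            throw authFailure("Couldn't retrieve subject from DataONE: '" + customer.getSubject() + "'.", e);
        }
    }

    /**
     * @param subjectValue a DataONE subject string
     * @return whether the subject is listed among the configured DataONE admin subjects
     */
    public boolean isAdmin(String subjectValue) {
        return getConfiguration().getAdminSubjects().contains(subjectValue);
    }

    /**
     * @param subjectValue a DataONE subject string
     * @return whether the subject is listed among the configured Bookkeeper admin subjects
     */
    public boolean isBookkeeperAdmin(String subjectValue) {
        return getConfiguration().getBookkeeperAdminSubjects().contains(subjectValue);
    }

    /**
     * Keeps only those of the given subjects that belong to the customer, i.e. that match a
     * group or person subject in the customer's {@link SubjectInfo}.
     *
     * @param customer the customer whose associated subjects are consulted
     * @param subjects the candidate subject strings; {@code null} is treated as empty
     * @return a new mutable set holding the candidates that are associated with the customer
     */
    public Set<String> filterByAssociatedSubjects(Customer customer, Set<String> subjects) {
        Set<String> associated = getAssociatedSubjects(customer);
        Set<String> matched = new HashSet<>();
        if (subjects != null) {
            for (String candidate : subjects) {
                if (associated.contains(candidate)) {
                    matched.add(candidate);
                }
            }
        }
        return matched;
    }

    /**
     * Collects every subject string associated with the customer: the subjects of all groups
     * and all persons in its {@link SubjectInfo}.
     *
     * @param customer the customer to inspect
     * @return a new mutable set of subject strings; empty when the customer has no subject info
     */
    public Set<String> getAssociatedSubjects(Customer customer) {
        Set<String> associated = new HashSet<>();
        SubjectInfo subjectInfo = customer.getSubjectInfo();
        if (subjectInfo == null) {
            return associated;
        }
        // NOTE(review): whether the list accessors can return null is not visible here; guard anyway.
        List<Group> groups = subjectInfo.getGroupList();
        if (groups != null) {
            for (Group group : groups) {
                addSubjectValue(associated, group.getSubject());
            }
        }
        List<Person> persons = subjectInfo.getPersonList();
        if (persons != null) {
            for (Person person : persons) {
                addSubjectValue(associated, person.getSubject());
            }
        }
        return associated;
    }

    /** Adds the subject's value to the set; entries without a subject are skipped. */
    private static void addSubjectValue(Set<String> target, Subject subject) {
        if (subject != null && subject.getValue() != null) {
            target.add(subject.getValue());
        }
    }
}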
