package io.gravitee.am.management.handlers.management.api.authentication.provider.generator;

import io.gravitee.am.common.jwt.JWT;
import io.gravitee.am.common.utils.SecureRandomString;
import io.gravitee.am.identityprovider.api.User;
import io.gravitee.am.jwt.JWTBuilder;
import io.gravitee.am.management.handlers.management.api.preview.PreviewBuilder;
import io.gravitee.node.api.configuration.Configuration;
import jakarta.servlet.http.Cookie;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;

/* loaded from: input_file:io/gravitee/am/management/handlers/management/api/authentication/provider/generator/JWTGenerator.class */
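/**
 * Builds the authentication cookie and the signed JWT handed to a user of the management API.
 *
 * <p>Cookie attributes (name, Secure flag, path, domain) and the token lifetime are read from the
 * node {@link Configuration}; the token itself is signed by the {@code managementJwtBuilder} bean.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>{@code jwt.secret} falls back to a default value that is compiled into this class.
 *       {@link #afterPropertiesSet()} only logs a warning when that default is in use; it does not
 *       stop the application from starting.</li>
 *   <li>{@code jwt.cookie-secure} defaults to {@code false}, so the cookie carrying the bearer token
 *       is sent over plain HTTP unless the property is set to {@code true}.</li>
 *   <li>No SameSite attribute is set on the cookie by this class.</li>
 * </ul>
 */
public class JWTGenerator implements InitializingBean {
    public static final String AM_CLAIMS_ORG = "org";
    public static final String AM_CLAIMS_LOGINS = "login_count";
    public static final String JWT_EXPIRE_AFTER_KEY = "jwt.expire-after";

    private static final Logger LOGGER = LoggerFactory.getLogger(JWTGenerator.class);

    private static final String DEFAULT_JWT_COOKIE_NAME = "Auth-Graviteeio-AM";
    // Secure flag is off by default: HTTPS deployments should set jwt.cookie-secure=true.
    private static final boolean DEFAULT_JWT_COOKIE_SECURE = false;
    private static final String DEFAULT_JWT_COOKIE_PATH = "/";
    private static final String DEFAULT_JWT_COOKIE_DOMAIN = "";
    // Token and cookie lifetime in seconds (604800 s = 7 days).
    private static final int DEFAULT_JWT_EXPIRE_AFTER = 604800;
    // Publicly known fallback signing secret; a deployment that keeps it gets a startup warning.
    private static final String DEFAULT_JWT_SECRET = "s3cR3t4grAv1t3310AMS1g1ingDftK3y";

    // Only these keys of the user's additional information are copied into the token.
    private static final Set<String> ALLOWED_CLAIMS = Set.of(AM_CLAIMS_ORG, "preferred_username", "family_name", "given_name", PreviewBuilder.FACTOR_NAME, "email", "sub", "roles", AM_CLAIMS_LOGINS);

    @Value("${jwt.cookie-name:Auth-Graviteeio-AM}")
    private String authCookieName;

    @Autowired
    @Qualifier("managementJwtBuilder")
    private JWTBuilder jwtBuilder;

    @Autowired
    private Configuration configuration;

    /**
     * Creates a cookie whose Secure flag, path and domain come from configuration.
     *
     * @param name cookie name
     * @param value cookie value; {@code null} yields a max-age of 0, otherwise the configured
     *     {@code jwt.expire-after} (seconds) is used
     * @param httpOnly whether the HttpOnly attribute is set
     * @return the configured cookie
     */
    public Cookie generateCookie(String name, String value, boolean httpOnly) {
        Cookie cookie = new Cookie(name, value);
        cookie.setHttpOnly(httpOnly);
        applyConfiguredScope(cookie);
        cookie.setMaxAge(value == null ? 0 : expireAfterSeconds());
        return cookie;
    }

    /**
     * Creates the HttpOnly authentication cookie holding {@code "Bearer <token>"} for the user.
     *
     * @param user authenticated user the token is issued for
     * @return cookie named after {@code jwt.cookie-name}, living {@code jwt.expire-after} seconds
     */
    public Cookie generateCookie(User user) {
        int expireAfter = expireAfterSeconds();
        // NOTE(review): generateToken returns null when signing fails, which makes the cookie
        // value the literal "Bearer null". Callers may want to reject that case explicitly.
        String token = generateToken(user, expirationDate(expireAfter));
        Cookie cookie = generateCookie(this.authCookieName, "Bearer " + token, true);
        cookie.setMaxAge(expireAfter);
        return cookie;
    }

    /**
     * Issues a token for the user and wraps it in a response map.
     *
     * @param user authenticated user the token is issued for
     * @return map with {@code access_token} (null if signing failed), {@code token_type}
     *     ({@code "bearer"}) and {@code expires_at} ({@link Date#toString()} of the expiry)
     */
    public Map<String, Object> generateToken(User user) {
        Date expiresAt = expirationDate(expireAfterSeconds());
        String token = generateToken(user, expiresAt);
        Map<String, Object> response = new HashMap<>();
        response.put("access_token", token);
        response.put("token_type", "bearer");
        response.put("expires_at", expiresAt.toString());
        return response;
    }

    /**
     * Builds and signs the JWT for the user.
     *
     * @param user source of the subject, username and additional claims
     * @param expiresAt expiry written to the {@code exp} claim (epoch seconds)
     * @return the signed token, or {@code null} when any step throws (the error is logged)
     */
    private String generateToken(User user, Date expiresAt) {
        try {
            JWT jwt = new JWT();
            jwt.setJti(SecureRandomString.generate());
            jwt.setIat(Instant.now().getEpochSecond());
            jwt.setSub(user.getId());
            jwt.setExp(expiresAt.toInstant().getEpochSecond());
            jwt.put("preferred_username", user.getUsername());
            // "sub" and "preferred_username" are in ALLOWED_CLAIMS, so an additional-information
            // entry with one of those keys is written after the values set above.
            // NOTE(review): presumably put() replaces the earlier value - confirm this is intended.
            user.getAdditionalInformation().entrySet().stream()
                    .filter(entry -> ALLOWED_CLAIMS.contains(entry.getKey()))
                    .forEach(entry -> jwt.put(entry.getKey(), entry.getValue()));
            return this.jwtBuilder.sign(jwt);
        } catch (Exception e) {
            LOGGER.error("An error occurs while creating JWT token", e);
            return null;
        }
    }

    /**
     * Creates a cookie that clears the authentication cookie: null value and max-age 0, with the
     * same configured name, Secure flag, path and domain.
     *
     * @return the clearing cookie
     */
    public Cookie getClearCookie() {
        Cookie cookie = new Cookie(this.configuration.getProperty("jwt.cookie-name", DEFAULT_JWT_COOKIE_NAME), (String) null);
        applyConfiguredScope(cookie);
        cookie.setMaxAge(0);
        return cookie;
    }

    /**
     * Logs a prominent warning when {@code jwt.secret} is still the built-in default. Startup is
     * not interrupted; the warning is the only signal that the signing secret is publicly known.
     */
    @Override
    public void afterPropertiesSet() {
        if (DEFAULT_JWT_SECRET.equals(signingKeySecret())) {
            LOGGER.warn("");
            LOGGER.warn("##############################################################");
            LOGGER.warn("#                      SECURITY WARNING                      #");
            LOGGER.warn("##############################################################");
            LOGGER.warn("");
            LOGGER.warn("You still use the default jwt secret.");
            LOGGER.warn("This known secret can be used to impersonate anyone.");
            LOGGER.warn("Please change this value, or ask your administrator to do it !");
            LOGGER.warn("");
            LOGGER.warn("##############################################################");
            LOGGER.warn("");
        }
    }

    /** Returns the configured {@code jwt.secret}, or the built-in default when it is not set. */
    private String signingKeySecret() {
        return this.configuration.getProperty("jwt.secret", DEFAULT_JWT_SECRET);
    }

    /** Returns the configured {@code jwt.expire-after} in seconds, or the 7-day default. */
    private int expireAfterSeconds() {
        return ((Integer) this.configuration.getProperty(JWT_EXPIRE_AFTER_KEY, Integer.class, DEFAULT_JWT_EXPIRE_AFTER)).intValue();
    }

    /**
     * Returns the instant {@code expireAfterSeconds} from now.
     *
     * <p>The multiplication is done in {@code long}: in {@code int} arithmetic any lifetime above
     * 2,147,483 seconds (about 24.8 days) wraps around and produces a wrong, possibly past, expiry.
     */
    private static Date expirationDate(int expireAfterSeconds) {
        return new Date(System.currentTimeMillis() + expireAfterSeconds * 1000L);
    }

    /** Applies the configured Secure flag, path and domain to the cookie. */
    private void applyConfiguredScope(Cookie cookie) {
        cookie.setSecure(((Boolean) this.configuration.getProperty("jwt.cookie-secure", Boolean.class, DEFAULT_JWT_COOKIE_SECURE)).booleanValue());
        cookie.setPath(this.configuration.getProperty("jwt.cookie-path", DEFAULT_JWT_COOKIE_PATH));
        cookie.setDomain(this.configuration.getProperty("jwt.cookie-domain", DEFAULT_JWT_COOKIE_DOMAIN));
    }
}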
