package com.ontotext.graphdb.security;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.ontotext.graphdb.Config;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Map;
import java.util.Optional;
import java.util.Random;
import java.util.Spliterators;
import java.util.TreeMap;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.Header;
import org.apache.http.HttpEntity;
import org.apache.http.HttpEntityEnclosingRequest;
import org.apache.http.client.methods.HttpUriRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/ontotext/graphdb/security/TokenManager.class */
public class TokenManager {
    private static final String HMAC_ALGO = "HmacSHA256";
    private static final String SEPARATOR = ".";
    private static final Pattern SEPARATOR_PATTERN;
    private static Pattern SPACE_NORM;
    private static Logger LOGGER;
    private static final long MAX_TIMESTAMP_DELTA;
    private static TokenManager instance;
    private final Mac hmac;
    private final ObjectMapper objectMapper;
    private final boolean hasConfiguredSecret;
    private long timeOffset;
    private Cache<String, String> authenticatedSignatureCache;
    static final /* synthetic */ boolean $assertionsDisabled;

    public static TokenManager getInstance() {
        if (instance == null) {
            instance = new TokenManager(0L);
        }
        return instance;
    }

    @VisibleForTesting
    TokenManager(long j) {
        byte[] bArr;
        this.timeOffset = j;
        try {
            String property = Config.getProperty("graphdb.auth.token.secret");
            if (StringUtils.isNotEmpty(property)) {
                this.hasConfiguredSecret = true;
                bArr = MessageDigest.getInstance("SHA-256").digest(property.getBytes("UTF-8"));
            } else {
                this.hasConfiguredSecret = false;
                byte[] bArr2 = new byte[16];
                new Random().nextBytes(bArr2);
                bArr = bArr2;
            }
            this.hmac = Mac.getInstance(HMAC_ALGO);
            this.hmac.init(new SecretKeySpec(bArr, HMAC_ALGO));
            this.objectMapper = new ObjectMapper();
            this.authenticatedSignatureCache = CacheBuilder.newBuilder().concurrencyLevel(4).maximumSize(10000L).expireAfterWrite(10L, TimeUnit.MINUTES).build();
        } catch (UnsupportedEncodingException | InvalidKeyException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("Failed to initialize HMAC: " + e.getMessage(), e);
        }
    }

    public String createTokenForUser(TokenUser tokenUser) {
        try {
            byte[] writeValueAsBytes = this.objectMapper.writeValueAsBytes(tokenUser);
            return TokenConstants.AUTHORIZATION_TOKEN_PREFIX + toBase64(writeValueAsBytes) + "." + toBase64(createHmac(writeValueAsBytes));
        } catch (JsonProcessingException e) {
            throw new RuntimeException(e);
        }
    }

    public TokenUser parseUserFromToken(String str) {
        if (!str.startsWith(TokenConstants.AUTHORIZATION_TOKEN_PREFIX)) {
            return null;
        }
        String[] split = SEPARATOR_PATTERN.split(str.substring(TokenConstants.AUTHORIZATION_TOKEN_PREFIX.length()), 2);
        if (split.length != 2 || split[0].length() <= 0 || split[1].length() <= 0) {
            LOGGER.warn("Invalid auth token received. Possible tampering attempt.");
            return null;
        }
        try {
            byte[] fromBase64 = fromBase64(split[0]);
            if (Arrays.equals(createHmac(fromBase64), fromBase64(split[1]))) {
                return fromJSON(fromBase64);
            }
            LOGGER.warn("Auth token hash mismatch.");
            return null;
        } catch (RuntimeException e) {
            LOGGER.warn("Invalid auth token received. Possible tampering attempt.", (Throwable) e);
            return null;
        }
    }

    public boolean hasConfiguredSecret() {
        return this.hasConfiguredSecret;
    }

    public synchronized void setTokenSecretBytes(byte[] bArr) throws InvalidKeyException {
        if (!$assertionsDisabled && bArr.length <= 16) {
            throw new AssertionError("The provided token secret must be at least 16 bytes / 128 bits");
        }
        if (this.hasConfiguredSecret) {
            return;
        }
        this.hmac.init(new SecretKeySpec(bArr, HMAC_ALGO));
    }

    @VisibleForTesting
    static String getRequestSummary(String str, String str2, String str3, String str4, Stream<Map.Entry<String, String>> stream) {
        if (!$assertionsDisabled && str4 == null) {
            throw new AssertionError("The X-GraphDB-Timestamp header is needed for proper validation of signed requests");
        }
        Object[] objArr = new Object[5];
        objArr[0] = str2;
        objArr[1] = str4;
        objArr[2] = str3 == null ? "" : str3.toLowerCase();
        objArr[3] = ((TreeMap) stream.map(entry -> {
            return new AbstractMap.SimpleEntry(((String) entry.getKey()).toLowerCase(), SPACE_NORM.matcher((CharSequence) entry.getValue()).replaceAll(" "));
        }).filter(simpleEntry -> {
            return ((String) simpleEntry.getKey()).startsWith("x-graphdb");
        }).collect(Collectors.groupingBy((v0) -> {
            return v0.getKey();
        }, TreeMap::new, Collectors.mapping((v0) -> {
            return v0.getValue();
        }, Collectors.toList())))).entrySet().stream().map(entry2 -> {
            return ((String) entry2.getKey()) + ":" + String.join(",", (Iterable<? extends CharSequence>) entry2.getValue());
        }).collect(Collectors.joining("\n"));
        objArr[4] = str;
        return String.format("%s\n%s\n%s\n%s\n%s", objArr);
    }

    @VisibleForTesting
    static String getRequestSummary(HttpUriRequest httpUriRequest) {
        HttpEntity entity;
        Header firstHeader = httpUriRequest.getFirstHeader("Content-Type");
        Header firstHeader2 = httpUriRequest.getFirstHeader(TokenConstants.TIMESTAMP_HEADER_NAME);
        if (firstHeader == null && (httpUriRequest instanceof HttpEntityEnclosingRequest) && (entity = ((HttpEntityEnclosingRequest) httpUriRequest).getEntity()) != null) {
            firstHeader = entity.getContentType();
        }
        return getRequestSummary(httpUriRequest.getURI().getPath(), httpUriRequest.getMethod(), firstHeader == null ? null : firstHeader.getValue(), firstHeader2 == null ? null : firstHeader2.getValue(), Stream.of((Object[]) httpUriRequest.getAllHeaders()).map(header -> {
            return new AbstractMap.SimpleEntry(header.getName(), header.getValue());
        }));
    }

    public void signRequest(HttpUriRequest httpUriRequest) {
        httpUriRequest.setHeader(TokenConstants.TIMESTAMP_HEADER_NAME, newTimestamp());
        httpUriRequest.setHeader("Authorization", signWithKeyword(getRequestSummary(httpUriRequest)));
    }

    @VisibleForTesting
    static String getRequestSummary(HttpServletRequest httpServletRequest) {
        return getRequestSummary(httpServletRequest.getServletPath() + ((String) Optional.ofNullable(httpServletRequest.getPathInfo()).orElse("")), httpServletRequest.getMethod(), httpServletRequest.getHeader("Content-Type"), httpServletRequest.getHeader(TokenConstants.TIMESTAMP_HEADER_NAME), enumerationAsStream(httpServletRequest.getHeaderNames()).flatMap(str -> {
            return enumerationAsStream(httpServletRequest.getHeaders(str)).map(str -> {
                return new AbstractMap.SimpleEntry(str, str);
            });
        }));
    }

    public boolean verifyRequest(HttpServletRequest httpServletRequest, String str) {
        String header = httpServletRequest.getHeader(TokenConstants.TIMESTAMP_HEADER_NAME);
        if (header == null) {
            LOGGER.warn("Invalid authentication signature: missing timestamp.");
            return false;
        }
        if (Math.abs((System.currentTimeMillis() - Long.parseLong(header)) + this.timeOffset) > MAX_TIMESTAMP_DELTA) {
            LOGGER.warn("Invalid authentication signature: signature expired.");
            return false;
        }
        if (!verifyWithKeyword(getRequestSummary(httpServletRequest), str)) {
            LOGGER.warn("Invalid authentication signature: signature mismatch.");
            return false;
        }
        String remoteAddr = httpServletRequest.getRemoteAddr();
        String ifPresent = this.authenticatedSignatureCache.getIfPresent(str);
        if (ifPresent == null) {
            this.authenticatedSignatureCache.put(str, remoteAddr);
            LOGGER.debug("Signature authentication OK.");
            return true;
        }
        if (ifPresent.equals(remoteAddr)) {
            LOGGER.debug("Signature authentication OK (cached IP).");
            return true;
        }
        LOGGER.warn("Invalid authentication signature: signature already used.");
        return false;
    }

    private String sign(String str) {
        return toBase64(createHmac(str.getBytes()));
    }

    private boolean verify(String str, String str2) {
        return toBase64(createHmac(str.getBytes())).equals(str2);
    }

    private String signWithKeyword(String str) {
        return TokenConstants.AUTHORIZATION_SIGNATURE_PREFIX + sign(str);
    }

    private boolean verifyWithKeyword(String str, String str2) {
        if (str2.startsWith(TokenConstants.AUTHORIZATION_SIGNATURE_PREFIX)) {
            return verify(str, str2.substring(TokenConstants.AUTHORIZATION_SIGNATURE_PREFIX.length()));
        }
        return false;
    }

    private String newTimestamp() {
        return Long.toString(System.currentTimeMillis() + this.timeOffset);
    }

    private synchronized byte[] createHmac(byte[] bArr) {
        return this.hmac.doFinal(bArr);
    }

    private String toBase64(byte[] bArr) {
        return DatatypeConverter.printBase64Binary(bArr);
    }

    private byte[] fromBase64(String str) {
        return DatatypeConverter.parseBase64Binary(str);
    }

    private TokenUser fromJSON(byte[] bArr) {
        try {
            return (TokenUser) this.objectMapper.readValue(new ByteArrayInputStream(bArr), TokenUser.class);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    private static <T> Stream<T> enumerationAsStream(final Enumeration<T> enumeration) {
        return StreamSupport.stream(new Spliterators.AbstractSpliterator<T>(Long.MAX_VALUE, 16) { // from class: com.ontotext.graphdb.security.TokenManager.1
            @Override // java.util.Spliterator
            public boolean tryAdvance(Consumer<? super T> consumer) {
                if (!enumeration.hasMoreElements()) {
                    return false;
                }
                consumer.accept((Object) enumeration.nextElement());
                return true;
            }

            @Override // java.util.Spliterator
            public void forEachRemaining(Consumer<? super T> consumer) {
                while (enumeration.hasMoreElements()) {
                    consumer.accept((Object) enumeration.nextElement());
                }
            }
        }, false);
    }

    static {
        $assertionsDisabled = !TokenManager.class.desiredAssertionStatus();
        SEPARATOR_PATTERN = Pattern.compile(Pattern.quote("."));
        SPACE_NORM = Pattern.compile("\\s+");
        LOGGER = LoggerFactory.getLogger((Class<?>) TokenManager.class);
        MAX_TIMESTAMP_DELTA = TimeUnit.MINUTES.toMillis(2L);
    }
}
