package org.jfrog.access.server.service.token;

import com.google.common.collect.Lists;
import com.google.common.hash.Hashing;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.PostConstruct;
import org.apache.commons.io.Charsets;
import org.apache.commons.lang.StringUtils;
import org.jfrog.access.common.SubjectFQN;
import org.jfrog.access.server.audit.TokenAuditor;
import org.jfrog.access.server.config.AccessConfig;
import org.jfrog.access.server.config.AccessConfigKeys;
import org.jfrog.access.server.db.service.TokenStorageService;
import org.jfrog.access.server.exception.ForbiddenException;
import org.jfrog.access.server.exception.TokenExpiredException;
import org.jfrog.access.server.exception.TokenNotFoundException;
import org.jfrog.access.server.exception.UnauthorizedException;
import org.jfrog.access.server.model.Token;
import org.jfrog.access.server.model.TokenImpl;
import org.jfrog.access.server.service.CertificateService;
import org.jfrog.access.server.service.auth.AuthenticationService;
import org.jfrog.access.server.service.auth.AuthorizationService;
import org.jfrog.access.server.service.auth.model.AccessPrincipal;
import org.jfrog.access.server.service.auth.model.UserPrincipal;
import org.jfrog.access.token.JwtAccessToken;
import org.jfrog.access.token.JwtAccessTokenImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.support.CronTrigger;
import org.springframework.stereotype.Service;

@Service
/* loaded from: input_file:WEB-INF/lib/access-server-core-2.0.1.jar:org/jfrog/access/server/service/token/TokenServiceImpl.class */
public class TokenServiceImpl implements TokenService, InternalTokenService {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) TokenServiceImpl.class);

    @Autowired
    private AccessConfig accessConfig;

    @Autowired
    private TokenStorageService tokenStorageService;

    @Autowired
    private TokenAuditor tokenAuditor;

    @Autowired
    private AuthenticationService authenticationService;

    @Autowired
    private AuthorizationService authorizationService;

    @Autowired
    private CertificateService certificateService;

    @Autowired
    private TaskScheduler taskScheduler;

    @PostConstruct
    private void init() {
        String string = this.accessConfig.getString(AccessConfigKeys.revokeExpiredTokensTaskCron);
        if ("-".equals(string)) {
            log.info("Task for revoking expired tokens is disabled.");
            return;
        }
        log.info("Scheduling task for revoking expired tokens using cron expression: {}", string);
        this.taskScheduler.schedule(this::revokeAllExpiredTokens, new CronTrigger(string));
    }

    @Override // org.jfrog.access.server.service.token.InternalTokenService
    public CreatedSignedToken createTokenInternal(@Nonnull TokenSpec tokenSpec) {
        CreatedToken doCreateToken = doCreateToken(tokenSpec);
        Token token = doCreateToken.getToken();
        this.tokenAuditor.tokenCreated(token);
        return new CreatedSignedToken(doCreateToken, buildAndSignAccessToken(token, tokenSpec));
    }

    @Override // org.jfrog.access.server.service.token.InternalTokenService
    public void revokeAllExpiredTokens() {
        long currentTimeMillis = System.currentTimeMillis();
        log.debug("Revoking all non refreshable tokens which are now expired (now={})", Long.valueOf(currentTimeMillis));
        int deleteAllTokensByExpiryAndRefreshable = this.tokenStorageService.deleteAllTokensByExpiryAndRefreshable(currentTimeMillis, false);
        long j = this.accessConfig.getLong(AccessConfigKeys.tokenRefreshExpiry) * 1000;
        long j2 = currentTimeMillis - j;
        log.debug("Revoking all refreshable tokens which have expired {} ms ago (expiry={})", Long.valueOf(j), Long.valueOf(j2));
        int deleteAllTokensByExpiryAndRefreshable2 = deleteAllTokensByExpiryAndRefreshable + this.tokenStorageService.deleteAllTokensByExpiryAndRefreshable(j2, true);
        if (deleteAllTokensByExpiryAndRefreshable2 > 0) {
            log.info("Revoked {} expired tokens.", Integer.valueOf(deleteAllTokensByExpiryAndRefreshable2));
        } else {
            log.debug("No expired tokens were found to revoke.");
        }
    }

    @Override // org.jfrog.access.server.service.token.TokenService
    public CreatedSignedToken createToken(@Nonnull TokenSpec tokenSpec) {
        log.trace("Create token, subject={}, logged in={}", tokenSpec.getSubject(), getLoggedInName());
        this.authorizationService.assertCanCreateToken(tokenSpec);
        String effectiveSubjectFormattedName = getEffectiveSubjectFormattedName(tokenSpec.getSubject());
        tokenSpec.subject(effectiveSubjectFormattedName).owner(getEffectiveOwnerFormattedName());
        return createTokenInternal(tokenSpec);
    }

    private void setEffectiveAudience(TokenSpec tokenSpec) {
        ArrayList newArrayList;
        if (tokenSpec.getAudience().isEmpty()) {
            if (this.authenticationService.getLoggedInPrincipal() instanceof UserPrincipal) {
                String formattedName = this.accessConfig.getAccessServerId().getFormattedName();
                log.debug("Audience not specified, setting the service ID of the access server ID '{}' by default.", formattedName);
                newArrayList = Lists.newArrayList(formattedName);
            } else {
                log.debug("Audience not specified, setting the service ID of the owner '{}' by default.", tokenSpec.getOwner());
                newArrayList = Lists.newArrayList(SubjectFQN.fromFullyQualifiedName(tokenSpec.getOwner()).getServiceId().getFormattedName());
            }
            tokenSpec.audience(newArrayList);
        }
    }

    private String getEffectiveOwnerFormattedName() {
        return SubjectFQN.fromFullyQualifiedName(getLoggedInFormatedName()).getServiceId().getFormattedName();
    }

    @Override // org.jfrog.access.server.service.token.TokenService
    public CreatedSignedToken refreshToken(@Nonnull String str, @Nonnull TokenSpec tokenSpec) {
        log.trace("Refresh token, subject={}, logged in={}", tokenSpec.getSubject(), getLoggedInName());
        this.authorizationService.assertCanCreateToken(tokenSpec);
        Optional<Token> findTokenByRefreshTokenHash = this.tokenStorageService.findTokenByRefreshTokenHash(hashRefreshToken(str));
        if (!findTokenByRefreshTokenHash.isPresent()) {
            throw new TokenNotFoundException("Token matching the provided refresh token was not found.");
        }
        if (isRefreshTokenExpired(findTokenByRefreshTokenHash.get())) {
            throw new TokenExpiredException("Refresh token expired.");
        }
        String effectiveSubjectFormattedName = getEffectiveSubjectFormattedName(tokenSpec.getSubject());
        String effectiveOwnerFormattedName = getEffectiveOwnerFormattedName();
        assertMatchingTokenOwnerAndSubject(findTokenByRefreshTokenHash.get(), effectiveOwnerFormattedName, effectiveSubjectFormattedName);
        tokenSpec.subject(effectiveSubjectFormattedName).owner(effectiveOwnerFormattedName);
        CreatedToken doCreateToken = doCreateToken(tokenSpec);
        this.tokenStorageService.deleteTokenById(findTokenByRefreshTokenHash.get().getId());
        this.tokenAuditor.tokenRefreshed(doCreateToken.getToken(), findTokenByRefreshTokenHash.get());
        return new CreatedSignedToken(doCreateToken, buildAndSignAccessToken(doCreateToken.getToken(), tokenSpec));
    }

    @Override // org.jfrog.access.server.service.token.TokenService
    public void revokeTokenById(@Nonnull String str) {
        log.trace("Revoke token, tokenId={}, logged in={}", str, getLoggedInName());
        Token findTokenById = findTokenById(str);
        this.authorizationService.assertCanDeleteToken(findTokenById);
        deleteToken(findTokenById);
    }

    @Nonnull
    private Token findTokenById(@Nonnull String str) {
        Optional<Token> findTokenById = this.tokenStorageService.findTokenById(str);
        if (findTokenById.isPresent()) {
            return findTokenById.get();
        }
        log.trace("Token with ID '{}' does not exist.", str);
        throw new TokenNotFoundException("Token was not found for ID: " + str);
    }

    private void deleteToken(@Nonnull Token token) {
        this.tokenStorageService.deleteTokenById(token.getId());
        this.tokenAuditor.tokenRevoked(token);
    }

    @Override // org.jfrog.access.server.service.token.TokenService
    public void revokeToken(String str) {
        Token token;
        try {
            String tokenId = JwtAccessTokenImpl.parseTokenValue(str).getTokenId();
            token = findTokenById(tokenId);
            log.debug("Found by access token the token to revoke: {}", tokenId);
        } catch (IllegalArgumentException e) {
            log.debug("Failed to parse the token value as access token, assuming a refresh token.", (Throwable) e);
            Optional<Token> tokenByRefreshToken = getTokenByRefreshToken(str);
            if (!tokenByRefreshToken.isPresent()) {
                log.debug("Token was not found also by refresh token (probably already revoked).");
                throw new TokenNotFoundException("Token not found.");
            }
            token = tokenByRefreshToken.get();
            log.debug("Found by refresh token the token to revoke: {}", token.getId());
        }
        deleteToken(token);
    }

    @Override // org.jfrog.access.server.service.token.TokenService
    public boolean tokenExists(@Nonnull String str) {
        log.trace("Check token exists, tokenId={}, logged in={}", str, getLoggedInName());
        Optional<Token> findTokenById = this.tokenStorageService.findTokenById(str);
        if (!findTokenById.isPresent()) {
            return false;
        }
        Token token = findTokenById.get();
        try {
            this.authorizationService.assertCanReadTokens(token.getOwner());
            return true;
        } catch (ForbiddenException | UnauthorizedException e) {
            log.trace("Not allow to read token {} with owned by {}: {}", findTokenById, token.getOwner(), e.getMessage());
            return false;
        }
    }

    @Override // org.jfrog.access.server.service.token.TokenService
    @Nonnull
    public List<Token> getTokensByOwner(@Nonnull String str) {
        log.trace("Getting all active tokens for owner '{}'", Objects.requireNonNull(str, "owner is required"));
        this.authorizationService.assertCanReadTokens(str);
        return this.tokenStorageService.getTokensByOwner(str);
    }

    @Override // org.jfrog.access.server.service.token.TokenService
    public Optional<Token> getTokenByRefreshToken(@Nonnull String str) {
        return this.tokenStorageService.findTokenByRefreshTokenHash(hashRefreshToken(str));
    }

    private String getLoggedInName() {
        return this.authenticationService.getLoggedInPrincipal().getName();
    }

    @Nonnull
    private String getLoggedInFormatedName() {
        return this.authorizationService.getLoggedIn().orElseThrow(() -> {
            return new IllegalStateException("Cannot get owner formatted name without a logged in user/service");
        });
    }

    private String getEffectiveSubjectFormattedName(@Nullable String str) {
        return str == null ? getLoggedInSubjectFormattedName() : str;
    }

    private String getLoggedInSubjectFormattedName() {
        Principal loggedInPrincipal = this.authenticationService.getLoggedInPrincipal();
        if (loggedInPrincipal instanceof AccessPrincipal) {
            return ((AccessPrincipal) loggedInPrincipal).getFormattedName();
        }
        throw new IllegalStateException("Should not get here if the logged in is not an access principal");
    }

    private void assertMatchingTokenOwnerAndSubject(Token token, String str, String str2) {
        if (!str.equals(token.getOwner())) {
            throw new ForbiddenException("Only the owner of the token can refresh the token.");
        }
        if (str2.equals(token.getSubject())) {
            return;
        }
        log.debug("Subject name in the token and in the request do not match. token={}, request={}", token.getSubject(), str2);
        throw new ForbiddenException("The subject in the existing token and the provided subject don't match.");
    }

    private boolean isRefreshTokenExpired(Token token) {
        long j = this.accessConfig.getLong(AccessConfigKeys.tokenRefreshExpiry) * 1000;
        return token.getExpiry() > 0 && j > 0 && System.currentTimeMillis() > token.getExpiry() + j;
    }

    private CreatedToken doCreateToken(@Nonnull TokenSpec tokenSpec) {
        setEffectiveAudience(tokenSpec);
        Optional<Long> optionalExpiryTime = getOptionalExpiryTime(setEffectiveExpiresIn(tokenSpec));
        String uuid = tokenSpec.isRefreshable() ? UUID.randomUUID().toString() : null;
        TokenImpl.Builder refreshToken = TokenImpl.builder().subject(tokenSpec.getSubject()).owner(tokenSpec.getOwner()).refreshToken(hashRefreshToken(uuid));
        refreshToken.getClass();
        optionalExpiryTime.ifPresent((v1) -> {
            r1.expiry(v1);
        });
        return new CreatedToken(tokenSpec, this.tokenStorageService.saveToken(refreshToken.build()), uuid);
    }

    private long setEffectiveExpiresIn(TokenSpec tokenSpec) {
        if (tokenSpec.getExpiresIn() == null) {
            tokenSpec.expiresIn(Long.valueOf(this.accessConfig.getLong(AccessConfigKeys.tokenDefaultExpiry)));
        }
        return tokenSpec.getExpiresIn().longValue();
    }

    @Nullable
    private String hashRefreshToken(@Nullable String str) {
        if (str == null) {
            return null;
        }
        return Hashing.sha256().hashBytes(Hashing.sha256().hashString(str, Charsets.US_ASCII).asBytes()).toString();
    }

    private void assertAccessAdminAudience(@Nonnull TokenSpec tokenSpec) {
        List<String> audience = tokenSpec.getAudience();
        String formattedName = this.accessConfig.getAccessServerId().getFormattedName();
        if (audience.isEmpty()) {
            tokenSpec.audience(Collections.singletonList(formattedName));
        } else if (audience.size() != 1 || !formattedName.equals(audience.get(0))) {
            throw new ForbiddenException("The audience of an access admin token can only be the access server. (requested audience=" + audience + ")");
        }
    }

    private JwtAccessToken buildAndSignAccessToken(@Nonnull Token token, @Nonnull TokenSpec tokenSpec) {
        String id = token.getId();
        if (StringUtils.isBlank(id)) {
            throw new IllegalStateException("Token has no ID");
        }
        JwtAccessTokenImpl.Builder audience = JwtAccessTokenImpl.builder().tokenId(id).subject(token.getSubject()).issuer(token.getOwner()).scope(tokenSpec.getScope()).payload(tokenSpec.getPayload()).audience(tokenSpec.getAudience());
        if (token.getExpiry() > 0) {
            audience.expiry(token.getExpiry());
        }
        return audience.buildAndSign(this.certificateService.getPrivateKey(), this.certificateService.getRootCertificate());
    }

    private Optional<Long> getOptionalExpiryTime(long j) {
        return j <= 0 ? Optional.empty() : Optional.of(Long.valueOf(getExpiryTime(j)));
    }

    private long getExpiryTime(long j) {
        return System.currentTimeMillis() + (j * 1000);
    }
}
