package si.irm.mm.ejb.user;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.time.LocalDate;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ejb.EJB;
import javax.ejb.LocalBean;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TemporalType;
import javax.persistence.TypedQuery;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jsoup.nodes.DocumentType;
import si.irm.common.enums.YesNoKey;
import si.irm.common.utils.DateUtils;
import si.irm.common.utils.Logger;
import si.irm.common.utils.NumberUtils;
import si.irm.common.utils.StringUtils;
import si.irm.common.utils.Utils;
import si.irm.mm.ejb.SettingsEJBLocal;
import si.irm.mm.ejb.util.UtilsEJBLocal;
import si.irm.mm.entities.NuserAccessToken;
import si.irm.mm.enums.SNastavitveNaziv;
import si.irm.mm.exceptions.CheckException;
import si.irm.mm.messages.TransKey;
import si.irm.mm.util.CommonUtils;
import si.irm.mm.util.QueryUtils;
import si.irm.mm.utils.data.MarinaProxy;

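/**
 * Issues and validates user access tokens.
 *
 * <p>A token is a JWT claims set carried inside a JWE (RSA-OAEP-256 key management, AES-256-GCM
 * content encryption) built with an RSA key pair read from a PEM file (the {@code AT_KEY_FILE}
 * setting, or {@code at_key.pem} in {@code jboss.server.config.dir}). When a token is presented it
 * is decrypted with the private key and every claim is cross-checked against the
 * {@link NuserAccessToken} row named by its {@code id} claim.
 *
 * <p>NOTE(review): JWE provides confidentiality and content integrity, not issuer authentication:
 * any holder of the public half of the key pair can produce a well-formed token, so the whole PEM
 * file (both halves) has to be treated as a secret. What ties a presented token to a stored,
 * active row is the claim/row cross-check in {@link #claimsValidForUserAccessToken}.
 */
@LocalBean
@Stateless
/* loaded from: input_file:MarinaMaster.jar:si/irm/mm/ejb/user/UserAccessTokenEJB.class */
public class UserAccessTokenEJB implements UserAccessTokenEJBLocal {
    public static final String JWT_ISSUER = "marina-master.com";
    public static final String JWT_CLAIM_APP_CODE = "appcode";
    public static final String JWT_CLAIM_ID = "id";
    /** Key id label; not currently written into generated tokens. */
    public static final String JWT_KEYID = "marina-master";
    public static final String ALGORITHM_IDENTIFIER = "RS512";
    private static final String RSA_ALGORITHM = "RSA";
    /**
     * Smallest configured RSA size that is honoured; anything smaller falls back to
     * {@link #DEFAULT_KEY_SIZE}. NOTE(review): 1024-bit RSA is below current guidance (2048+);
     * consider raising this floor once existing deployments are confirmed to use larger keys.
     */
    private static final int MIN_KEY_SIZE = 1024;
    private static final int DEFAULT_KEY_SIZE = 2048;
    private static final String KEY_FILENAME = "at_key.pem";
    /** Placeholder stored on a freshly inserted row until the real token (which embeds the row id) exists. */
    private static final String EMPTY_TOKEN = ".";
    /** PEM block labels as they appear between {@code -----BEGIN ... KEY-----} markers. */
    private static final String PEM_PUBLIC = "PUBLIC";
    private static final String PEM_PRIVATE = "PRIVATE";
    /** Owner-only mode applied to a newly generated key file on POSIX file systems. */
    private static final String KEY_FILE_MODE = "rw-------";

    @PersistenceContext
    private EntityManager em;

    @EJB
    private UtilsEJBLocal utilsEJB;

    @EJB
    private SettingsEJBLocal settingsEJB;

    /**
     * Decrypts the presented token and returns the active access-token row its claims identify.
     *
     * @param marinaProxy caller context, used for translated messages when the key file is missing
     * @param jwe compact JWE serialization as presented by the client (untrusted input)
     * @return the matching active {@link NuserAccessToken}, or {@code null} when decryption, key
     *     loading or claim validation fails; failures are logged and never propagated (fail closed)
     */
    @Override
    public NuserAccessToken getUserAccessTokenFromJWT(MarinaProxy marinaProxy, String jwe) {
        try {
            PrivateKey privateKey = loadKeyPair(marinaProxy, false).getPrivate();
            JwtClaims claims = verifyAndDecodeJWT(jwe, privateKey);
            return validateClaimsAndGetUserAccessToken(marinaProxy, claims);
        } catch (Exception e) {
            // Boundary catch: any problem with the token, the key or the claims yields "no token".
            Logger.error("getUserAccessTokenFromJWT", CommonUtils.getFirstNonEmptyExceptionMessage(e), e);
            return null;
        }
    }

    /**
     * Resolves the row named by the {@code id} claim and checks issuer, existence and active flag
     * before delegating the per-claim comparison to {@link #claimsValidForUserAccessToken}.
     *
     * @return the stored row when every check passes, otherwise {@code null} (reason is logged)
     */
    private NuserAccessToken validateClaimsAndGetUserAccessToken(MarinaProxy marinaProxy, JwtClaims claims) throws Exception {
        if (!JWT_ISSUER.equals(claims.getIssuer())) {
            Logger.error("validateClaimsAndGetUserAccessToken", "Invalid issuer: " + claims.getIssuer());
            return null;
        }
        String idClaim = claims.getClaimValueAsString(JWT_CLAIM_ID);
        Long tokenId = NumberUtils.getLongFromStringOrNull(idClaim);
        if (tokenId == null) {
            Logger.error("validateClaimsAndGetUserAccessToken", "Invalid id: " + idClaim);
            return null;
        }
        NuserAccessToken stored = (NuserAccessToken) this.utilsEJB.findEntity(NuserAccessToken.class, tokenId);
        if (stored == null) {
            Logger.error("validateClaimsAndGetUserAccessToken", "User Access Token not found, id: " + tokenId);
            return null;
        }
        if (!YesNoKey.isEngYes(stored.getActive())) {
            Logger.error("validateClaimsAndGetUserAccessToken", "User Access Token is not active, id: " + tokenId);
            return null;
        }
        return claimsValidForUserAccessToken(stored, claims) ? stored : null;
    }

    /**
     * Compares every claim of a decrypted token with the stored row and checks the validity window.
     *
     * <p>Subject, app code, {@code nbf} and {@code exp} must equal the stored values exactly; the
     * window itself is then evaluated at day granularity against {@link LocalDate#now()} (server
     * default zone), so a token stays valid through the whole of its {@code validTo} day.
     *
     * @return {@code true} only when all comparisons pass; each failure is logged with the row id
     */
    private boolean claimsValidForUserAccessToken(NuserAccessToken stored, JwtClaims claims) throws Exception {
        String context = "claimsValidForUserAccessToken id = " + stored.getId();
        if (!matches(stored.getNuser(), claims.getSubject())) {
            Logger.error(context, "Subject mismatch: " + claims.getSubject());
            return false;
        }
        Object appCodeClaim = claims.getClaimValue(JWT_CLAIM_APP_CODE);
        if (!matches(stored.getAppCode(), appCodeClaim)) {
            Logger.error(context, "App code mismatch: " + appCodeClaim);
            return false;
        }
        if (!NumericDate.fromMilliseconds(stored.getValidFrom().getTime()).equals(claims.getNotBefore())) {
            Logger.error(context, "Valid from mismatch: " + claims.getNotBefore());
            return false;
        }
        if (!NumericDate.fromMilliseconds(stored.getValidTo().getTime()).equals(claims.getExpirationTime())) {
            Logger.error(context, "Valid to mismatch: " + claims.getExpirationTime());
            return false;
        }
        LocalDate today = LocalDate.now();
        if (today.isBefore(DateUtils.convertDateToLocalDate(stored.getValidFrom()))) {
            Logger.error(context, "Token is not valid yet: " + stored.getValidFrom());
            return false;
        }
        if (today.isAfter(DateUtils.convertDateToLocalDate(stored.getValidTo()))) {
            Logger.error(context, "Token expired: " + stored.getValidTo());
            return false;
        }
        return true;
    }

    /** Null-safe "stored value equals claim value"; a missing stored value never matches. */
    private static boolean matches(String stored, Object claim) {
        return stored != null && stored.equals(claim);
    }

    /**
     * Decrypts a compact JWE with the private key and parses its payload as JWT claims.
     *
     * <p>The accepted {@code alg}/{@code enc} are pinned to the pair {@link #generateToken} uses:
     * without constraints jose4j would honour whatever algorithms the (attacker-controlled) JWE
     * header names, as long as the key type allows them.
     *
     * <p>NOTE(review): unlike the encrypting side, jose4j key validation is left enabled here;
     * confirm the behaviour with keys smaller than 2048 bits if {@link #MIN_KEY_SIZE} is relied on.
     *
     * @throws Exception on malformed input, algorithm mismatch, failed decryption or invalid JSON
     */
    private JwtClaims verifyAndDecodeJWT(String compactJwe, PrivateKey privateKey) throws Exception {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                KeyManagementAlgorithmIdentifiers.RSA_OAEP_256));
        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                ContentEncryptionAlgorithmIdentifiers.AES_256_GCM));
        jwe.setCompactSerialization(compactJwe);
        jwe.setKey(privateKey);
        return JwtClaims.parse(jwe.getPayload());
    }

    /**
     * Validates the row, inserts it when new, then (re)generates its token and updates it.
     *
     * @throws CheckException when a required field is missing or the token cannot be generated
     */
    @Override
    public void checkAndInsertOrUpdateUserAccessToken(MarinaProxy marinaProxy, NuserAccessToken token) throws CheckException {
        setDefaultUserAccessTokenValues(marinaProxy, token);
        checkUserAccessToken(marinaProxy, token);
        if (token.isNew()) {
            // The real token embeds the row id, so a new row is first inserted with a placeholder.
            if (token.getToken() == null) {
                token.setToken(EMPTY_TOKEN);
            }
            this.utilsEJB.insertEntity(marinaProxy, token);
        }
        generateToken(marinaProxy, token);
        this.utilsEJB.updateEntity(marinaProxy, token);
    }

    /** Fills defaults for fields the user may leave empty: {@code active} defaults to "no". */
    private void setDefaultUserAccessTokenValues(MarinaProxy marinaProxy, NuserAccessToken token) throws CheckException {
        if (StringUtils.isBlank(token.getActive())) {
            token.setActive(YesNoKey.NO.engVal());
        }
    }

    /**
     * Builds the claims for the row, encrypts them with the public key and stores the compact
     * serialization in {@code token}.
     *
     * @throws CheckException wrapping any jose4j, key-loading or I/O failure
     */
    private void generateToken(MarinaProxy marinaProxy, NuserAccessToken token) throws CheckException {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(JWT_ISSUER);
        claims.setIssuedAtToNow();
        claims.setNotBefore(NumericDate.fromMilliseconds(token.getValidFrom().getTime()));
        claims.setExpirationTime(NumericDate.fromMilliseconds(token.getValidTo().getTime()));
        claims.setSubject(token.getNuser());
        claims.setClaim(JWT_CLAIM_APP_CODE, token.getAppCode());
        claims.setClaim(JWT_CLAIM_ID, token.getId());
        claims.setGeneratedJwtId();
        try {
            JsonWebEncryption jwe = new JsonWebEncryption();
            jwe.setPayload(claims.toJson());
            jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
            jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_256_GCM);
            jwe.setKey(loadKeyPair(marinaProxy, true).getPublic());
            // Presumably switched off so keys below jose4j's RSA size minimum (see MIN_KEY_SIZE)
            // are still usable — confirm before changing.
            jwe.setDoKeyValidation(false);
            String compact = jwe.getCompactSerialization();
            // The serialized token is a bearer credential: log which row got one, never its value.
            Logger.log("generateToken.JWT generated for user access token id: " + token.getId());
            token.setToken(compact);
        } catch (Exception e) {
            Logger.error("generateToken", CommonUtils.getFirstNonEmptyExceptionMessage(e), e);
            throw new CheckException(CommonUtils.getFirstNonEmptyExceptionMessage(e));
        }
    }

    /**
     * Loads the RSA key pair from the configured PEM file.
     *
     * <p>The path is the {@code AT_KEY_FILE} setting, falling back to {@link #KEY_FILENAME} in
     * {@code jboss.server.config.dir}. A missing file is generated only when
     * {@code generateIfMissing} is set, the default path is in use and no non-placeholder token
     * exists yet (a fresh key pair could not decrypt tokens issued under the old one).
     *
     * @throws CheckException when the file is absent and must not be generated
     * @throws Exception on unreadable or malformed key material
     */
    private KeyPair loadKeyPair(MarinaProxy marinaProxy, boolean generateIfMissing) throws Exception {
        String keyFilePath = this.settingsEJB.getMarinaMarinaStringSetting(SNastavitveNaziv.AT_KEY_FILE);
        boolean usingDefaultPath = keyFilePath == null || keyFilePath.trim().isEmpty();
        if (usingDefaultPath) {
            keyFilePath = System.getProperty("jboss.server.config.dir") + "/" + KEY_FILENAME;
        }
        if (Files.exists(Paths.get(keyFilePath))) {
            return loadKeyPairFromFile(keyFilePath);
        }
        Long issued = getUserAccessTokenCount();
        boolean tokensAlreadyIssued = issued != null && issued > 0L;
        if (!generateIfMissing || !usingDefaultPath || tokensAlreadyIssued) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.ERROR_MFA_KEY_FILE_NOT_FOUND, keyFilePath));
        }
        generateNewKey(keyFilePath);
        return loadKeyPairFromFile(keyFilePath);
    }

    /** Number of rows whose token is not the placeholder, per the entity's named count query. */
    private Long getUserAccessTokenCount() {
        return (Long) QueryUtils.getSingleResultOrNull(this.em.createNamedQuery(NuserAccessToken.QUERY_NAME_COUNT_NON_EMPTY_TOKENS, Long.class));
    }

    /**
     * Reads a PEM file holding a PKCS#8 private key block and an X.509 public key block.
     *
     * @throws IOException when either block is missing
     * @throws Exception on Base64 or key-spec errors
     */
    private KeyPair loadKeyPairFromFile(String keyFilePath) throws Exception {
        // PEM is ASCII; decoding as UTF-8 keeps this independent of the platform charset.
        String pem = new String(Files.readAllBytes(Paths.get(keyFilePath)), StandardCharsets.UTF_8);
        KeyFactory rsa = KeyFactory.getInstance(RSA_ALGORITHM);
        byte[] publicDer = Base64.getDecoder().decode(extractKey(pem, PEM_PUBLIC));
        byte[] privateDer = Base64.getDecoder().decode(extractKey(pem, PEM_PRIVATE));
        return new KeyPair(rsa.generatePublic(new X509EncodedKeySpec(publicDer)),
                rsa.generatePrivate(new PKCS8EncodedKeySpec(privateDer)));
    }

    /**
     * Returns the Base64 body of the {@code -----BEGIN <label> KEY-----} block with all whitespace
     * removed.
     *
     * @throws IOException when no such block is present
     */
    private static String extractKey(String pem, String label) throws IOException {
        Pattern block = Pattern.compile("-----BEGIN " + label + " KEY-----(.*?)-----END " + label + " KEY-----", Pattern.DOTALL);
        Matcher matcher = block.matcher(pem);
        if (!matcher.find()) {
            throw new IOException("Invalid " + label + " Key Format in PEM file");
        }
        return matcher.group(1).replaceAll("\\s", "");
    }

    /** Generates a fresh RSA key pair of the configured size and writes it to {@code keyFilePath}. */
    private void generateNewKey(String keyFilePath) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(RSA_ALGORITHM);
        Integer configured = this.settingsEJB.getMarinaMarinaIntegerSetting(SNastavitveNaziv.AT_KEY_SIZE);
        generator.initialize(resolveKeySize(configured), new SecureRandom());
        saveKeyPairToFile(generator.generateKeyPair(), keyFilePath);
    }

    /** Configured size when present and at least {@link #MIN_KEY_SIZE}, else {@link #DEFAULT_KEY_SIZE}. */
    private static int resolveKeySize(Integer configured) {
        if (configured == null || configured.intValue() < MIN_KEY_SIZE) {
            return DEFAULT_KEY_SIZE;
        }
        return configured.intValue();
    }

    /**
     * Writes the pair as a PEM file: PKCS#8 private key block followed by an X.509 public key block.
     *
     * <p>The file contains the private key, so on POSIX file systems it is created owner-only
     * before any bytes are written (and an existing file is tightened to the same mode) rather
     * than being left at the process umask default.
     */
    private void saveKeyPairToFile(KeyPair keyPair, String keyFilePath) throws Exception {
        Base64.Encoder encoder = Base64.getEncoder();
        String pem = "-----BEGIN PRIVATE KEY-----\n" + encoder.encodeToString(keyPair.getPrivate().getEncoded())
                + "\n-----END PRIVATE KEY-----\n\n-----BEGIN PUBLIC KEY-----\n"
                + encoder.encodeToString(keyPair.getPublic().getEncoded()) + "\n-----END PUBLIC KEY-----";
        Path keyFile = Paths.get(keyFilePath);
        if (keyFile.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString(KEY_FILE_MODE);
            try {
                Files.createFile(keyFile, PosixFilePermissions.asFileAttribute(ownerOnly));
            } catch (FileAlreadyExistsException ignored) {
                // Overwriting an existing file: keep the original overwrite semantics, fix its mode.
                Files.setPosixFilePermissions(keyFile, ownerOnly);
            }
        }
        Files.write(keyFile, pem.getBytes(StandardCharsets.US_ASCII));
    }

    /**
     * Verifies the mandatory fields of a row before it is persisted.
     *
     * @throws CheckException with a translated message naming the first missing or inconsistent field
     */
    private void checkUserAccessToken(MarinaProxy marinaProxy, NuserAccessToken token) throws CheckException {
        if (StringUtils.isBlank(token.getNuser())) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, marinaProxy.getTranslation(TransKey.USERNAME_NS)));
        }
        if (StringUtils.isBlank(token.getAppCode())) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, marinaProxy.getTranslation(TransKey.APPLICATION_NS)));
        }
        if (token.getValidFrom() == null) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, marinaProxy.getTranslation(TransKey.VALID_FROM)));
        }
        if (token.getValidTo() == null) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, marinaProxy.getTranslation(TransKey.VALID_TO)));
        }
        if (token.getValidFrom().after(token.getValidTo())) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_LOWER_THAN_ANOTHER_VALUE, marinaProxy.getTranslation(TransKey.VALID_FROM), marinaProxy.getTranslation(TransKey.VALID_TO)));
        }
        if (StringUtils.isBlank(token.getActive())) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, marinaProxy.getTranslation(TransKey.ACTIVE_A_1SM)));
        }
    }

    /**
     * Counts rows matching the non-empty fields of {@code filter}.
     *
     * @return the count, or {@code null} if the query yields no single result
     */
    @Override
    public Long getUserAccessTokenFilterResultsCount(MarinaProxy marinaProxy, NuserAccessToken filter) {
        String countQuery = createQueryStringWithoutSortCondition(filter, true);
        return (Long) QueryUtils.getSingleResultOrNull(setParametersAndReturnQuery(marinaProxy, Long.class, filter, countQuery));
    }

    /**
     * Lists rows matching the non-empty fields of {@code filter}, sorted per {@code sortCriteria}.
     *
     * @param firstResult paging argument passed straight to {@code QueryUtils.getResultList}
     *     (presumably the offset — confirm against that helper)
     * @param maxResults paging argument passed straight to {@code QueryUtils.getResultList}
     *     (presumably the page size — confirm against that helper)
     * @param sortCriteria property name to ascending flag, in order; {@code null}/empty sorts by user
     */
    @Override
    public List<NuserAccessToken> getUserAccessTokenFilterResultList(MarinaProxy marinaProxy, int firstResult, int maxResults, NuserAccessToken filter, LinkedHashMap<String, Boolean> sortCriteria) {
        String listQuery = createQueryStringWithoutSortCondition(filter, false) + getSortCriteria(marinaProxy, "N", sortCriteria);
        return QueryUtils.getResultList(setParametersAndReturnQuery(marinaProxy, NuserAccessToken.class, filter, listQuery), firstResult, maxResults);
    }

    /**
     * Builds the ORDER BY fragment for alias {@code alias}, defaulting to ascending {@code nuser}
     * when no criteria are given; {@code id} is always the tie-breaker passed to the helper.
     *
     * <p>NOTE(review): the map keys reach the ORDER BY clause through
     * {@code QueryUtils.createSortCriteria}; if they can originate from client input, confirm that
     * helper restricts them to known property names.
     */
    public String getSortCriteria(MarinaProxy marinaProxy, String alias, LinkedHashMap<String, Boolean> sortCriteria) {
        if (Utils.isNullOrEmpty(sortCriteria)) {
            LinkedHashMap<String, Boolean> byUser = new LinkedHashMap<>();
            byUser.put("nuser", Boolean.TRUE);
            return QueryUtils.createSortCriteria(alias, "id", byUser);
        }
        return QueryUtils.createSortCriteria(alias, "id", sortCriteria);
    }

    /**
     * Creates the typed query and binds exactly the parameters
     * {@link #createQueryStringWithoutSortCondition} emitted placeholders for; the two methods
     * must apply the same field tests.
     */
    private <T> TypedQuery<T> setParametersAndReturnQuery(MarinaProxy marinaProxy, Class<T> resultType, NuserAccessToken filter, String jpql) {
        TypedQuery<T> query = this.em.createQuery(jpql, resultType);
        if (!StringUtils.isBlank(filter.getAppCode())) {
            query.setParameter("appCode", filter.getAppCode());
        }
        if (!StringUtils.isBlank(filter.getNuser())) {
            query.setParameter("nuser", filter.getNuser());
        }
        if (filter.getValidFrom() != null) {
            query.setParameter("validFrom", filter.getValidFrom(), TemporalType.DATE);
        }
        if (filter.getValidTo() != null) {
            query.setParameter("validTo", filter.getValidTo(), TemporalType.DATE);
        }
        // getBoolFromStr(value, true): presumably "treat as set unless explicitly false" — verify.
        if (StringUtils.getBoolFromStr(filter.getActive(), true)) {
            query.setParameter("active", filter.getActive());
        }
        return query;
    }

    /**
     * Builds the JPQL SELECT (count or entity) with one equality predicate per non-empty filter
     * field. Values are bound as named parameters, never concatenated.
     *
     * @param countOnly {@code true} for {@code SELECT COUNT(N)}, {@code false} for {@code SELECT N}
     */
    private String createQueryStringWithoutSortCondition(NuserAccessToken filter, boolean countOnly) {
        StringBuilder jpql = new StringBuilder();
        jpql.append(countOnly ? "SELECT COUNT(N) FROM NuserAccessToken N " : "SELECT N FROM NuserAccessToken N ");
        String joiner = " WHERE ";
        if (!StringUtils.isBlank(filter.getAppCode())) {
            jpql.append(joiner).append(" N.appCode = :appCode ");
            joiner = " AND ";
        }
        if (!StringUtils.isBlank(filter.getNuser())) {
            jpql.append(joiner).append(" N.nuser = :nuser ");
            joiner = " AND ";
        }
        if (filter.getValidFrom() != null) {
            jpql.append(joiner).append(" N.validFrom = :validFrom ");
            joiner = " AND ";
        }
        if (filter.getValidTo() != null) {
            jpql.append(joiner).append(" N.validTo = :validTo ");
            joiner = " AND ";
        }
        if (StringUtils.getBoolFromStr(filter.getActive(), true)) {
            jpql.append(joiner).append(" N.active = :active ");
        }
        return jpql.toString();
    }
}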
