package org.sonatype.nexus.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.common.base.Preconditions;
import com.google.common.eventbus.Subscribe;
import com.google.inject.Provider;
import java.util.Date;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import javax.servlet.http.Cookie;
import org.apache.shiro.subject.Subject;
import org.sonatype.nexus.common.app.FeatureFlag;
import org.sonatype.nexus.common.app.FeatureFlags;
import org.sonatype.nexus.common.app.ManagedLifecycle;
import org.sonatype.nexus.common.event.EventAware;
import org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport;
import org.sonatype.nexus.security.jwt.JwtSecretChanged;
import org.sonatype.nexus.security.jwt.JwtVerificationException;
import org.sonatype.nexus.security.jwt.JwtVerifier;
import org.sonatype.nexus.security.jwt.SecretStore;

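@Named
@Singleton
@ManagedLifecycle(phase = ManagedLifecycle.Phase.SECURITY)
@FeatureFlag(name = FeatureFlags.JWT_ENABLED)
/* loaded from: input_file:org/sonatype/nexus/security/JwtHelper.class */
/**
 * Issues and verifies the JWT session cookie ({@value #JWT_COOKIE_NAME}).
 * <p>
 * Tokens are signed with the algorithm of a {@link JwtVerifier} built from the secret
 * held in the {@link SecretStore}; the verifier is rebuilt whenever a
 * {@link JwtSecretChanged} event arrives, so tokens signed with the previous secret
 * presumably stop verifying from that point on.
 * <p>
 * Every token carries the issuer {@value #ISSUER}, the claims {@value #USER},
 * {@value #REALM} and {@value #USER_SESSION_ID}, an issued-at timestamp and an
 * expiry of {@code expirySeconds} after issue. Refreshing a cookie keeps the
 * session id and pushes the expiry another {@code expirySeconds} from "now"; this
 * class imposes no absolute session lifetime.
 */
public class JwtHelper extends StateGuardLifecycleSupport implements EventAware {
    /** Name of the cookie that carries the signed token. */
    public static final String JWT_COOKIE_NAME = "NXSESSIONID";
    /** Value of the {@code iss} claim on every token issued here. */
    public static final String ISSUER = "sonatype";
    /** Claim holding the name of the Shiro realm that authenticated the user. */
    public static final String REALM = "realm";
    /** Claim holding the principal (user name). */
    public static final String USER = "user";
    /** Claim holding a per-session random id (a UUID on first issue, carried over on refresh). */
    public static final String USER_SESSION_ID = "userSessionId";
    /** Token and cookie lifetime in seconds; also the cookie's max-age. */
    private final int expirySeconds;
    /** Path attribute written on the cookie. */
    private final String contextPath;
    private final Provider<SecretStore> secretStoreProvider;
    /**
     * Replaced in {@link #doStart()} and again by the {@link #on(JwtSecretChanged)} event
     * handler; {@code volatile} so that callers of {@link #verifyJwt(String)} on other
     * threads observe the replacement rather than a stale (or null) reference.
     */
    private volatile JwtVerifier verifier;

    /**
     * @param i        token lifetime in seconds ({@code nexus.jwt.expiry}, default 1800); must not be negative
     * @param str      servlet context path used as the cookie path
     * @param provider supplies the {@link SecretStore} holding the signing secret
     * @throws IllegalStateException if {@code i} is negative
     * @throws NullPointerException  if {@code str} or {@code provider} is null
     */
    @Inject
    public JwtHelper(@Named("${nexus.jwt.expiry:-1800}") int i, @Named("${nexus-context-path}") String str, Provider<SecretStore> provider) {
        // The check admits 0; the message now says so instead of claiming "positive".
        Preconditions.checkState(i >= 0, "JWT expiration period must not be negative");
        this.expirySeconds = i;
        this.contextPath = Preconditions.checkNotNull(str);
        this.secretStoreProvider = Preconditions.checkNotNull(provider);
    }

    /**
     * Generates a signing secret if the store has none yet, then builds the verifier.
     */
    @Override // org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport
    protected void doStart() throws Exception {
        SecretStore secretStore = this.secretStoreProvider.get();
        if (!secretStore.getSecret().isPresent()) {
            secretStore.generateNewSecret();
        }
        this.verifier = new JwtVerifier(loadSecret());
    }

    /**
     * Creates a fresh session cookie for an authenticated subject.
     * <p>
     * The realm claim is the first realm name reported by the subject's principals, or
     * absent when there is none.
     *
     * @param subject the authenticated subject; must not be null
     * @return a new cookie carrying a token with a newly generated session id
     */
    public Cookie createJwtCookie(Subject subject) {
        Preconditions.checkNotNull(subject);
        String realm = subject.getPrincipals().getRealmNames().stream().findFirst().orElse(null);
        return createJwtCookie(subject.getPrincipal().toString(), realm);
    }

    /**
     * Verifies a token and re-issues it with the same user, realm and session id claims
     * but a new issued-at/expiry window.
     *
     * @param str the raw token string taken from the cookie; must not be null
     * @return a replacement cookie
     * @throws JwtVerificationException if the token does not verify
     */
    public Cookie verifyAndRefreshJwtCookie(String str) throws JwtVerificationException {
        Preconditions.checkNotNull(str);
        DecodedJWT decoded = verifyJwt(str);
        return createJwtCookie(
            decoded.getClaim(USER).asString(),
            decoded.getClaim(REALM).asString(),
            decoded.getClaim(USER_SESSION_ID).asString());
    }

    /**
     * Verifies signature and claims of a token against the current verifier.
     *
     * @param str the raw token string
     * @return the decoded token
     * @throws JwtVerificationException if verification fails
     */
    public DecodedJWT verifyJwt(String str) throws JwtVerificationException {
        return this.verifier.verify(str);
    }

    /** @return configured token/cookie lifetime in seconds */
    public int getExpirySeconds() {
        return this.expirySeconds;
    }

    /**
     * Rebuilds the verifier from the store after the signing secret changed.
     */
    @Subscribe
    public void on(JwtSecretChanged jwtSecretChanged) {
        this.log.debug("JWT secret has changed. Reset the cookies");
        this.verifier = new JwtVerifier(loadSecret());
    }

    /** Issues a cookie with a brand-new random session id. */
    private Cookie createJwtCookie(String user, String realm) {
        return createJwtCookie(user, realm, UUID.randomUUID().toString());
    }

    /** Issues a cookie for the given claims, signing a new token. */
    private Cookie createJwtCookie(String user, String realm, String sessionId) {
        return createCookie(createToken(user, realm, sessionId));
    }

    /**
     * Builds and signs a token: issuer, the three custom claims, {@code iat} = now and
     * {@code exp} = now + {@link #expirySeconds}.
     */
    private String createToken(String user, String realm, String sessionId) {
        Date issuedAt = new Date();
        return JWT.create()
            .withIssuer(ISSUER)
            .withClaim(USER, user)
            .withClaim(REALM, realm)
            .withClaim(USER_SESSION_ID, sessionId)
            .withIssuedAt(issuedAt)
            .withExpiresAt(getExpiresAt(issuedAt))
            .sign(this.verifier.getAlgorithm());
    }

    /**
     * Wraps a token in the session cookie: max-age = expiry, path = context path, HttpOnly.
     * NOTE(review): the Secure attribute is not set here, so whether the cookie is
     * confined to TLS depends on the surrounding deployment — confirm.
     */
    private Cookie createCookie(String token) {
        Cookie cookie = new Cookie(JWT_COOKIE_NAME, token);
        cookie.setMaxAge(this.expirySeconds);
        cookie.setPath(this.contextPath);
        cookie.setHttpOnly(true);
        return cookie;
    }

    /** @return {@code issuedAt} shifted forward by {@link #expirySeconds} */
    private Date getExpiresAt(Date issuedAt) {
        return new Date(issuedAt.getTime() + TimeUnit.SECONDS.toMillis(this.expirySeconds));
    }

    /**
     * @return the current signing secret
     * @throws IllegalStateException if the store holds no secret
     */
    private String loadSecret() {
        return this.secretStoreProvider.get().getSecret()
            .orElseThrow(() -> new IllegalStateException("JWT secret not found in datastore"));
    }
}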
