package org.gcube.common.authorization.utils.secret;

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.gcube.com.fasterxml.jackson.databind.ObjectMapper;
import org.gcube.common.authorization.library.provider.AccessTokenProvider;
import org.gcube.common.authorization.library.provider.ClientInfo;
import org.gcube.common.authorization.library.provider.ExternalServiceInfo;
import org.gcube.common.authorization.library.provider.UserInfo;
import org.gcube.common.authorization.library.utils.Caller;
import org.gcube.common.authorization.utils.clientid.RenewalProvider;
import org.gcube.common.authorization.utils.user.KeycloakUser;
import org.gcube.common.authorization.utils.user.User;
import org.gcube.common.iam.OIDCBearerAuth;
import org.gcube.common.scope.impl.ScopeBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/gcube/common/authorization/utils/secret/JWTSecret.class */
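/**
 * {@link Secret} implementation backed by an OIDC/JWT bearer access token.
 *
 * <p>Identity, roles and context are all read from the claims of the token parsed by
 * {@code OIDCBearerAuth.fromAccessTokenString(String)}.
 * NOTE(review): nothing in this class verifies the token's signature or issuer; confirm that
 * validation happens before a {@code JWTSecret} is built from a caller-supplied string.
 *
 * <p>Derived values (roles, user, client info, caller, context) are cached in plain fields.
 * This class adds no synchronization of its own around them.
 */
public class JWTSecret extends Secret {
    private static final Logger logger = LoggerFactory.getLogger(JWTSecret.class);

    /** Margin, in milliseconds, subtracted from the token's {@code exp} before it is treated as expired. */
    public static final long TOLERANCE = TimeUnit.MILLISECONDS.toMillis(200);

    /** Optional source of fresh tokens; when {@code null} an expired token is used as-is. */
    protected RenewalProvider renewalProvider;
    /** Lazily cached roles read from the parsed token. */
    protected Set<String> roles;
    /** Lazily cached client description built from {@link #getUser()}. */
    protected ClientInfo clientInfo;
    /** Lazily cached caller built from {@link #getClientInfo()}. */
    protected Caller caller;
    /** Lazily cached context resolved from the token audience. */
    protected String context;
    /** Parsed view of the access token currently held by this secret. */
    protected OIDCBearerAuth oidcBearerAuth;

    /**
     * Builds a secret from a serialized access token.
     *
     * @param str the access token string; it is stored by the superclass and parsed into
     *            {@link #oidcBearerAuth}
     */
    public JWTSecret(String str) {
        // The meaning of the literal 10 is defined by Secret (presumably a priority; confirm).
        super(10, str);
        this.oidcBearerAuth = OIDCBearerAuth.fromAccessTokenString(str);
    }

    /**
     * Returns the token to send, renewing it first when it is expired (or within
     * {@link #TOLERANCE} of expiring) and a {@link RenewalProvider} is configured.
     *
     * <p>Any failure while checking or renewing is logged and the current token is returned
     * unchanged, so callers may still receive an expired token.
     *
     * @return the current (possibly renewed) token string
     */
    private String getTokenString() {
        try {
            boolean needsRenewal = isExpired();
            if (!needsRenewal) {
                long nowMillis = System.currentTimeMillis();
                // exp is multiplied by 1000 to compare it with a millisecond clock.
                long refreshAtMillis =
                        (this.oidcBearerAuth.getAccessToken().getExp().longValue() * 1000) - TOLERANCE;
                needsRenewal = nowMillis >= refreshAtMillis;
            }
            if (needsRenewal && this.renewalProvider != null) {
                try {
                    JWTSecret renewed = (JWTSecret) this.renewalProvider.renew(getContext());
                    this.token = renewed.token;
                    // Keep the parsed view in step with the token string. Without this the expiry
                    // check keeps evaluating the original token and renews on every later call.
                    this.oidcBearerAuth = renewed.oidcBearerAuth;
                    // NOTE(review): cached roles/user/clientInfo/caller still reflect the original
                    // token; confirm whether a role change on renewal must be picked up here.
                } catch (Exception e) {
                    logger.warn("Unable to renew the token with the RenewalProvider. I'll continue using the old token.", e);
                }
            }
        } catch (Exception e2) {
            logger.error("Unexpected error in the procedure to evaluate/refresh the current token. I'll continue using the old token.", e2);
        }
        return this.token;
    }

    /**
     * Publishes the (possibly renewed) token through {@code AccessTokenProvider.instance}.
     */
    @Override
    public void setToken() throws Exception {
        AccessTokenProvider.instance.set(getTokenString());
    }

    /**
     * Clears the token held by {@code AccessTokenProvider.instance}.
     */
    @Override
    public void resetToken() throws Exception {
        AccessTokenProvider.instance.reset();
    }

    /**
     * Returns the roles carried by the token, reading them once and caching the result.
     *
     * @return the cached role set
     */
    protected Set<String> getRoles() throws Exception {
        if (this.roles == null) {
            this.roles = this.oidcBearerAuth.getRoles();
        }
        return this.roles;
    }

    /**
     * Returns a {@link ClientInfo} for the token subject, built once and cached.
     *
     * <p>An application subject becomes an {@link ExternalServiceInfo}; any other subject becomes
     * a {@link UserInfo} carrying a copy of the user's roles.
     *
     * @return the cached client description
     */
    @Override
    public ClientInfo getClientInfo() throws Exception {
        if (this.clientInfo != null) {
            return this.clientInfo;
        }
        User subject = getUser();
        if (subject.isApplication()) {
            this.clientInfo = new ExternalServiceInfo(subject.getUsername(), "unknown");
        } else {
            this.clientInfo = new UserInfo(
                    subject.getUsername(),
                    new ArrayList<String>(subject.getRoles()),
                    subject.getEmail(),
                    subject.getGivenName(),
                    subject.getFamilyName());
        }
        return this.clientInfo;
    }

    /**
     * Returns the {@link Caller} wrapping {@link #getClientInfo()}, built once and cached.
     *
     * @return the cached caller
     */
    @Override
    public Caller getCaller() throws Exception {
        if (this.caller == null) {
            this.caller = new Caller(getClientInfo(), "token");
        }
        return this.caller;
    }

    /**
     * Resolves the context from the token audience and caches it.
     *
     * <p>The first non-empty audience entry that URL-decodes into a valid {@link ScopeBean} wins;
     * entries that fail are logged and skipped. The value comes straight from the token claims,
     * so it is only as trustworthy as the token itself.
     *
     * @return the context string
     * @throws Exception if no audience entry yields a valid context
     */
    @Override
    public String getContext() throws Exception {
        if (this.context != null) {
            return this.context;
        }
        for (String audience : this.oidcBearerAuth.getAccessToken().getAudience()) {
            if (audience == null || audience.isEmpty()) {
                continue;
            }
            try {
                String decoded = URLDecoder.decode(audience, StandardCharsets.UTF_8.toString());
                this.context = new ScopeBean(decoded).toString();
                return this.context;
            } catch (Exception e) {
                logger.error("Invalid context name for audience {} in access token. Trying next one if any.", audience, e);
            }
        }
        throw new Exception("Invalid context in access token");
    }

    /**
     * Returns the preferred username claim of the parsed token.
     */
    @Override
    public String getUsername() throws Exception {
        return this.oidcBearerAuth.getAccessToken().getPreferredUsername();
    }

    /**
     * Builds the HTTP headers that authenticate a request with this secret.
     *
     * <p>The returned map holds the live bearer credential; callers should not log or persist it.
     *
     * @return a new map with a single {@code Authorization: Bearer <token>} entry
     */
    @Override
    public Map<String, String> getHTTPAuthorizationHeaders() {
        Map<String, String> headers = new HashMap<String, String>();
        headers.put("Authorization", "Bearer " + getTokenString());
        return headers;
    }

    /**
     * Sets the provider used to obtain a fresh token when the current one expires.
     *
     * @param renewalProvider the provider, or {@code null} to disable renewal
     */
    public void setRenewalProvider(RenewalProvider renewalProvider) {
        this.renewalProvider = renewalProvider;
    }

    /**
     * Reports whether the parsed token is expired, as decided by {@link OIDCBearerAuth}.
     */
    @Override
    public boolean isExpired() throws Exception {
        return this.oidcBearerAuth.isExpired();
    }

    /**
     * Reports whether the parsed token can be refreshed, as decided by {@link OIDCBearerAuth}.
     */
    @Override
    public boolean isRefreshable() throws Exception {
        return this.oidcBearerAuth.canBeRefreshed();
    }

    /**
     * Returns the user described by the token, built once and cached.
     *
     * <p>The access token object is serialized to JSON and read back as a {@link KeycloakUser},
     * then given the roles from {@link #getRoles()}.
     *
     * @return the cached user
     * @throws RuntimeException wrapping any failure while mapping the token or reading roles
     */
    @Override
    public User getUser() {
        if (this.user != null) {
            return this.user;
        }
        try {
            ObjectMapper mapper = new ObjectMapper();
            String claimsJson = mapper.writeValueAsString(this.oidcBearerAuth.getAccessToken());
            this.user = (User) mapper.readValue(claimsJson, KeycloakUser.class);
            this.user.setRoles(getRoles());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return this.user;
    }
}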
