package com.atlassian.confluence.plugins.synchrony.service;

import com.atlassian.config.ConfigurationException;
import com.atlassian.confluence.pages.PageManager;
import com.atlassian.confluence.plugins.synchrony.config.SynchronyConfigurationManager;
import com.atlassian.confluence.security.Permission;
import com.atlassian.confluence.security.PermissionManager;
import com.atlassian.confluence.user.ConfluenceUser;
import com.atlassian.confluence.user.UserAccessor;
import com.atlassian.plugin.spring.scanner.annotation.imports.ComponentImport;
import com.google.common.annotations.VisibleForTesting;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.commons.codec.binary.Base64;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

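/**
 * Builds the JSON Web Token that authorises access to a Synchrony editing session
 * for a single Confluence page.
 *
 * <p>The token is an HS256-signed JWT, keyed with the configured app secret, whose
 * {@code access} claim maps the page's Synchrony data paths to the caller's
 * permission level. When Synchrony encryption is enabled the signed JWT is
 * additionally wrapped in a JWE (RSA-OAEP-256 key wrapping, A256GCM content
 * encryption) addressed to Synchrony's RSA public key, and only in that case is the
 * shared passphrase embedded in the claims: a signed-only JWT is base64 text that
 * anyone holding the token can read.
 *
 * <p>Not thread-safe by contract; it holds no mutable state of its own, so safety
 * depends on the injected collaborators.
 */
@Component("synchrony-token-generator")
/* loaded from: input_file:com/atlassian/confluence/plugins/synchrony/service/SynchronyJsonWebTokenGenerator.class */
public class SynchronyJsonWebTokenGenerator {
    private final PermissionManager permissionManager;
    private final UserAccessor userAccessor;
    private final PageManager pageManager;
    private final SynchronyConfigurationManager synchronyConfigurationManager;
    /** Token lifetime in seconds (24 hours); drives the {@code exp} claim. */
    public static final long TOKEN_EXPIRY_TIME = TimeUnit.HOURS.toSeconds(24);
    /** Clock-skew allowance in seconds (15 minutes). Exposed for callers; not referenced within this class. */
    public static final long TOKEN_EXPIRY_LEEWAY = TimeUnit.MINUTES.toSeconds(15);

    /**
     * Creates the generator.
     *
     * @param permissionManager used to decide whether the user may edit the page
     * @param userAccessor used to resolve the user's profile picture for the session data
     * @param pageManager used to load the page the token is scoped to
     * @param synchronyConfigurationManager source of app id, app secret, passphrase,
     *     Synchrony public key and the encryption-enabled flag
     */
    @Autowired
    public SynchronyJsonWebTokenGenerator(@ComponentImport PermissionManager permissionManager, @ComponentImport UserAccessor userAccessor, @ComponentImport PageManager pageManager, SynchronyConfigurationManager synchronyConfigurationManager) {
        this.permissionManager = permissionManager;
        this.userAccessor = userAccessor;
        this.pageManager = pageManager;
        this.synchronyConfigurationManager = synchronyConfigurationManager;
    }

    /**
     * Creates a serialised Synchrony token for the given page and user.
     *
     * <p>Ensures the instance is registered with Synchrony, that a Synchrony public key,
     * app id and passphrase are available (generating and storing a passphrase if none
     * exists), then signs the claims with the app secret. If Synchrony encryption is
     * enabled the signed JWT is encrypted to the Synchrony public key before
     * serialisation; otherwise the compact signed JWT is returned as-is.
     *
     * @param l id of the page the token grants access to
     * @param confluenceUser the requesting user; {@code null} yields a token without
     *     {@code sub}/{@code userKey} and with null name fields in the session data
     * @return the compact-serialised JWS, or JWE when encryption is enabled
     * @throws ConfigurationException if registration fails, the public key cannot be
     *     retrieved, the app id is missing, or no passphrase could be generated
     * @throws Exception for signing/encryption failures raised by the JOSE library
     */
    public String create(Long l, ConfluenceUser confluenceUser) throws Exception {
        if (!this.synchronyConfigurationManager.registerWithSynchrony()) {
            throw new ConfigurationException("This instance could not be registered with Synchrony.");
        }
        // The key is demanded unconditionally, even though it is only consumed on the encrypted path.
        if (this.synchronyConfigurationManager.getSynchronyPublicKey() == null
                && !this.synchronyConfigurationManager.retrievePublicKey()) {
            throw new ConfigurationException("Could not retrieve Synchrony public key.");
        }
        String synchronyPublicKey = this.synchronyConfigurationManager.getSynchronyPublicKey();
        String configuredAppID = this.synchronyConfigurationManager.getConfiguredAppID();
        if (configuredAppID == null) {
            throw new ConfigurationException("Stored AppID is null, this instance may not have been configured.");
        }
        String appSecret = this.synchronyConfigurationManager.getAppSecret();
        String externalServiceUrl = this.synchronyConfigurationManager.getExternalServiceUrl();
        String passphrase = requirePassphrase();

        String permission = getPermission(l, confluenceUser);
        Map<String, Object> accessData = getAccessData(l, configuredAppID, permission);
        Map<String, Object> sessionData = getSessionData(confluenceUser);
        JWTClaimsSet claims = makeClaims(configuredAppID, externalServiceUrl, accessData, sessionData, confluenceUser, passphrase);
        SignedJWT signedJWT = signedJWTFromClaims(claims, appSecret);

        if (this.synchronyConfigurationManager.isSynchronyEncryptionEnabled()) {
            return encryptSignedJWT(signedJWT, synchronyPublicKey).serialize();
        }
        return signedJWT.serialize();
    }

    /**
     * Returns the stored passphrase, lazily generating and storing one first when none exists.
     *
     * @throws ConfigurationException if no passphrase is available even after generation
     */
    private String requirePassphrase() throws ConfigurationException {
        String passphrase = this.synchronyConfigurationManager.getPassphrase();
        if (passphrase != null) {
            return passphrase;
        }
        this.synchronyConfigurationManager.generateStorePassphraseIfMissing();
        passphrase = this.synchronyConfigurationManager.getPassphrase();
        if (passphrase == null) {
            throw new ConfigurationException("Could not lazily generate a passphrase.");
        }
        return passphrase;
    }

    /**
     * Assembles the claim set for the token.
     *
     * <p>Claims: {@code iss} = app id, {@code aud} = external service URL, {@code access},
     * {@code session}, {@code revisionMeta} (holds {@code userKey} when a user is present),
     * {@code iat} = now, {@code exp} = now + {@link #TOKEN_EXPIRY_TIME}, {@code sub} = the
     * user key (or null). The {@code passphrase} claim is added only when Synchrony
     * encryption is enabled, because only then is the token body encrypted in transit.
     *
     * @param str issuer: the configured app id
     * @param str2 audience: the Synchrony external service URL
     * @param map access data, see {@link #getAccessData}
     * @param map2 session data, see {@link #getSessionData}
     * @param confluenceUser the requesting user, may be null
     * @param str3 the shared passphrase; embedded only on the encrypted path
     * @return the built claim set
     */
    @VisibleForTesting
    protected JWTClaimsSet makeClaims(String str, String str2, Map<String, Object> map, Map<String, Object> map2, ConfluenceUser confluenceUser, String str3) {
        long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        Map<String, Object> revisionMeta = new HashMap<>();
        if (confluenceUser != null) {
            revisionMeta.put("userKey", confluenceUser.getKey().getStringValue());
        }
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder()
                .issuer(str)
                .audience(str2)
                .claim("access", map)
                .claim("iat", Long.valueOf(nowSeconds))
                // Same 24h value as before, taken from the declared constant instead of a repeated literal.
                .claim("exp", Long.valueOf(nowSeconds + TOKEN_EXPIRY_TIME))
                .claim("sub", confluenceUser == null ? null : confluenceUser.getKey().toString())
                .claim("session", map2)
                .claim("revisionMeta", revisionMeta);
        if (this.synchronyConfigurationManager.isSynchronyEncryptionEnabled()) {
            builder.claim("passphrase", str3);
        }
        return builder.build();
    }

    /**
     * Signs the claims as an HS256 JWS keyed with the app secret.
     *
     * <p>NOTE(review): Nimbus' {@code MACSigner} enforces a minimum key length for
     * HS256 (256 bits), so an app secret shorter than that fails here rather than
     * producing a weak token — confirm against the Nimbus version in use.
     *
     * @param claims the claim set to sign
     * @param appSecret the shared secret whose UTF-8 bytes form the HMAC key
     * @return the signed JWT
     * @throws Exception if the signer rejects the key or signing fails
     */
    private SignedJWT signedJWTFromClaims(JWTClaimsSet claims, String appSecret) throws Exception {
        SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        // Encode the secret explicitly as UTF-8 so the HMAC key does not depend on the JVM's platform charset.
        signedJWT.sign(new MACSigner(appSecret.getBytes(StandardCharsets.UTF_8)));
        return signedJWT;
    }

    /**
     * Wraps the signed JWT in a JWE encrypted to Synchrony's RSA public key.
     *
     * <p>Uses RSA-OAEP-256 to wrap a fresh content key and A256GCM for the payload;
     * {@code cty=JWT} marks the payload as a nested JWT.
     *
     * @param signedJWT the already-signed token to protect
     * @param base64PublicKey base64-encoded X.509 SubjectPublicKeyInfo of the Synchrony RSA key
     * @return the encrypted JWE
     * @throws Exception if the key cannot be parsed or encryption fails
     */
    private JWEObject encryptSignedJWT(SignedJWT signedJWT, String base64PublicKey) throws Exception {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(signedJWT));
        // X509EncodedKeySpec expects the DER SubjectPublicKeyInfo structure, which is what the stored base64 decodes to.
        RSAPublicKey synchronyKey = (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.decodeBase64(base64PublicKey)));
        jwe.encrypt(new RSAEncrypter(synchronyKey));
        return jwe;
    }

    /**
     * Maps the user's rights on the page to Synchrony's permission string.
     *
     * @param pageId id of the page to check
     * @param confluenceUser the requesting user, may be null (anonymous check)
     * @return {@code "full"} when the user holds EDIT on the page, otherwise the empty string
     */
    private String getPermission(Long pageId, ConfluenceUser confluenceUser) {
        boolean canEdit = this.permissionManager.hasPermission(
                confluenceUser, Permission.EDIT, this.pageManager.getAbstractPage(pageId.longValue()));
        return canEdit ? "full" : "";
    }

    /**
     * Builds the {@code access} claim: both Synchrony data paths for the page (content and
     * title) mapped to the same permission string.
     *
     * @param pageId id of the page
     * @param appId the configured app id that namespaces the paths
     * @param permission permission string from {@link #getPermission}
     * @return mutable map of data path to permission
     */
    private Map<String, Object> getAccessData(Long pageId, String appId, String permission) {
        String contentPath = "/data/" + appId + "/confluence-" + pageId;
        Map<String, Object> access = new HashMap<>();
        access.put(contentPath, permission);
        access.put(contentPath + "-title", permission);
        return access;
    }

    /**
     * Builds the {@code session} claim describing the user for other collaborators.
     *
     * @param confluenceUser the requesting user, may be null
     * @return map with {@code fullname}, {@code name} (both null for a null user) and {@code avatarURL}
     */
    private Map<String, Object> getSessionData(ConfluenceUser confluenceUser) {
        Map<String, Object> session = new HashMap<>();
        session.put("fullname", confluenceUser == null ? null : confluenceUser.getFullName());
        session.put("name", confluenceUser == null ? null : confluenceUser.getName());
        // Called even for a null user — presumably the accessor returns a default picture; confirm.
        session.put("avatarURL", this.userAccessor.getUserProfilePicture(confluenceUser).getDownloadPath());
        return session;
    }
}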
