package com.appiancorp.object.remote;

import com.appiancorp.ag.ExtendedGroupService;
import com.appiancorp.ag.constant.Constants;
import com.appiancorp.common.I18nUtils;
import com.appiancorp.common.ReactHashUtils;
import com.appiancorp.features.FeatureToggleClient;
import com.appiancorp.ix.analysis.index.IaType;
import com.appiancorp.object.remote.ia.RdoSearchService;
import com.appiancorp.security.auth.SecurityContext;
import com.appiancorp.security.auth.SecurityContextProvider;
import com.appiancorp.services.ServiceContext;
import com.appiancorp.suite.DeploymentEnvironmentConfiguration;
import com.appiancorp.suite.SuiteConfiguration;
import com.appiancorp.suite.cfg.ConfigurationFactory;
import com.google.common.base.Strings;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Base64;
import java.util.BitSet;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.zip.GZIPOutputStream;
import org.apache.commons.lang3.StringUtils;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/object/remote/RemoteJwtSupplierImpl.class */
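/**
 * Builds and signs the JWT that is handed to a {@link RemoteService} for the current user.
 *
 * <p>The token carries authorization-relevant data: the subject (user UUID), the audience (the
 * remote service's user-to-system URL), admin/designer flags and a bitmap of the user's group
 * ids. Everything a consumer acts on is only trustworthy after the signature, audience and
 * {@code nbf}/{@code exp} window have been verified.
 *
 * <p>The space-separated scope list is written to the JWS header under {@link #SCOPES}, not to
 * the claims set. In the compact JWS serialization produced by {@link SignedJWT#serialize()} the
 * header is part of the signing input, so the scopes are integrity-protected, but a consumer has
 * to read them from the verified header rather than from the payload.
 */
public class RemoteJwtSupplierImpl implements RemoteJwtSupplier {
    // The logger is registered under the interface name, not the implementation class.
    private static final Logger LOG = LoggerFactory.getLogger(RemoteJwtSupplier.class);
    public static final String REDUCE_JWT_FEATURE_TOGGLE_KEY = "ae.remote-frameworks.jwt-size.reduced";
    public static final String IS_APPIAN_ADMIN = "appian_is_admin";
    public static final String IS_APPIAN_DESIGNER = "appian_is_designer";
    public static final String APPIAN_GROUPS = "appian_groups";
    public static final String APPIAN_GROUPS_CLAIM_FORMAT = "appian_groups_format";
    public static final String APPIAN_API_BUNDLE = "appian_api_bundle";
    public static final String APPIAN_SITE_ID = "appian_site_id";
    public static final String APPIAN_CUSTOMER_ID = "appian_customer_id";
    public static final String APPIAN_SERVER_ID = "appian_server_id";
    public static final String APPIAN_USER_LOCALE = "appian_user_locale";
    public static final String APPIAN_USER_IS_RTL = "appian_user_is_rtl";
    public static final String APPIAN_USER_THEME_DATA = "appian_user_theme_data";
    public static final String APPIAN_USER_CALENDAR = "appian_user_calendar";
    public static final String APPIAN_USER_TIMEZONE = "appian_user_timezone";
    public static final String APPIAN_USER_FULL_NAME = "appian_user_full_name";
    public static final String CLIENT_CAPABILITIES_BITMAP = "client_capabilities_bitmap";
    public static final String CSRF = "csrf";
    public static final String SCOPES = "scopes";
    public static final String GROUPS_BITMAP_FORMAT = "BITMAP";
    private final SecurityContextProvider securityContextProvider;
    private final Supplier<String> baseUriSupplier;
    private final DeploymentEnvironmentConfiguration deploymentEnvConfig;
    private final RemoteDesignObjectConfiguration remoteDesignObjectConfig;
    private final RemoteFrameworksConfiguration remoteFrameworksConfiguration;
    protected final JwtSignerSelector jwtSignerSelector;
    private final Supplier<String> issuerSupplier;
    private final ExtendedGroupService extendedGroupService;
    private final RdoSearchService rdoSearchService;
    private final FeatureToggleClient featureToggleClient;

    /**
     * Creates a supplier whose configuration objects are resolved through
     * {@link ConfigurationFactory}.
     *
     * <p>The base URI and the issuer are looked up lazily on every use; the other configuration
     * objects are resolved once, here.
     *
     * @param securityContextProvider source of the current user's security context
     * @param jwtSignerSelector default selector for the signing algorithm and signer
     * @param extendedGroupService source of the user's cached group membership
     * @param rdoSearchService used to narrow the group list when the reduced-JWT toggle is on
     * @param featureToggleClient used to read {@link #REDUCE_JWT_FEATURE_TOGGLE_KEY}
     */
    public RemoteJwtSupplierImpl(SecurityContextProvider securityContextProvider, JwtSignerSelector jwtSignerSelector, ExtendedGroupService extendedGroupService, RdoSearchService rdoSearchService, FeatureToggleClient featureToggleClient) {
        this.jwtSignerSelector = jwtSignerSelector;
        this.securityContextProvider = securityContextProvider;
        this.extendedGroupService = extendedGroupService;
        this.rdoSearchService = rdoSearchService;
        this.featureToggleClient = featureToggleClient;
        this.baseUriSupplier = () -> ((SuiteConfiguration) ConfigurationFactory.getConfiguration(SuiteConfiguration.class)).getBaseUri();
        this.deploymentEnvConfig = (DeploymentEnvironmentConfiguration) ConfigurationFactory.getConfiguration(DeploymentEnvironmentConfiguration.class);
        this.remoteDesignObjectConfig = (RemoteDesignObjectConfiguration) ConfigurationFactory.getConfiguration(RemoteDesignObjectConfiguration.class);
        this.remoteFrameworksConfiguration = (RemoteFrameworksConfiguration) ConfigurationFactory.getConfiguration(RemoteFrameworksConfiguration.class);
        this.issuerSupplier = () -> ((SuiteConfiguration) ConfigurationFactory.getConfiguration(SuiteConfiguration.class)).getServerAndPort();
    }

    /**
     * Creates a supplier with every collaborator passed in explicitly.
     *
     * @param supplier supplies the {@code iss} claim value
     * @param supplier2 supplies the base URI used to build the {@link #APPIAN_API_BUNDLE} claim
     */
    RemoteJwtSupplierImpl(SecurityContextProvider securityContextProvider, JwtSignerSelector jwtSignerSelector, Supplier<String> supplier, Supplier<String> supplier2, ExtendedGroupService extendedGroupService, DeploymentEnvironmentConfiguration deploymentEnvironmentConfiguration, RemoteDesignObjectConfiguration remoteDesignObjectConfiguration, RemoteFrameworksConfiguration remoteFrameworksConfiguration, RdoSearchService rdoSearchService, FeatureToggleClient featureToggleClient) {
        this.jwtSignerSelector = jwtSignerSelector;
        this.securityContextProvider = securityContextProvider;
        this.extendedGroupService = extendedGroupService;
        this.rdoSearchService = rdoSearchService;
        this.baseUriSupplier = supplier2;
        this.deploymentEnvConfig = deploymentEnvironmentConfiguration;
        this.remoteDesignObjectConfig = remoteDesignObjectConfiguration;
        this.remoteFrameworksConfiguration = remoteFrameworksConfiguration;
        this.issuerSupplier = supplier;
        this.featureToggleClient = featureToggleClient;
    }

    /**
     * Issues a token with no service context, empty theme data and no object type.
     *
     * <p>With the reduced-JWT toggle enabled, the absent object type yields an empty group bitmap.
     */
    @Override // com.appiancorp.object.remote.RemoteJwtSupplier
    public String getJwt(RemoteService remoteService, String[] strArr) {
        return getJwt(remoteService, null, new JSONObject(), strArr, Optional.empty());
    }

    /**
     * Issues a token with no service context and empty theme data for the given object type.
     *
     * @throws NullPointerException if {@code iaType} is null ({@link Optional#of} rejects it)
     */
    @Override // com.appiancorp.object.remote.RemoteJwtSupplier
    public String getJwt(RemoteService remoteService, String[] strArr, IaType iaType) {
        return getJwt(remoteService, null, new JSONObject(), strArr, Optional.of(iaType));
    }

    /** Issues a token without a caller-provided CSRF value. */
    @Override // com.appiancorp.object.remote.RemoteJwtSupplier
    public String getJwt(RemoteService remoteService, ServiceContext serviceContext, JSONObject jSONObject, String[] strArr, Optional<IaType> optional) {
        return getJwt(remoteService, serviceContext, jSONObject, strArr, optional, null);
    }

    /**
     * Builds, signs and serializes the token for {@code remoteService}.
     *
     * <p>The lifetime depends on the requested scopes: when {@code strArr} contains
     * {@code "user"} the configured user JWT lifetime applies, otherwise the S2S lifetime. The
     * {@link #CSRF} claim is added only for the {@code "user"} scope.
     *
     * @param remoteService target service; supplies the audience, key id and signer selection
     * @param serviceContext locale, calendar and time zone source; may be null, in which case
     *     defaults are written
     * @param jSONObject theme data, serialized into {@link #APPIAN_USER_THEME_DATA}
     * @param strArr requested scopes; must not be null
     * @param optional object type used to narrow the group bitmap when the reduced-JWT toggle
     *     is enabled
     * @param str CSRF value to embed; a blank value is replaced by a random UUID
     * @return the compact serialization of the signed JWT
     * @throws RuntimeException wrapping the {@link JOSEException} if signing fails
     */
    @Override // com.appiancorp.object.remote.RemoteJwtSupplier
    public String getJwt(RemoteService remoteService, ServiceContext serviceContext, JSONObject jSONObject, String[] strArr, Optional<IaType> optional, String str) {
        SecurityContext securityContext = this.securityContextProvider.get();
        Instant now = Instant.now();
        String groupsBitmapValue = getGroupsBitmapValue(optional);
        String audience = remoteService.getUserToSystemUrl();
        String userUuid = securityContext.getUserUuid();
        boolean userScoped = Arrays.asList(strArr).contains("user");
        int lifetimeSeconds = userScoped
                ? this.remoteFrameworksConfiguration.getJwtLifetime().intValue()
                : this.remoteFrameworksConfiguration.getS2SJwtLifetime().intValue();
        Date expiresAt = Date.from(now.plusSeconds(lifetimeSeconds));

        Integer siteId = Integer.valueOf(getSiteId());
        Integer customerId = Integer.valueOf(this.deploymentEnvConfig.getCustomerId());
        Integer serverId = Integer.valueOf(this.deploymentEnvConfig.getServerId());

        // Site, customer and server ids are written to both the header and the claims set.
        JWSHeader.Builder headerBuilder = new JWSHeader.Builder(selectJwsAlgorithm(remoteService))
                .customParam(APPIAN_SITE_ID, siteId)
                .customParam(APPIAN_CUSTOMER_ID, customerId)
                .customParam(APPIAN_SERVER_ID, serverId)
                .customParam(SCOPES, String.join(" ", strArr));

        JWTClaimsSet.Builder claimsBuilder = new JWTClaimsSet.Builder()
                .subject(userUuid)
                .audience(audience)
                .issuer(this.issuerSupplier.get())
                .notBeforeTime(Date.from(now))
                .expirationTime(expiresAt)
                .claim(IS_APPIAN_ADMIN, Boolean.valueOf(securityContext.isSysAdmin()))
                .claim(IS_APPIAN_DESIGNER, Boolean.valueOf(securityContext.getMemberGroupUuids().contains(Constants.UUID_GROUP_ROLE_DESIGNERS)))
                .claim(APPIAN_GROUPS, groupsBitmapValue)
                .claim(APPIAN_GROUPS_CLAIM_FORMAT, GROUPS_BITMAP_FORMAT)
                .claim(APPIAN_API_BUNDLE, getJSApi())
                .claim(APPIAN_SITE_ID, siteId)
                .claim(APPIAN_CUSTOMER_ID, customerId)
                .claim(APPIAN_SERVER_ID, serverId)
                // NOTE(review): raw bytes are decoded as UTF-8, and String replaces any byte
                // sequence that is not valid UTF-8, so the bitmap may not round-trip. The wire
                // format is left unchanged here; confirm what consumers expect.
                .claim(CLIENT_CAPABILITIES_BITMAP, new String(remoteService.getLcpCapabilities().toByteArray(), StandardCharsets.UTF_8));
        if (userScoped) {
            claimsBuilder.claim(CSRF, getCsrf(str));
        }
        claimsBuilder
                .claim(APPIAN_USER_FULL_NAME, securityContext.getName())
                .claim(APPIAN_USER_LOCALE, (serviceContext == null || serviceContext.getLocale() == null) ? Locale.US.toString() : serviceContext.getLocale().toString())
                .claim(APPIAN_USER_IS_RTL, serviceContext != null && I18nUtils.isRtl(serviceContext.getLocale()))
                .claim(APPIAN_USER_THEME_DATA, jSONObject.toString())
                .claim(APPIAN_USER_CALENDAR, serviceContext == null ? "" : serviceContext.getCalendarID())
                .claim(APPIAN_USER_TIMEZONE, (serviceContext == null || serviceContext.getTimeZone() == null) ? "" : serviceContext.getTimeZone().getID());

        remoteService.jwtKeyId().ifPresent(headerBuilder::keyID);

        SignedJWT signedJWT = new SignedJWT(headerBuilder.build(), claimsBuilder.build());
        try {
            signedJWT.sign(selectJwsSigner(remoteService));
            return signedJWT.serialize();
        } catch (JOSEException e) {
            // Only the service key and the exception are logged; the token contents are not.
            LOG.error("Unable to sign JWT for remote service {}", remoteService.getKey(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the CSRF value to embed in the token.
     *
     * <p>A non-blank caller value is used verbatim; this method does not validate it. Otherwise
     * a fresh {@link UUID#randomUUID()} is generated, which the JDK documents as coming from a
     * cryptographically strong pseudo random number generator.
     */
    private static String getCsrf(String str) {
        if (StringUtils.isBlank(str)) {
            return String.valueOf(UUID.randomUUID());
        }
        return str;
    }

    /**
     * Encodes the user's group ids as {@code Base64(GZIP(bitmap))}, where bit {@code i} is set
     * when the user is a member of group id {@code i}.
     *
     * <p>When {@link #REDUCE_JWT_FEATURE_TOGGLE_KEY} is enabled the membership is narrowed to
     * the groups referenced by objects of the given type, or to the empty set when no type is
     * given.
     *
     * @param optional object type used for narrowing
     * @return standard (padded) Base64 of the gzip-compressed, little-endian bitmap bytes
     */
    private String getGroupsBitmapValue(Optional<IaType> optional) {
        Set<Long> memberGroups = this.extendedGroupService.getCachedCredentials().mo77getMemberGroups();
        if (this.featureToggleClient.isFeatureEnabled(REDUCE_JWT_FEATURE_TOGGLE_KEY)) {
            if (optional.isPresent()) {
                // Narrow a copy: the set comes from cached credentials, and it is not visible
                // here whether a private copy is handed out, so it must not be shrunk in place.
                Set<Long> referencedOnly = new HashSet<>(memberGroups);
                referencedOnly.retainAll(this.rdoSearchService.getReferencedGroupIds(this.rdoSearchService.getTypedUuids(optional.get())));
                memberGroups = referencedOnly;
            } else {
                memberGroups = Collections.emptySet();
            }
        }
        // NOTE(review): Long.intValue() truncates silently, so an id above Integer.MAX_VALUE
        // would alias another group's bit (or turn negative and make BitSet throw). Confirm
        // that group ids are bounded to the int range.
        List<Integer> sortedIds = memberGroups.stream().map(Long::intValue).sorted().collect(Collectors.toList());
        // The list is sorted ascending, so the last element is the highest bit index needed.
        BitSet bitSet = new BitSet(sortedIds.isEmpty() ? 0 : sortedIds.get(sortedIds.size() - 1));
        for (Integer groupId : sortedIds) {
            bitSet.set(groupId);
        }
        byte[] bitmapBytes = bitSet.toByteArray();
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        // syncFlush=true plus the explicit flush() are kept so the compressed bytes stay the
        // same as before; try-with-resources closes the stream on the error path as well.
        try (GZIPOutputStream gzip = new GZIPOutputStream(buffer, true)) {
            gzip.write(bitmapBytes, 0, bitmapBytes.length);
            gzip.flush();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return Base64.getEncoder().encodeToString(buffer.toByteArray());
    }

    /**
     * Picks the JWS algorithm for {@code remoteService}, using the service's own selector when
     * it provides one and {@link #jwtSignerSelector} otherwise.
     *
     * <p>NOTE(review): the algorithm and the signer are resolved by two separate calls to
     * {@code customJwtSigningAlgorithmSelector()}; this presumes both calls yield the same
     * selector, so that header algorithm and signer agree. Verify against RemoteService.
     */
    public JWSAlgorithm selectJwsAlgorithm(RemoteService remoteService) {
        return remoteService.customJwtSigningAlgorithmSelector()
                .orElse(this.jwtSignerSelector)
                .selectAlgorithm(remoteService);
    }

    /**
     * Picks the JWS signer for {@code remoteService}, using the service's own selector when it
     * provides one and {@link #jwtSignerSelector} otherwise.
     */
    public JWSSigner selectJwsSigner(RemoteService remoteService) {
        return remoteService.customJwtSigningAlgorithmSelector()
                .orElse(this.jwtSignerSelector)
                .selectSigner(remoteService);
    }

    /**
     * Builds the URL of the remote interface API script under the configured base URI.
     *
     * <p>With a non-empty React hash the hash-suffixed {@code .cache.js} file is referenced,
     * otherwise the {@code .nocache.js} file.
     */
    private String getJSApi() {
        String reactHash = ReactHashUtils.getReactHash(false);
        String suffix = Strings.isNullOrEmpty(reactHash) ? ".nocache.js" : "-" + reactHash + ".cache.js";
        return this.baseUriSupplier.get() + "/tempo/ui/sail-client/remote_interface_api" + suffix;
    }

    /** Returns the site id override when one is configured, else the deployment's site id. */
    private int getSiteId() {
        return this.remoteDesignObjectConfig.getSiteIdOverride().orElse(Integer.valueOf(this.deploymentEnvConfig.getSiteId())).intValue();
    }
}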
