package com.appiancorp.oauth.inbound.authserver.tokens;

import com.appiancorp.common.monitoring.ProductMetricsAggregatedDataCollector;
import com.appiancorp.features.FeatureToggleClient;
import com.appiancorp.oauth.inbound.OAuthUserService;
import com.appiancorp.oauth.inbound.SuiteConfigurationAdapter;
import com.appiancorp.oauth.inbound.authserver.GrantedAuthorization;
import com.appiancorp.oauth.inbound.authserver.OAuthGroupServiceHelper;
import com.appiancorp.oauth.inbound.authserver.OAuthSiteEnvironmentService;
import com.appiancorp.oauth.inbound.authserver.clients.pm.ProcessMiningFrontEndClientConfig;
import com.appiancorp.oauth.inbound.authserver.exceptions.AccessTokenGenerationException;
import com.appiancorp.oauth.inbound.authserver.exceptions.GroupsSizeLimitException;
import com.google.common.annotations.VisibleForTesting;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.token.AccessTokenType;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.BitSet;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.zip.GZIPOutputStream;
import org.apache.commons.lang.time.DateUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/oauth/inbound/authserver/tokens/AccessTokenFactoryImpl.class */
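/**
 * Builds RS256-signed JWT access tokens for the Process Mining front-end client.
 *
 * <p>Security notes for readers and for services that consume these tokens:
 * <ul>
 *   <li>The token is signed (JWS), not encrypted. Every claim, including the role, the
 *       admin flag and the group bitmap, is readable by any party that holds the token.</li>
 *   <li>{@code roles}, {@code appian_is_admin}, {@code appian_groups} and {@code is_system}
 *       drive authorization downstream, so a consumer should verify the signature and check
 *       {@code iss}, {@code aud} and {@code exp} before acting on any of them.</li>
 *   <li>Group membership is a snapshot taken at issue time; it stays in the token until
 *       the token expires.</li>
 * </ul>
 */
public class AccessTokenFactoryImpl implements TokenFactory<JWTClaimsSet> {
    private static final Logger LOG = LoggerFactory.getLogger(AccessTokenFactoryImpl.class);
    public static final String LOCALE_CLAIM_KEY = "locale";
    public static final String APPIAN_SITE_ID_CLAIM_KEY = "appian_site_id";
    public static final String CUSTOMER_ID_CLAIM_KEY = "customer_id";
    public static final String ROLES_CLAIM_KEY = "roles";
    public static final String TYPE_CLAIM_KEY = "typ";
    public static final String APPIAN_IS_ADMIN_CLAIM_KEY = "appian_is_admin";
    public static final String APPIAN_GROUPS_CLAIM_KEY = "appian_groups";
    public static final String APPIAN_GROUPS_FORMAT_CLAIM_KEY = "appian_groups_format";
    public static final String IS_S2S = "is_system";
    public static final String GROUPS_BITMAP_FORMAT = "BITMAP";
    public static final String SYSTEM_GROUP_IDS = "system_group_ids";
    // Upper bound on the serialized token, measured in UTF-8 bytes.
    // NOTE(review): presumably chosen to stay under an HTTP header size limit; confirm.
    private static final int JWT_SIZE_LIMIT_IN_BYTES = 7000;
    // NOTE(review): both keys read "processingMining", not "processMining". They are runtime
    // metric names, so they are kept exactly as shipped.
    public static final String PRODUCT_METRICS_GROUP_IDS_COUNT = "processingMining.jwt.groupIdCount";
    public static final String PRODUCT_METRICS_GROUP_IDS_EXCEEDS_LIMIT_COUNT = "processingMining.jwt.groupIdLimitExceeded";
    // Toggle that adds the admin flag and group claims and enables the size check.
    private static final String ADVANCED_ROLE_MAPS_FEATURE = "ae.iam.advanced-role-maps-for-process-mining";
    private final OAuthSiteEnvironmentService siteEnvironmentService;
    private final ProcessMiningFrontEndClientConfig frontEndClientConfig;
    private final SuiteConfigurationAdapter suiteConfiguration;
    private final OAuthUserService userService;
    private final OAuthGroupServiceHelper oAuthGroupServiceHelper;
    private final FeatureToggleClient featureToggleClient;

    /**
     * Stores the collaborators used to assemble and sign a token. No validation is done here.
     */
    public AccessTokenFactoryImpl(OAuthSiteEnvironmentService oAuthSiteEnvironmentService, ProcessMiningFrontEndClientConfig processMiningFrontEndClientConfig, SuiteConfigurationAdapter suiteConfigurationAdapter, OAuthUserService oAuthUserService, OAuthGroupServiceHelper oAuthGroupServiceHelper, FeatureToggleClient featureToggleClient) {
        this.siteEnvironmentService = oAuthSiteEnvironmentService;
        this.frontEndClientConfig = processMiningFrontEndClientConfig;
        this.suiteConfiguration = suiteConfigurationAdapter;
        this.userService = oAuthUserService;
        this.oAuthGroupServiceHelper = oAuthGroupServiceHelper;
        this.featureToggleClient = featureToggleClient;
    }

    /**
     * Creates and signs an access token for the user named in {@code grantedAuthorization}.
     *
     * <p>The subject is the user UUID. The token always carries the standard claims
     * ({@code jti}, {@code aud}, {@code exp}, {@code iat}, {@code iss}, {@code sub}) plus
     * locale, site id, customer id, a single role, token type and the system-to-system flag.
     * When the advanced-role-maps feature is enabled it also carries the admin flag, the
     * group bitmap, its format and the Process Mining system group ids, and the serialized
     * token is then rejected if it reaches {@value #JWT_SIZE_LIMIT_IN_BYTES} bytes.
     *
     * @param str passed unchanged as the third constructor argument of
     *     {@link AppianAccessToken}; its meaning is not visible in this class
     * @param grantedAuthorization source of the user UUID and the system-to-system flag
     * @return the signed token, or {@link Optional#empty()} when any step other than the
     *     size check fails (the failure is logged with the user UUID)
     * @throws GroupsSizeLimitException if the feature is enabled and the serialized token
     *     is at or above the size limit
     */
    public Optional<Token<JWTClaimsSet>> generateToken(String str, GrantedAuthorization grantedAuthorization) throws GroupsSizeLimitException {
        String userUuid = grantedAuthorization.getUserUuid();
        try {
            RSASSASigner signer = new RSASSASigner(this.siteEnvironmentService.getPrivateKey());
            String audience = this.frontEndClientConfig.getAudience();
            String username = this.userService.getUsernameFromUuidAsAdmin(userUuid);
            int lifetimeInSecs = this.frontEndClientConfig.getAccessTokenExpirationInSecs();
            Date issuedAt = Date.from(Instant.now());
            Optional<String> role = this.oAuthGroupServiceHelper.getRole(username);
            if (!role.isPresent()) {
                // Fail closed: a user without a Process Mining role gets no token.
                // Presumably this lands in the generic catch below and becomes Optional.empty().
                throw new AccessTokenGenerationException(String.format("No Process Mining role was found for user %s", username));
            }
            // Read the toggle once so the claims written below and the size check further
            // down cannot disagree if the toggle flips while this request is in flight.
            boolean advancedRoleMaps = this.featureToggleClient.isFeatureEnabled(ADVANCED_ROLE_MAPS_FEATURE);

            JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder()
                .jwtID(UUID.randomUUID().toString())
                .audience(audience)
                .expirationTime(DateUtils.addSeconds(issuedAt, lifetimeInSecs))
                .issueTime(issuedAt)
                .issuer(this.suiteConfiguration.getBaseUri())
                .subject(userUuid)
                .claim(LOCALE_CLAIM_KEY, this.userService.getUserLocale(username).toString())
                .claim(APPIAN_SITE_ID_CLAIM_KEY, Integer.valueOf(this.siteEnvironmentService.getSiteId()))
                .claim(CUSTOMER_ID_CLAIM_KEY, Integer.valueOf(this.siteEnvironmentService.getCustomerId()))
                .claim(ROLES_CLAIM_KEY, Arrays.asList(role.get()))
                .claim(TYPE_CLAIM_KEY, AccessTokenType.BEARER.getValue())
                .claim(IS_S2S, Boolean.valueOf(grantedAuthorization.isAuthorizationForSystemToSystem()));
            if (advancedRoleMaps) {
                claims.claim(APPIAN_IS_ADMIN_CLAIM_KEY, Boolean.valueOf(this.userService.isSysAdmin(username)));
                claims.claim(APPIAN_GROUPS_CLAIM_KEY, getGroupsBitmapValue(username));
                claims.claim(APPIAN_GROUPS_FORMAT_CLAIM_KEY, GROUPS_BITMAP_FORMAT);
                claims.claim(SYSTEM_GROUP_IDS, this.oAuthGroupServiceHelper.getProcessMiningSystemGroupsIds());
            }

            JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).type(JOSEObjectType.JWT).build();
            SignedJWT signedJwt = new SignedJWT(header, claims.build());
            signedJwt.sign(signer);
            AppianAccessToken accessToken = new AppianAccessToken(signedJwt.serialize(), signedJwt.getJWTClaimsSet(), str);

            if (advancedRoleMaps) {
                int tokenSizeInBytes = accessToken.getStringValue().getBytes(StandardCharsets.UTF_8).length;
                int groupCount = this.oAuthGroupServiceHelper.getMemberGroups(username).size();
                if (tokenSizeInBytes >= JWT_SIZE_LIMIT_IN_BYTES) {
                    // The oversized token is dropped here and never reaches the caller.
                    LOG.error("JWT Token size {} Bytes is larger than {} Bytes limit. User {} may be in too many groups to use Process Mining", tokenSizeInBytes, JWT_SIZE_LIMIT_IN_BYTES, username);
                    ProductMetricsAggregatedDataCollector.recordDataWithCount(PRODUCT_METRICS_GROUP_IDS_EXCEEDS_LIMIT_COUNT, groupCount);
                    throw new GroupsSizeLimitException();
                }
                ProductMetricsAggregatedDataCollector.recordDataWithCount(PRODUCT_METRICS_GROUP_IDS_COUNT, groupCount);
            }
            return Optional.of(accessToken);
        } catch (GroupsSizeLimitException e) {
            // The only failure callers are meant to tell apart; keep it out of the generic handler.
            throw e;
        } catch (Exception e) {
            // Signing, lookup and encoding failures all collapse to "no token". The log line
            // carries the user UUID and the exception, never the token itself.
            LOG.error("Failed to create access token for user uuid: {}", userUuid, e);
            return Optional.empty();
        }
    }

    /**
     * Not supported: this factory only issues tokens.
     *
     * @throws UnsupportedOperationException always
     */
    public Token<JWTClaimsSet> parse(String str) {
        throw new UnsupportedOperationException();
    }

    /**
     * Encodes the user's group memberships as a compact bitmap string.
     *
     * <p>Bit {@code i} is set when the user is a member of the group whose id, narrowed with
     * {@code intValue()}, is {@code i}. The bitmap bytes from {@link BitSet#toByteArray()}
     * are GZIP-compressed and then Base64-encoded. This is an encoding only: anyone holding
     * the token can decode it and read the group ids.
     *
     * @param str username whose member groups are looked up
     * @return Base64 text of the GZIP-compressed bitmap
     * @throws RuntimeException wrapping the {@link IOException} if compression fails
     */
    @VisibleForTesting
    protected String getGroupsBitmapValue(String str) {
        List<Integer> sortedGroupIds = this.oAuthGroupServiceHelper.getMemberGroups(str).stream()
            .map(groupId -> groupId.intValue())
            .sorted()
            .collect(Collectors.toList());
        // Size hint only: the largest id is last after sorting and the BitSet grows on demand.
        // NOTE(review): assumes group ids are non-negative; a negative id makes BitSet throw.
        BitSet bitSet = new BitSet(sortedGroupIds.isEmpty() ? 0 : sortedGroupIds.get(sortedGroupIds.size() - 1));
        sortedGroupIds.forEach(bitSet::set);
        byte[] bitmapBytes = bitSet.toByteArray();
        try (ByteArrayOutputStream compressed = new ByteArrayOutputStream()) {
            // The GZIP stream must be closed before the buffer is read so the trailer is written.
            try (GZIPOutputStream gzip = new GZIPOutputStream(compressed, true)) {
                gzip.write(bitmapBytes, 0, bitmapBytes.length);
                gzip.flush();
            }
            return Base64.getEncoder().encodeToString(compressed.toByteArray());
        } catch (IOException e) {
            LOG.error("Failed to create groups bitmap for user: {}", str, e);
            throw new RuntimeException("Failed to create groups bitmap for user", e);
        }
    }
}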
