package com.atlassian.jira.security.jwt;

import com.atlassian.annotations.VisibleForTesting;
import com.atlassian.jira.config.properties.ApplicationProperties;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Date;
import java.util.Objects;
import java.util.function.Supplier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/jira/security/jwt/ImageAttachmentJwtTokenService.class */
public class ImageAttachmentJwtTokenService {

    @VisibleForTesting
    public static final long TOKENS_DISABLED = 0;

    @VisibleForTesting
    public static final long DEFAULT_TOKENS_EXPIRY_SEVEN_DAYS_IN_HOURS = 168;
    private static final Logger logger = LoggerFactory.getLogger(ImageAttachmentJwtTokenService.class);
    private final ImageAttachmentJwtSecretKeyService imageAttachmentJwtSecretKeyService;
    private final ApplicationProperties applicationProperties;
    private final Supplier<Long> currentTimeSecondsProvider;
    private static final String ABSOLUTE_REQUEST_URL_PARAMETER_NAME = "absRequestUrl";

    public ImageAttachmentJwtTokenService(ImageAttachmentJwtSecretKeyService imageAttachmentJwtSecretKeyService, ApplicationProperties applicationProperties) {
        this(imageAttachmentJwtSecretKeyService, applicationProperties, () -> {
            return Long.valueOf(System.currentTimeMillis() / 1000);
        });
    }

    @VisibleForTesting
    protected ImageAttachmentJwtTokenService(ImageAttachmentJwtSecretKeyService imageAttachmentJwtSecretKeyService, ApplicationProperties applicationProperties, Supplier<Long> supplier) {
        this.imageAttachmentJwtSecretKeyService = (ImageAttachmentJwtSecretKeyService) Objects.requireNonNull(imageAttachmentJwtSecretKeyService);
        this.applicationProperties = (ApplicationProperties) Objects.requireNonNull(applicationProperties);
        this.currentTimeSecondsProvider = (Supplier) Objects.requireNonNull(supplier);
    }

    private SignedJWT getVerifiedAndSignedJwtFrom(String str) throws JOSEException, ImageAttachmentJwtGenerateSecretException, ParseException, ImageAttachmentJwtSecurityException {
        SignedJWT parse = SignedJWT.parse(str);
        if (parse.verify(new MACVerifier(this.imageAttachmentJwtSecretKeyService.generateOrGetSecretKey()))) {
            return parse;
        }
        throw new ImageAttachmentJwtSecurityException("Token was not verified with success");
    }

    private ImageAttachmentJwtToken signedJwtToImageAttachmentJwtToken(SignedJWT signedJWT) throws ParseException {
        JWTClaimsSet jWTClaimsSet = signedJWT.getJWTClaimsSet();
        long time = jWTClaimsSet.getExpirationTime().getTime();
        long time2 = jWTClaimsSet.getIssueTime().getTime();
        return new ImageAttachmentJwtTokenBuilder().setAbsoluteRequestUrl(jWTClaimsSet.getStringClaim(ABSOLUTE_REQUEST_URL_PARAMETER_NAME)).setUserName(jWTClaimsSet.getSubject()).setIsTokenValid(this.currentTimeSecondsProvider.get().longValue() * 1000 < time).setCreatedAtMillis(Long.valueOf(time2)).build();
    }

    public ImageAttachmentJwtToken parseToken(String str) throws ImageAttachmentJwtParseException, ImageAttachmentJwtGenerateSecretException, ImageAttachmentJwtSecurityException {
        try {
            return signedJwtToImageAttachmentJwtToken(getVerifiedAndSignedJwtFrom(str));
        } catch (ImageAttachmentJwtGenerateSecretException e) {
            logger.warn("Could not create secret for generating jwtToken", e);
            throw e;
        } catch (ImageAttachmentJwtSecurityException e2) {
            logger.warn("Could not verify jwtToken", e2);
            throw e2;
        } catch (ParseException e3) {
            logger.warn("Could not parse jwtToken", e3);
            throw new ImageAttachmentJwtParseException(e3.getMessage());
        } catch (Exception e4) {
            throw new ImageAttachmentJwtParseException(e4);
        } catch (JOSEException e5) {
            logger.warn("Could not verify jwtToken", e5);
            throw new ImageAttachmentJwtSecurityException(e5.getMessage());
        }
    }

    public String generateToken(ImageAttachmentJwtTokenGenerateParams imageAttachmentJwtTokenGenerateParams) throws ImageAttachmentJwtGenerateSecretException {
        try {
            MACSigner mACSigner = new MACSigner(this.imageAttachmentJwtSecretKeyService.generateOrGetSecretKey());
            long longValue = this.currentTimeSecondsProvider.get().longValue() * 1000;
            SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), new JWTClaimsSet.Builder().subject(imageAttachmentJwtTokenGenerateParams.getUserName()).expirationTime(new Date(longValue + (imageAttachmentJwtTokenGenerateParams.getHowManySecondsValid().longValue() * 1000))).issueTime(new Date(longValue)).claim(ABSOLUTE_REQUEST_URL_PARAMETER_NAME, imageAttachmentJwtTokenGenerateParams.getAbsoluteRequestUrl()).build());
            signedJWT.sign(mACSigner);
            return signedJWT.serialize();
        } catch (Exception e) {
            throw new ImageAttachmentJwtGenerateSecretException(e);
        }
    }

    public boolean isImageAttachmentJwtTokenEnabled() {
        return getTokenExpiryHours().longValue() > 0;
    }

    public Long getTokenExpiryHours() {
        String string = this.applicationProperties.getString("jira.security.image.attachment.jwt.tokens.expiry.hours");
        if (string == null) {
            return 168L;
        }
        try {
            return Long.valueOf(string);
        } catch (NumberFormatException e) {
            logger.error("Invalid value of property named %s=%s, integer expected", "jira.security.image.attachment.jwt.tokens.expiry.hours", string);
            return 0L;
        }
    }
}
