package org.eclipse.scout.rt.shared.servicetunnel.http;

import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.Principal;
import javax.security.auth.Subject;
import org.eclipse.scout.rt.platform.ApplicationScoped;
import org.eclipse.scout.rt.platform.BEANS;
import org.eclipse.scout.rt.platform.config.CONFIG;
import org.eclipse.scout.rt.platform.security.JwtPrincipal;
import org.eclipse.scout.rt.platform.security.SamlPrincipal;
import org.eclipse.scout.rt.platform.security.SecurityUtility;
import org.eclipse.scout.rt.platform.util.StringUtility;
import org.eclipse.scout.rt.security.IAccessControlService;
import org.eclipse.scout.rt.shared.SharedConfigProperties;

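/**
 * Creates and signs {@link DefaultAuthToken} instances for the HTTP service tunnel.
 *
 * <p>Signing is active only while a private key is configured via
 * {@code SharedConfigProperties.AuthTokenPrivateKeyProperty}; see {@link #isEnabled()}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>This class only signs. Nothing here encrypts the token, so the signature provides integrity
 * but not confidentiality for the token content.</li>
 * <li>{@link #appendCustomArgs(DefaultAuthToken)} copies the caller's JWT string, access token and
 * refresh token into the token. The serialized token must therefore be handled like a credential:
 * send it only over TLS and keep it out of logs and error messages.</li>
 * <li>{@link #sign(DefaultAuthToken)} returns an <em>unsigned</em> token when no private key is
 * configured. Verification is not part of this class; the receiving side must reject tokens
 * without a valid signature.</li>
 * </ul>
 */
@ApplicationScoped
public class DefaultAuthTokenSigner {
    /** Marker stored as the first custom argument when the current principal is a {@link JwtPrincipal}. */
    public static final String JWT_IDENTIFIER = "jwt";
    /** Marker stored as the first custom argument when the current principal is a {@link SamlPrincipal}. */
    public static final String SAML_IDENTIFIER = "saml";

    /**
     * @return the configured token lifetime that {@link #sign(DefaultAuthToken)} adds to the current
     *         time; presumably milliseconds, since it is added to {@code System.currentTimeMillis()}
     */
    protected long getTokenTimeToLive() {
        return ((Long) CONFIG.getPropertyValue(SharedConfigProperties.AuthTokenTimeToLiveProperty.class)).longValue();
    }

    /**
     * @return the configured private key bytes used for signing, or {@code null} when none is configured.
     *         The array is key material: do not log it or hand it to code outside the signing path.
     */
    protected byte[] getPrivateKey() {
        return (byte[]) CONFIG.getPropertyValue(SharedConfigProperties.AuthTokenPrivateKeyProperty.class);
    }

    /**
     * @return the user id of the current subject as reported by {@link IAccessControlService}
     */
    protected String getDefaultUserId() {
        return ((IAccessControlService) BEANS.get(IAccessControlService.class)).getUserIdOfCurrentSubject();
    }

    /**
     * @return {@code true} when a private key is configured, i.e. tokens can be signed
     */
    public boolean isEnabled() {
        return getPrivateKey() != null;
    }

    /**
     * Creates a token of the given bean class for the current subject and signs it.
     *
     * @param cls
     *          token bean class to instantiate via {@link BEANS}
     * @return the signed token, or {@code null} when signing is disabled or the current subject has no
     *         user id. Callers must treat {@code null} as "no token", not as an anonymous token.
     */
    public <T extends DefaultAuthToken> T createDefaultSignedToken(Class<T> cls) {
        if (!isEnabled()) {
            return null;
        }
        String defaultUserId = getDefaultUserId();
        if (StringUtility.isNullOrEmpty(defaultUserId)) {
            return null;
        }
        // Keep the bean typed as T so that no unchecked cast is needed on return.
        T token = BEANS.get(cls);
        token.withUserId(defaultUserId);
        // Custom args are added before sign() so that they are part of the signed content
        // (assuming write(false) serializes them -- confirm in DefaultAuthToken).
        appendCustomArgs(token);
        return sign(token);
    }

    /**
     * Adds identity-provider specific arguments of the current principal to the token.
     *
     * <p>For a {@link JwtPrincipal} this embeds the raw JWT string, the access token and the refresh
     * token; for a {@link SamlPrincipal} the session index. These values are bearer credentials or
     * session identifiers and are not encrypted by this class.
     *
     * @param defaultAuthToken
     *          token to enrich; left unchanged when the principal is of neither type or absent
     */
    protected void appendCustomArgs(DefaultAuthToken defaultAuthToken) {
        // The local must be typed as Principal: selectUserPrincipal() returns Principal, and typing it
        // as JwtPrincipal neither compiles nor allows the SamlPrincipal branch to be reached.
        Principal principal = selectUserPrincipal();
        if (principal instanceof JwtPrincipal) {
            JwtPrincipal jwtPrincipal = (JwtPrincipal) principal;
            defaultAuthToken.withCustomArgs(JWT_IDENTIFIER, jwtPrincipal.getJwtTokenString(), jwtPrincipal.getAccessToken(), jwtPrincipal.getRefreshToken());
        } else if (principal instanceof SamlPrincipal) {
            SamlPrincipal samlPrincipal = (SamlPrincipal) principal;
            defaultAuthToken.withCustomArgs(SAML_IDENTIFIER, samlPrincipal.getSessionIndex());
        }
    }

    /**
     * Picks the principal whose attributes are copied into the token.
     *
     * @return the first principal of the current {@link Subject}, or {@code null} when there is no
     *         subject or it has no principals
     */
    protected Principal selectUserPrincipal() {
        // NOTE(review): Subject.getSubject(AccessControlContext) and AccessController are deprecated
        // for removal since Java 17; revisit when the target Java version is raised.
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return null;
        }
        // Only the first principal is considered. If a subject can carry several principals, which one
        // comes first depends on the iteration order of the principal set -- confirm that the login
        // path adds exactly one, or override this method to select by type.
        return subject.getPrincipals().stream().findFirst().orElse(null);
    }

    /**
     * Sets the expiry of the token and, when signing is enabled, attaches the signature.
     *
     * @param t
     *          token to finalize; modified in place
     * @return the same token instance. When no private key is configured the token carries an expiry
     *         but no signature; it must not be accepted as authenticated by the receiver.
     */
    public <T extends DefaultAuthToken> T sign(T t) {
        // The expiry is set before signing so that it is covered by the signature.
        t.withValidUntil(System.currentTimeMillis() + getTokenTimeToLive());
        if (isEnabled()) {
            t.withSignature(signature(t));
        }
        return t;
    }

    /**
     * Computes the signature over the UTF-8 bytes of the token's serialized form.
     *
     * @param defaultAuthToken
     *          token to sign
     * @return signature bytes produced by {@link SecurityUtility#createSignature}
     */
    protected byte[] signature(DefaultAuthToken defaultAuthToken) {
        // write(false) presumably serializes the token without its signature field -- confirm in
        // DefaultAuthToken; the verifier has to serialize the same way.
        byte[] payload = defaultAuthToken.write(false).getBytes(StandardCharsets.UTF_8);
        return SecurityUtility.createSignature(getPrivateKey(), payload);
    }
}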
