package com.kcloud.ms.authentication.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Base64;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.commons.lang3.RandomStringUtils;
import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.common.util.JsonParser;
import org.springframework.security.oauth2.common.util.JsonParserFactory;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.util.Assert;

/* loaded from: input_file:com/kcloud/ms/authentication/jwt/CustomeJwtAccessTokenConverter.class */
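/**
 * {@link JwtAccessTokenConverter} variant that signs tokens as RS256 JWS objects with Nimbus
 * JOSE and verifies them against the public half of the same {@link KeyPair}.
 *
 * <p>{@link #encode} and {@link #decode} are both overridden, so tokens produced or checked by
 * this class go through the Nimbus signer/verifier built here rather than through the
 * signer/verifier held by the parent class.
 *
 * <p>{@link #decode} checks the signature only. It does not inspect {@code exp} or any other
 * claim, so expiry has to be enforced by whoever consumes the returned claims.
 */
public class CustomeJwtAccessTokenConverter extends JwtAccessTokenConverter {
    private final KeyPair keyPair;
    private final JWSSigner signer;
    private final JWSHeader header;
    // PEM-style rendering of the public key, handed out by getKey().
    private final String verifierKey;
    // Never assigned in this class; decode() builds its own Nimbus verifier instead.
    private SignatureVerifier verifier;
    private final JsonParser objectMapper = JsonParserFactory.create();
    // 32 random digits. Not referenced elsewhere in this class (it is not written to the JWS
    // header); treat it as an identifier, not as a secret.
    private final String keyId = RandomStringUtils.random(32, false, true);

    /**
     * Returns the verification key description published to resource servers.
     *
     * @return a map with {@code alg} set to the RS256 algorithm name and {@code value} set to
     *     the PEM-style public key; the private key is never included
     */
    @Override
    public Map<String, String> getKey() {
        Map<String, String> key = new LinkedHashMap<>();
        key.put("alg", JWSAlgorithm.RS256.getName());
        key.put("value", this.verifierKey);
        return key;
    }

    /**
     * Builds a converter that signs with the private key of {@code keyPair} and verifies with
     * its public key.
     *
     * @param keyPair RSA key pair; both halves must be RSA keys
     * @throws IllegalArgumentException if {@code keyPair} is {@code null}
     * @throws IllegalStateException if either half of the pair is not an RSA key
     */
    public CustomeJwtAccessTokenConverter(KeyPair keyPair) {
        Assert.notNull(keyPair, "KeyPair must not be null");
        this.keyPair = keyPair;
        PrivateKey privateKey = keyPair.getPrivate();
        Assert.state(privateKey instanceof RSAPrivateKey, "KeyPair must be an RSA ");
        // Check the public half as well: it is cast to RSAPublicKey here and again on every
        // decode(), and a mismatched pair should fail at construction time, not at first use.
        Assert.state(keyPair.getPublic() instanceof RSAPublicKey, "KeyPair must be an RSA ");
        this.signer = new RSASSASigner((RSAPrivateKey) privateKey);
        this.header = new JWSHeader.Builder(JWSAlgorithm.RS256).build();
        // encodeToString avoids the platform-charset round trip of new String(byte[]).
        // The Base64 body is emitted as one unwrapped line between the PEM markers.
        this.verifierKey = "-----BEGIN PUBLIC KEY-----\n"
                + Base64.getEncoder().encodeToString(((RSAPublicKey) keyPair.getPublic()).getEncoded())
                + "\n-----END PUBLIC KEY-----";
    }

    /**
     * Replaces the value of the access token, and of its refresh token when present, with
     * signed JWTs.
     *
     * <p>The access token keeps an existing {@code jti} or receives its current value as
     * {@code jti}. The refresh token is re-encoded with its own {@code jti} and an {@code ati}
     * claim that carries the access token's {@code jti}.
     *
     * @param oAuth2AccessToken the token to enhance; it is copied, not modified
     * @param oAuth2Authentication the authentication the token was issued for
     * @return a copy of the token whose value (and refresh token value) are signed JWTs
     * @throws InvalidTokenException if the refresh token parses as a JWS but its signature
     *     does not verify
     */
    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(oAuth2AccessToken);
        Map<String, Object> info = new LinkedHashMap<>(oAuth2AccessToken.getAdditionalInformation());
        String tokenId = result.getValue();
        if (info.containsKey("jti")) {
            tokenId = (String) info.get("jti");
        } else {
            info.put("jti", tokenId);
        }
        // getRefreshToken() may return a non-expiring token, so hold it by the base interface
        // and narrow only after the instanceof check below.
        OAuth2RefreshToken refreshToken = result.getRefreshToken();
        if (refreshToken != null) {
            DefaultOAuth2AccessToken encodedRefreshToken = new DefaultOAuth2AccessToken(oAuth2AccessToken);
            encodedRefreshToken.setValue(refreshToken.getValue());
            encodedRefreshToken.setExpiration((Date) null);
            try {
                Map<String, Object> claims = decode(refreshToken.getValue());
                if (claims.containsKey("jti")) {
                    encodedRefreshToken.setValue(claims.get("jti").toString());
                }
            } catch (IllegalArgumentException ignored) {
                // The refresh token is not a parseable JWS, so its raw value stays as the jti.
                // A parseable token whose signature fails is reported by decode() as
                // InvalidTokenException, which is deliberately not caught here.
            }
            Map<String, Object> refreshInfo = new LinkedHashMap<>(oAuth2AccessToken.getAdditionalInformation());
            refreshInfo.put("jti", encodedRefreshToken.getValue());
            refreshInfo.put("ati", tokenId);
            encodedRefreshToken.setAdditionalInformation(refreshInfo);
            DefaultOAuth2RefreshToken signedRefreshToken;
            if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
                Date expiration = ((ExpiringOAuth2RefreshToken) refreshToken).getExpiration();
                encodedRefreshToken.setExpiration(expiration);
                signedRefreshToken = new DefaultExpiringOAuth2RefreshToken(
                        encode(encodedRefreshToken, oAuth2Authentication), expiration);
            } else {
                signedRefreshToken = new DefaultOAuth2RefreshToken(encode(encodedRefreshToken, oAuth2Authentication));
            }
            result.setRefreshToken(signedRefreshToken);
        }
        result.setAdditionalInformation(info);
        result.setValue(encode(result, oAuth2Authentication));
        return result;
    }

    /**
     * Serializes the token's claims to JSON and signs them as a compact RS256 JWS.
     *
     * @param oAuth2AccessToken the token whose claims are encoded
     * @param oAuth2Authentication the authentication the token was issued for
     * @return the compact JWS serialization
     * @throws IllegalStateException if claim conversion or signing fails
     */
    @Override
    protected String encode(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
        try {
            Map<String, ?> claims = super.getAccessTokenConverter().convertAccessToken(oAuth2AccessToken, oAuth2Authentication);
            JWSObject jws = new JWSObject(this.header, new Payload(this.objectMapper.formatMap(claims)));
            jws.sign(this.signer);
            return jws.serialize();
        } catch (Exception e) {
            throw new IllegalStateException("Cannot convert access token to JSON", e);
        }
    }

    /**
     * Parses a compact JWS, verifies its signature and returns its claims.
     *
     * <p>The verifier is always built from this converter's own public key, so nothing in the
     * token header can select the verification key. No claim is validated here, including
     * {@code exp}.
     *
     * @param str the compact JWS string
     * @return the payload as a claim map
     * @throws InvalidTokenException if the signature does not verify or verification fails
     * @throws IllegalArgumentException if {@code str} is not a parseable JWS or its payload is
     *     not a JSON object
     */
    @Override
    protected Map<String, Object> decode(String str) {
        try {
            JWSObject jws = JWSObject.parse(str);
            if (!jws.verify(new RSASSAVerifier((RSAPublicKey) this.keyPair.getPublic()))) {
                // NOTE(review): the message says the token has expired, but this branch is a
                // signature mismatch. The text is left as is in case clients match on it.
                throw new InvalidTokenException("TOKEN已过期");
            }
            Map<String, Object> claims = jws.getPayload().toJSONObject();
            if (claims == null) {
                // A validly signed payload that is not a JSON object carries no claims;
                // report it like any other unparseable token instead of returning null.
                throw new IllegalArgumentException("Cannot convert access token to JSON");
            }
            return claims;
        } catch (JOSEException e) {
            // Keep the cause so the failing check is visible in server-side logs.
            throw new InvalidTokenException("token 签名验证失败", e);
        } catch (ParseException e) {
            throw new IllegalArgumentException("Cannot convert access token to JSON", e);
        }
    }
}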
