package org.apache.nifi.web.security.jwt;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.UnsupportedJwtException;
import java.nio.charset.StandardCharsets;
import java.util.Calendar;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.admin.service.KeyService;
import org.apache.nifi.key.Key;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/web/security/jwt/JwtService.class */
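/**
 * Issues and validates the HS256-signed JSON Web Tokens used as access tokens.
 *
 * <p>Signing keys are obtained from the injected {@link KeyService}. Each issued token carries the
 * id of its signing key in the {@code kid} claim, and validation looks the key up by that id.
 */
public class JwtService {
    private static final Logger logger = LoggerFactory.getLogger(JwtService.class);
    private static final SignatureAlgorithm SIGNATURE_ALGORITHM = SignatureAlgorithm.HS256;
    private static final String KEY_ID_CLAIM = "kid";
    private static final String USERNAME_CLAIM = "preferred_username";
    private final KeyService keyService;

    /**
     * @param keyService source of the signing keys; not validated here
     */
    public JwtService(KeyService keyService) {
        this.keyService = keyService;
    }

    /**
     * Validates a compact JWS and returns the identity stored in its subject claim.
     *
     * @param str the compact serialized token presented by the client
     * @return the non-empty subject of the token
     * @throws JwtException if the token cannot be parsed or verified, or if it lacks a subject or an issuer
     */
    public String getAuthenticationFromToken(String str) throws JwtException {
        try {
            final Jws<Claims> jws = parseTokenFromBase64EncodedString(str);
            if (jws == null) {
                throw new JwtException("Unable to parse token");
            }
            final Claims claims = jws.getBody();
            if (StringUtils.isEmpty(claims.getSubject())) {
                throw new JwtException("No subject available in token");
            }
            // NOTE(review): only the presence of an issuer is checked; neither the issuer value nor the
            // audience is compared with an expected value in this class - confirm that is intended.
            if (StringUtils.isEmpty(claims.getIssuer())) {
                throw new JwtException("No issuer available in token");
            }
            return claims.getSubject();
        } catch (JwtException e) {
            // The token itself is deliberately not logged, not even at debug level. It is a bearer
            // credential, and this path is also reached for transient key-service failures
            // (AdministrationException), when the rejected token may still be perfectly valid.
            String detail = e.getLocalizedMessage();
            if (e.getCause() != null) {
                detail = detail + "\n\tCaused by: " + e.getCause().getLocalizedMessage();
            }
            if (logger.isDebugEnabled()) {
                logger.error("There was an error validating the JWT", e);
            } else {
                logger.error("There was an error validating the JWT");
                logger.error(detail);
            }
            throw e;
        }
    }

    /**
     * Parses the token and verifies its signature with the key named by its {@code kid} claim.
     *
     * @param str the compact serialized token
     * @return the parsed token and its claims
     * @throws JwtException wrapping any parsing, signature, expiry or key-lookup failure
     */
    private Jws<Claims> parseTokenFromBase64EncodedString(String str) throws JwtException {
        try {
            return Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
                @Override
                public byte[] resolveSigningKeyBytes(JwsHeader jwsHeader, Claims claims) {
                    // The claims are not yet verified at this point: the subject and kid read here
                    // are still caller-controlled, and the subject ends up in the exception message
                    // (and therefore in the log) below.
                    final String subject = claims.getSubject();
                    final Integer keyId = claims.get(KEY_ID_CLAIM, Integer.class);
                    if (keyId == null) {
                        // Without this check a token lacking "kid" raised a NullPointerException that
                        // no handler in this class catches, instead of a JwtException.
                        throw new UnsupportedJwtException("Unable to determine signing key for " + subject + " [kid: null]");
                    }
                    // NOTE(review): the key is selected by kid alone; nothing in this class checks that
                    // the key belongs to the subject - confirm whether KeyService or the caller does.
                    final Key key = keyService.getKey(keyId.intValue());
                    if (key == null || key.getKey() == null) {
                        throw new UnsupportedJwtException("Unable to determine signing key for " + subject + " [kid: " + keyId + "]");
                    }
                    return key.getKey().getBytes(StandardCharsets.UTF_8);
                }
            }).parseClaimsJws(str);
        } catch (MalformedJwtException | UnsupportedJwtException | SignatureException | ExpiredJwtException | IllegalArgumentException | AdministrationException e) {
            throw new JwtException("Unable to validate the access token.", e);
        }
    }

    /**
     * Builds and signs a token for an authenticated login.
     *
     * <p>The subject is the principal, issuer and audience are both the login token's issuer, the
     * {@code preferred_username} claim is the login token's name, and the expiration is taken from
     * the login token in epoch milliseconds.
     *
     * @param loginAuthenticationToken the successful login to issue a token for
     * @return the compact serialized, signed token
     * @throws IllegalArgumentException if {@code loginAuthenticationToken} is null
     * @throws JwtException if the principal is empty or the signing key cannot be obtained
     */
    public String generateSignedToken(LoginAuthenticationToken loginAuthenticationToken) throws JwtException {
        if (loginAuthenticationToken == null) {
            throw new IllegalArgumentException("Cannot generate a JWT for a null authentication token");
        }
        final Calendar expiration = Calendar.getInstance();
        expiration.setTimeInMillis(loginAuthenticationToken.getExpiration());
        final Object principal = loginAuthenticationToken.getPrincipal();
        if (principal == null || StringUtils.isEmpty(principal.toString())) {
            final String message = "Cannot generate a JWT for a token with an empty identity issued by " + loginAuthenticationToken.getIssuer();
            logger.error(message);
            throw new JwtException(message);
        }
        final String identity = principal.toString();
        final String username = loginAuthenticationToken.getName();
        try {
            final Key key = this.keyService.getOrCreateKey(identity);
            // NOTE(review): the HMAC secret is the UTF-8 encoding of the stored key string, so its
            // strength depends on how KeyService generates that string - confirm it is random and
            // long enough for HS256.
            final byte[] keyBytes = key.getKey().getBytes(StandardCharsets.UTF_8);
            logger.trace("Generating JWT for {}", loginAuthenticationToken);
            return Jwts.builder()
                    .setSubject(identity)
                    .setIssuer(loginAuthenticationToken.getIssuer())
                    .setAudience(loginAuthenticationToken.getIssuer())
                    .claim(USERNAME_CLAIM, username)
                    .claim(KEY_ID_CLAIM, Integer.valueOf(key.getId()))
                    .setExpiration(expiration.getTime())
                    .setIssuedAt(Calendar.getInstance().getTime())
                    .signWith(SIGNATURE_ALGORITHM, keyBytes)
                    .compact();
        } catch (NullPointerException | AdministrationException e) {
            // NullPointerException is kept in the handler so that a missing key (or key string) still
            // surfaces to callers as a JwtException, as it always has.
            final String message = "Could not retrieve the signing key for JWT for " + identity;
            logger.error(message, e);
            throw new JwtException(message, e);
        }
    }

    /**
     * Logs a user out by deleting the key stored for their identity.
     *
     * @param str the identity of the user to log out
     * @throws JwtException if {@code str} is null or empty
     */
    public void logOut(String str) {
        if (str == null || str.isEmpty()) {
            throw new JwtException("Log out failed: The user identity was not present in the request token to log out user.");
        }
        try {
            // Presumably tokens signed with the deleted key can no longer be verified - confirm
            // against the KeyService implementation.
            this.keyService.deleteKey(str);
        } catch (Exception e) {
            // Keep the cause in the log; a failed delete means the key was not removed.
            logger.error("Unable to log out user: " + str + ". Failed to remove their token from database.", e);
            throw e;
        }
    }
}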
