package org.gorpipe.gor.auth;

import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import net.logstash.logback.argument.StructuredArguments;
import org.gorpipe.exceptions.GorSystemException;
import org.gorpipe.gor.auth.utils.OAuthHandler;
import org.gorpipe.gor.auth.utils.PlatformGorAuthCache;
import org.gorpipe.security.cred.CsaApiService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/gorpipe/gor/auth/PlatformAuth.class */
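/**
 * {@link GorAuth} implementation for the {@code PLATFORM} security policy.
 *
 * <p>A session key is a JSON-encoded {@link PlatformSessionKey}, optionally followed by
 * {@code |||} and a suffix that is ignored. The embedded access token is a JWT that is
 * verified through the {@link OAuthHandler}; the resulting {@link GorAuthInfo} is cached
 * under the raw session key until the token's {@code exp} time.
 *
 * <p>Session keys contain a bearer token and are therefore never written to the log; only
 * rejected tokens produce an audit entry, and the user name recorded there comes from the
 * unverified payload.
 */
public class PlatformAuth extends GorAuth {
    private static final Logger log = LoggerFactory.getLogger(PlatformAuth.class);
    private static final Logger auditLog = LoggerFactory.getLogger("audit." + PlatformAuth.class.getName());
    private static final String REALM_ACCESS = "realm_access";
    private static final String ROLES = "roles";
    private static final String SUB = "sub";
    private static final String SESSION_KEY_SEPARATOR = "|||";
    private static final String SIGNATURE_ERROR = "ERROR: Unable to verify the signature of the access token";

    private final PlatformGorAuthCache gorAuthInfoCache;
    private final ObjectMapper objectMapper;
    // Name of the JWT claim that carries the user name, taken from AuthConfig.getPlatformUserKey().
    private final String userKey;
    private final OAuthHandler oAuthHandler;
    // Assigned from AuthConfig.userRolesFromToken() but not read by any method in this class;
    // presumably the decompiler dropped its use, or roles are always read from the token — TODO confirm.
    private final boolean useRolesFromToken;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates a platform authenticator.
     *
     * @param authConfig    configuration; supplies the user-name claim key and the roles flag
     * @param csaApiService passed through to {@link GorAuth}
     * @param oAuthHandler  verifies and decodes access tokens
     * @throws GorSystemException propagated from {@link GorAuth}
     */
    public PlatformAuth(AuthConfig authConfig, CsaApiService csaApiService, OAuthHandler oAuthHandler) throws GorSystemException {
        super(authConfig, csaApiService);
        this.securityPolicy = SecurityPolicy.PLATFORM;
        this.objectMapper = new ObjectMapper();
        this.userKey = authConfig.getPlatformUserKey();
        this.gorAuthInfoCache = new PlatformGorAuthCache();
        this.oAuthHandler = oAuthHandler;
        this.useRolesFromToken = authConfig.userRolesFromToken();
    }

    /**
     * Resolves the auth info for a platform session key, verifying the embedded access token.
     *
     * @param str the session key: a JSON {@link PlatformSessionKey}, optionally followed by
     *            {@code |||} and a suffix that is ignored
     * @return the cached or freshly verified auth info, or {@code null} when the key lacks an
     *         access token or a project, or when the token is expired or its signature is invalid
     * @throws GorSystemException when the key cannot be parsed, a required claim
     *                            ({@code exp}, {@code realm_access}) is missing, or the token
     *                            fails verification for any other reason
     */
    @Override // org.gorpipe.gor.auth.GorAuth
    public GorAuthInfo getGorAuthInfo(String str) {
        GorAuthInfo cached = this.gorAuthInfoCache.get(str);
        if (cached != null) {
            return cached;
        }
        try {
            // The session key carries a bearer token: log the event, never the key itself.
            log.debug("Parsing platform token");
            PlatformSessionKey sessionKey = this.objectMapper.readValue(getSessionKey(str), PlatformSessionKey.class);
            String accessToken = sessionKey.getAccessToken();
            String project = sessionKey.getProject();
            if (accessToken == null) {
                log.error("ERROR: Access Token is null in PLATFORM security policy");
                return null;
            }
            if (project == null) {
                log.error("ERROR: Project is null in PLATFORM security policy");
                return null;
            }
            DecodedJWT jwt = verifyAccessToken(accessToken, sessionKey);
            if (jwt == null) {
                return null;
            }
            String username = getUsername(jwt);
            long expiration = getExpiration(jwt);
            GorAuthInfo authInfo = updateGorAuthInfo(
                    new GeneralAuthInfo(0, project, username, getSub(jwt), getUserRoles(jwt), 0, expiration));
            // A cache entry lives exactly as long as the token it was derived from.
            this.gorAuthInfoCache.add(str, authInfo, expiration);
            return authInfo;
        } catch (Exception e) {
            throw new GorSystemException(e);
        }
    }

    /** Returns the named claim as a string, or {@code null} when it is absent. */
    private static String claimAsString(DecodedJWT decodedJWT, String claimName) {
        Claim claim = decodedJWT.getClaim(claimName);
        return claim == null ? null : claim.asString();
    }

    /** Returns the {@code sub} claim, or {@code null} when absent. */
    private String getSub(DecodedJWT decodedJWT) {
        return claimAsString(decodedJWT, SUB);
    }

    /** Returns the configured user-name claim, or {@code null} when absent. */
    private String getUsername(DecodedJWT decodedJWT) {
        return claimAsString(decodedJWT, this.userKey);
    }

    /**
     * Returns the token's {@code exp} claim as epoch milliseconds.
     *
     * @throws NullPointerException when the token has no {@code exp} claim; failing here keeps
     *                              a token without an expiry out of the cache
     */
    private long getExpiration(DecodedJWT decodedJWT) {
        return Objects.requireNonNull(decodedJWT.getExpiresAt(), "Access token has no 'exp' claim").getTime();
    }

    /**
     * Reads the realm roles ({@code realm_access.roles}) from the verified token.
     *
     * @return the role names, or {@code null} when {@code realm_access} has no {@code roles} entry
     * @throws NullPointerException  when the {@code realm_access} claim is absent or not an object
     * @throws IllegalStateException when {@code roles} is present but not an array
     */
    private List<String> getUserRoles(DecodedJWT decodedJWT) {
        Map<String, Object> realmAccess = Objects.requireNonNull(
                decodedJWT.getClaim(REALM_ACCESS).asMap(),
                "Access token has no '" + REALM_ACCESS + "' claim");
        Object roles = realmAccess.get(ROLES);
        if (roles != null && !(roles instanceof List)) {
            throw new IllegalStateException("'" + REALM_ACCESS + "." + ROLES + "' claim is not an array");
        }
        // The token schema declares roles as an array of strings; the element type cannot be
        // checked here without copying the list.
        @SuppressWarnings("unchecked")
        List<String> roleNames = (List<String>) roles;
        return roleNames;
    }

    /** Strips the optional {@code |||} suffix, leaving the JSON part of the session key. */
    private String getSessionKey(String str) {
        int separatorAt = str.indexOf(SESSION_KEY_SEPARATOR);
        return separatorAt > 0 ? str.substring(0, separatorAt) : str;
    }

    /**
     * Verifies the access token through the {@link OAuthHandler}.
     *
     * <p>An expired token or a bad signature is logged, audited and reported as {@code null}.
     * Any other verification failure propagates to the caller and is not audited here.
     *
     * @return the verified token, or {@code null} when it is expired or its signature is invalid
     */
    private DecodedJWT verifyAccessToken(String accessToken, PlatformSessionKey sessionKey) {
        try {
            return this.oAuthHandler.verifyAccessToken(accessToken);
        } catch (TokenExpiredException e) {
            log.error(e.getMessage(), e);
            auditRejectedToken(e.getMessage(), accessToken, sessionKey);
            return null;
        } catch (SignatureVerificationException e) {
            log.error(SIGNATURE_ERROR, e);
            auditRejectedToken(SIGNATURE_ERROR, accessToken, sessionKey);
            return null;
        }
    }

    /**
     * Writes an audit entry for a rejected access token.
     *
     * <p>The user name is read from the token payload without signature verification (the
     * token has already been rejected), so it is attribution context only and must not be
     * used for any authorization decision.
     */
    private void auditRejectedToken(String message, String accessToken, PlatformSessionKey sessionKey) {
        String unverifiedUsername = this.oAuthHandler.decodeToken(accessToken).getClaim(this.userKey).asString();
        auditLog.info(message,
                StructuredArguments.value("username", unverifiedUsername),
                StructuredArguments.value("project", sessionKey.getProject()),
                StructuredArguments.value("source", sessionKey.getSource()),
                StructuredArguments.value("security-policy", sessionKey.getSecurityPolicy()));
    }
}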
