package com.yahoo.athenz.auth.oauth;

import com.yahoo.athenz.auth.Authority;
import com.yahoo.athenz.auth.AuthorityKeyStore;
import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.auth.Principal;
import com.yahoo.athenz.auth.impl.CertificateIdentity;
import com.yahoo.athenz.auth.impl.CertificateIdentityException;
import com.yahoo.athenz.auth.impl.CertificateIdentityParser;
import com.yahoo.athenz.auth.impl.SimplePrincipal;
import com.yahoo.athenz.auth.oauth.parser.OAuthJwtAccessTokenParser;
import com.yahoo.athenz.auth.oauth.parser.OAuthJwtAccessTokenParserFactory;
import com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessToken;
import com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessTokenException;
import com.yahoo.athenz.auth.oauth.util.OAuthAuthorityUtils;
import com.yahoo.athenz.auth.oauth.validator.DefaultOAuthJwtAccessTokenValidator;
import com.yahoo.athenz.auth.oauth.validator.OAuthJwtAccessTokenValidator;
import com.yahoo.athenz.auth.util.AthenzUtils;
import com.yahoo.athenz.auth.util.CryptoException;
import jakarta.servlet.http.HttpServletRequest;
import java.io.BufferedReader;
import java.io.FileReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/auth/oauth/OAuthCertBoundJwtAccessTokenAuthority.class */
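/**
 * Authority that authenticates a request carrying a certificate-bound OAuth 2.0 JWT access token.
 *
 * <p>{@link #authenticate(HttpServletRequest, StringBuilder)} extracts the bearer token from the
 * request header, derives the client identity from the request's X.509 certificate, parses the
 * JWT, validates its claims, checks that the token's client id matches the certificate principal
 * and (unless disabled) that the token is bound to the certificate thumbprint, and finally builds
 * a {@link SimplePrincipal} from the token subject. Any failure yields {@code null} and an error
 * message appended to the caller's {@link StringBuilder}.
 *
 * <p>Credentials are taken from the request only ({@link Authority.CredSource#REQUEST}); the
 * credential-string {@link #authenticate(String, String, String, StringBuilder)} variant is not
 * supported. Configuration is read from system properties in {@link #initialize()}.
 */
public class OAuthCertBoundJwtAccessTokenAuthority implements Authority, AuthorityKeyStore, KeyStore {
    private static final Logger LOG = LoggerFactory.getLogger(OAuthCertBoundJwtAccessTokenAuthority.class);

    /** WWW-Authenticate challenge; the realm is overwritten from configuration in {@link #initialize()}. */
    private String authenticateChallenge = "Bearer realm=\"athenz.io\"";
    /** Key store injected through {@link #setKeyStore(KeyStore)}; {@link #getPublicKey} delegates to it. */
    private KeyStore keyStore = null;
    /** Extracts the client identity (certificate and principal name) from the request. */
    private CertificateIdentityParser certificateIdentityParser = null;
    /** Parses the raw bearer token into an {@link OAuthJwtAccessToken}. */
    private OAuthJwtAccessTokenParser parser = null;
    /** Validates token claims, client id and certificate binding. */
    private OAuthJwtAccessTokenValidator validator = null;
    /** Certificate principal name -> authorized service name, loaded from the client id file (package-private). */
    Map<String, String> authorizedServices = null;
    /** When true, the token must be bound to the thumbprint of the presented client certificate. */
    private boolean shouldVerifyCertThumbprint = true;

    /**
     * Injects the key store used to resolve public keys.
     *
     * @param keyStore key store to delegate {@link #getPublicKey} calls to
     */
    @Override
    public void setKeyStore(KeyStore keyStore) {
        this.keyStore = keyStore;
    }

    /**
     * Resolves a public key through the injected key store.
     *
     * @throws NullPointerException if {@link #setKeyStore(KeyStore)} has not been called
     */
    @Override
    public String getPublicKey(String str, String str2, String str3) {
        KeyStore store = Objects.requireNonNull(this.keyStore, "keyStore has not been set");
        return store.getPublicKey(str, str2, str3);
    }

    /** Credentials are read from the HTTP request, never from a credential string. */
    @Override
    public Authority.CredSource getCredSource() {
        return Authority.CredSource.REQUEST;
    }

    /** Returns the {@code Bearer realm="..."} challenge to send on authentication failure. */
    @Override
    public String getAuthenticateChallenge() {
        return this.authenticateChallenge;
    }

    /** This authority is not tied to a single domain. */
    @Override
    public String getDomain() {
        return null;
    }

    /** Name of the request header carrying the bearer token. */
    @Override
    public String getHeader() {
        return OAuthAuthorityConsts.AUTH_HEADER;
    }

    /**
     * Credential-string authentication is not supported by this authority (see
     * {@link #getCredSource()}); always returns {@code null}.
     */
    @Override
    public Principal authenticate(String str, String str2, String str3, StringBuilder sb) {
        return null;
    }

    /**
     * Records an authentication failure: logs it at DEBUG and appends it to the caller's
     * error buffer when one was supplied.
     *
     * @param message failure description
     * @param errMsg caller's error buffer, may be {@code null}
     */
    private void reportError(String message, StringBuilder errMsg) {
        LOG.debug(message);
        if (errMsg != null) {
            errMsg.append(message);
        }
    }

    /**
     * Loads the authorized client id file into the two maps.
     *
     * <p>Each non-blank line has three non-empty fields separated by
     * {@link OAuthAuthorityConsts#CLIENT_ID_FIELD_DELIMITER}: a comma-separated list of allowed
     * client ids, the certificate principal name they apply to, and the authorized service name
     * recorded on the principal. Invalid lines are logged and skipped; an unreadable file is
     * logged and leaves the maps untouched, so a bad file never fails {@link #initialize()}.
     *
     * @param path file path; {@code null} or empty disables the mapping
     * @param authorizedClientIds out: certificate principal name -> allowed client ids
     * @param authorizedServiceNames out: certificate principal name -> authorized service name
     */
    private void processAuthorizedClientIds(String path, Map<String, Set<String>> authorizedClientIds,
            Map<String, String> authorizedServiceNames) {
        if (path == null || path.isEmpty()) {
            return;
        }
        // try-with-resources closes the reader on every path, including a failed readLine().
        try (BufferedReader reader = Files.newBufferedReader(Paths.get(path))) {
            String line;
            while ((line = reader.readLine()) != null) {
                String entry = line.trim();
                if (entry.isEmpty()) {
                    continue;
                }
                String[] fields = entry.split(OAuthAuthorityConsts.CLIENT_ID_FIELD_DELIMITER);
                if (!isValidClientIdEntry(fields)) {
                    LOG.error("Skipping invalid client id entry {}", entry);
                    continue;
                }
                Set<String> clientIds = OAuthAuthorityUtils.csvToSet(fields[0], ",");
                // an empty element would make "" an accepted client id
                if (clientIds == null || clientIds.contains("")) {
                    LOG.error("Skipping invalid client id entry {}", entry);
                    continue;
                }
                String certPrincipalName = fields[1];
                if (authorizedClientIds.put(certPrincipalName, clientIds) != null) {
                    LOG.warn("Duplicate client id entry for {}, last one wins", certPrincipalName);
                }
                authorizedServiceNames.put(certPrincipalName, fields[2]);
            }
        } catch (Exception e) {
            // best-effort: log with the cause and keep whatever was loaded so far
            LOG.error("Unable to process client id list {}: {}", path, e.getMessage(), e);
        }
    }

    /** An entry is valid when it has exactly three fields and none of them is empty. */
    private static boolean isValidClientIdEntry(String[] fields) {
        if (fields.length != 3) {
            return false;
        }
        for (String field : fields) {
            if (field.isEmpty()) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reads configuration and builds the certificate parser, token parser, validator and the
     * authorized client id maps.
     *
     * @throws IllegalArgumentException if the configured parser factory class cannot be loaded,
     *         instantiated or is not an {@link OAuthJwtAccessTokenParserFactory}
     */
    @Override
    public void initialize() {
        this.authenticateChallenge = String.format("Bearer realm=\"%s\"",
                OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_AUTHN_CHALLENGE_REALM, "https://athenz.io"));
        this.certificateIdentityParser = new CertificateIdentityParser(
                OAuthAuthorityUtils.csvToSet(
                        OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_CERT_EXCLUDED_PRINCIPALS, ""), ","),
                Boolean.parseBoolean(
                        OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_CERT_EXCLUDE_ROLE_CERTIFICATES, "false")));

        String factoryClassName = OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_PARSER_FACTORY_CLASS,
                "com.yahoo.athenz.auth.oauth.parser.DefaultOAuthJwtAccessTokenParserFactory");
        try {
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance(),
            // which let checked exceptions from the constructor escape unwrapped
            OAuthJwtAccessTokenParserFactory factory = (OAuthJwtAccessTokenParserFactory)
                    Class.forName(factoryClassName).getDeclaredConstructor().newInstance();
            this.parser = factory.create(this);
        } catch (ReflectiveOperationException | ClassCastException e) {
            LOG.error("Invalid OAuthJwtAccessTokenParserFactory class: {} error: {}", factoryClassName, e.getMessage());
            throw new IllegalArgumentException("Invalid JWT parser class", e);
        }

        this.shouldVerifyCertThumbprint = Boolean.parseBoolean(
                OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_VERIFY_CERT_THUMBPRINT, "true"));

        Map<String, Set<String>> authorizedClientIds = new HashMap<>();
        Map<String, String> authorizedServiceNames = new HashMap<>();
        processAuthorizedClientIds(
                OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_AUTHORIZED_CLIENT_IDS_PATH, ""),
                authorizedClientIds, authorizedServiceNames);
        this.authorizedServices = authorizedServiceNames;

        this.validator = new DefaultOAuthJwtAccessTokenValidator(
                OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_CLAIM_ISS, "https://athenz.io"),
                OAuthAuthorityUtils.csvToSet(
                        OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_CLAIM_AUD, "https://zms.athenz.io"), ","),
                OAuthAuthorityUtils.csvToSet(
                        OAuthAuthorityUtils.getProperty(OAuthAuthorityConsts.JA_PROP_CLAIM_SCOPE, "sys.auth:role.admin"),
                        OAuthJwtAccessToken.SCOPE_DELIMITER),
                authorizedClientIds);
    }

    /**
     * Authenticates the request's bearer token against the request's client certificate.
     *
     * @param httpServletRequest incoming request; the token is read from {@link #getHeader()}
     * @param sb receives a failure description, may be {@code null}
     * @return the authenticated principal, or {@code null} when there is no token, the
     *         certificate identity cannot be parsed, the token is invalid, or its subject is
     *         not a {@code domain.service} identity
     */
    @Override
    public Principal authenticate(HttpServletRequest httpServletRequest, StringBuilder sb) {
        StringBuilder errMsg = sb == null ? new StringBuilder(512) : sb;

        String accessToken = OAuthAuthorityUtils.extractHeaderToken(httpServletRequest);
        if (accessToken == null) {
            LOG.debug("OAuthCertBoundJwtAccessTokenAuthority:authenticate: no credentials, skip...");
            return null;
        }

        CertificateIdentity certIdentity;
        try {
            certIdentity = this.certificateIdentityParser.parse(httpServletRequest);
        } catch (CertificateIdentityException e) {
            reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid certificate: " + e.getMessage(), errMsg);
            return null;
        }
        X509Certificate clientCert = certIdentity.getX509Certificate();
        String certPrincipalName = certIdentity.getPrincipalName();

        try {
            OAuthJwtAccessToken token = this.parser.parse(accessToken);
            this.validator.validate(token);
            // the token's client id must belong to the identity proven by the certificate
            this.validator.validateClientId(token, certPrincipalName);
            if (this.shouldVerifyCertThumbprint) {
                this.validator.validateCertificateBinding(token, this.validator.getX509CertificateThumbprint(clientCert));
            }

            String[] domainAndService = AthenzUtils.splitPrincipalName(token.getSubject());
            if (domainAndService == null) {
                reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: sub is not a valid service identity: got="
                        + token.getSubject(), errMsg);
                return null;
            }

            SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(
                    domainAndService[0], domainAndService[1], accessToken, token.getIssuedAt(), this);
            principal.setUnsignedCreds(token.toString());
            principal.setX509Certificate(clientCert);
            principal.setApplicationId(certPrincipalName);
            // fall back to the certificate principal itself when no mapping was configured
            principal.setAuthorizedService(this.authorizedServices.getOrDefault(certPrincipalName, certPrincipalName));

            if (LOG.isDebugEnabled()) {
                LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: client certificate name={}", certPrincipalName);
                LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: valid user={}", principal.toString());
                LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: unsignedCredentials={}", principal.getUnsignedCredentials());
                // NOTE(review): getCredentials() is the bearer token passed to create() above, so at
                // DEBUG level this line writes the access token itself into the log.
                LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: credentials={}", principal.getCredentials());
            }
            return principal;
        } catch (OAuthJwtAccessTokenException | CryptoException | CertificateEncodingException e) {
            reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: " + e.getMessage(), errMsg);
            return null;
        }
    }
}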
