package com.yahoo.athenz.auth.impl;

import com.yahoo.athenz.auth.Authority;
import com.yahoo.athenz.auth.AuthorityKeyStore;
import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.auth.Principal;
import com.yahoo.athenz.auth.token.RoleToken;
import com.yahoo.athenz.auth.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.Objects;

/* loaded from: input_file:com/yahoo/athenz/auth/impl/RoleAuthority.class */
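/**
 * Authority that authenticates ZTS-issued role tokens presented in the
 * {@code Athenz-Role-Auth} header (or the header configured via
 * {@code athenz.auth.role.header}).
 *
 * <p>Authentication verifies the token signature against the ZTS public key
 * obtained from the configured {@link KeyStore} and, for write operations,
 * additionally requires that a user-domain token be presented from the same
 * address it was issued to. All failures return {@code null} and append a
 * reason to the caller-supplied {@code StringBuilder}; the signature portion
 * of a credential is never written to the log.
 *
 * <p>The key store is injected once via {@link #setKeyStore(KeyStore)} before
 * use; access to it is not synchronized.
 */
public class RoleAuthority implements Authority, AuthorityKeyStore {
    private static final Logger LOG = LoggerFactory.getLogger(RoleAuthority.class);
    public static final String SYS_AUTH_DOMAIN = "sys.auth";
    public static final String ZTS_SERVICE_NAME = "zts";
    private static final String USER_DOMAIN = "user";
    static final String ATHENZ_PROP_TOKEN_OFFSET = "athenz.auth.role.token_allowed_offset";
    static final String ATHENZ_PROP_USER_DOMAIN = "athenz.user_domain";
    public static final String HTTP_HEADER = "Athenz-Role-Auth";
    public static final String ATHENZ_PROP_ROLE_HEADER = "athenz.auth.role.header";
    // Default tolerance passed to RoleToken.validate when the property is unset or negative
    // (units are not visible here; presumably seconds — confirm against RoleToken).
    private static final int DEFAULT_TOKEN_OFFSET = 300;

    private final int allowedOffset;
    // Source of the ZTS public key; null until setKeyStore() is called.
    KeyStore keyStore = null;
    // Domain whose principals are subject to the token-ip/request-ip check.
    String userDomain;
    // Request header carrying the role token.
    String headerName;

    /**
     * Builds the authority from system properties.
     *
     * @throws NumberFormatException if {@code athenz.auth.role.token_allowed_offset} is set
     *         but is not an integer; a malformed security setting fails fast rather than
     *         silently falling back to a default
     */
    public RoleAuthority() {
        this.allowedOffset = parseAllowedOffset(System.getProperty(ATHENZ_PROP_TOKEN_OFFSET));
        this.userDomain = System.getProperty(ATHENZ_PROP_USER_DOMAIN, USER_DOMAIN);
        this.headerName = System.getProperty(ATHENZ_PROP_ROLE_HEADER, HTTP_HEADER);
    }

    /**
     * Parses the configured token offset.
     *
     * @param value raw property value, or {@code null} when unset
     * @return the parsed offset, or {@link #DEFAULT_TOKEN_OFFSET} when unset or negative
     * @throws NumberFormatException if {@code value} is non-null and not an integer
     */
    private static int parseAllowedOffset(String value) {
        if (value == null) {
            return DEFAULT_TOKEN_OFFSET;
        }
        int offset = Integer.parseInt(value);
        // A negative tolerance is meaningless; treat it as "not configured".
        return offset < 0 ? DEFAULT_TOKEN_OFFSET : offset;
    }

    /** No deferred initialization is required; configuration happens in the constructor. */
    @Override
    public void initialize() {
    }

    /** @return the domain that issues the tokens this authority accepts */
    @Override
    public String getDomain() {
        return SYS_AUTH_DOMAIN;
    }

    /** @return the request header the role token is read from */
    @Override
    public String getHeader() {
        return this.headerName;
    }

    /**
     * Authenticates a signed role token.
     *
     * @param str   the signed role token as presented by the client
     * @param str2  the remote address the request arrived from
     * @param str3  the HTTP method of the request; only PUT/POST/DELETE trigger the IP check
     * @param sb    receives a human-readable failure reason; may be {@code null}
     * @return the authenticated principal, or {@code null} if the token is rejected
     */
    @Override
    public Principal authenticate(String str, String str2, String str3, StringBuilder sb) {
        StringBuilder errMsg = sb == null ? new StringBuilder(512) : sb;
        if (str == null) {
            // Fail closed instead of letting a NullPointerException escape from token parsing.
            errMsg.append("RoleAuthority:authenticate failed: Invalid token: no credential supplied");
            LOG.error(errMsg.toString());
            return null;
        }
        if (LOG.isDebugEnabled()) {
            // Log only the unsigned portion: the full token is a bearer credential and
            // must not land in log files.
            LOG.debug("Authenticating RoleToken: {}", Token.getUnsignedToken(str));
        }
        try {
            RoleToken roleToken = new RoleToken(str);
            // Objects.equals keeps a missing remote address from throwing and treats it as a
            // mismatch, so the user-domain check below still fails closed.
            if (isWriteOperation(str3) && !Objects.equals(str2, roleToken.getIP())) {
                String tokenPrincipal = roleToken.getPrincipal();
                int dot = tokenPrincipal.lastIndexOf('.');
                // A principal must look like "<domain>.<name>": a dot that is missing, leading or trailing is invalid.
                if (dot <= 0 || dot == tokenPrincipal.length() - 1) {
                    errMsg.append("RoleAuthority:authenticate failed: Invalid principal specified: ").append(tokenPrincipal).append(" : credential=").append(Token.getUnsignedToken(str));
                    LOG.error(errMsg.toString());
                    return null;
                }
                // Only principals in the configured user domain are bound to the issuing IP;
                // other domains fall through to signature validation.
                if (tokenPrincipal.substring(0, dot).equalsIgnoreCase(this.userDomain)) {
                    errMsg.append("RoleAuthority:authenticate failed: IP Mismatch - token-ip(").append(roleToken.getIP()).append(") request-addr(").append(str2).append(") : credential=").append(Token.getUnsignedToken(str));
                    LOG.warn(errMsg.toString());
                    return null;
                }
            }
            if (this.keyStore == null) {
                // Without a key store there is no trusted public key; reject rather than NPE.
                errMsg.append("RoleAuthority:authenticate failed: no key store configured : credential=").append(Token.getUnsignedToken(str));
                LOG.error(errMsg.toString());
                return null;
            }
            if (!roleToken.validate(this.keyStore.getPublicKey(SYS_AUTH_DOMAIN, ZTS_SERVICE_NAME, roleToken.getKeyId()), this.allowedOffset, false)) {
                errMsg.append("RoleAuthority:authenticate failed: validation was not successful: credential=").append(Token.getUnsignedToken(str));
                LOG.warn(errMsg.toString());
                return null;
            }
            SimplePrincipal authenticated = (SimplePrincipal) SimplePrincipal.create(roleToken.getDomain().toLowerCase(), str, roleToken.getRoles(), this);
            authenticated.setUnsignedCreds(roleToken.getUnsignedToken());
            return authenticated;
        } catch (IllegalArgumentException e) {
            errMsg.append("RoleAuthority:authenticate failed: Invalid token: exc=").append(e.getMessage()).append(" : credential=").append(Token.getUnsignedToken(str));
            LOG.error(errMsg.toString());
            return null;
        }
    }

    /**
     * Reports whether an HTTP method is treated as a write for the purpose of the
     * token-ip/request-ip check.
     *
     * @param str the HTTP method; case-insensitive, may be {@code null}
     * @return {@code true} for PUT, POST and DELETE; {@code false} otherwise or for {@code null}
     */
    boolean isWriteOperation(String str) {
        if (str == null) {
            return false;
        }
        return str.equalsIgnoreCase("PUT") || str.equalsIgnoreCase("POST") || str.equalsIgnoreCase("DELETE");
    }

    /**
     * Installs the key store used to look up the ZTS public key during validation.
     *
     * @param keyStore the key store; expected to be set before the first {@link #authenticate} call
     */
    @Override
    public void setKeyStore(KeyStore keyStore) {
        this.keyStore = keyStore;
    }
}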
