package com.yahoo.athenz.auth.token;

import com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.auth.util.CryptoException;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/auth/token/AccessToken.class */
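/**
 * OAuth2 access token that adds the scope, user id, client id, proxy principal and
 * confirmation ({@code cnf}) claims on top of {@link OAuth2Token}.
 *
 * <p>When constructed with an {@link X509Certificate}, the token is additionally required
 * to be bound to that certificate (see {@link #confirmMTLSBoundToken}); a failed binding
 * check is reported as a {@link CryptoException}, so callers never obtain a token object
 * whose mTLS binding did not verify.
 */
public class AccessToken extends OAuth2Token {

    /** JOSE header parameter carrying the token type. */
    public static final String HDR_TOKEN_TYPE = "typ";
    /** Value written into {@link #HDR_TOKEN_TYPE} by {@link #getSignedToken}. */
    public static final String HDR_TOKEN_JWT = "at+jwt";
    /** Claim holding the list of granted scopes. */
    public static final String CLAIM_SCOPE = "scp";
    /** Claim holding the user id. */
    public static final String CLAIM_UID = "uid";
    /** Claim holding the client id the token was issued to. */
    public static final String CLAIM_CLIENT_ID = "client_id";
    /** Confirmation claim: a map of binding methods to their values. */
    public static final String CLAIM_CONFIRM = "cnf";
    /** Claim naming the proxy principal, if any. */
    public static final String CLAIM_PROXY = "proxy";
    /** Key inside {@link #CLAIM_CONFIRM}: base64url (no padding) SHA-256 of the DER certificate. */
    public static final String CLAIM_CONFIRM_X509_HASH = "x5t#S256";

    private static final Logger LOG = LoggerFactory.getLogger(AccessToken.class);

    // Clock-skew allowance, in seconds, applied to both ends of the certificate
    // issue-time window checked in confirmX509CertPrincipal.
    private static final long CERT_ISSUE_TIME_SKEW = 3600;

    // Process-wide settings, changed only through the static setters below.
    // NOTE(review): neither field is volatile; presumably they are configured once at
    // startup before tokens are verified - confirm with the callers of the setters.
    private static long ACCESS_TOKEN_CERT_OFFSET = 3600;
    private static Set<String> ACCESS_TOKEN_PROXY_PRINCIPALS = null;

    private String clientId;
    private String userId;
    private String proxyPrincipal;
    private List<String> scope;
    private LinkedHashMap<String, Object> confirm;

    /** Creates an empty token whose fields are populated through the setters. */
    public AccessToken() {
    }

    /**
     * Parses and verifies a serialized token, resolving the signing key through the resolver.
     *
     * @param token the compact serialized JWT
     * @param keyResolver resolver used by the superclass to locate the verification key
     */
    public AccessToken(String token, JwtsSigningKeyResolver keyResolver) {
        super(token, keyResolver);
        setAccessTokenFields();
    }

    /**
     * Parses and verifies a serialized token against a fixed public key.
     *
     * @param token the compact serialized JWT
     * @param publicKey the key the superclass verifies the signature with
     */
    public AccessToken(String token, PublicKey publicKey) {
        super(token, publicKey);
        setAccessTokenFields();
    }

    /**
     * Parses and verifies a token and requires it to be bound to the given client certificate;
     * no proxy certificate hash is supplied, so the proxy-principal path cannot succeed.
     *
     * @param token the compact serialized JWT
     * @param keyResolver resolver used by the superclass to locate the verification key
     * @param cert the mTLS client certificate the token must be bound to
     * @throws CryptoException if the token is not bound to {@code cert}
     */
    public AccessToken(String token, JwtsSigningKeyResolver keyResolver, X509Certificate cert) {
        this(token, keyResolver, cert, null);
    }

    /**
     * Parses and verifies a token and requires it to be bound to the given client certificate.
     *
     * @param token the compact serialized JWT
     * @param keyResolver resolver used by the superclass to locate the verification key
     * @param cert the mTLS client certificate the token must be bound to
     * @param proxyCertHash hash the token's {@code x5t#S256} entry is compared against when
     *                      {@code cert} belongs to an authorized proxy principal; may be null
     * @throws CryptoException if none of the binding checks in {@link #confirmMTLSBoundToken} pass
     */
    public AccessToken(String token, JwtsSigningKeyResolver keyResolver, X509Certificate cert,
            String proxyCertHash) {
        super(token, keyResolver);
        setAccessTokenFields();
        if (!confirmMTLSBoundToken(cert, proxyCertHash)) {
            LOG.error("AccessToken: X.509 Certificate Confirmation failure");
            throw new CryptoException("X.509 Certificate Confirmation failure");
        }
    }

    /**
     * Sets the window (seconds) after token issuance within which a certificate may have
     * been issued for {@link #confirmX509CertPrincipal} to accept it; 0 disables that path.
     *
     * @param offset window length in seconds
     */
    public static void setAccessTokenCertOffset(long offset) {
        ACCESS_TOKEN_CERT_OFFSET = offset;
    }

    /**
     * Sets the allow-list of principals permitted to present a token on behalf of another
     * identity. A null list means every principal is accepted by
     * {@link #confirmX509ProxyPrincipal}.
     *
     * @param principals allowed proxy principals, or null for no restriction
     */
    public static void setAccessTokenProxyPrincipals(Set<String> principals) {
        ACCESS_TOKEN_PROXY_PRINCIPALS = principals;
    }

    /** Copies the access-token specific claims out of the parsed JWT body into the fields. */
    void setAccessTokenFields() {
        Claims body = (Claims) this.claims.getBody();
        setClientId(body.get(CLAIM_CLIENT_ID, String.class));
        setUserId(body.get(CLAIM_UID, String.class));
        setProxyPrincipal(body.get(CLAIM_PROXY, String.class));
        // The JWT library can only hand back raw collection types; the element types are
        // fixed by the token format, so the unchecked conversion is confined to these two lines.
        @SuppressWarnings("unchecked")
        List<String> scopes = body.get(CLAIM_SCOPE, List.class);
        setScope(scopes);
        @SuppressWarnings("unchecked")
        LinkedHashMap<String, Object> confirmation = body.get(CLAIM_CONFIRM, LinkedHashMap.class);
        setConfirm(confirmation);
    }

    /** @return the client id claim, or null if absent */
    public String getClientId() {
        return this.clientId;
    }

    /** @param clientId the client id claim */
    public void setClientId(String clientId) {
        this.clientId = clientId;
    }

    /** @return the proxy principal claim, or null if absent */
    public String getProxyPrincipal() {
        return this.proxyPrincipal;
    }

    /** @param proxyPrincipal the proxy principal claim */
    public void setProxyPrincipal(String proxyPrincipal) {
        this.proxyPrincipal = proxyPrincipal;
    }

    /** @return the user id claim, or null if absent */
    public String getUserId() {
        return this.userId;
    }

    /** @param userId the user id claim */
    public void setUserId(String userId) {
        this.userId = userId;
    }

    /**
     * Returns the live scope list (not a copy); mutations are visible to this token.
     *
     * @return the scope claim, or null if absent
     */
    public List<String> getScope() {
        return this.scope;
    }

    /** @param scopes the scope claim */
    public void setScope(List<String> scopes) {
        this.scope = scopes;
    }

    /**
     * Returns the live confirmation map (not a copy); mutations are visible to this token.
     *
     * @return the {@code cnf} claim, or null if absent
     */
    public LinkedHashMap<String, Object> getConfirm() {
        return this.confirm;
    }

    /** @param confirmation the {@code cnf} claim */
    public void setConfirm(LinkedHashMap<String, Object> confirmation) {
        this.confirm = confirmation;
    }

    /**
     * Adds or replaces one entry of the confirmation claim, creating the map on first use.
     *
     * @param key confirmation method name
     * @param value confirmation value
     */
    public void setConfirmEntry(String key, Object value) {
        if (this.confirm == null) {
            this.confirm = new LinkedHashMap<>();
        }
        this.confirm.put(key, value);
    }

    /**
     * Binds this token to a certificate by storing its {@code x5t#S256} thumbprint in the
     * confirmation claim. If the hash cannot be computed the entry is stored as null.
     *
     * @param cert certificate to bind to
     */
    public void setConfirmX509CertHash(X509Certificate cert) {
        setConfirmEntry(CLAIM_CONFIRM_X509_HASH, getX509CertificateHash(cert));
    }

    /**
     * Verifies that this token is bound to the presented certificate. The check passes when
     * any one of the following holds, tried in order:
     * <ol>
     *   <li>the certificate's thumbprint equals the token's {@code x5t#S256} entry;</li>
     *   <li>the certificate's common name equals the token's client id and the certificate
     *       was issued within the configured window after the token
     *       ({@link #confirmX509CertPrincipal});</li>
     *   <li>the common name is an authorized proxy principal and the token's {@code x5t#S256}
     *       entry equals the caller-supplied {@code proxyCertHash}
     *       ({@link #confirmX509ProxyPrincipal}).</li>
     * </ol>
     * A missing certificate, a token without a confirmation entry, or a certificate without
     * a common name fails closed.
     *
     * @param cert the presented client certificate; null fails the check
     * @param proxyCertHash expected thumbprint for the proxy path; null makes that path fail
     * @return true if the token is bound to {@code cert} by one of the rules above
     */
    boolean confirmMTLSBoundToken(X509Certificate cert, String proxyCertHash) {
        if (cert == null) {
            LOG.error("confirmMTLSBoundToken: null certificate");
            return false;
        }
        String tokenCertHash = (String) getConfirmEntry(CLAIM_CONFIRM_X509_HASH);
        if (tokenCertHash == null) {
            LOG.error("confirmMTLSBoundToken: token does not have confirmation entry");
            return false;
        }
        if (confirmX509CertHash(cert, tokenCertHash)) {
            return true;
        }
        String certPrincipal = Crypto.extractX509CertCommonName(cert);
        if (certPrincipal == null) {
            LOG.error("confirmMTLSBoundToken: null principal in certificate");
            return false;
        }
        if (confirmX509CertPrincipal(cert, certPrincipal)) {
            return true;
        }
        return confirmX509ProxyPrincipal(certPrincipal, proxyCertHash, tokenCertHash);
    }

    /**
     * Compares the certificate's computed thumbprint with an expected value. If the
     * thumbprint cannot be computed (null), the comparison fails.
     *
     * @param cert certificate to hash
     * @param expectedHash non-null expected {@code x5t#S256} value
     * @return true if the thumbprints match
     */
    boolean confirmX509CertHash(X509Certificate cert, String expectedHash) {
        return expectedHash.equals(getX509CertificateHash(cert));
    }

    /**
     * Proxy path: the presenting principal must be on the configured allow-list (or no list
     * must be configured at all), and the token's confirmation hash must equal the hash the
     * caller supplied for the proxied certificate.
     *
     * @param certPrincipal common name of the presented certificate
     * @param proxyCertHash caller-supplied hash; null never matches
     * @param tokenCertHash the token's {@code x5t#S256} entry (non-null)
     * @return true if the proxy binding is accepted
     */
    boolean confirmX509ProxyPrincipal(String certPrincipal, String proxyCertHash, String tokenCertHash) {
        // A null allow-list imposes no restriction on who may act as a proxy.
        if (ACCESS_TOKEN_PROXY_PRINCIPALS == null || ACCESS_TOKEN_PROXY_PRINCIPALS.contains(certPrincipal)) {
            return tokenCertHash.equals(proxyCertHash);
        }
        LOG.error("confirmX509ProxyPrincipal: unauthorized proxy principal: {}", certPrincipal);
        return false;
    }

    /**
     * Principal path: accepts a certificate whose common name equals the token's client id,
     * provided the certificate was issued no earlier than {@code issueTime - skew} and no
     * later than {@code issueTime + offset - skew}. An offset of 0 disables this path.
     *
     * @param cert the presented certificate
     * @param certPrincipal common name extracted from {@code cert}
     * @return true if the certificate is accepted as the token's own client certificate
     */
    boolean confirmX509CertPrincipal(X509Certificate cert, String certPrincipal) {
        if (ACCESS_TOKEN_CERT_OFFSET == 0) {
            LOG.error("confirmX509CertPrincipal: check disabled");
            return false;
        }
        if (!certPrincipal.equals(this.clientId)) {
            LOG.error("confirmX509CertPrincipal: Principal mismatch {} vs {}", certPrincipal, this.clientId);
            return false;
        }
        long certIssueTime = Crypto.extractX509CertIssueTime(cert);
        // Lower bound: a certificate issued (more than the skew allowance) before the token
        // cannot be the certificate the token was issued for.
        if (certIssueTime < this.issueTime - CERT_ISSUE_TIME_SKEW) {
            LOG.error("confirmX509CertPrincipal: Certificate: {} issued before token: {}",
                    certIssueTime, this.issueTime);
            return false;
        }
        // Upper bound: the certificate must have been issued within the configured offset,
        // again net of the skew allowance.
        if (certIssueTime > (this.issueTime + ACCESS_TOKEN_CERT_OFFSET) - CERT_ISSUE_TIME_SKEW) {
            LOG.error("confirmX509CertPrincipal: Certificate: {} past configured offset {} for token: {}",
                    certIssueTime, ACCESS_TOKEN_CERT_OFFSET, this.issueTime);
            return false;
        }
        return true;
    }

    /**
     * Computes the {@code x5t#S256} thumbprint: SHA-256 over the DER encoding, base64url
     * without padding.
     *
     * @param cert certificate to hash
     * @return the thumbprint, or null if the certificate cannot be encoded or hashed
     *         (the failure is logged; callers treat null as "no match")
     */
    String getX509CertificateHash(X509Certificate cert) {
        try {
            byte[] digest = Crypto.sha256(cert.getEncoded());
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (CryptoException | CertificateEncodingException e) {
            LOG.error("Unable to get X.509 certificate hash", e);
            return null;
        }
    }

    /**
     * Looks up one entry of the confirmation claim.
     *
     * @param key confirmation method name
     * @return the stored value, or null if the claim or the entry is absent
     */
    public Object getConfirmEntry(String key) {
        if (this.confirm == null) {
            return null;
        }
        return this.confirm.get(key);
    }

    /**
     * Serializes and signs this token. All fields, including null ones, are written as
     * claims; the header carries the key id and {@code typ=at+jwt}.
     *
     * @param privateKey signing key
     * @param keyId value for the {@code kid} header
     * @param algorithm signature algorithm
     * @return the compact serialized JWS
     */
    public String getSignedToken(PrivateKey privateKey, String keyId, SignatureAlgorithm algorithm) {
        return Jwts.builder()
                .setSubject(this.subject)
                .setIssuedAt(Date.from(Instant.ofEpochSecond(this.issueTime)))
                .setExpiration(Date.from(Instant.ofEpochSecond(this.expiryTime)))
                .setIssuer(this.issuer)
                .setAudience(this.audience)
                .claim(OAuth2Token.CLAIM_AUTH_TIME, this.authTime)
                .claim(OAuth2Token.CLAIM_VERSION, this.version)
                .claim(CLAIM_SCOPE, this.scope)
                .claim(CLAIM_UID, this.userId)
                .claim(CLAIM_CLIENT_ID, this.clientId)
                .claim(CLAIM_CONFIRM, this.confirm)
                .claim(CLAIM_PROXY, this.proxyPrincipal)
                .setHeaderParam(OAuth2Token.HDR_KEY_ID, keyId)
                .setHeaderParam(HDR_TOKEN_TYPE, HDR_TOKEN_JWT)
                .signWith(algorithm, privateKey)
                .compact();
    }
}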
