package com.yahoo.athenz.auth.impl;

import com.yahoo.athenz.auth.Authority;
import com.yahoo.athenz.auth.AuthorityKeyStore;
import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.auth.Principal;
import com.yahoo.athenz.auth.token.PrincipalToken;
import com.yahoo.athenz.auth.token.Token;
import com.yahoo.athenz.auth.util.CryptoException;
import java.util.List;
import java.util.Locale;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/auth/impl/PrincipalAuthority.class */
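/**
 * Authority that authenticates requests carrying a signed {@link PrincipalToken} in the
 * configured HTTP header (default {@link #HTTP_HEADER}).
 *
 * <p>Verification keys are looked up through the {@link KeyStore} supplied via
 * {@link #setKeyStore(KeyStore)}; that method must be called before {@link #authenticate}.
 * All tunables are read from system properties when the instance is created:
 * <ul>
 *   <li>{@value #ATHENZ_PROP_TOKEN_OFFSET} – tolerated timestamp offset passed to
 *       {@link PrincipalToken#validate} (default 300, negative values fall back to 300)</li>
 *   <li>{@value #ATHENZ_PROP_IP_CHECK_MODE} – one of {@link IpCheckMode} (default OPS_WRITE)</li>
 *   <li>{@value #ATHENZ_PROP_USER_DOMAIN} – the user domain (default "user")</li>
 *   <li>{@value #ATHENZ_PROP_PRINCIPAL_HEADER} – header carrying the token</li>
 * </ul>
 *
 * <p>Failure details are written to the caller-supplied {@code StringBuilder} and, where
 * logged, only the unsigned form of the token is emitted so the bearer credential itself
 * does not end up in log files.
 */
public class PrincipalAuthority implements Authority, AuthorityKeyStore {

    private static final String USER_DOMAIN = "user";
    private static final String SYS_AUTH_DOMAIN = "sys.auth";
    private static final String ZMS_SERVICE = "zms";
    private static final String ZTS_SERVICE = "zts";

    static final String ATHENZ_PROP_TOKEN_OFFSET = "athenz.auth.principal.token_allowed_offset";
    private static final String ATHENZ_PROP_IP_CHECK_MODE = "athenz.auth.principal.remote_ip_check_mode";
    private static final String ATHENZ_PROP_USER_DOMAIN = "athenz.user_domain";
    public static final String HTTP_HEADER = "Athenz-Principal-Auth";
    public static final String ATHENZ_AUTH_CHALLENGE = "AthenzPrincipalToken realm=\"athenz\"";
    public static final String ATHENZ_PROP_PRINCIPAL_HEADER = "athenz.auth.principal.header";

    /** Default (and fallback) value for {@link #ATHENZ_PROP_TOKEN_OFFSET}. */
    private static final int DEFAULT_TOKEN_OFFSET = 300;

    private static final Logger LOG = LoggerFactory.getLogger(PrincipalAuthority.class);

    // Offset handed to PrincipalToken.validate; never negative after construction.
    private int allowedOffset;
    // Source of public keys; null until setKeyStore is called.
    private KeyStore keyStore = null;
    // Invalid property values fail fast here with IllegalArgumentException from valueOf.
    IpCheckMode ipCheckMode = IpCheckMode.valueOf(
            System.getProperty(ATHENZ_PROP_IP_CHECK_MODE, IpCheckMode.OPS_WRITE.toString()));
    final String userDomain = System.getProperty(ATHENZ_PROP_USER_DOMAIN, USER_DOMAIN);
    private String headerName = System.getProperty(ATHENZ_PROP_PRINCIPAL_HEADER, HTTP_HEADER);

    /**
     * How the client address is compared against the IP recorded in a user-domain token.
     * <ul>
     *   <li>{@code OPS_ALL} – every request must come from the token's IP</li>
     *   <li>{@code OPS_WRITE} – only write operations (PUT/POST/DELETE) must match, and a
     *       request made through a validated authorized service is exempt</li>
     *   <li>{@code OPS_NONE} – no IP check</li>
     * </ul>
     */
    public enum IpCheckMode {
        OPS_ALL,
        OPS_WRITE,
        OPS_NONE
    }

    /**
     * Creates the authority, reading the allowed token offset from
     * {@link #ATHENZ_PROP_TOKEN_OFFSET}.
     *
     * @throws NumberFormatException if the property is set but is not an integer
     *         (deliberately fails fast on misconfiguration)
     */
    public PrincipalAuthority() {
        int offset = Integer.parseInt(
                System.getProperty(ATHENZ_PROP_TOKEN_OFFSET, Integer.toString(DEFAULT_TOKEN_OFFSET)));
        // A negative offset is not meaningful; replace it with the default.
        this.allowedOffset = offset < 0 ? DEFAULT_TOKEN_OFFSET : offset;
    }

    /** Nothing to initialize: all configuration is read from system properties on construction. */
    @Override
    public void initialize() {
    }

    /**
     * @return {@code null}; this authority is not tied to a specific domain
     */
    @Override
    public String getDomain() {
        return null;
    }

    /**
     * @return name of the HTTP header that carries the principal token
     */
    @Override
    public String getHeader() {
        return this.headerName;
    }

    /**
     * @return the {@code WWW-Authenticate} challenge value for this authority
     */
    @Override
    public String getAuthenticateChallenge() {
        return ATHENZ_AUTH_CHALLENGE;
    }

    /**
     * Authenticates a signed principal token.
     *
     * <p>Checks, in order: the token parses; its authorized-service fields are structurally
     * valid; its signature verifies against the key chosen by {@link #getPublicKey}; any
     * authorized-service signature verifies ({@link #validateAuthorizeService}); and, for a
     * token in the user domain, {@link #remoteIpCheck} passes.
     *
     * @param creds      signed token as received in the request header
     * @param remoteAddr address of the requesting client, compared against the IP inside the token
     * @param httpMethod HTTP method of the request; PUT/POST/DELETE count as write operations
     * @param errMsg     receives a description of the failure; may be {@code null}
     * @return the authenticated principal, or {@code null} when any check fails
     */
    @Override
    public Principal authenticate(String creds, String remoteAddr, String httpMethod, StringBuilder errMsg) {
        StringBuilder err = errMsg == null ? new StringBuilder(512) : errMsg;
        try {
            PrincipalToken token = new PrincipalToken(creds);
            if (LOG.isDebugEnabled()) {
                // Log the unsigned form only: the signed token is the bearer credential.
                LOG.debug("Authenticating PrincipalToken: {}", token.getUnsignedToken());
            }
            StringBuilder detail = new StringBuilder(512);
            if (!token.isValidAuthorizedServiceToken(detail)) {
                appendFailure(err, "PrincipalAuthority:authenticate: Invalid authorized service token: ", detail, creds);
                return null;
            }

            // Locale.ROOT keeps identifier lower-casing independent of the JVM's default locale.
            String domain = token.getDomain().toLowerCase(Locale.ROOT);
            String name = token.getName().toLowerCase(Locale.ROOT);
            String keyService = token.getKeyService();
            boolean userToken = domain.equals(this.userDomain);

            String publicKey = getPublicKey(domain, name, keyService, token.getKeyId(), userToken);
            boolean writeOp = isWriteOperation(httpMethod);
            // The third argument is !writeOp, so read requests get the more lenient validation
            // mode; its exact meaning is defined by PrincipalToken.validate.
            if (!token.validate(publicKey, this.allowedOffset, !writeOp, detail)) {
                appendFailure(err, "PrincipalAuthority:authenticate: service token validation failure: ", detail, creds);
                return null;
            }

            String authorizedService = null;
            if (token.getAuthorizedServiceSignature() != null) {
                authorizedService = validateAuthorizeService(token, detail);
                if (authorizedService == null) {
                    appendFailure(err, "PrincipalAuthority:authenticate: validation of authorized service failure: ", detail, creds);
                    return null;
                }
            }

            // IP pinning applies to user-domain tokens only.
            if (userToken && !remoteIpCheck(remoteAddr, writeOp, token, authorizedService)) {
                err.append("PrincipalAuthority:authenticate: IP Mismatch - token (").append(token.getIP())
                        .append(") request (").append(remoteAddr).append(")");
                LOG.error(err.toString());
                return null;
            }

            SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(
                    domain, name, creds, token.getTimestamp(), this);
            principal.setUnsignedCreds(token.getUnsignedToken());
            principal.setAuthorizedService(authorizedService);
            principal.setOriginalRequestor(token.getOriginalRequestor());
            principal.setKeyService(keyService);
            principal.setIP(token.getIP());
            principal.setKeyId(token.getKeyId());
            return principal;
        } catch (IllegalArgumentException e) {
            // Thrown by the PrincipalToken constructor for malformed input.
            err.append("PrincipalAuthority:authenticate: Invalid token: exc=").append(e.getMessage())
                    .append(" : credential=").append(Token.getUnsignedToken(creds));
            LOG.error(err.toString());
            return null;
        }
    }

    /**
     * Appends a failure message of the form {@code prefix + detail + " : credential=" + unsigned token}.
     *
     * @param err    buffer to append to
     * @param prefix fixed message prefix
     * @param detail validation detail produced by the token methods
     * @param creds  signed token; only its unsigned part is written
     */
    private static void appendFailure(StringBuilder err, String prefix, CharSequence detail, String creds) {
        err.append(prefix).append(detail).append(" : credential=").append(Token.getUnsignedToken(creds));
    }

    /**
     * Applies the configured {@link IpCheckMode} to a user-domain token.
     *
     * @param remoteAddr        client address; {@code null} never matches the token's IP
     * @param writeOp           whether the request is a write operation
     * @param token             the validated token
     * @param authorizedService validated authorized service name, or {@code null} if none
     * @return {@code true} if the request is acceptable under the current mode
     */
    boolean remoteIpCheck(String remoteAddr, boolean writeOp, PrincipalToken token, String authorizedService) {
        boolean ipMatches = remoteAddr != null && remoteAddr.equals(token.getIP());
        switch (this.ipCheckMode) {
            case OPS_ALL:
                return ipMatches;
            case OPS_WRITE:
                // Only writes are pinned to the token's IP; a request made through a
                // validated authorized service is exempt from the check.
                return ipMatches || !writeOp || authorizedService != null;
            case OPS_NONE:
            default:
                return true;
        }
    }

    /**
     * Selects the public key that must have signed the token.
     *
     * <p>User-domain tokens without a key service, or tokens whose key service is
     * {@code zms}/{@code zts}, are verified against the corresponding {@code sys.auth}
     * service key; otherwise the principal's own key ({@code domain}/{@code service}) is used.
     * An unrecognized key service value is ignored.
     *
     * @param domain     token domain (lower-cased)
     * @param service    token name (lower-cased)
     * @param keyService key service named in the token; may be {@code null} or empty
     * @param keyId      key identifier named in the token
     * @param userToken  whether {@code domain} is the configured user domain
     * @return the public key as returned by the key store (may be {@code null} if not found)
     */
    String getPublicKey(String domain, String service, String keyService, String keyId, boolean userToken) {
        String keyDomain = domain;
        String keyName = service;
        if (keyService == null || keyService.isEmpty()) {
            if (userToken) {
                keyDomain = SYS_AUTH_DOMAIN;
                keyName = ZMS_SERVICE;
            }
        } else if (ZMS_SERVICE.equals(keyService)) {
            keyDomain = SYS_AUTH_DOMAIN;
            keyName = ZMS_SERVICE;
        } else if (ZTS_SERVICE.equals(keyService)) {
            keyDomain = SYS_AUTH_DOMAIN;
            keyName = ZTS_SERVICE;
        }
        return this.keyStore.getPublicKey(keyDomain, keyName, keyId);
    }

    /**
     * @param httpMethod HTTP method; may be {@code null}
     * @return {@code true} for PUT, POST and DELETE (case-insensitive)
     */
    boolean isWriteOperation(String httpMethod) {
        if (httpMethod == null) {
            return false;
        }
        return httpMethod.equalsIgnoreCase("PUT")
                || httpMethod.equalsIgnoreCase("POST")
                || httpMethod.equalsIgnoreCase("DELETE");
    }

    /**
     * Resolves the effective authorized service name.
     *
     * @param authorizedServices    services listed in the token; may be {@code null}
     * @param authorizedServiceName explicit service name, or {@code null} to use the single list entry
     * @return the explicit name if it is in the list, the sole list entry if no explicit name
     *         was given, otherwise {@code null}
     */
    String getAuthorizedServiceName(List<String> authorizedServices, String authorizedServiceName) {
        if (authorizedServiceName == null) {
            if (authorizedServices == null || authorizedServices.size() != 1) {
                LOG.error("getAuthorizedServiceName() failed: No authorized service name specified");
                return null;
            }
            return authorizedServices.get(0);
        }
        if (authorizedServices == null || !authorizedServices.contains(authorizedServiceName)) {
            LOG.error("getAuthorizedServiceName() failed: Invalid authorized service name specified:" + authorizedServiceName);
            return null;
        }
        return authorizedServiceName;
    }

    /**
     * Verifies the authorized-service signature carried by the token.
     *
     * <p>The service name is taken from the token (or from its single-entry services list),
     * must have the form {@code domain.service} with non-empty parts, and the token's
     * authorized-service signature must verify against that service's public key.
     *
     * @param token  the token being authenticated
     * @param errMsg receives a description of the failure; may be {@code null}
     * @return the authorized service name on success, {@code null} on failure
     */
    String validateAuthorizeService(PrincipalToken token, StringBuilder errMsg) {
        StringBuilder err = errMsg == null ? new StringBuilder(512) : errMsg;

        String serviceName = token.getAuthorizedServiceName();
        if (serviceName == null) {
            List<String> services = token.getAuthorizedServices();
            if (services == null || services.size() != 1) {
                err.append("PrincipalAuthority:validateAuthorizeService: ")
                        .append("No service name and services list empty OR contains multiple entries: token=")
                        .append(token.getUnsignedToken());
                return null;
            }
            serviceName = services.get(0);
        }

        // Split at the last '.'; reject a missing dot, an empty domain or an empty service part.
        int dot = serviceName.lastIndexOf('.');
        if (dot <= 0 || dot == serviceName.length() - 1) {
            err.append("PrincipalAuthority:validateAuthorizeService: ").append("failed: token=")
                    .append(token.getUnsignedToken())
                    .append(" : Invalid authorized service name specified=").append(serviceName);
            LOG.error(err.toString());
            return null;
        }

        String publicKey = this.keyStore.getPublicKey(
                serviceName.substring(0, dot), serviceName.substring(dot + 1), token.getAuthorizedServiceKeyId());
        StringBuilder detail = new StringBuilder(512);
        if (token.validateForAuthorizedService(publicKey, detail)) {
            return serviceName;
        }
        err.append("PrincipalAuthority:validateAuthorizeService: token validation for authorized service failed: ")
                .append(detail);
        return null;
    }

    /**
     * Supplies the key store used to resolve public keys; must be called before {@link #authenticate}.
     *
     * @param keyStore key store to use
     */
    @Override
    public void setKeyStore(KeyStore keyStore) {
        this.keyStore = keyStore;
    }
}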
