package org.apache.knox.gateway.services.token.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.knox.gateway.GatewayResources;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.resources.ResourcesFactory;
import org.apache.knox.gateway.services.Service;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.KeystoreService;
import org.apache.knox.gateway.services.security.KeystoreServiceException;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenServiceException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;

/* loaded from: input_file:org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.class */
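/**
 * Token authority backed by the gateway's own RSA key pair.
 *
 * <p>Tokens are signed with the private key found in the signing keystore (loaded once in
 * {@link #start()}, or fetched per call when the caller supplies a keystore passphrase) and are
 * verified either with a locally held RSA public key or against a remote JWKS endpoint.
 *
 * <p>Only the RSA-based JWS algorithms listed in {@link #SUPPORTED_SIG_ALGS} are ever used for
 * signing; any other requested algorithm is rejected before key material is touched.
 */
public class DefaultTokenAuthorityService implements JWTokenAuthority, Service {
    private static final GatewayResources RESOURCES = (GatewayResources) ResourcesFactory.get(GatewayResources.class);

    /** Keystore alias used for the signing key pair when the gateway config does not name one. */
    private static final String DEFAULT_SIGNING_KEY_ALIAS = "gateway-identity";

    /** JWS algorithms this authority will sign with: RSA PKCS#1 v1.5 and RSA-PSS, SHA-256/384/512. */
    private static final Set<String> SUPPORTED_SIG_ALGS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("RS256", "RS384", "RS512", "PS256", "PS384", "PS512")));

    private AliasService aliasService;
    private KeystoreService keystoreService;
    private GatewayConfig config;
    // Resolved once in start(); kept so the private key can be re-read without another alias lookup.
    private char[] cachedSigningKeyPassphrase;
    // Private half of the gateway signing key pair, loaded and type-checked in start().
    private RSAPrivateKey signingKey;

    public void setKeystoreService(KeystoreService keystoreService) {
        this.keystoreService = keystoreService;
    }

    public void setAliasService(AliasService aliasService) {
        this.aliasService = aliasService;
    }

    /**
     * Issues a token for the first principal of {@code subject}.
     *
     * <p>A {@link Subject} holds its principals in a set, so "first" is whichever one the set
     * yields first; callers with several principals should use a {@link Principal} overload.
     *
     * @param subject   authenticated subject; must carry at least one principal
     * @param algorithm JWS algorithm name, e.g. {@code RS256}
     * @return the signed token
     * @throws TokenServiceException if the subject has no principal, the algorithm is unsupported
     *                               or the signing key cannot be obtained
     */
    public JWT issueToken(Subject subject, String algorithm) throws TokenServiceException {
        Object[] principals = subject.getPrincipals().toArray();
        if (principals.length == 0) {
            // Previously an ArrayIndexOutOfBoundsException; surface it as the declared exception type.
            throw new TokenServiceException("Cannot issue token - Subject has no principals");
        }
        return issueToken((Principal) principals[0], algorithm);
    }

    /** Issues a token with no audience and no expiry. */
    public JWT issueToken(Principal principal, String algorithm) throws TokenServiceException {
        return issueToken(principal, (String) null, algorithm);
    }

    /** Issues a token with no audience; {@code expires} of {@code -1} means no expiry claim. */
    public JWT issueToken(Principal principal, String algorithm, long expires) throws TokenServiceException {
        return issueToken(principal, (String) null, algorithm, expires);
    }

    /** Issues a non-expiring token for a single audience ({@code null} for none). */
    public JWT issueToken(Principal principal, String audience, String algorithm) throws TokenServiceException {
        return issueToken(principal, audience, algorithm, -1L);
    }

    /**
     * Issues a token for a single audience.
     *
     * @param principal the token subject
     * @param audience  audience claim value, or {@code null} for none
     * @param algorithm JWS algorithm name
     * @param expires   expiry value, or {@code -1} for none
     */
    public JWT issueToken(Principal principal, String audience, String algorithm, long expires) throws TokenServiceException {
        List<String> audiences = null;
        if (audience != null) {
            audiences = new ArrayList<>();
            audiences.add(audience);
        }
        return issueToken(principal, audiences, algorithm, expires);
    }

    /** Issues a token signed with the gateway's cached signing key. */
    public JWT issueToken(Principal principal, List<String> audiences, String algorithm, long expires) throws TokenServiceException {
        return issueToken(principal, audiences, algorithm, expires, null, null, null);
    }

    /**
     * Resolves the private key to sign with.
     *
     * <p>When no passphrase is supplied the keystore name and alias are ignored and the key cached
     * by {@link #start()} is returned; only a caller-supplied passphrase triggers a keystore lookup.
     *
     * @param signingKeystoreName       keystore to read, passed through to the keystore service
     * @param signingKeystoreAlias      key alias, or {@code null} for the configured default
     * @param signingKeystorePassphrase passphrase protecting the key, or {@code null} to use the cached key
     */
    private RSAPrivateKey getSigningKey(String signingKeystoreName, String signingKeystoreAlias, char[] signingKeystorePassphrase)
            throws KeystoreServiceException, TokenServiceException {
        if (signingKeystorePassphrase == null) {
            return signingKey;
        }
        return (RSAPrivateKey) keystoreService.getSigningKey(signingKeystoreName,
                getSigningKeyAlias(signingKeystoreAlias), getSigningKeyPassphrase(signingKeystorePassphrase));
    }

    /**
     * Issues and signs a token.
     *
     * @param principal                 the token subject; its name becomes the subject claim
     * @param audiences                 audience claim values, or {@code null}
     * @param algorithm                 JWS algorithm name; must be in {@link #SUPPORTED_SIG_ALGS}
     * @param expires                   expiry value, or {@code -1} for none
     * @param signingKeystoreName       alternate keystore name, or {@code null}
     * @param signingKeystoreAlias      alternate key alias, or {@code null}
     * @param signingKeystorePassphrase passphrase for the alternate key; {@code null} selects the cached gateway key
     * @return the signed token
     * @throws TokenServiceException if the algorithm is unsupported or the key cannot be obtained
     */
    public JWT issueToken(Principal principal, List<String> audiences, String algorithm, long expires,
            String signingKeystoreName, String signingKeystoreAlias, char[] signingKeystorePassphrase)
            throws TokenServiceException {
        // Reject anything outside the RSA allow-list before any key material is read.
        if (!SUPPORTED_SIG_ALGS.contains(algorithm)) {
            throw new TokenServiceException("Cannot issue token - Unsupported algorithm");
        }
        // Positional claim layout expected by JWTToken: issuer, subject, (unused, null), expiry-as-text or null.
        String[] claims = new String[] {
            "KNOXSSO",
            principal.getName(),
            null,
            expires == -1 ? null : String.valueOf(expires)
        };
        JWTToken token = new JWTToken(algorithm, claims, audiences);
        try {
            // The boolean is nimbus's allowWeakKey flag: RSA keys shorter than 2048 bits are accepted.
            // Kept for compatibility with existing keystores; a sufficiently strong gateway key is still expected.
            token.sign(new RSASSASigner(getSigningKey(signingKeystoreName, signingKeystoreAlias, signingKeystorePassphrase), true));
        } catch (KeystoreServiceException e) {
            throw new TokenServiceException(e);
        }
        return token;
    }

    /** Returns the supplied passphrase, falling back to the one cached in {@link #start()}. */
    private char[] getSigningKeyPassphrase(char[] signingKeystorePassphrase) {
        return signingKeystorePassphrase != null ? signingKeystorePassphrase : cachedSigningKeyPassphrase;
    }

    /** Configured signing key alias, or {@link #DEFAULT_SIGNING_KEY_ALIAS} when none is configured. */
    private String getSigningKeyAlias() {
        String configured = config.getSigningKeyAlias();
        return configured == null ? DEFAULT_SIGNING_KEY_ALIAS : configured;
    }

    /** Returns {@code signingKeystoreAlias} when given, otherwise the configured/default alias. */
    private String getSigningKeyAlias(String signingKeystoreAlias) {
        return signingKeystoreAlias != null ? signingKeystoreAlias : getSigningKeyAlias();
    }

    /** Verifies {@code token} against the gateway's own signing certificate. */
    public boolean verifyToken(JWT token) throws TokenServiceException {
        return verifyToken(token, null);
    }

    /**
     * Verifies the token signature with an RSA public key.
     *
     * @param token     the token to verify
     * @param publicKey key to verify with; {@code null} selects the public key of the gateway's
     *                  signing certificate
     * @return whether the signature verifies
     * @throws TokenServiceException if the gateway certificate cannot be read or does not hold an RSA key
     */
    public boolean verifyToken(JWT token, RSAPublicKey publicKey) throws TokenServiceException {
        RSAPublicKey verificationKey = publicKey;
        if (verificationKey == null) {
            verificationKey = loadGatewayPublicKey();
        }
        return token.verify(new RSASSAVerifier(verificationKey));
    }

    /** Reads the RSA public key of the gateway signing certificate, failing with the declared exception type on any problem. */
    private RSAPublicKey loadGatewayPublicKey() throws TokenServiceException {
        Certificate certificate;
        try {
            KeyStore signingKeystore = keystoreService.getSigningKeystore();
            certificate = signingKeystore == null ? null : signingKeystore.getCertificate(getSigningKeyAlias());
        } catch (KeyStoreException | KeystoreServiceException e) {
            throw new TokenServiceException("Cannot verify token.", e);
        }
        PublicKey key = certificate == null ? null : certificate.getPublicKey();
        // Previously an unchecked cast; a missing or non-RSA key now fails as a TokenServiceException.
        if (!(key instanceof RSAPublicKey)) {
            throw new TokenServiceException("Cannot verify token.");
        }
        return (RSAPublicKey) key;
    }

    /**
     * Verifies the token against a remote JWKS endpoint.
     *
     * <p>The expected algorithm is taken from {@code algorithm} (configuration), never from the
     * token header, and the verification key is fetched from {@code jwksurl}. Signature, algorithm
     * and standard time-based claims are checked by the nimbus processor.
     *
     * @param token     the token to verify
     * @param jwksurl   URL of the JWKS document
     * @param algorithm expected JWS algorithm name
     * @return {@code true} if the token was verified; {@code false} if either parameter is {@code null}
     * @throws TokenServiceException if the URL is malformed, the token is unparsable, or verification fails
     */
    public boolean verifyToken(JWT token, String jwksurl, String algorithm) throws TokenServiceException {
        if (jwksurl == null || algorithm == null) {
            return false;
        }
        try {
            RemoteJWKSet<SecurityContext> keySource = new RemoteJWKSet<>(new URL(jwksurl));
            JWSVerificationKeySelector<SecurityContext> keySelector =
                    new JWSVerificationKeySelector<>(JWSAlgorithm.parse(algorithm), keySource);
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>());
            // Throws rather than returning on any verification failure; the claims set itself is not needed here.
            processor.process(token.toString(), null);
            return true;
        } catch (BadJOSEException | JOSEException | MalformedURLException | ParseException e) {
            throw new TokenServiceException("Cannot verify token.", e);
        }
    }

    /**
     * Records the gateway configuration; both collaborating services must already be injected.
     *
     * @throws ServiceLifecycleException if the alias or keystore service has not been set
     */
    public void init(GatewayConfig gatewayConfig, Map<String, String> options) throws ServiceLifecycleException {
        if (aliasService == null || keystoreService == null) {
            throw new ServiceLifecycleException("Alias or Keystore service is not set");
        }
        this.config = gatewayConfig;
    }

    /**
     * Loads and validates the gateway signing key pair so that signing failures surface at startup
     * rather than on the first token request.
     *
     * @throws ServiceLifecycleException if the keystore, passphrase, certificate or private key is
     *                                   missing, unreadable, or not RSA
     */
    public void start() throws ServiceLifecycleException {
        KeyStore signingKeystore;
        try {
            signingKeystore = keystoreService.getSigningKeystore();
        } catch (KeystoreServiceException e) {
            throw new ServiceLifecycleException(RESOURCES.signingKeystoreNotAvailable(config.getSigningKeystorePath()), e);
        }
        if (signingKeystore == null) {
            throw new ServiceLifecycleException(RESOURCES.signingKeystoreNotAvailable(config.getSigningKeystorePath()));
        }

        try {
            cachedSigningKeyPassphrase = aliasService.getSigningKeyPassphrase();
        } catch (AliasServiceException e) {
            throw new ServiceLifecycleException(RESOURCES.signingKeyPassphraseNotAvailable(config.getSigningKeyPassphraseAlias()), e);
        }
        if (cachedSigningKeyPassphrase == null) {
            throw new ServiceLifecycleException(RESOURCES.signingKeyPassphraseNotAvailable(config.getSigningKeyPassphraseAlias()));
        }

        String alias = getSigningKeyAlias();
        validatePublicSigningKey(signingKeystore, alias);
        signingKey = loadPrivateSigningKey(signingKeystore, alias);
    }

    /** Checks that {@code alias} holds a certificate with an RSA public key; the key is validated, not retained. */
    private static void validatePublicSigningKey(KeyStore signingKeystore, String alias) throws ServiceLifecycleException {
        Certificate certificate;
        try {
            certificate = signingKeystore.getCertificate(alias);
        } catch (KeyStoreException e) {
            throw new ServiceLifecycleException(RESOURCES.publicSigningKeyNotFound(alias), e);
        }
        PublicKey publicKey = certificate == null ? null : certificate.getPublicKey();
        if (publicKey == null) {
            throw new ServiceLifecycleException(RESOURCES.publicSigningKeyNotFound(alias));
        }
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new ServiceLifecycleException(RESOURCES.publicSigningKeyWrongType(alias));
        }
    }

    /** Reads the RSA private key under {@code alias} using the cached passphrase. */
    private RSAPrivateKey loadPrivateSigningKey(KeyStore signingKeystore, String alias) throws ServiceLifecycleException {
        Key key;
        try {
            key = signingKeystore.getKey(alias, cachedSigningKeyPassphrase);
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            // A wrong passphrase surfaces here as UnrecoverableKeyException.
            throw new ServiceLifecycleException(RESOURCES.privateSigningKeyNotFound(alias), e);
        }
        if (key == null) {
            throw new ServiceLifecycleException(RESOURCES.privateSigningKeyNotFound(alias));
        }
        if (!(key instanceof RSAPrivateKey)) {
            throw new ServiceLifecycleException(RESOURCES.privateSigningKeyWrongType(alias));
        }
        return (RSAPrivateKey) key;
    }

    /** Nothing to release; the cached key and passphrase live as long as this instance. */
    public void stop() throws ServiceLifecycleException {
    }
}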
