package org.apache.knox.gateway.websockets;

import com.nimbusds.jose.JWSHeader;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.JWTMessages;
import org.apache.knox.gateway.provider.federation.jwt.filter.SignatureVerificationCache;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenMetadata;
import org.apache.knox.gateway.services.security.token.TokenServiceException;
import org.apache.knox.gateway.services.security.token.TokenStateService;
import org.apache.knox.gateway.services.security.token.TokenUtils;
import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.util.Tokens;

/* loaded from: input_file:org/apache/knox/gateway/websockets/JWTValidator.class */
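/**
 * Validates a Knox JWT for the websocket path: issuer, expiration (server-managed state
 * or the token's own {@code exp}), not-before, enabled state and signature.
 *
 * <p>Checks run fail-closed: every path that is not an explicit success returns
 * {@code false}. Signature verification results are memoised in the supplied
 * {@link SignatureVerificationCache}, keyed by the serialized token, and evicted again
 * once the token is found to be expired.
 *
 * <p>Not thread-safe: the setters mutate validator state without synchronization.
 */
public class JWTValidator {
    private static final String JWT_DEFAULT_ISSUER = "KNOXSSO";
    private static final String JWT_DEFAULT_SIGALG = "RS256";
    private static final JWTMessages jwtMessagesLog = (JWTMessages) MessagesFactory.get(JWTMessages.class);

    private final JWTokenAuthority authorityService;
    private final SignatureVerificationCache signatureVerificationCache;
    private final JWT token;
    // Issuer the token's "iss" claim must equal exactly; a null value rejects every token (fail closed).
    private String expectedIssuer = JWT_DEFAULT_ISSUER;
    // JWS algorithm name the token header must declare; null skips the header check entirely.
    private String expectedSigAlg = JWT_DEFAULT_SIGALG;
    // Optional explicit verification key; when null the authority's own key material is used.
    private RSAPublicKey publicKey;
    // Optional server-side token state (expiration / enabled); when null only the token's claims apply.
    private TokenStateService tokenStateService;
    // Redacted forms of the token id and token, safe for log output.
    private final String displayableTokenId;
    private final String displayableToken;

    /**
     * Creates a validator for one token.
     *
     * @param jwt the parsed token to validate
     * @param jWTokenAuthority the authority that verifies the token signature
     * @param signatureVerificationCache cache of already-verified token signatures
     */
    public JWTValidator(JWT jwt, JWTokenAuthority jWTokenAuthority, SignatureVerificationCache signatureVerificationCache) {
        this.authorityService = jWTokenAuthority;
        this.signatureVerificationCache = signatureVerificationCache;
        this.token = jwt;
        // Display forms are computed once so no log statement ever touches the raw token.
        this.displayableTokenId = Tokens.getTokenIDDisplayText(TokenUtils.getTokenId(jwt));
        this.displayableToken = Tokens.getTokenDisplayText(jwt.toString());
    }

    /** @param rSAPublicKey explicit key to verify the signature with; null to defer to the authority */
    public void setPublicKey(RSAPublicKey rSAPublicKey) {
        this.publicKey = rSAPublicKey;
    }

    /** @param str JWS algorithm name the header must declare (default {@value #JWT_DEFAULT_SIGALG}); null disables the check */
    public void setExpectedSigAlg(String str) {
        this.expectedSigAlg = str;
    }

    /** @param str issuer the token must carry (default {@value #JWT_DEFAULT_ISSUER}); null makes validation fail */
    public void setExpectedIssuer(String str) {
        this.expectedIssuer = str;
    }

    /** @param tokenStateService server-side token state to consult; null to rely on the token's claims only */
    public void setTokenStateService(TokenStateService tokenStateService) {
        this.tokenStateService = tokenStateService;
    }

    /** @return the token under validation */
    public JWT getToken() {
        return this.token;
    }

    /** @return the token's subject claim, used as the principal name */
    public String getUsername() {
        return this.token.getSubject();
    }

    /**
     * Runs every check in order: issuer, expiration, not-before, enabled state, signature.
     *
     * @return {@code true} only if all checks pass; any failure or lookup error yields {@code false}
     */
    public boolean validate() {
        // The issuer message is logged only for an actual issuer mismatch; every other
        // check logs its own, more specific, reason.
        if (this.expectedIssuer == null || !this.expectedIssuer.equals(this.token.getIssuer())) {
            jwtMessagesLog.unexpectedTokenIssuer(this.displayableToken, this.displayableTokenId);
            return false;
        }
        try {
            if (!tokenIsStillValid()) {
                return false;
            }
            if (!notBeforeSatisfied()) {
                jwtMessagesLog.notBeforeCheckFailed();
                return false;
            }
            if (!isTokenEnabled()) {
                return false;
            }
            return verifyTokenSignature();
        } catch (UnknownTokenException e) {
            // The state service does not know this token: surface the cause instead of dropping it silently.
            jwtMessagesLog.unableToVerifyToken(e);
            return false;
        }
    }

    /**
     * Checks the token's lifetime. Server-managed expiration, when available, takes
     * precedence over the token's own {@code exp} claim; a token with neither never expires here.
     *
     * @return {@code true} if the token has not expired
     * @throws UnknownTokenException if the state service does not recognise the token
     */
    public boolean tokenIsStillValid() throws UnknownTokenException {
        Date expiration = getServerManagedStateExpiration();
        if (expiration == null) {
            expiration = this.token.getExpiresDate();
        }
        if (expiration == null || new Date().before(expiration)) {
            return true;
        }
        jwtMessagesLog.tokenHasExpired(this.displayableToken, this.displayableTokenId);
        // An expired token must not keep benefiting from a cached signature verification.
        this.signatureVerificationCache.removeSignatureVerificationRecord(this.token.toString());
        return false;
    }

    /** @return {@code true} if there is no {@code nbf} claim or the current time is strictly after it */
    private boolean notBeforeSatisfied() {
        Date notBefore = this.token.getNotBeforeDate();
        return notBefore == null || new Date().after(notBefore);
    }

    /**
     * @return the server-managed expiration, or null when no state service is set or it reports a
     *         non-positive value
     * @throws UnknownTokenException if the state service does not recognise the token
     */
    private Date getServerManagedStateExpiration() throws UnknownTokenException {
        if (this.tokenStateService == null) {
            return null;
        }
        long expirationMillis = this.tokenStateService.getTokenExpiration(TokenUtils.getTokenId(this.token));
        return expirationMillis > 0 ? new Date(expirationMillis) : null;
    }

    /**
     * @return {@code true} unless the state service holds metadata marking the token disabled
     * @throws UnknownTokenException if the state service does not recognise the token
     */
    private boolean isTokenEnabled() throws UnknownTokenException {
        TokenMetadata metadata = this.tokenStateService == null
                ? null
                : this.tokenStateService.getTokenMetadata(TokenUtils.getTokenId(this.token));
        if (metadata == null || metadata.isEnabled()) {
            return true;
        }
        jwtMessagesLog.disabledToken(this.displayableTokenId);
        return false;
    }

    /**
     * Verifies the token signature, consulting the cache first. On a cache miss the declared
     * header algorithm is checked before the verifier is invoked, so a token with an unexpected
     * {@code alg} is never handed to the authority and never cached.
     *
     * @return {@code true} if the signature is (or was previously) verified under the expected algorithm
     */
    private boolean verifyTokenSignature() {
        String serialized = this.token.toString();
        if (this.signatureVerificationCache.hasSignatureBeenVerified(serialized)) {
            return true;
        }
        boolean verified = headerAlgorithmIsExpected() && verifyWithAuthority();
        if (verified) {
            this.signatureVerificationCache.recordSignatureVerification(serialized);
        } else {
            jwtMessagesLog.failedToVerifyTokenSignature(this.displayableToken, this.displayableTokenId);
        }
        return verified;
    }

    /** @return {@code true} if no expected algorithm is configured or the JWS header declares exactly that one */
    private boolean headerAlgorithmIsExpected() {
        if (this.expectedSigAlg == null) {
            return true;
        }
        try {
            return this.expectedSigAlg.equals(JWSHeader.parse(this.token.getHeader()).getAlgorithm().getName());
        } catch (ParseException e) {
            jwtMessagesLog.unableToVerifyToken(e);
            return false;
        }
    }

    /** @return the authority's verdict on the signature, using the explicit key when one is set; false on service error */
    private boolean verifyWithAuthority() {
        try {
            return this.publicKey != null
                    ? this.authorityService.verifyToken(this.token, this.publicKey)
                    : this.authorityService.verifyToken(this.token);
        } catch (TokenServiceException e) {
            jwtMessagesLog.unableToVerifyToken(e);
            return false;
        }
    }
}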
