package org.apache.knox.gateway.service.knoxtoken;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.PostConstruct;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.services.GatewayServices;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenServiceException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.util.JsonUtils;

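/**
 * JAX-RS resource that issues a signed JWT for the caller already authenticated by the
 * gateway (the identity is taken from {@link HttpServletRequest#getUserPrincipal()}).
 *
 * <p>Behaviour is driven entirely by servlet init parameters read in {@link #init()}:
 * token TTL, audiences, signature algorithm, an optional redirect target URL, optional
 * extra key=value client data echoed in the response, and an optional client-certificate
 * allow-list. When {@code knox.token.client.cert.required} is {@code true}, a request
 * without a TLS client certificate, or whose certificate subject DN is not in
 * {@code knox.token.allowed.principals}, is refused with HTTP 403 before any token is minted.
 *
 * <p>Not thread-safe for configuration: all mutable fields are populated once in
 * {@link #init()} and only read afterwards.
 */
@Path(TokenResource.RESOURCE_PATH)
public class TokenResource {
    // Keys of the JSON document returned to the caller.
    private static final String EXPIRES_IN = "expires_in";
    private static final String TOKEN_TYPE = "token_type";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String TARGET_URL = "target_url";
    private static final String BEARER = "Bearer";

    // Servlet init parameters that configure this resource.
    private static final String TOKEN_TTL_PARAM = "knox.token.ttl";
    private static final String TOKEN_AUDIENCES_PARAM = "knox.token.audiences";
    private static final String TOKEN_TARGET_URL = "knox.token.target.url";
    private static final String TOKEN_CLIENT_DATA = "knox.token.client.data";
    private static final String TOKEN_CLIENT_CERT_REQUIRED = "knox.token.client.cert.required";
    private static final String TOKEN_ALLOWED_PRINCIPALS = "knox.token.allowed.principals";
    private static final String TOKEN_SIG_ALG = "knox.token.sigalg";

    // Servlet-spec request attribute carrying the client's TLS certificate chain.
    private static final String X509_CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    // Servlet context attribute under which the gateway publishes its GatewayServices registry.
    private static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.knox.gateway.gateway.services";
    // Name under which the JWT authority is registered in GatewayServices.
    private static final String TOKEN_SERVICE_NAME = "TokenService";

    /** Default token lifetime in milliseconds (30 seconds). */
    private static final long TOKEN_TTL_DEFAULT = 30000;
    /** Sentinel TTL meaning "no expiry"; propagated as-is into the token and the response. */
    private static final long TOKEN_TTL_NO_EXPIRY = -1;

    static final String RESOURCE_PATH = "knoxtoken/api/v1/token";

    private static final TokenServiceMessages log =
            (TokenServiceMessages) MessagesFactory.get(TokenServiceMessages.class);

    private long tokenTTL = TOKEN_TTL_DEFAULT;
    private final List<String> targetAudiences = new ArrayList<>();
    private String tokenTargetUrl = null;
    private Map<String, Object> tokenClientDataMap = null;
    // Subject DN strings accepted when a client certificate is required; compared verbatim.
    private final List<String> allowedDNs = new ArrayList<>();
    private boolean clientCertRequired = false;
    private String signatureAlgorithm = "RS256";

    @Context
    HttpServletRequest request;

    @Context
    HttpServletResponse response;

    @Context
    ServletContext context;

    /**
     * Reads the resource configuration from servlet init parameters.
     *
     * <p>Absent parameters leave the corresponding defaults in place. A malformed or
     * out-of-range TTL is logged and the default TTL is kept.
     */
    @PostConstruct
    public void init() {
        loadAudiences(this.context.getInitParameter(TOKEN_AUDIENCES_PARAM));
        this.clientCertRequired = "true".equals(this.context.getInitParameter(TOKEN_CLIENT_CERT_REQUIRED));
        loadAllowedPrincipals(this.context.getInitParameter(TOKEN_ALLOWED_PRINCIPALS));
        loadTokenTTL(this.context.getInitParameter(TOKEN_TTL_PARAM));
        this.tokenTargetUrl = this.context.getInitParameter(TOKEN_TARGET_URL);

        String clientData = this.context.getInitParameter(TOKEN_CLIENT_DATA);
        if (clientData != null) {
            this.tokenClientDataMap = new HashMap<>();
            addClientDataToMap(clientData.split(","), this.tokenClientDataMap);
        }

        String sigAlg = this.context.getInitParameter(TOKEN_SIG_ALG);
        if (sigAlg != null) {
            this.signatureAlgorithm = sigAlg;
        }
    }

    /** Parses the comma-separated audience list; entries are trimmed. No-op when {@code null}. */
    private void loadAudiences(String configured) {
        if (configured == null) {
            return;
        }
        for (String audience : configured.split(",")) {
            this.targetAudiences.add(audience.trim());
        }
    }

    /**
     * Parses the semicolon-separated list of allowed certificate subject DNs.
     * Entries are deliberately not trimmed: they must match the DN string form exactly.
     */
    private void loadAllowedPrincipals(String configured) {
        if (configured == null) {
            return;
        }
        for (String dn : configured.split(";")) {
            this.allowedDNs.add(dn);
        }
    }

    /**
     * Parses the TTL (milliseconds). Accepts {@code -1} for "never expires" and any value
     * whose absolute expiry still fits in a {@code long}; anything else is logged and the
     * default TTL is retained.
     */
    private void loadTokenTTL(String configured) {
        if (configured == null) {
            return;
        }
        try {
            long ttl = Long.parseLong(configured);
            // Reject values below the no-expiry sentinel and TTLs large enough that
            // now + ttl overflows into a negative (i.e. already-expired) timestamp.
            if (ttl < TOKEN_TTL_NO_EXPIRY || ttl + System.currentTimeMillis() < 0) {
                log.invalidTokenTTLEncountered(configured);
                ttl = TOKEN_TTL_DEFAULT;
            }
            this.tokenTTL = ttl;
        } catch (NumberFormatException e) {
            log.invalidTokenTTLEncountered(configured);
        }
    }

    /** Issues a token for the authenticated caller; same behaviour as {@link #doPost()}. */
    @GET
    @Produces({"application/json", "application/xml"})
    public Response doGet() {
        return getAuthenticationToken();
    }

    /** Issues a token for the authenticated caller; same behaviour as {@link #doGet()}. */
    @POST
    @Produces({"application/json", "application/xml"})
    public Response doPost() {
        return getAuthenticationToken();
    }

    /**
     * Returns the client's own (leaf) certificate from the TLS handshake, or {@code null}
     * when the request carried no client certificate.
     *
     * @param httpServletRequest the current request
     * @return the first certificate of the chain exposed by the servlet container, or {@code null}
     */
    private X509Certificate extractCertificate(HttpServletRequest httpServletRequest) {
        X509Certificate[] chain = (X509Certificate[]) httpServletRequest.getAttribute(X509_CERT_ATTRIBUTE);
        if (chain == null || chain.length == 0) {
            return null;
        }
        return chain[0];
    }

    /**
     * Enforces the optional client-certificate allow-list, then mints a JWT for the request's
     * user principal and writes the JSON response.
     *
     * <p>The JSON body is written straight to the servlet response writer; the returned
     * JAX-RS {@link Response} carries only the status.
     *
     * @return 403 when a required client certificate is missing or not allow-listed;
     *         500 when the token authority returns no token or token issuance / writing fails;
     *         200 otherwise
     */
    private Response getAuthenticationToken() {
        if (this.clientCertRequired) {
            X509Certificate clientCert = extractCertificate(this.request);
            if (clientCert == null) {
                return Response.status(403).entity("{ \"Unable to get token - client cert required.\" }").build();
            }
            // Exact string match against the configured DNs; no normalisation is applied.
            if (!this.allowedDNs.contains(clientCert.getSubjectDN().getName())) {
                return Response.status(403).entity("{ \"Unable to get token - untrusted client cert.\" }").build();
            }
        }

        GatewayServices services =
                (GatewayServices) this.request.getServletContext().getAttribute(GATEWAY_SERVICES_ATTRIBUTE);
        JWTokenAuthority tokenAuthority = (JWTokenAuthority) services.getService(TOKEN_SERVICE_NAME);
        Principal userPrincipal = this.request.getUserPrincipal();
        long expiry = getExpiry();

        try {
            JWT token = this.targetAudiences.isEmpty()
                    ? tokenAuthority.issueToken(userPrincipal, this.signatureAlgorithm, expiry)
                    : tokenAuthority.issueToken(userPrincipal, this.targetAudiences, this.signatureAlgorithm, expiry);
            if (token == null) {
                return Response.serverError().build();
            }

            Map<String, Object> body = new HashMap<>();
            body.put(ACCESS_TOKEN, token.toString());
            body.put(TOKEN_TYPE, BEARER);
            // Despite the key name, this is the absolute expiry in epoch milliseconds (or -1), not a duration.
            body.put(EXPIRES_IN, Long.valueOf(expiry));
            if (this.tokenTargetUrl != null) {
                body.put(TARGET_URL, this.tokenTargetUrl);
            }
            if (this.tokenClientDataMap != null) {
                body.putAll(this.tokenClientDataMap);
            }

            this.response.getWriter().write(JsonUtils.renderAsJsonString(body));
            return Response.ok().build();
        } catch (TokenServiceException | IOException e) {
            log.unableToIssueToken(e);
            // A failed issuance must not look like success to the client: report it as a 500,
            // not a 200 with an error body.
            return Response.serverError().entity("{ \"Unable to acquire token.\" }").build();
        }
    }

    /**
     * Adds each {@code key=value} entry to {@code map}. Entries that do not split into
     * exactly two parts on {@code '='} are silently skipped.
     *
     * @param entries raw {@code key=value} strings
     * @param map     destination map, mutated in place
     */
    void addClientDataToMap(String[] entries, Map<String, Object> map) {
        for (String entry : entries) {
            String[] kv = entry.split("=");
            if (kv.length == 2) {
                map.put(kv[0], kv[1]);
            }
        }
    }

    /**
     * @return the absolute expiry in epoch milliseconds, or {@code -1} when the TTL is
     *         configured as "never expires"
     */
    private long getExpiry() {
        return this.tokenTTL == TOKEN_TTL_NO_EXPIRY ? TOKEN_TTL_NO_EXPIRY : System.currentTimeMillis() + this.tokenTTL;
    }
}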
