package org.apache.knox.gateway.service.knoxtoken;

import java.security.KeyStoreException;
import java.security.Principal;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.annotation.PostConstruct;
import javax.inject.Singleton;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.binary.Base64;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.security.SubjectUtils;
import org.apache.knox.gateway.services.GatewayServices;
import org.apache.knox.gateway.services.ServiceType;
import org.apache.knox.gateway.services.security.KeystoreService;
import org.apache.knox.gateway.services.security.KeystoreServiceException;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenServiceException;
import org.apache.knox.gateway.services.security.token.TokenStateService;
import org.apache.knox.gateway.services.security.token.TokenUtils;
import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.util.JsonUtils;
import org.apache.knox.gateway.util.Tokens;

@Singleton
@Path(TokenResource.RESOURCE_PATH)
/* loaded from: input_file:org/apache/knox/gateway/service/knoxtoken/TokenResource.class */
public class TokenResource {
    private static final String EXPIRES_IN = "expires_in";
    private static final String TOKEN_TYPE = "token_type";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String TARGET_URL = "target_url";
    private static final String ENDPOINT_PUBLIC_CERT = "endpoint_public_cert";
    private static final String BEARER = "Bearer";
    private static final String TOKEN_TTL_PARAM = "knox.token.ttl";
    private static final String TOKEN_AUDIENCES_PARAM = "knox.token.audiences";
    private static final String TOKEN_TARGET_URL = "knox.token.target.url";
    private static final String TOKEN_CLIENT_DATA = "knox.token.client.data";
    private static final String TOKEN_CLIENT_CERT_REQUIRED = "knox.token.client.cert.required";
    private static final String TOKEN_ALLOWED_PRINCIPALS = "knox.token.allowed.principals";
    private static final String TOKEN_SIG_ALG = "knox.token.sigalg";
    private static final String TOKEN_EXP_RENEWAL_INTERVAL = "knox.token.exp.renew-interval";
    private static final String TOKEN_EXP_RENEWAL_MAX_LIFETIME = "knox.token.exp.max-lifetime";
    private static final String TOKEN_RENEWER_WHITELIST = "knox.token.renewer.whitelist";
    private static final long TOKEN_TTL_DEFAULT = 30000;
    static final String RESOURCE_PATH = "knoxtoken/api/v1/token";
    static final String RENEW_PATH = "/renew";
    static final String REVOKE_PATH = "/revoke";
    private static final String TARGET_ENDPOINT_PULIC_CERT_PEM = "knox.token.target.endpoint.cert.pem";
    private static TokenServiceMessages log = (TokenServiceMessages) MessagesFactory.get(TokenServiceMessages.class);
    private String tokenTargetUrl;
    private Map<String, Object> tokenClientDataMap;
    private boolean clientCertRequired;
    private String endpointPublicCert;
    private TokenStateService tokenStateService;
    private List<String> allowedRenewers;

    @Context
    HttpServletRequest request;

    @Context
    ServletContext context;
    private long tokenTTL = TOKEN_TTL_DEFAULT;
    private List<String> targetAudiences = new ArrayList();
    private List<String> allowedDNs = new ArrayList();
    private String signatureAlgorithm = "RS256";
    private Optional<Long> renewInterval = Optional.empty();
    private Optional<Long> maxTokenLifetime = Optional.empty();

    @PostConstruct
    public void init() {
        String initParameter = this.context.getInitParameter(TOKEN_AUDIENCES_PARAM);
        if (initParameter != null) {
            for (String str : initParameter.split(",")) {
                this.targetAudiences.add(str.trim());
            }
        }
        this.clientCertRequired = "true".equals(this.context.getInitParameter(TOKEN_CLIENT_CERT_REQUIRED));
        String initParameter2 = this.context.getInitParameter(TOKEN_ALLOWED_PRINCIPALS);
        if (initParameter2 != null) {
            for (String str2 : initParameter2.split(";")) {
                this.allowedDNs.add(str2.replaceAll("\\s+", ""));
            }
        }
        String initParameter3 = this.context.getInitParameter(TOKEN_TTL_PARAM);
        if (initParameter3 != null) {
            try {
                this.tokenTTL = Long.parseLong(initParameter3);
                if (this.tokenTTL < -1 || this.tokenTTL + System.currentTimeMillis() < 0) {
                    log.invalidTokenTTLEncountered(initParameter3);
                    this.tokenTTL = TOKEN_TTL_DEFAULT;
                }
            } catch (NumberFormatException e) {
                log.invalidTokenTTLEncountered(initParameter3);
            }
        }
        this.tokenTargetUrl = this.context.getInitParameter(TOKEN_TARGET_URL);
        String initParameter4 = this.context.getInitParameter(TOKEN_CLIENT_DATA);
        if (initParameter4 != null) {
            this.tokenClientDataMap = new HashMap();
            addClientDataToMap(initParameter4.split(","), this.tokenClientDataMap);
        }
        String initParameter5 = this.context.getInitParameter(TOKEN_SIG_ALG);
        if (initParameter5 != null) {
            this.signatureAlgorithm = initParameter5;
        }
        String initParameter6 = this.context.getInitParameter(TARGET_ENDPOINT_PULIC_CERT_PEM);
        if (initParameter6 != null) {
            this.endpointPublicCert = initParameter6;
        }
        if (isServerManagedTokenStateEnabled()) {
            String topologyName = getTopologyName();
            log.serverManagedTokenStateEnabled(topologyName);
            this.tokenStateService = (TokenStateService) ((GatewayServices) this.context.getAttribute("org.apache.knox.gateway.gateway.services")).getService(ServiceType.TOKEN_STATE_SERVICE);
            String initParameter7 = this.context.getInitParameter(TOKEN_EXP_RENEWAL_INTERVAL);
            if (initParameter7 != null && !initParameter7.isEmpty()) {
                try {
                    this.renewInterval = Optional.of(Long.valueOf(Long.parseLong(initParameter7)));
                } catch (NumberFormatException e2) {
                    log.invalidConfigValue(topologyName, TOKEN_EXP_RENEWAL_INTERVAL, initParameter7, e2);
                }
            }
            String initParameter8 = this.context.getInitParameter(TOKEN_EXP_RENEWAL_MAX_LIFETIME);
            if (initParameter8 != null && !initParameter8.isEmpty()) {
                try {
                    this.maxTokenLifetime = Optional.of(Long.valueOf(Long.parseLong(initParameter8)));
                } catch (NumberFormatException e3) {
                    log.invalidConfigValue(topologyName, TOKEN_EXP_RENEWAL_MAX_LIFETIME, initParameter8, e3);
                }
            }
            this.allowedRenewers = new ArrayList();
            String initParameter9 = this.context.getInitParameter(TOKEN_RENEWER_WHITELIST);
            if (initParameter9 == null || initParameter9.isEmpty()) {
                log.noRenewersConfigured(topologyName);
                return;
            }
            for (String str3 : initParameter9.split(",")) {
                this.allowedRenewers.add(str3.trim());
            }
        }
    }

    private boolean isServerManagedTokenStateEnabled() {
        boolean z;
        String initParameter = this.context.getInitParameter("knox.token.exp.server-managed");
        if (initParameter == null || initParameter.isEmpty()) {
            GatewayConfig gatewayConfig = (GatewayConfig) this.context.getAttribute("org.apache.knox.gateway.config");
            z = gatewayConfig != null && gatewayConfig.isServerManagedTokenStateEnabled();
        } else {
            z = Boolean.valueOf(initParameter).booleanValue();
        }
        return z;
    }

    @GET
    @Produces({"application/json", "application/xml"})
    public Response doGet() {
        return getAuthenticationToken();
    }

    @POST
    @Produces({"application/json", "application/xml"})
    public Response doPost() {
        return getAuthenticationToken();
    }

    @POST
    @Produces({"application/json"})
    @Path(RENEW_PATH)
    public Response renew(String str) {
        Response build;
        long j = 0;
        String str2 = "";
        Response.Status status = Response.Status.BAD_REQUEST;
        if (this.tokenStateService == null) {
            try {
                JWTToken jWTToken = new JWTToken(str);
                log.renewalDisabled(getTopologyName(), Tokens.getTokenDisplayText(str), TokenUtils.getTokenId(jWTToken));
                j = Long.parseLong(jWTToken.getExpires());
            } catch (ParseException e) {
                log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(str), e);
                str2 = safeGetMessage(e);
            } catch (Exception e2) {
                str2 = safeGetMessage(e2);
            }
        } else {
            String currentEffectivePrincipalName = SubjectUtils.getCurrentEffectivePrincipalName();
            if (this.allowedRenewers.contains(currentEffectivePrincipalName)) {
                try {
                    JWTToken jWTToken2 = new JWTToken(str);
                    j = this.tokenStateService.renewToken(jWTToken2, this.renewInterval.orElse(Long.valueOf(this.tokenStateService.getDefaultRenewInterval())).longValue());
                    log.renewedToken(getTopologyName(), Tokens.getTokenDisplayText(str), TokenUtils.getTokenId(jWTToken2), currentEffectivePrincipalName);
                } catch (ParseException e3) {
                    log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(str), e3);
                    str2 = safeGetMessage(e3);
                } catch (Exception e4) {
                    str2 = safeGetMessage(e4);
                }
            } else {
                status = Response.Status.FORBIDDEN;
                str2 = "Caller (" + currentEffectivePrincipalName + ") not authorized to renew tokens.";
            }
        }
        if (str2.isEmpty()) {
            build = Response.status(Response.Status.OK).entity("{\n  \"renewed\": \"true\",\n  \"expires\": \"" + j + "\"\n}\n").build();
        } else {
            log.badRenewalRequest(getTopologyName(), Tokens.getTokenDisplayText(str), str2);
            build = Response.status(status).entity("{\n  \"renewed\": \"false\",\n  \"error\": \"" + str2 + "\"\n}\n").build();
        }
        return build;
    }

    @POST
    @Produces({"application/json"})
    @Path(REVOKE_PATH)
    public Response revoke(String str) {
        Response build;
        String str2 = "";
        Response.Status status = Response.Status.BAD_REQUEST;
        if (this.tokenStateService == null) {
            str2 = "Token revocation support is not configured";
        } else {
            String currentEffectivePrincipalName = SubjectUtils.getCurrentEffectivePrincipalName();
            if (this.allowedRenewers.contains(currentEffectivePrincipalName)) {
                try {
                    JWTToken jWTToken = new JWTToken(str);
                    this.tokenStateService.revokeToken(jWTToken);
                    log.revokedToken(getTopologyName(), Tokens.getTokenDisplayText(str), TokenUtils.getTokenId(jWTToken), currentEffectivePrincipalName);
                } catch (UnknownTokenException e) {
                    str2 = safeGetMessage(e);
                } catch (ParseException e2) {
                    log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(str), e2);
                    str2 = safeGetMessage(e2);
                }
            } else {
                status = Response.Status.FORBIDDEN;
                str2 = "Caller (" + currentEffectivePrincipalName + ") not authorized to revoke tokens.";
            }
        }
        if (str2.isEmpty()) {
            build = Response.status(Response.Status.OK).entity("{\n  \"revoked\": \"true\"\n}\n").build();
        } else {
            log.badRevocationRequest(getTopologyName(), Tokens.getTokenDisplayText(str), str2);
            build = Response.status(status).entity("{\n  \"revoked\": \"false\",\n  \"error\": \"" + str2 + "\"\n}\n").build();
        }
        return build;
    }

    private X509Certificate extractCertificate(HttpServletRequest httpServletRequest) {
        X509Certificate[] x509CertificateArr = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
        if (null == x509CertificateArr || x509CertificateArr.length <= 0) {
            return null;
        }
        return x509CertificateArr[0];
    }

    private Response getAuthenticationToken() {
        KeystoreService keystoreService;
        if (this.clientCertRequired) {
            X509Certificate extractCertificate = extractCertificate(this.request);
            if (extractCertificate == null) {
                return Response.status(Response.Status.FORBIDDEN).entity("{ \"Unable to get token - client cert required.\" }").build();
            }
            if (!this.allowedDNs.contains(extractCertificate.getSubjectDN().getName().replaceAll("\\s+", ""))) {
                return Response.status(Response.Status.FORBIDDEN).entity("{ \"Unable to get token - untrusted client cert.\" }").build();
            }
        }
        GatewayServices gatewayServices = (GatewayServices) this.request.getServletContext().getAttribute("org.apache.knox.gateway.gateway.services");
        JWTokenAuthority jWTokenAuthority = (JWTokenAuthority) gatewayServices.getService(ServiceType.TOKEN_SERVICE);
        Principal userPrincipal = this.request.getUserPrincipal();
        long expiry = getExpiry();
        if (this.endpointPublicCert == null && (keystoreService = (KeystoreService) gatewayServices.getService(ServiceType.KEYSTORE_SERVICE)) != null) {
            try {
                this.endpointPublicCert = Base64.encodeBase64String(keystoreService.getCertificateForGateway().getEncoded());
            } catch (KeyStoreException | KeystoreServiceException | CertificateEncodingException e) {
                log.unableToAcquireCertForEndpointClients(e);
            }
        }
        try {
            JWT issueToken = this.targetAudiences.isEmpty() ? jWTokenAuthority.issueToken(userPrincipal, this.signatureAlgorithm, expiry) : jWTokenAuthority.issueToken(userPrincipal, this.targetAudiences, this.signatureAlgorithm, expiry);
            if (issueToken == null) {
                return Response.serverError().build();
            }
            String obj = issueToken.toString();
            String tokenId = TokenUtils.getTokenId(issueToken);
            log.issuedToken(getTopologyName(), Tokens.getTokenDisplayText(obj), tokenId);
            HashMap hashMap = new HashMap();
            hashMap.put(ACCESS_TOKEN, obj);
            hashMap.put(TOKEN_TYPE, BEARER);
            hashMap.put(EXPIRES_IN, Long.valueOf(expiry));
            if (this.tokenTargetUrl != null) {
                hashMap.put(TARGET_URL, this.tokenTargetUrl);
            }
            if (this.tokenClientDataMap != null) {
                hashMap.putAll(this.tokenClientDataMap);
            }
            if (this.endpointPublicCert != null) {
                hashMap.put(ENDPOINT_PUBLIC_CERT, this.endpointPublicCert);
            }
            String renderAsJsonString = JsonUtils.renderAsJsonString(hashMap);
            if (this.tokenStateService != null) {
                this.tokenStateService.addToken(tokenId, System.currentTimeMillis(), expiry, this.maxTokenLifetime.orElse(Long.valueOf(this.tokenStateService.getDefaultMaxLifetimeDuration())).longValue());
                log.storedToken(getTopologyName(), Tokens.getTokenDisplayText(obj), tokenId);
            }
            return Response.ok().entity(renderAsJsonString).build();
        } catch (TokenServiceException e2) {
            log.unableToIssueToken(e2);
            return Response.ok().entity("{ \"Unable to acquire token.\" }").build();
        }
    }

    void addClientDataToMap(String[] strArr, Map<String, Object> map) {
        for (String str : strArr) {
            String[] split = str.split("=");
            if (split.length == 2) {
                map.put(split[0], split[1]);
            }
        }
    }

    private long getExpiry() {
        return this.tokenTTL == -1 ? -1L : System.currentTimeMillis() + this.tokenTTL;
    }

    private String getTopologyName() {
        return (String) this.context.getAttribute("org.apache.knox.gateway.gateway.cluster");
    }

    private String safeGetMessage(Throwable th) {
        String message = th.getMessage();
        return message != null ? message : "null";
    }
}
