package org.apache.knox.gateway.service.knoxtoken;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.util.ByteUtils;
import java.nio.charset.StandardCharsets;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.time.Duration;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import javax.annotation.PostConstruct;
import javax.inject.Singleton;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.security.SubjectUtils;
import org.apache.knox.gateway.services.GatewayServices;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.ServiceType;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.KeystoreService;
import org.apache.knox.gateway.services.security.KeystoreServiceException;
import org.apache.knox.gateway.services.security.token.JWTokenAttributesBuilder;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenMetadata;
import org.apache.knox.gateway.services.security.token.TokenServiceException;
import org.apache.knox.gateway.services.security.token.TokenStateService;
import org.apache.knox.gateway.services.security.token.TokenUtils;
import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.services.security.token.impl.TokenMAC;
import org.apache.knox.gateway.util.JsonUtils;
import org.apache.knox.gateway.util.Tokens;

@Singleton
@Path(TokenResource.RESOURCE_PATH)
/* loaded from: input_file:org/apache/knox/gateway/service/knoxtoken/TokenResource.class */
public class TokenResource {
    static final String LIFESPAN = "lifespan";
    static final String COMMENT = "comment";
    private static final String EXPIRES_IN = "expires_in";
    private static final String TOKEN_TYPE = "token_type";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String TOKEN_ID = "token_id";
    private static final String PASSCODE = "passcode";
    private static final String MANAGED_TOKEN = "managed";
    private static final String TARGET_URL = "target_url";
    private static final String ENDPOINT_PUBLIC_CERT = "endpoint_public_cert";
    private static final String BEARER = "Bearer";
    private static final String TOKEN_TTL_PARAM = "knox.token.ttl";
    private static final String TOKEN_AUDIENCES_PARAM = "knox.token.audiences";
    private static final String TOKEN_TARGET_URL = "knox.token.target.url";
    static final String TOKEN_CLIENT_DATA = "knox.token.client.data";
    private static final String TOKEN_CLIENT_CERT_REQUIRED = "knox.token.client.cert.required";
    private static final String TOKEN_ALLOWED_PRINCIPALS = "knox.token.allowed.principals";
    private static final String TOKEN_SIG_ALG = "knox.token.sigalg";
    private static final String TOKEN_EXP_RENEWAL_INTERVAL = "knox.token.exp.renew-interval";
    private static final String TOKEN_EXP_RENEWAL_MAX_LIFETIME = "knox.token.exp.max-lifetime";
    private static final String TOKEN_EXP_TOKENGEN_ALLOWED_TSS_BACKENDS = "knox.token.exp.tokengen.allowed.tss.backends";
    private static final String TOKEN_RENEWER_WHITELIST = "knox.token.renewer.whitelist";
    private static final String TSS_STATUS_IS_MANAGEMENT_ENABLED = "tokenManagementEnabled";
    private static final String TSS_STATUS_CONFIFURED_BACKEND = "configuredTssBackend";
    private static final String TSS_STATUS_ACTUAL_BACKEND = "actualTssBackend";
    private static final String TSS_ALLOWED_BACKEND_FOR_TOKENGEN = "allowedTssForTokengen";
    private static final String TSS_MAXIMUM_LIFETIME_SECONDS = "maximumLifetimeSeconds";
    private static final String TSS_MAXIMUM_LIFETIME_TEXT = "maximumLifetimeText";
    private static final String LIFESPAN_INPUT_ENABLED_PARAM = "knox.token.lifespan.input.enabled";
    private static final String LIFESPAN_INPUT_ENABLED_TEXT = "lifespanInputEnabled";
    private static final long TOKEN_TTL_DEFAULT = 30000;
    static final String TOKEN_API_PATH = "knoxtoken/api/v1";
    static final String RESOURCE_PATH = "knoxtoken/api/v1/token";
    static final String GET_USER_TOKENS = "/getUserTokens";
    static final String GET_TSS_STATUS_PATH = "/getTssStatus";
    static final String RENEW_PATH = "/renew";
    static final String REVOKE_PATH = "/revoke";
    static final String ENABLE_PATH = "/enable";
    static final String DISABLE_PATH = "/disable";
    private static final String TARGET_ENDPOINT_PULIC_CERT_PEM = "knox.token.target.endpoint.cert.pem";
    private static TokenServiceMessages log = (TokenServiceMessages) MessagesFactory.get(TokenServiceMessages.class);
    private String tokenTTLAsText;
    private String tokenTargetUrl;
    private Map<String, Object> tokenClientDataMap;
    private boolean clientCertRequired;
    private String signatureAlgorithm;
    private String endpointPublicCert;
    private TokenStateService tokenStateService;
    private TokenMAC tokenMAC;
    private int tokenLimitPerUser;
    private List<String> allowedRenewers;

    @Context
    HttpServletRequest request;

    @Context
    ServletContext context;
    private long tokenTTL = TOKEN_TTL_DEFAULT;
    private List<String> targetAudiences = new ArrayList();
    private List<String> allowedDNs = new ArrayList();
    private final Map<String, String> tokenStateServiceStatusMap = new HashMap();
    private Optional<Long> renewInterval = Optional.empty();
    private Optional<Long> maxTokenLifetime = Optional.empty();

    /* loaded from: input_file:org/apache/knox/gateway/service/knoxtoken/TokenResource$ErrorCode.class */
    public enum ErrorCode {
        UNKNOWN(0),
        CONFIGURATION_ERROR(10),
        UNAUTHORIZED(20),
        INTERNAL_ERROR(30),
        INVALID_TOKEN(40),
        UNKNOWN_TOKEN(50),
        ALREADY_DISABLED(60),
        ALREADY_ENABLED(70);

        private final int code;

        ErrorCode(int i) {
            this.code = i;
        }

        public int toInt() {
            return this.code;
        }

        /* renamed from: values, reason: to resolve conflict with enum method */
        public static ErrorCode[] valuesCustom() {
            ErrorCode[] valuesCustom = values();
            int length = valuesCustom.length;
            ErrorCode[] errorCodeArr = new ErrorCode[length];
            System.arraycopy(valuesCustom, 0, errorCodeArr, 0, length);
            return errorCodeArr;
        }
    }

    @PostConstruct
    public void init() throws AliasServiceException, ServiceLifecycleException, KeyLengthException {
        String initParameter = this.context.getInitParameter(TOKEN_AUDIENCES_PARAM);
        if (initParameter != null) {
            for (String str : initParameter.split(",")) {
                this.targetAudiences.add(str.trim());
            }
        }
        this.clientCertRequired = "true".equals(this.context.getInitParameter(TOKEN_CLIENT_CERT_REQUIRED));
        String initParameter2 = this.context.getInitParameter(TOKEN_ALLOWED_PRINCIPALS);
        if (initParameter2 != null) {
            for (String str2 : initParameter2.split(";")) {
                this.allowedDNs.add(str2.replaceAll("\\s+", ""));
            }
        }
        String initParameter3 = this.context.getInitParameter(TOKEN_TTL_PARAM);
        if (initParameter3 != null) {
            try {
                this.tokenTTL = Long.parseLong(initParameter3);
                if (this.tokenTTL < -1 || this.tokenTTL + System.currentTimeMillis() < 0) {
                    log.invalidTokenTTLEncountered(initParameter3);
                    this.tokenTTL = TOKEN_TTL_DEFAULT;
                }
            } catch (NumberFormatException e) {
                log.invalidTokenTTLEncountered(initParameter3);
            }
        }
        this.tokenTTLAsText = getTokenTTLAsText();
        this.tokenTargetUrl = this.context.getInitParameter(TOKEN_TARGET_URL);
        String initParameter4 = this.context.getInitParameter(TOKEN_CLIENT_DATA);
        if (initParameter4 != null) {
            this.tokenClientDataMap = new HashMap();
            addClientDataToMap(initParameter4.split(","), this.tokenClientDataMap);
        }
        setSignatureAlogrithm();
        String initParameter5 = this.context.getInitParameter(TARGET_ENDPOINT_PULIC_CERT_PEM);
        if (initParameter5 != null) {
            this.endpointPublicCert = initParameter5;
        }
        if (isServerManagedTokenStateEnabled()) {
            String topologyName = getTopologyName();
            log.serverManagedTokenStateEnabled(topologyName);
            GatewayServices gatewayServices = (GatewayServices) this.context.getAttribute("org.apache.knox.gateway.gateway.services");
            this.tokenStateService = (TokenStateService) gatewayServices.getService(ServiceType.TOKEN_STATE_SERVICE);
            GatewayConfig gatewayConfig = (GatewayConfig) this.context.getAttribute("org.apache.knox.gateway.config");
            this.tokenMAC = new TokenMAC(gatewayConfig.getKnoxTokenHashAlgorithm(), ((AliasService) gatewayServices.getService(ServiceType.ALIAS_SERVICE)).getPasswordFromAliasForGateway("knox.token.hash.key"));
            this.tokenLimitPerUser = gatewayConfig.getMaximumNumberOfTokensPerUser();
            String initParameter6 = this.context.getInitParameter(TOKEN_EXP_RENEWAL_INTERVAL);
            if (initParameter6 != null && !initParameter6.isEmpty()) {
                try {
                    this.renewInterval = Optional.of(Long.valueOf(Long.parseLong(initParameter6)));
                } catch (NumberFormatException e2) {
                    log.invalidConfigValue(topologyName, TOKEN_EXP_RENEWAL_INTERVAL, initParameter6, e2);
                }
            }
            String initParameter7 = this.context.getInitParameter(TOKEN_EXP_RENEWAL_MAX_LIFETIME);
            if (initParameter7 != null && !initParameter7.isEmpty()) {
                try {
                    this.maxTokenLifetime = Optional.of(Long.valueOf(Long.parseLong(initParameter7)));
                } catch (NumberFormatException e3) {
                    log.invalidConfigValue(topologyName, TOKEN_EXP_RENEWAL_MAX_LIFETIME, initParameter7, e3);
                }
            }
            this.allowedRenewers = new ArrayList();
            String initParameter8 = this.context.getInitParameter(TOKEN_RENEWER_WHITELIST);
            if (initParameter8 == null || initParameter8.isEmpty()) {
                log.noRenewersConfigured(topologyName);
            } else {
                for (String str3 : initParameter8.split(",")) {
                    this.allowedRenewers.add(str3.trim());
                }
            }
        }
        setTokenStateServiceStatusMap();
    }

    private String getTokenTTLAsText() {
        if (this.tokenTTL == -1) {
            return "Unlimited lifetime";
        }
        Duration ofMillis = Duration.ofMillis(this.tokenTTL);
        long days = ofMillis.toDays();
        long hours = days > 0 ? ofMillis.minusDays(days).toHours() : ofMillis.toHours();
        long minutes = ofMillis.toHours() > 0 ? ofMillis.minusHours(ofMillis.toHours()).toMinutes() : ofMillis.toMinutes();
        long seconds = ofMillis.toMinutes() > 0 ? ofMillis.minusMinutes(ofMillis.toMinutes()).getSeconds() : ofMillis.getSeconds();
        StringBuilder sb = new StringBuilder(32);
        if (days > 0) {
            sb.append(days).append(" days ");
        }
        if (hours > 0) {
            sb.append(hours).append(" hours ");
        }
        if (minutes > 0) {
            sb.append(minutes).append(" minutes ");
        }
        if (seconds > 0) {
            sb.append(seconds).append(" seconds");
        }
        return sb.toString();
    }

    private void setTokenStateServiceStatusMap() {
        if (isServerManagedTokenStateEnabled()) {
            this.tokenStateServiceStatusMap.put(TSS_STATUS_IS_MANAGEMENT_ENABLED, "true");
            String serviceParameter = ((GatewayConfig) this.request.getServletContext().getAttribute("org.apache.knox.gateway.config")).getServiceParameter(ServiceType.TOKEN_STATE_SERVICE.getShortName(), "impl");
            String substring = StringUtils.isBlank(serviceParameter) ? "" : serviceParameter.substring(serviceParameter.lastIndexOf(46) + 1);
            String canonicalName = this.tokenStateService.getClass().getCanonicalName();
            String substring2 = canonicalName.substring(canonicalName.lastIndexOf(46) + 1);
            this.tokenStateServiceStatusMap.put(TSS_STATUS_CONFIFURED_BACKEND, substring);
            this.tokenStateServiceStatusMap.put(TSS_STATUS_ACTUAL_BACKEND, substring2);
            populateAllowedTokenStateBackendForTokenGenApp(substring2);
            this.tokenStateServiceStatusMap.put(TSS_MAXIMUM_LIFETIME_SECONDS, String.valueOf(this.tokenTTL == -1 ? this.tokenTTL : this.tokenTTL / 1000));
            this.tokenStateServiceStatusMap.put(TSS_MAXIMUM_LIFETIME_TEXT, this.tokenTTLAsText);
        } else {
            this.tokenStateServiceStatusMap.put(TSS_STATUS_IS_MANAGEMENT_ENABLED, "false");
        }
        String initParameter = this.context.getInitParameter(LIFESPAN_INPUT_ENABLED_PARAM);
        this.tokenStateServiceStatusMap.put(LIFESPAN_INPUT_ENABLED_TEXT, Boolean.valueOf(initParameter == null ? Boolean.TRUE.booleanValue() : Boolean.parseBoolean(initParameter)).toString());
    }

    private void populateAllowedTokenStateBackendForTokenGenApp(String str) {
        this.tokenStateServiceStatusMap.put(TSS_ALLOWED_BACKEND_FOR_TOKENGEN, "false");
        String initParameter = this.context.getInitParameter(TOKEN_EXP_TOKENGEN_ALLOWED_TSS_BACKENDS);
        if (initParameter == null || initParameter.isEmpty()) {
            if ("AliasBasedTokenStateService".equals(str) || "JDBCTokenStateService".equals(str)) {
                this.tokenStateServiceStatusMap.put(TSS_ALLOWED_BACKEND_FOR_TOKENGEN, "true");
                return;
            }
            return;
        }
        for (String str2 : initParameter.split(",")) {
            if (str2.trim().equals(str)) {
                this.tokenStateServiceStatusMap.put(TSS_ALLOWED_BACKEND_FOR_TOKENGEN, "true");
                return;
            }
        }
    }

    private void setSignatureAlogrithm() throws AliasServiceException, KeyLengthException {
        String initParameter = this.context.getInitParameter(TOKEN_SIG_ALG);
        GatewayConfig gatewayConfig = (GatewayConfig) this.request.getServletContext().getAttribute("org.apache.knox.gateway.config");
        AliasService aliasService = (AliasService) ((GatewayServices) this.request.getServletContext().getAttribute("org.apache.knox.gateway.gateway.services")).getService(ServiceType.ALIAS_SERVICE);
        this.signatureAlgorithm = TokenUtils.getSignatureAlgorithm(initParameter, aliasService, gatewayConfig.getSigningKeystoreName());
        char[] passwordFromAliasForGateway = aliasService.getPasswordFromAliasForGateway("gateway.signing.hmac.secret");
        if (passwordFromAliasForGateway != null && !isAlgCompatibleWithSecret(this.signatureAlgorithm, passwordFromAliasForGateway)) {
            throw new KeyLengthException(JWSAlgorithm.parse(this.signatureAlgorithm));
        }
    }

    private boolean isAlgCompatibleWithSecret(String str, char[] cArr) {
        return MACSigner.getCompatibleAlgorithms(ByteUtils.bitLength(cArr.length)).contains(JWSAlgorithm.parse(str));
    }

    private boolean isServerManagedTokenStateEnabled() {
        boolean z;
        String initParameter = this.context.getInitParameter("knox.token.exp.server-managed");
        if (initParameter == null || initParameter.isEmpty()) {
            GatewayConfig gatewayConfig = (GatewayConfig) this.context.getAttribute("org.apache.knox.gateway.config");
            z = gatewayConfig != null && gatewayConfig.isServerManagedTokenStateEnabled();
        } else {
            z = Boolean.valueOf(initParameter).booleanValue();
        }
        return z;
    }

    @GET
    @Produces({"application/json", "application/xml"})
    public Response doGet() {
        return getAuthenticationToken();
    }

    @POST
    @Produces({"application/json", "application/xml"})
    public Response doPost() {
        return getAuthenticationToken();
    }

    @GET
    @Produces({"application/json", "application/xml"})
    @Path(GET_USER_TOKENS)
    public Response getUserTokens(@QueryParam("userName") String str) {
        if (this.tokenStateService == null) {
            return Response.status(Response.Status.SERVICE_UNAVAILABLE).entity("{\n  \"error\": \"Token management is not configured\"\n}\n").build();
        }
        return Response.status(Response.Status.OK).entity(JsonUtils.renderAsJsonString(Collections.singletonMap("tokens", this.tokenStateService.getTokens(str)))).build();
    }

    @GET
    @Produces({"application/json"})
    @Path(GET_TSS_STATUS_PATH)
    public Response getTokenStateServiceStatus() {
        return Response.status(Response.Status.OK).entity(JsonUtils.renderAsJsonString(this.tokenStateServiceStatusMap)).build();
    }

    @Produces({"application/json"})
    @Path(RENEW_PATH)
    @PUT
    public Response renew(String str) {
        Response build;
        long j = 0;
        String str2 = "";
        ErrorCode errorCode = ErrorCode.UNKNOWN;
        Response.Status status = Response.Status.BAD_REQUEST;
        if (this.tokenStateService == null) {
            try {
                JWTToken jWTToken = new JWTToken(str);
                log.renewalDisabled(getTopologyName(), Tokens.getTokenDisplayText(str), Tokens.getTokenIDDisplayText(TokenUtils.getTokenId(jWTToken)));
                j = Long.parseLong(jWTToken.getExpires());
            } catch (ParseException e) {
                log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(str), e);
                str2 = safeGetMessage(e);
                errorCode = ErrorCode.INVALID_TOKEN;
            } catch (Exception e2) {
                str2 = safeGetMessage(e2);
                errorCode = ErrorCode.INTERNAL_ERROR;
            }
        } else {
            String currentEffectivePrincipalName = SubjectUtils.getCurrentEffectivePrincipalName();
            if (this.allowedRenewers.contains(currentEffectivePrincipalName)) {
                try {
                    JWTToken jWTToken2 = new JWTToken(str);
                    j = this.tokenStateService.renewToken(jWTToken2, this.renewInterval.orElse(Long.valueOf(this.tokenStateService.getDefaultRenewInterval())).longValue());
                    log.renewedToken(getTopologyName(), Tokens.getTokenDisplayText(str), Tokens.getTokenIDDisplayText(TokenUtils.getTokenId(jWTToken2)), currentEffectivePrincipalName);
                } catch (ParseException e3) {
                    log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(str), e3);
                    errorCode = ErrorCode.INVALID_TOKEN;
                    str2 = safeGetMessage(e3);
                } catch (Exception e4) {
                    str2 = safeGetMessage(e4);
                    errorCode = ErrorCode.INTERNAL_ERROR;
                }
            } else {
                status = Response.Status.FORBIDDEN;
                str2 = "Caller (" + currentEffectivePrincipalName + ") not authorized to renew tokens.";
                errorCode = ErrorCode.UNAUTHORIZED;
            }
        }
        if (str2.isEmpty()) {
            build = Response.status(Response.Status.OK).entity("{\n  \"renewed\": \"true\",\n  \"expires\": \"" + j + "\"\n}\n").build();
        } else {
            log.badRenewalRequest(getTopologyName(), Tokens.getTokenDisplayText(str), str2);
            build = Response.status(status).entity("{\n  \"renewed\": \"false\",\n  \"error\": \"" + str2 + "\",\n  \"code\": " + errorCode.toInt() + "\n}\n").build();
        }
        return build;
    }

    @Produces({"application/json"})
    @Path(REVOKE_PATH)
    @DELETE
    public Response revoke(String str) {
        Response build;
        String str2 = "";
        ErrorCode errorCode = ErrorCode.UNKNOWN;
        Response.Status status = Response.Status.BAD_REQUEST;
        if (this.tokenStateService == null) {
            str2 = "Token revocation support is not configured";
            errorCode = ErrorCode.CONFIGURATION_ERROR;
        } else {
            try {
                String currentEffectivePrincipalName = SubjectUtils.getCurrentEffectivePrincipalName();
                String tokenId = getTokenId(str);
                if (triesToRevokeOwnToken(tokenId, currentEffectivePrincipalName) || this.allowedRenewers.contains(currentEffectivePrincipalName)) {
                    this.tokenStateService.revokeToken(tokenId);
                    log.revokedToken(getTopologyName(), Tokens.getTokenDisplayText(str), Tokens.getTokenIDDisplayText(tokenId), currentEffectivePrincipalName);
                } else {
                    status = Response.Status.FORBIDDEN;
                    str2 = "Caller (" + currentEffectivePrincipalName + ") not authorized to revoke tokens.";
                    errorCode = ErrorCode.UNAUTHORIZED;
                }
            } catch (ParseException e) {
                log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(str), e);
                str2 = safeGetMessage(e);
                errorCode = ErrorCode.INVALID_TOKEN;
            } catch (UnknownTokenException e2) {
                str2 = safeGetMessage(e2);
                errorCode = ErrorCode.UNKNOWN_TOKEN;
            }
        }
        if (str2.isEmpty()) {
            build = Response.status(Response.Status.OK).entity("{\n  \"revoked\": \"true\"\n}\n").build();
        } else {
            log.badRevocationRequest(getTopologyName(), Tokens.getTokenDisplayText(str), str2);
            build = Response.status(status).entity("{\n  \"revoked\": \"false\",\n  \"error\": \"" + str2 + "\",\n  \"code\": " + errorCode.toInt() + "\n}\n").build();
        }
        return build;
    }

    private boolean triesToRevokeOwnToken(String str, String str2) throws UnknownTokenException {
        TokenMetadata tokenMetadata = this.tokenStateService.getTokenMetadata(str);
        return StringUtils.isNotBlank(str2) && str2.equals(tokenMetadata == null ? "" : tokenMetadata.getUserName());
    }

    private String getTokenId(String str) throws ParseException {
        try {
            UUID.fromString(str);
            return str;
        } catch (IllegalArgumentException e) {
            return TokenUtils.getTokenId(new JWTToken(str));
        }
    }

    @Produces({"application/json"})
    @Path(ENABLE_PATH)
    @PUT
    public Response enable(String str) {
        return setTokenEnabledFlag(str, true);
    }

    @Produces({"application/json"})
    @Path(DISABLE_PATH)
    @PUT
    public Response disable(String str) {
        return setTokenEnabledFlag(str, false);
    }

    private Response setTokenEnabledFlag(String str, boolean z) {
        String str2 = "";
        ErrorCode errorCode = ErrorCode.UNKNOWN;
        if (this.tokenStateService == null) {
            str2 = "Unable to " + (z ? "enable" : "disable") + " tokens because token management is not configured";
            errorCode = ErrorCode.CONFIGURATION_ERROR;
        } else {
            try {
                TokenMetadata tokenMetadata = this.tokenStateService.getTokenMetadata(str);
                if (z && tokenMetadata.isEnabled()) {
                    str2 = "Token is already enabled";
                    errorCode = ErrorCode.ALREADY_ENABLED;
                } else if (z || tokenMetadata.isEnabled()) {
                    tokenMetadata.setEnabled(z);
                    this.tokenStateService.addMetadata(str, tokenMetadata);
                } else {
                    str2 = "Token is already disabled";
                    errorCode = ErrorCode.ALREADY_DISABLED;
                }
            } catch (UnknownTokenException e) {
                str2 = safeGetMessage(e);
                errorCode = ErrorCode.UNKNOWN_TOKEN;
            }
        }
        if (str2.isEmpty()) {
            return Response.status(Response.Status.OK).entity("{\n  \"setEnabledFlag\": \"true\",\n  \"isEnabled\": \"" + z + "\"\n}\n").build();
        }
        log.badSetEnabledFlagRequest(getTopologyName(), Tokens.getTokenIDDisplayText(str), str2);
        return Response.status(Response.Status.BAD_REQUEST).entity("{\n  \"setEnabledFlag\": \"false\",\n  \"error\": \"" + str2 + "\",\n  \"code\": " + errorCode.toInt() + "\n}\n").build();
    }

    private X509Certificate extractCertificate(HttpServletRequest httpServletRequest) {
        X509Certificate[] x509CertificateArr = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
        if (x509CertificateArr == null || x509CertificateArr.length <= 0) {
            return null;
        }
        return x509CertificateArr[0];
    }

    private Response getAuthenticationToken() {
        KeystoreService keystoreService;
        if (this.clientCertRequired) {
            X509Certificate extractCertificate = extractCertificate(this.request);
            if (extractCertificate == null) {
                return Response.status(Response.Status.FORBIDDEN).entity("{ \"Unable to get token - client cert required.\" }").build();
            }
            if (!this.allowedDNs.contains(extractCertificate.getSubjectDN().getName().replaceAll("\\s+", ""))) {
                return Response.status(Response.Status.FORBIDDEN).entity("{ \"Unable to get token - untrusted client cert.\" }").build();
            }
        }
        GatewayServices gatewayServices = (GatewayServices) this.request.getServletContext().getAttribute("org.apache.knox.gateway.gateway.services");
        JWTokenAuthority jWTokenAuthority = (JWTokenAuthority) gatewayServices.getService(ServiceType.TOKEN_SERVICE);
        Principal userPrincipal = this.request.getUserPrincipal();
        long expiry = getExpiry();
        if (this.endpointPublicCert == null && (keystoreService = (KeystoreService) gatewayServices.getService(ServiceType.KEYSTORE_SERVICE)) != null) {
            try {
                this.endpointPublicCert = Base64.encodeBase64String(keystoreService.getCertificateForGateway().getEncoded());
            } catch (KeyStoreException | KeystoreServiceException | CertificateEncodingException e) {
                log.unableToAcquireCertForEndpointClients(e);
            }
        }
        String str = null;
        int lastIndexOf = this.request.getRequestURL().lastIndexOf("/");
        if (lastIndexOf > 1) {
            str = String.valueOf(this.request.getRequestURL().substring(0, lastIndexOf)) + JWKSResource.JWKS_PATH;
        }
        if (this.tokenStateService != null && this.tokenLimitPerUser != -1 && this.tokenStateService.getTokens(userPrincipal.getName()).size() >= this.tokenLimitPerUser) {
            log.tokenLimitExceeded(userPrincipal.getName());
            return Response.status(Response.Status.FORBIDDEN).entity("{ \"Unable to get token - token limit exceeded.\" }").build();
        }
        try {
            boolean z = this.tokenStateService != null;
            JWTokenAttributesBuilder jWTokenAttributesBuilder = new JWTokenAttributesBuilder();
            jWTokenAttributesBuilder.setPrincipal(userPrincipal).setAlgorithm(this.signatureAlgorithm).setExpires(expiry).setManaged(z).setJku(str);
            if (!this.targetAudiences.isEmpty()) {
                jWTokenAttributesBuilder.setAudiences(this.targetAudiences);
            }
            JWT issueToken = jWTokenAuthority.issueToken(jWTokenAttributesBuilder.build());
            if (issueToken == null) {
                return Response.serverError().build();
            }
            String obj = issueToken.toString();
            String tokenId = TokenUtils.getTokenId(issueToken);
            log.issuedToken(getTopologyName(), Tokens.getTokenDisplayText(obj), Tokens.getTokenIDDisplayText(tokenId));
            HashMap hashMap = new HashMap();
            hashMap.put(ACCESS_TOKEN, obj);
            hashMap.put(TOKEN_ID, tokenId);
            hashMap.put(MANAGED_TOKEN, String.valueOf(z));
            hashMap.put(TOKEN_TYPE, BEARER);
            hashMap.put(EXPIRES_IN, Long.valueOf(expiry));
            if (this.tokenTargetUrl != null) {
                hashMap.put(TARGET_URL, this.tokenTargetUrl);
            }
            if (this.tokenClientDataMap != null) {
                hashMap.putAll(this.tokenClientDataMap);
            }
            if (this.endpointPublicCert != null) {
                hashMap.put(ENDPOINT_PUBLIC_CERT, this.endpointPublicCert);
            }
            String uuid = UUID.randomUUID().toString();
            hashMap.put(PASSCODE, generatePasscodeField(tokenId, uuid));
            String renderAsJsonString = JsonUtils.renderAsJsonString(hashMap);
            if (this.tokenStateService != null) {
                long currentTimeMillis = System.currentTimeMillis();
                this.tokenStateService.addToken(tokenId, currentTimeMillis, expiry, this.maxTokenLifetime.orElse(Long.valueOf(this.tokenStateService.getDefaultMaxLifetimeDuration())).longValue());
                String parameter = this.request.getParameter(COMMENT);
                TokenMetadata tokenMetadata = new TokenMetadata(userPrincipal.getName(), StringUtils.isBlank(parameter) ? null : parameter);
                tokenMetadata.setPasscode(this.tokenMAC.hash(tokenId, currentTimeMillis, userPrincipal.getName(), uuid));
                this.tokenStateService.addMetadata(tokenId, tokenMetadata);
                log.storedToken(getTopologyName(), Tokens.getTokenDisplayText(obj), Tokens.getTokenIDDisplayText(tokenId));
            }
            return Response.ok().entity(renderAsJsonString).build();
        } catch (TokenServiceException e2) {
            log.unableToIssueToken(e2);
            return Response.ok().entity("{ \"Unable to acquire token.\" }").build();
        }
    }

    private String generatePasscodeField(String str, String str2) {
        return Base64.encodeBase64String((String.valueOf(Base64.encodeBase64String(str.getBytes(StandardCharsets.UTF_8))) + "::" + Base64.encodeBase64String(str2.getBytes(StandardCharsets.UTF_8))).getBytes(StandardCharsets.UTF_8));
    }

    void addClientDataToMap(String[] strArr, Map<String, Object> map) {
        for (String str : strArr) {
            String[] split = str.split("=", 2);
            if (split.length == 2) {
                map.put(split[0], split[1]);
            }
        }
    }

    private long getExpiry() {
        long j = this.tokenTTL;
        String parameter = this.request.getParameter(LIFESPAN);
        if (parameter != null && !parameter.isEmpty()) {
            try {
                long millis = Duration.parse(parameter).toMillis();
                if (this.tokenTTL == -1) {
                    j = millis;
                } else if (millis <= this.tokenTTL) {
                    j = millis;
                }
            } catch (DateTimeParseException e) {
                log.invalidLifetimeValue(parameter);
            }
        } else if (this.tokenTTL == -1) {
            return -1L;
        }
        return System.currentTimeMillis() + j;
    }

    private String getTopologyName() {
        return (String) this.context.getAttribute("org.apache.knox.gateway.gateway.cluster");
    }

    private String safeGetMessage(Throwable th) {
        String message = th.getMessage();
        return message != null ? message : "null";
    }
}
