package org.apache.iotdb.commons.auth.authorizer;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Scanner;
import java.util.UUID;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.role.LocalFileRoleManager;
import org.apache.iotdb.commons.auth.user.LocalFileUserManager;
import org.apache.iotdb.commons.conf.CommonConfig;
import org.apache.iotdb.commons.conf.CommonDescriptor;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.rpc.TSStatusCode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.class */
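/**
 * Authorizer that authenticates with an OpenID Connect JWT instead of a password.
 *
 * <p>The client passes the JWT in the user-name field and an empty password. The token signature is
 * verified against the provider's RSA signing key (fetched once from the provider's JWK Set at
 * construction), the subject becomes the IoTDB user name ({@link #OPENID_USER_PREFIX} + subject),
 * and privilege checks reduce to the presence of {@link #IOTDB_ADMIN_ROLE_NAME} in the token's
 * {@code realm_access.roles} claim.
 *
 * <p>Thread-safety: {@code loggedClaims} is a plain {@link HashMap} guarded by nothing; concurrent
 * logins are not synchronized here (behaviour inherited from the original implementation).
 */
public class OpenIdAuthorizer extends BasicAuthorizer {
    public static final String IOTDB_ADMIN_ROLE_NAME = "iotdb_admin";
    public static final String OPENID_USER_PREFIX = "openid-";

    /** Claim names inspected by {@link #isAdmin(String)}; the role list lives under {@code realm_access.roles}. */
    private static final String REALM_ACCESS_CLAIM = "realm_access";
    private static final String ROLES_CLAIM = "roles";

    private static final Logger logger = LoggerFactory.getLogger(OpenIdAuthorizer.class);
    private static final CommonConfig config = CommonDescriptor.getInstance().getConfig();

    /** Public RSA key of the OIDC provider; every presented token must be signed by the matching private key. */
    private final RSAPublicKey providerKey;
    /**
     * Claims of users that logged in successfully, keyed by IoTDB user name. Entries are never evicted,
     * so a cached admin role stays effective for the lifetime of this instance even if the provider
     * later withdraws it.
     */
    private final Map<String, Claims> loggedClaims;

    /**
     * Builds an authorizer for the provider configured via {@code CommonConfig#getOpenIdProviderUrl()}.
     *
     * @throws AuthException if the provider's RSA signing key cannot be obtained or parsed
     * @throws ParseException if the provider metadata or JWK Set is not valid JSON/OIDC metadata
     * @throws IOException if the provider metadata cannot be read
     * @throws URISyntaxException if the configured provider URL is not a valid URI
     */
    public OpenIdAuthorizer() throws AuthException, ParseException, IOException, URISyntaxException {
        this(config.getOpenIdProviderUrl());
    }

    /**
     * Builds an authorizer from an already obtained RSA JWK.
     *
     * @param jwk the provider's RSA signing key as a JWK JSON object
     * @throws AuthException if {@code jwk} is {@code null} or cannot be converted to an RSA public key
     */
    public OpenIdAuthorizer(JSONObject jwk) throws AuthException {
        super(new LocalFileUserManager(config.getUserFolder()), new LocalFileRoleManager(config.getRoleFolder()));
        this.loggedClaims = new HashMap<>();
        if (jwk == null) {
            throw new AuthException(TSStatusCode.INIT_AUTH_ERROR, "Unable to get OIDC Provider Key: no JWK was given");
        }
        try {
            this.providerKey = RSAKey.parse(jwk).toRSAPublicKey();
            // Only the public half is logged; it contains no secret material.
            logger.info("Initialized with providerKey: {}", this.providerKey);
        } catch (JOSEException | java.text.ParseException e) {
            throw new AuthException(TSStatusCode.INIT_AUTH_ERROR, "Unable to get OIDC Provider Key from JWK " + jwk, e);
        }
    }

    /**
     * Builds an authorizer by discovering the provider's JWK Set from its issuer URL.
     *
     * @param providerUrl base URL of the OIDC provider; {@code .well-known/openid-configuration} is resolved against it
     * @throws AuthException if no usable RSA signing key can be obtained
     * @throws URISyntaxException if {@code providerUrl} or the advertised JWK Set URI is malformed
     * @throws ParseException if the metadata or JWK Set cannot be parsed
     * @throws IOException if the provider metadata cannot be read
     */
    public OpenIdAuthorizer(String providerUrl) throws AuthException, URISyntaxException, ParseException, IOException {
        this(getJwkFromProvider(providerUrl));
    }

    /**
     * Discovers the provider metadata and returns the first RSA key with {@code use == "sig"} from its JWK Set.
     *
     * <p>That key is the trust root for every later login, so the provider URL should be served over a
     * channel the deployment trusts (typically https).
     *
     * @param providerUrl base URL of the OIDC provider
     * @return the RSA signing JWK; never {@code null}
     * @throws IllegalArgumentException if {@code providerUrl} is {@code null}
     * @throws AuthException if the JWK Set cannot be read or contains no RSA signing key
     */
    private static JSONObject getJwkFromProvider(String providerUrl) throws URISyntaxException, IOException, ParseException, AuthException {
        if (providerUrl == null) {
            throw new IllegalArgumentException("OpenID Connect Provider URI must be given!");
        }
        OIDCProviderMetadata metadata = fetchMetadata(providerUrl);
        logger.debug("Using Provider Metadata: {}", metadata);
        JSONObject jwk;
        try {
            URL jwksUrl = new URI(metadata.getJWKSetURI().toString()).toURL();
            logger.debug("Using url {}", jwksUrl);
            try (InputStream in = jwksUrl.openStream()) {
                jwk = getProviderRsaJwk(in);
            }
        } catch (IOException e) {
            throw new AuthException(TSStatusCode.INIT_AUTH_ERROR, "Unable to start the Auth", e);
        }
        if (jwk == null) {
            // Failing here gives a clear message instead of a NullPointerException inside RSAKey.parse later on.
            throw new AuthException(TSStatusCode.INIT_AUTH_ERROR,
                    "Unable to start the Auth: no RSA signing key (use=sig, kty=RSA) found in the provider's JWK Set");
        }
        return jwk;
    }

    /**
     * Reads a JWK Set document and picks the first key with {@code use == "sig"} and {@code kty == "RSA"}.
     *
     * @param inputStream UTF-8 JWK Set JSON; closed by this method
     * @return the matching key, or {@code null} if the set has no such key or no {@code keys} array
     * @throws ParseException if the document is not valid JSON
     */
    private static JSONObject getProviderRsaJwk(InputStream inputStream) throws ParseException {
        String body;
        try (Scanner scanner = new Scanner(inputStream, StandardCharsets.UTF_8.name())) {
            // "\\A" turns the whole stream into one token, so whitespace inside JSON string values is preserved.
            body = scanner.useDelimiter("\\A").hasNext() ? scanner.next() : "";
        }
        Object keys = JSONObjectUtils.parse(body).get("keys");
        if (!(keys instanceof JSONArray)) {
            return null;
        }
        for (Object candidate : (JSONArray) keys) {
            if (!(candidate instanceof JSONObject)) {
                continue;
            }
            JSONObject key = (JSONObject) candidate;
            if ("sig".equals(key.get("use")) && "RSA".equals(key.get("kty"))) {
                return key;
            }
        }
        return null;
    }

    /**
     * Fetches and parses {@code <providerUrl>.well-known/openid-configuration}.
     *
     * <p>The path is resolved with {@link URI#resolve(String)}, so {@code providerUrl} needs a trailing
     * slash for the well-known path to be appended rather than replace the last path segment.
     *
     * @param providerUrl base URL of the OIDC provider
     * @return the parsed provider metadata
     */
    private static OIDCProviderMetadata fetchMetadata(String providerUrl) throws URISyntaxException, IOException, ParseException {
        URL configUrl = new URI(providerUrl).resolve(".well-known/openid-configuration").toURL();
        try (Scanner scanner = new Scanner(configUrl.openStream(), StandardCharsets.UTF_8.name())) {
            String body = scanner.useDelimiter("\\A").hasNext() ? scanner.next() : "";
            return OIDCProviderMetadata.parse(body);
        }
    }

    /**
     * Logs in with a JWT passed as the user name; the password must be empty.
     *
     * <p>On first login the derived IoTDB user is created locally with a random, unused password. Neither
     * the token nor the password is written to the log: the token is a bearer credential.
     *
     * @param username the JWT
     * @param password must be {@code null} or empty
     * @return {@code true} if the token signature verifies, {@code false} otherwise
     * @throws AuthException if the local user store cannot be read or updated
     */
    @Override
    public boolean login(String username, String password) throws AuthException {
        if (password != null && !password.isEmpty()) {
            logger.error("JWT Login failed as a non-empty Password was given for the username (token)!");
            return false;
        }
        if (username == null || username.isEmpty()) {
            logger.error("JWT Login failed as a Username (token) was empty!");
            return false;
        }
        try {
            Claims claims = validateToken(username);
            logValidatedClaims(claims);
            String iotdbUser = getUsername(claims);
            if (!super.listAllUsers().contains(iotdbUser)) {
                logger.info("User {} logs in for first time, storing it locally!", iotdbUser);
                // Call the parent directly: this class's createUser override rejects the operation.
                super.createUser(iotdbUser, UUID.randomUUID().toString());
            }
            this.loggedClaims.put(iotdbUser, claims);
            return true;
        } catch (JwtException e) {
            // Deliberately does not log the rejected token.
            logger.error("Unable to login the user with jwt", e);
            return false;
        }
    }

    /**
     * Validates a JWT and returns the IoTDB user name derived from its subject.
     *
     * @param token the JWT
     * @return {@link #OPENID_USER_PREFIX} + subject
     * @throws JwtException if the token is malformed or its signature does not verify
     */
    public String getIoTDBUserName(String token) {
        Claims claims = validateToken(token);
        logValidatedClaims(claims);
        return getUsername(claims);
    }

    /** Debug trace of the identifying claims of a token that has just been validated. */
    private static void logValidatedClaims(Claims claims) {
        logger.debug("JWT was validated successfully!");
        logger.debug("ID: {}", claims.getId());
        logger.debug("Subject: {}", claims.getSubject());
        logger.debug("Issuer: {}", claims.getIssuer());
        logger.debug("Expiration: {}", claims.getExpiration());
    }

    /**
     * Verifies the token signature against {@link #providerKey} and returns its claims.
     *
     * @throws JwtException if the token cannot be parsed or its signature does not verify
     */
    private Claims validateToken(String token) {
        return Jwts.parser()
                // NOTE(review): a clock skew of ~292 million years effectively disables the exp/nbf checks, so an
                // expired token is accepted as long as its signature verifies. Kept as in the original; lower it
                // to a few minutes if token lifetime is meant to be enforced.
                .setAllowedClockSkewSeconds(9223372036854775L)
                .setSigningKey(this.providerKey)
                .parseClaimsJws(token)
                .getBody();
    }

    /** Maps a token's subject to the IoTDB user name. */
    private String getUsername(Claims claims) {
        return OPENID_USER_PREFIX + claims.getSubject();
    }

    /** Users are provisioned from tokens only; see {@link #login(String, String)}. */
    @Override
    public void createUser(String username, String password) {
        throwUnsupportedOperationException();
    }

    private void throwUnsupportedOperationException() {
        throw new UnsupportedOperationException("This operation is not supported for JWT Auth Provider!");
    }

    @Override
    public void deleteUser(String username) {
        throwUnsupportedOperationException();
    }

    /**
     * Checks whether the token carries {@link #IOTDB_ADMIN_ROLE_NAME} in {@code realm_access.roles}.
     *
     * <p>Accepts either an IoTDB user name of a user who already logged in (claims served from the cache
     * without re-validation) or a raw JWT, which is validated on the spot. A missing or malformed
     * {@code realm_access} claim counts as "not admin" instead of failing with an exception.
     *
     * @param usernameOrToken IoTDB user name or JWT
     */
    @Override
    public boolean isAdmin(String usernameOrToken) {
        Claims claims = this.loggedClaims.get(usernameOrToken);
        if (claims == null) {
            try {
                claims = validateToken(usernameOrToken);
            } catch (JwtException e) {
                // Deliberately does not log the rejected token.
                logger.warn("Unable to validate token!", e);
                return false;
            }
        }
        if (hasAdminRole(claims)) {
            return true;
        }
        logger.warn("Given Token has no admin rights, is there a ROLE with name {} in 'realm_access' role set?", IOTDB_ADMIN_ROLE_NAME);
        return false;
    }

    /** Null- and type-safe lookup of {@code realm_access.roles}; anything unexpected means no admin role. */
    private static boolean hasAdminRole(Claims claims) {
        Object realmAccess = claims.get(REALM_ACCESS_CLAIM);
        if (!(realmAccess instanceof Map)) {
            return false;
        }
        Object roles = ((Map<?, ?>) realmAccess).get(ROLES_CLAIM);
        return roles instanceof Collection && ((Collection<?>) roles).contains(IOTDB_ADMIN_ROLE_NAME);
    }

    /**
     * All privileges reduce to the admin check: path and privilege id are ignored, so a non-admin
     * OpenID user holds no privilege at all.
     */
    @Override
    public boolean checkUserPrivileges(String username, PartialPath path, int privilegeId) throws AuthException {
        return isAdmin(username);
    }

    @Override
    public void updateUserPassword(String username, String password) {
        throwUnsupportedOperationException();
    }
}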
