package org.apache.hadoop.gateway.services.token.impl;

import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import org.apache.hadoop.gateway.config.GatewayConfig;
import org.apache.hadoop.gateway.services.Service;
import org.apache.hadoop.gateway.services.ServiceLifecycleException;
import org.apache.hadoop.gateway.services.security.AliasService;
import org.apache.hadoop.gateway.services.security.AliasServiceException;
import org.apache.hadoop.gateway.services.security.KeystoreService;
import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;

/* loaded from: input_file:org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.class */
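public class DefaultTokenAuthorityService implements JWTokenAuthority, Service {
    /** Alias service key under which an optional dedicated signing-key passphrase is provisioned. */
    private static final String SIGNING_KEY_PASSPHRASE = "signing.key.passphrase";
    /** Keystore alias used when the gateway config does not name a signing key alias. */
    private static final String DEFAULT_SIGNING_KEY_ALIAS = "gateway-identity";
    /** The only JWS algorithm this authority will issue; anything else is rejected before signing. */
    private static final String SUPPORTED_ALGORITHM = "RS256";
    /** Issuer claim written into every token. */
    private static final String ISSUER = "KNOXSSO";
    /** Expiry argument meaning "emit no expiry claim". */
    private static final long NO_EXPIRY = -1L;

    private AliasService as = null;
    private KeystoreService ks = null;
    // Package-private in the original; null means "use DEFAULT_SIGNING_KEY_ALIAS".
    String signingKeyAlias = null;

    /** Injects the keystore service that holds the signing key pair. */
    public void setKeystoreService(KeystoreService keystoreService) {
        this.ks = keystoreService;
    }

    /** Injects the alias service used to look up the signing-key passphrase. */
    public void setAliasService(AliasService aliasService) {
        this.as = aliasService;
    }

    /**
     * Issues a token for the first principal of {@code subject}.
     *
     * @param subject authenticated subject; its principal set is unordered, so "first" is whatever
     *     {@code toArray()} yields, as in the original implementation
     * @param str signing algorithm name
     * @return the signed token
     * @throws TokenServiceException if the subject carries no principals or signing fails
     */
    public JWTToken issueToken(Subject subject, String str) throws TokenServiceException {
        Object[] principals = subject.getPrincipals().toArray();
        if (principals.length == 0) {
            // Previously an ArrayIndexOutOfBoundsException; surface it as the declared exception type.
            throw new TokenServiceException("Cannot issue token - Subject has no principals");
        }
        return issueToken((Principal) principals[0], str);
    }

    /** Issues a token with no audience claim. */
    public JWTToken issueToken(Principal principal, String str) throws TokenServiceException {
        return issueToken(principal, (String) null, str);
    }

    /* renamed from: issueToken, reason: merged with bridge method [inline-methods] */
    /**
     * Decompiler rendering of the {@code issueToken(Principal, String, long)} overload:
     * no audience, explicit expiry.
     */
    public JWTToken m24issueToken(Principal principal, String str, long j) throws TokenServiceException {
        return issueToken(principal, (String) null, str, j);
    }

    /** Issues a token with a single audience and no expiry. */
    public JWTToken issueToken(Principal principal, String str, String str2) throws TokenServiceException {
        return issueToken(principal, str, str2, NO_EXPIRY);
    }

    /**
     * Issues a token with an optional single audience.
     *
     * @param principal subject of the token
     * @param str audience, or {@code null} for no audience claim
     * @param str2 signing algorithm name
     * @param j expiry, or {@link #NO_EXPIRY}
     */
    public JWTToken issueToken(Principal principal, String str, String str2, long j) throws TokenServiceException {
        List<String> audiences = null;
        if (str != null) {
            audiences = new ArrayList<String>();
            audiences.add(str);
        }
        return issueToken(principal, audiences, str2, j);
    }

    /**
     * Builds and signs a token.
     *
     * <p>Claims are laid out positionally as {@code [issuer, subject, null, expiry]}; the third slot
     * is always {@code null} here (its meaning is defined by {@link JWTToken}, not by this class).
     *
     * @param principal subject of the token
     * @param list audience list, may be {@code null}
     * @param str signing algorithm; only {@value #SUPPORTED_ALGORITHM} is accepted
     * @param j expiry, or {@link #NO_EXPIRY} to omit the claim
     * @return the signed token
     * @throws TokenServiceException on an unsupported algorithm, a missing or non-RSA signing key,
     *     or a keystore/alias lookup failure
     */
    public JWTToken issueToken(Principal principal, List<String> list, String str, long j) throws TokenServiceException {
        // Reject unsupported algorithms up front so nothing is built for a request that cannot be served.
        if (!SUPPORTED_ALGORITHM.equals(str)) {
            throw new TokenServiceException("Cannot issue token - Unsupported algorithm");
        }
        String[] claims = new String[4];
        claims[0] = ISSUER;
        claims[1] = principal.getName();
        claims[2] = null;
        claims[3] = j == NO_EXPIRY ? null : String.valueOf(j);
        JWTToken token = new JWTToken(SUPPORTED_ALGORITHM, claims, list);
        try {
            Object key = this.ks.getSigningKey(getSigningKeyAlias(), getSigningKeyPassphrase());
            // init() treats a null key as a failure; a non-RSA key would previously have failed
            // with a ClassCastException, so both are reported through the declared exception.
            if (!(key instanceof RSAPrivateKey)) {
                throw new TokenServiceException("Cannot issue token - RSA signing key is not available");
            }
            token.sign(new RSASSASigner((RSAPrivateKey) key));
            return token;
        } catch (KeystoreServiceException | AliasServiceException e) {
            throw new TokenServiceException(e);
        }
    }

    /**
     * Resolves the signing-key passphrase: the dedicated alias if provisioned, otherwise the
     * gateway identity passphrase.
     *
     * <p>The returned array is owned by the alias service and is not cleared here.
     */
    private char[] getSigningKeyPassphrase() throws AliasServiceException {
        char[] passphrase = this.as.getPasswordFromAliasForGateway(SIGNING_KEY_PASSPHRASE);
        if (passphrase == null) {
            passphrase = this.as.getGatewayIdentityPassphrase();
        }
        return passphrase;
    }

    /** Configured signing key alias, or the gateway identity alias when none is configured. */
    private String getSigningKeyAlias() {
        return this.signingKeyAlias == null ? DEFAULT_SIGNING_KEY_ALIAS : this.signingKeyAlias;
    }

    /**
     * Verifies a token's signature against the public key of the signing certificate.
     *
     * @param jWTToken token to verify
     * @return whether the signature validates
     * @throws TokenServiceException if the certificate or an RSA public key cannot be obtained
     */
    public boolean verifyToken(JWTToken jWTToken) throws TokenServiceException {
        try {
            Certificate certificate = this.ks.getSigningKeystore().getCertificate(getSigningKeyAlias());
            // getCertificate() returns null for an unknown alias; report that rather than NPE.
            PublicKey publicKey = certificate == null ? null : certificate.getPublicKey();
            if (!(publicKey instanceof RSAPublicKey)) {
                throw new TokenServiceException("Cannot verify token.");
            }
            return jWTToken.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        } catch (KeystoreServiceException | KeyStoreException e) {
            throw new TokenServiceException("Cannot verify token.", e);
        }
    }

    /**
     * Validates wiring and, when a dedicated signing-key passphrase is provisioned, checks that it
     * actually unlocks an RSA signing key. When no dedicated passphrase exists the gateway identity
     * passphrase is only tried lazily at issue time, as before.
     *
     * @throws ServiceLifecycleException if a dependency is missing, the provisioned passphrase does
     *     not yield an RSA private key, or the lookups fail
     */
    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        if (this.as == null || this.ks == null) {
            throw new ServiceLifecycleException("Alias or Keystore service is not set");
        }
        this.signingKeyAlias = gatewayConfig.getSigningKeyAlias();
        try {
            char[] passphrase = this.as.getPasswordFromAliasForGateway(SIGNING_KEY_PASSPHRASE);
            if (passphrase != null) {
                Object key = this.ks.getSigningKey(getSigningKeyAlias(), passphrase);
                if (key == null) {
                    throw new ServiceLifecycleException("Provisioned passphrase cannot be used to acquire signing key.");
                }
                if (!(key instanceof RSAPrivateKey)) {
                    // Was an unchecked ClassCastException; fail the lifecycle explicitly instead.
                    throw new ServiceLifecycleException("Signing key is not an RSA private key.");
                }
            }
        } catch (KeystoreServiceException | AliasServiceException e) {
            throw new ServiceLifecycleException("Provisioned signing key passphrase cannot be acquired.", e);
        }
    }

    /** No-op: nothing to start beyond {@link #init}. */
    public void start() throws ServiceLifecycleException {
    }

    /** No-op: no resources are held. */
    public void stop() throws ServiceLifecycleException {
    }
}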
