package org.apache.pulsar.broker.authentication;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.SignatureException;
import java.io.IOException;
import java.security.Key;
import javax.naming.AuthenticationException;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;

/* loaded from: input_file:org/apache/pulsar/broker/authentication/AuthenticationProviderToken.class */
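/**
 * {@link AuthenticationProvider} that authenticates a client from a JSON Web Token (JWT).
 *
 * <p>The token is taken from the binary-protocol command data or from an HTTP
 * {@code Authorization: Bearer <token>} header. Its signature is verified against the key
 * loaded in {@link #initialize(ServiceConfiguration)}, and the configured role claim is
 * returned as the authenticated role.
 *
 * <p>Key selection: when {@code tokenSecretKey} is set it is used and {@code tokenPublicKey}
 * is ignored; otherwise {@code tokenPublicKey} is required.
 */
public class AuthenticationProviderToken implements AuthenticationProvider {
    static final String HTTP_HEADER_NAME = "Authorization";
    static final String HTTP_HEADER_VALUE_PREFIX = "Bearer ";
    static final String CONF_TOKEN_SECRET_KEY = "tokenSecretKey";
    static final String CONF_TOKEN_PUBLIC_KEY = "tokenPublicKey";
    static final String CONF_TOKEN_AUTH_CLAIM = "tokenAuthClaim";
    static final String CONF_TOKEN_PUBLIC_ALG = "tokenPublicAlg";
    static final String TOKEN = "token";

    /** Claim read for the role when {@code tokenAuthClaim} is not configured. */
    private static final String DEFAULT_ROLE_CLAIM = "sub";

    private Key validationKey;
    private String roleClaim;
    private SignatureAlgorithm publicKeyAlg;

    /** Releases nothing; this provider holds no closeable resources. */
    @Override
    public void close() throws IOException {
    }

    /**
     * Loads the signature algorithm, the validation key and the role claim name from the
     * broker configuration.
     *
     * @param serviceConfiguration broker configuration holding the {@code token*} properties
     * @throws IOException if neither a secret key nor a public key is configured, or the key
     *     cannot be read or decoded by {@code AuthTokenUtils}
     * @throws IllegalArgumentException if {@code tokenPublicAlg} names an unknown algorithm
     */
    @Override
    public void initialize(ServiceConfiguration serviceConfiguration) throws IOException, IllegalArgumentException {
        // The algorithm must be resolved first: getValidationKey() reads this.publicKeyAlg
        // when it decodes a public key.
        this.publicKeyAlg = getPublicKeyAlgType(serviceConfiguration);
        this.validationKey = getValidationKey(serviceConfiguration);
        this.roleClaim = getTokenRoleClaim(serviceConfiguration);
    }

    /** Returns the authentication method name, {@code "token"}. */
    @Override
    public String getAuthMethodName() {
        return TOKEN;
    }

    /**
     * Authenticates the caller from the token carried in {@code authenticationDataSource}.
     *
     * @param authenticationDataSource source of the client credentials
     * @return the value of the configured role claim
     * @throws AuthenticationException if no token is present, the token is blank, or it fails
     *     signature verification or parsing
     */
    @Override
    public String authenticate(AuthenticationDataSource authenticationDataSource) throws AuthenticationException {
        return parseToken(getToken(authenticationDataSource));
    }

    /**
     * Extracts the raw token from the command data or, failing that, from the HTTP
     * {@code Authorization} header.
     *
     * @param authenticationDataSource source of the client credentials
     * @return the non-blank token string
     * @throws AuthenticationException if no credentials were passed, the header is missing or
     *     does not start with {@code "Bearer "}, or the token is blank
     */
    public static String getToken(AuthenticationDataSource authenticationDataSource) throws AuthenticationException {
        if (authenticationDataSource.hasDataFromCommand()) {
            // Apply the same blank check as the HTTP path, so that an empty or null command
            // token is rejected as an AuthenticationException before it reaches the parser.
            return validateToken(authenticationDataSource.getCommandData());
        }
        if (!authenticationDataSource.hasDataFromHttp()) {
            throw new AuthenticationException("No token credentials passed");
        }
        String httpHeader = authenticationDataSource.getHttpHeader(HTTP_HEADER_NAME);
        if (httpHeader == null || !httpHeader.startsWith(HTTP_HEADER_VALUE_PREFIX)) {
            throw new AuthenticationException("Invalid HTTP Authorization header");
        }
        return validateToken(httpHeader.substring(HTTP_HEADER_VALUE_PREFIX.length()));
    }

    /**
     * Rejects null, empty and whitespace-only tokens.
     *
     * @param str candidate token
     * @return {@code str} unchanged when it is not blank
     * @throws AuthenticationException if {@code str} is blank
     */
    private static String validateToken(String str) throws AuthenticationException {
        if (StringUtils.isNotBlank(str)) {
            return str;
        }
        throw new AuthenticationException("Blank token found");
    }

    /**
     * Verifies the token signature with the validation key and returns the role claim.
     *
     * @param str compact JWT string
     * @return the role claim value
     * @throws AuthenticationException if the token is not a correctly signed claims JWS or
     *     cannot be parsed
     */
    private String parseToken(String str) throws AuthenticationException {
        try {
            // parseClaimsJws() only accepts a signed claims token. The generic parse() also
            // returns unsigned tokens, for which the signing key is never consulted, so it
            // must not be used to authenticate.
            // NOTE(review): a token without the role claim yields null here; confirm how
            // callers of authenticate() treat a null role.
            return Jwts.parser()
                    .setSigningKey(this.validationKey)
                    .parseClaimsJws(str)
                    .getBody()
                    .get(this.roleClaim, String.class);
        } catch (JwtException e) {
            AuthenticationException failure =
                    new AuthenticationException("Failed to authentication token: " + e.getMessage());
            // Keep the parser exception as the cause so the failure can be diagnosed from logs.
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Resolves the key used to verify token signatures.
     *
     * @param serviceConfiguration broker configuration
     * @return the secret key when {@code tokenSecretKey} is set, otherwise the public key
     *     from {@code tokenPublicKey} decoded for {@code this.publicKeyAlg}
     * @throws IOException if neither property is set, or reading or decoding the key fails
     */
    private Key getValidationKey(ServiceConfiguration serviceConfiguration) throws IOException {
        // isNotBlank() is false for null, so one check covers "unset" and "blank".
        String secretKeyLocation = (String) serviceConfiguration.getProperty(CONF_TOKEN_SECRET_KEY);
        if (StringUtils.isNotBlank(secretKeyLocation)) {
            return AuthTokenUtils.decodeSecretKey(AuthTokenUtils.readKeyFromUrl(secretKeyLocation));
        }
        String publicKeyLocation = (String) serviceConfiguration.getProperty(CONF_TOKEN_PUBLIC_KEY);
        if (StringUtils.isNotBlank(publicKeyLocation)) {
            return AuthTokenUtils.decodePublicKey(AuthTokenUtils.readKeyFromUrl(publicKeyLocation), this.publicKeyAlg);
        }
        throw new IOException("No secret key was provided for token authentication");
    }

    /**
     * Returns the name of the claim that carries the role.
     *
     * @param serviceConfiguration broker configuration
     * @return the value of {@code tokenAuthClaim}, or {@code "sub"} when it is unset or blank
     */
    private String getTokenRoleClaim(ServiceConfiguration serviceConfiguration) throws IOException {
        String configuredClaim = (String) serviceConfiguration.getProperty(CONF_TOKEN_AUTH_CLAIM);
        return StringUtils.isNotBlank(configuredClaim) ? configuredClaim : DEFAULT_ROLE_CLAIM;
    }

    /**
     * Returns the signature algorithm used to decode the public key.
     *
     * @param serviceConfiguration broker configuration
     * @return the algorithm named by {@code tokenPublicAlg}, or RS256 when it is unset or blank
     * @throws IllegalArgumentException if the configured name is not a known algorithm
     */
    private SignatureAlgorithm getPublicKeyAlgType(ServiceConfiguration serviceConfiguration) throws IllegalArgumentException {
        String algName = (String) serviceConfiguration.getProperty(CONF_TOKEN_PUBLIC_ALG);
        if (!StringUtils.isNotBlank(algName)) {
            return SignatureAlgorithm.RS256;
        }
        try {
            return SignatureAlgorithm.forName(algName);
        } catch (SignatureException e) {
            throw new IllegalArgumentException("invalid algorithm provided " + algName, e);
        }
    }
}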
