package org.apache.pulsar.broker.authentication;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.SignatureException;
import java.io.IOException;
import java.net.SocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.List;
import java.util.stream.Collectors;
import javax.naming.AuthenticationException;
import javax.net.ssl.SSLSession;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.common.api.AuthData;

/* loaded from: input_file:org/apache/pulsar/broker/authentication/AuthenticationProviderToken.class */
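/**
 * Broker-side authentication provider for JWT bearer tokens.
 *
 * <p>A token is accepted only if it is a signed JWS whose signature verifies against the single
 * configured validation key (an HMAC secret via {@code tokenSecretKey}, or an RSA/EC public key via
 * {@code tokenPublicKey}). The principal (role) is read from the claim named by
 * {@code tokenAuthClaim} (default {@code sub}). When {@code tokenAudienceClaim} is configured, the
 * token must additionally carry {@code tokenAudience} in that claim, either as a plain string or
 * as one element of a list.
 *
 * <p>Instances are configured once by {@link #initialize(ServiceConfiguration)} and then used
 * read-only; no thread-safety guarantees are made for concurrent re-initialization.
 */
public class AuthenticationProviderToken implements AuthenticationProvider {
    static final String HTTP_HEADER_NAME = "Authorization";
    static final String HTTP_HEADER_VALUE_PREFIX = "Bearer ";
    /** Setting whose value prefixes every other setting name; empty prefix when unset. */
    static final String CONF_TOKEN_SETTING_PREFIX = "";
    static final String CONF_TOKEN_SECRET_KEY = "tokenSecretKey";
    static final String CONF_TOKEN_PUBLIC_KEY = "tokenPublicKey";
    static final String CONF_TOKEN_AUTH_CLAIM = "tokenAuthClaim";
    static final String CONF_TOKEN_PUBLIC_ALG = "tokenPublicAlg";
    static final String CONF_TOKEN_AUDIENCE_CLAIM = "tokenAudienceClaim";
    static final String CONF_TOKEN_AUDIENCE = "tokenAudience";
    static final String TOKEN = "token";
    /** Claim consulted for the role when {@code tokenAuthClaim} is not configured. */
    private static final String DEFAULT_ROLE_CLAIM = "sub";

    // Key used to verify token signatures: a SecretKey (HMAC) or a PublicKey (RSA/EC).
    private Key validationKey;
    // Name of the claim holding the principal/role.
    private String roleClaim;
    // Algorithm expected for public-key tokens; only consulted when tokenPublicKey is used.
    private SignatureAlgorithm publicKeyAlg;
    // Name of the audience claim to enforce, or null to skip audience checking.
    private String audienceClaim;
    // Audience value identifying this broker; non-null whenever audienceClaim is non-null.
    private String audience;
    // Fully-prefixed setting names, resolved in initialize().
    private String confTokenSecretKeySettingName;
    private String confTokenPublicKeySettingName;
    private String confTokenAuthClaimSettingName;
    private String confTokenPublicAlgSettingName;
    private String confTokenAudienceClaimSettingName;
    private String confTokenAudienceSettingName;

    /* loaded from: input_file:org/apache/pulsar/broker/authentication/AuthenticationProviderToken$TokenAuthenticationState.class */
    /**
     * Per-connection state for the binary protocol. Token auth is single-step, so the token is
     * validated eagerly in the constructor and {@link #isComplete()} is always true afterwards.
     */
    private static final class TokenAuthenticationState implements AuthenticationState {
        private final AuthenticationProviderToken provider;
        private AuthenticationDataSource authenticationDataSource;
        private Jwt<?, Claims> jwt;
        private final SocketAddress remoteAddress;
        private final SSLSession sslSession;
        // Epoch millis of the token's "exp" claim, or Long.MAX_VALUE when the token has none.
        private long expiration;

        /**
         * Creates the state and validates the initial credentials immediately.
         *
         * @throws AuthenticationException if the token is blank, unsigned, badly signed, expired
         *         or fails the audience check
         */
        TokenAuthenticationState(AuthenticationProviderToken provider, AuthData authData,
                                 SocketAddress remoteAddress, SSLSession sslSession) throws AuthenticationException {
            this.provider = provider;
            this.remoteAddress = remoteAddress;
            this.sslSession = sslSession;
            // The class is final, so calling an overridable-looking method here is safe.
            authenticate(authData);
        }

        @Override // org.apache.pulsar.broker.authentication.AuthenticationState
        public String getAuthRole() throws AuthenticationException {
            return this.provider.getPrincipal(this.jwt);
        }

        /**
         * Validates the token carried in {@code authData} and records its expiry.
         *
         * @return always {@code null}: token auth needs no further challenge round-trip
         * @throws AuthenticationException if the credential is missing/blank or the token is invalid
         */
        @Override // org.apache.pulsar.broker.authentication.AuthenticationState
        public AuthData authenticate(AuthData authData) throws AuthenticationException {
            if (authData == null || authData.getBytes() == null) {
                throw new AuthenticationException("No token credentials passed");
            }
            // Reject blank tokens here with an AuthenticationException rather than letting the
            // parser surface an IllegalArgumentException to the connection handler.
            String token = validateToken(new String(authData.getBytes(), StandardCharsets.UTF_8));
            this.jwt = this.provider.authenticateToken(token);
            this.authenticationDataSource = new AuthenticationDataCommand(token, this.remoteAddress, this.sslSession);
            Claims claims = this.jwt.getBody();
            this.expiration = claims.getExpiration() == null ? Long.MAX_VALUE : claims.getExpiration().getTime();
            return null;
        }

        @Override // org.apache.pulsar.broker.authentication.AuthenticationState
        public AuthenticationDataSource getAuthDataSource() {
            return this.authenticationDataSource;
        }

        @Override // org.apache.pulsar.broker.authentication.AuthenticationState
        public boolean isComplete() {
            return true;
        }

        /** True once the wall clock passes the token's "exp" claim; never true without one. */
        @Override // org.apache.pulsar.broker.authentication.AuthenticationState
        public boolean isExpired() {
            return this.expiration < System.currentTimeMillis();
        }
    }

    /** Nothing to release: the provider holds only in-memory key material. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
    }

    /**
     * Resolves setting names, loads the validation key and claim configuration.
     *
     * @throws IOException if no key is configured or the key cannot be read/decoded
     * @throws IllegalArgumentException if {@code tokenPublicAlg} names an unknown algorithm, or an
     *         audience claim is configured without the broker's own audience value
     */
    @Override // org.apache.pulsar.broker.authentication.AuthenticationProvider
    public void initialize(ServiceConfiguration config) throws IOException, IllegalArgumentException {
        String prefix = (String) config.getProperty(CONF_TOKEN_SETTING_PREFIX);
        if (prefix == null) {
            prefix = CONF_TOKEN_SETTING_PREFIX;
        }
        this.confTokenSecretKeySettingName = prefix + CONF_TOKEN_SECRET_KEY;
        this.confTokenPublicKeySettingName = prefix + CONF_TOKEN_PUBLIC_KEY;
        this.confTokenAuthClaimSettingName = prefix + CONF_TOKEN_AUTH_CLAIM;
        this.confTokenPublicAlgSettingName = prefix + CONF_TOKEN_PUBLIC_ALG;
        this.confTokenAudienceClaimSettingName = prefix + CONF_TOKEN_AUDIENCE_CLAIM;
        this.confTokenAudienceSettingName = prefix + CONF_TOKEN_AUDIENCE;

        // Order matters: getValidationKey() decodes a public key with publicKeyAlg.
        this.publicKeyAlg = getPublicKeyAlgType(config);
        this.validationKey = getValidationKey(config);
        this.roleClaim = getTokenRoleClaim(config);
        this.audienceClaim = getTokenAudienceClaim(config);
        this.audience = getTokenAudience(config);
        // Fail closed at startup: an audience check with nothing to compare against would
        // otherwise reject every token (or, worse, be silently skipped).
        if (this.audienceClaim != null && this.audience == null) {
            throw new IllegalArgumentException("Token Audience Claim [" + this.audienceClaim + "] configured, but Audience stands for this broker not.");
        }
    }

    @Override // org.apache.pulsar.broker.authentication.AuthenticationProvider
    public String getAuthMethodName() {
        return TOKEN;
    }

    /**
     * Authenticates a request and returns its role.
     *
     * @return the role claim's value; may be {@code null} when the claim is absent from an
     *         otherwise valid token (see {@link #getPrincipal(Jwt)})
     * @throws AuthenticationException if no token was supplied or it fails validation
     */
    @Override // org.apache.pulsar.broker.authentication.AuthenticationProvider
    public String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
        String token = getToken(authData);
        return getPrincipal(authenticateToken(token));
    }

    @Override // org.apache.pulsar.broker.authentication.AuthenticationProvider
    public AuthenticationState newAuthState(AuthData authData, SocketAddress remoteAddress, SSLSession sslSession) throws AuthenticationException {
        return new TokenAuthenticationState(this, authData, remoteAddress, sslSession);
    }

    /**
     * Extracts the raw token from the binary-protocol command data or, failing that, from the
     * HTTP {@code Authorization: Bearer <token>} header.
     *
     * @return the non-blank token string (not yet validated)
     * @throws AuthenticationException if no token is present, the header is malformed, or the
     *         token is blank
     */
    public static String getToken(AuthenticationDataSource authData) throws AuthenticationException {
        if (authData.hasDataFromCommand()) {
            return validateToken(authData.getCommandData());
        }
        if (!authData.hasDataFromHttp()) {
            throw new AuthenticationException("No token credentials passed");
        }
        String header = authData.getHttpHeader(HTTP_HEADER_NAME);
        // The scheme match is case-sensitive ("Bearer "), which is stricter than RFC 6750's
        // case-insensitive scheme names; kept as-is to preserve existing behaviour.
        if (header == null || !header.startsWith(HTTP_HEADER_VALUE_PREFIX)) {
            throw new AuthenticationException("Invalid HTTP Authorization header");
        }
        return validateToken(header.substring(HTTP_HEADER_VALUE_PREFIX.length()));
    }

    /**
     * Rejects null/blank tokens early so the JWT parser never sees an empty string.
     *
     * @return {@code token} unchanged when it contains non-whitespace characters
     * @throws AuthenticationException if the token is null, empty or whitespace-only
     */
    private static String validateToken(String token) throws AuthenticationException {
        if (StringUtils.isBlank(token)) {
            throw new AuthenticationException("Blank token found");
        }
        return token;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Parses and verifies a token: signature against {@link #validationKey}, the standard
     * time-based claims enforced by the parser, and (if configured) the audience claim.
     *
     * @return the verified JWS with its claims
     * @throws AuthenticationException if the token is malformed, unsigned, badly signed, expired,
     *         or does not carry the expected audience
     */
    public Jwt<?, Claims> authenticateToken(String token) throws AuthenticationException {
        try {
            // parseClaimsJws (as opposed to parse/parseClaimsJwt) accepts only a *signed* JWS whose
            // signature verifies with validationKey; jjwt also rejects an "alg" incompatible with
            // the key type (HMAC secret vs RSA/EC public key) — confirm for the jjwt version in use.
            Jws<Claims> jws = Jwts.parserBuilder()
                    .setSigningKey(this.validationKey)
                    .build()
                    .parseClaimsJws(token);
            if (this.audienceClaim != null) {
                checkAudience(jws.getBody());
            }
            return jws;
        } catch (JwtException e) {
            // Covers signature, expiry, malformed-token and missing-audience failures. The message
            // is returned to the client; the cause is kept for server-side diagnostics.
            AuthenticationException failure =
                    new AuthenticationException("Failed to authentication token: " + e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Enforces that {@link #audience} appears in the configured audience claim, which may be a
     * single string or a list.
     *
     * @throws JwtException if the claim is absent (wrapped by the caller like any parser error)
     * @throws AuthenticationException if the claim has an unexpected type or does not contain
     *         this broker's audience
     */
    private void checkAudience(Claims claims) throws AuthenticationException {
        Object aud = claims.get(this.audienceClaim);
        if (aud == null) {
            throw new JwtException("Found null Audience in token, for claimed field: " + this.audienceClaim);
        }
        if (aud instanceof List) {
            List<?> audiences = (List<?>) aud;
            // Compare from the configured (non-null) side so that null or non-String list entries
            // in an attacker-controlled token simply fail to match instead of throwing NPE/CCE.
            if (audiences.stream().noneMatch(this.audience::equals)) {
                String listed = audiences.stream().map(String::valueOf).collect(Collectors.joining(", "));
                throw new AuthenticationException("Audiences in token: [" + listed + "] not contains this broker: " + this.audience);
            }
        } else if (aud instanceof String) {
            if (!this.audience.equals(aud)) {
                throw new AuthenticationException("Audiences in token: [" + aud + "] not contains this broker: " + this.audience);
            }
        } else {
            throw new AuthenticationException("Audiences in token is not in expected format: " + aud);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reads the role from the configured claim of an already-verified token.
     *
     * @return the claim value, or {@code null} when the claim is absent. NOTE(review): a claim that
     *         is present with a non-String value makes jjwt throw an unchecked exception here,
     *         outside the wrapping in {@link #authenticateToken(String)} — confirm how callers
     *         handle that.
     */
    public String getPrincipal(Jwt<?, Claims> jwt) {
        return jwt.getBody().get(this.roleClaim, String.class);
    }

    /**
     * Reads a setting as a String, treating an absent or blank value as unset.
     *
     * @return the trimmed-nonblank value, or {@code null} when absent/blank
     */
    private static String nonBlankProperty(ServiceConfiguration config, String settingName) {
        String value = (String) config.getProperty(settingName);
        return StringUtils.isNotBlank(value) ? value : null;
    }

    /**
     * Loads the signature-verification key. A configured secret key takes precedence over a
     * public key when both are present.
     *
     * @throws IOException if neither key setting is present, or the key cannot be read/decoded
     */
    private Key getValidationKey(ServiceConfiguration config) throws IOException {
        String secretKeyLocation = nonBlankProperty(config, this.confTokenSecretKeySettingName);
        if (secretKeyLocation != null) {
            // Symmetric key: any party holding it can mint valid tokens, not just verify them.
            return AuthTokenUtils.decodeSecretKey(AuthTokenUtils.readKeyFromUrl(secretKeyLocation));
        }
        String publicKeyLocation = nonBlankProperty(config, this.confTokenPublicKeySettingName);
        if (publicKeyLocation != null) {
            return AuthTokenUtils.decodePublicKey(AuthTokenUtils.readKeyFromUrl(publicKeyLocation), this.publicKeyAlg);
        }
        throw new IOException("No secret key was provided for token authentication");
    }

    /** Claim name holding the role; defaults to {@code sub}. */
    private String getTokenRoleClaim(ServiceConfiguration config) throws IOException {
        String claim = nonBlankProperty(config, this.confTokenAuthClaimSettingName);
        return claim == null ? DEFAULT_ROLE_CLAIM : claim;
    }

    /**
     * Algorithm used to decode the public key; defaults to RS256.
     *
     * @throws IllegalArgumentException if the configured name is not a known signature algorithm
     */
    private SignatureAlgorithm getPublicKeyAlgType(ServiceConfiguration config) throws IllegalArgumentException {
        String algName = nonBlankProperty(config, this.confTokenPublicAlgSettingName);
        if (algName == null) {
            return SignatureAlgorithm.RS256;
        }
        try {
            return SignatureAlgorithm.forName(algName);
        } catch (SignatureException e) {
            throw new IllegalArgumentException("invalid algorithm provided " + algName, e);
        }
    }

    /** Name of the audience claim to enforce, or {@code null} when audience checking is off. */
    private String getTokenAudienceClaim(ServiceConfiguration config) throws IllegalArgumentException {
        return nonBlankProperty(config, this.confTokenAudienceClaimSettingName);
    }

    /** This broker's audience value, or {@code null} when not configured. */
    private String getTokenAudience(ServiceConfiguration config) throws IllegalArgumentException {
        return nonBlankProperty(config, this.confTokenAudienceSettingName);
    }
}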
