package org.apache.hadoop.security.authentication.util;

import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.InvalidParameterException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import org.apache.hadoop.shaded.com.auth0.jwk.JwkException;
import org.apache.hadoop.shaded.com.auth0.jwk.UrlJwkProvider;
import org.apache.hadoop.shaded.com.auth0.jwt.JWT;
import org.apache.hadoop.shaded.com.auth0.jwt.algorithms.Algorithm;
import org.apache.hadoop.shaded.com.auth0.jwt.interfaces.DecodedJWT;
import org.apache.hadoop.shaded.javax.servlet.http.Cookie;
import org.apache.hadoop.shaded.javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/security/authentication/util/JWTUtils.class */
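/**
 * Static helpers for the SSO login path: validating a JSON Web Token (signature, audience and
 * expiry), reading the token from the SSO cookie, and rewriting IP-literal URLs to host names.
 *
 * <p>NOTE(review): trust anchor. {@code verifyToken} requires the issuer to equal the token's own
 * {@code iss} claim, and {@code loadPublicKey} downloads the verification keys from a URL built
 * from that same claim. Both values are read before the signature has been checked, so the token
 * itself decides which key set it is verified against, and the issuer check can never fail.
 * The expected issuer (and its JWKS location) should come from server configuration; no such
 * setting is visible in this file, so the behaviour is left unchanged here and must be fixed
 * together with {@code SsoConfigurationUtil}.
 */
public class JWTUtils {
    private static final Logger LOG = LoggerFactory.getLogger(JWTUtils.class);

    /**
     * Runs signature, audience and expiration checks on a decoded token.
     *
     * @param decodedJWT the decoded, not yet trusted, token
     * @return {@code true} only when all three checks pass; {@code false} on any failed check or
     *     on any exception, including the {@link InvalidParameterException} raised by
     *     {@link #verifyToken(DecodedJWT)}
     */
    public static boolean validateToken(DecodedJWT decodedJWT) throws InvalidParameterException {
        try {
            DecodedJWT verified = verifyToken(decodedJWT);
            if (verified == null) {
                LOG.warn("Token validation failed.");
                return false;
            }
            // Claims are only inspected on the object handed back by the verifier.
            boolean audienceOk = validateAudiences(verified);
            if (!audienceOk) {
                LOG.warn("Audience validation failed.");
            }
            boolean notExpired = validateExpiration(verified);
            if (!notExpired) {
                LOG.info("Expiration validation failed.");
            }
            return audienceOk && notExpired;
        } catch (Exception e) {
            LOG.error("Exception while validating/introspecting jwt token, check debug logs for more details");
            // Route the stack trace through the logger instead of stderr so it follows log policy.
            LOG.debug("JWT validation failure details", e);
            return false;
        }
    }

    /**
     * Verifies the token signature with the configured RSA algorithm.
     *
     * <p>The algorithm name is taken from {@code SsoConfigurationUtil}, not from the token header.
     *
     * <p>NOTE(review): {@code withIssuer(decodedJWT.getIssuer())} compares the token's issuer with
     * itself and therefore constrains nothing; see the class comment.
     *
     * @param decodedJWT the decoded, not yet trusted, token
     * @return the token as returned by the verifier
     * @throws InvalidParameterException if key retrieval or verification fails for any reason; the
     *     message carries the underlying exception text, so callers should not echo it to clients
     */
    public static DecodedJWT verifyToken(DecodedJWT decodedJWT) throws InvalidParameterException {
        try {
            String configuredAlgorithm = SsoConfigurationUtil.getInstance().getJwsSsoAlgorithm();
            Algorithm algorithm = getSigntureAlgorithm(configuredAlgorithm, loadPublicKey(decodedJWT));
            return JWT.require(algorithm)
                    .withIssuer(decodedJWT.getIssuer())
                    .build()
                    .verify(decodedJWT);
        } catch (Exception e) {
            LOG.debug("JWT verification failure details", e);
            LOG.error("Unable to authenticate: {}", e.getMessage());
            throw new InvalidParameterException("Unable to authenticate: " + e.getMessage());
        }
    }

    /**
     * Maps the configured algorithm name to a verification-only RSA algorithm (no private key).
     *
     * @param str configured algorithm name; {@code "RS384"} and {@code "RS512"} are recognised,
     *     every other value (including {@code "RS256"}) selects RS256
     * @param rSAPublicKey public key used to verify signatures
     * @return the matching algorithm instance
     */
    private static Algorithm getSigntureAlgorithm(String str, RSAPublicKey rSAPublicKey) {
        switch (str) {
            case "RS384":
                return Algorithm.RSA384(rSAPublicKey, (RSAPrivateKey) null);
            case "RS512":
                return Algorithm.RSA512(rSAPublicKey, (RSAPrivateKey) null);
            case "RS256":
            default:
                return Algorithm.RSA256(rSAPublicKey, (RSAPrivateKey) null);
        }
    }

    /**
     * Fetches the RSA public key whose id matches the token's {@code kid}.
     *
     * <p>NOTE(review): the key-set URL is derived from the unverified {@code iss} claim, so this
     * makes an outbound request to a location named by the token and trusts the keys served
     * there. The URL should be fixed by configuration or checked against an allow-list before
     * the request is made. A new provider is also constructed on every call.
     */
    private static RSAPublicKey loadPublicKey(DecodedJWT decodedJWT) throws JwkException, MalformedURLException {
        URL certificateUrl = new URL(getKeycloakCertificateUrl(decodedJWT));
        return (RSAPublicKey) new UrlJwkProvider(certificateUrl).get(decodedJWT.getKeyId()).getPublicKey();
    }

    /** Builds the certificate endpoint URL by appending the OpenID Connect certs path to {@code iss}. */
    private static String getKeycloakCertificateUrl(DecodedJWT decodedJWT) {
        return decodedJWT.getIssuer() + "/protocol/openid-connect/certs";
    }

    /**
     * Checks that the {@code exp} claim, when present, lies in the future.
     *
     * <p>NOTE(review): a token without an {@code exp} claim is accepted and so never expires from
     * this method's point of view; confirm that this is intended, otherwise reject a missing claim.
     */
    private static boolean validateExpiration(DecodedJWT decodedJWT) {
        Date expiresAt = decodedJWT.getClaim("exp").asDate();
        if (expiresAt == null || new Date().before(expiresAt)) {
            LOG.debug("JWT token expiration date has been successfully validated");
            return true;
        }
        LOG.warn("JWT expiration date validation failed.");
        return false;
    }

    /**
     * Checks that at least one {@code aud} entry of the token is among the configured audiences.
     *
     * <p>When no audiences are configured the check is skipped and every token passes.
     *
     * <p>NOTE(review): the return type of {@code getAudiences()} is not visible here; if it is a
     * {@code String} rather than a collection, {@code contains} is a substring match - confirm.
     */
    private static boolean validateAudiences(DecodedJWT decodedJWT) {
        List<String> tokenAudiences = decodedJWT.getClaim("aud").asList(String.class);
        if (SsoConfigurationUtil.getInstance().getAudiences().isEmpty()) {
            return true;
        }
        // A missing "aud" claim yields null; treat it as "no audience matched" rather than
        // relying on the caller to swallow a NullPointerException.
        if (tokenAudiences != null) {
            for (String audience : tokenAudiences) {
                if (SsoConfigurationUtil.getInstance().getAudiences().contains(audience)) {
                    LOG.debug("JWT token audience has been successfully validated");
                    return true;
                }
            }
        }
        LOG.warn("JWT audience validation failed.");
        return false;
    }

    /**
     * Returns the value of the first cookie whose name equals the configured SSO cookie name.
     *
     * <p>Only the cookie name is logged, never its value.
     *
     * @param httpServletRequest the incoming request
     * @return the raw cookie value, or {@code null} when the request has no such cookie
     */
    public static String getJWTFromCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        String cookieName = SsoConfigurationUtil.getInstance().getCookieName();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (cookieName.equals(cookie.getName())) {
                LOG.info("{} cookie has been found and is being processed", cookieName);
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Replaces an IP-literal host in {@code str} with the host name reported for that address.
     *
     * <p>The host is resolved with {@link InetAddress#getByName(String)}; the rewrite only happens
     * when {@code str} contains the resolved address text. Any failure returns {@code str} as is.
     *
     * <p>NOTE(review): the log message suggests {@code str} comes from the request; if so, this
     * performs name lookups for a caller-supplied host and the result depends on DNS answers.
     *
     * @param str absolute URL
     * @return the rewritten URL, or {@code str} unchanged
     */
    public static String constructURLWithHostname(String str) {
        try {
            URI uri = new URI(str);
            InetAddress resolved = InetAddress.getByName(new URL(str).getHost());
            if (str.contains(resolved.getHostAddress())) {
                String authority = resolved.getHostName();
                int port = uri.getPort();
                // getPort() is -1 when the URL has no explicit port; appending it would
                // produce an authority such as "host:-1".
                if (port != -1) {
                    authority = authority + ":" + port;
                }
                return replaceHostInUrl(uri, authority);
            }
        } catch (Exception e) {
            LOG.warn("Can't create new URL from request hostname {}. Use URL from request.", str);
            LOG.debug("URL rewrite failure details", e);
        }
        return str;
    }

    /**
     * Rebuilds {@code uri} with a new authority, keeping path, query and fragment, and lower-casing
     * the scheme.
     *
     * @param uri source URI; must have a scheme
     * @param str replacement authority ({@code host} or {@code host:port})
     * @return the rebuilt URI as a string, or {@code uri.toString()} when the parts do not form a
     *     valid URI
     */
    public static String replaceHostInUrl(URI uri, String str) {
        try {
            String scheme = uri.getScheme().toLowerCase(Locale.US);
            return new URI(scheme, str, uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
        } catch (URISyntaxException e) {
            // Passing the exception as the last argument logs its stack trace via the logger.
            LOG.warn("Can't create new URI with hostname for host {}", str, e);
            return uri.toString();
        }
    }
}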
