package com.facebook.presto.server.security;

import com.facebook.presto.spi.security.BasicPrincipal;
import com.google.common.base.CharMatcher;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.io.Files;
import io.airlift.security.pem.PemReader;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.UnsupportedJwtException;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.Principal;
import java.util.Base64;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.function.Function;
import javax.crypto.spec.SecretKeySpec;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:com/facebook/presto/server/security/JsonWebTokenAuthenticator.class */
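/**
 * Authenticator that takes a JWT from the {@code Authorization: Bearer} request header, verifies
 * its signature with a key loaded from the configured key file, and maps the token subject to a
 * {@link BasicPrincipal}.
 *
 * <p>The key file is either a single file (static mode) or a path template containing
 * {@code ${KID}}, in which case the key is chosen per token from the {@code kid} header.
 *
 * <p>NOTE(review): issuer and audience are the only claims this class pins, and only when they are
 * configured. Nothing here requires an {@code exp} claim, so token lifetime depends on what the
 * issuer puts in the token; confirm that issued tokens always carry an expiry.
 */
public class JsonWebTokenAuthenticator implements Authenticator {
    private static final String DEFAULT_KEY = "default-key";
    // Matches every character that is NOT in [A-Za-z0-9_-]; used to neutralise the kid header
    // before it is substituted into a file path.
    private static final CharMatcher INVALID_KID_CHARS = CharMatcher.inRange('a', 'z').or(CharMatcher.inRange('A', 'Z')).or(CharMatcher.inRange('0', '9')).or(CharMatcher.anyOf("_-")).negate();
    private static final String KEY_ID_VARIABLE = "${KID}";
    private final JwtParser jwtParser;
    private final Function<JwsHeader<?>, Key> keyLoader;

    /**
     * Resolves the verification key per token by substituting the sanitised {@code kid} header
     * into the key file template.
     */
    private static class DynamicKeyLoader implements Function<JwsHeader<?>, Key> {
        private final String keyFile;
        // Keys are added on first use and never evicted or reloaded in this class, so a key file
        // that is replaced or removed on disk stays trusted until the process restarts.
        private final ConcurrentMap<String, LoadedKey> keys = new ConcurrentHashMap<>();

        public DynamicKeyLoader(String str) {
            Objects.requireNonNull(str, "keyFile is null");
            Preconditions.checkArgument(str.contains(JsonWebTokenAuthenticator.KEY_ID_VARIABLE));
            this.keyFile = str;
        }

        @Override
        public Key apply(JwsHeader<?> jwsHeader) {
            String keyId = getKeyId(jwsHeader);
            // loadKey throws when the file is unreadable, and computeIfAbsent records nothing in
            // that case, so only key ids that map to a readable file end up in the cache.
            LoadedKey loaded = this.keys.computeIfAbsent(keyId, this::loadKey);
            return loaded.getKey(SignatureAlgorithm.forName(jwsHeader.getAlgorithm()));
        }

        /**
         * Returns the key id to use for the token: {@code default-key} when the header has no
         * {@code kid}, otherwise the {@code kid} with every character outside
         * {@code [A-Za-z0-9_-]} replaced by {@code '_'}. The kid is attacker-controlled, and this
         * replacement is what keeps path separators and dots out of the resolved file name.
         */
        private static String getKeyId(JwsHeader<?> jwsHeader) {
            String keyId = jwsHeader.getKeyId();
            if (keyId == null) {
                return JsonWebTokenAuthenticator.DEFAULT_KEY;
            }
            return JsonWebTokenAuthenticator.INVALID_KID_CHARS.replaceFrom(keyId, '_');
        }

        private LoadedKey loadKey(String str) {
            return JsonWebTokenAuthenticator.loadKeyFile(new File(this.keyFile.replace(JsonWebTokenAuthenticator.KEY_ID_VARIABLE, str)));
        }
    }

    /**
     * Key material read from one key file: either a public key or raw HMAC secret bytes, never
     * both. The kind is fixed by the file contents, not by the token.
     */
    public static class LoadedKey {
        private final Key publicKey;
        private final byte[] hmacKey;

        public LoadedKey(Key key) {
            this.publicKey = Objects.requireNonNull(key, "publicKey is null");
            this.hmacKey = null;
        }

        public LoadedKey(byte[] bArr) {
            this.hmacKey = Objects.requireNonNull(bArr, "hmacKey is null");
            this.publicKey = null;
        }

        /**
         * Returns the key to verify a token signed with {@code signatureAlgorithm}.
         *
         * <p>The algorithm comes from the untrusted token header, so it is only allowed to select
         * a key of the matching kind: an HMAC algorithm is served only from HMAC secret bytes and
         * any other algorithm only from a public key. A file loaded as a public key is therefore
         * never handed out as an HMAC secret.
         *
         * @throws UnsupportedJwtException if the loaded key is of the other kind
         */
        public Key getKey(SignatureAlgorithm signatureAlgorithm) {
            if (signatureAlgorithm.isHmac()) {
                if (this.hmacKey == null) {
                    throw new UnsupportedJwtException(String.format("JWT is signed with %s, but no HMAC key is configured", signatureAlgorithm));
                }
                // NOTE(review): no minimum length is enforced on the HMAC secret here.
                return new SecretKeySpec(this.hmacKey, signatureAlgorithm.getJcaName());
            }
            if (this.publicKey == null) {
                throw new UnsupportedJwtException(String.format("JWT is signed with %s, but no key is configured", signatureAlgorithm));
            }
            return this.publicKey;
        }
    }

    /** Serves every token from one key file that is loaded once, at construction time. */
    private static class StaticKeyLoader implements Function<JwsHeader<?>, Key> {
        private final LoadedKey key;

        public StaticKeyLoader(String str) {
            Objects.requireNonNull(str, "keyFile is null");
            Preconditions.checkArgument(!str.contains(JsonWebTokenAuthenticator.KEY_ID_VARIABLE));
            this.key = JsonWebTokenAuthenticator.loadKeyFile(new File(str));
        }

        @Override
        public Key apply(JwsHeader<?> jwsHeader) {
            return this.key.getKey(SignatureAlgorithm.forName(jwsHeader.getAlgorithm()));
        }
    }

    /**
     * Builds the authenticator from configuration.
     *
     * <p>A key file path containing {@code ${KID}} selects per-token key lookup; any other path is
     * loaded once as the single verification key. Issuer and audience are enforced by the parser
     * only when the configuration supplies them.
     *
     * @param jsonWebTokenConfig JWT settings; must not be null
     */
    @Inject
    public JsonWebTokenAuthenticator(JsonWebTokenConfig jsonWebTokenConfig) {
        Objects.requireNonNull(jsonWebTokenConfig, "config is null");
        String keyFile = jsonWebTokenConfig.getKeyFile();
        if (keyFile.contains(KEY_ID_VARIABLE)) {
            this.keyLoader = new DynamicKeyLoader(keyFile);
        } else {
            this.keyLoader = new StaticKeyLoader(keyFile);
        }
        JwtParser parser = Jwts.parser().setSigningKeyResolver(new SigningKeyResolver() {
            @Override
            public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
                return JsonWebTokenAuthenticator.this.keyLoader.apply(jwsHeader);
            }

            @Override
            public Key resolveSigningKey(JwsHeader jwsHeader, String str) {
                return JsonWebTokenAuthenticator.this.keyLoader.apply(jwsHeader);
            }
        });
        if (jsonWebTokenConfig.getRequiredIssuer() != null) {
            parser.requireIssuer(jsonWebTokenConfig.getRequiredIssuer());
        }
        if (jsonWebTokenConfig.getRequiredAudience() != null) {
            parser.requireAudience(jsonWebTokenConfig.getRequiredAudience());
        }
        this.jwtParser = parser;
    }

    /**
     * Authenticates a request from its {@code Authorization: Bearer <jwt>} header.
     *
     * @param httpServletRequest the incoming request
     * @return a principal named after the token's {@code sub} claim
     * @throws AuthenticationException if the header is missing or not a bearer token, the token
     *     fails parsing or verification, or the verified token carries no subject
     */
    @Override
    public Principal authenticate(HttpServletRequest httpServletRequest) throws AuthenticationException {
        String header = Strings.nullToEmpty(httpServletRequest.getHeader("Authorization"));
        int space = header.indexOf(' ');
        if (space < 0 || !header.substring(0, space).equalsIgnoreCase("bearer")) {
            throw needAuthentication(null);
        }
        String token = header.substring(space + 1).trim();
        if (token.isEmpty()) {
            throw needAuthentication(null);
        }
        try {
            String subject = this.jwtParser.parseClaimsJws(token).getBody().getSubject();
            if (!Strings.isNullOrEmpty(subject)) {
                return new BasicPrincipal(subject);
            }
        } catch (JwtException e) {
            // NOTE(review): the parser's message is passed on in the challenge exception; confirm
            // it is acceptable for that text to reach the caller.
            throw needAuthentication(e.getMessage());
        } catch (RuntimeException e) {
            throw new RuntimeException("Authentication error", e);
        }
        // A correctly signed token without a subject names no user. Answer it with the normal
        // authentication challenge instead of building a principal from a null or empty name.
        throw needAuthentication("JWT subject is missing");
    }

    private static AuthenticationException needAuthentication(String str) {
        return new AuthenticationException(str, "Bearer realm=\"Presto\", token_type=\"JWT\"");
    }

    /**
     * Loads key material from {@code file}: first as a PEM public key, and if that fails for any
     * reason, as a Base64 (MIME) encoded HMAC secret.
     *
     * <p>NOTE(review): the fallback is taken on every PEM parsing failure, so a damaged or
     * wrong-type PEM file is not rejected but read as a shared HMAC secret. PEM public material
     * is not confidential, so such a file makes a poor secret; consider failing closed when the
     * file carries PEM armor but does not parse as a public key.
     *
     * @param file the key file to read
     * @return the loaded public key or HMAC secret
     * @throws SignatureException if the file cannot be read
     */
    public static LoadedKey loadKeyFile(File file) {
        if (!file.canRead()) {
            throw new SignatureException("Unknown signing key ID");
        }
        try {
            return new LoadedKey(PemReader.loadPublicKey(file));
        } catch (Exception ignored) {
            // Not a PEM public key: fall through and try the file as a Base64 HMAC secret.
        }
        try {
            byte[] encoded = Files.asCharSource(file, StandardCharsets.US_ASCII).read().getBytes(StandardCharsets.US_ASCII);
            return new LoadedKey(Base64.getMimeDecoder().decode(encoded));
        } catch (IOException e) {
            // Keep the cause so the read failure can be diagnosed from the stack trace.
            throw new SignatureException("Unknown signing key id", e);
        }
    }
}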
