package org.apache.ranger.authz.handler.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import java.net.URL;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.util.CertificateUtil;
import org.apache.ranger.authz.handler.RangerAuthHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.class */
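/**
 * Base authentication handler that accepts a signed JWT presented either as an
 * {@code Authorization: Bearer ...} header or as a cookie, verifies it against a
 * remote JWKS endpoint or a statically configured RSA public key, and issues an
 * {@link AuthenticationToken} for the token's subject (or for an explicit doAs user).
 *
 * <p>Subclasses supply the {@link ConfigurableJWTProcessor} used for JWKS-based
 * verification via {@link #getJwtProcessor(JWSKeySelector)}.
 */
public abstract class RangerJwtAuthHandler implements RangerAuthHandler {
    public static final String TYPE = "ranger-jwt";
    public static final String KEY_PROVIDER_URL = "jwks.provider-url";
    public static final String KEY_JWT_PUBLIC_KEY = "jwt.public-key";
    public static final String KEY_JWT_COOKIE_NAME = "jwt.cookie-name";
    public static final String KEY_JWT_AUDIENCES = "jwt.audiences";
    public static final String JWT_AUTHZ_PREFIX = "Bearer ";
    private static final Logger LOG = LoggerFactory.getLogger(RangerJwtAuthHandler.class);
    // Name of the cookie that carries the JWT. Static (not per-instance) because the
    // static shouldProceedAuth() reads it; the last initialize() call wins JVM-wide.
    protected static String cookieName = "hadoop-jwt";
    // Verifier built from the configured public key; null when only a JWKS URL is set.
    private JWSVerifier verifier = null;
    // JWKS endpoint; when non-blank it takes precedence over the static public key.
    private String jwksProviderUrl = null;
    // Accepted 'aud' values; null means no audience restriction is enforced.
    protected List<String> audiences = null;
    protected JWKSource<SecurityContext> keySource = null;

    /**
     * Reads the handler configuration.
     *
     * @param properties configuration holding at least one of {@value #KEY_PROVIDER_URL}
     *                   or {@value #KEY_JWT_PUBLIC_KEY}, optionally {@value #KEY_JWT_COOKIE_NAME}
     *                   and a comma-separated {@value #KEY_JWT_AUDIENCES}
     * @throws Exception if neither a JWKS URL nor a public key is configured, if the JWKS
     *                   URL is malformed, or if the public key cannot be parsed
     */
    @Override // org.apache.ranger.authz.handler.RangerAuthHandler
    public void initialize(Properties properties) throws Exception {
        LOG.debug("===>>> RangerJwtAuthHandler.initialize()");

        this.jwksProviderUrl = properties.getProperty(KEY_PROVIDER_URL);
        if (StringUtils.isNotBlank(this.jwksProviderUrl)) {
            this.keySource = new RemoteJWKSet<>(new URL(this.jwksProviderUrl));
        }

        String publicKey = properties.getProperty(KEY_JWT_PUBLIC_KEY);
        if (StringUtils.isNotBlank(publicKey)) {
            this.verifier = new RSASSAVerifier(CertificateUtil.parseRSAPublicKey(publicKey));
        } else if (StringUtils.isBlank(this.jwksProviderUrl)) {
            throw new Exception("RangerJwtAuthHandler: Mandatory configs ('jwks.provider-url' & 'jwt.public-key') are missing, must provide atleast one.");
        }

        String configuredCookieName = properties.getProperty(KEY_JWT_COOKIE_NAME);
        if (configuredCookieName != null) {
            cookieName = configuredCookieName;
        }

        String configuredAudiences = properties.getProperty(KEY_JWT_AUDIENCES);
        if (StringUtils.isNotBlank(configuredAudiences)) {
            // Values are matched exactly (no trimming), as configured.
            this.audiences = Arrays.asList(configuredAudiences.split(","));
        }

        LOG.debug("<<<=== RangerJwtAuthHandler.initialize()");
    }

    /**
     * Authenticates a request from its Authorization header and/or JWT cookie.
     *
     * @param authorizationHeader value of the {@code Authorization} header, may be null
     * @param cookie              the {@code name=value} cookie string, may be null
     * @param doAsUser            optional user to impersonate; when non-blank it becomes the
     *                            token principal instead of the JWT subject
     * @return an {@link AuthenticationToken} of type {@value #TYPE}, or {@code null} when no
     *         JWT is present or the JWT fails validation
     */
    public AuthenticationToken authenticate(String authorizationHeader, String cookie, String doAsUser) {
        LOG.debug("===>>> RangerJwtAuthHandler.authenticate()");

        AuthenticationToken authenticationToken = null;
        if (shouldProceedAuth(authorizationHeader, cookie)) {
            String serializedJwt = getJWT(authorizationHeader, cookie);
            if (StringUtils.isNotBlank(serializedJwt)) {
                try {
                    SignedJWT signedJwt = SignedJWT.parse(serializedJwt);
                    if (validateToken(signedJwt)) {
                        String subject = signedJwt.getJWTClaimsSet().getSubject();
                        // NOTE(review): the doAs user replaces the verified subject without any
                        // proxy-user authorization check here; the caller must enforce who may
                        // impersonate whom.
                        String principal = StringUtils.isNotBlank(doAsUser) ? doAsUser.trim() : subject;
                        LOG.debug("RangerJwtAuthHandler.authenticate(): Issuing AuthenticationToken for user: [{}]", principal);
                        LOG.debug("RangerJwtAuthHandler.authenticate(): Authentication successful for user [{}] and doAs user is [{}]", subject, doAsUser);
                        authenticationToken = new AuthenticationToken(principal, principal, TYPE);
                    } else {
                        // Do not log the serialized JWT: it is a bearer credential and a token that
                        // fails here (e.g. wrong audience) may still be valid elsewhere. Log only
                        // non-secret identifying fields.
                        LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT token with subject [{}], alg [{}], kid [{}]",
                                signedJwt.getJWTClaimsSet().getSubject(),
                                signedJwt.getHeader().getAlgorithm(),
                                signedJwt.getHeader().getKeyID());
                    }
                } catch (ParseException e) {
                    LOG.warn("RangerJwtAuthHandler.authenticate(): Unable to parse the JWT token", e);
                }
            } else {
                LOG.warn("RangerJwtAuthHandler.authenticate(): JWT token not found.");
            }
        }

        LOG.debug("<<<=== RangerJwtAuthHandler.authenticate()");
        return authenticationToken;
    }

    /**
     * Extracts the compact-serialized JWT from the Authorization header, falling back to
     * the configured cookie.
     *
     * @param authorizationHeader value of the {@code Authorization} header, may be null
     * @param cookie              a single {@code name=value} cookie string, may be null
     * @return the JWT string, or {@code null} if none was found
     */
    protected String getJWT(String authorizationHeader, String cookie) {
        String jwt = null;
        if (StringUtils.isNotBlank(authorizationHeader) && authorizationHeader.startsWith(JWT_AUTHZ_PREFIX)) {
            jwt = authorizationHeader.substring(JWT_AUTHZ_PREFIX.length());
        }
        if (StringUtils.isBlank(jwt) && StringUtils.isNotBlank(cookie)) {
            // Split at the first '=' only: the value is everything after the cookie name.
            // A name-only cookie ("hadoop-jwt") yields a single element, which an unchecked
            // [1] access would turn into an ArrayIndexOutOfBoundsException.
            String[] nameAndValue = cookie.split("=", 2);
            if (nameAndValue.length == 2 && cookieName.equals(nameAndValue[0])) {
                jwt = nameAndValue[1];
            }
        }
        return jwt;
    }

    /**
     * Runs the expiration, signature and audience checks in that order, short-circuiting on
     * the first failure.
     *
     * @param signedJWT the parsed token
     * @return {@code true} only if all three checks pass
     */
    protected boolean validateToken(SignedJWT signedJWT) {
        boolean expValid = validateExpiration(signedJWT);
        boolean sigValid = expValid && validateSignature(signedJWT);
        boolean audValid = sigValid && validateAudiences(signedJWT);
        LOG.debug("expValid={}, sigValid={}, audValid={}", expValid, sigValid, audValid);
        return expValid && sigValid && audValid;
    }

    /**
     * Verifies the token signature, via the JWKS processor when a provider URL is configured,
     * otherwise against the static public key.
     *
     * @param signedJWT the parsed token
     * @return {@code true} if the signature verified; {@code false} on any failure or error
     */
    protected boolean validateSignature(SignedJWT signedJWT) {
        boolean verified = false;
        if (JWSObject.State.SIGNED == signedJWT.getState() && signedJWT.getSignature() != null) {
            LOG.debug("JWT token is in a SIGNED state");
            try {
                if (StringUtils.isNotBlank(this.jwksProviderUrl)) {
                    // The expected algorithm comes from the (not yet verified) token header; the
                    // selector offers only JWKS keys compatible with that algorithm, so a header
                    // naming a different family than the published keys cannot verify.
                    // NOTE(review): confirm this matching behaviour against the nimbus version in use.
                    JWSKeySelector<SecurityContext> keySelector =
                            new JWSVerificationKeySelector<>(signedJWT.getHeader().getAlgorithm(), this.keySource);
                    getJwtProcessor(keySelector).process(signedJWT, (SecurityContext) null);
                    verified = true;
                    LOG.debug("JWT token has been successfully verified.");
                } else if (this.verifier == null) {
                    LOG.warn("Cannot authenticate JWT token as neither JWKS provider URL nor public key provided.");
                } else if (signedJWT.verify(this.verifier)) {
                    verified = true;
                    LOG.debug("JWT token has been successfully verified.");
                } else {
                    LOG.warn("JWT signature verification failed.");
                }
            } catch (JOSEException | BadJOSEException e) {
                LOG.error("Error while validating signature.", e);
            }
        }
        if (!verified) {
            LOG.warn("Signature could not be verified.");
        }
        return verified;
    }

    /**
     * Supplies the processor used for JWKS-based verification.
     *
     * @param jWSKeySelector selector bound to the token's algorithm and this handler's key source
     * @return a configured processor
     */
    public abstract ConfigurableJWTProcessor<SecurityContext> getJwtProcessor(JWSKeySelector<SecurityContext> jWSKeySelector);

    /**
     * Checks that at least one {@code aud} value of the token is in the configured list.
     * When no audiences are configured every token passes.
     *
     * @param signedJWT the parsed token
     * @return {@code true} if accepted; {@code false} on mismatch or if claims cannot be parsed
     */
    protected boolean validateAudiences(SignedJWT signedJWT) {
        boolean accepted = false;
        try {
            List<String> tokenAudiences = signedJWT.getJWTClaimsSet().getAudience();
            if (this.audiences == null) {
                accepted = true;
            } else {
                if (tokenAudiences != null) {
                    for (String aud : tokenAudiences) {
                        if (this.audiences.contains(aud)) {
                            LOG.debug("JWT token audience has been successfully validated.");
                            accepted = true;
                            break;
                        }
                    }
                }
                if (!accepted) {
                    LOG.warn("JWT audience validation failed.");
                }
            }
        } catch (ParseException e) {
            LOG.warn("Unable to parse the JWT token.", e);
        }
        return accepted;
    }

    /**
     * Checks the {@code exp} claim against the current time.
     *
     * <p>NOTE(review): a token without an {@code exp} claim is accepted, and no clock skew or
     * {@code nbf} handling is applied here; the JWKS processor path may apply its own defaults.
     *
     * @param signedJWT the parsed token
     * @return {@code true} if not expired (or no expiry set); {@code false} if expired or unparsable
     */
    protected boolean validateExpiration(SignedJWT signedJWT) {
        boolean notExpired = false;
        try {
            Date expirationTime = signedJWT.getJWTClaimsSet().getExpirationTime();
            if (expirationTime == null || new Date().before(expirationTime)) {
                notExpired = true;
                LOG.debug("JWT token expiration date has been successfully validated.");
            } else {
                LOG.warn("JWT token provided is expired.");
            }
        } catch (ParseException e) {
            LOG.warn("Failed to validate JWT expiry.", e);
        }
        return notExpired;
    }

    /**
     * Cheap pre-check: does the request carry something that looks like a bearer header or
     * the JWT cookie?
     *
     * @param authorizationHeader value of the {@code Authorization} header, may be null
     * @param cookie              the cookie string, may be null
     * @return {@code true} if either input may contain a JWT
     */
    public static boolean shouldProceedAuth(String authorizationHeader, String cookie) {
        boolean hasBearer = StringUtils.isNotBlank(authorizationHeader) && authorizationHeader.startsWith(JWT_AUTHZ_PREFIX);
        boolean hasCookie = StringUtils.isNotBlank(cookie) && cookie.startsWith(cookieName);
        return hasBearer || hasCookie;
    }
}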
