package com.linkedin.venice.authentication.jwt;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.RequiredTypeException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.DecodingException;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SignatureException;
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.List;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:com/linkedin/venice/authentication/jwt/AuthenticationProviderToken.class */
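/**
 * Validates a signed JWT and resolves the principal it carries.
 *
 * <p>Tokens are parsed with jjwt's {@code parseClaimsJws}, so the signature is verified against the
 * key produced by {@link JwksUriSigningKeyResolver} before any claim is read. The resolver is handed
 * the configured public-key algorithm name, the JWKS host allowlist and the statically configured
 * key (if any); how it combines them is defined in that class, not here.
 *
 * <p>Audience enforcement is optional: when an audience claim name is configured, that claim must
 * contain the configured audience value. When no audience claim name is configured the audience is
 * not checked at all, even if an audience value is set.
 *
 * <p>Thread-safety: all fields are final and the jjwt parser is not mutated after construction.
 */
class AuthenticationProviderToken {
    /** Claim used for the principal when no auth claim is configured. */
    private static final String DEFAULT_ROLE_CLAIM = "sub";

    /** Signature algorithm assumed for public-key validation when none is configured. */
    private static final SignatureAlgorithm DEFAULT_PUBLIC_KEY_ALG = SignatureAlgorithm.RS256;

    private final JwtParser parser;
    /** Claim whose value is returned as the principal. */
    private final String roleClaim;
    /** Algorithm name handed to the signing-key resolver and used to pick the public-key type. */
    private final SignatureAlgorithm publicKeyAlg;
    /** Claim holding the token's audience(s); {@code null} disables audience checking. */
    private final String audienceClaim;
    /** Audience this service accepts; non-null whenever {@link #audienceClaim} is non-null. */
    private final String audience;

    /** Signals that a token could not be validated. */
    public static final class AuthenticationException extends Exception {
        public AuthenticationException(String str) {
            super(str);
        }

        /** Keeps the underlying parse/verification failure reachable via {@link #getCause()}. */
        public AuthenticationException(String str, Throwable cause) {
            super(str, cause);
        }
    }

    /**
     * Builds a provider from the token configuration.
     *
     * @param tokenProperties key material, algorithm and claim names
     * @throws IOException if the configured key cannot be read or decoded
     * @throws IllegalArgumentException if the configured algorithm is unknown, or an audience claim
     *     name is configured without an audience value to compare against
     */
    public AuthenticationProviderToken(TokenProperties tokenProperties) throws IOException, IllegalArgumentException {
        // Must be resolved first: getValidationKeyFromConfig() reads this.publicKeyAlg.
        this.publicKeyAlg = getPublicKeyAlgType(tokenProperties);
        this.parser = Jwts.parserBuilder()
            .setSigningKeyResolver(new JwksUriSigningKeyResolver(
                this.publicKeyAlg.getValue(),
                tokenProperties.getJwksHostsAllowlist(),
                getValidationKeyFromConfig(tokenProperties)))
            .build();
        this.roleClaim = getTokenRoleClaim(tokenProperties);
        this.audienceClaim = getTokenAudienceClaim(tokenProperties);
        this.audience = getTokenAudience(tokenProperties);
        // With a claim name but no expected value every token would fail the audience check,
        // so reject the configuration up front.
        if (this.audienceClaim != null && this.audience == null) {
            throw new IllegalArgumentException("Token Audience Claim [" + this.audienceClaim + "] configured, but Audience stands for this broker not.");
        }
    }

    /**
     * Verifies {@code str} and returns the principal named by the configured role claim.
     *
     * @param str compact JWS, i.e. the raw bearer token
     * @return the principal, or {@code null} if the role claim is absent or is neither a string
     *     nor a list whose first element is a string
     * @throws AuthenticationException if the token is blank, cannot be parsed, fails signature
     *     verification, or does not carry the expected audience
     */
    public String authenticate(String str) throws AuthenticationException {
        // jjwt reports a null/blank token with an unchecked IllegalArgumentException; map it to the
        // declared checked exception so callers see a single failure type.
        if (StringUtils.isBlank(str)) {
            throw new AuthenticationException("Failed to authentication token: token is blank");
        }
        return getPrincipal(authenticateToken(str));
    }

    /**
     * Parses and signature-checks the token, then enforces the audience if one is configured.
     *
     * @return the verified JWS; its body is safe to read afterwards
     * @throws AuthenticationException on any parse, signature or audience failure
     */
    private Jwt<?, Claims> authenticateToken(String str) throws AuthenticationException {
        Jws<Claims> jws;
        try {
            // parseClaimsJws verifies the signature and, per jjwt, rejects unsigned tokens.
            jws = this.parser.parseClaimsJws(str);
        } catch (JwtException e) {
            // NOTE: jjwt's message may echo claim values; callers that forward this message to
            // clients should keep that in mind.
            throw new AuthenticationException("Failed to authentication token: " + e.getMessage(), e);
        }
        if (this.audienceClaim != null) {
            checkAudience(jws.getBody().get(this.audienceClaim));
        }
        return jws;
    }

    /**
     * Ensures the audience claim value names this service.
     *
     * @param claimValue raw claim value, expected to be a string or a list of strings
     * @throws AuthenticationException if the claim is missing, malformed, or does not contain
     *     {@link #audience}
     */
    private void checkAudience(Object claimValue) throws AuthenticationException {
        if (claimValue == null) {
            throw new AuthenticationException("Found null Audience in token, for claimed field: " + this.audienceClaim);
        }
        if (claimValue instanceof List) {
            List<?> audiences = (List<?>) claimValue;
            // this.audience is non-null here (constructor invariant); comparing from its side keeps
            // the check null-safe against null list elements.
            if (audiences.stream().noneMatch(this.audience::equals)) {
                String joined = audiences.stream().map(String::valueOf).collect(Collectors.joining(", "));
                throw new AuthenticationException("Audiences in token: [" + joined + "] not contains this audience: " + this.audience);
            }
            return;
        }
        if (!(claimValue instanceof String)) {
            throw new AuthenticationException("Audiences in token is not in expected format: " + claimValue);
        }
        if (!this.audience.equals(claimValue)) {
            throw new AuthenticationException("Audiences in token: [" + claimValue + "] not contains this audience: " + this.audience);
        }
    }

    /**
     * Extracts the principal from an already verified token.
     *
     * @return the string value of the role claim, the first element of a list-valued role claim,
     *     or {@code null} if the claim is absent or has neither shape
     */
    private String getPrincipal(Jwt<?, Claims> jwt) {
        Claims claims = jwt.getBody();
        try {
            // jjwt returns null for an absent claim and throws only on a type mismatch.
            return claims.get(this.roleClaim, String.class);
        } catch (RequiredTypeException notAString) {
            List<?> values;
            try {
                values = claims.get(this.roleClaim, List.class);
            } catch (RequiredTypeException notAListEither) {
                // Neither a string nor a list: report "no principal" instead of leaking an
                // unchecked exception through authenticate().
                return null;
            }
            if (values == null || values.isEmpty() || !(values.get(0) instanceof String)) {
                return null;
            }
            return (String) values.get(0);
        }
    }

    /**
     * Loads the statically configured verification key, if any.
     *
     * <p>A secret (HMAC) key takes precedence over a public key when both are configured.
     *
     * @return the key, or {@code null} when neither a secret nor a public key is configured
     * @throws IOException if the key location cannot be read or its contents cannot be decoded
     */
    private Key getValidationKeyFromConfig(TokenProperties tokenProperties) throws IOException {
        String secretKey = tokenProperties.getSecretKey();
        if (StringUtils.isNotBlank(secretKey)) {
            return decodeSecretKey(readKeyFromUrl(secretKey));
        }
        String publicKey = tokenProperties.getPublicKey();
        if (StringUtils.isNotBlank(publicKey)) {
            return decodePublicKey(readKeyFromUrl(publicKey), this.publicKeyAlg);
        }
        return null;
    }

    /**
     * Reads raw key bytes from an operator-supplied location.
     *
     * <p>The location is tried, in order, as a {@code data:}/{@code file:} URL, as a path on the
     * local file system, and finally as inline base64. The value comes from configuration, not from
     * a request.
     *
     * <p>Because the base64 fallback runs whenever the path does not exist, a mistyped path that
     * happens to consist only of base64 characters is decoded as key material rather than reported
     * as missing; such bytes are rejected later only if they fail key decoding or strength checks.
     *
     * @throws IOException if the URL/file cannot be read or the inline value is not valid base64
     * @throws IllegalArgumentException if the value is neither a readable location nor base64
     */
    private static byte[] readKeyFromUrl(String str) throws IOException {
        if (str.startsWith("data:") || str.startsWith("file:")) {
            try {
                return IOUtils.toByteArray(new URL(str));
            } catch (RuntimeException e) {
                // Only IOException and unchecked exceptions can escape the calls above; normalize
                // the latter (e.g. a malformed data: payload) to the declared checked type.
                throw new IOException(e);
            }
        }
        Path keyPath = Paths.get(str);
        if (Files.exists(keyPath)) {
            return Files.readAllBytes(keyPath);
        }
        if (!Base64.isBase64(str)) {
            throw new IllegalArgumentException("Secret/Public Key file " + str + " doesn't exist");
        }
        try {
            return Decoders.BASE64.decode(str);
        } catch (DecodingException e) {
            throw new IOException("Illegal base64 character or Key file " + str + " doesn't exist", e);
        }
    }

    /**
     * Wraps raw bytes as an HMAC-SHA key. Per jjwt's documentation, {@code hmacShaKeyFor} selects
     * the HS algorithm from the key length and rejects keys that are too short for HS256.
     */
    private static SecretKey decodeSecretKey(byte[] bArr) {
        return Keys.hmacShaKeyFor(bArr);
    }

    /** Returns the configured auth claim, or {@value #DEFAULT_ROLE_CLAIM} when blank. */
    private String getTokenRoleClaim(TokenProperties tokenProperties) {
        String authClaim = blankToNull(tokenProperties.getAuthClaim());
        return authClaim != null ? authClaim : DEFAULT_ROLE_CLAIM;
    }

    /**
     * Resolves the configured public-key algorithm, defaulting to RS256.
     *
     * <p>No restriction is applied here: any name jjwt knows is accepted. A non-key-pair family is
     * only rejected later, and only if a public key is decoded for it; whether the resolver applies
     * further checks is not visible here.
     *
     * @throws IllegalArgumentException if jjwt does not recognize the algorithm name
     */
    private SignatureAlgorithm getPublicKeyAlgType(TokenProperties tokenProperties) throws IllegalArgumentException {
        String publicAlg = blankToNull(tokenProperties.getPublicAlg());
        if (publicAlg == null) {
            return DEFAULT_PUBLIC_KEY_ALG;
        }
        try {
            return SignatureAlgorithm.forName(publicAlg);
        } catch (SignatureException e) {
            throw new IllegalArgumentException("invalid algorithm provided " + publicAlg, e);
        }
    }

    /**
     * Decodes DER/X.509 SubjectPublicKeyInfo bytes into a key of the algorithm's family.
     *
     * @throws IOException if the bytes are not a valid key for that family
     */
    private static PublicKey decodePublicKey(byte[] bArr, SignatureAlgorithm signatureAlgorithm) throws IOException {
        try {
            KeyFactory factory = KeyFactory.getInstance(keyTypeForSignatureAlgorithm(signatureAlgorithm));
            return factory.generatePublic(new X509EncodedKeySpec(bArr));
        } catch (Exception e) {
            throw new IOException("Failed to decode public key", e);
        }
    }

    /**
     * Maps a jjwt algorithm family to the JCA {@link KeyFactory} algorithm name.
     *
     * @throws IllegalArgumentException for families without key pairs (e.g. HMAC)
     */
    private static String keyTypeForSignatureAlgorithm(SignatureAlgorithm signatureAlgorithm) {
        switch (signatureAlgorithm.getFamilyName()) {
            case "RSA":
                return "RSA";
            case "ECDSA":
                return "EC";
            default:
                throw new IllegalArgumentException("The " + signatureAlgorithm.name() + " algorithm does not support Key Pairs.");
        }
    }

    /** Returns the configured audience claim name, or {@code null} when blank. */
    private String getTokenAudienceClaim(TokenProperties tokenProperties) throws IllegalArgumentException {
        return blankToNull(tokenProperties.getAudienceClaim());
    }

    /** Returns the configured audience value, or {@code null} when blank. */
    private String getTokenAudience(TokenProperties tokenProperties) throws IllegalArgumentException {
        return blankToNull(tokenProperties.getAudience());
    }

    /** Normalizes an optional config value: blank (null, empty or whitespace-only) becomes null. */
    private static String blankToNull(String value) {
        return StringUtils.isNotBlank(value) ? value : null;
    }
}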
