package org.apache.pulsar.broker.authentication;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Lists;
import com.yahoo.athenz.auth.token.RoleToken;
import com.yahoo.athenz.zpe.AuthZpeClient;
import java.io.IOException;
import java.net.SocketAddress;
import java.security.PublicKey;
import java.util.List;
import javax.naming.AuthenticationException;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.metrics.AuthenticationMetrics;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.class */
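/**
 * Broker-side {@link AuthenticationProvider} that accepts Athenz role tokens.
 *
 * <p>The accepted Athenz domains come from the {@code athenzDomainNames} broker property, falling back to the
 * {@code pulsar.athenz.domain.names} system property (comma separated). The clock-skew tolerance used when
 * validating a token is read from the {@code pulsar.athenz.role.token_allowed_offset} system property
 * (seconds, default 30).
 *
 * <p>A role token is a bearer credential: it is deliberately never written to the log, only its domain, key id
 * and the peer address are.
 */
public class AuthenticationProviderAthenz implements AuthenticationProvider {
    private static final String DOMAIN_NAME_LIST = "athenzDomainNames";
    private static final String SYS_PROP_DOMAIN_NAME_LIST = "pulsar.athenz.domain.names";
    private static final String SYS_PROP_ALLOWED_OFFSET = "pulsar.athenz.role.token_allowed_offset";
    // Domains whose role tokens this broker accepts; assigned by initialize().
    private List<String> domainNameList = null;
    // Clock-skew tolerance in seconds handed to RoleToken.validate(); overridable via SYS_PROP_ALLOWED_OFFSET.
    private int allowedOffset = 30;
    private static final Logger log = LoggerFactory.getLogger(AuthenticationProviderAthenz.class);

    /**
     * Reads the accepted domain list and the optional allowed offset.
     *
     * @param serviceConfiguration broker configuration; {@code athenzDomainNames} takes precedence over the
     *                             {@code pulsar.athenz.domain.names} system property
     * @throws IOException if no domain is configured, or the allowed offset is not a non-negative integer
     */
    @Override
    public void initialize(ServiceConfiguration serviceConfiguration) throws IOException {
        Object configured = serviceConfiguration.getProperty(DOMAIN_NAME_LIST);
        String domainNames;
        if (configured != null) {
            domainNames = (String) configured;
        } else {
            domainNames = System.getProperty(SYS_PROP_DOMAIN_NAME_LIST);
            if (StringUtils.isEmpty(domainNames)) {
                throw new IOException("No athenz domain name specified");
            }
        }
        this.domainNameList = Lists.newArrayList(domainNames.split(","));
        log.info("Supported domain names for athenz: {}", this.domainNameList);

        String offsetProperty = System.getProperty(SYS_PROP_ALLOWED_OFFSET);
        if (!StringUtils.isEmpty(offsetProperty)) {
            int offset;
            try {
                offset = Integer.parseInt(offsetProperty);
            } catch (NumberFormatException e) {
                throw new IOException("Invalid allowed offset for athenz role token verification specified", e);
            }
            if (offset < 0) {
                throw new IOException("Allowed offset for athenz role token verification must not be negative");
            }
            // Only commit the value once it has been fully validated, so a rejected setting never leaks
            // into the field.
            this.allowedOffset = offset;
        }
        log.info("Allowed offset for athenz role token verification: {} sec", this.allowedOffset);
    }

    /** @return the auth method name clients must present, {@code "athenz"} */
    @Override
    public String getAuthMethodName() {
        return "athenz";
    }

    /**
     * Validates the role token carried by the connection and returns the Athenz principal it names.
     *
     * <p>The token is taken from the binary protocol command data when present, otherwise from the
     * {@code AuthZpeClient.ZPE_TOKEN_HDR} HTTP header. Every failure is reported to
     * {@link AuthenticationMetrics} before being rethrown.
     *
     * @param authenticationDataSource peer address plus command or HTTP data
     * @return the principal of the validated token
     * @throws AuthenticationException if the peer address or token is missing, the token is malformed, its
     *                                 domain is not accepted, the ZTS key is unavailable or the signature /
     *                                 expiry check fails
     */
    @Override
    public String authenticate(AuthenticationDataSource authenticationDataSource) throws AuthenticationException {
        try {
            if (!authenticationDataSource.hasDataFromPeer()) {
                throw new AuthenticationException("Authentication data source does not have a client address");
            }
            SocketAddress peerAddress = authenticationDataSource.getPeerAddress();

            String token;
            if (authenticationDataSource.hasDataFromCommand()) {
                token = authenticationDataSource.getCommandData();
            } else if (authenticationDataSource.hasDataFromHttp()) {
                token = authenticationDataSource.getHttpHeader(AuthZpeClient.ZPE_TOKEN_HDR);
            } else {
                throw new AuthenticationException("Authentication data source does not have a role token");
            }
            if (token == null) {
                throw new AuthenticationException("Athenz token is null, can't authenticate");
            }
            if (token.isEmpty()) {
                throw new AuthenticationException("Athenz RoleToken is empty, Server is Using Athenz Authentication");
            }

            RoleToken roleToken;
            try {
                roleToken = new RoleToken(token);
            } catch (IllegalArgumentException e) {
                // The Athenz parser may reject malformed input with an unchecked exception; surface it as a
                // normal authentication failure so it is counted by the metrics in the outer catch.
                AuthenticationException malformed = new AuthenticationException("Athenz RoleToken is malformed");
                malformed.initCause(e);
                throw malformed;
            }
            if (log.isDebugEnabled()) {
                // Never log the raw token: it is a reusable credential. Domain and key id are enough to trace.
                log.debug("Athenz RoleToken for domain {} (keyId {}) received from Client: {}",
                        roleToken.getDomain(), roleToken.getKeyId(), peerAddress);
            }
            if (!this.domainNameList.contains(roleToken.getDomain())) {
                throw new AuthenticationException(String.format(
                        "Athenz RoleToken Domain mismatch, Expected: %s, Found: %s",
                        this.domainNameList.toString(), roleToken.getDomain()));
            }

            String principal;
            // NOTE(review): the monitor around the ZPE key lookup and validation is kept from the original;
            // presumably AuthZpeClient is not safe for concurrent callers — confirm before removing it.
            synchronized (this) {
                PublicKey ztsPublicKey = AuthZpeClient.getZtsPublicKey(roleToken.getKeyId());
                if (ztsPublicKey == null) {
                    throw new AuthenticationException("Unable to retrieve ZTS Public Key");
                }
                // validate() accepts an optional buffer for its failure reason; keep that reason in the
                // debug log only, the client still receives the generic message below.
                StringBuilder validationError = new StringBuilder();
                if (!roleToken.validate(ztsPublicKey, this.allowedOffset, false, validationError)) {
                    log.debug("Athenz Role Token validation failed for Client {}: {}", peerAddress, validationError);
                    throw new AuthenticationException(
                            String.format("Athenz Role Token Not Authenticated from Client: %s", peerAddress));
                }
                principal = roleToken.getPrincipal();
            }
            log.debug("Athenz Role Token for domain {} Authenticated for Client: {}",
                    roleToken.getDomain(), peerAddress);
            AuthenticationMetrics.authenticateSuccess(getClass().getSimpleName(), getAuthMethodName());
            return principal;
        } catch (AuthenticationException e) {
            // Count every rejection, then let the caller see the original exception.
            AuthenticationMetrics.authenticateFailure(getClass().getSimpleName(), getAuthMethodName(), e.getMessage());
            throw e;
        }
    }

    /** Nothing to release: this provider holds no resources of its own. */
    @Override
    public void close() throws IOException {
    }

    /** @return the clock-skew tolerance in seconds currently applied to token validation */
    @VisibleForTesting
    int getAllowedOffset() {
        return this.allowedOffset;
    }
}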
