package org.apache.nifi.web.security.knox;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/web/security/knox/KnoxService.class */
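/**
 * Verifies Apache Knox SSO JWTs and extracts the authenticated identity from them.
 *
 * <p>When Knox SSO is disabled in the supplied {@link KnoxConfiguration}, only
 * {@link #isKnoxEnabled()} is usable; the other public methods throw
 * {@link IllegalStateException}.</p>
 *
 * <p>Token validation checks, in this order: the RSA signature against the configured Knox public
 * key, the {@code aud} claim against the configured audiences (skipped when no audiences are
 * configured), and the {@code exp} claim against the current time. Only {@code exp} is evaluated
 * for time validity; a token without an {@code exp} claim is accepted as non-expiring, and no
 * clock-skew allowance is applied.</p>
 */
public class KnoxService {
    private static final Logger logger = LoggerFactory.getLogger(KnoxService.class);

    private final KnoxConfiguration configuration;
    // The three fields below are populated only when Knox SSO is enabled; otherwise they stay null.
    private final JWSVerifier verifier;
    private final String knoxUrl;
    private final Set<String> audiences;

    /**
     * Creates the service from the given configuration.
     *
     * @param knoxConfiguration the Knox SSO configuration; must not be null
     * @throws NullPointerException if {@code knoxConfiguration} is null
     * @throws IllegalStateException if Knox SSO is enabled but the Knox URL, cookie name or
     *         public key is missing
     */
    public KnoxService(final KnoxConfiguration knoxConfiguration) {
        this.configuration = Objects.requireNonNull(knoxConfiguration, "knoxConfiguration");
        if (knoxConfiguration.isKnoxEnabled()) {
            this.knoxUrl = knoxConfiguration.getKnoxUrl();
            if (StringUtils.isBlank(this.knoxUrl)) {
                throw new IllegalStateException("Knox URL is required when Apache Knox SSO support is enabled.");
            }
            if (StringUtils.isBlank(knoxConfiguration.getKnoxCookieName())) {
                throw new IllegalStateException("Knox Cookie Name is required when Apache Knox SSO support is enabled.");
            }
            // Fail at construction with a clear message rather than inside the verifier's constructor.
            if (knoxConfiguration.getKnoxPublicKey() == null) {
                throw new IllegalStateException("Knox Public Key is required when Apache Knox SSO support is enabled.");
            }
            this.verifier = new RSASSAVerifier(knoxConfiguration.getKnoxPublicKey());
            this.audiences = knoxConfiguration.getAudiences();
        } else {
            this.knoxUrl = null;
            this.verifier = null;
            this.audiences = null;
        }
    }

    /**
     * Returns whether Knox SSO support is enabled in the configuration.
     *
     * @return {@code true} if Knox SSO is enabled
     */
    public boolean isKnoxEnabled() {
        return this.configuration.isKnoxEnabled();
    }

    /**
     * Returns the configured Knox URL.
     *
     * @return the Knox URL
     * @throws IllegalStateException if Knox SSO is not enabled
     */
    public String getKnoxUrl() {
        if (!this.configuration.isKnoxEnabled()) {
            throw new IllegalStateException("Apache Knox SSO is not enabled.");
        }
        return this.knoxUrl;
    }

    /**
     * Parses and validates a serialized Knox JWT and returns its subject as the authenticated identity.
     *
     * @param str the compact-serialized signed JWT
     * @return the {@code sub} claim of the validated token; may be null if the token carries no subject
     * @throws IllegalStateException if Knox SSO is not enabled
     * @throws ParseException if the token cannot be parsed as a signed JWT or its claims cannot be read
     * @throws JOSEException if signature verification cannot be performed
     * @throws InvalidAuthenticationException if the signature, audience or expiration check fails,
     *         or the token has no claims set
     */
    public String getAuthenticationFromToken(final String str) throws ParseException, JOSEException {
        if (!this.configuration.isKnoxEnabled()) {
            throw new IllegalStateException("Apache Knox SSO is not enabled.");
        }
        final SignedJWT signedJwt = SignedJWT.parse(str);
        if (!validateToken(signedJwt)) {
            throw new InvalidAuthenticationException("The Knox JWT token is not valid.");
        }
        final JWTClaimsSet claimsSet = signedJwt.getJWTClaimsSet();
        if (claimsSet == null) {
            // Defensive only: validateExpiration already rejects a token without a claims set.
            logger.error("Claims set is missing from Knox JWT.");
            throw new InvalidAuthenticationException("The Knox JWT token is not valid.");
        }
        return claimsSet.getSubject();
    }

    /**
     * Runs all token checks. The signature is verified first so that claims are only
     * inspected on a token whose integrity has been established; the remaining checks
     * short-circuit on the first failure.
     */
    private boolean validateToken(final SignedJWT signedJwt) throws JOSEException, ParseException {
        return validateSignature(signedJwt) && validateAudience(signedJwt) && validateExpiration(signedJwt);
    }

    /**
     * Verifies the JWS signature with the configured Knox public key.
     * A token that is not in the SIGNED state, or has no signature, is rejected without calling the verifier.
     */
    private boolean validateSignature(final SignedJWT signedJwt) throws JOSEException {
        final boolean signed = JWSObject.State.SIGNED.equals(signedJwt.getState()) && signedJwt.getSignature() != null;
        final boolean valid = signed && signedJwt.verify(this.verifier);
        if (!valid) {
            logger.error("The Knox JWT has an invalid signature.");
        }
        return valid;
    }

    /**
     * Checks that at least one {@code aud} value of the token is among the configured audiences.
     * When no audiences are configured the check is skipped; an empty configured set rejects every token.
     */
    private boolean validateAudience(final SignedJWT signedJwt) throws ParseException {
        if (this.audiences == null) {
            return true;
        }
        final JWTClaimsSet claimsSet = signedJwt.getJWTClaimsSet();
        if (claimsSet == null) {
            logger.error("Claims set is missing from Knox JWT.");
            return false;
        }
        final List<String> audience = claimsSet.getAudience();
        if (audience == null) {
            logger.error("Audience is missing from the Knox JWT.");
            return false;
        }
        final boolean matched = audience.stream().anyMatch(this.audiences::contains);
        if (!matched) {
            logger.error(String.format("The Knox JWT does not have the required audience(s). Required one of [%s]. Present in JWT [%s].", StringUtils.join(this.audiences, ", "), StringUtils.join(audience, ", ")));
        }
        return matched;
    }

    /**
     * Checks that the token's {@code exp} claim, if present, lies in the future.
     * A token without {@code exp} is accepted; {@code nbf} and {@code iat} are not evaluated here.
     */
    private boolean validateExpiration(final SignedJWT signedJwt) throws ParseException {
        final JWTClaimsSet claimsSet = signedJwt.getJWTClaimsSet();
        if (claimsSet == null) {
            logger.error("Claims set is missing from Knox JWT.");
            return false;
        }
        final Date expirationTime = claimsSet.getExpirationTime();
        // NOTE(review): a missing exp claim yields a never-expiring token; confirm this is intended for the deployment.
        final boolean valid = expirationTime == null || new Date().before(expirationTime);
        if (!valid) {
            logger.error("The Knox JWT is expired.");
        }
        return valid;
    }
}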
