package org.wso2.carbon.dataservices.core.auth;

import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.apache.axiom.om.util.Base64;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.dataservices.core.DBUtils;
import org.wso2.carbon.dataservices.core.DataServiceFault;
import org.wso2.carbon.dataservices.core.sqlparser.LexicalConstants;

/* loaded from: input_file:org/wso2/carbon/dataservices/core/auth/JWTAuthorizationProvider.class */
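/**
 * {@link AuthorizationProvider} that derives the calling user from a signed JWT carried in the
 * {@code X-JWT-Assertion} HTTP header and resolves that user's roles through {@link DBUtils}.
 * <p>
 * Token handling is limited to what is visible here: the JWS signature is verified with
 * {@code SHA256withRSA} against a certificate from the tenant keystore, selected by the
 * thumbprint found in the token header. No expiry ({@code exp}), issuer or audience claim is
 * checked in this class, and the token's own {@code alg} header is never consulted (the
 * algorithm is pinned, which also means an attacker-chosen algorithm cannot be honoured).
 * <p>
 * Thread-safety: {@code endUserClaim} is assigned in {@link #init(Map)} and lazily defaulted in
 * {@link #extractUsernameFromJWT(MessageContext)}; the static caches are concurrent maps.
 */
public class JWTAuthorizationProvider implements AuthorizationProvider {
    private static final String HTTP_SERVLET_REQUEST = "transport.http.servletRequest";
    private static final String JWT_TOKEN_HEADER_NAME = "X-JWT-Assertion";
    private static final String UTF_8_ENCODING = "UTF-8";
    // Claim URI whose value is taken as the username; configurable via init(), defaults to ENDUSER_CLAIM.
    private String endUserClaim = null;
    private static final String ENDUSER_CLAIM = "http://wso2.org/claims/enduser";
    private static final String ENDUSER_CLAIM_PROPERTY_KEY = "claimUri";
    private static final String CLAIM_VALUE_SEPARATOR = "\":\"";
    private static final String ESCAPED_DOUBLE_QUOTATION = "\"";
    private static final String USERNAME = "username";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String THUMBPRINT_DIGEST_ALGORITHM = "SHA-1";
    private static final Log log = LogFactory.getLog(JWTAuthorizationProvider.class);
    /**
     * Pulls the quoted value of the fourth colon-separated field of the JOSE header, presumably
     * the {@code x5t} certificate thumbprint. This is a positional match on the raw JSON text, so
     * it relies on the header carrying exactly three fields before the thumbprint.
     */
    private static final Pattern THUMBPRINT_PATTERN = Pattern.compile("^[^:]*:[^:]*:[^:]*:\"(.+)\"}$");
    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();
    // NOTE(review): read in validateSignature() but never written anywhere in this class. If it
    // were ever populated, the thumbprint of later tokens would be ignored for that keystore.
    private static ConcurrentHashMap<KeyStore, Certificate> publicCerts = new ConcurrentHashMap<>();
    // NOTE(review): likewise only read in getKeyStore(); KeyStoreManager is consulted on every call.
    private static ConcurrentHashMap<Integer, KeyStore> keyStores = new ConcurrentHashMap<>();

    /**
     * Returns the roles of the user identified by the JWT in {@code messageContext}.
     *
     * @param messageContext Axis2 message context carrying the servlet request
     * @return roles as resolved by {@link DBUtils#getUserRoles(String)}
     * @throws DataServiceFault if the username cannot be extracted or roles cannot be loaded
     */
    @Override
    public String[] getUserRoles(MessageContext messageContext) throws DataServiceFault {
        return DBUtils.getUserRoles(getUsername(messageContext));
    }

    /**
     * Returns every role known for the current user's tenant.
     *
     * @return all roles of the current tenant
     * @throws DataServiceFault if role lookup fails
     */
    @Override
    public String[] getAllRoles() throws DataServiceFault {
        return DBUtils.getAllRoles(DBUtils.getCurrentUserTenantId());
    }

    /**
     * Extracts the username from the JWT in the request, converting extraction failures into a
     * {@link DataServiceFault}.
     *
     * @param messageContext Axis2 message context carrying the servlet request
     * @return the username claim value, or {@code null} if no request or no token is present
     * @throws DataServiceFault if decoding or signature validation fails
     */
    @Override
    public String getUsername(MessageContext messageContext) throws DataServiceFault {
        try {
            return extractUsernameFromJWT(messageContext);
        } catch (UnsupportedEncodingException | AxisFault e) {
            String message = "Error in retrieving user name from message context - " + e.getMessage();
            log.debug(message, e);
            throw new DataServiceFault(e, message);
        }
    }

    /**
     * Reads the configured claim URI ({@code claimUri}) that carries the username.
     *
     * @param map provider configuration; may be {@code null}, in which case the default claim is used
     * @throws DataServiceFault never thrown here; declared by the interface
     */
    @Override
    public void init(Map<String, String> map) throws DataServiceFault {
        this.endUserClaim = (map == null) ? null : map.get(ENDUSER_CLAIM_PROPERTY_KEY);
    }

    /**
     * Validates the JWT from the {@code X-JWT-Assertion} header and returns the value of the
     * configured username claim.
     *
     * @param messageContext Axis2 message context carrying the servlet request
     * @return the claim value, or {@code null} when there is no servlet request, no token header,
     *         or the payload does not contain the claim
     * @throws UnsupportedEncodingException if the platform lacks UTF-8 (retained for the caller's catch)
     * @throws AxisFault if the token is malformed or its signature does not verify
     */
    private String extractUsernameFromJWT(MessageContext messageContext)
            throws UnsupportedEncodingException, AxisFault {
        if (this.endUserClaim == null || this.endUserClaim.isEmpty()) {
            this.endUserClaim = ENDUSER_CLAIM;
        }
        HttpServletRequest httpServletRequest =
                (HttpServletRequest) messageContext.getProperty(HTTP_SERVLET_REQUEST);
        if (httpServletRequest == null) {
            return null;
        }
        String jwtToken = httpServletRequest.getHeader(JWT_TOKEN_HEADER_NAME);
        if (jwtToken == null) {
            return null;
        }
        // validateSignature() throws on any failure, so a false return is not expected; the guard
        // is kept so a future change to that method cannot silently fall through to claim parsing.
        if (!validateSignature(jwtToken)) {
            return null;
        }
        // The whole compact token (including the '.' separators) is fed to the Axiom decoder, as in
        // the original implementation; the claim is then located textually in the decoded bytes.
        byte[] decodedBytes = Base64.decode(jwtToken);
        if (decodedBytes == null) {
            return null;
        }
        String decodedToken = new String(decodedBytes, UTF_8_ENCODING);
        // Pattern.quote: the claim URI contains '.' and '/', which must not act as regex metacharacters.
        String[] claimParts = decodedToken.split(Pattern.quote(this.endUserClaim + CLAIM_VALUE_SEPARATOR));
        if (claimParts.length < 2) {
            // Claim absent (or present with nothing after it): no username can be derived.
            return null;
        }
        String[] valueParts = claimParts[1].split(ESCAPED_DOUBLE_QUOTATION);
        // Token contents are deliberately not logged: the payload may carry personal data.
        return valueParts[0];
    }

    /**
     * Verifies the JWS signature of a compact-serialised token against the tenant keystore
     * certificate whose thumbprint matches the token header.
     *
     * @param jwtToken compact JWS ({@code header.payload.signature})
     * @return {@link Boolean#TRUE} when the signature verifies; never {@code false} (failures throw)
     * @throws AxisFault if the token is malformed, no matching certificate exists, or verification fails
     */
    private Boolean validateSignature(String jwtToken) throws AxisFault {
        String[] parts = jwtToken.split("\\.");
        if (parts.length != 3) {
            throw new AxisFault("Malformed JWT: expected header.payload.signature");
        }
        String encodedHeader = parts[0];
        String encodedPayload = parts[1];
        byte[] signatureBytes = Base64Utils.decode(parts[2]);
        String joseHeader = new String(Base64Utils.decode(encodedHeader), StandardCharsets.UTF_8);
        Matcher matcher = THUMBPRINT_PATTERN.matcher(joseHeader);
        if (!matcher.find()) {
            // Previously a missing thumbprint surfaced as a NullPointerException from the decoder.
            throw new AxisFault("JWT header does not carry a certificate thumbprint");
        }
        byte[] thumbprint = Base64Utils.decode(matcher.group(1));
        KeyStore keyStore = getKeyStore();
        if (keyStore == null) {
            throw new AxisFault("No keystore found");
        }
        Certificate certificate = publicCerts.get(keyStore);
        if (certificate == null) {
            try {
                String alias = getAliasForX509CertThumb(thumbprint, keyStore);
                if (alias == null) {
                    throw new AxisFault("No public cert found");
                }
                certificate = keyStore.getCertificate(alias);
            } catch (KeyStoreException e) {
                throw new AxisFault("Error getting public certificate from keystore using alias", e);
            }
        }
        if (certificate == null) {
            throw new AxisFault("No public cert found");
        }
        try {
            // The algorithm is fixed here rather than taken from the token's "alg" header.
            Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
            signature.initVerify(certificate);
            String signingInput = encodedHeader + LexicalConstants.DOT + encodedPayload;
            signature.update(signingInput.getBytes(StandardCharsets.UTF_8));
            if (!signature.verify(signatureBytes)) {
                throw new AxisFault("Signature validation failed");
            }
            return Boolean.TRUE;
        } catch (InvalidKeyException e) {
            throw new AxisFault("Invalid Key", e);
        } catch (NoSuchAlgorithmException e) {
            throw new AxisFault("SHA256withRSA cannot be found", e);
        } catch (SignatureException e) {
            throw new AxisFault("Signature Object not initialized properly", e);
        }
    }

    /**
     * Resolves the keystore of the current tenant: the primary keystore for the super tenant,
     * otherwise {@code <tenant-domain-with-dashes>.jks} via {@link KeyStoreManager}.
     *
     * @return the tenant keystore, or whatever {@link KeyStoreManager} returns (may be {@code null})
     * @throws AxisFault if the keystore cannot be loaded
     */
    private KeyStore getKeyStore() throws AxisFault {
        CarbonContext carbonContext = CarbonContext.getThreadLocalCarbonContext();
        String tenantDomain = carbonContext.getTenantDomain();
        int tenantId = carbonContext.getTenantId();
        KeyStore cached = keyStores.get(tenantId);
        if (cached != null) {
            return cached;
        }
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        try {
            if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                return keyStoreManager.getPrimaryKeyStore();
            }
            String keyStoreName =
                    tenantDomain.trim().replace(LexicalConstants.DOT, LexicalConstants.MINUS) + ".jks";
            return keyStoreManager.getKeyStore(keyStoreName);
        } catch (Exception e) {
            throw new AxisFault("Error getting keystore", e);
        }
    }

    /**
     * Finds the keystore alias whose X.509 certificate has the given SHA-1 thumbprint.
     *
     * @param thumbprint expected thumbprint as the bytes of a lowercase hex string (as decoded
     *                   from the token header)
     * @param keyStore   keystore to search
     * @return the matching alias, or {@code null} if no certificate entry matches
     * @throws AxisFault if the keystore cannot be read, a certificate cannot be encoded, or SHA-1 is unavailable
     */
    private String getAliasForX509CertThumb(byte[] thumbprint, KeyStore keyStore) throws AxisFault {
        String expectedHex = new String(thumbprint, StandardCharsets.UTF_8);
        MessageDigest digest;
        try {
            // SHA-1 is the digest the thumbprint is expressed in; it only selects the certificate.
            // The token itself is verified with SHA256withRSA in validateSignature().
            digest = MessageDigest.getInstance(THUMBPRINT_DIGEST_ALGORITHM);
        } catch (NoSuchAlgorithmException e) {
            throw new AxisFault("noSHA1availabe", e);
        }
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate certificate = leafCertificate(keyStore, alias);
                // Entries without a certificate (e.g. secret keys) are skipped rather than
                // aborting the search, so a matching certificate later in the store is still found.
                if (!(certificate instanceof X509Certificate)) {
                    continue;
                }
                digest.reset();
                try {
                    digest.update(certificate.getEncoded());
                } catch (CertificateEncodingException e) {
                    throw new AxisFault("Error encoding certificate", e);
                }
                if (expectedHex.equals(hexify(digest.digest()))) {
                    return alias;
                }
            }
            return null;
        } catch (KeyStoreException e) {
            throw new AxisFault("KeyStore exception while getting alias for X509CertThumb", e);
        }
    }

    /**
     * Returns the end-entity certificate for an alias: the first element of its chain, or the
     * trusted-certificate entry when there is no chain.
     *
     * @return the certificate, or {@code null} if the alias holds neither
     */
    private static Certificate leafCertificate(KeyStore keyStore, String alias) throws KeyStoreException {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain != null && chain.length > 0) {
            return chain[0];
        }
        return keyStore.getCertificate(alias);
    }

    /**
     * Encodes bytes as a lowercase hexadecimal string.
     *
     * @param bytes input bytes
     * @return two lowercase hex digits per input byte
     */
    private String hexify(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            hex.append(HEX_DIGITS[(b & 0xF0) >> 4]).append(HEX_DIGITS[b & 0x0F]);
        }
        return hex.toString();
    }
}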
