package org.wso2.carbon.webapp.authenticator.framework.authenticator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.StringTokenizer;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.registry.core.exceptions.RegistryException;
import org.wso2.carbon.registry.core.service.TenantRegistryLoader;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.utils.CarbonUtils;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticatorFrameworkDataHolder;
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;

/* loaded from: input_file:org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.class */
public class JWTAuthenticator implements WebappAuthenticator {
    private static final String SIGNED_JWT_AUTH_USERNAME = "http://wso2.org/claims/enduser";
    private static final String SIGNED_JWT_AUTH_TENANT_ID = "http://wso2.org/claims/enduserTenantId";
    private static final String JWT_AUTHENTICATOR = "JWT";
    private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion";
    private static final String DEFAULT_TRUST_STORE_LOCATION = "Security.TrustStore.Location";
    private static final String DEFAULT_TRUST_STORE_PASSWORD = "Security.TrustStore.Password";
    private Properties properties;
    private static final Log log = LogFactory.getLog(JWTAuthenticator.class);
    private static final Map<IssuerAlias, PublicKey> publicKeyHolder = new HashMap();

    /* loaded from: input_file:org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator$IssuerAlias.class */
    private class IssuerAlias {
        private String issuer;
        private String tenantDomain;
        private final String DEFAULT_ISSUER = "default";

        public IssuerAlias(String str) {
            this.DEFAULT_ISSUER = "default";
            this.issuer = "default";
            this.tenantDomain = str;
        }

        public IssuerAlias(String str, String str2) {
            this.DEFAULT_ISSUER = "default";
            this.issuer = str;
            this.tenantDomain = str2;
        }

        public int hashCode() {
            return (31 * this.issuer.hashCode()) + ("@" + this.tenantDomain).hashCode();
        }

        public boolean equals(Object obj) {
            return (obj instanceof IssuerAlias) && this.issuer.equals(((IssuerAlias) obj).issuer) && this.tenantDomain == ((IssuerAlias) obj).tenantDomain;
        }
    }

    private static void loadTenantRegistry(int i) throws RegistryException {
        TenantRegistryLoader tenantRegistryLoader = AuthenticatorFrameworkDataHolder.getInstance().getTenantRegistryLoader();
        AuthenticatorFrameworkDataHolder.getInstance().getTenantIndexingLoader().loadTenantIndex(i);
        tenantRegistryLoader.loadTenantRegistry(i);
    }

    @Override // org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator
    public void init() {
    }

    @Override // org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator
    public boolean canHandle(Request request) {
        String header = request.getHeader(JWT_ASSERTION_HEADER);
        return (header == null || header.isEmpty()) ? false : true;
    }

    @Override // org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator
    public AuthenticationInfo authenticate(Request request, Response response) {
        String requestURI = request.getRequestURI();
        AuthenticationInfo authenticationInfo = new AuthenticationInfo();
        if (requestURI == null || "".equals(requestURI)) {
            authenticationInfo.setStatus(WebappAuthenticator.Status.CONTINUE);
        }
        if (requestURI == null) {
            requestURI = "";
        }
        String nextToken = new StringTokenizer(requestURI, "/").nextToken();
        if (nextToken == null || "".equals(nextToken)) {
            authenticationInfo.setStatus(WebappAuthenticator.Status.CONTINUE);
        }
        try {
            try {
                try {
                    try {
                        try {
                            SignedJWT parse = SignedJWT.parse(request.getHeader(JWT_ASSERTION_HEADER));
                            String stringClaim = parse.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME);
                            String tenantDomain = MultitenantUtils.getTenantDomain(stringClaim);
                            int parseInt = Integer.parseInt(parse.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_TENANT_ID));
                            String issuer = parse.getJWTClaimsSet().getIssuer();
                            PrivilegedCarbonContext.startTenantFlow();
                            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain);
                            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(parseInt);
                            PublicKey publicKey = publicKeyHolder.get(new IssuerAlias(issuer, tenantDomain));
                            if (publicKey == null) {
                                loadTenantRegistry(parseInt);
                                KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(parseInt);
                                if ("carbon.super".equals(tenantDomain)) {
                                    String property = this.properties.getProperty(issuer);
                                    if (property == null || property.isEmpty()) {
                                        authenticationInfo.setStatus(WebappAuthenticator.Status.FAILURE);
                                        PrivilegedCarbonContext.endTenantFlow();
                                        return authenticationInfo;
                                    }
                                    ServerConfiguration serverConfiguration = CarbonUtils.getServerConfiguration();
                                    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                                    keyStore.load(new FileInputStream(serverConfiguration.getFirstProperty(DEFAULT_TRUST_STORE_LOCATION)), serverConfiguration.getFirstProperty(DEFAULT_TRUST_STORE_PASSWORD).toCharArray());
                                    publicKey = keyStore.getCertificate(property).getPublicKey();
                                } else {
                                    publicKey = keyStoreManager.getKeyStore(tenantDomain.trim().replace('.', '-') + ".jks").getCertificate(tenantDomain).getPublicKey();
                                }
                                if (publicKey != null) {
                                    publicKeyHolder.put(new IssuerAlias(tenantDomain), publicKey);
                                }
                            }
                            if (parse.verify(new RSASSAVerifier((RSAPublicKey) publicKey))) {
                                String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(stringClaim);
                                if (parseInt == -1) {
                                    log.error("tenantDomain is not valid. username : " + tenantAwareUsername + ", tenantDomain : " + tenantDomain);
                                } else if (AuthenticatorFrameworkDataHolder.getInstance().getRealmService().getTenantUserRealm(parseInt).getUserStoreManager().isExistingUser(tenantAwareUsername)) {
                                    authenticationInfo.setTenantId(parseInt);
                                    authenticationInfo.setUsername(tenantAwareUsername);
                                    authenticationInfo.setTenantDomain(tenantDomain);
                                    authenticationInfo.setStatus(WebappAuthenticator.Status.CONTINUE);
                                }
                            } else {
                                authenticationInfo.setStatus(WebappAuthenticator.Status.FAILURE);
                            }
                            PrivilegedCarbonContext.endTenantFlow();
                        } catch (Exception e) {
                            log.error("Error occurred while verifying the JWT header.", e);
                            PrivilegedCarbonContext.endTenantFlow();
                        }
                    } catch (ParseException e2) {
                        log.error("Error occurred while parsing the JWT header.", e2);
                        PrivilegedCarbonContext.endTenantFlow();
                    }
                } catch (UserStoreException e3) {
                    log.error("Error occurred while obtaining the user.", e3);
                    PrivilegedCarbonContext.endTenantFlow();
                }
            } catch (JOSEException e4) {
                log.error("Error occurred while verifying the JWT header.", e4);
                PrivilegedCarbonContext.endTenantFlow();
            }
            return authenticationInfo;
        } catch (Throwable th) {
            PrivilegedCarbonContext.endTenantFlow();
            throw th;
        }
    }

    @Override // org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator
    public String getName() {
        return JWT_AUTHENTICATOR;
    }

    @Override // org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator
    public Properties getProperties() {
        return this.properties;
    }

    @Override // org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator
    public void setProperties(Properties properties) {
        this.properties = properties;
    }

    @Override // org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator
    public String getProperty(String str) {
        if (this.properties == null) {
            return null;
        }
        return this.properties.getProperty(str);
    }
}
