package io.cellery.security.cell.sts.server.core.service;

import com.mashape.unirest.http.Unirest;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import io.cellery.security.cell.sts.server.authorization.AuthorizationFailedException;
import io.cellery.security.cell.sts.server.authorization.AuthorizationService;
import io.cellery.security.cell.sts.server.core.CellStsUtils;
import io.cellery.security.cell.sts.server.core.Constants;
import io.cellery.security.cell.sts.server.core.STSTokenGenerator;
import io.cellery.security.cell.sts.server.core.context.store.UserContextStore;
import io.cellery.security.cell.sts.server.core.exception.CellSTSRequestValidationFailedException;
import io.cellery.security.cell.sts.server.core.exception.TokenValidationFailureException;
import io.cellery.security.cell.sts.server.core.model.CellStsRequest;
import io.cellery.security.cell.sts.server.core.model.CellStsResponse;
import io.cellery.security.cell.sts.server.core.model.RequestDestination;
import io.cellery.security.cell.sts.server.core.model.config.CellStsConfiguration;
import io.cellery.security.cell.sts.server.core.validators.CellSTSRequestValidator;
import io.cellery.security.cell.sts.server.core.validators.DefaultCellSTSReqValidator;
import io.cellery.security.cell.sts.server.core.validators.SelfContainedTokenValidator;
import io.cellery.security.cell.sts.server.core.validators.TokenValidator;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.lang.StringUtils;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/cellery/security/cell/sts/server/core/service/CelleryCellStsService.class */
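/**
 * Cell STS request handling for the sidecar.
 *
 * Inbound: when the request validator says authentication is required, the JWT in the
 * {@code authorization} header is validated, its subject and claims are forwarded to the
 * workload as headers, and the authorization service is consulted.
 * Outbound: calls that stay inside Cellery get a locally issued STS token attached as a
 * {@code Bearer} credential; calls leaving Cellery pass through untouched.
 *
 * Two {@link UserContextStore}s are keyed by request ID: {@code userContextStore} keeps
 * the JWT validated at the cell gateway, {@code localContextStore} the token used for
 * hops inside this cell. Both feed into outbound token construction.
 *
 * Security notes (review):
 * <ul>
 *   <li>{@link #getJWTClaims(String)} parses without verifying a signature; every path
 *       that reaches it has either run {@link #TOKEN_VALIDATOR} on the exact token or
 *       compared it byte-for-byte against a token that was validated earlier.</li>
 *   <li>{@link #setHttpClientProperties()} no longer disables TLS certificate and
 *       hostname verification for the whole JVM.</li>
 *   <li>Bearer token values are not written to the log; only their presence is.</li>
 * </ul>
 */
public class CelleryCellStsService {
    protected static final String CELLERY_AUTH_SUBJECT_CLAIMS_HEADER = "x-cellery-auth-subject-claims";
    protected static final String AUTHORIZATION_HEADER_NAME = "authorization";
    protected static final String BEARER_HEADER_VALUE_PREFIX = "Bearer ";
    /** JWTs validated at the cell gateway, keyed by request ID. */
    protected UserContextStore userContextStore;
    /** Tokens in use for hops inside this cell, keyed by request ID. */
    protected UserContextStore localContextStore;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CelleryCellStsService.class);
    protected static final TokenValidator TOKEN_VALIDATOR = new SelfContainedTokenValidator();
    protected static final CellSTSRequestValidator REQUEST_VALIDATOR = new DefaultCellSTSReqValidator();
    protected static final AuthorizationService AUTHORIZATION_SERVICE = new AuthorizationService();

    /**
     * Creates the service and configures the shared HTTP client.
     *
     * @param userContextStore  store for gateway-validated JWTs
     * @param userContextStore2 store for tokens used inside this cell
     * @throws CelleryCellSTSException if the HTTP client cannot be initialised
     */
    public CelleryCellStsService(UserContextStore userContextStore, UserContextStore userContextStore2) throws CelleryCellSTSException {
        this.userContextStore = userContextStore;
        this.localContextStore = userContextStore2;
        setHttpClientProperties();
    }

    /**
     * Authenticates and authorizes an intercepted inbound request.
     *
     * Requests for which the validator reports no authentication requirement are left
     * untouched. Otherwise the JWT from the {@code authorization} header is validated
     * (gateway or intra-cell path), the authorization service is consulted, and the
     * subject / claims headers are added to the response.
     *
     * @param cellStsRequest  the intercepted request
     * @param cellStsResponse the response the headers are added to
     * @throws CelleryCellSTSException on validation, authorization or parsing failure
     */
    public void handleInboundRequest(CellStsRequest cellStsRequest, CellStsResponse cellStsResponse) throws CelleryCellSTSException {
        String requestId = cellStsRequest.getRequestId();
        try {
            if (!REQUEST_VALIDATOR.isAuthenticationRequired(cellStsRequest)) {
                return;
            }
            log.debug("Authentication is required for the request ID: {} ", requestId);
            log.debug("Caller cell : {}", cellStsRequest.getSource().getCellInstanceName());
            String userContextJwt = getUserContextJwt(cellStsRequest);
            // The token is a credential: log whether one arrived, never its value.
            log.debug("Incoming JWT present: {}", StringUtils.isNotEmpty(userContextJwt));

            JWTClaimsSet claims;
            if (CellStsUtils.isRequestToMicroGateway(cellStsRequest)) {
                log.debug("Request to micro-gateway intercepted");
                claims = handleRequestToMicroGW(cellStsRequest, requestId, userContextJwt);
            } else {
                claims = handleInternalRequest(cellStsRequest, requestId, userContextJwt);
            }

            try {
                AUTHORIZATION_SERVICE.authorize(cellStsRequest, userContextJwt);
            } catch (AuthorizationFailedException e) {
                throw new CelleryCellSTSException("Authorization failure", e);
            }
            cellStsResponse.addResponseHeaders(buildSubjectHeaders(claims));
        } catch (CellSTSRequestValidationFailedException e) {
            throw new CelleryCellSTSException("Error while evaluating authentication requirement", e);
        }
    }

    /**
     * Builds the headers that carry the authenticated subject and its claims to the workload.
     * The claims header is an unsigned {@link PlainJWT}; downstream code must rely on the
     * sidecar having set it rather than on any signature.
     */
    private Map<String, String> buildSubjectHeaders(JWTClaimsSet claims) {
        Map<String, String> headers = new HashMap<>();
        String subject = claims.getSubject();
        if (StringUtils.isNotEmpty(subject)) {
            headers.put(Constants.CELLERY_AUTH_SUBJECT_HEADER, subject);
            log.debug("Set {} to: {}", Constants.CELLERY_AUTH_SUBJECT_HEADER, subject);
        } else {
            log.debug("Subject is not available. No user context is passed.");
        }
        headers.put(CELLERY_AUTH_SUBJECT_CLAIMS_HEADER, new PlainJWT(claims).serialize());
        log.debug("Set {} header from the validated claims", CELLERY_AUTH_SUBJECT_CLAIMS_HEADER);
        return headers;
    }

    /**
     * Handles a workload-to-workload call inside this cell.
     *
     * The first hop for a request ID validates the token and caches it. Later hops must
     * present exactly the cached token; anything else is treated as tampering. Claims are
     * always decoded from the token that was validated, never from an unvalidated copy.
     *
     * @param cellStsRequest the intercepted request
     * @param requestId      request ID used as the cache key
     * @param userContextJwt the JWT taken from the authorization header (may be null)
     * @return the claims of the validated token
     * @throws CelleryCellSTSException on validation failure or cache mismatch
     */
    private JWTClaimsSet handleInternalRequest(CellStsRequest cellStsRequest, String requestId, String userContextJwt) throws CelleryCellSTSException {
        log.debug("Call from a workload to workload within cell {} ; Source workload {} ; Destination workload {}", cellStsRequest.getSource().getCellInstanceName(), cellStsRequest.getSource().getWorkload(), cellStsRequest.getDestination().getWorkload());
        try {
            String cachedJwt = this.localContextStore.get(requestId);
            if (cachedJwt == null) {
                log.debug("Initial entrace to cell from gateway. No cached security found.");
                validateInboundToken(cellStsRequest, userContextJwt);
                this.localContextStore.put(requestId, userContextJwt);
                cachedJwt = userContextJwt;
            } else if (!StringUtils.equals(cachedJwt, userContextJwt)) {
                // Exact comparison on purpose. JWT segments are base64url, which is
                // case-sensitive, so a case-altered copy is a different, unverified token;
                // the previous equalsIgnoreCase accepted it and its claims were then
                // decoded below without the signature ever being re-checked.
                throw new CelleryCellSTSException("Intra cell STS security is tampered.");
            }
            return extractUserClaimsFromJwt(cachedJwt);
        } catch (TokenValidationFailureException e) {
            throw new CelleryCellSTSException("Error while validating locally issued token.", e);
        }
    }

    /**
     * Handles a request arriving at the cell gateway: validates the JWT, caches it for
     * the request ID and returns its claims.
     *
     * @param cellStsRequest the intercepted request
     * @param requestId      request ID used as the cache key
     * @param userContextJwt the JWT taken from the authorization header (may be null)
     * @return the claims of the validated token
     * @throws CelleryCellSTSException on validation or parsing failure
     */
    public JWTClaimsSet handleRequestToMicroGW(CellStsRequest cellStsRequest, String requestId, String userContextJwt) throws CelleryCellSTSException {
        log.debug("Incoming request to cell gateway {} from {}", CellStsUtils.getMyCellName(), cellStsRequest.getSource());
        try {
            log.debug("Validating incoming JWT for request ID: {}", requestId);
            validateInboundToken(cellStsRequest, userContextJwt);
            this.userContextStore.put(requestId, userContextJwt);
            return extractUserClaimsFromJwt(userContextJwt);
        } catch (TokenValidationFailureException e) {
            throw new CelleryCellSTSException("Error while validating JWT token", e);
        }
    }

    /** Runs the configured token validator against the inbound token. */
    private void validateInboundToken(CellStsRequest cellStsRequest, String jwt) throws TokenValidationFailureException {
        TOKEN_VALIDATOR.validateToken(jwt, cellStsRequest);
    }

    /**
     * Returns the bearer token from the request's authorization header, or null when
     * there is none.
     */
    public String getUserContextJwt(CellStsRequest cellStsRequest) {
        return extractJwtFromAuthzHeader(getAuthorizationHeaderValue(cellStsRequest));
    }

    /**
     * Attaches an STS token to outbound calls that stay within Cellery; calls to
     * destinations outside Cellery are passed through unchanged.
     *
     * @param cellStsRequest  the intercepted outbound request
     * @param cellStsResponse the response the authorization header is added to
     * @throws CelleryCellSTSException if a token cannot be obtained
     */
    public void handleOutboundRequest(CellStsRequest cellStsRequest, CellStsResponse cellStsResponse) throws CelleryCellSTSException {
        RequestDestination destination = cellStsRequest.getDestination();
        if (destination.isExternalToCellery()) {
            log.info("Intercepted an outbound call to a workload:{} outside Cellery. Passing the call through.", destination);
            return;
        }
        log.info("Intercepted an outbound call to a workload:{} within Cellery. Injecting a STS security for authentication and user-context sharing from Cell STS.", destination);
        attachToken(cellStsRequest, cellStsResponse);
    }

    /**
     * Obtains the STS token for this request and sets it as a {@code Bearer} authorization
     * header on the response.
     *
     * @throws CelleryCellSTSException if no token could be produced
     */
    protected void attachToken(CellStsRequest cellStsRequest, CellStsResponse cellStsResponse) throws CelleryCellSTSException {
        String stsToken = getStsToken(cellStsRequest);
        if (StringUtils.isEmpty(stsToken)) {
            throw new CelleryCellSTSException("No JWT token received from the STS endpoint: " + CellStsConfiguration.getInstance().getStsEndpoint());
        }
        log.debug("Attaching jwt to outbound request with ID: {}", cellStsRequest.getRequestId());
        if (cellStsRequest.getRequestHeaders().get(Constants.CELLERY_AUTH_SUBJECT_HEADER) != null) {
            log.info("Found user in outgoing request");
        }
        cellStsResponse.addResponseHeader(AUTHORIZATION_HEADER_NAME, BEARER_HEADER_VALUE_PREFIX + stsToken);
    }

    private String getAuthorizationHeaderValue(CellStsRequest cellStsRequest) {
        return cellStsRequest.getRequestHeaders().get(AUTHORIZATION_HEADER_NAME);
    }

    /**
     * Decodes the claims of a JWT that has already been validated.
     *
     * @throws CelleryCellSTSException if the token is blank or cannot be parsed
     */
    private JWTClaimsSet extractUserClaimsFromJwt(String jwt) throws CelleryCellSTSException {
        if (StringUtils.isBlank(jwt)) {
            throw new CelleryCellSTSException("Cannot extract user context JWT from Authorization header.");
        }
        return getJWTClaims(jwt);
    }

    /**
     * Extracts the token from a {@code Bearer <token>} header value.
     *
     * Returns null for a blank header, a header without a credential part, or a scheme
     * other than Bearer. The value is trimmed first: a leading space would otherwise make
     * {@code split} produce an empty first element and return the scheme as the token.
     */
    private String extractJwtFromAuthzHeader(String headerValue) {
        if (StringUtils.isBlank(headerValue)) {
            return null;
        }
        String[] parts = headerValue.trim().split("\\s+");
        if (parts.length < 2) {
            return null;
        }
        if (!StringUtils.equalsIgnoreCase(parts[0], BEARER_HEADER_VALUE_PREFIX.trim())) {
            return null;
        }
        return parts[1];
    }

    /**
     * Parses the claims of a signed JWT. This performs NO signature verification; callers
     * must have validated the token with {@link #TOKEN_VALIDATOR} first.
     *
     * @throws CelleryCellSTSException if the compact serialization cannot be parsed
     */
    private JWTClaimsSet getJWTClaims(String jwt) throws CelleryCellSTSException {
        try {
            return SignedJWT.parse(jwt).getJWTClaimsSet();
        } catch (ParseException e) {
            throw new CelleryCellSTSException("Error while parsing the Signed JWT in authorization header.", e);
        }
    }

    /**
     * Chooses or mints the token for an outbound hop.
     *
     * Order of precedence: a request from this cell's gateway reuses the cached local
     * token, else derives one from the gateway-validated JWT (or a bare token if none);
     * a request with a cached local token reuses it for intra-cell hops or derives a
     * token for the destination cell otherwise; finally a workload-supplied bearer token
     * is validated and exchanged, or a bare token is issued for the destination cell.
     */
    private String getStsToken(CellStsRequest cellStsRequest) throws CelleryCellSTSException {
        String requestId = cellStsRequest.getRequestId();
        RequestDestination destination = cellStsRequest.getDestination();

        if (isRequestFromMicroGateway(cellStsRequest)) {
            log.debug("Request with ID: {} from micro gateway to {} workload of cell {}", requestId, destination.getWorkload(), destination.getCellName());
            String localToken = this.localContextStore.get(requestId);
            if (StringUtils.isNotEmpty(localToken)) {
                log.debug("Found an already existing local token issued for same request on a different occurance");
                return localToken;
            }
            String myCellName = CellStsUtils.getMyCellName();
            String gatewayJwt = this.userContextStore.get(requestId);
            if (StringUtils.isEmpty(gatewayJwt)) {
                return getTokenFromLocalSTS(myCellName);
            }
            return getTokenFromLocalSTS(gatewayJwt, myCellName);
        }

        String cachedLocalToken = this.localContextStore.get(requestId);
        if (cachedLocalToken != null) {
            if (isIntraCellCall(cellStsRequest)) {
                log.debug("Intra cell request with ID: {} from source workload {} to destination workload {} within cell {}", requestId, cellStsRequest.getSource().getWorkload(), destination.getWorkload(), destination.getCellName());
                return cachedLocalToken;
            }
            log.debug("Outbound call from home cell. Building token");
            return getTokenFromLocalSTS(cachedLocalToken, destination.getCellName());
        }

        log.debug("Request initiated within cell {} to {}", cellStsRequest.getSource().getCellInstanceName(), destination.toString());
        String workloadJwt = getUserContextJwt(cellStsRequest);
        if (StringUtils.isEmpty(workloadJwt)) {
            return getTokenFromLocalSTS(destination.getCellName());
        }
        log.debug("Found a token attached by the workload for request ID: {}", requestId);
        return getTokenWithWorkloadPassedBearerToken(cellStsRequest, workloadJwt);
    }

    /**
     * Validates a bearer token supplied by the workload itself before exchanging it for a
     * token addressed to the destination cell.
     */
    private String getTokenWithWorkloadPassedBearerToken(CellStsRequest cellStsRequest, String workloadJwt) throws CelleryCellSTSException {
        try {
            log.debug("Validating workload attached token.");
            TOKEN_VALIDATOR.validateToken(workloadJwt, cellStsRequest);
            return getTokenFromLocalSTS(workloadJwt, cellStsRequest.getDestination().getCellName());
        } catch (TokenValidationFailureException e) {
            throw new CelleryCellSTSException("Error while validating workload passed token", e);
        }
    }

    /** True when the destination cell is this cell. */
    private boolean isIntraCellCall(CellStsRequest cellStsRequest) throws CelleryCellSTSException {
        return StringUtils.equals(CellStsUtils.getMyCellName(), cellStsRequest.getDestination().getCellName());
    }

    /** True when the source workload name marks it as this cell's gateway deployment. */
    private boolean isRequestFromMicroGateway(CellStsRequest cellStsRequest) throws CelleryCellSTSException {
        String sourceWorkload = cellStsRequest.getSource().getWorkload();
        if (StringUtils.isEmpty(sourceWorkload)) {
            return false;
        }
        String gatewayPrefix = CellStsUtils.getMyCellName() + "--gateway-deployment-";
        return sourceWorkload.startsWith(gatewayPrefix);
    }

    /**
     * Issues a token for the given audience from this cell's STS, without an embedded
     * user context.
     */
    public String getTokenFromLocalSTS(String audience) throws CelleryCellSTSException {
        return STSTokenGenerator.generateToken(audience, CellStsUtils.getIssuerName(CellStsUtils.getMyCellName()));
    }

    /**
     * Issues a token for the given audience from this cell's STS, carrying the user
     * context of {@code userContextJwt}.
     */
    public String getTokenFromLocalSTS(String userContextJwt, String audience) throws CelleryCellSTSException {
        String issuedToken = STSTokenGenerator.generateToken(userContextJwt, audience, CellStsUtils.getIssuerName(CellStsUtils.getMyCellName()));
        log.info("Issued a token from local STS : {}", CellStsUtils.getCellImageName());
        return issuedToken;
    }

    /**
     * Configures the HTTP client used for outbound calls from this service.
     *
     * The decompiled original installed a trust-all {@code X509TrustManager} and a
     * hostname verifier that always returned true, both as the process-wide
     * {@code HttpsURLConnection} defaults and on the Unirest client. That switched off
     * server-certificate validation for every TLS connection this JVM makes and would
     * let anyone on the network path impersonate the STS or gateway to a component that
     * handles bearer tokens. This version uses the JVM default {@link SSLContext}, which
     * honours the standard {@code javax.net.ssl.trustStore} / {@code trustStorePassword}
     * properties; a private CA used inside the mesh belongs in that trust store, not in
     * a verifier that accepts everything.
     *
     * Redirect handling stays disabled, as in the original; this also avoids the client
     * following a peer-chosen Location with a credential still attached.
     *
     * @throws CelleryCellSTSException if the default SSL context is unavailable
     */
    private void setHttpClientProperties() throws CelleryCellSTSException {
        try {
            SSLContext sslContext = SSLContext.getDefault();
            Unirest.setHttpClient(HttpClients.custom()
                    .setSSLContext(sslContext)
                    .disableRedirectHandling()
                    .build());
        } catch (NoSuchAlgorithmException e) {
            throw new CelleryCellSTSException("Error while initializing SSL context", e);
        }
    }
}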
