package io.cellery.security.cell.sts.server.core.validators;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.cellery.security.cell.sts.server.core.CellStsUtils;
import io.cellery.security.cell.sts.server.core.Constants;
import io.cellery.security.cell.sts.server.core.exception.TokenValidationFailureException;
import io.cellery.security.cell.sts.server.core.model.CellStsRequest;
import io.cellery.security.cell.sts.server.core.model.config.CellStsConfiguration;
import io.cellery.security.cell.sts.server.core.service.CelleryCellSTSException;
import java.text.ParseException;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/cellery/security/cell/sts/server/core/validators/SelfContainedTokenValidator.class */
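/**
 * Validates self-contained (signed JWT) tokens presented to a cell STS.
 *
 * <p>Validation is performed in four steps — issuer, audience, expiry and signature — each of which
 * can be switched off through {@link CellStsConfiguration}. Note that there is no dedicated switch
 * for the expiry check: it is skipped whenever signature validation is disabled.
 *
 * <p>The serialized token is a bearer credential and is therefore never written to the log or
 * embedded in exception messages; only derived, non-secret values (issuer, audiences, destination)
 * are logged.
 */
public class SelfContainedTokenValidator implements TokenValidator {

    private static final Logger log = LoggerFactory.getLogger((Class<?>) SelfContainedTokenValidator.class);

    /** Issuer of tokens minted by the global STS. */
    private static final String GLOBAL_ISSUER = "https://sts.cellery.io";

    /** Issuer name of the composite cell's STS, resolved once at class load. */
    private static final String COMPOSITE_ISSUER = CellStsUtils.getIssuerName(Constants.COMPOSITE_CELL_NAME, Constants.SYSTEM_NAMESPACE);

    /**
     * Matches workload names of the Knative activator. Requests whose source workload matches are
     * treated as originating from this cell when deriving the expected issuer and JWKS endpoint.
     */
    public static final String KNATIVE_ACTIVATOR_WORKLOAD_REGEX = "^activator-.*\\.knative-serving$";

    /** Compiled once; {@link String#matches} would recompile the regex on every request. */
    private static final Pattern KNATIVE_ACTIVATOR_WORKLOAD = Pattern.compile(KNATIVE_ACTIVATOR_WORKLOAD_REGEX);

    /** Port on which a cell STS exposes its JWKS endpoint; the same for every cell. */
    private static final int STS_JWKS_PORT = 8090;

    /** JWT claim naming the workload a token was issued for. */
    private static final String DESTINATION_CLAIM = "destination";

    private final JWTSignatureValidator jwtValidator = new JWKSBasedJWTValidator();

    /**
     * Validates {@code str} against the issuer, audience, expiry and signature rules.
     *
     * @param str            the serialized JWT received with the request
     * @param cellStsRequest the request the token arrived with; its source and destination determine
     *                       the expected issuer, the expected audience and the JWKS endpoint used for
     *                       signature validation
     * @throws TokenValidationFailureException if the token is missing, cannot be parsed, or fails any
     *                                         enabled validation step
     */
    @Override // io.cellery.security.cell.sts.server.core.validators.TokenValidator
    public void validateToken(String str, CellStsRequest cellStsRequest) throws TokenValidationFailureException {
        if (StringUtils.isEmpty(str)) {
            throw new TokenValidationFailureException("No token found in the request.");
        }
        final SignedJWT signedJwt;
        final JWTClaimsSet claims;
        try {
            // Deliberately not logging the token itself: it is a bearer credential.
            log.debug("Validating self-contained token");
            signedJwt = SignedJWT.parse(str);
            claims = signedJwt.getJWTClaimsSet();
        } catch (ParseException e) {
            throw new TokenValidationFailureException("Error while parsing JWT", e);
        }
        validateIssuer(claims, cellStsRequest);
        validateAudience(claims, cellStsRequest);
        validateExpiry(claims);
        validateSignature(signedJwt, cellStsRequest);
    }

    /**
     * Rejects tokens whose {@code exp} claim is absent or lies in the past.
     *
     * <p>The check is gated on the signature-validation switch because the configuration exposes no
     * expiry-specific switch.
     *
     * @param claims the parsed claims of the token
     * @throws TokenValidationFailureException if the token carries no expiry or has expired
     */
    private void validateExpiry(JWTClaimsSet claims) throws TokenValidationFailureException {
        if (!CellStsConfiguration.getInstance().isSignatureValidationEnabled()) {
            log.debug("Signature validation turned off; skipping expiry validation.");
            return;
        }
        Date expirationTime = claims.getExpirationTime();
        // A missing claim must be a validation failure, not a NullPointerException.
        if (expirationTime == null) {
            throw new TokenValidationFailureException("No expiry time found in the token");
        }
        if (expirationTime.before(new Date())) {
            throw new TokenValidationFailureException("Token has expired. Expiry time: " + expirationTime);
        }
        log.debug("Token life time is valid, expiry time: {}", expirationTime);
    }

    /**
     * Checks that the token is addressed to this cell ({@code <cell>.<namespace>}), or — on a
     * composite STS — that the request is addressed to the composite.
     *
     * @param claims         the parsed claims of the token
     * @param cellStsRequest the request the token arrived with
     * @throws TokenValidationFailureException if the audience is missing or does not match, or the
     *                                         cell name cannot be resolved
     */
    private void validateAudience(JWTClaimsSet claims, CellStsRequest cellStsRequest) throws TokenValidationFailureException {
        if (!CellStsConfiguration.getInstance().isAudienceValidationEnabled()) {
            log.debug("Audience validation turned off.");
            return;
        }
        List<String> audiences = claims.getAudience();
        // A composite STS may accept tokens without an audience; see isReqAddressedToComposite.
        if (audiences.isEmpty() && !CellStsUtils.isCompositeSTS()) {
            throw new TokenValidationFailureException("No audiences found in the token");
        }
        final String expectedAudience;
        try {
            expectedAudience = CellStsUtils.getMyCellName() + "." + CellStsUtils.resolveSystemVariable(Constants.CELL_NAMESPACE);
        } catch (CelleryCellSTSException e) {
            throw new TokenValidationFailureException("Cannot infer cell name", e);
        }
        log.debug("Audiences in the token : {}", String.join(",", audiences));
        boolean addressedToThisCell = audiences.stream().anyMatch(aud -> aud.equalsIgnoreCase(expectedAudience));
        if (!addressedToThisCell && !isReqAddressedToComposite(claims, cellStsRequest)) {
            throw new TokenValidationFailureException("Error while validating audience. Expected audience :" + expectedAudience);
        }
        log.debug("Audience validation successful");
    }

    /**
     * Decides, on a composite STS only, whether the request is addressed to the composite itself.
     *
     * <p>This is the case when the token's destination claim equals the request's destination
     * workload, or when the token carries no destination but was issued by the global STS.
     *
     * @return {@code true} if the audience should be accepted by the composite STS
     * @throws TokenValidationFailureException if the destination claim is not a string
     */
    private boolean isReqAddressedToComposite(JWTClaimsSet claims, CellStsRequest cellStsRequest) throws TokenValidationFailureException {
        if (!CellStsUtils.isCompositeSTS()) {
            log.debug("Not composite STS. Hence audience has to be validated with proper cell name.");
            return false;
        }
        String tokenDestination = destinationClaim(claims);
        String requestDestination = cellStsRequest.getDestination().getWorkload();
        log.debug("Composite STS checking whether the incoming jwt is addressed towards composite. Destination from token: {}, from request: {}", tokenDestination, requestDestination);
        if (StringUtils.equals(tokenDestination, requestDestination)) {
            log.debug("Destination found in the token matches with the actual destination. Hence audience is valid for composite.");
            return true;
        }
        if (StringUtils.isBlank(tokenDestination) && GLOBAL_ISSUER.equalsIgnoreCase(claims.getIssuer())) {
            log.debug("Destination is not available and the issuer is global. Hence audience is considered as valid by composite STS.");
            return true;
        }
        log.debug("Request is not addressed towards composite STS");
        return false;
    }

    /**
     * Checks that the token's {@code iss} claim matches the issuer expected for the request's source.
     *
     * <p>A token issued by the source cell's gateway is accepted without consulting the expected
     * issuer (see {@link CellStsUtils#getGatewayIssuer}).
     *
     * @param claims         the parsed claims of the token
     * @param cellStsRequest the request the token arrived with
     * @throws TokenValidationFailureException if the issuer is missing, cannot be derived, or does
     *                                         not match
     */
    private void validateIssuer(JWTClaimsSet claims, CellStsRequest cellStsRequest) throws TokenValidationFailureException {
        if (!CellStsConfiguration.getInstance().isIssuerValidationEnabled()) {
            log.debug("Issuer validation turned off.");
            return;
        }
        String issuer = claims.getIssuer();
        if (StringUtils.isEmpty(issuer)) {
            throw new TokenValidationFailureException("No issuer found in the JWT");
        }
        String sourceCell = cellStsRequest.getSource().getCellInstanceName();
        if (StringUtils.equalsIgnoreCase(issuer, CellStsUtils.getGatewayIssuer(sourceCell))) {
            log.debug("Issuer matches the gateway issuer of the source cell");
            return;
        }
        String expectedIssuer = expectedIssuer(issuer, cellStsRequest);
        if (!StringUtils.equalsIgnoreCase(issuer, expectedIssuer)) {
            throw new TokenValidationFailureException("Issuer validation failed. Expected issuer : " + expectedIssuer + ". Received issuer: " + issuer);
        }
        log.debug("Issuer validated successfully. Issuer : {}", expectedIssuer);
    }

    /**
     * Derives the issuer a token for this request is expected to carry.
     *
     * <p>A request with a known source cell expects that cell's STS (the composite issuer is mapped
     * to the system namespace); a request from the Knative activator expects this cell's own STS;
     * anything else expects the global STS.
     *
     * @param issuer         the (non-empty) issuer found in the token
     * @param cellStsRequest the request the token arrived with
     * @throws TokenValidationFailureException if this cell's name cannot be resolved
     */
    private static String expectedIssuer(String issuer, CellStsRequest cellStsRequest) throws TokenValidationFailureException {
        String sourceCell = cellStsRequest.getSource().getCellInstanceName();
        String workload = cellStsRequest.getSource().getWorkload();
        if (StringUtils.isNotEmpty(sourceCell)) {
            String namespace = CellStsUtils.getNamespaceFromAddress(workload);
            if (COMPOSITE_ISSUER.equalsIgnoreCase(issuer)) {
                namespace = Constants.SYSTEM_NAMESPACE;
                log.debug("Composite issuer found. Hence changing source issuer ns to cellery-system");
            }
            return CellStsUtils.getIssuerName(sourceCell, namespace);
        }
        if (isKnativeActivator(workload)) {
            try {
                log.debug("Request is received from the knative activator. Setting issuer to this cell");
                return CellStsUtils.getIssuerName(CellStsUtils.getMyCellName(), CellStsUtils.getNamespaceFromAddress(workload));
            } catch (CelleryCellSTSException e) {
                throw new TokenValidationFailureException("Cannot infer the issuer", e);
            }
        }
        return GLOBAL_ISSUER;
    }

    /**
     * Verifies the token's signature against the JWKS endpoint of the STS that is expected to have
     * issued it.
     *
     * @param jwt            the parsed token
     * @param cellStsRequest the request the token arrived with
     * @throws TokenValidationFailureException if the endpoint cannot be derived or the signature
     *                                         does not verify
     */
    private void validateSignature(JWT jwt, CellStsRequest cellStsRequest) throws TokenValidationFailureException {
        if (!CellStsConfiguration.getInstance().isSignatureValidationEnabled()) {
            log.debug("Signature validation turned off.");
            return;
        }
        String jwksEndpoint = resolveJwksEndpoint(jwt, cellStsRequest);
        log.debug("Calling JWKS endpoint: {}", jwksEndpoint);
        try {
            log.debug("Validating signature of the token");
            this.jwtValidator.validateSignature(jwt, jwksEndpoint, jwt.getHeader().getAlgorithm().getName(), (Map<String, Object>) null);
            log.debug("Token signature validated successfully");
        } catch (TokenValidationFailureException e) {
            throw new TokenValidationFailureException("Error while validating signature of the token", e);
        }
    }

    /**
     * Chooses the JWKS endpoint used to verify the token.
     *
     * <p>Without a source cell the global JWKS endpoint from the configuration is used. Otherwise the
     * endpoint is {@code https://<host>:<port>} where the host is {@code localhost} for this cell,
     * the composite issuer for tokens from the composite (the issuer has then been matched against
     * {@link #COMPOSITE_ISSUER}, so it is not an arbitrary token value), and the source cell's STS
     * name otherwise.
     *
     * @throws TokenValidationFailureException if the source cell or its STS name cannot be resolved
     *                                         or the token's claims cannot be read
     */
    private String resolveJwksEndpoint(JWT jwt, CellStsRequest cellStsRequest) throws TokenValidationFailureException {
        String sourceCell = cellStsRequest.getSource().getCellInstanceName();
        String workload = cellStsRequest.getSource().getWorkload();
        if (StringUtils.isEmpty(sourceCell) && isKnativeActivator(workload)) {
            try {
                log.debug("Request is received from the knative activator. Setting source cell to this cell");
                sourceCell = CellStsUtils.getMyCellName();
            } catch (CelleryCellSTSException e) {
                throw new TokenValidationFailureException("Cannot infer the source cell name", e);
            }
        }
        if (StringUtils.isEmpty(sourceCell)) {
            return CellStsConfiguration.getInstance().getGlobalJWKEndpoint();
        }
        try {
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            final String host;
            if (StringUtils.equalsIgnoreCase(sourceCell, CellStsUtils.getMyCellName())) {
                host = "localhost";
            } else if (isTokenFromComposite(destinationClaim(claims), cellStsRequest.getDestination().getWorkload(), claims.getIssuer())) {
                log.debug("Validating token issued by composite cell");
                host = claims.getIssuer();
            } else {
                String sourceNamespace = CellStsUtils.getNamespaceFromAddress(workload);
                log.debug("Deriving hostname from source and source workload ns {}", sourceNamespace);
                host = CellStsUtils.getIssuerName(sourceCell, sourceNamespace);
            }
            return "https://" + host + ":" + resolvePort(sourceCell);
        } catch (CelleryCellSTSException | ParseException e) {
            throw new TokenValidationFailureException("Error while retrieving cell name", e);
        }
    }

    /**
     * Returns {@code true} if the token was issued by the composite STS for the workload the request
     * is addressed to.
     *
     * @param tokenDestination   destination claim of the token, may be {@code null}
     * @param requestDestination destination workload of the request
     * @param issuer             issuer claim of the token
     */
    private boolean isTokenFromComposite(String tokenDestination, String requestDestination, String issuer) {
        log.debug("Asserting whether the token is issued by composite, Issuer :{}. Destination from req : {}, destination from token : {}", issuer, requestDestination, tokenDestination);
        return COMPOSITE_ISSUER.equalsIgnoreCase(issuer) && StringUtils.equals(requestDestination, tokenDestination);
    }

    /**
     * Reads the {@code destination} claim.
     *
     * @return the claim value, or {@code null} if the token does not carry it
     * @throws TokenValidationFailureException if the claim is present but is not a string
     */
    private static String destinationClaim(JWTClaimsSet claims) throws TokenValidationFailureException {
        try {
            return claims.getStringClaim(DESTINATION_CLAIM);
        } catch (ParseException e) {
            throw new TokenValidationFailureException("Destination claim in the token is not a string", e);
        }
    }

    /** Returns {@code true} if {@code workload} names the Knative activator. */
    private static boolean isKnativeActivator(String workload) {
        return StringUtils.isNotEmpty(workload) && KNATIVE_ACTIVATOR_WORKLOAD.matcher(workload).matches();
    }

    /**
     * Returns the JWKS port of the named cell's STS. Every cell STS listens on the same port, so the
     * cell name is currently unused; it is kept so the lookup can become per-cell without touching
     * callers.
     */
    private int resolvePort(String cellInstanceName) {
        return STS_JWKS_PORT;
    }
}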
