package com.linkedin.kafka.cruisecontrol.servlet.security.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.time.Clock;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.AuthorizationService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.component.LifeCycle;

/* loaded from: input_file:com/linkedin/kafka/cruisecontrol/servlet/security/jwt/JwtLoginService.class */
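/**
 * Jetty {@link LoginService} that authenticates a request carrying a {@link SignedJWT}.
 *
 * <p>A token is accepted only when all of the following hold:
 * <ul>
 *   <li>it is in the SIGNED state and its signature verifies against the single configured
 *       RSA public key (RSASSA algorithms only, so {@code alg=none} and HMAC tokens are rejected
 *       by the verifier);</li>
 *   <li>when an audience list is configured, at least one {@code aud} value is in that list;</li>
 *   <li>its {@code exp} claim, if present, is later than the configured {@link Clock}.</li>
 * </ul>
 * The authenticated principal is then resolved through the configured {@link AuthorizationService}.
 *
 * <p>NOTE(review): tokens without an {@code exp} claim are accepted and never expire, and the
 * {@code nbf}/{@code iat}/{@code iss} claims are not checked. Confirm that the issuer always sets
 * {@code exp} before relying on this service.
 */
public class JwtLoginService extends AbstractLifeCycle implements LoginService {
    public static final String X_509_CERT_TYPE = "X.509";
    private final AuthorizationService _authorizationService;
    private IdentityService _identityService;
    private final RSAPublicKey _publicKey;
    private final List<String> _audiences;
    private Clock _clock;

    /**
     * Creates a login service whose verification key is taken from an X.509 certificate file.
     *
     * @param authorizationService service used to map the token subject to a {@link UserIdentity}
     * @param certificatePath path of the X.509 certificate holding the RSA public key
     * @param audiences accepted {@code aud} values, or {@code null} to skip audience validation
     * @throws IOException if the certificate file cannot be read
     * @throws CertificateException if the file is not a valid X.509 certificate or does not carry an RSA key
     */
    public JwtLoginService(AuthorizationService authorizationService, String certificatePath, List<String> audiences) throws IOException, CertificateException {
        this(authorizationService, readPublicKey(certificatePath), audiences);
    }

    /**
     * Creates a login service verifying tokens with the given RSA public key and the system UTC clock.
     *
     * @param authorizationService service used to map the token subject to a {@link UserIdentity}
     * @param publicKey RSA public key used for signature verification
     * @param audiences accepted {@code aud} values, or {@code null} to skip audience validation
     */
    public JwtLoginService(AuthorizationService authorizationService, RSAPublicKey publicKey, List<String> audiences) {
        this(authorizationService, publicKey, audiences, Clock.systemUTC());
    }

    /**
     * Creates a login service verifying tokens with the given RSA public key and clock.
     *
     * @param authorizationService service used to map the token subject to a {@link UserIdentity}
     * @param publicKey RSA public key used for signature verification
     * @param audiences accepted {@code aud} values, or {@code null} to skip audience validation
     * @param clock clock used to evaluate the {@code exp} claim (injectable for tests)
     */
    public JwtLoginService(AuthorizationService authorizationService, RSAPublicKey publicKey, List<String> audiences, Clock clock) {
        this._authorizationService = authorizationService;
        this._identityService = new DefaultIdentityService();
        this._publicKey = publicKey;
        this._audiences = audiences;
        this._clock = clock;
    }

    /** Starts this service and, if the authorization service is a {@link LifeCycle}, starts it too. */
    protected void doStart() throws Exception {
        super.doStart();
        if (this._authorizationService instanceof LifeCycle) {
            this._authorizationService.start();
        }
    }

    /** Stops the authorization service first (if it is a {@link LifeCycle}), then this service. */
    protected void doStop() throws Exception {
        if (this._authorizationService instanceof LifeCycle) {
            this._authorizationService.stop();
        }
        super.doStop();
    }

    /** This service has no realm name. */
    public String getName() {
        return null;
    }

    /**
     * Authenticates a request.
     *
     * @param username subject name extracted by the authenticator
     * @param credentials must be a {@link SignedJWT}; anything else is rejected
     * @param servletRequest must be an {@link HttpServletRequest}; anything else is rejected
     * @return the authenticated identity, or {@code null} if the token is malformed, fails
     *         signature/audience/expiration validation, or the authorization service knows no such user
     */
    public UserIdentity login(String username, Object credentials, ServletRequest servletRequest) {
        if (!(credentials instanceof SignedJWT) || !(servletRequest instanceof HttpServletRequest)) {
            return null;
        }
        SignedJWT signedJwt = (SignedJWT) credentials;
        try {
            JWTClaimsSet claims = signedJwt.getJWTClaimsSet();
            if (!validateToken(signedJwt, claims, username)) {
                return null;
            }
            // The raw serialized token the authenticator stashed on the request; becomes part of the principal.
            String rawToken = (String) servletRequest.getAttribute(JwtAuthenticator.JWT_TOKEN_REQUEST_ATTRIBUTE);
            UserIdentity baseIdentity = this._authorizationService.getUserIdentity((HttpServletRequest) servletRequest, username);
            if (baseIdentity == null) {
                return null;
            }
            return getUserIdentity(signedJwt, claims, rawToken, username, baseIdentity);
        } catch (ParseException e) {
            // Only the subject name is logged, never the token itself.
            JwtAuthenticator.JWT_LOGGER.warn(String.format("%s: Couldn't parse a JWT token", username), e);
            return null;
        }
    }

    /**
     * Re-checks a previously issued identity: it stays valid while every cached claims set is unexpired.
     *
     * @return {@code true} if the identity carries at least one claims set and none of them has expired
     */
    public boolean validate(UserIdentity userIdentity) {
        Set<JWTClaimsSet> cachedClaims = userIdentity.getSubject().getPrivateCredentials(JWTClaimsSet.class);
        return !cachedClaims.isEmpty() && cachedClaims.stream().allMatch(this::validateExpiration);
    }

    public IdentityService getIdentityService() {
        return this._identityService;
    }

    public void setIdentityService(IdentityService identityService) {
        this._identityService = identityService;
    }

    /** Nothing to tear down; tokens are stateless on the server side. */
    public void logout(UserIdentity userIdentity) {
    }

    /** Package-private clock override for tests. */
    void setClock(Clock clock) {
        this._clock = clock;
    }

    /**
     * Runs every validation step (deliberately not short-circuiting so each failure is logged)
     * and returns {@code true} only when all of them pass.
     */
    private boolean validateToken(SignedJWT signedJwt, JWTClaimsSet claims, String username) {
        boolean signatureOk = validateSignature(signedJwt);
        if (!signatureOk) {
            JwtAuthenticator.JWT_LOGGER.warn(String.format("%s: Signature could not be verified", username));
        }
        boolean audienceOk = validateAudiences(claims);
        if (!audienceOk) {
            JwtAuthenticator.JWT_LOGGER.warn(String.format("%s: Audience validation failed", username));
        }
        boolean expirationOk = validateExpiration(claims);
        if (!expirationOk) {
            JwtAuthenticator.JWT_LOGGER.warn(String.format("%s: Expiration validation failed", username));
        }
        return signatureOk && audienceOk && expirationOk;
    }

    /**
     * Verifies the token signature with the configured RSA public key.
     * Unsigned or already-verified/invalid-state tokens are rejected before any cryptography runs.
     */
    private boolean validateSignature(SignedJWT signedJwt) {
        if (JWSObject.State.SIGNED != signedJwt.getState() || signedJwt.getSignature() == null) {
            return false;
        }
        try {
            // RSASSAVerifier only accepts RSASSA algorithms, which pins the key type to the configured key.
            return signedJwt.verify(new RSASSAVerifier(this._publicKey));
        } catch (JOSEException e) {
            JwtAuthenticator.JWT_LOGGER.warn("Couldn't verify the signature of a token", e);
            return false;
        }
    }

    /**
     * Accepts the token when no audience list is configured, or when any {@code aud} value is in the list.
     * A configured list combined with a token lacking {@code aud} is rejected.
     */
    private boolean validateAudiences(JWTClaimsSet claims) {
        if (this._audiences == null) {
            return true;
        }
        boolean matched = claims.getAudience().stream().anyMatch(this._audiences::contains);
        if (matched) {
            JwtAuthenticator.JWT_LOGGER.trace("JWT token audience has been successfully validated");
        } else {
            JwtAuthenticator.JWT_LOGGER.trace("Couldn't find a valid audience");
        }
        return matched;
    }

    /**
     * Returns {@code true} if the {@code exp} claim is absent or still in the future according to the clock.
     * No clock-skew tolerance is applied.
     */
    private boolean validateExpiration(JWTClaimsSet claims) {
        Date expirationTime = claims.getExpirationTime();
        // NOTE(review): a missing exp claim is treated as "never expires"; callers must ensure issuers set it.
        return expirationTime == null || this._clock.instant().isBefore(expirationTime.toInstant());
    }

    /**
     * Loads the RSA public key from an X.509 certificate file.
     * Only the key is extracted; the certificate's validity period and chain are not checked here.
     *
     * @throws CertificateException if the file is not an X.509 certificate or its key is not RSA
     *         (previously a non-RSA key surfaced as an uninformative {@link ClassCastException})
     * @throws IOException if the file cannot be read
     */
    private static RSAPublicKey readPublicKey(String certificatePath) throws CertificateException, IOException {
        byte[] encodedCertificate = Files.readAllBytes(Paths.get(certificatePath));
        CertificateFactory factory = CertificateFactory.getInstance(X_509_CERT_TYPE);
        X509Certificate certificate = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encodedCertificate));
        PublicKey key = certificate.getPublicKey();
        if (!(key instanceof RSAPublicKey)) {
            throw new CertificateException(String.format("Certificate %s does not contain an RSA public key (found %s)",
                                                         certificatePath, key.getAlgorithm()));
        }
        return (RSAPublicKey) key;
    }

    /**
     * Wraps the base identity in a {@link JwtUserIdentity} whose subject carries the principal
     * and, as private credentials, both the signed token and its parsed claims (used by {@link #validate}).
     */
    private static UserIdentity getUserIdentity(SignedJWT signedJwt, JWTClaimsSet claims, String rawToken, String username, UserIdentity baseIdentity) {
        JwtUserPrincipal principal = new JwtUserPrincipal(username, rawToken);
        Set<Object> privateCredentials = new HashSet<>();
        privateCredentials.add(signedJwt);
        privateCredentials.add(claims);
        Subject subject = new Subject(true, Collections.singleton(principal), Collections.emptySet(), privateCredentials);
        return new JwtUserIdentity(subject, principal, baseIdentity);
    }
}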
