package io.strimzi.kafka.oauth.validator;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.BooleanNode;
import io.strimzi.kafka.oauth.common.HttpUtil;
import io.strimzi.kafka.oauth.common.JSONUtil;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.common.PrincipalExtractor;
import io.strimzi.kafka.oauth.common.TimeUtil;
import io.strimzi.kafka.oauth.common.TokenInfo;
import io.strimzi.kafka.oauth.jsonpath.JsonPathFilterQuery;
import io.strimzi.kafka.oauth.jsonpath.JsonPathQuery;
import io.strimzi.kafka.oauth.metrics.IntrospectHttpSensorKeyProducer;
import io.strimzi.kafka.oauth.metrics.SensorKeyProducer;
import io.strimzi.kafka.oauth.metrics.UserInfoHttpSensorKeyProducer;
import io.strimzi.kafka.oauth.services.OAuthMetrics;
import io.strimzi.kafka.oauth.services.Services;
import io.strimzi.kafka.oauth.validator.TokenValidationException;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import org.apache.kafka.common.utils.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:kafka-oauth-common-1.0.0-SNAPSHOT.jar:io/strimzi/kafka/oauth/validator/OAuthIntrospectionValidator.class */
public class OAuthIntrospectionValidator implements TokenValidator {
    private static final Logger log = LoggerFactory.getLogger(OAuthIntrospectionValidator.class);
    private final String validatorId;
    private final URI introspectionURI;
    private final String validIssuerURI;
    private final URI userInfoURI;
    private final String validTokenType;
    private final String clientId;
    private final String clientSecret;
    private final String audience;
    private final JsonPathFilterQuery customClaimMatcher;
    private final SSLSocketFactory socketFactory;
    private final HostnameVerifier hostnameVerifier;
    private final PrincipalExtractor principalExtractor;
    private final JsonPathQuery groupsMatcher;
    private final String groupsDelimiter;
    private final int connectTimeoutSeconds;
    private final int readTimeoutSeconds;
    private final boolean enableMetrics;
    private final OAuthMetrics metrics;
    private final SensorKeyProducer introspectHttpSensorKeyProducer;
    private final SensorKeyProducer userInfoHttpSensorKeyProducer;

    public OAuthIntrospectionValidator(String str, String str2, SSLSocketFactory sSLSocketFactory, HostnameVerifier hostnameVerifier, PrincipalExtractor principalExtractor, String str3, String str4, String str5, String str6, String str7, String str8, String str9, String str10, String str11, int i, int i2, boolean z) {
        this.validatorId = checkValidatorId(str);
        this.introspectionURI = checkIntrospectionUri(str2);
        this.socketFactory = checkSocketFactory(sSLSocketFactory);
        this.hostnameVerifier = checkHostnameVerifier(hostnameVerifier);
        this.principalExtractor = principalExtractor != null ? principalExtractor : new PrincipalExtractor();
        this.groupsMatcher = parseGroupsQuery(str3);
        this.groupsDelimiter = parseGroupsDelimiter(str4);
        this.validIssuerURI = checkIssuerUri(str5);
        this.userInfoURI = checkUserInfoUri(str6);
        this.validTokenType = str7;
        this.clientId = str8;
        this.clientSecret = str9;
        this.audience = str10;
        this.customClaimMatcher = parseCustomClaimCheck(str11);
        this.connectTimeoutSeconds = i;
        this.readTimeoutSeconds = i2;
        this.enableMetrics = z;
        this.metrics = z ? Services.getInstance().getMetrics() : null;
        this.introspectHttpSensorKeyProducer = new IntrospectHttpSensorKeyProducer(this.validatorId, this.introspectionURI);
        this.userInfoHttpSensorKeyProducer = this.userInfoURI != null ? new UserInfoHttpSensorKeyProducer(this.validatorId, this.userInfoURI) : null;
        if (log.isDebugEnabled()) {
            log.debug("Configured OAuthIntrospectionValidator:\n    id: " + str + "\n    introspectionEndpointUri: " + this.introspectionURI + "\n    sslSocketFactory: " + sSLSocketFactory + "\n    hostnameVerifier: " + this.hostnameVerifier + "\n    principalExtractor: " + principalExtractor + "\n    groupsClaimQuery: " + str3 + "\n    groupsClaimDelimiter: " + str4 + "\n    validIssuerUri: " + this.validIssuerURI + "\n    userInfoUri: " + this.userInfoURI + "\n    validTokenType: " + str7 + "\n    clientId: " + str8 + "\n    clientSecret: " + LogUtil.mask(str9) + "\n    audience: " + str10 + "\n    customClaimCheck: " + str11 + "\n    connectTimeoutSeconds: " + i + "\n    readTimeoutSeconds: " + i2 + "\n    enableMetrics: " + z);
        }
    }

    private HostnameVerifier checkHostnameVerifier(HostnameVerifier hostnameVerifier) {
        if (hostnameVerifier == null || "https".equals(this.introspectionURI.getScheme())) {
            return hostnameVerifier;
        }
        throw new IllegalArgumentException("Certificate hostname verifier set but keysEndpointUri not 'https'");
    }

    private URI checkUserInfoUri(String str) {
        if (str == null) {
            return null;
        }
        try {
            return new URI(str);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Invalid userInfo uri: " + str, e);
        }
    }

    private String checkIssuerUri(String str) {
        if (str != null) {
            try {
                new URI(str);
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("Invalid issuer uri: " + str, e);
            }
        }
        return str;
    }

    private SSLSocketFactory checkSocketFactory(SSLSocketFactory sSLSocketFactory) {
        if (sSLSocketFactory == null || "https".equals(this.introspectionURI.getScheme())) {
            return sSLSocketFactory;
        }
        throw new IllegalArgumentException("SSL socket factory set but introspectionEndpointUri not 'https'");
    }

    private URI checkIntrospectionUri(String str) {
        if (str == null) {
            throw new IllegalArgumentException("introspectionEndpointUri == null");
        }
        try {
            return new URI(str);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Invalid introspection endpoint uri: " + str, e);
        }
    }

    private String checkValidatorId(String str) {
        if (str == null) {
            throw new IllegalArgumentException("validatorId == null");
        }
        return str;
    }

    private JsonPathFilterQuery parseCustomClaimCheck(String str) {
        if (str == null) {
            return null;
        }
        String trim = str.trim();
        if (trim.length() == 0) {
            throw new IllegalArgumentException("Value of customClaimCheck is empty");
        }
        return JsonPathFilterQuery.parse(trim);
    }

    private JsonPathQuery parseGroupsQuery(String str) {
        if (str == null) {
            return null;
        }
        String trim = str.trim();
        if (trim.length() == 0) {
            throw new IllegalArgumentException("Value of groupsClaimQuery is empty");
        }
        return JsonPathQuery.parse(trim);
    }

    private String parseGroupsDelimiter(String str) {
        if (str == null || str.length() != 0) {
            return ",";
        }
        throw new IllegalArgumentException("Value of groupsClaimDelimiter is empty");
    }

    @Override // io.strimzi.kafka.oauth.validator.TokenValidator
    public TokenInfo validate(String str) {
        long currentTimeMillis = System.currentTimeMillis();
        try {
            JsonNode jsonNode = (JsonNode) HttpUtil.post(this.introspectionURI, this.socketFactory, this.hostnameVerifier, this.clientSecret != null ? "Basic " + OAuthAuthenticator.base64encode(this.clientId + ':' + this.clientSecret) : null, "application/x-www-form-urlencoded", "token=" + str, JsonNode.class, this.connectTimeoutSeconds, this.readTimeoutSeconds);
            addIntrospectHttpMetricSuccessTime(currentTimeMillis);
            JsonNode jsonNode2 = jsonNode.get("active");
            if (!(jsonNode2 instanceof BooleanNode)) {
                throw new ValidationException("Failed to introspect token - invalid response: \"active\" attribute is missing or not a boolean (" + jsonNode2 + ")");
            }
            if (!jsonNode2.asBoolean()) {
                throw new TokenValidationException("Token validation failed: Token not active");
            }
            JsonNode jsonNode3 = jsonNode.get("exp");
            if (jsonNode3 == null) {
                throw new IllegalStateException("Introspection response contains no expires information (\"exp\"): " + jsonNode);
            }
            long asLong = 1000 * jsonNode3.asLong();
            if (Time.SYSTEM.milliseconds() > asLong) {
                throw new TokenExpiredException("The token expired at: " + asLong + " (" + TimeUtil.formatIsoDateTimeUTC(asLong) + ")");
            }
            JsonNode jsonNode4 = jsonNode.get("iat");
            long asLong2 = jsonNode4 == null ? 0L : 1000 * jsonNode4.asLong();
            String principal = this.principalExtractor.getPrincipal(jsonNode);
            JsonNode jsonNode5 = null;
            if (principal == null) {
                if (this.userInfoURI != null) {
                    jsonNode5 = getUserInfoEndpointResponse(str);
                    principal = getPrincipalFromUserInfoEndpoint(jsonNode5);
                }
                if (principal == null && !this.principalExtractor.isConfigured()) {
                    principal = this.principalExtractor.getSub(jsonNode);
                }
                if (principal == null) {
                    throw new ValidationException("Failed to extract principal - check usernameClaim, fallbackUsernameClaim configuration");
                }
            }
            performOptionalChecks(jsonNode);
            Set<String> set = null;
            if (this.groupsMatcher != null) {
                set = extractGroupsFromResponse(jsonNode);
                if (set == null && jsonNode5 != null) {
                    set = extractGroupsFromResponse(jsonNode5);
                }
            }
            JsonNode jsonNode6 = jsonNode.get(TokenInfo.SCOPE);
            return new TokenInfo(str, jsonNode6 != null ? String.join(" ", JSONUtil.asListOfString(jsonNode6)) : null, principal, set, asLong2, asLong);
        } catch (IOException e) {
            addIntrospectHttpMetricErrorTime(e, currentTimeMillis);
            throw new ValidationException("Failed to introspect token - send, fetch or parse failed: ", e);
        }
    }

    private Set<String> extractGroupsFromResponse(JsonNode jsonNode) {
        JsonNode apply = this.groupsMatcher.apply(jsonNode);
        if (apply == null) {
            return null;
        }
        return (Set) JSONUtil.asListOfString(apply, this.groupsDelimiter != null ? this.groupsDelimiter : ",").stream().map((v0) -> {
            return v0.trim();
        }).filter(str -> {
            return !str.isEmpty();
        }).collect(Collectors.toSet());
    }

    private JsonNode getUserInfoEndpointResponse(String str) {
        String str2 = "Bearer " + str;
        long currentTimeMillis = System.currentTimeMillis();
        try {
            JsonNode jsonNode = (JsonNode) HttpUtil.get(this.userInfoURI, this.socketFactory, this.hostnameVerifier, str2, JsonNode.class, this.connectTimeoutSeconds, this.readTimeoutSeconds);
            addUserInfoHttpMetricSuccessTime(currentTimeMillis);
            return jsonNode;
        } catch (IOException e) {
            addUserInfoHttpMetricErrorTime(e, currentTimeMillis);
            throw new ValidationException("Request to User Info Endpoint failed: ", e);
        }
    }

    private String getPrincipalFromUserInfoEndpoint(JsonNode jsonNode) {
        String principal = this.principalExtractor.getPrincipal(jsonNode);
        if (principal == null && !this.principalExtractor.isConfigured()) {
            principal = this.principalExtractor.getSub(jsonNode);
        }
        return principal;
    }

    private void performOptionalChecks(JsonNode jsonNode) {
        JsonNode jsonNode2;
        JsonNode jsonNode3;
        if (this.validIssuerURI != null && ((jsonNode3 = jsonNode.get("iss")) == null || !this.validIssuerURI.equals(jsonNode3.asText()))) {
            throw new TokenValidationException("Token check failed - Invalid issuer: " + jsonNode3).status(TokenValidationException.Status.INVALID_TOKEN);
        }
        if (this.validTokenType != null && ((jsonNode2 = jsonNode.get(TokenInfo.TOKEN_TYPE)) == null || !this.validTokenType.equals(jsonNode2.asText()))) {
            throw new TokenValidationException("Token check failed - Invalid token type: " + jsonNode2 + " (should be '" + this.validTokenType + "')" + (jsonNode2 == null ? ". Consider not setting 'oauth.valid.token.type'" : "")).status(TokenValidationException.Status.UNSUPPORTED_TOKEN_TYPE);
        }
        if (this.audience != null) {
            JsonNode jsonNode4 = jsonNode.get("aud");
            if (!(jsonNode4 != null ? JSONUtil.asListOfString(jsonNode4) : Collections.emptyList()).contains(this.audience)) {
                throw new TokenValidationException("Token check failed - Invalid audience: " + jsonNode4).status(TokenValidationException.Status.INVALID_TOKEN);
            }
        }
        if (this.customClaimMatcher != null && !this.customClaimMatcher.matches(jsonNode)) {
            throw new TokenValidationException("Token check failed - Custom claim check failed.").status(TokenValidationException.Status.INVALID_TOKEN);
        }
    }

    @Override // io.strimzi.kafka.oauth.validator.TokenValidator
    public String getValidatorId() {
        return this.validatorId;
    }

    private void addIntrospectHttpMetricSuccessTime(long j) {
        if (this.enableMetrics) {
            this.metrics.addTime(this.introspectHttpSensorKeyProducer.successKey(), System.currentTimeMillis() - j);
        }
    }

    private void addIntrospectHttpMetricErrorTime(Throwable th, long j) {
        if (this.enableMetrics) {
            this.metrics.addTime(this.introspectHttpSensorKeyProducer.errorKey(th), System.currentTimeMillis() - j);
        }
    }

    private void addUserInfoHttpMetricSuccessTime(long j) {
        if (this.enableMetrics) {
            this.metrics.addTime(this.userInfoHttpSensorKeyProducer.successKey(), System.currentTimeMillis() - j);
        }
    }

    private void addUserInfoHttpMetricErrorTime(Throwable th, long j) {
        if (this.enableMetrics) {
            this.metrics.addTime(this.userInfoHttpSensorKeyProducer.errorKey(th), System.currentTimeMillis() - j);
        }
    }
}
