package io.gravitee.policy.jwt;

import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.gravitee.policy.jwt.configuration.JWTPolicyConfiguration;
import io.gravitee.policy.jwt.exceptions.ValidationFromCacheException;
import io.gravitee.repository.cache.api.CacheManager;
import io.gravitee.repository.cache.model.Cache;
import io.gravitee.repository.cache.model.Element;
import io.gravitee.repository.exceptions.CacheException;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.impl.DefaultClaims;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.env.Environment;

/* loaded from: input_file:io/gravitee/policy/jwt/JWTPolicy.class */
public class JWTPolicy {
    private static final String BEARER = "Bearer";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String DEFAULT_KID = "default";
    private static final String PUBLIC_KEY_PROPERTY = "policy.jwt.issuer.%s.%s";
    private static final String CACHE_NAME = "JWT_CACHE";
    private JWTPolicyConfiguration configuration;
    private Cache cache;
    private static final Logger LOGGER = LoggerFactory.getLogger(JWTPolicy.class);
    private static final Pattern SSH_PUB_KEY = Pattern.compile("ssh-(rsa|dsa) ([A-Za-z0-9/+]+=*) (.*)");
    private static final Pattern PIPE_SPLIT_ISSUER = Pattern.compile("\\|");

    public JWTPolicy(JWTPolicyConfiguration jWTPolicyConfiguration) {
        this.configuration = jWTPolicyConfiguration;
    }

    @OnRequest
    public void onRequest(Request request, Response response, ExecutionContext executionContext, PolicyChain policyChain) {
        try {
            String extractJsonWebToken = extractJsonWebToken(request);
            if (this.configuration.isUseValidationCache()) {
                validateTokenFromCache(executionContext, extractJsonWebToken);
            } else {
                validateJsonWebToken(executionContext, extractJsonWebToken);
            }
            policyChain.doNext(request, response);
        } catch (ExpiredJwtException | MalformedJwtException | SignatureException | IllegalArgumentException e) {
            LOGGER.error(e.getMessage(), e.getCause());
            policyChain.failWith(PolicyResult.failure(401, "Unauthorized"));
        }
    }

    private String extractJsonWebToken(Request request) {
        String first = request.headers().getFirst("Authorization");
        return first != null ? first.substring(BEARER.length()).trim() : (String) request.parameters().get(ACCESS_TOKEN);
    }

    private void validateTokenFromCache(ExecutionContext executionContext, String str) {
        try {
            CacheManager cacheManager = (CacheManager) executionContext.getComponent(CacheManager.class);
            if (cacheManager == null) {
                throw new ValidationFromCacheException("No cache manager has been found");
            }
            this.cache = cacheManager.getCache(CACHE_NAME);
            if (this.cache == null) {
                throw new ValidationFromCacheException("No cache named [ JWT_CACHE ] has been found.");
            }
            Element element = this.cache.get(str);
            if (element == null) {
                this.cache.put(Element.from(str, validateJsonWebToken(executionContext, str)));
            } else {
                if (Instant.now().isAfter((Instant) element.value())) {
                    throw new JwtException("Token expired!");
                }
            }
        } catch (ValidationFromCacheException | CacheException e) {
            LOGGER.warn("Problem occurs on cache access, token is validated throught public key! Error is : " + e.getMessage());
            validateJsonWebToken(executionContext, str);
        }
    }

    private Instant validateJsonWebToken(ExecutionContext executionContext, String str) {
        JwtParser parser = Jwts.parser();
        switch (this.configuration.getPublicKeyResolver()) {
            case GIVEN_KEY:
                parser.setSigningKey(getPublickKeyByPolicySettings(executionContext));
                break;
            case GIVEN_ISSUER:
                parser.setSigningKeyResolver(getSigningKeyResolverByPolicyIssuer(executionContext));
                break;
            case GATEWAY_KEYS:
                parser.setSigningKeyResolver(getSigningKeyResolverByGatewaySettings(executionContext));
                break;
            default:
                throw new IllegalArgumentException("Unexpected public key resolver value.");
        }
        return ((DefaultClaims) parser.parse(str).getBody()).getExpiration().toInstant();
    }

    private SigningKeyResolver getSigningKeyResolverByGatewaySettings(final ExecutionContext executionContext) {
        return new SigningKeyResolverAdapter() { // from class: io.gravitee.policy.jwt.JWTPolicy.1
            public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
                String keyId = jwsHeader.getKeyId();
                String str = (String) claims.get("iss");
                if (keyId == null || keyId.isEmpty()) {
                    keyId = JWTPolicy.DEFAULT_KID;
                }
                String property = ((Environment) executionContext.getComponent(Environment.class)).getProperty(String.format(JWTPolicy.PUBLIC_KEY_PROPERTY, str, keyId));
                if (property == null || property.trim().isEmpty()) {
                    return null;
                }
                return JWTPolicy.parsePublicKey(property);
            }
        };
    }

    private SigningKeyResolver getSigningKeyResolverByPolicyIssuer(final ExecutionContext executionContext) {
        if (this.configuration.getResolverParameter() == null || this.configuration.getResolverParameter().trim().isEmpty()) {
            throw new IllegalArgumentException("missing issuer into the policy settings");
        }
        return new SigningKeyResolverAdapter() { // from class: io.gravitee.policy.jwt.JWTPolicy.2
            public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
                String str = (String) claims.get("iss");
                JWTPolicy.LOGGER.debug("Transform given issuer {} using template engine", JWTPolicy.this.configuration.getResolverParameter());
                if (!JWTPolicy.PIPE_SPLIT_ISSUER.splitAsStream(executionContext.getTemplateEngine().convert(JWTPolicy.this.configuration.getResolverParameter())).anyMatch(str2 -> {
                    return str2.equals(str);
                })) {
                    return null;
                }
                String keyId = jwsHeader.getKeyId();
                if (keyId == null || keyId.trim().isEmpty()) {
                    keyId = JWTPolicy.DEFAULT_KID;
                }
                String property = ((Environment) executionContext.getComponent(Environment.class)).getProperty(String.format(JWTPolicy.PUBLIC_KEY_PROPERTY, str, keyId));
                if (property == null || property.trim().isEmpty()) {
                    return null;
                }
                return JWTPolicy.parsePublicKey(property);
            }
        };
    }

    private RSAPublicKey getPublickKeyByPolicySettings(ExecutionContext executionContext) {
        String resolverParameter = this.configuration.getResolverParameter();
        if (resolverParameter == null || resolverParameter.trim().isEmpty()) {
            throw new IllegalArgumentException("No specified given key while expecting it due to policy settings.");
        }
        LOGGER.debug("Transform given key {} using template engine", resolverParameter);
        return parsePublicKey(executionContext.getTemplateEngine().convert(resolverParameter));
    }

    static RSAPublicKey parsePublicKey(String str) {
        Matcher matcher = SSH_PUB_KEY.matcher(str);
        if (!matcher.matches()) {
            return null;
        }
        String group = matcher.group(1);
        String group2 = matcher.group(2);
        if ("rsa".equalsIgnoreCase(group)) {
            return parseSSHPublicKey(group2);
        }
        throw new IllegalArgumentException("Only RSA is currently supported, but algorithm was " + group);
    }

    private static RSAPublicKey parseSSHPublicKey(String str) {
        byte[] bArr = {0, 0, 0, 7, 115, 115, 104, 45, 114, 115, 97};
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.getDecoder().decode(StandardCharsets.UTF_8.encode(str)).array());
        byte[] bArr2 = new byte[11];
        try {
            if (byteArrayInputStream.read(bArr2) == 11 && Arrays.equals(bArr, bArr2)) {
                return createPublicKey(new BigInteger(readBigInteger(byteArrayInputStream)), new BigInteger(readBigInteger(byteArrayInputStream)));
            }
            throw new IllegalArgumentException("SSH key prefix not found");
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    static RSAPublicKey createPublicKey(BigInteger bigInteger, BigInteger bigInteger2) {
        try {
            return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(bigInteger, bigInteger2));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private static byte[] readBigInteger(ByteArrayInputStream byteArrayInputStream) throws IOException {
        byte[] bArr = new byte[4];
        if (byteArrayInputStream.read(bArr) != 4) {
            throw new IOException("Expected length data as 4 bytes");
        }
        int i = (bArr[0] << 24) | (bArr[1] << 16) | (bArr[2] << 8) | bArr[3];
        byte[] bArr2 = new byte[i];
        if (byteArrayInputStream.read(bArr2) != i) {
            throw new IOException("Expected " + i + " key bytes");
        }
        return bArr2;
    }
}
