package com.yahoo.athenz.instance.provider.impl;

import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.auth.token.PrincipalToken;
import com.yahoo.athenz.auth.token.Token;
import com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver;
import com.yahoo.athenz.common.server.dns.HostnameResolver;
import com.yahoo.athenz.common.server.util.ResourceUtils;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import com.yahoo.athenz.instance.provider.ResourceException;
import com.yahoo.athenz.zts.InstanceRegisterToken;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.PrivateKey;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceZTSProvider.class */
public class InstanceZTSProvider implements InstanceProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(InstanceZTSProvider.class);
    private static final Pattern WHITESPACE_PATTERN = Pattern.compile("\\s+");
    private static final String URI_HOSTNAME_PREFIX = "athenz://hostname/";
    static final String ZTS_PROP_PROVIDER_DNS_SUFFIX = "athenz.zts.provider_dns_suffix";
    static final String ZTS_PROP_PRINCIPAL_LIST = "athenz.zts.provider_service_list";
    static final String ZTS_PROP_EXPIRY_TIME = "athenz.zts.provider_token_expiry_time";
    static final String ZTS_PROVIDER_SERVICE = "sys.auth.zts";
    public static final String HDR_KEY_ID = "kid";
    public static final String HDR_TOKEN_TYPE = "typ";
    public static final String HDR_TOKEN_JWT = "jwt";
    public static final String CLAIM_PROVIDER = "provider";
    public static final String CLAIM_DOMAIN = "domain";
    public static final String CLAIM_SERVICE = "service";
    public static final String CLAIM_CLIENT_ID = "client_id";
    public static final String CLAIM_INSTANCE_ID = "instance_id";
    KeyStore keyStore = null;
    Set<String> dnsSuffixes = null;
    String provider = null;
    String keyId = null;
    PrivateKey key = null;
    SignatureAlgorithm keyAlg = null;
    Set<String> principals = null;
    HostnameResolver hostnameResolver = null;
    JwtsSigningKeyResolver signingKeyResolver = null;
    int expiryTime;

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceProvider.Scheme getProviderScheme() {
        return InstanceProvider.Scheme.CLASS;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void initialize(String str, String str2, SSLContext sSLContext, KeyStore keyStore) {
        this.provider = str;
        String property = System.getProperty(ZTS_PROP_PRINCIPAL_LIST);
        if (property != null && !property.isEmpty()) {
            this.principals = new HashSet(Arrays.asList(property.split(",")));
        }
        this.dnsSuffixes = new HashSet();
        String property2 = System.getProperty(ZTS_PROP_PROVIDER_DNS_SUFFIX, "zts.athenz.cloud");
        if (StringUtil.isEmpty(property2)) {
            property2 = "zts.athenz.cloud";
        }
        this.dnsSuffixes.addAll(Arrays.asList(property2.split(",")));
        this.keyStore = keyStore;
        this.expiryTime = Integer.parseInt(System.getProperty(ZTS_PROP_EXPIRY_TIME, "30"));
        this.signingKeyResolver = new JwtsSigningKeyResolver((String) null, (SSLContext) null);
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void setPrivateKey(PrivateKey privateKey, String str, SignatureAlgorithm signatureAlgorithm) {
        this.key = privateKey;
        this.keyId = str;
        this.keyAlg = signatureAlgorithm;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void setHostnameResolver(HostnameResolver hostnameResolver) {
        this.hostnameResolver = hostnameResolver;
    }

    private ResourceException forbiddenError(String str) {
        LOGGER.error(str);
        return new ResourceException(ResourceException.FORBIDDEN, str);
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation confirmInstance(InstanceConfirmation instanceConfirmation) {
        return validateInstanceRequest(instanceConfirmation, true);
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation refreshInstance(InstanceConfirmation instanceConfirmation) {
        return validateInstanceRequest(instanceConfirmation, false);
    }

    InstanceConfirmation validateInstanceRequest(InstanceConfirmation instanceConfirmation, boolean z) {
        Map<String, String> emptyMap;
        boolean validateRegisterToken;
        String domain = instanceConfirmation.getDomain();
        String service = instanceConfirmation.getService();
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        String instanceProperty = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_CSR_PUBLIC_KEY);
        if (this.principals != null && !this.principals.contains(domain + "." + service)) {
            throw forbiddenError("Service not supported to be launched by ZTS Provider");
        }
        String attestationData = instanceConfirmation.getAttestationData();
        if (StringUtil.isEmpty(attestationData)) {
            throw forbiddenError("Service credentials not provided");
        }
        StringBuilder sb = new StringBuilder(256);
        if (attestationData.startsWith("v=S1;")) {
            emptyMap = new HashMap();
            emptyMap.put(InstanceProvider.ZTS_CERT_REFRESH, "false");
            validateRegisterToken = validateServiceToken(attestationData, domain, service, instanceProperty, sb);
        } else {
            emptyMap = Collections.emptyMap();
            validateRegisterToken = validateRegisterToken(attestationData, domain, service, InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_ID), z, sb);
        }
        if (!validateRegisterToken) {
            LOGGER.error(sb.toString());
            throw forbiddenError("Unable to validate Certificate Request Auth Token");
        }
        String instanceProperty2 = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_CLIENT_IP);
        String instanceProperty3 = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_SAN_IP);
        String instanceProperty4 = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_HOSTNAME);
        String instanceProperty5 = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_SAN_URI);
        String[] strArr = null;
        if (instanceProperty3 != null && !instanceProperty3.isEmpty()) {
            strArr = instanceProperty3.split(",");
        }
        if (!validateSanIp(strArr, instanceProperty2)) {
            throw forbiddenError("Unable to validate request IP address");
        }
        if (!validateHostname(instanceProperty4, strArr)) {
            throw forbiddenError("Unable to validate certificate request hostname");
        }
        if (!validateSanUri(instanceProperty5, instanceProperty4)) {
            throw forbiddenError("Unable to validate certificate request URI hostname");
        }
        if (!InstanceUtils.validateCertRequestSanDnsNames(attributes, domain, service, this.dnsSuffixes, null, false, new StringBuilder(256))) {
            throw forbiddenError("Unable to validate certificate request DNS");
        }
        instanceConfirmation.setAttributes(emptyMap);
        return instanceConfirmation;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceRegisterToken getInstanceRegisterToken(InstanceConfirmation instanceConfirmation) {
        return new InstanceRegisterToken().setProvider(instanceConfirmation.getProvider()).setDomain(instanceConfirmation.getDomain()).setService(instanceConfirmation.getService()).setAttestationData(Jwts.builder().setId(UUID.randomUUID().toString()).setSubject(ResourceUtils.serviceResourceName(instanceConfirmation.getDomain(), instanceConfirmation.getService())).setIssuedAt(Date.from(Instant.now())).setIssuer(this.provider).setAudience(this.provider).claim(CLAIM_PROVIDER, instanceConfirmation.getProvider()).claim("domain", instanceConfirmation.getDomain()).claim("service", instanceConfirmation.getService()).claim(CLAIM_INSTANCE_ID, InstanceUtils.getInstanceProperty(instanceConfirmation.getAttributes(), InstanceProvider.ZTS_INSTANCE_ID)).claim(CLAIM_CLIENT_ID, InstanceUtils.getInstanceProperty(instanceConfirmation.getAttributes(), InstanceProvider.ZTS_REQUEST_PRINCIPAL)).setHeaderParam(HDR_KEY_ID, this.keyId).setHeaderParam(HDR_TOKEN_TYPE, HDR_TOKEN_JWT).signWith(this.key, this.keyAlg).compact());
    }

    boolean validateSanIp(String[] strArr, String str) {
        LOGGER.debug("Validating sanIps: {}, clientIp: {}", strArr, str);
        if (strArr == null || strArr.length == 0) {
            return true;
        }
        if (str == null || str.isEmpty()) {
            return false;
        }
        for (String str2 : strArr) {
            if (str2.equals(str)) {
                return true;
            }
        }
        LOGGER.error("Unable to match sanIp: {} with clientIp:{}", strArr, str);
        return false;
    }

    boolean validateHostname(String str, String[] strArr) {
        LOGGER.debug("Validating hostname: {}, sanIps: {}", str, strArr);
        if (str == null || str.isEmpty()) {
            LOGGER.info("Request contains no hostname entry for validation");
            if (strArr == null || strArr.length <= 1) {
                return true;
            }
            LOGGER.error("SanIps:{} > 1, and hostname is empty", Integer.valueOf(strArr.length));
            return false;
        }
        if (strArr == null || strArr.length == 0) {
            LOGGER.error("Request contains no sanIp entry for hostname:{} validation", str);
            return false;
        }
        Set allByName = this.hostnameResolver.getAllByName(str);
        for (String str2 : strArr) {
            if (!allByName.contains(str2)) {
                LOGGER.error("One of sanIp: {} is not present in HostIps: {}", allByName, strArr);
                return false;
            }
        }
        return true;
    }

    boolean validateSanUri(String str, String str2) {
        LOGGER.debug("Validating sanUri: {}, hostname: {}", str, str2);
        if (str == null || str.isEmpty()) {
            LOGGER.info("Request contains no sanURI to verify");
            return true;
        }
        for (String str3 : str.split(",")) {
            int indexOf = str3.indexOf(URI_HOSTNAME_PREFIX);
            if (indexOf != -1 && !str3.substring(indexOf + URI_HOSTNAME_PREFIX.length()).equals(str2)) {
                LOGGER.error("SanURI: {} does not contain hostname: {}", str, str2);
                return false;
            }
        }
        return true;
    }

    boolean validateServiceToken(String str, String str2, String str3, String str4, StringBuilder sb) {
        PrincipalToken authenticate = authenticate(str, this.keyStore, str4, sb);
        if (authenticate == null) {
            return false;
        }
        if (!authenticate.getDomain().equalsIgnoreCase(str2)) {
            sb.append("validate failed: domain mismatch: ").append(authenticate.getDomain()).append(" vs. ").append(str2);
            return false;
        }
        if (authenticate.getName().equalsIgnoreCase(str3)) {
            return true;
        }
        sb.append("validate failed: service mismatch: ").append(authenticate.getName()).append(" vs. ").append(str3);
        return false;
    }

    boolean validateRegisterToken(String str, String str2, String str3, String str4, boolean z, StringBuilder sb) {
        Date issuedAt;
        Claims claims = (Claims) Jwts.parserBuilder().setSigningKeyResolver(this.signingKeyResolver).setAllowedClockSkewSeconds(60L).build().parseClaimsJws(str).getBody();
        if (!ZTS_PROVIDER_SERVICE.equals(claims.getAudience())) {
            sb.append("token audience is not ZTS provider: ").append(claims.getAudience());
            return false;
        }
        if (z && ((issuedAt = claims.getIssuedAt()) == null || issuedAt.getTime() < System.currentTimeMillis() - TimeUnit.MINUTES.toMillis(this.expiryTime))) {
            sb.append("token is already expired, issued at: ").append(issuedAt);
            return false;
        }
        if (!str2.equals(claims.get("domain", String.class))) {
            sb.append("invalid domain name in token: ").append((String) claims.get("domain", String.class));
            return false;
        }
        if (!str3.equals(claims.get("service", String.class))) {
            sb.append("invalid service name in token: ").append((String) claims.get("service", String.class));
            return false;
        }
        if (!str4.equals(claims.get(CLAIM_INSTANCE_ID, String.class))) {
            sb.append("invalid instance id in token: ").append((String) claims.get(CLAIM_INSTANCE_ID, String.class));
            return false;
        }
        if (ZTS_PROVIDER_SERVICE.equals(claims.get(CLAIM_PROVIDER, String.class))) {
            return true;
        }
        sb.append("invalid provider name in token: ").append((String) claims.get(CLAIM_PROVIDER, String.class));
        return false;
    }

    PrincipalToken authenticate(String str, KeyStore keyStore, String str2, StringBuilder sb) {
        try {
            PrincipalToken principalToken = new PrincipalToken(str);
            if (principalToken.getAuthorizedServices() != null) {
                sb.append("authenticate failed: authorized service token").append(" : credential=").append(Token.getUnsignedToken(str));
                LOGGER.error(sb.toString());
                return null;
            }
            String publicKey = keyStore.getPublicKey(principalToken.getDomain().toLowerCase(), principalToken.getName().toLowerCase(), principalToken.getKeyId());
            if (!principalToken.validate(publicKey, 300, false, sb)) {
                return null;
            }
            if (validatePublicKeys(publicKey, str2)) {
                return principalToken;
            }
            sb.append("CSR and Athenz public key mismatch");
            LOGGER.error(sb.toString());
            return null;
        } catch (IllegalArgumentException e) {
            sb.append("authenticate failed: Invalid token: exc=").append(e.getMessage()).append(" : credential=").append(Token.getUnsignedToken(str));
            LOGGER.error(sb.toString());
            return null;
        }
    }

    public boolean validatePublicKeys(String str, String str2) {
        return WHITESPACE_PATTERN.matcher(str).replaceAll("").equals(WHITESPACE_PATTERN.matcher(str2).replaceAll(""));
    }
}
