package com.yahoo.athenz.instance.provider.impl;

import com.yahoo.athenz.auth.token.IdToken;
import com.yahoo.athenz.auth.token.jwts.JwtsHelper;
import com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.KubernetesDistributionValidator;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import java.lang.invoke.MethodHandles;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/CommonKubernetesDistributionValidator.class */
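/**
 * Shared validation logic for Kubernetes distributions that attest with an OIDC id_token.
 *
 * <p>The flow visible here is: read the issuer out of the (not yet verified) token, discover the
 * issuer's JWKS via its OpenID configuration document, verify the token signature with those keys,
 * then check the audience against the configured value and the subject against the requested
 * {@code domain.service}. Every rejection reason is appended to the caller-supplied
 * {@link StringBuilder} so the provider can surface it.
 *
 * <p>Thread-safety: the only shared mutable state is {@code issuersMap}, a
 * {@link ConcurrentHashMap}; a lost race on first-time insertion is harmless (see
 * {@link #getSigningKeyResolverForIssuer}).
 */
public abstract class CommonKubernetesDistributionValidator implements KubernetesDistributionValidator {
    private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());

    /** System property naming the audience every attestation id_token must carry. */
    static final String ZTS_PROP_K8S_ATTESTATION_EXPECTED_AUDIENCE = "athenz.zts.k8s_provider_attestation_expected_audience";

    /** Suffix appended to an issuer to reach its OpenID discovery document. */
    private static final String OPENID_CONFIGURATION_PATH = "/.well-known/openid-configuration";

    /** Message recorded whenever the issuer cannot be read from the attestation token. */
    private static final String MALFORMED_TOKEN_MSG = "No issuer present in the attestation data token. Possibly malformed token";

    // Defaults to "" (not null) so a validator that was never initialize()d rejects every
    // token instead of failing with a NullPointerException in validateAttestationData.
    String k8sAttestationExpectedAudience = "";

    // issuer -> resolver holding that issuer's public keys; populated lazily on first use.
    Map<String, JwtsSigningKeyResolver> issuersMap = new ConcurrentHashMap<>();

    // Package-private so tests and subclasses can substitute the discovery helper.
    JwtsHelper jwtsHelper = new JwtsHelper();

    /**
     * Reads the expected audience from {@link #ZTS_PROP_K8S_ATTESTATION_EXPECTED_AUDIENCE}.
     * An unset property yields {@code ""}, which matches no realistic audience (fail closed).
     */
    @Override
    public void initialize() {
        this.k8sAttestationExpectedAudience = System.getProperty(ZTS_PROP_K8S_ATTESTATION_EXPECTED_AUDIENCE, "");
    }

    /**
     * Extracts the {@code iss} claim from the attestation id_token <em>without</em> verifying
     * its signature. The signature segment is stripped only so the claims can be read before the
     * issuer's keys are known; the token is verified afterwards in {@link #validateIdToken}, so
     * nothing returned here may be trusted on its own.
     *
     * @param idTokenAttestationData attestation payload carrying the compact-serialized id_token
     * @param sb                     receives a human-readable reason when no issuer can be read
     * @return the issuer string, or {@code null} when the token is absent, malformed or has no issuer
     */
    public String getIssuerFromToken(IdTokenAttestationData idTokenAttestationData, StringBuilder sb) {
        final String token = idTokenAttestationData.getIdentityToken();
        // A compact JWS is header.payload.signature; with no '.' there is nothing to parse
        // (the original substring(0, lastIndexOf + 1) would have produced "" and thrown).
        final int lastDot = token == null ? -1 : token.lastIndexOf('.');
        if (lastDot < 0) {
            sb.append(MALFORMED_TOKEN_MSG);
            return null;
        }
        final String issuer;
        try {
            // Keep the trailing '.' so the parser sees an unsigned JWT ("header.payload.")
            // and reads the claims without requiring a signing key.
            final Claims claims = Jwts.parserBuilder()
                    .setAllowedClockSkewSeconds(60L)
                    .build()
                    .parseClaimsJwt(token.substring(0, lastDot + 1))
                    .getBody();
            issuer = claims.getIssuer();
        } catch (RuntimeException e) {
            // jjwt reports malformed input via RuntimeException subclasses; the token itself is
            // deliberately not logged.
            LOGGER.debug("Unable to parse attestation id_token claims: {}", e.getMessage());
            sb.append(MALFORMED_TOKEN_MSG);
            return null;
        }
        if (StringUtil.isEmpty(issuer)) {
            sb.append(MALFORMED_TOKEN_MSG);
        }
        return issuer;
    }

    /**
     * Returns the cached key resolver for {@code issuer}, building and caching one on first use
     * by fetching the issuer's OpenID configuration and then its JWKS.
     *
     * @param issuer issuer URL as read from the token
     * @param sb     receives the reason when no resolver could be produced
     * @return a resolver with at least one public key, or {@code null} on failure
     */
    JwtsSigningKeyResolver getSigningKeyResolverForIssuer(String issuer, StringBuilder sb) {
        if (StringUtil.isEmpty(issuer)) {
            // ConcurrentHashMap rejects null keys, and an empty issuer cannot name a discovery URL.
            sb.append("id_token issuer does not have valid jwks uri.");
            return null;
        }
        final JwtsSigningKeyResolver cached = this.issuersMap.get(issuer);
        if (cached != null) {
            return cached;
        }
        // NOTE(review): the issuer string comes from a token whose signature has not been
        // verified yet and it selects the URL fetched below; restricting which issuers may
        // reach this point is expected to happen in the caller — TODO confirm.
        final String jwksUri = this.jwtsHelper.extractJwksUri(issuer + OPENID_CONFIGURATION_PATH, (SSLContext) null);
        if (StringUtil.isEmpty(jwksUri)) {
            sb.append("id_token issuer does not have valid jwks uri.");
            return null;
        }
        final JwtsSigningKeyResolver resolver = new JwtsSigningKeyResolver(jwksUri, (SSLContext) null, true);
        if (resolver.publicKeyCount() == 0) {
            sb.append("No id_token issuer public keys available.");
            return null;
        }
        // Two threads racing on the first lookup may each build a resolver; the last put wins,
        // which is harmless because both were built from the same JWKS URI.
        this.issuersMap.put(issuer, resolver);
        return resolver;
    }

    /**
     * Verifies the attestation id_token's signature against the issuer's published keys.
     *
     * @param issuer                 issuer whose keys must have signed the token
     * @param idTokenAttestationData attestation payload carrying the id_token
     * @param sb                     receives the reason when verification fails
     * @return the verified token, or {@code null} when no keys are available or verification fails
     */
    IdToken validateIdToken(String issuer, IdTokenAttestationData idTokenAttestationData, StringBuilder sb) {
        final JwtsSigningKeyResolver resolver = getSigningKeyResolverForIssuer(issuer, sb);
        if (resolver == null) {
            // The specific reason has already been appended to sb.
            return null;
        }
        try {
            return new IdToken(idTokenAttestationData.getIdentityToken(), resolver);
        } catch (Exception e) {
            // Keep the failure visible for operators without echoing the token.
            LOGGER.debug("id_token verification failed for issuer {}: {}", issuer, e.getMessage());
            sb.append("invalid attestation data for K8S certificate request.");
            return null;
        }
    }

    /**
     * Validates the attestation id_token end to end: signature (with one key refresh and retry),
     * audience, then subject.
     *
     * @param instanceConfirmation the certificate request being attested
     * @param idTokenAttestationData attestation payload carrying the id_token
     * @param issuer issuer previously read from the token
     * @param sb receives the rejection reason when the result is {@code false}
     * @return {@code true} only when signature, audience and subject all check out
     */
    @Override
    public boolean validateAttestationData(InstanceConfirmation instanceConfirmation, IdTokenAttestationData idTokenAttestationData, String issuer, StringBuilder sb) {
        IdToken idToken = validateIdToken(issuer, idTokenAttestationData, sb);
        if (idToken == null) {
            // Presumably the issuer rotated its keys since they were cached: refresh once and retry.
            // Without a cached resolver (discovery failed, no keys, null issuer) a refresh cannot
            // help, and dereferencing the missing entry would throw instead of rejecting.
            final JwtsSigningKeyResolver resolver = issuer == null ? null : this.issuersMap.get(issuer);
            if (resolver == null) {
                sb.append("id_token in the attestation data is invalid.");
                return false;
            }
            LOGGER.warn("No valid id_token found. Refresh public keys and retry once.");
            resolver.loadPublicKeysFromServer();
            idToken = validateIdToken(issuer, idTokenAttestationData, sb);
            if (idToken == null) {
                sb.append("id_token in the attestation data is invalid.");
                return false;
            }
        }
        final String audience = idToken.getAudience();
        // equals() is invoked on the configured value so a missing audience claim cannot NPE.
        if (!this.k8sAttestationExpectedAudience.equals(audience)) {
            sb.append("attestation id_token does not contain expected audience. provided audience=").append(audience);
            return false;
        }
        return validateSubject(instanceConfirmation, idToken, sb);
    }

    /**
     * Checks that the service account named by the token subject is exactly the
     * {@code domain.service} being requested.
     *
     * @param instanceConfirmation the certificate request being attested
     * @param idToken              the already verified id_token
     * @param sb                   receives the mismatch details when the result is {@code false}
     * @return {@code true} when the subject's service account matches the request
     */
    boolean validateSubject(InstanceConfirmation instanceConfirmation, IdToken idToken, StringBuilder sb) {
        final String requestedService = instanceConfirmation.getDomain() + "." + instanceConfirmation.getService();
        final String tokenService = InstanceUtils.getServiceAccountNameFromIdTokenSubject(idToken.getSubject());
        if (requestedService.equals(tokenService)) {
            return true;
        }
        sb.append("subject mismatch between attestation id_token=").append(tokenService).append(" and requested certificate=").append(requestedService);
        return false;
    }
}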
