package com.yahoo.athenz.instance.provider.impl;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.yahoo.athenz.auth.Authorizer;
import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.auth.impl.SimplePrincipal;
import com.yahoo.athenz.auth.token.jwts.JwtsHelper;
import com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver;
import com.yahoo.athenz.common.server.util.config.ConfigManagerSingleton;
import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigLong;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import com.yahoo.athenz.instance.provider.ProviderResourceException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceBuildKiteProvider.class */
public class InstanceBuildKiteProvider implements InstanceProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(InstanceBuildKiteProvider.class);
    private static final String URI_INSTANCE_ID_PREFIX = "athenz://instanceid/";
    private static final String URI_SPIFFE_PREFIX = "spiffe://";
    static final String BUILD_KITE_PROP_PROVIDER_DNS_SUFFIX = "athenz.zts.build_kite.provider_dns_suffix";
    static final String BUILD_KITE_PROP_BOOT_TIME_OFFSET = "athenz.zts.build_kite.boot_time_offset";
    static final String BUILD_KITE_PROP_CERT_EXPIRY_TIME = "athenz.zts.build_kite.cert_expiry_time";
    static final String BUILD_KITE_PROP_AUDIENCE = "athenz.zts.build_kite.audience";
    static final String BUILD_KITE_PROP_ISSUER = "athenz.zts.build_kite.issuer";
    static final String BUILD_KITE_PROP_JWKS_URI = "athenz.zts.build_kite.jwks_uri";
    static final String BUILD_KITE_ISSUER = "https://agent.buildkite.com";
    static final String BUILD_KITE_ISSUER_JWKS_URI = "https://agent.buildkite.com/.well-known/jwks";
    public static final String CLAIM_ORGANIZATION_SLUG = "organization_slug";
    public static final String CLAIM_PIPELINE_SLUG = "pipeline_slug";
    public static final String CLAIM_BUILD_NUMBER = "build_number";
    public static final String CLAIM_JOB_ID = "job_id";
    Set<String> dnsSuffixes = null;
    String buildKiteIssuer = null;
    String provider = null;
    String audience = null;
    ConfigurableJWTProcessor<SecurityContext> jwtProcessor = null;
    Authorizer authorizer = null;
    DynamicConfigLong bootTimeOffsetSeconds;
    long certExpiryTime;

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceProvider.Scheme getProviderScheme() {
        return InstanceProvider.Scheme.CLASS;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void initialize(String str, String str2, SSLContext sSLContext, KeyStore keyStore) {
        this.provider = str;
        this.audience = System.getProperty(BUILD_KITE_PROP_AUDIENCE, "athenz.io");
        this.dnsSuffixes = Set.of((Object[]) System.getProperty(BUILD_KITE_PROP_PROVIDER_DNS_SUFFIX, "build-kite.athenz.io").split(","));
        this.bootTimeOffsetSeconds = new DynamicConfigLong(ConfigManagerSingleton.CONFIG_MANAGER, BUILD_KITE_PROP_BOOT_TIME_OFFSET, Long.valueOf(TimeUnit.SECONDS.convert(5L, TimeUnit.MINUTES)));
        this.certExpiryTime = Long.parseLong(System.getProperty(BUILD_KITE_PROP_CERT_EXPIRY_TIME, "360"));
        this.buildKiteIssuer = System.getProperty(BUILD_KITE_PROP_ISSUER, BUILD_KITE_ISSUER);
        this.jwtProcessor = JwtsHelper.getJWTProcessor(new JwtsSigningKeyResolver(extractIssuerJwksUri(this.buildKiteIssuer), (SSLContext) null));
    }

    String extractIssuerJwksUri(String str) {
        String property = System.getProperty(BUILD_KITE_PROP_JWKS_URI);
        if (!StringUtil.isEmpty(property)) {
            return property;
        }
        String extractJwksUri = new JwtsHelper().extractJwksUri(str + "/.well-known/openid-configuration", (SSLContext) null);
        return StringUtil.isEmpty(extractJwksUri) ? BUILD_KITE_ISSUER_JWKS_URI : extractJwksUri;
    }

    private ProviderResourceException forbiddenError(String str) {
        LOGGER.error(str);
        return new ProviderResourceException(ProviderResourceException.FORBIDDEN, str);
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void setAuthorizer(Authorizer authorizer) {
        this.authorizer = authorizer;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation confirmInstance(InstanceConfirmation instanceConfirmation) throws ProviderResourceException {
        if (this.authorizer == null) {
            throw forbiddenError("Authorizer not available");
        }
        String domain = instanceConfirmation.getDomain();
        String service = instanceConfirmation.getService();
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        if (!StringUtil.isEmpty(InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_SAN_IP))) {
            throw forbiddenError("Request must not have any sanIP addresses");
        }
        if (!StringUtil.isEmpty(InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_HOSTNAME))) {
            throw forbiddenError("Request must not have any hostname values");
        }
        if (!validateSanUri(InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_SAN_URI))) {
            throw forbiddenError("Unable to validate certificate request URI values");
        }
        String attestationData = instanceConfirmation.getAttestationData();
        if (StringUtil.isEmpty(attestationData)) {
            throw forbiddenError("Service credentials not provided");
        }
        StringBuilder sb = new StringBuilder(256);
        if (!validateOIDCToken(attestationData, domain, service, InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_ID), sb)) {
            throw forbiddenError("Unable to validate Certificate Request: " + sb);
        }
        if (!InstanceUtils.validateCertRequestSanDnsNames(attributes, domain, service, this.dnsSuffixes, null, null, false, new StringBuilder(256), null)) {
            throw forbiddenError("Unable to validate certificate request sanDNS entries");
        }
        HashMap hashMap = new HashMap();
        hashMap.put(InstanceProvider.ZTS_CERT_REFRESH, "false");
        hashMap.put(InstanceProvider.ZTS_CERT_USAGE, InstanceProvider.ZTS_CERT_USAGE_CLIENT);
        hashMap.put(InstanceProvider.ZTS_CERT_EXPIRY_TIME, Long.toString(this.certExpiryTime));
        instanceConfirmation.setAttributes(hashMap);
        return instanceConfirmation;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation refreshInstance(InstanceConfirmation instanceConfirmation) throws ProviderResourceException {
        throw forbiddenError("BuildKite X.509 Certificates cannot be refreshed");
    }

    boolean validateSanUri(String str) {
        if (StringUtil.isEmpty(str)) {
            LOGGER.debug("Request contains no sanURI to verify");
            return true;
        }
        for (String str2 : str.split(",")) {
            if (!str2.startsWith(URI_SPIFFE_PREFIX) && !str2.startsWith(URI_INSTANCE_ID_PREFIX)) {
                LOGGER.error("Request contains unsupported uri value: {}", str2);
                return false;
            }
        }
        return true;
    }

    boolean validateOIDCToken(String str, String str2, String str3, String str4, StringBuilder sb) {
        if (this.jwtProcessor == null) {
            sb.append("JWT Processor not initialized");
            return false;
        }
        try {
            JWTClaimsSet process = this.jwtProcessor.process(str, (SecurityContext) null);
            if (!this.buildKiteIssuer.equals(process.getIssuer())) {
                sb.append("token issuer is not BuildKite: ").append(process.getIssuer());
                return false;
            }
            if (!this.audience.equals(JwtsHelper.getAudience(process))) {
                sb.append("token audience is not ZTS Server audience: ").append(JwtsHelper.getAudience(process));
                return false;
            }
            Date issueTime = process.getIssueTime();
            if (issueTime == null || issueTime.getTime() < System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(((Long) this.bootTimeOffsetSeconds.get()).longValue())) {
                sb.append("job start time is not recent enough, issued at: ").append(issueTime);
                return false;
            }
            if (validateInstanceId(str4, process, sb)) {
                return validateTenantDomainToken(process, str2, str3, sb);
            }
            return false;
        } catch (Exception e) {
            sb.append("Unable to parse and validate token: ").append(e.getMessage());
            return false;
        }
    }

    boolean validateInstanceId(String str, JWTClaimsSet jWTClaimsSet, StringBuilder sb) {
        String stringClaim = JwtsHelper.getStringClaim(jWTClaimsSet, CLAIM_ORGANIZATION_SLUG);
        if (StringUtil.isEmpty(stringClaim)) {
            sb.append("token does not contain required organization_slug claim");
            return false;
        }
        String stringClaim2 = JwtsHelper.getStringClaim(jWTClaimsSet, CLAIM_PIPELINE_SLUG);
        if (StringUtil.isEmpty(stringClaim2)) {
            sb.append("token does not contain required pipeline_slug claim");
            return false;
        }
        long longClaim = JwtsHelper.getLongClaim(jWTClaimsSet, CLAIM_BUILD_NUMBER, -1L);
        if (longClaim == -1) {
            sb.append("token does not contain required build_number claim");
            return false;
        }
        if (StringUtil.isEmpty(JwtsHelper.getStringClaim(jWTClaimsSet, CLAIM_JOB_ID))) {
            sb.append("token does not contain required job_id claim");
            return false;
        }
        String str2 = stringClaim + ":" + stringClaim2 + ":" + longClaim + ":" + stringClaim;
        if (str2.equals(str)) {
            return true;
        }
        sb.append("invalid instance id: ").append(str2).append("/").append(str);
        return false;
    }

    boolean validateTenantDomainToken(JWTClaimsSet jWTClaimsSet, String str, String str2, StringBuilder sb) {
        String subject = jWTClaimsSet.getSubject();
        if (StringUtil.isEmpty(subject)) {
            sb.append("token does not contain required subject claim");
            return false;
        }
        String str3 = str + ":" + subject;
        if (this.authorizer.access("build-kite.build", str3, SimplePrincipal.create(str, str2, (String) null), (String) null)) {
            return true;
        }
        sb.append("authorization check failed for action ").append("build-kite.build").append(", resource: ").append(str3);
        return false;
    }
}
