package com.yahoo.athenz.instance.provider.impl;

import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.auth.token.IdToken;
import com.yahoo.athenz.auth.token.jwts.JwtsHelper;
import com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver;
import com.yahoo.athenz.instance.provider.AttrValidator;
import com.yahoo.athenz.instance.provider.AttrValidatorFactory;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import com.yahoo.athenz.instance.provider.ProviderResourceException;
import com.yahoo.rdl.JSON;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceCodeSigningProvider.class */
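/**
 * Instance provider that issues code-signing X.509 certificates on the strength of an OIDC
 * id_token carried in the request's attestation data.
 *
 * <p>A request is confirmed only when the id_token verifies against the configured issuer's
 * JWKS, its audience equals the configured expected audience, its subject equals the requested
 * {@code domain.service} identity, and the optional attribute validator (if configured) accepts
 * the request. On success the confirmation is annotated with a fixed certificate validity, the
 * code-signing usage marker and {@code ZTS_CERT_REFRESH=false}; refresh requests are always
 * rejected.
 *
 * <p>Every rejection is surfaced as a {@link ProviderResourceException} with status
 * {@code FORBIDDEN}; unexpected failures while parsing or verifying the token are mapped to the
 * same status so that the provider fails closed.
 */
public class InstanceCodeSigningProvider implements InstanceProvider {

    private static final Logger LOGGER = LoggerFactory.getLogger(InstanceCodeSigningProvider.class);

    // System properties read by initialize(), extractIssuerJwksUri() and newAttrValidator().
    static final String CODE_SIGNING_PROP_CERT_VALIDITY = "athenz.zts.code_signing_cert_validity";
    static final String ZTS_PROP_CODE_SIGNING_ATTR_VALIDATOR_FACTORY_CLASS = "athenz.zts.code_signing_attr_validator_factory_class";
    static final String ZTS_PROP_CODE_SIGNING_OIDC_PROVIDER_OPENID_CONFIG_URI = "athenz.zts.code_signing_oidc_provider_openid_config_uri";
    static final String ZTS_PROP_CODE_SIGNING_OIDC_PROVIDER_JWKS_URI = "athenz.zts.code_signing_oidc_provider_openid_jwks_uri";
    static final String ZTS_PROP_ZTS_OPENID_ISSUER = "athenz.zts.openid_issuer";
    static final String ZTS_PROP_CODE_SIGNING_ATTESTATION_EXPECTED_AUDIENCE = "athenz.zts.code_signing_attestation_expected_audience";

    // Defaults used when the corresponding property is absent.
    static final String DEFAULT_CERT_VALIDITY = "15";
    static final String OPENID_CONFIG_PATH = "/.well-known/openid-configuration";

    // Certificate validity handed to ZTS as ZTS_CERT_EXPIRY_TIME. The unit is not defined in
    // this class (presumably minutes) — confirm against the consumer of that attribute.
    int certValidityTime;
    // Optional, reflectively constructed validator for request attributes; null when not configured.
    AttrValidator attrValidator;
    // Resolves the signing keys used to verify the attestation id_token.
    JwtsSigningKeyResolver signingKeyResolver;
    // Audience the attestation id_token must carry; "" when the property is not set.
    String codeSigningAttestationExpectedAudience;

    @Override
    public InstanceProvider.Scheme getProviderScheme() {
        return InstanceProvider.Scheme.CLASS;
    }

    /**
     * Reads the provider configuration from system properties.
     *
     * @param str        not used by this provider
     * @param str2       not used by this provider
     * @param sslContext SSL context used for fetching the OIDC discovery document / JWKS and
     *                   passed to the attribute validator factory
     * @param keyStore   not used by this provider
     * @throws NumberFormatException    if the configured certificate validity is not an integer
     * @throws IllegalArgumentException if the configured attribute validator factory class cannot
     *                                  be instantiated
     */
    @Override
    public void initialize(String str, String str2, SSLContext sslContext, KeyStore keyStore) {
        // Fail fast on a malformed validity value rather than issue certificates with an
        // unintended lifetime.
        this.certValidityTime = Integer.parseInt(System.getProperty(CODE_SIGNING_PROP_CERT_VALIDITY, DEFAULT_CERT_VALIDITY));
        this.attrValidator = newAttrValidator(sslContext);
        this.signingKeyResolver = new JwtsSigningKeyResolver(extractIssuerJwksUri(sslContext), sslContext, true);
        this.codeSigningAttestationExpectedAudience = System.getProperty(ZTS_PROP_CODE_SIGNING_ATTESTATION_EXPECTED_AUDIENCE, "");
        if (this.codeSigningAttestationExpectedAudience.isEmpty()) {
            // With an empty expected audience the audience check in confirmInstance() only
            // accepts tokens whose audience is itself empty; make that visible to operators.
            LOGGER.warn("{} is not configured - attestation id_tokens will only be accepted with an empty audience",
                    ZTS_PROP_CODE_SIGNING_ATTESTATION_EXPECTED_AUDIENCE);
        }
    }

    /**
     * Determines the JWKS URI used to verify attestation id_tokens.
     *
     * <p>An explicitly configured JWKS URI takes precedence; otherwise the URI is discovered from
     * the provider's openid-configuration document, whose default location is derived from the
     * ZTS openid issuer.
     *
     * @param sslContext SSL context used when fetching the discovery document
     * @return the JWKS URI, or the (empty/null) result of discovery when none could be found
     */
    String extractIssuerJwksUri(SSLContext sslContext) {
        String configuredJwksUri = System.getProperty(ZTS_PROP_CODE_SIGNING_OIDC_PROVIDER_JWKS_URI);
        if (!StringUtil.isEmpty(configuredJwksUri)) {
            return configuredJwksUri;
        }
        // NOTE: if the issuer property is also unset this default starts with the literal
        // "null"; discovery is then expected to fail and the error below is logged.
        String defaultConfigUri = System.getProperty(ZTS_PROP_ZTS_OPENID_ISSUER) + OPENID_CONFIG_PATH;
        String openIdConfigUri = System.getProperty(ZTS_PROP_CODE_SIGNING_OIDC_PROVIDER_OPENID_CONFIG_URI, defaultConfigUri);
        String discoveredJwksUri = new JwtsHelper().extractJwksUri(openIdConfigUri, sslContext);
        if (StringUtil.isEmpty(discoveredJwksUri)) {
            LOGGER.error("configured oidc provider for code signing does not have valid jwks uri - no code signing certificates will be issued");
        }
        return discoveredJwksUri;
    }

    /**
     * Instantiates the configured {@link AttrValidatorFactory} (public no-arg constructor) and
     * asks it for a validator.
     *
     * @param sslContext SSL context handed to the factory
     * @return the validator, or {@code null} when no factory class is configured
     * @throws IllegalArgumentException if the class cannot be loaded, instantiated or cast
     */
    static AttrValidator newAttrValidator(SSLContext sslContext) {
        String factoryClassName = System.getProperty(ZTS_PROP_CODE_SIGNING_ATTR_VALIDATOR_FACTORY_CLASS);
        if (factoryClassName == null) {
            return null;
        }
        try {
            AttrValidatorFactory factory = (AttrValidatorFactory) Class.forName(factoryClassName)
                    .getConstructor().newInstance();
            return factory.create(sslContext);
        } catch (Exception e) {
            LOGGER.error("Invalid AttributeValidatorFactory class: {}", factoryClassName, e);
            // keep the cause so the startup failure can be diagnosed from the exception alone
            throw new IllegalArgumentException("Invalid AttributeValidatorFactory class", e);
        }
    }

    /**
     * Builds a {@code FORBIDDEN} provider error with the given message.
     *
     * @param message reason, logged and returned to the caller
     * @return the exception to throw
     */
    public ProviderResourceException error(String message) {
        return error(ProviderResourceException.FORBIDDEN, message);
    }

    /**
     * Builds a provider error with the given status code and message; the message is logged at
     * error level before being returned to the caller.
     *
     * @param code    status code for the exception
     * @param message reason, logged and returned to the caller
     * @return the exception to throw
     */
    public ProviderResourceException error(int code, String message) {
        LOGGER.error(message);
        return new ProviderResourceException(code, message);
    }

    /**
     * Verifies the attestation id_token in the request and annotates the confirmation with the
     * code-signing certificate attributes.
     *
     * @param confirmation the request to confirm; its attributes are replaced on success
     * @return the same confirmation, with {@code ZTS_CERT_EXPIRY_TIME}, {@code ZTS_CERT_USAGE}
     *         and {@code ZTS_CERT_REFRESH} set
     * @throws ProviderResourceException ({@code FORBIDDEN}) when the token cannot be parsed or
     *         verified, its audience or subject does not match, or the attribute validator rejects
     *         the request
     */
    @Override
    public InstanceConfirmation confirmInstance(InstanceConfirmation confirmation) throws ProviderResourceException {
        try {
            IdTokenAttestationData attestationData = JSON.fromString(confirmation.getAttestationData(),
                    IdTokenAttestationData.class);
            if (attestationData == null || attestationData.getIdentityToken() == null) {
                throw error("invalid attestation data for code signing certificate request");
            }
            // Signature/claims verification happens here, against the issuer's JWKS.
            IdToken idToken = new IdToken(attestationData.getIdentityToken(), this.signingKeyResolver);

            // The token must have been minted for this provider (audience) ...
            if (!this.codeSigningAttestationExpectedAudience.equals(idToken.getAudience())) {
                throw error("attestation id_token does not contain expected audience. provided audience=" + idToken.getAudience());
            }
            // ... and for exactly the identity whose certificate is being requested (subject).
            String requestedIdentity = confirmation.getDomain() + "." + confirmation.getService();
            if (!requestedIdentity.equals(idToken.getSubject())) {
                throw error("subject mismatch between attestation id_token=" + idToken.getSubject() + " and requested certificate=" + requestedIdentity);
            }
            if (this.attrValidator != null && !this.attrValidator.confirm(confirmation)) {
                throw error("Unable to validate request instance attributes using attributeValidator=" + this.attrValidator);
            }

            Map<String, String> attributes = new HashMap<>();
            attributes.put(InstanceProvider.ZTS_CERT_EXPIRY_TIME, Integer.toString(this.certValidityTime));
            attributes.put(InstanceProvider.ZTS_CERT_USAGE, InstanceProvider.ZTS_CERT_USAGE_CODE_SIGNING);
            // code-signing certificates are never refreshed; see refreshInstance()
            attributes.put(InstanceProvider.ZTS_CERT_REFRESH, "false");
            confirmation.setAttributes(attributes);
            return confirmation;
        } catch (ProviderResourceException e) {
            // Policy rejections above already carry (and logged) a specific reason; do not
            // replace them with the generic message below.
            throw e;
        } catch (Exception e) {
            // Fail closed on any parse/verification failure. Only the failure class goes to the
            // error log: the attestation payload is a bearer id_token and the raw exception may
            // echo parts of the input, so the full detail is kept at debug level.
            LOGGER.error("unable to parse or verify code signing attestation data: {}", e.getClass().getName());
            LOGGER.debug("code signing attestation data validation failure", e);
            throw error("invalid attestation data for code signing certificate request");
        }
    }

    /**
     * Code-signing certificates are single-use with respect to refresh; every refresh request is
     * rejected with {@code FORBIDDEN}.
     *
     * @param confirmation the refresh request (ignored)
     * @return never returns normally
     * @throws ProviderResourceException always
     */
    @Override
    public InstanceConfirmation refreshInstance(InstanceConfirmation confirmation) throws ProviderResourceException {
        throw error("Code signing X.509 Certificates cannot be refreshed");
    }
}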
