package org.apache.knox.gateway.websockets;

import java.net.HttpCookie;
import java.text.ParseException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.JWTMessages;
import org.apache.knox.gateway.provider.federation.jwt.filter.SignatureVerificationCache;
import org.apache.knox.gateway.services.GatewayServices;
import org.apache.knox.gateway.services.ServiceType;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenStateService;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.services.topology.TopologyService;
import org.apache.knox.gateway.topology.Service;
import org.apache.knox.gateway.topology.Topology;
import org.apache.knox.gateway.util.CertificateUtils;
import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;

/* loaded from: input_file:org/apache/knox/gateway/websockets/JWTValidatorFactory.class */
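/**
 * Builds a {@link JWTValidator} for a websocket upgrade request from the
 * parameters of the KNOXSSO service declared in the {@code knoxsso} topology.
 *
 * <p>When no such topology or service is found the parameter map is empty, so
 * the default cookie name is used and no verification key, expected issuer or
 * expected signature algorithm is set on the validator by this class. What the
 * validator enforces in that case is decided inside {@link JWTValidator} and is
 * not visible from here.
 */
public class JWTValidatorFactory {
    private static final String KNOXSSO_COOKIE_NAME = "knoxsso.cookie.name";
    private static final String DEFAULT_SSO_COOKIE_NAME = "hadoop-jwt";
    private static final String JWT_EXPECTED_ISSUER = "jwt.expected.issuer";
    private static final String JWT_EXPECTED_SIGALG = "jwt.expected.sigalg";
    public static final String SSO_VERIFICATION_PEM = "sso.token.verification.pem";
    private static final String SERVER_MANAGED_TOKEN_STATE = "knox.token.exp.server-managed";
    private static final String KNOXSSO_TOPOLOGY_NAME = "knoxsso";
    private static final String KNOXSSO_SERVICE_ROLE = "KNOXSSO";
    private static final JWTMessages jwtMessagesLog = (JWTMessages) MessagesFactory.get(JWTMessages.class);

    /**
     * Creates a validator for the SSO token carried in the request's cookies.
     *
     * @param servletUpgradeRequest websocket upgrade request whose cookies are searched for the token
     * @param gatewayServices source of the topology, token and token-state services
     * @param gatewayConfig gateway-level configuration, consulted for the server-managed
     *     token state default; may be {@code null}
     * @return a validator configured from the KNOXSSO service parameters
     * @throws RuntimeException if no parseable token cookie is present, or if the configured
     *     verification PEM cannot be parsed (the parsing failure is attached as the cause)
     */
    public static JWTValidator create(ServletUpgradeRequest servletUpgradeRequest, GatewayServices gatewayServices, GatewayConfig gatewayConfig) {
        final Map<String, String> params = getParams(gatewayServices);
        final String cookieName = params.containsKey(KNOXSSO_COOKIE_NAME)
                ? params.get(KNOXSSO_COOKIE_NAME)
                : DEFAULT_SSO_COOKIE_NAME;

        // The token is extracted first so that a request without one is rejected
        // before any service lookup happens.
        final JWT token = extractToken(servletUpgradeRequest, cookieName);
        final JWTokenAuthority authority = (JWTokenAuthority) gatewayServices.getService(ServiceType.TOKEN_SERVICE);
        final SignatureVerificationCache cache =
                SignatureVerificationCache.getInstance(KNOXSSO_TOPOLOGY_NAME, new WebSocketFilterConfig(params));
        final JWTValidator validator = new JWTValidator(token, authority, cache);

        if (params.containsKey(SSO_VERIFICATION_PEM)) {
            try {
                validator.setPublicKey(CertificateUtils.parseRSAPublicKey(params.get(SSO_VERIFICATION_PEM)));
            } catch (ServletException e) {
                // Keep the original exception as the cause so the stack trace of the
                // PEM parsing failure is not lost; the message text is unchanged.
                throw new RuntimeException("Failed to obtain public key: " + e, e);
            }
        }
        // NOTE(review): issuer and signature algorithm are pinned only when configured.
        // Confirm in JWTValidator which defaults apply when these parameters are absent.
        if (params.containsKey(JWT_EXPECTED_ISSUER)) {
            validator.setExpectedIssuer(params.get(JWT_EXPECTED_ISSUER));
        }
        if (params.containsKey(JWT_EXPECTED_SIGALG)) {
            validator.setExpectedSigAlg(params.get(JWT_EXPECTED_SIGALG));
        }
        if (isServerManagedTokenStateEnabled(gatewayConfig, params.get(SERVER_MANAGED_TOKEN_STATE))) {
            validator.setTokenStateService((TokenStateService) gatewayServices.getService(ServiceType.TOKEN_STATE_SERVICE));
        }
        return validator;
    }

    /**
     * Returns the parameters of the first KNOXSSO-role service in the {@code knoxsso}
     * topology, or an empty map when there is none.
     *
     * <p>The service's own parameter map is returned as-is, not copied.
     */
    private static Map<String, String> getParams(GatewayServices gatewayServices) {
        final TopologyService topologyService = (TopologyService) gatewayServices.getService(ServiceType.TOPOLOGY_SERVICE);
        for (Topology topology : topologyService.getTopologies()) {
            // Constant-first comparison: a topology or service without a name/role is
            // skipped instead of aborting the lookup with a NullPointerException.
            if (!KNOXSSO_TOPOLOGY_NAME.equals(topology.getName())) {
                continue;
            }
            for (Service service : topology.getServices()) {
                if (KNOXSSO_SERVICE_ROLE.equals(service.getRole())) {
                    return service.getParams();
                }
            }
        }
        return new LinkedHashMap<>();
    }

    /**
     * Returns the first cookie named {@code str} whose value parses as a JWT.
     *
     * <p>Parsing only establishes that the value is a well-formed token; it is not
     * verified here.
     *
     * @throws RuntimeException if no cookie with that name holds a parseable token
     */
    private static JWT extractToken(ServletUpgradeRequest servletUpgradeRequest, String str) {
        final List<HttpCookie> cookies = servletUpgradeRequest.getCookies();
        if (cookies != null) {
            for (HttpCookie cookie : cookies) {
                if (!str.equals(cookie.getName())) {
                    continue;
                }
                try {
                    return new JWTToken(cookie.getValue());
                } catch (ParseException ignored) {
                    // Deliberately ignored: a malformed value is treated like an absent
                    // token and any further cookie with the same name is still tried.
                    // NOTE(review): the failure below is then logged as a missing token,
                    // so malformed tokens are indistinguishable from absent ones in the log.
                }
            }
        }
        jwtMessagesLog.missingBearerToken();
        throw new RuntimeException("No Valid JWT found");
    }

    /**
     * Decides whether server-managed token state applies.
     *
     * <p>A non-empty topology-level value {@code str} takes precedence and is read with
     * {@link Boolean#parseBoolean(String)}, so any value other than "true"
     * (case-insensitive), including a misspelling, turns the feature off even when the
     * gateway-level setting is on. Otherwise the gateway-level setting is used, and a
     * {@code null} config counts as disabled.
     */
    private static boolean isServerManagedTokenStateEnabled(GatewayConfig gatewayConfig, String str) {
        if (str != null && !str.isEmpty()) {
            return Boolean.parseBoolean(str);
        }
        return gatewayConfig != null && gatewayConfig.isServerManagedTokenStateEnabled();
    }
}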
