package ca.nrc.cadc.auth;

import ca.nrc.cadc.auth.encoding.TokenEncoderDecoder;
import ca.nrc.cadc.auth.encoding.TokenEncoding;
import ca.nrc.cadc.util.Base64;
import ca.nrc.cadc.util.RsaSignatureGenerator;
import ca.nrc.cadc.util.RsaSignatureVerifier;
import ca.nrc.cadc.util.StringUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.UUID;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/auth/DelegationToken.class */
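/**
 * A signed, time-limited delegation token carrying a set of identity principals,
 * an optional scope URI and optional domain restrictions.
 *
 * <p>Wire format (see {@link #format(DelegationToken, TokenEncoding)}): a sequence of
 * {@code label=value} fields joined by {@code &}, always starting with
 * {@code expirytime=} and always ending with a single {@code &signature=} field whose
 * value is the base64 RSA signature over everything that precedes it. The whole text
 * is then encoded and prefixed with the encoding name and a colon
 * ({@code base64:...}).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Only the text before the first {@code &signature=} is signed. The parser
 *       therefore verifies the signature <em>before</em> interpreting any field and
 *       rejects tokens that carry anything after the signature value; previously
 *       trailing unsigned fields (e.g. an extra {@code userid=}) were parsed and
 *       accepted because the loop happily overwrote earlier values.</li>
 *   <li>The signed bytes are taken from the text using UTF-8 on both the issuing and
 *       the verifying side. Older issuers used the JVM default charset
 *       ({@code String.getBytes()}); on deployments whose default is not UTF-8 and
 *       whose principal names contain non-ASCII characters this is a behaviour
 *       change to confirm before rollout.</li>
 *   <li>A token without a {@code scope=} field skips scope validation entirely
 *       (unchanged behaviour); the default {@link ScopeValidator} rejects every scoped
 *       token unless a validator is configured or supplied by the caller.</li>
 * </ul>
 */
public class DelegationToken implements Serializable {
    private static final long serialVersionUID = 20180321000000L;

    private static final Logger log = Logger.getLogger(DelegationToken.class);

    /** Separator between {@code label=value} fields in the token text. */
    public static final String FIELD_DELIM = "&";
    /** Separator between a field label and its value. */
    public static final String VALUE_DELIM = "=";

    // Field labels. Kept non-final (as in the original) for source compatibility;
    // they are read at use time, never cached, so a change is applied consistently.
    public static String PROXY_LABEL = "proxyuser";
    public static String SCOPE_LABEL = "scope";
    public static String DOMAIN_LABEL = "domain";
    public static String USER_LABEL = "userid";
    public static String EXPIRY_LABEL = "expirytime";
    public static String SIGNATURE_LABEL = "signature";

    private static final TokenEncoderDecoder TOKEN_ENCODER_DECODER = new TokenEncoderDecoder();

    // Field names and types are part of the serialized form; do not rename.
    private Set<Principal> identityPrincipals;
    private Date expiryTime;
    private URI scope;
    private List<String> domains;

    /**
     * Pluggable check of a token's scope against the request it is presented for.
     * The default implementation rejects every scope (fail-closed); a concrete
     * validator is loaded from {@code DelegationToken.properties} by
     * {@link #getScopeValidator()} or passed explicitly to {@code parse}.
     */
    public static class ScopeValidator {
        /**
         * @param scope       the scope URI carried (and signed) in the token
         * @param requestUri  opaque context passed through from {@code parse}; presumably the
         *                    URI of the request being authorized — confirm with callers
         * @throws InvalidDelegationTokenException if the scope does not permit the request
         */
        public void verifyScope(URI scope, String requestUri) throws InvalidDelegationTokenException {
            throw new InvalidDelegationTokenException("default: invalid scope");
        }
    }

    /**
     * Creates a token for a single HTTP user identity.
     *
     * @param user       the user (and optional proxy user) the token represents; required
     * @param scope      optional scope URI; {@code null} means unscoped
     * @param expiryTime absolute expiry; required
     * @param domains    optional domain restrictions; {@code null} means none
     * @throws IllegalArgumentException if {@code user} or {@code expiryTime} is null
     */
    public DelegationToken(HttpPrincipal user, URI scope, Date expiryTime, List<String> domains) {
        if (user == null) {
            throw new IllegalArgumentException("User identity required");
        }
        if (expiryTime == null) {
            throw new IllegalArgumentException("No expiry time");
        }
        this.identityPrincipals = new HashSet<Principal>();
        this.identityPrincipals.add(user);
        this.expiryTime = new Date(expiryTime.getTime());
        this.scope = scope;
        setDomains(domains);
    }

    /**
     * Creates a token for a set of identity principals (http, x500, numeric, posix ...).
     *
     * @param principals non-empty set of identities; required
     * @param scope      optional scope URI; {@code null} means unscoped
     * @param expiryTime absolute expiry; required
     * @param domains    optional domain restrictions; {@code null} means none
     * @throws IllegalArgumentException if {@code principals} is null/empty or {@code expiryTime} is null
     */
    public DelegationToken(Set<Principal> principals, URI scope, Date expiryTime, List<String> domains) {
        if (principals == null || principals.isEmpty()) {
            throw new IllegalArgumentException("Identity principals required (ie http, x500, cadc internal)");
        }
        if (expiryTime == null) {
            throw new IllegalArgumentException("No expiry time");
        }
        this.identityPrincipals = new HashSet<Principal>(principals);
        this.expiryTime = new Date(expiryTime.getTime());
        this.scope = scope;
        setDomains(domains);
    }

    /**
     * Serializes and signs a token using {@link TokenEncoding#BASE64}.
     *
     * @see #format(DelegationToken, TokenEncoding)
     */
    public static String format(DelegationToken token) throws InvalidKeyException, IOException {
        return format(token, TokenEncoding.BASE64);
    }

    /**
     * Serializes and signs a token.
     *
     * @param token         the token to serialize; required
     * @param tokenEncoding the outer encoding applied to the signed text; required
     * @return {@code <encoding>:<encoded signed text>}
     * @throws InvalidKeyException      if the signing key cannot be used (from RsaSignatureGenerator)
     * @throws IOException              if signing fails
     * @throws IllegalArgumentException if an argument is null, a principal type is unknown,
     *                                  or a value would break the field syntax
     */
    public static String format(DelegationToken token, TokenEncoding tokenEncoding)
            throws InvalidKeyException, IOException {
        if (token == null) {
            throw new IllegalArgumentException("token required");
        }
        if (tokenEncoding == null) {
            throw new IllegalArgumentException("token encoding required");
        }
        String signedText = getContent(token).toString();
        log.debug("string to be signed: " + signedText);

        byte[] signature = new RsaSignatureGenerator()
                .sign(new ByteArrayInputStream(signedText.getBytes(StandardCharsets.UTF_8)));

        // The signature field is always the last field; the parser relies on that.
        String tokenText = signedText + signatureMarker() + new String(Base64.encode(signature));
        String encoded = new String(TOKEN_ENCODER_DECODER.encode(tokenText.getBytes(), tokenEncoding));
        return tokenEncoding.name().toLowerCase(Locale.ROOT) + ":" + encoded;
    }

    /** The literal that introduces the signature field: {@code &signature=}. */
    private static String signatureMarker() {
        return FIELD_DELIM + SIGNATURE_LABEL + VALUE_DELIM;
    }

    /**
     * Builds the text that gets signed: expiry first, then one field per identity
     * principal (ENTRY_DN principals are skipped), the proxy user, the scope and the
     * domains.
     *
     * @throws IllegalArgumentException if a principal class has no IdentityType mapping
     *                                  or a value contains the field delimiter
     */
    private static StringBuilder getContent(DelegationToken token) {
        StringBuilder sb = new StringBuilder();
        sb.append(EXPIRY_LABEL).append(VALUE_DELIM).append(token.getExpiryTime().getTime());

        for (Principal principal : token.identityPrincipals) {
            IdentityType identityType = IdentityType.principalIdentityMap.get(principal.getClass().getSimpleName());
            if (identityType == null) {
                // Previously a NullPointerException; name the actual problem instead.
                throw new IllegalArgumentException("unsupported principal type: " + principal.getClass().getName());
            }
            if (!IdentityType.ENTRY_DN.equals(identityType)) {
                appendField(sb, identityType.getValue(), principal.getName());
            }
        }

        // A token built from a principal set need not contain an HttpPrincipal.
        HttpPrincipal user = token.getUser();
        if (user != null && StringUtil.hasText(user.getProxyUser())) {
            appendField(sb, PROXY_LABEL, user.getProxyUser());
        }
        if (token.getScope() != null) {
            appendField(sb, SCOPE_LABEL, token.getScope().toString());
        }
        if (token.domains != null) {
            for (String domain : token.domains) {
                appendField(sb, DOMAIN_LABEL, domain);
            }
        }
        log.debug("getContent: " + sb);
        return sb;
    }

    /**
     * Appends {@code &label=value}. A value containing the field delimiter would be
     * split into bogus fields by the parser (and could never verify), so it is rejected
     * here at issue time. Values may contain {@code =} (X500 DNs do): the parser splits
     * on the first one only.
     */
    private static void appendField(StringBuilder sb, String label, String value) {
        if (value == null) {
            throw new IllegalArgumentException("null value for field " + label);
        }
        if (value.contains(FIELD_DELIM)) {
            throw new IllegalArgumentException("value for field " + label + " must not contain " + FIELD_DELIM);
        }
        sb.append(FIELD_DELIM).append(label).append(VALUE_DELIM).append(value);
    }

    /**
     * Parses and verifies a token using the configured {@link ScopeValidator}.
     *
     * @see #parse(String, String, ScopeValidator)
     */
    public static DelegationToken parse(String text, String requestUri) throws InvalidDelegationTokenException {
        return parse(text, requestUri, null);
    }

    /**
     * Parses and verifies a token. Accepts either the plain signed text (starts with
     * {@code expirytime=}) or the {@code <encoding>:<encoded>} form produced by
     * {@link #format}.
     *
     * <p>Verification order: signature over the signed text, then field syntax, then
     * expiry, then scope. Nothing that is not covered by the signature is ever
     * interpreted.
     *
     * @param text           the token as received; required
     * @param requestUri     passed unchanged to {@link ScopeValidator#verifyScope};
     *                       presumably the request URI — confirm with callers
     * @param scopeValidator validator to use for a scoped token; {@code null} selects the
     *                       one configured in {@code DelegationToken.properties} (or the
     *                       reject-all default)
     * @return the verified token
     * @throws InvalidDelegationTokenException if the token is malformed, unsigned, badly
     *                                         signed, expired or out of scope
     */
    public static DelegationToken parse(String text, String requestUri, ScopeValidator scopeValidator)
            throws InvalidDelegationTokenException {
        if (text == null) {
            throw new InvalidDelegationTokenException("missing token");
        }
        if (text.startsWith(EXPIRY_LABEL)) {
            return parseSigned(text, requestUri, scopeValidator);
        }
        URI encoded;
        try {
            encoded = new URI(text);
        } catch (URISyntaxException e) {
            // URI.create() used to surface this as an uncaught IllegalArgumentException.
            throw new InvalidDelegationTokenException("Wrong format for encoded token.", e);
        }
        return parseEncoded(encoded, requestUri, scopeValidator);
    }

    /**
     * Decodes the outer {@code <encoding>:<encoded>} layer and hands the signed text on.
     *
     * @throws InvalidDelegationTokenException if the scheme is missing or not a known TokenEncoding
     */
    private static DelegationToken parseEncoded(URI encoded, String requestUri, ScopeValidator scopeValidator)
            throws InvalidDelegationTokenException {
        String scheme = encoded.getScheme();
        if (!StringUtil.hasLength(scheme)) {
            throw new InvalidDelegationTokenException("Wrong format for encoded token.");
        }
        TokenEncoding encoding;
        try {
            encoding = TokenEncoding.valueOf(scheme.toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            throw new InvalidDelegationTokenException("unknown token encoding: " + scheme, e);
        }
        String tokenText = new String(TOKEN_ENCODER_DECODER.decode(encoded.getSchemeSpecificPart(), encoding));
        return parseSigned(tokenText, requestUri, scopeValidator);
    }

    /**
     * Core of {@code parse}: splits the token text into signed text and signature,
     * verifies the signature, then interprets the signed fields only.
     *
     * <p>The signed text is everything before the first {@code &signature=}; the
     * signature value must be the remainder of the token with no further fields.
     * Anything after it is not covered by the signature, so the token is rejected rather
     * than letting unsigned fields override signed ones.
     */
    private static DelegationToken parseSigned(String tokenText, String requestUri, ScopeValidator scopeValidator)
            throws InvalidDelegationTokenException {
        String marker = signatureMarker();
        int sigAt = tokenText.indexOf(marker);
        if (sigAt < 0) {
            throw new InvalidDelegationTokenException("missing signature");
        }
        String signedText = tokenText.substring(0, sigAt);
        String signature = tokenText.substring(sigAt + marker.length());
        if (signature.isEmpty() || signature.contains(FIELD_DELIM)) {
            throw new InvalidDelegationTokenException("malformed signature field: signature must be the last field");
        }

        // Authenticate first; nothing below runs on unsigned input (including the
        // pluggable scope validator).
        validateSignature(signature, signedText);

        String userId = null;
        String proxyUser = null;
        Date expiry = null;
        URI scope = null;
        Set<Principal> principals = new HashSet<Principal>();
        List<String> domains = new ArrayList<String>();
        try {
            for (String field : signedText.split(FIELD_DELIM)) {
                int eq = field.indexOf(VALUE_DELIM);
                if (eq < 0) {
                    // Used to throw StringIndexOutOfBoundsException out of parse().
                    throw new InvalidDelegationTokenException("malformed field: " + field);
                }
                String label = field.substring(0, eq);
                String value = field.substring(eq + 1);
                log.debug("key = value: " + label + VALUE_DELIM + value);

                if (label.equalsIgnoreCase(IdentityType.USERID.getValue())) {
                    userId = value;
                } else if (label.equalsIgnoreCase(PROXY_LABEL)) {
                    proxyUser = value;
                } else if (label.equalsIgnoreCase(IdentityType.X500.getValue())) {
                    principals.add(new X500Principal(value));
                } else if (label.equalsIgnoreCase(IdentityType.NUMERICID.getValue())
                        || label.equalsIgnoreCase(IdentityType.CADC.getValue())) {
                    principals.add(new NumericPrincipal(UUID.fromString(value)));
                } else if (label.equalsIgnoreCase(IdentityType.POSIX.getValue())) {
                    principals.add(new PosixPrincipal(Integer.parseInt(value)));
                } else if (label.equalsIgnoreCase(EXPIRY_LABEL)) {
                    expiry = new Date(Long.parseLong(value));
                } else if (label.equalsIgnoreCase(SCOPE_LABEL)) {
                    scope = new URI(value);
                } else if (label.equalsIgnoreCase(DOMAIN_LABEL)) {
                    domains.add(value);
                } else if (label.equalsIgnoreCase(SIGNATURE_LABEL)) {
                    // The real signature was cut off above; a second one inside the
                    // signed text is not something format() produces.
                    throw new InvalidDelegationTokenException("unexpected signature field");
                }
                // Unknown labels are ignored: they are covered by the signature, so
                // tolerating them costs nothing and allows forward-compatible fields.
            }
        } catch (NumberFormatException e) {
            throw new InvalidDelegationTokenException("invalid numeric field", e);
        } catch (IllegalArgumentException e) {
            // Bad UUID or X500 DN; previously escaped parse() unwrapped.
            throw new InvalidDelegationTokenException("invalid field value", e);
        } catch (URISyntaxException e) {
            throw new InvalidDelegationTokenException("invalid scope URI", e);
        }

        // A proxy user without a user id is dropped, as before.
        if (userId != null) {
            principals.add(proxyUser != null ? new HttpPrincipal(userId, proxyUser) : new HttpPrincipal(userId));
        }
        if (principals.isEmpty()) {
            throw new InvalidDelegationTokenException("missing identity");
        }
        if (expiry == null) {
            throw new InvalidDelegationTokenException("missing expirytime");
        }
        if (System.currentTimeMillis() > expiry.getTime()) {
            throw new InvalidDelegationTokenException("expired");
        }
        if (scope != null) {
            ScopeValidator validator = (scopeValidator != null) ? scopeValidator : getScopeValidator();
            validator.verifyScope(scope, requestUri);
        }
        return new DelegationToken(principals, scope, expiry, domains);
    }

    /**
     * Verifies the base64 RSA signature against the signed text.
     *
     * @throws InvalidDelegationTokenException if the signature does not decode, cannot be
     *                                         checked, or does not match
     */
    private static void validateSignature(String signatureBase64, String signedText)
            throws InvalidDelegationTokenException {
        boolean valid;
        try {
            byte[] signature = Base64.decode(signatureBase64);
            InputStream signed = new ByteArrayInputStream(signedText.getBytes(StandardCharsets.UTF_8));
            // Broad catch kept: the verifier's constructor/verify may throw checked
            // exceptions we cannot see from here, and any failure must read as "invalid".
            valid = new RsaSignatureVerifier().verify(signed, signature);
        } catch (Exception e) {
            log.debug("failed to verify DelegationToken signature", e);
            throw new InvalidDelegationTokenException("cannot verify signature", e);
        }
        if (!valid) {
            // Log the text, not the raw signature bytes (which are binary and useless in a log).
            log.warn("invalid signature on delegation token: " + signedText);
            throw new InvalidDelegationTokenException("cannot verify signature");
        }
    }

    /**
     * Loads the ScopeValidator named by {@code ca.nrc.cadc.auth.DelegationToken.scopeValidator}
     * in {@code DelegationToken.properties} on the classpath. Any failure falls back to
     * the default (reject-all) validator, so a misconfiguration fails closed.
     */
    private static ScopeValidator getScopeValidator() {
        String resource = DelegationToken.class.getSimpleName() + ".properties";
        String key = DelegationToken.class.getName() + ".scopeValidator";

        InputStream in = DelegationToken.class.getClassLoader().getResourceAsStream(resource);
        if (in == null) {
            log.debug(resource + " not found; using default ScopeValidator");
            return new ScopeValidator();
        }
        try {
            Properties properties = new Properties();
            try {
                properties.load(in);
            } finally {
                in.close();  // was leaked before
            }
            String className = properties.getProperty(key);
            log.debug(resource + ": " + key + " = " + className);
            if (!StringUtil.hasText(className)) {
                return new ScopeValidator();
            }
            ScopeValidator validator =
                    (ScopeValidator) Class.forName(className.trim()).getDeclaredConstructor().newInstance();
            log.debug("created: " + validator.getClass().getName());
            return validator;
        } catch (Exception e) {
            // A configured validator that fails to load is worth more than a debug line:
            // every scoped token will now be rejected.
            log.warn("failed to load custom ScopeValidator from " + resource + "; using default (rejects all scopes)", e);
            return new ScopeValidator();
        }
    }

    /** @return the HttpPrincipal in this token, or {@code null} if there is none */
    public HttpPrincipal getUser() {
        return (HttpPrincipal) getPrincipalByClass(HttpPrincipal.class);
    }

    /**
     * @param cls exact runtime class to look for (subclasses do not match)
     * @return the first principal of exactly that class, or {@code null}
     */
    @SuppressWarnings("unchecked")
    public <T extends Principal> T getPrincipalByClass(Class<?> cls) {
        for (Principal principal : this.identityPrincipals) {
            if (principal.getClass() == cls) {
                return (T) principal;
            }
        }
        return null;
    }

    /** @return a copy of the expiry time */
    public Date getExpiryTime() {
        return new Date(this.expiryTime.getTime());
    }

    /** @return the scope URI, or {@code null} for an unscoped token */
    public URI getScope() {
        return this.scope;
    }

    /** @return read-only view of the domains, or {@code null} if none were given */
    public List<String> getDomains() {
        return this.domains == null ? null : Collections.unmodifiableList(this.domains);
    }

    /**
     * Human-readable summary for logs. Not a parseable form; use {@link #format}.
     * Null-safe for tokens without an HttpPrincipal or without domains (both used to
     * throw NullPointerException), and the expiry is labelled as such instead of
     * "startTime".
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("DelegationToken(");
        HttpPrincipal user = getUser();
        sb.append(USER_LABEL).append(VALUE_DELIM).append(user);
        if (user != null && StringUtil.hasText(user.getProxyUser())) {
            sb.append(",").append(PROXY_LABEL).append(VALUE_DELIM).append(user.getProxyUser());
        }
        sb.append(",").append(SCOPE_LABEL).append(VALUE_DELIM).append(this.scope);
        sb.append(",").append(EXPIRY_LABEL).append(VALUE_DELIM).append(this.expiryTime);
        if (this.domains != null) {
            for (String domain : this.domains) {
                sb.append(",").append(DOMAIN_LABEL).append(VALUE_DELIM).append(domain);
            }
        }
        sb.append(")");
        return sb.toString();
    }

    /** Copies the given domains; leaves {@code domains} null when none are given. */
    private void setDomains(List<String> list) {
        if (list != null) {
            this.domains = new ArrayList<String>(list);
        }
    }

    /** @return read-only view of the identity principals (never null) */
    public Set<Principal> getIdentityPrincipals() {
        return Collections.unmodifiableSet(this.identityPrincipals);
    }
}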
