package io.strimzi.kafka.oauth.validator;

import com.fasterxml.jackson.databind.JsonNode;
import io.strimzi.kafka.oauth.common.HttpUtil;
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.common.TimeUtil;
import io.strimzi.kafka.oauth.common.TokenInfo;
import io.strimzi.kafka.oauth.validator.TokenValidationException;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import org.apache.kafka.common.utils.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/validator/OAuthIntrospectionValidator.class */
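/**
 * Validates opaque access tokens by calling an OAuth 2.0 Token Introspection
 * endpoint (RFC 7662) and checking the returned metadata.
 * <p>
 * The validator posts {@code token=<token>} as a form-encoded body, authenticating
 * with HTTP Basic credentials when a client secret is configured, and then checks
 * {@code active}, {@code exp}, {@code iat} and, depending on configuration,
 * {@code iss}, {@code sub}, {@code token_type} and {@code aud}.
 * <p>
 * All fields are {@code final} and no state is mutated after construction, so an
 * instance can be shared between threads.
 */
public class OAuthIntrospectionValidator implements TokenValidator {
    private static final Logger log = LoggerFactory.getLogger(OAuthIntrospectionValidator.class);
    private final URI introspectionURI;
    private final String validIssuerURI;
    private final String clientId;
    private final String clientSecret;
    private final boolean defaultChecks;
    private final String audience;
    private final SSLSocketFactory socketFactory;
    private final HostnameVerifier hostnameVerifier;

    /**
     * Creates a validator for the given introspection endpoint.
     * <p>
     * TLS is only enforced indirectly: a socket factory or hostname verifier is
     * rejected unless the endpoint scheme is {@code https}, but a plain
     * {@code http} endpoint with neither is accepted. In that configuration the
     * token and the Basic client credentials travel unencrypted.
     *
     * @param introspectionEndpointUri URI of the introspection endpoint; must not be {@code null}
     * @param socketFactory optional SSL socket factory for the connection; requires an {@code https} endpoint
     * @param hostnameVerifier optional certificate hostname verifier; requires an {@code https} endpoint
     * @param validIssuerUri issuer value the {@code iss} claim must equal when default checks are on;
     *                       must be a syntactically valid URI and not {@code null}
     * @param clientId client id sent in the Basic Authorization header when {@code clientSecret} is set
     * @param clientSecret client secret; when {@code null} the request is sent unauthenticated
     * @param defaultChecks whether to verify {@code iss}, {@code sub} and {@code token_type}
     * @param audience expected {@code aud} value, or {@code null} to skip the audience check
     * @throws IllegalArgumentException if a URI is null or malformed, or TLS settings do not match the scheme
     */
    public OAuthIntrospectionValidator(String introspectionEndpointUri, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier,
                                       String validIssuerUri, String clientId, String clientSecret, boolean defaultChecks, String audience) {
        if (introspectionEndpointUri == null) {
            throw new IllegalArgumentException("introspectionEndpointUri == null");
        }
        this.introspectionURI = parseUri(introspectionEndpointUri, "Invalid introspection endpoint uri: ");

        boolean https = "https".equals(this.introspectionURI.getScheme());
        if (socketFactory != null && !https) {
            throw new IllegalArgumentException("SSL socket factory set but introspectionEndpointUri not 'https'");
        }
        if (hostnameVerifier != null && !https) {
            throw new IllegalArgumentException("Certificate hostname verifier set but introspectionEndpointUri not 'https'");
        }
        if (validIssuerUri == null) {
            throw new IllegalArgumentException("validIssuerUri == null");
        }
        // Syntax check only: the issuer is compared as a plain string against the "iss" claim.
        parseUri(validIssuerUri, "Invalid issuer uri: ");

        this.socketFactory = socketFactory;
        this.hostnameVerifier = hostnameVerifier;
        this.validIssuerURI = validIssuerUri;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        this.defaultChecks = defaultChecks;
        this.audience = audience;
    }

    /**
     * Parses {@code value} as a URI, translating a syntax error into an
     * {@link IllegalArgumentException} with the given message prefix.
     *
     * @param value URI text to parse
     * @param errorPrefix message prefix for the exception; the offending value is appended
     * @return the parsed URI
     * @throws IllegalArgumentException if the value is not a valid URI
     */
    private static URI parseUri(String value, String errorPrefix) {
        try {
            return new URI(value);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(errorPrefix + value, e);
        }
    }

    /**
     * Introspects {@code token} and verifies the response.
     *
     * @param token the access token presented by the client; must not be {@code null} or empty
     * @return token metadata (scope, subject, issued-at and expiry in milliseconds)
     * @throws TokenValidationException with status {@code INVALID_TOKEN} for a missing token,
     *         issuer, subject or audience mismatch, or {@code UNSUPPORTED_TOKEN_TYPE} for a
     *         {@code token_type} other than {@code access_token}
     * @throws TokenExpiredException if the endpoint reports the token inactive or {@code exp} has passed
     * @throws IllegalStateException if the response lacks {@code exp} or {@code iat}
     * @throws RuntimeException if the request fails or the response has no boolean {@code active}
     */
    @Override
    public TokenInfo validate(String token) {
        if (token == null || token.isEmpty()) {
            throw new TokenValidationException("Token check failed - token is null or empty").status(TokenValidationException.Status.INVALID_TOKEN);
        }
        JsonNode response = introspect(token);

        // "active" is the only member RFC 7662 requires. Validate it explicitly instead of
        // relying on a catch-all: the deliberate validation exceptions below must reach the
        // caller with their own type and status, not wrapped in a generic RuntimeException.
        JsonNode active = response.get("active");
        if (active == null || !active.isBoolean()) {
            throw new RuntimeException("Failed to introspect token - invalid response: \"active\" attribute is missing or not a boolean (" + active + ")");
        }
        if (!active.asBoolean()) {
            // RFC 7662 does not say why a token is inactive (expired, revoked, unknown);
            // the existing contract reports every inactive token as expired.
            throw new TokenExpiredException("Token has expired");
        }

        // exp / iat are seconds since the epoch; TokenInfo wants milliseconds.
        long expiresAtMs = 1000 * requiredMember(response, "exp", "expires information").asLong();
        if (Time.SYSTEM.milliseconds() > expiresAtMs) {
            throw new TokenExpiredException("The token expired at: " + expiresAtMs + " (" + TimeUtil.formatIsoDateTimeUTC(expiresAtMs) + ")");
        }
        long issuedAtMs = 1000 * requiredMember(response, "iat", "issued time information").asLong();

        String subject = textOrNull(response.get("sub"));
        if (defaultChecks) {
            JsonNode issuer = response.get("iss");
            if (issuer == null || !validIssuerURI.equals(issuer.asText())) {
                throw new TokenValidationException("Token check failed - invalid issuer: " + issuer).status(TokenValidationException.Status.INVALID_TOKEN);
            }
            if (subject == null) {
                throw new TokenValidationException("Token check failed - invalid subject: null").status(TokenValidationException.Status.INVALID_TOKEN);
            }
            // token_type is optional in the response; only reject an explicit non-access-token value.
            JsonNode tokenType = response.get("token_type");
            if (tokenType != null && !"access_token".equals(tokenType.asText())) {
                throw new TokenValidationException("Token check failed - invalid token type: " + tokenType).status(TokenValidationException.Status.UNSUPPORTED_TOKEN_TYPE);
            }
        }
        if (audience != null) {
            JsonNode aud = response.get("aud");
            if (!containsAudience(aud, audience)) {
                throw new TokenValidationException("Token check failed - invalid audience: " + aud).status(TokenValidationException.Status.INVALID_TOKEN);
            }
        }

        return new TokenInfo(token, textOrNull(response.get("scope")), subject, issuedAtMs, expiresAtMs);
    }

    /**
     * Sends the introspection request and parses the JSON response.
     *
     * @param token the token to introspect; form-encoded into the request body
     * @return the parsed response document, never {@code null}
     * @throws RuntimeException if the HTTP exchange or parsing fails, or the endpoint returned no document
     */
    private JsonNode introspect(String token) {
        // Client authentication per RFC 7662 §2.1: HTTP Basic with id:secret. A null clientId
        // would be sent literally as "null:<secret>"; the constructor does not reject it.
        String authorization = clientSecret != null
                ? "Basic " + OAuthAuthenticator.base64encode(clientId + ':' + clientSecret)
                : null;
        // The token is client-supplied: form-encode it so a value containing '&' or '='
        // cannot add or overwrite parameters in the application/x-www-form-urlencoded body.
        // Base64url/JWT characters ([A-Za-z0-9._-]) are left unchanged by the encoder.
        String body = "token=" + formEncode(token);
        JsonNode response;
        try {
            response = (JsonNode) HttpUtil.post(introspectionURI, socketFactory, hostnameVerifier, authorization,
                    "application/x-www-form-urlencoded", body, JsonNode.class);
        } catch (IOException e) {
            throw new RuntimeException("Failed to introspect token - send, fetch or parse failed: ", e);
        }
        if (response == null) {
            throw new RuntimeException("Failed to introspect token - invalid response: no JSON document returned");
        }
        return response;
    }

    /**
     * Returns the named member of the response or fails if it is absent.
     * The whole response document is echoed into the exception message.
     *
     * @param response introspection response
     * @param name JSON member name
     * @param description human-readable description used in the error message
     * @return the member node, never {@code null}
     * @throws IllegalStateException if the member is missing
     */
    private static JsonNode requiredMember(JsonNode response, String name, String description) {
        JsonNode node = response.get(name);
        if (node == null) {
            throw new IllegalStateException("Introspection response contains no " + description + " (\"" + name + "\"): " + response);
        }
        return node;
    }

    /**
     * Checks whether the {@code aud} member matches the expected audience. RFC 7662
     * allows {@code aud} to be either a single string or a list of strings; a list
     * matches when any element equals the expected value.
     *
     * @param aud the {@code aud} node, possibly {@code null}
     * @param expected expected audience value
     * @return {@code true} if the audience is present and matches
     */
    private static boolean containsAudience(JsonNode aud, String expected) {
        if (aud == null) {
            return false;
        }
        if (aud.isArray()) {
            for (JsonNode element : aud) {
                if (expected.equals(element.asText())) {
                    return true;
                }
            }
            return false;
        }
        return expected.equals(aud.asText());
    }

    /**
     * Returns the node's text, or {@code null} when the node is absent.
     *
     * @param node possibly-null JSON node
     * @return its text value or {@code null}
     */
    private static String textOrNull(JsonNode node) {
        return node != null ? node.asText() : null;
    }

    /**
     * Percent-encodes a value for an {@code application/x-www-form-urlencoded} body.
     *
     * @param value text to encode
     * @return the encoded text
     */
    private static String formEncode(String value) {
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a mandatory charset on every JVM, so this branch is unreachable.
            throw new IllegalStateException("UTF-8 not supported", e);
        }
    }
}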
