package org.apache.knox.gateway.provider.federation.jwt.filter;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.JWTMessages;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.util.AuthFilterUtils;
import org.apache.knox.gateway.util.CertificateUtils;
import org.apache.knox.gateway.util.CookieUtils;
import org.eclipse.jetty.http.MimeTypes;

/* loaded from: input_file:org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.class */
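/**
 * Federation filter that authenticates a request from a KnoxSSO JWT carried in a cookie
 * (default name {@value #DEFAULT_SSO_COOKIE_NAME}).
 *
 * <p>Requests that carry no such cookie are let through anonymously only when they hit a
 * configured unauthenticated path or are {@code OPTIONS} requests; everything else is redirected
 * to the login (websso) endpoint with the original URL appended as {@code originalUrl}. Requests
 * that do carry the cookie are authenticated by the first cookie whose token validates.
 *
 * <p>Security note: when {@value #SSO_AUTHENTICATION_PROVIDER_URL} is not configured the redirect
 * target is derived from the incoming request URL (host and port come from the request, i.e. the
 * client-supplied Host header or whatever the container's forwarded-header handling set). Deployments
 * should configure the provider URL explicitly rather than rely on that derivation.
 */
public class SSOCookieFederationFilter extends AbstractJWTFilter {
    private static final JWTMessages LOGGER = (JWTMessages) MessagesFactory.get(JWTMessages.class);
    public static final String XHR_HEADER = "X-Requested-With";
    public static final String XHR_VALUE = "XMLHttpRequest";
    private static final String GATEWAY_PATH = "gateway.path";
    public static final String SSO_COOKIE_NAME = "sso.cookie.name";
    public static final String SSO_EXPECTED_AUDIENCES = "sso.expected.audiences";
    public static final String SSO_AUTHENTICATION_PROVIDER_URL = "sso.authentication.provider.url";
    public static final String SSO_VERIFICATION_PEM = "sso.token.verification.pem";
    public static final String X_FORWARDED_HOST = "X-Forwarded-Host";
    public static final String X_FORWARDED_PORT = "X-Forwarded-Port";
    public static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";
    private static final String ORIGINAL_URL_QUERY_PARAM = "originalUrl=";
    public static final String DEFAULT_SSO_COOKIE_NAME = "hadoop-jwt";
    private static final String SSO_UNAUTHENTICATED_PATHS_PARAM = "sso.unauthenticated.path.list";
    private static final String DEFAULT_SSO_UNAUTHENTICATED_PATHS_PARAM = "/favicon.ico;/knoxtoken/api/v1/jwks.json";

    /** Name of the cookie holding the JWT; {@link #DEFAULT_SSO_COOKIE_NAME} unless configured. */
    private String cookieName;
    /** Login endpoint to redirect to; {@code null} means "derive from the request" (see below). */
    private String authenticationProviderUrl;
    /** Gateway context path used when deriving the default login endpoint. */
    private String gatewayPath;
    /** Paths that may be served anonymously when no SSO cookie is present. */
    private final Set<String> unAuthenticatedPaths = new HashSet<>(20);

    /**
     * Reads this filter's init-params: cookie name, expected audiences, login endpoint URL,
     * RSA verification key (PEM), unauthenticated path list and gateway path.
     *
     * @param filterConfig servlet filter configuration
     * @throws ServletException propagated from the superclass initialisation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);

        String configuredCookieName = filterConfig.getInitParameter(SSO_COOKIE_NAME);
        this.cookieName = configuredCookieName == null ? DEFAULT_SSO_COOKIE_NAME : configuredCookieName;

        String expectedAudiences = filterConfig.getInitParameter(SSO_EXPECTED_AUDIENCES);
        if (expectedAudiences != null) {
            this.audiences = parseExpectedAudiences(expectedAudiences);
        }

        // A missing provider URL is only logged; the redirect target is then derived per request
        // in deriveDefaultAuthenticationProviderUrl (from request-supplied host/port).
        this.authenticationProviderUrl = filterConfig.getInitParameter(SSO_AUTHENTICATION_PROVIDER_URL);
        if (this.authenticationProviderUrl == null) {
            LOGGER.missingAuthenticationProviderUrlConfiguration();
        }

        String verificationPem = filterConfig.getInitParameter(SSO_VERIFICATION_PEM);
        if (verificationPem != null) {
            this.publicKey = CertificateUtils.parseRSAPublicKey(verificationPem);
        }

        AuthFilterUtils.addUnauthPaths(this.unAuthenticatedPaths,
                filterConfig.getInitParameter(SSO_UNAUTHENTICATED_PATHS_PARAM),
                DEFAULT_SSO_UNAUTHENTICATED_PATHS_PARAM);
        setGatewayPath(filterConfig);
        configureExpectedParameters(filterConfig);
    }

    /**
     * Resolves the gateway path: the {@code gateway.path} init-param if set and non-empty,
     * otherwise the {@link GatewayConfig} published in the servlet context (if any).
     * Leaves {@link #gatewayPath} null/empty when neither source provides a value.
     */
    private void setGatewayPath(FilterConfig filterConfig) {
        this.gatewayPath = filterConfig.getInitParameter(GATEWAY_PATH);
        if (this.gatewayPath != null && !this.gatewayPath.isEmpty()) {
            return;
        }
        if (filterConfig.getServletContext() == null) {
            return;
        }
        GatewayConfig gatewayConfig =
                (GatewayConfig) filterConfig.getServletContext().getAttribute("org.apache.knox.gateway.config");
        if (gatewayConfig != null) {
            this.gatewayPath = gatewayConfig.getGatewayPath();
        }
    }

    /** Nothing to release: this filter holds no resources beyond plain configuration values. */
    @Override
    public void destroy() {
    }

    /**
     * Authenticates the request from the SSO cookie(s).
     *
     * <p>Without a cookie the request is handled by {@link #handleMissingCookie}. With cookies,
     * each cookie of the configured name is parsed and validated in order; the first valid token
     * establishes the security context and the chain continues. If none validates and nothing has
     * been written to the response yet, the client is redirected to the login URL.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        List<Cookie> ssoCookies = CookieUtils.getCookiesForName(request, this.cookieName);
        if (ssoCookies.isEmpty()) {
            handleMissingCookie(request, response, filterChain);
            return;
        }

        for (Cookie ssoCookie : ssoCookies) {
            try {
                JWTToken token = new JWTToken(ssoCookie.getValue());
                if (validateToken(request, response, filterChain, token)) {
                    continueWithEstablishedSecurityContext(createSubjectFromToken(token), request, response, filterChain);
                    // A valid cookie was found; do not evaluate the remaining ones.
                    return;
                }
            } catch (ParseException | UnknownTokenException ignored) {
                // Not a parseable/known token: fall through and try the next cookie of the same name.
            }
        }

        // validateToken may already have answered via handleValidationError (redirect or 401);
        // only redirect here if nothing has been committed to the response.
        if (response == null || response.isCommitted()) {
            return;
        }
        sendRedirectToLoginURL(request, response);
    }

    /**
     * Handles a request that carries no SSO cookie.
     *
     * <p>Unauthenticated paths and {@code OPTIONS} requests continue down the chain with an
     * anonymous subject; every other request is redirected to the login URL.
     */
    private void handleMissingCookie(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        if (AuthFilterUtils.doesRequestContainUnauthPath(this.unAuthenticatedPaths, request)) {
            LOGGER.unauthenticatedPathBypass(request.getRequestURI(), this.unAuthenticatedPaths.toString());
            continueAsAnonymous(request, response, filterChain);
            // Fix: previously this fell through and, after the chain had already run, either
            // redirected the (possibly committed) response or invoked the chain a second time.
            return;
        }
        if ("OPTIONS".equals(request.getMethod())) {
            // OPTIONS (e.g. a CORS preflight) is allowed through anonymously rather than redirected.
            continueAsAnonymous(request, response, filterChain);
            return;
        }
        sendRedirectToLoginURL(request, response);
    }

    /** Continues the chain with a subject whose primary principal is "anonymous". */
    private void continueAsAnonymous(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        Subject anonymous = new Subject();
        anonymous.getPrincipals().add(new PrimaryPrincipal("anonymous"));
        continueWithEstablishedSecurityContext(anonymous, request, response, filterChain);
    }

    /** Logs and sends a redirect to the login URL built by {@link #constructLoginURL}. */
    private void sendRedirectToLoginURL(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String loginUrl = constructLoginURL(request);
        LOGGER.sendRedirectToLoginURL(loginUrl);
        response.sendRedirect(loginUrl);
    }

    /**
     * Reports a token validation failure.
     *
     * <p>Browser navigations (no {@code X-Requested-With: XMLHttpRequest} header) are redirected to
     * the login URL. XHR callers instead receive a 401 with an optional plain-text body, since they
     * cannot usefully follow a login redirect.
     *
     * <p>Note: the supplied {@code status} is not used; a 401 is always sent in the XHR case.
     *
     * @param request  the failing request
     * @param response response to write the error/redirect to
     * @param status   status code suggested by the caller (currently ignored)
     * @param message  optional plain-text body for the XHR case; ignored when null or empty
     */
    @Override
    protected void handleValidationError(HttpServletRequest request, HttpServletResponse response, int status,
            String message) throws IOException {
        String requestedWith = request.getHeader(XHR_HEADER);
        boolean isXhr = requestedWith != null && requestedWith.equalsIgnoreCase(XHR_VALUE);
        if (!isXhr) {
            response.sendRedirect(constructLoginURL(request));
            return;
        }

        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType(MimeTypes.Type.TEXT_PLAIN.toString());
        if (message == null || message.isEmpty()) {
            return;
        }
        // Body is written as UTF-8 bytes; the Content-Type above carries no charset parameter.
        byte[] body = message.getBytes(StandardCharsets.UTF_8);
        response.setContentLength(body.length);
        response.getOutputStream().write(body);
    }

    /**
     * Builds the login URL: the configured (or derived) provider URL plus
     * {@code originalUrl=<request URL><?query>}.
     *
     * <p>The original URL and its query string are appended verbatim, not URL-encoded, so any
     * {@code &}-separated parameters of the original request become sibling parameters of the
     * login URL rather than part of {@code originalUrl}. The value echoes the request URL, so the
     * consumer of {@code originalUrl} is expected to validate it as a redirect target.
     *
     * <p>If no provider URL is configured and derivation fails (returns null), this throws a
     * {@link NullPointerException}, as before.
     */
    protected String constructLoginURL(HttpServletRequest request) {
        String providerUrl = this.authenticationProviderUrl != null
                ? this.authenticationProviderUrl
                : deriveDefaultAuthenticationProviderUrl(request);
        String separator = providerUrl.contains("?") ? "&" : "?";
        StringBuffer originalUrl = request.getRequestURL().append(getOriginalQueryString(request));
        return providerUrl + separator + ORIGINAL_URL_QUERY_PARAM + originalUrl;
    }

    /**
     * Derives the default login endpoint
     * {@code <scheme>://<host>[:<port>]/<gatewayPath>/knoxsso/api/v1/websso} from the request URL.
     *
     * <p>Security: scheme, host and port are taken from {@code request.getRequestURL()}, i.e. from
     * request-supplied data. This is only used when {@value #SSO_AUTHENTICATION_PROVIDER_URL} is
     * not configured. The explicit port is skipped when the host string already contains a ':'
     * (e.g. a bracketed IPv6 literal) or when the URL has no explicit port.
     *
     * @return the derived URL, or {@code null} if the request URL could not be parsed
     */
    public String deriveDefaultAuthenticationProviderUrl(HttpServletRequest request) {
        try {
            URL requestUrl = new URL(request.getRequestURL().toString());
            String host = requestUrl.getHost();
            int port = requestUrl.getPort();

            StringBuilder derived = new StringBuilder(requestUrl.getProtocol())
                    .append("://")
                    .append(host);
            if (port != -1 && !host.contains(":")) {
                derived.append(':').append(port);
            }
            derived.append('/').append(this.gatewayPath).append("/knoxsso/api/v1/websso");
            return derived.toString();
        } catch (MalformedURLException e) {
            LOGGER.failedToDeriveAuthenticationProviderUrl(e);
            return null;
        }
    }

    /** Returns {@code "?" + query string}, or the empty string when the request has none. */
    private String getOriginalQueryString(HttpServletRequest request) {
        String query = request.getQueryString();
        if (query == null) {
            return "";
        }
        return "?" + query;
    }
}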
