package co.cask.cdap.gateway.router.handlers;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.logging.AuditLogContent;
import co.cask.cdap.common.logging.AuditLogEntry;
import co.cask.cdap.gateway.router.RouterAuditLookUp;
import co.cask.cdap.security.auth.AccessTokenTransformer;
import co.cask.cdap.security.auth.TokenState;
import co.cask.cdap.security.auth.TokenValidator;
import com.google.common.base.Charsets;
import com.google.common.base.Stopwatch;
import com.google.common.collect.ImmutableSet;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import com.google.gson.JsonPrimitive;
import java.net.InetSocketAddress;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import org.apache.twill.discovery.Discoverable;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.jboss.netty.buffer.ChannelBuffer;
import org.jboss.netty.buffer.ChannelBufferIndexFinder;
import org.jboss.netty.buffer.ChannelBuffers;
import org.jboss.netty.channel.Channel;
import org.jboss.netty.channel.ChannelFuture;
import org.jboss.netty.channel.ChannelFutureListener;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.Channels;
import org.jboss.netty.channel.MessageEvent;
import org.jboss.netty.channel.SimpleChannelHandler;
import org.jboss.netty.channel.WriteCompletionEvent;
import org.jboss.netty.handler.codec.http.DefaultHttpResponse;
import org.jboss.netty.handler.codec.http.HttpMethod;
import org.jboss.netty.handler.codec.http.HttpRequest;
import org.jboss.netty.handler.codec.http.HttpResponse;
import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.jboss.netty.handler.codec.http.HttpVersion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/gateway/router/handlers/SecurityAuthenticationHttpHandler.class */
public class SecurityAuthenticationHttpHandler extends SimpleChannelHandler {
    private final TokenValidator tokenValidator;
    private final AccessTokenTransformer accessTokenTransformer;
    private final Iterable<Discoverable> discoverables;
    private final CConfiguration configuration;
    private final String realm;
    private final Pattern bypassPattern;
    private static final Logger LOG = LoggerFactory.getLogger(SecurityAuthenticationHttpHandler.class);
    private static final Logger AUDIT_LOG = LoggerFactory.getLogger("http-access");
    private static final Set AUDIT_LOG_LOOKUP_METHOD = ImmutableSet.of(HttpMethod.PUT, HttpMethod.DELETE, HttpMethod.POST);
    private static final RouterAuditLookUp AUDIT_LOOK_UP = RouterAuditLookUp.getAuditLookUp();
    private static final ChannelBufferIndexFinder CONTENT_LENGTH_FINDER = new ChannelBufferIndexFinder() { // from class: co.cask.cdap.gateway.router.handlers.SecurityAuthenticationHttpHandler.1
        private byte[] headerName = "Content-Length".getBytes(Charsets.UTF_8);

        public boolean find(ChannelBuffer channelBuffer, int i) {
            if (channelBuffer.capacity() - i < this.headerName.length) {
                return false;
            }
            for (int i2 = 0; i2 < this.headerName.length; i2++) {
                if (this.headerName[i2] != channelBuffer.getByte(i + i2)) {
                    return false;
                }
            }
            return true;
        }
    };
    private static final ChannelBufferIndexFinder TWO_SEPERATOR_FINDER = new ChannelBufferIndexFinder() { // from class: co.cask.cdap.gateway.router.handlers.SecurityAuthenticationHttpHandler.2
        private byte[] lineSeperator = "\r\n\r\n".getBytes(Charsets.UTF_8);

        public boolean find(ChannelBuffer channelBuffer, int i) {
            if (channelBuffer.capacity() - i < this.lineSeperator.length) {
                return false;
            }
            for (int i2 = 0; i2 < this.lineSeperator.length; i2++) {
                if (this.lineSeperator[i2] != channelBuffer.getByte(i + i2)) {
                    return false;
                }
            }
            return true;
        }
    };

    public SecurityAuthenticationHttpHandler(String str, TokenValidator tokenValidator, CConfiguration cConfiguration, AccessTokenTransformer accessTokenTransformer, DiscoveryServiceClient discoveryServiceClient) {
        this.realm = str;
        this.tokenValidator = tokenValidator;
        this.accessTokenTransformer = accessTokenTransformer;
        this.discoverables = discoveryServiceClient.discover("external.authentication");
        this.configuration = cConfiguration;
        this.bypassPattern = createMatcher(cConfiguration.get("router.bypass.auth.regex"));
    }

    private Pattern createMatcher(String str) {
        if (str == null) {
            return null;
        }
        try {
            return Pattern.compile(str);
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException(String.format("Invalid regular expression for %s", "router.bypass.auth.regex"), e);
        }
    }

    private boolean matchBypassPattern(HttpRequest httpRequest) {
        return this.bypassPattern != null && this.bypassPattern.matcher(httpRequest.getUri()).matches();
    }

    private boolean validateSecuredInterception(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest, Channel channel, AuditLogEntry auditLogEntry) throws Exception {
        int indexOf;
        String header = httpRequest.getHeader("Authorization");
        String str = null;
        if (header != null && (indexOf = header.trim().indexOf(32)) != -1) {
            str = header.substring(indexOf + 1).trim();
        }
        HttpMethod method = httpRequest.getMethod();
        String uri = httpRequest.getUri();
        auditLogEntry.setClientIP(((InetSocketAddress) channelHandlerContext.getChannel().getRemoteAddress()).getAddress());
        auditLogEntry.setRequestLine(method, uri, httpRequest.getProtocolVersion());
        TokenState validate = this.tokenValidator.validate(str);
        if (validate.isValid()) {
            AccessTokenTransformer.AccessTokenIdentifierPair transform = this.accessTokenTransformer.transform(str);
            AuditLogContent auditLogContent = AUDIT_LOG_LOOKUP_METHOD.contains(method) ? AUDIT_LOOK_UP.getAuditLogContent(httpRequest.getUri(), method) : null;
            if (auditLogContent != null) {
                List<String> headerNames = auditLogContent.getHeaderNames();
                if (!headerNames.isEmpty()) {
                    HashMap hashMap = new HashMap();
                    for (String str2 : headerNames) {
                        hashMap.put(str2, httpRequest.getHeader(str2));
                    }
                    auditLogEntry.setHeaders(hashMap);
                }
                if (auditLogContent.isLogRequestBody()) {
                    ChannelBuffer content = httpRequest.getContent();
                    if (content.readable()) {
                        auditLogEntry.setRequestBody(content.toString(Charsets.UTF_8));
                    }
                }
                auditLogEntry.setLogResponseBody(auditLogContent.isLogResponsebody());
            }
            auditLogEntry.setUserName(transform.getAccessTokenIdentifierObj().getUsername());
            httpRequest.setHeader("Authorization", "CDAP-verified " + transform.getAccessTokenIdentifierStr());
            httpRequest.setHeader("CDAP-UserId", transform.getAccessTokenIdentifierObj().getUsername());
            httpRequest.setHeader("CDAP-UserIP", ((InetSocketAddress) channelHandlerContext.getChannel().getRemoteAddress()).getAddress().getHostAddress());
            return true;
        }
        DefaultHttpResponse defaultHttpResponse = new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED);
        auditLogEntry.setResponseCode(Integer.valueOf(HttpResponseStatus.UNAUTHORIZED.getCode()));
        JsonObject jsonObject = new JsonObject();
        if (validate == TokenState.MISSING) {
            defaultHttpResponse.addHeader("WWW-Authenticate", String.format("Bearer realm=\"%s\"", this.realm));
            LOG.debug("Authentication failed due to missing token");
        } else {
            defaultHttpResponse.addHeader("WWW-Authenticate", String.format("Bearer realm=\"%s\" error=\"invalid_token\" error_description=\"%s\"", this.realm, validate.getMsg()));
            jsonObject.addProperty("error", "invalid_token");
            jsonObject.addProperty("error_description", validate.getMsg());
            LOG.debug("Authentication failed due to invalid token, reason={};", validate);
        }
        JsonArray jsonArray = new JsonArray();
        stopWatchWait(jsonArray);
        jsonObject.add("auth_uri", jsonArray);
        ChannelBuffer wrappedBuffer = ChannelBuffers.wrappedBuffer(jsonObject.toString().getBytes(Charsets.UTF_8));
        defaultHttpResponse.setContent(wrappedBuffer);
        int readableBytes = wrappedBuffer.readableBytes();
        defaultHttpResponse.setHeader("Content-Length", Integer.valueOf(readableBytes));
        defaultHttpResponse.setHeader("Content-Type", "application/json;charset=UTF-8");
        auditLogEntry.setResponseContentLength(new Long(readableBytes));
        ChannelFuture future = Channels.future(channel);
        Channels.write(channelHandlerContext, future, defaultHttpResponse);
        future.addListener(ChannelFutureListener.CLOSE);
        return false;
    }

    private void stopWatchWait(JsonArray jsonArray) throws Exception {
        Object obj;
        int i;
        boolean z = false;
        Stopwatch stopwatch = new Stopwatch();
        stopwatch.start();
        if (this.configuration.getBoolean("ssl.external.enabled")) {
            obj = "https";
            i = this.configuration.getInt("security.auth.server.ssl.bind.port");
        } else {
            obj = "http";
            i = this.configuration.getInt("security.auth.server.bind.port");
        }
        String str = this.configuration.get("security.auth.server.announce.address");
        if (str != null) {
            jsonArray.add(new JsonPrimitive(String.format("%s://%s/%s", obj, str, "token")));
            return;
        }
        do {
            Iterator<Discoverable> it = this.discoverables.iterator();
            while (it.hasNext()) {
                jsonArray.add(new JsonPrimitive(String.format("%s://%s:%d/%s", obj, it.next().getSocketAddress().getHostName(), Integer.valueOf(i), "token")));
                z = true;
            }
            if (!z) {
                TimeUnit.MILLISECONDS.sleep(200L);
            }
            if (z) {
                return;
            }
        } while (stopwatch.elapsedTime(TimeUnit.SECONDS) < 2);
    }

    public void messageReceived(ChannelHandlerContext channelHandlerContext, MessageEvent messageEvent) throws Exception {
        Object message = messageEvent.getMessage();
        if (!(message instanceof HttpRequest)) {
            super.messageReceived(channelHandlerContext, messageEvent);
            return;
        }
        AuditLogEntry auditLogEntry = new AuditLogEntry();
        channelHandlerContext.setAttachment(auditLogEntry);
        HttpRequest httpRequest = (HttpRequest) message;
        if (matchBypassPattern(httpRequest) || validateSecuredInterception(channelHandlerContext, httpRequest, messageEvent.getChannel(), auditLogEntry)) {
            Channels.fireMessageReceived(channelHandlerContext, message, messageEvent.getRemoteAddress());
        }
    }

    public void writeRequested(ChannelHandlerContext channelHandlerContext, MessageEvent messageEvent) throws Exception {
        AuditLogEntry logEntry = getLogEntry(channelHandlerContext);
        boolean isLogResponseBody = logEntry.isLogResponseBody();
        Object message = messageEvent.getMessage();
        if (message instanceof HttpResponse) {
            HttpResponse httpResponse = (HttpResponse) message;
            logEntry.setResponseCode(Integer.valueOf(httpResponse.getStatus().getCode()));
            if (isLogResponseBody) {
                ChannelBuffer content = httpResponse.getContent();
                if (content.readable()) {
                    logEntry.setResponseBody(content.toString(Charsets.UTF_8));
                }
            }
            if (httpResponse.containsHeader("Content-Length")) {
                String header = httpResponse.getHeader("Content-Length");
                try {
                    logEntry.setResponseContentLength(Long.valueOf(header));
                } catch (NumberFormatException e) {
                    LOG.warn("Invalid value for content length in HTTP response message: {}", header, e);
                }
            }
        } else if (message instanceof ChannelBuffer) {
            ChannelBuffer channelBuffer = (ChannelBuffer) message;
            if (logEntry.getResponseCode() == null) {
                logEntry.setResponseCode(findResponseCode(channelBuffer));
                if (logEntry.getResponseCode() != null) {
                    logEntry.setResponseContentLength(findContentLength(channelBuffer));
                    if (isLogResponseBody) {
                        logEntry.setResponseBody(findResponseBody(channelBuffer, true));
                    }
                }
            } else if (isLogResponseBody) {
                logEntry.appendResponseBody(findResponseBody(channelBuffer, false));
            }
        } else {
            LOG.debug("Unhandled response message type: {}", message.getClass());
        }
        super.writeRequested(channelHandlerContext, messageEvent);
    }

    public void writeComplete(ChannelHandlerContext channelHandlerContext, WriteCompletionEvent writeCompletionEvent) throws Exception {
        AuditLogEntry logEntry = getLogEntry(channelHandlerContext);
        if (logEntry.isLogged()) {
            return;
        }
        AUDIT_LOG.trace(logEntry.toString());
        logEntry.setLogged(true);
    }

    private Integer findResponseCode(ChannelBuffer channelBuffer) {
        Integer num = null;
        int indexOf = channelBuffer.indexOf(channelBuffer.readerIndex(), channelBuffer.writerIndex(), ChannelBufferIndexFinder.LINEAR_WHITESPACE);
        if (indexOf < 0 || indexOf >= channelBuffer.writerIndex() - 4) {
            LOG.debug("Invalid index for space in response: index={}, buffer size={}", Integer.valueOf(indexOf), Integer.valueOf(channelBuffer.readableBytes()));
        } else {
            String trim = channelBuffer.toString(indexOf, 4, Charsets.UTF_8).trim();
            try {
                num = Integer.valueOf(trim);
            } catch (NumberFormatException e) {
                LOG.warn("Invalid value for HTTP response code: {}", trim, e);
            }
        }
        return num;
    }

    private Long findContentLength(ChannelBuffer channelBuffer) {
        Long l = null;
        int writerIndex = channelBuffer.writerIndex();
        int indexOf = channelBuffer.indexOf(channelBuffer.readerIndex(), writerIndex, CONTENT_LENGTH_FINDER);
        if (indexOf >= 0) {
            int indexOf2 = channelBuffer.indexOf(indexOf, writerIndex, (byte) 58);
            int indexOf3 = channelBuffer.indexOf(indexOf, writerIndex, ChannelBufferIndexFinder.CRLF);
            if (indexOf2 > 0 && indexOf2 < indexOf3) {
                String trim = channelBuffer.toString(indexOf2 + 1, indexOf3 - (indexOf2 + 1), Charsets.UTF_8).trim();
                try {
                    l = Long.valueOf(trim);
                } catch (NumberFormatException e) {
                    LOG.warn("Invalid value for content length in HTTP response message: {}", trim, e);
                }
            }
        }
        return l;
    }

    private AuditLogEntry getLogEntry(ChannelHandlerContext channelHandlerContext) {
        AuditLogEntry auditLogEntry;
        Object attachment = channelHandlerContext.getAttachment();
        if (attachment == null || !(attachment instanceof AuditLogEntry)) {
            auditLogEntry = new AuditLogEntry();
            channelHandlerContext.setAttachment(auditLogEntry);
        } else {
            auditLogEntry = (AuditLogEntry) attachment;
        }
        return auditLogEntry;
    }

    private String findResponseBody(ChannelBuffer channelBuffer, boolean z) {
        if (!z) {
            return channelBuffer.readable() ? channelBuffer.toString(Charsets.UTF_8) : "";
        }
        int writerIndex = channelBuffer.writerIndex();
        int indexOf = channelBuffer.indexOf(channelBuffer.readerIndex(), writerIndex, TWO_SEPERATOR_FINDER);
        return indexOf >= 0 ? channelBuffer.toString(indexOf + 4, (writerIndex - indexOf) - 4, Charsets.UTF_8).trim() : "";
    }
}
