package co.cask.cdap.gateway.router.handlers;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.logging.AuditLogEntry;
import co.cask.cdap.common.utils.Networks;
import co.cask.cdap.security.auth.AccessTokenTransformer;
import co.cask.cdap.security.auth.TokenState;
import co.cask.cdap.security.auth.TokenValidator;
import com.google.common.util.concurrent.SettableFuture;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import com.google.gson.JsonPrimitive;
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponse;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.ReferenceCountUtil;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.annotation.Nullable;
import org.apache.twill.common.Cancellable;
import org.apache.twill.common.Threads;
import org.apache.twill.discovery.Discoverable;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.apache.twill.discovery.ServiceDiscovered;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/gateway/router/handlers/AuthenticationHandler.class */
public class AuthenticationHandler extends ChannelInboundHandlerAdapter {
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationHandler.class);
    private static final Logger AUDIT_LOGGER = LoggerFactory.getLogger("http-access");
    private final CConfiguration cConf;
    private final String realm;
    private final TokenValidator tokenValidator;
    private final Pattern bypassPattern;
    private final boolean auditLogEnabled;
    private final List<String> authServerURLs;
    private final DiscoveryServiceClient discoveryServiceClient;
    private final AccessTokenTransformer tokenTransformer;

    public AuthenticationHandler(CConfiguration cConfiguration, TokenValidator tokenValidator, DiscoveryServiceClient discoveryServiceClient, AccessTokenTransformer accessTokenTransformer) {
        this.cConf = cConfiguration;
        this.realm = cConfiguration.get("security.realm");
        this.tokenValidator = tokenValidator;
        this.bypassPattern = createBypassPattern(cConfiguration);
        this.auditLogEnabled = cConfiguration.getBoolean("router.audit.log.enabled");
        this.authServerURLs = getConfiguredAuthServerURLs(cConfiguration);
        this.discoveryServiceClient = discoveryServiceClient;
        this.tokenTransformer = accessTokenTransformer;
    }

    public void channelRead(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        if (!(obj instanceof HttpRequest)) {
            channelHandlerContext.fireChannelRead(obj);
            return;
        }
        HttpRequest httpRequest = (HttpRequest) obj;
        if (isBypassed(httpRequest)) {
            channelHandlerContext.fireChannelRead(obj);
            return;
        }
        TokenState validateAccessToken = validateAccessToken(httpRequest, channelHandlerContext.channel());
        if (validateAccessToken.isValid()) {
            channelHandlerContext.fireChannelRead(obj);
            return;
        }
        try {
            DefaultHttpHeaders defaultHttpHeaders = new DefaultHttpHeaders();
            JsonObject jsonObject = new JsonObject();
            if (validateAccessToken == TokenState.MISSING) {
                defaultHttpHeaders.add(HttpHeaderNames.WWW_AUTHENTICATE, String.format("Bearer realm=\"%s\"", this.realm));
                LOG.debug("Authentication failed due to missing token");
            } else {
                defaultHttpHeaders.add(HttpHeaderNames.WWW_AUTHENTICATE, String.format("Bearer realm=\"%s\" error=\"invalid_token\" error_description=\"%s\"", this.realm, validateAccessToken.getMsg()));
                jsonObject.addProperty("error", "invalid_token");
                jsonObject.addProperty("error_description", validateAccessToken.getMsg());
                LOG.debug("Authentication failed due to invalid token, reason={};", validateAccessToken);
            }
            jsonObject.add("auth_uri", getAuthenticationURLs());
            DefaultFullHttpResponse defaultFullHttpResponse = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, Unpooled.copiedBuffer(jsonObject.toString(), StandardCharsets.UTF_8));
            HttpUtil.setContentLength(defaultFullHttpResponse, r0.readableBytes());
            HttpUtil.setKeepAlive(defaultFullHttpResponse, false);
            defaultFullHttpResponse.headers().setAll(defaultHttpHeaders);
            defaultFullHttpResponse.headers().set(HttpHeaderNames.CONTENT_TYPE, "application/json;charset=UTF-8");
            auditLogIfNeeded(httpRequest, defaultFullHttpResponse, channelHandlerContext.channel());
            channelHandlerContext.writeAndFlush(defaultFullHttpResponse).addListener(ChannelFutureListener.CLOSE);
            ReferenceCountUtil.release(obj);
        } catch (Throwable th) {
            ReferenceCountUtil.release(obj);
            throw th;
        }
    }

    private boolean isBypassed(HttpRequest httpRequest) {
        return this.bypassPattern != null && this.bypassPattern.matcher(httpRequest.uri()).matches();
    }

    private TokenState validateAccessToken(HttpRequest httpRequest, Channel channel) {
        String str = httpRequest.headers().get(HttpHeaderNames.AUTHORIZATION);
        String str2 = null;
        if (str != null) {
            int indexOf = str.trim().indexOf(32);
            if (indexOf < 0) {
                return TokenState.MISSING;
            }
            str2 = str.substring(indexOf + 1).trim();
        }
        TokenState validate = this.tokenValidator.validate(str2);
        if (validate.isValid()) {
            try {
                AccessTokenTransformer.AccessTokenIdentifierPair transform = this.tokenTransformer.transform(str2);
                httpRequest.headers().set(HttpHeaderNames.AUTHORIZATION, "CDAP-verified " + transform.getAccessTokenIdentifierStr());
                httpRequest.headers().set("CDAP-UserId", transform.getAccessTokenIdentifierObj().getUsername());
                String ip = Networks.getIP(channel.remoteAddress());
                if (ip != null) {
                    httpRequest.headers().set("CDAP-UserIP", ip);
                }
            } catch (Exception e) {
                LOG.debug("Exception raised when getting token information from a validate token", e);
                return TokenState.INVALID;
            }
        }
        return validate;
    }

    private JsonArray getAuthenticationURLs() {
        final JsonArray jsonArray = new JsonArray();
        if (!this.authServerURLs.isEmpty()) {
            Iterator<String> it = this.authServerURLs.iterator();
            while (it.hasNext()) {
                jsonArray.add(new JsonPrimitive(it.next()));
            }
            return jsonArray;
        }
        final String protocol = getProtocol(this.cConf);
        final int port = getPort(this.cConf);
        ServiceDiscovered discover = this.discoveryServiceClient.discover("external.authentication");
        addAuthServerUrls(discover, protocol, port, jsonArray);
        if (jsonArray.size() > 0) {
            return jsonArray;
        }
        final SettableFuture create = SettableFuture.create();
        Cancellable watchChanges = discover.watchChanges(new ServiceDiscovered.ChangeListener() { // from class: co.cask.cdap.gateway.router.handlers.AuthenticationHandler.1
            public void onChange(ServiceDiscovered serviceDiscovered) {
                AuthenticationHandler.this.addAuthServerUrls(serviceDiscovered, protocol, port, jsonArray);
                if (jsonArray.size() > 0) {
                    create.set(jsonArray);
                }
            }
        }, Threads.SAME_THREAD_EXECUTOR);
        try {
            try {
                JsonArray jsonArray2 = (JsonArray) create.get(2L, TimeUnit.SECONDS);
                watchChanges.cancel();
                return jsonArray2;
            } catch (TimeoutException e) {
                LOG.warn("No authentication server detected via service discovery");
                watchChanges.cancel();
                return jsonArray;
            } catch (Exception e2) {
                watchChanges.cancel();
                return jsonArray;
            }
        } catch (Throwable th) {
            watchChanges.cancel();
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void addAuthServerUrls(Iterable<Discoverable> iterable, String str, int i, JsonArray jsonArray) {
        Iterator<Discoverable> it = iterable.iterator();
        while (it.hasNext()) {
            jsonArray.add(new JsonPrimitive(String.format("%s://%s:%d/%s", str, it.next().getSocketAddress().getHostName(), Integer.valueOf(i), "token")));
        }
    }

    private void auditLogIfNeeded(HttpRequest httpRequest, HttpResponse httpResponse, Channel channel) {
        if (this.auditLogEnabled) {
            AuditLogEntry auditLogEntry = new AuditLogEntry(httpRequest, Networks.getIP(channel.remoteAddress()));
            auditLogEntry.setResponse(httpResponse);
            AUDIT_LOGGER.trace(auditLogEntry.toString());
        }
    }

    @Nullable
    private static Pattern createBypassPattern(CConfiguration cConfiguration) {
        String str = cConfiguration.get("router.bypass.auth.regex");
        if (str == null) {
            return null;
        }
        try {
            return Pattern.compile(str);
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException("Invalid regular expression " + str + " for configuration router.bypass.auth.regex", e);
        }
    }

    private static List<String> getConfiguredAuthServerURLs(CConfiguration cConfiguration) {
        ArrayList arrayList = new ArrayList();
        for (String str : cConfiguration.getTrimmedStrings("security.auth.server.announce.urls")) {
            arrayList.add(str + "/token");
        }
        return Collections.unmodifiableList(arrayList);
    }

    private static String getProtocol(CConfiguration cConfiguration) {
        return cConfiguration.getBoolean("ssl.external.enabled") ? "https" : "http";
    }

    private static int getPort(CConfiguration cConfiguration) {
        return cConfiguration.getBoolean("ssl.external.enabled") ? cConfiguration.getInt("security.auth.server.ssl.bind.port") : cConfiguration.getInt("security.auth.server.bind.port");
    }
}
