package org.apache.hadoop.gateway.provider.federation.jwt.filter;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages;
import org.apache.hadoop.gateway.security.PrimaryPrincipal;
import org.apache.hadoop.gateway.services.GatewayServices;
import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;

/* loaded from: input_file:org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.class */
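/**
 * Servlet filter that authenticates a request from a JWT carried in an SSO cookie.
 *
 * <p>Behaviour, in order:
 * <ol>
 *   <li>The cookie named by {@value #SSO_COOKIE_NAME} (default {@code hadoop-jwt}) is read.</li>
 *   <li>If no cookie is present the client is redirected to the configured authentication
 *       provider URL with an {@code originalUrl} query parameter. The one exception is an
 *       HTTP {@code OPTIONS} request, which is let through with an {@code "anonymous"} principal
 *       so that CORS pre-flight requests can complete without a token.</li>
 *   <li>Otherwise the token is checked for a valid signature ({@link JWTokenAuthority#verifyToken}),
 *       then for expiry ({@code tokenIsStillValid}), then for an accepted audience
 *       ({@code validateAudiences}); any failure redirects to the login URL. Only a token that
 *       passes all three checks establishes a security context for the remainder of the chain.</li>
 * </ol>
 *
 * <p>{@code tokenIsStillValid}, {@code validateAudiences}, {@code parseExpectedAudiences} and the
 * {@code audiences} field are inherited from {@link AbstractJWTFilter} and are not visible here.
 *
 * <p>The redirect target is built from the configured provider URL (init parameter
 * {@value #SSO_AUTHENTICATION_PROVIDER_URL}), not from request data; only the
 * {@code originalUrl} value is taken from the incoming request.
 */
public class SSOCookieFederationFilter extends AbstractJWTFilter implements Filter {
    static JWTMessages log = (JWTMessages) MessagesFactory.get(JWTMessages.class);
    private static final String ORIGINAL_URL_QUERY_PARAM = "originalUrl=";
    public static final String SSO_COOKIE_NAME = "sso.cookie.name";
    public static final String SSO_EXPECTED_AUDIENCES = "sso.expected.audiences";
    public static final String SSO_AUTHENTICATION_PROVIDER_URL = "sso.authentication.provider.url";
    private static final String DEFAULT_SSO_COOKIE_NAME = "hadoop-jwt";
    /** Servlet-context attribute under which the gateway publishes its {@code GatewayServices}. */
    private static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.hadoop.gateway.gateway.services";
    /** Name under which the token authority is registered with {@code GatewayServices}. */
    private static final String TOKEN_SERVICE_NAME = "TokenService";
    /** HTTP method that is allowed through without a token (CORS pre-flight). */
    private static final String OPTIONS_METHOD = "OPTIONS";
    /**
     * Verifies token signatures. Looked up from the gateway services in {@link #init}; left as-is
     * when the services are not available so that a subclass may have supplied it beforehand.
     */
    protected JWTokenAuthority authority = null;
    private String cookieName = null;
    private String authenticationProviderUrl = null;

    /**
     * Reads the filter's configuration.
     *
     * @param filterConfig source of init parameters and of the servlet context
     * @throws ServletException if {@value #SSO_AUTHENTICATION_PROVIDER_URL} is not configured;
     *         without it no login redirect can be issued
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        ServletContext servletContext = filterConfig.getServletContext();
        if (servletContext != null) {
            GatewayServices gatewayServices =
                    (GatewayServices) servletContext.getAttribute(GATEWAY_SERVICES_ATTRIBUTE);
            if (gatewayServices != null) {
                this.authority = (JWTokenAuthority) gatewayServices.getService(TOKEN_SERVICE_NAME);
            }
        }

        String configuredCookieName = filterConfig.getInitParameter(SSO_COOKIE_NAME);
        this.cookieName = configuredCookieName != null ? configuredCookieName : DEFAULT_SSO_COOKIE_NAME;

        String expectedAudiences = filterConfig.getInitParameter(SSO_EXPECTED_AUDIENCES);
        if (expectedAudiences != null) {
            this.audiences = parseExpectedAudiences(expectedAudiences);
        }

        this.authenticationProviderUrl = filterConfig.getInitParameter(SSO_AUTHENTICATION_PROVIDER_URL);
        if (this.authenticationProviderUrl == null) {
            log.missingAuthenticationProviderUrlConfiguration();
            throw new ServletException("Required authentication provider URL is missing.");
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Authenticates the request from the SSO cookie, or redirects it to the login URL.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     continued only once a security context has been established
     * @throws IOException      propagated from the redirect or from the downstream chain
     * @throws ServletException propagated from the downstream chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String loginUrl = constructLoginURL(request);

        String wireToken = getJWTFromCookie(request);
        if (wireToken == null) {
            if (OPTIONS_METHOD.equals(request.getMethod())) {
                // CORS pre-flight: let it through as "anonymous" instead of redirecting.
                Subject anonymous = new Subject();
                anonymous.getPrincipals().add(new PrimaryPrincipal("anonymous"));
                continueWithEstablishedSecurityContext(anonymous, request, response, filterChain);
                // Return here: the chain has already produced the response, so falling through
                // to sendRedirect() would attempt a second response on a committed one.
                return;
            }
            log.sendRedirectToLoginURL(loginUrl);
            response.sendRedirect(loginUrl);
            return;
        }

        JWTToken token = new JWTToken(wireToken);
        try {
            // Order matters: an unverifiable signature means the remaining claims cannot be trusted.
            if (!this.authority.verifyToken(token)) {
                log.failedToVerifyTokenSignature();
                response.sendRedirect(loginUrl);
            } else if (!tokenIsStillValid(token)) {
                log.tokenHasExpired();
                response.sendRedirect(loginUrl);
            } else if (!validateAudiences(token)) {
                log.failedToValidateAudience();
                response.sendRedirect(loginUrl);
            } else {
                continueWithEstablishedSecurityContext(createSubjectFromToken(token), request, response, filterChain);
            }
        } catch (TokenServiceException e) {
            // Treat a verification failure the same as an invalid token: never let it through.
            log.unableToVerifyToken(e);
            response.sendRedirect(loginUrl);
        }
    }

    /**
     * Returns the value of the first cookie whose name matches the configured cookie name.
     *
     * @param request the request whose cookies are inspected
     * @return the raw (still serialised) JWT, or {@code null} when the cookie is absent
     */
    protected String getJWTFromCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (this.cookieName.equals(cookie.getName())) {
                log.cookieHasBeenFound(this.cookieName);
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Builds the login redirect: the configured provider URL plus an {@code originalUrl}
     * query parameter holding the request URL and its query string.
     *
     * @param request the request being redirected
     * @return the absolute login URL to send the client to
     */
    protected String constructLoginURL(HttpServletRequest request) {
        // Append with '&' when the configured URL already carries a query string.
        String separator = this.authenticationProviderUrl.contains("?") ? "&" : "?";
        // NOTE(review): the original URL is appended unencoded, so a query string containing
        // '&' or '=' is ambiguous to the provider — confirm how the provider parses originalUrl.
        StringBuffer originalUrl = request.getRequestURL().append(getOriginalQueryString(request));
        return this.authenticationProviderUrl + separator + ORIGINAL_URL_QUERY_PARAM + originalUrl;
    }

    /**
     * Returns the request's query string prefixed with {@code ?}, or {@code ""} when there is none.
     */
    private String getOriginalQueryString(HttpServletRequest request) {
        String queryString = request.getQueryString();
        return queryString == null ? "" : "?" + queryString;
    }

    /**
     * Responds with HTTP 401. Not referenced from this class at present; kept for subclasses or
     * future use.
     */
    private void sendUnauthorized(ServletResponse servletResponse) throws IOException {
        ((HttpServletResponse) servletResponse).sendError(401);
    }

    /**
     * Runs the rest of the filter chain as the given subject.
     *
     * <p>Any {@link IOException} or {@link ServletException} raised by the chain is rethrown
     * unchanged; any other checked exception is wrapped in a {@link ServletException}.
     */
    private void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest request,
            final HttpServletResponse response, final FilterChain filterChain)
            throws IOException, ServletException {
        try {
            Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    filterChain.doFilter(request, response);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // getCause() is a Throwable; unwrap to the declared exception types where possible.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        }
    }

    /**
     * Creates a read-only subject whose only principal is the token's subject claim.
     * No public or private credentials are attached.
     */
    private Subject createSubjectFromToken(JWTToken token) {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(new PrimaryPrincipal(token.getSubject()));
        Set<Object> noCredentials = new HashSet<Object>();
        return new Subject(true, principals, noCredentials, noCredentials);
    }
}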
