package org.apache.knox.gateway.provider.federation.jwt.filter;

import java.io.IOException;
import java.text.ParseException;
import javax.security.auth.Subject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.JWTMessages;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.util.CertificateUtils;
import org.eclipse.jetty.http.MimeTypes;

/* loaded from: input_file:org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.class */
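/**
 * Servlet filter that authenticates a request from a JWT carried in an SSO cookie.
 *
 * <p>When the cookie is present, the token is parsed and handed to the inherited
 * {@code validateToken}; on success the request continues under a subject built from the token.
 * When the cookie is missing or the token cannot be parsed, the client is redirected to the
 * authentication provider with the originally requested URL appended as {@code originalUrl}.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>If {@code sso.authentication.provider.url} is not configured, the redirect target is
 *       derived from the request, including the {@code X-Forwarded-*} headers. Those headers are
 *       client-controllable unless a trusted proxy overwrites them, so configure the provider URL
 *       explicitly wherever that cannot be guaranteed.</li>
 *   <li>{@code OPTIONS} requests without a cookie are passed down the chain as the principal
 *       {@code "anonymous"}; downstream authorization must treat that principal as
 *       unprivileged.</li>
 * </ul>
 */
public class SSOCookieFederationFilter extends AbstractJWTFilter {
    private static final String GATEWAY_PATH = "gateway.path";
    public static final String SSO_COOKIE_NAME = "sso.cookie.name";
    public static final String SSO_EXPECTED_AUDIENCES = "sso.expected.audiences";
    public static final String SSO_AUTHENTICATION_PROVIDER_URL = "sso.authentication.provider.url";
    public static final String SSO_VERIFICATION_PEM = "sso.token.verification.pem";
    public static final String X_FORWARDED_HOST = "X-Forwarded-Host";
    public static final String X_FORWARDED_PORT = "X-Forwarded-Port";
    public static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";
    private static final String ORIGINAL_URL_QUERY_PARAM = "originalUrl=";
    private static final String DEFAULT_SSO_COOKIE_NAME = "hadoop-jwt";
    private static final String XHR_HEADER = "X-Requested-With";
    private static final String XHR_VALUE = "XMLHttpRequest";
    private static final JWTMessages log = (JWTMessages) MessagesFactory.get(JWTMessages.class);
    // Name of the cookie that carries the JWT; defaults to DEFAULT_SSO_COOKIE_NAME.
    private String cookieName;
    // Configured login URL; stays null when not configured, in which case it is derived per request.
    private String authenticationProviderUrl;
    // Gateway path segment used when deriving the default login URL.
    private String gatewayPath;

    /**
     * Reads the filter's init parameters: cookie name, expected audiences, authentication provider
     * URL, token verification key (PEM) and gateway path.
     *
     * @param filterConfig the servlet filter configuration
     * @throws ServletException if the superclass initialisation or key parsing fails
     */
    @Override // org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);

        String configuredCookieName = filterConfig.getInitParameter(SSO_COOKIE_NAME);
        this.cookieName = configuredCookieName != null ? configuredCookieName : DEFAULT_SSO_COOKIE_NAME;

        String expectedAudiences = filterConfig.getInitParameter(SSO_EXPECTED_AUDIENCES);
        if (expectedAudiences != null) {
            this.audiences = parseExpectedAudiences(expectedAudiences);
        }

        this.authenticationProviderUrl = filterConfig.getInitParameter(SSO_AUTHENTICATION_PROVIDER_URL);
        if (this.authenticationProviderUrl == null) {
            // Not fatal: the URL is then derived from each request (see constructLoginURL).
            log.missingAuthenticationProviderUrlConfiguration();
        }

        String verificationPem = filterConfig.getInitParameter(SSO_VERIFICATION_PEM);
        if (verificationPem != null) {
            this.publicKey = CertificateUtils.parseRSAPublicKey(verificationPem);
        }

        this.gatewayPath = filterConfig.getInitParameter(GATEWAY_PATH);
        configureExpectedParameters(filterConfig);
    }

    /** No resources to release. */
    public void destroy() {
    }

    /**
     * Authenticates the request from the SSO cookie or redirects the client to the login URL.
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param filterChain the remaining filter chain
     * @throws IOException if writing the redirect fails
     * @throws ServletException if a downstream filter fails
     */
    @Override // org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String loginUrl = constructLoginURL(request);
        String wireToken = getJWTFromCookie(request);

        if (wireToken != null) {
            try {
                JWTToken token = new JWTToken(wireToken);
                // A failed validation is answered inside validateToken/handleValidationError,
                // so nothing more is written here in that case.
                if (validateToken(request, response, filterChain, token)) {
                    continueWithEstablishedSecurityContext(createSubjectFromToken(token), request, response, filterChain);
                }
            } catch (ParseException e) {
                // Unparseable cookie value: treat as unauthenticated.
                response.sendRedirect(loginUrl);
            }
            return;
        }

        if ("OPTIONS".equals(request.getMethod())) {
            // OPTIONS without a cookie proceeds as "anonymous" (presumably so that CORS preflight
            // requests are not redirected -- confirm against deployment expectations).
            Subject anonymous = new Subject();
            anonymous.getPrincipals().add(new PrimaryPrincipal("anonymous"));
            continueWithEstablishedSecurityContext(anonymous, request, response, filterChain);
            // The chain has already produced the response; falling through to sendRedirect would
            // either fail on a committed response or replace the downstream answer with a redirect.
            return;
        }

        log.sendRedirectToLoginURL(loginUrl);
        response.sendRedirect(loginUrl);
    }

    /**
     * Answers a failed token validation: XHR clients get a 401 with the message as plain text,
     * all other clients are redirected to the login URL.
     *
     * @param httpServletRequest the request whose token failed validation
     * @param httpServletResponse the response to write to
     * @param i status supplied by the caller; not used by this override
     * @param str message written as the 401 body for XHR clients
     * @throws IOException if writing the response fails
     */
    @Override // org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter
    protected void handleValidationError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, int i, String str) throws IOException {
        String loginUrl = constructLoginURL(httpServletRequest);
        boolean isXhr = XHR_VALUE.equalsIgnoreCase(httpServletRequest.getHeader(XHR_HEADER));
        if (!isXhr) {
            httpServletResponse.sendRedirect(loginUrl);
            return;
        }
        // A redirect is of no use to a script-driven request, so report the failure directly.
        // A null message is written as an empty body instead of failing with a NullPointerException.
        byte[] body = (str == null ? "" : str).getBytes("UTF-8");
        httpServletResponse.setStatus(401);
        httpServletResponse.setContentType(MimeTypes.Type.TEXT_PLAIN.toString());
        httpServletResponse.setContentLength(body.length);
        httpServletResponse.getOutputStream().write(body);
    }

    /**
     * Returns the value of the first cookie whose name equals the configured SSO cookie name.
     *
     * @param httpServletRequest the request to inspect
     * @return the raw cookie value, or {@code null} if the request carries no such cookie
     */
    protected String getJWTFromCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (this.cookieName.equals(cookie.getName())) {
                log.cookieHasBeenFound(this.cookieName);
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Builds the login redirect URL: the provider URL followed by {@code originalUrl=} and the
     * requested URL including its query string.
     *
     * <p>When no provider URL is configured it is derived from the current request on every call.
     * The derived value is deliberately not stored in the field: it depends on request headers,
     * and caching it would let the first request fix the redirect target for every later client
     * (and would write shared state from request threads without synchronisation).
     *
     * @param httpServletRequest the current request
     * @return the URL the client is redirected to for authentication
     */
    protected String constructLoginURL(HttpServletRequest httpServletRequest) {
        String providerUrl = this.authenticationProviderUrl != null
                ? this.authenticationProviderUrl
                : deriveDefaultAuthenticationProviderUrl(httpServletRequest);
        String delimiter = providerUrl.contains("?") ? "&" : "?";
        // NOTE(review): the original URL is appended without URL-encoding, so an '&' in the
        // original query string reads as a separate parameter of the login URL. Left unchanged
        // because the receiving endpoint's parsing is not visible here -- confirm before encoding.
        return providerUrl + delimiter + ORIGINAL_URL_QUERY_PARAM
                + httpServletRequest.getRequestURL().append(getOriginalQueryString(httpServletRequest));
    }

    /**
     * Derives the login URL from the request: scheme, host and port followed by
     * {@code /<gateway.path>/knoxsso/api/v1/websso}.
     *
     * <p>When {@code X-Forwarded-Host} is present the forwarded host, protocol and port are used.
     * A missing {@code X-Forwarded-Proto}, or a missing, non-numeric or out-of-range
     * {@code X-Forwarded-Port}, falls back to the value the container reports for the request
     * instead of failing the request with a runtime exception.
     *
     * <p>The forwarded headers are taken as supplied; they are only trustworthy when a fronting
     * proxy sets or strips them.
     *
     * @param httpServletRequest the current request
     * @return the derived login URL
     */
    public String deriveDefaultAuthenticationProviderUrl(HttpServletRequest httpServletRequest) {
        String scheme = httpServletRequest.getScheme();
        String host = httpServletRequest.getServerName();
        int port = httpServletRequest.getServerPort();

        if (beingProxied(httpServletRequest)) {
            host = httpServletRequest.getHeader(X_FORWARDED_HOST);
            String forwardedProto = httpServletRequest.getHeader(X_FORWARDED_PROTO);
            if (forwardedProto != null) {
                scheme = forwardedProto;
            }
            port = parseForwardedPort(httpServletRequest.getHeader(X_FORWARDED_PORT), port);
        }

        StringBuilder url = new StringBuilder(scheme);
        url.append("://").append(host);
        // A host value that already contains ':' is taken to carry its own port.
        if (!host.contains(":")) {
            url.append(":").append(port);
        }
        url.append("/").append(this.gatewayPath).append("/knoxsso/api/v1/websso");
        return url.toString();
    }

    /** Parses a forwarded port, returning {@code fallback} when it is absent, malformed or out of range. */
    private static int parseForwardedPort(String headerValue, int fallback) {
        if (headerValue == null) {
            return fallback;
        }
        try {
            int parsed = Integer.parseInt(headerValue.trim());
            return (parsed > 0 && parsed <= 65535) ? parsed : fallback;
        } catch (NumberFormatException ignored) {
            // Malformed header value: use the port reported by the container.
            return fallback;
        }
    }

    /** Reports whether the request carries an {@code X-Forwarded-Host} header. */
    private boolean beingProxied(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader(X_FORWARDED_HOST) != null;
    }

    /** Returns the request's query string prefixed with {@code ?}, or an empty string if there is none. */
    private String getOriginalQueryString(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        return queryString == null ? "" : "?" + queryString;
    }
}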
