package org.apache.knox.gateway.provider.federation.jwt.filter;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.text.ParseException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.JWTMessages;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.knox.gateway.services.GatewayServices;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenServiceException;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;

/* loaded from: input_file:org/apache/knox/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.class */
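/**
 * Servlet filter that authenticates a request from a JWT bearer token.
 *
 * <p>The token is read from the {@code Authorization} header, verified through the
 * {@link JWTokenAuthority} obtained in {@link #init(FilterConfig)}, and then checked for
 * expiry and audience. Only when every check passes does the rest of the filter chain run,
 * inside {@link Subject#doAs} with a {@link PrimaryPrincipal} built from the token's
 * principal. Every failed check is answered with HTTP 401 and the chain is not invoked.
 */
public class AccessTokenFederationFilter implements Filter {
    private static final JWTMessages log = (JWTMessages) MessagesFactory.get(JWTMessages.class);
    private static final String BEARER = "Bearer ";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.knox.gateway.gateway.services";
    private static final String TOKEN_SERVICE = "TokenService";

    private JWTokenAuthority authority;

    /**
     * Looks up the token authority from the gateway services stored in the servlet context.
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws ServletException if the gateway services or the token service are not available;
     *     a filter that cannot verify tokens must not be put into service
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        GatewayServices services =
                (GatewayServices) filterConfig.getServletContext().getAttribute(GATEWAY_SERVICES_ATTRIBUTE);
        if (services == null) {
            throw new ServletException("Gateway services are not available in the servlet context");
        }
        this.authority = (JWTokenAuthority) services.getService(TOKEN_SERVICE);
        if (this.authority == null) {
            throw new ServletException("Token service is not available; bearer tokens cannot be verified");
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Authenticates the request from its bearer token and, on success, continues the chain
     * as the token's principal.
     *
     * <p>Checks are applied in this order, each one rejecting with 401: bearer header present,
     * token verified by the authority, token not expired, audience matches the request URL.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the response; cast to {@link HttpServletResponse}
     * @param filterChain the remainder of the chain, run only for an accepted token
     * @throws IOException if sending the error response or running the chain fails
     * @throws ServletException if the token cannot be parsed, or if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String header = request.getHeader(AUTHORIZATION_HEADER);
        if (header == null || !header.startsWith(BEARER)) {
            log.missingBearerToken();
            sendUnauthorized(servletResponse);
            return;
        }
        try {
            JWTToken token = JWTToken.parseToken(header.substring(BEARER.length()));

            // A verification error is logged and treated exactly like a failed verification.
            boolean verified = false;
            try {
                verified = this.authority.verifyToken(token);
            } catch (TokenServiceException e) {
                log.unableToVerifyToken(e);
            }
            if (!verified) {
                log.failedToVerifyTokenSignature();
                sendUnauthorized(servletResponse);
                return;
            }

            // A missing or non-numeric expiry is rejected here instead of escaping as an
            // unchecked NumberFormatException.
            if (isExpired(token.getExpires())) {
                log.tokenHasExpired();
                sendUnauthorized(servletResponse);
                return;
            }

            if (!audienceMatches(token.getAudience(), request.getRequestURL())) {
                log.failedToValidateAudience();
                sendUnauthorized(servletResponse);
                return;
            }

            continueWithEstablishedSecurityContext(
                    createSubjectFromToken(token), request, (HttpServletResponse) servletResponse, filterChain);
        } catch (ParseException e) {
            // NOTE(review): a malformed token surfaces as a ServletException rather than a 401;
            // kept as-is because callers may rely on it.
            throw new ServletException("ParseException encountered while processing the JWT token: ", e);
        }
    }

    /**
     * Decides whether a token's expiry value is in the past.
     *
     * @param expires the token's expiry as a decimal string; compared against
     *     {@link System#currentTimeMillis()}, so it is read as epoch milliseconds
     * @return {@code true} if the value is absent, not a number, or not later than now
     */
    private static boolean isExpired(String expires) {
        if (expires == null) {
            return true;
        }
        try {
            return Long.parseLong(expires) <= System.currentTimeMillis();
        } catch (NumberFormatException e) {
            // Fail closed: an expiry that cannot be read is not a valid expiry.
            return true;
        }
    }

    /**
     * Checks that the token was issued for the URL being requested.
     *
     * <p>An absent or blank audience never matches. Without this guard an empty audience
     * would be found at index 0 of every URL and the check would always pass.
     *
     * <p>NOTE(review): this is a substring containment test on the lower-cased audience, and
     * the request URL itself is not lower-cased. A stricter comparison against a configured
     * target name would be a tighter control; confirm what issuers put in the audience claim
     * before changing it.
     *
     * @param audience the token's audience value, possibly {@code null}
     * @param requestUrl the request URL as returned by the servlet container
     * @return {@code true} if the lower-cased audience occurs in the request URL
     */
    private static boolean audienceMatches(String audience, StringBuffer requestUrl) {
        if (audience == null || requestUrl == null || audience.trim().isEmpty()) {
            return false;
        }
        // Locale.ROOT keeps the lower-casing independent of the JVM's default locale.
        return requestUrl.indexOf(audience.toLowerCase(Locale.ROOT)) != -1;
    }

    /**
     * Rejects the request with HTTP 401.
     *
     * @param servletResponse the response; cast to {@link HttpServletResponse}
     * @throws IOException if the error cannot be sent
     */
    private void sendUnauthorized(ServletResponse servletResponse) throws IOException {
        ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**
     * Runs the rest of the filter chain with the given subject as the current security context.
     *
     * @param subject the subject built from the accepted token
     * @param httpServletRequest the request passed down the chain
     * @param httpServletResponse the response passed down the chain
     * @param filterChain the remainder of the chain
     * @throws IOException if the chain threw an {@link IOException}
     * @throws ServletException if the chain threw a {@link ServletException}, or any other
     *     exception, which is wrapped
     */
    private void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse, final FilterChain filterChain) throws IOException, ServletException {
        try {
            Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    filterChain.doFilter(httpServletRequest, httpServletResponse);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // Unwrap so callers see the chain's own exception type, not the doAs wrapper.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        }
    }

    /**
     * Builds a read-only subject whose only principal is the token's principal.
     *
     * @param jWTToken the accepted token
     * @return a read-only {@link Subject} with one {@link PrimaryPrincipal} and no credentials
     */
    private Subject createSubjectFromToken(JWTToken jWTToken) {
        Set<Principal> principals = new HashSet<>();
        principals.add(new PrimaryPrincipal(jWTToken.getPrincipal()));
        Set<Object> noCredentials = new HashSet<>();
        return new Subject(true, principals, noCredentials, noCredentials);
    }
}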
