package id.onyx.obdp.server.security.authentication.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import id.onyx.obdp.server.configuration.OBDPServerConfigurationKey;
import id.onyx.obdp.server.security.authentication.AmbariAuthenticationException;
import id.onyx.obdp.server.security.authentication.OBDPAuthenticationEventHandler;
import id.onyx.obdp.server.security.authentication.OBDPAuthenticationFilter;
import id.onyx.obdp.server.security.authentication.OBDPUserAuthentication;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

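/**
 * Servlet filter that authenticates a request from a signed JSON Web Token carried in a cookie.
 *
 * <p>The filter only acts when JWT authentication is enabled in the current
 * {@link JwtAuthenticationProperties} and the request carries the configured cookie. A token is
 * accepted when all three checks pass: its signature verifies against the configured SSO public
 * key ({@link #validateSignature}), its {@code aud} claim contains at least one configured audience
 * when an audience list is configured ({@link #validateAudiences}), and its {@code exp} claim, when
 * present, is still in the future ({@link #validateExpiration}). On success the token subject is
 * resolved through the configured {@link AuthenticationProvider} and the resulting
 * {@link Authentication} is stored in the {@link SecurityContextHolder}; on failure the security
 * context is cleared, the event handler is notified and the configured
 * {@link AuthenticationEntryPoint} is invoked.
 */
@Component
@Order(1)
public class OBDPJwtAuthenticationFilter implements OBDPAuthenticationFilter {
    private static final Logger LOG = LoggerFactory.getLogger(OBDPJwtAuthenticationFilter.class);
    private final OBDPAuthenticationEventHandler eventHandler;
    private final AuthenticationEntryPoint ambariEntryPoint;
    private final AuthenticationProvider authenticationProvider;
    private final JwtAuthenticationPropertiesProvider propertiesProvider;

    /**
     * Creates the filter.
     *
     * @param authenticationEntryPoint entry point invoked when JWT authentication fails
     * @param jwtAuthenticationPropertiesProvider supplies the current JWT settings (enabled flag, cookie
     *     name, public key, audiences); only the event handler is validated here, the other arguments
     *     are stored as given
     * @param oBDPJwtAuthenticationProvider resolves a token subject into an {@link Authentication}
     * @param oBDPAuthenticationEventHandler receives before/success/failure callbacks; must not be null
     * @throws IllegalArgumentException if {@code oBDPAuthenticationEventHandler} is null
     */
    OBDPJwtAuthenticationFilter(AuthenticationEntryPoint authenticationEntryPoint, JwtAuthenticationPropertiesProvider jwtAuthenticationPropertiesProvider, OBDPJwtAuthenticationProvider oBDPJwtAuthenticationProvider, OBDPAuthenticationEventHandler oBDPAuthenticationEventHandler) {
        if (oBDPAuthenticationEventHandler == null) {
            throw new IllegalArgumentException("The OBDPAuthenticationEventHandler must not be null");
        }
        this.ambariEntryPoint = authenticationEntryPoint;
        this.eventHandler = oBDPAuthenticationEventHandler;
        this.propertiesProvider = jwtAuthenticationPropertiesProvider;
        this.authenticationProvider = oBDPJwtAuthenticationProvider;
    }

    /**
     * Reports whether this filter should process the request: JWT authentication must be enabled,
     * the request must carry the JWT cookie, and the security context must not already hold an
     * authentication for that same token (see {@link #isAuthenticationRequired}).
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the filter should attempt JWT authentication for this request
     */
    @Override
    public boolean shouldApply(HttpServletRequest httpServletRequest) {
        JwtAuthenticationProperties properties = this.propertiesProvider.m179get();
        if (properties == null || !properties.isEnabledForAmbari()) {
            return false;
        }
        String token = getJWTFromCookie(httpServletRequest);
        return token != null && isAuthenticationRequired(token);
    }

    /**
     * Always {@code false}: a rejected JWT cookie is not counted against the failed-login counter
     * (presumably because it is not a user-typed credential - confirm against the event handler).
     */
    @Override
    public boolean shouldIncrementFailureCount() {
        return false;
    }

    /** No initialisation is required; all collaborators are injected through the constructor. */
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Runs JWT authentication for the request and then continues the filter chain.
     *
     * <p>When JWT authentication is disabled the request is passed through untouched and no
     * authentication events are raised apart from {@code beforeAttemptAuthentication}. Otherwise the
     * cookie token, if present and not already authenticated, is parsed, validated and resolved to an
     * {@link Authentication}. Any {@link AuthenticationException} - including one raised further down
     * the chain, because {@code filterChain.doFilter} runs inside the same {@code try} - clears the
     * security context, notifies the event handler and delegates to the entry point instead of
     * continuing the chain.
     *
     * @throws IOException propagated from the entry point or the downstream chain
     * @throws ServletException propagated from the downstream chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        this.eventHandler.beforeAttemptAuthentication(this, servletRequest, servletResponse);
        JwtAuthenticationProperties properties = this.propertiesProvider.m179get();
        if (properties == null || !properties.isEnabledForAmbari()) {
            // JWT authentication is switched off for this server: pass the request through.
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        try {
            String token = getJWTFromCookie(httpServletRequest);
            if (token == null || !isAuthenticationRequired(token)) {
                LOG.trace("No JWT cookie found, do nothing");
            } else {
                authenticateToken(token, httpServletRequest, httpServletResponse);
            }
            // Deliberately inside the try: authentication failures raised downstream are handled
            // by the catch below exactly like failures raised by this filter.
            filterChain.doFilter(servletRequest, servletResponse);
        } catch (AuthenticationException e) {
            LOG.warn("JWT authentication failed - {}", e.getLocalizedMessage());
            SecurityContextHolder.clearContext();
            this.eventHandler.onUnsuccessfulAuthentication(this, httpServletRequest, httpServletResponse, toAmbariAuthenticationException(e));
            this.ambariEntryPoint.commence(httpServletRequest, httpServletResponse, e);
        }
    }

    /**
     * Parses and validates the raw token, resolves its subject through the authentication provider
     * and publishes the result to the security context and the event handler.
     *
     * @throws BadCredentialsException if the token cannot be parsed or fails {@link #validateToken};
     *     any exception thrown by the authentication provider propagates unchanged
     */
    private void authenticateToken(String token, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            SignedJWT signedJWT = SignedJWT.parse(token);
            if (!validateToken(signedJWT)) {
                throw new BadCredentialsException("Invalid JWT token");
            }
            // Only the subject is forwarded; the raw token is kept as the credential so that
            // isAuthenticationRequired can detect a re-presented token. The third argument
            // (presumably granted authorities) is left null - confirm against JwtAuthenticationToken.
            String subject = signedJWT.getJWTClaimsSet().getSubject();
            Authentication authentication = this.authenticationProvider.authenticate(new JwtAuthenticationToken(subject, token, null));
            SecurityContextHolder.getContext().setAuthentication(authentication);
            this.eventHandler.onSuccessfulAuthentication(this, httpServletRequest, httpServletResponse, authentication);
        } catch (ParseException e) {
            LOG.warn("Unable to parse the JWT token", e);
            // Keep the ParseException as the cause so failure handlers and logs retain the root error.
            throw new BadCredentialsException("Unable to parse the JWT token - " + e.getLocalizedMessage(), e);
        }
    }

    /** Wraps a generic Spring authentication failure in the project's exception type, if needed. */
    private static AmbariAuthenticationException toAmbariAuthenticationException(AuthenticationException e) {
        if (e instanceof AmbariAuthenticationException) {
            return (AmbariAuthenticationException) e;
        }
        return new AmbariAuthenticationException(null, e.getMessage(), false, e);
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Decides whether the presented token needs to be (re-)authenticated.
     *
     * <p>Authentication is required when the security context holds no authenticated principal, when
     * it holds an {@link OBDPUserAuthentication} whose credential differs from {@code str} (a new token
     * was presented), or when the existing authentication is anonymous. An existing non-anonymous
     * authentication of another type, or one for the same token, is left untouched.
     *
     * @param str the raw JWT read from the cookie
     * @return {@code true} if the token should be authenticated
     */
    private boolean isAuthenticationRequired(String str) {
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing == null || !existing.isAuthenticated()) {
            return true;
        }
        if (existing instanceof OBDPUserAuthentication && !StringUtils.equals(str, (String) existing.getCredentials())) {
            return true;
        }
        return existing instanceof AnonymousAuthenticationToken;
    }

    /**
     * Extracts the raw JWT from the request cookies.
     *
     * <p>The cookie name comes from the JWT properties, falling back to the default of
     * {@code OBDPServerConfigurationKey.SSO_JWT_COOKIE_NAME} when unset or empty. The first cookie
     * with a matching name wins.
     *
     * @param httpServletRequest the incoming request
     * @return the cookie value, or {@code null} if the request has no cookies or none matches
     */
    String getJWTFromCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        JwtAuthenticationProperties properties = this.propertiesProvider.m179get();
        String cookieName = properties == null ? null : properties.getCookieName();
        if (StringUtils.isEmpty(cookieName)) {
            cookieName = OBDPServerConfigurationKey.SSO_JWT_COOKIE_NAME.getDefaultValue();
        }
        for (Cookie cookie : cookies) {
            if (cookieName.equals(cookie.getName())) {
                LOG.info("{} cookie has been found and is being processed", cookieName);
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Runs all three token checks (signature, audience, expiration), logging each failure, and
     * returns {@code true} only when all of them pass. All checks run even after an early failure
     * so that every problem with the token is logged.
     */
    private boolean validateToken(SignedJWT signedJWT) {
        boolean signatureValid = validateSignature(signedJWT);
        if (!signatureValid) {
            LOG.warn("Signature could not be verified");
        }
        boolean audiencesValid = validateAudiences(signedJWT);
        if (!audiencesValid) {
            LOG.warn("Audience validation failed.");
        }
        boolean expirationValid = validateExpiration(signedJWT);
        if (!expirationValid) {
            LOG.info("Expiration validation failed.");
        }
        return signatureValid && audiencesValid && expirationValid;
    }

    /**
     * Verifies the token's RSA signature against the configured SSO public key.
     *
     * <p>Returns {@code false} (i.e. the token is rejected) when the token is not in the
     * {@code SIGNED} state, carries no signature, no public key is configured, verification fails, or
     * the verifier throws. Only RSA verification via {@link RSASSAVerifier} is supported.
     *
     * @param signedJWT the parsed token
     * @return {@code true} if the signature verified
     */
    boolean validateSignature(SignedJWT signedJWT) {
        if (JWSObject.State.SIGNED != signedJWT.getState()) {
            return false;
        }
        LOG.debug("JWT token is in a SIGNED state");
        if (signedJWT.getSignature() == null) {
            return false;
        }
        LOG.debug("JWT token signature is not null");
        JwtAuthenticationProperties properties = this.propertiesProvider.m179get();
        RSAPublicKey publicKey = properties == null ? null : properties.getPublicKey();
        if (publicKey == null) {
            // Without a key there is nothing to verify against; fail closed.
            LOG.warn("SSO server public key has not be set, validation of the JWT token cannot be performed.");
            return false;
        }
        try {
            if (signedJWT.verify(new RSASSAVerifier(publicKey))) {
                LOG.debug("JWT token has been successfully verified");
                return true;
            }
            LOG.warn("JWT signature verification failed.");
        } catch (JOSEException e) {
            LOG.warn("Error while validating signature", e);
        }
        return false;
    }

    /**
     * Checks the token's {@code aud} claim against the configured audience list.
     *
     * <p>When no audience list is configured ({@code null}) every token passes this check. Otherwise
     * the token must carry an audience list containing at least one configured value. A claims-set
     * parse failure is logged and treated as a failed check.
     *
     * @param signedJWT the parsed token
     * @return {@code true} if the audience check passed
     */
    boolean validateAudiences(SignedJWT signedJWT) {
        try {
            List<String> tokenAudiences = signedJWT.getJWTClaimsSet().getAudience();
            JwtAuthenticationProperties properties = this.propertiesProvider.m179get();
            List<String> allowedAudiences = properties == null ? null : properties.getAudiences();
            if (allowedAudiences == null) {
                // No audience restriction configured: any (or no) audience is accepted.
                return true;
            }
            if (tokenAudiences == null) {
                LOG.warn("JWT token has no audiences, validation failed.");
                return false;
            }
            LOG.info("Audience List: {}", allowedAudiences);
            for (String audience : tokenAudiences) {
                LOG.info("Found audience: {}", audience);
                if (allowedAudiences.contains(audience)) {
                    LOG.debug("JWT token audience has been successfully validated");
                    return true;
                }
            }
            LOG.warn("JWT audience validation failed.");
        } catch (ParseException e) {
            LOG.warn("Unable to parse the JWT token.", e);
        }
        return false;
    }

    /**
     * Checks the token's {@code exp} claim against the current time.
     *
     * <p>A token without an {@code exp} claim is accepted, and no clock-skew tolerance is applied:
     * the token passes only while the current time is strictly before {@code exp}. A claims-set parse
     * failure is logged and treated as a failed check.
     *
     * @param signedJWT the parsed token
     * @return {@code true} if the token is absent an expiry or has not yet expired
     */
    boolean validateExpiration(SignedJWT signedJWT) {
        try {
            Date expirationTime = signedJWT.getJWTClaimsSet().getExpirationTime();
            if (expirationTime == null || new Date().before(expirationTime)) {
                LOG.debug("JWT token expiration date has been successfully validated");
                return true;
            }
            LOG.warn("JWT expiration date validation failed.");
        } catch (ParseException e) {
            LOG.warn("JWT expiration date validation failed.", e);
        }
        return false;
    }
}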
