package org.apache.ambari.logsearch.auth.filter;

import com.google.gson.Gson;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.ambari.logsearch.auth.model.JWTAuthenticationToken;
import org.apache.ambari.logsearch.web.filters.LogsearchSecurityContextFormationFilter;
import org.apache.commons.lang.StringUtils;
import org.apache.http.client.utils.URIBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* loaded from: input_file:org/apache/ambari/logsearch/auth/filter/AbstractJWTFilter.class */
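/**
 * Spring Security filter that authenticates a request from a signed JWT carried in a cookie.
 *
 * <p>The token signature is verified with the RSA public key of an X.509 certificate supplied by
 * {@link #getPublicKey()} (base64 body only, without PEM header/footer). When authentication
 * fails, browser-style requests are redirected to the provider URL from {@link #getProvidedUrl()};
 * all other requests receive a 401 whose message is a JSON object carrying that login URL.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Every authenticated subject receives the same authorities ({@link #getAuthorities()});
 *       nothing in the token's claims influences them.</li>
 *   <li>The audience claim is only checked when the token actually carries one.</li>
 *   <li>The login URL embeds the original request URL, which may be derived from
 *       {@code X-Forwarded-*} request headers.</li>
 * </ul>
 */
public abstract class AbstractJWTFilter extends AbstractAuthenticationProcessingFilter {
    private static final Logger LOG = LoggerFactory.getLogger(AbstractJWTFilter.class);
    private static final String PEM_HEADER = "-----BEGIN CERTIFICATE-----\n";
    private static final String PEM_FOOTER = "\n-----END CERTIFICATE-----";
    private static final String PROXY_LOGSEARCH_URL_PATH = "/logsearch";
    private static final String REQUESTED_WITH_HEADER = "X-Requested-With";
    private static final String XML_HTTP_REQUEST = "XMLHttpRequest";
    private static final String ANONYMOUS_DO_AS_SUFFIX = "?doAs=anonymous";

    /**
     * Creates the filter for requests selected by the given matcher.
     *
     * @param requestMatcher decides which requests this filter attempts to authenticate
     */
    public AbstractJWTFilter(RequestMatcher requestMatcher) {
        super(requestMatcher);
    }

    /**
     * Validates the JWT found in the configured cookie and, on success, installs a
     * {@link JWTAuthenticationToken} for the token's subject in the security context.
     *
     * @return the authenticated token
     * @throws BadCredentialsException if the provider URL or public key is not configured, or if
     *     the token is missing, expired, malformed, carries a bad signature, or names an audience
     *     that is not in {@link #getAudiences()}
     * @throws ServletException if the configured certificate cannot be parsed
     */
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        if (StringUtils.isEmpty(getProvidedUrl())) {
            throw new BadCredentialsException("Authentication provider URL must not be null or empty.");
        }
        if (StringUtils.isEmpty(getPublicKey())) {
            throw new BadCredentialsException("Public key for signature validation must be provisioned.");
        }
        try {
            RSAPublicKey verificationKey = parseRSAPublicKey(getPublicKey());
            String serializedToken = getJWTFromCookie(httpServletRequest);
            // parseClaimsJws verifies the signature against the configured key before the
            // claims are returned. Only the exception types listed in the catch below are
            // converted into BadCredentialsException; anything else thrown here propagates.
            Claims claims = Jwts.parser().setSigningKey(verificationKey).parseClaimsJws(serializedToken).getBody();
            String subject = claims.getSubject();
            LOG.info("USERNAME: {}", subject);
            LOG.info("URL = {}", httpServletRequest.getRequestURL());
            // NOTE(review): a token WITHOUT an audience claim skips this check entirely, even
            // when expected audiences are configured. Confirm that is intended; if audiences are
            // meant to restrict which tokens are accepted, an absent claim should be rejected too.
            // NOTE(review): getAudiences() is dereferenced without a null check — verify that
            // implementations never return null.
            String audience = claims.getAudience();
            if (StringUtils.isNotEmpty(audience) && !getAudiences().contains(audience)) {
                throw new IllegalArgumentException(String.format("Audience validation failed. (Not found: %s)", audience));
            }
            JWTAuthenticationToken jWTAuthenticationToken = new JWTAuthenticationToken(subject, getPublicKey(), getAuthorities());
            jWTAuthenticationToken.setAuthenticated(true);
            SecurityContextHolder.getContext().setAuthentication(jWTAuthenticationToken);
            return jWTAuthenticationToken;
        } catch (ExpiredJwtException | MalformedJwtException | SignatureException | IllegalArgumentException e) {
            LOG.info("URL = {}", httpServletRequest.getRequestURL());
            LOG.warn("Error during JWT authentication: {}", e.getMessage());
            throw new BadCredentialsException(e.getMessage(), e);
        }
    }

    /**
     * Runs JWT authentication only when it is enabled and the request is not already
     * authenticated; otherwise the request is passed straight down the chain.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!isAuthJwtEnabled() || isAuthenticated(authentication)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            super.doFilter(servletRequest, servletResponse, filterChain);
        }
    }

    /**
     * After the parent's success handling, continues the filter chain for browser requests that
     * are not XHR calls; all other requests stop here.
     */
    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        super.successfulAuthentication(httpServletRequest, httpServletResponse, filterChain, authentication);
        String requestedWith = httpServletRequest.getHeader(REQUESTED_WITH_HEADER);
        boolean browser = isWebUserAgent(httpServletRequest.getHeader(LogsearchSecurityContextFormationFilter.USER_AGENT));
        if (!browser || XML_HTTP_REQUEST.equals(requestedWith)) {
            return;
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * After the parent's failure handling, either redirects a browser to the login URL or answers
     * with a 401 whose message is a JSON object containing the URL-encoded login URL under the
     * key {@code knoxssoredirectURL}.
     */
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        // NOTE(review): the parent implementation runs first. If its failure handling already
        // commits the response, the redirect / sendError below cannot take effect — confirm
        // against the failure handler configured for this filter.
        super.unsuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationException);
        String requestedWith = httpServletRequest.getHeader(REQUESTED_WITH_HEADER);
        String loginUrl = constructLoginURL(httpServletRequest);
        if (loginUrl.endsWith(ANONYMOUS_DO_AS_SUFFIX)) {
            loginUrl = StringUtils.removeEnd(loginUrl, ANONYMOUS_DO_AS_SUFFIX);
        }
        boolean browser = isWebUserAgent(httpServletRequest.getHeader(LogsearchSecurityContextFormationFilter.USER_AGENT));
        if (browser && !XML_HTTP_REQUEST.equals(requestedWith)) {
            httpServletResponse.sendRedirect(loginUrl);
            return;
        }
        Map<String, String> payload = new HashMap<>();
        payload.put("knoxssoredirectURL", URLEncoder.encode(loginUrl, "UTF-8"));
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setStatus(401);
        httpServletResponse.sendError(401, new Gson().toJson(payload));
    }

    /**
     * Returns the value of the first cookie named {@link #getCookieName()}, or {@code null} when
     * the request carries no such cookie. The cookie value itself is never logged.
     */
    private String getJWTFromCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (getCookieName().equals(cookie.getName())) {
                LOG.info("{} cookie has been found and is being processed", getCookieName());
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Reports whether the given User-Agent value starts (case-insensitively) with one of the
     * prefixes from {@link #getUserAgentList()}.
     *
     * <p>The User-Agent header is supplied by the client, so this only selects the response
     * style (redirect vs. 401 JSON); it is not an access-control decision.
     */
    private boolean isWebUserAgent(String str) {
        List<String> userAgentList = getUserAgentList();
        if (userAgentList == null) {
            return false;
        }
        for (String prefix : userAgentList) {
            if (StringUtils.startsWithIgnoreCase(str, prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Wraps the configured base64 certificate body in PEM armor, parses it as an X.509
     * certificate and returns its RSA public key.
     *
     * @param str certificate body without PEM header and footer
     * @throws ServletException if the certificate cannot be parsed or does not hold an RSA key
     */
    private RSAPublicKey parseRSAPublicKey(String str) throws ServletException {
        try {
            byte[] pemBytes = (PEM_HEADER + str + PEM_FOOTER).getBytes(StandardCharsets.UTF_8);
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(pemBytes));
            // Report a non-RSA certificate as a configuration error instead of letting a
            // ClassCastException escape from the cast below.
            if (!(certificate.getPublicKey() instanceof RSAPublicKey)) {
                throw new ServletException("Configured certificate does not contain an RSA public key");
            }
            return (RSAPublicKey) certificate.getPublicKey();
        } catch (CertificateException e) {
            throw new ServletException(str.startsWith(PEM_HEADER) ? "CertificateException - be sure not to include PEM header and footer in the PEM configuration element." : "CertificateException - PEM may be corrupt", e);
        }
    }

    /**
     * Builds the provider login URL with the original request URL appended as the
     * {@link #getOriginalUrlQueryParam()} query parameter.
     */
    private String constructLoginURL(HttpServletRequest httpServletRequest) {
        String providerUrl = getProvidedUrl();
        String delimiter = providerUrl.contains("?") ? "&" : "?";
        // NOTE(review): the original URL and its query string are appended without URL-encoding,
        // so '?', '&' and '#' from the incoming request become part of the login URL's own
        // structure. Confirm what the identity provider expects before changing this, and make
        // sure the provider validates the return URL it is given.
        return providerUrl + delimiter + getOriginalUrlQueryParam() + "=" + createForwardableURL(httpServletRequest) + getOriginalQueryString(httpServletRequest);
    }

    /**
     * Returns the URL the client should be sent back to after login. When all three of
     * {@code x-forwarded-proto}, {@code x-forwarded-host} and {@code x-forwarded-context} are
     * present it is rebuilt from them; otherwise the servlet request URL is used.
     *
     * <p>These headers are taken from the request as-is. Unless a trusted reverse proxy in front
     * of this service overwrites them, a client can choose the scheme, host and path prefix that
     * end up in the login redirect — deployments should strip or overwrite them at the proxy.
     */
    private String createForwardableURL(HttpServletRequest httpServletRequest) {
        String forwardedProto = httpServletRequest.getHeader("x-forwarded-proto");
        String forwardedHost = httpServletRequest.getHeader("x-forwarded-host");
        String forwardedContext = httpServletRequest.getHeader("x-forwarded-context");
        if (StringUtils.isBlank(forwardedProto) || StringUtils.isBlank(forwardedHost) || StringUtils.isBlank(forwardedContext)) {
            return httpServletRequest.getRequestURL().toString();
        }
        try {
            URIBuilder uRIBuilder = new URIBuilder();
            uRIBuilder.setScheme(forwardedProto).setHost(forwardedHost).setPath(forwardedContext + PROXY_LOGSEARCH_URL_PATH + httpServletRequest.getRequestURI());
            return uRIBuilder.build().toString();
        } catch (URISyntaxException e) {
            LOG.error("URISyntaxException while build xforward url ", e);
            return httpServletRequest.getRequestURL().toString();
        }
    }

    /** Returns the request's query string prefixed with {@code ?}, or an empty string if none. */
    private String getOriginalQueryString(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        return queryString == null ? "" : "?" + queryString;
    }

    /**
     * Reports whether the given authentication is present, is not an anonymous token and is
     * flagged as authenticated.
     */
    private boolean isAuthenticated(Authentication authentication) {
        return authentication != null
            && !(authentication instanceof AnonymousAuthenticationToken)
            && authentication.isAuthenticated();
    }

    /** Returns the base64 body of the X.509 certificate used to verify token signatures. */
    protected abstract String getPublicKey();

    /** Returns the login URL of the authentication provider. */
    protected abstract String getProvidedUrl();

    /** Returns whether JWT authentication is enabled for this filter. */
    protected abstract boolean isAuthJwtEnabled();

    /** Returns the name of the cookie that carries the JWT. */
    protected abstract String getCookieName();

    /** Returns the query parameter name under which the original URL is passed to the provider. */
    protected abstract String getOriginalUrlQueryParam();

    /** Returns the audiences accepted when a token carries an audience claim. */
    protected abstract List<String> getAudiences();

    /** Returns the authorities granted to every subject authenticated by this filter. */
    protected abstract Collection<? extends GrantedAuthority> getAuthorities();

    /** Returns the User-Agent prefixes that identify browser clients. */
    protected abstract List<String> getUserAgentList();
}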
