package org.apache.knox.gateway.service.knoxsso;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.annotation.PostConstruct;
import javax.servlet.ServletContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.knox.gateway.audit.log4j.audit.Log4jAuditor;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.services.GatewayServices;
import org.apache.knox.gateway.services.ServiceType;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenServiceException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.util.CookieUtils;
import org.apache.knox.gateway.util.RegExUtils;
import org.apache.knox.gateway.util.Urls;
import org.apache.knox.gateway.util.WhitelistUtils;

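@Path(WebSSOResource.RESOURCE_PATH)
/* loaded from: input_file:org/apache/knox/gateway/service/knoxsso/WebSSOResource.class */
/**
 * KnoxSSO endpoint: issues a signed JWT for the already-authenticated caller,
 * stores it in the SSO cookie and redirects the browser back to the original
 * URL it came from.
 *
 * <p>Configuration is read from servlet-context init parameters in
 * {@link #init()}. Instances are request-scoped JAX-RS resources; the
 * {@code request}, {@code response} and {@code context} fields are injected
 * by the container before {@code init()} runs.
 */
public class WebSSOResource {
    private static final KnoxSSOMessages LOGGER = (KnoxSSOMessages) MessagesFactory.get(KnoxSSOMessages.class);

    // Servlet-context init parameter names.
    private static final String SSO_COOKIE_NAME = "knoxsso.cookie.name";
    private static final String SSO_COOKIE_SECURE_ONLY_INIT_PARAM = "knoxsso.cookie.secure.only";
    private static final String SSO_COOKIE_MAX_AGE_INIT_PARAM = "knoxsso.cookie.max.age";
    private static final String SSO_COOKIE_DOMAIN_SUFFIX_PARAM = "knoxsso.cookie.domain.suffix";
    private static final String SSO_COOKIE_TOKEN_TTL_PARAM = "knoxsso.token.ttl";
    private static final String SSO_COOKIE_TOKEN_AUDIENCES_PARAM = "knoxsso.token.audiences";
    private static final String SSO_COOKIE_TOKEN_SIG_ALG = "knoxsso.token.sigalg";
    private static final String SSO_COOKIE_TOKEN_WHITELIST_PARAM = "knoxsso.redirect.whitelist.regex";
    private static final String SSO_SIGNINGKEY_KEYSTORE_NAME = "knoxsso.signingkey.keystore.name";
    private static final String SSO_SIGNINGKEY_KEYSTORE_ALIAS = "knoxsso.signingkey.keystore.alias";
    private static final String SSO_SIGNINGKEY_KEYSTORE_PASSPHRASE_ALIAS = "knoxsso.signingkey.keystore.passphrase.alias";
    private static final String SSO_EXPECTED_PARAM = "knoxsso.expected.params";
    private static final String SSO_ENABLE_SESSION_PARAM = "knoxsso.enable.session";

    // Request-side names: the query parameter and the cookie that carry the redirect target.
    private static final String ORIGINAL_URL_REQUEST_PARAM = "originalUrl";
    private static final String ORIGINAL_URL_COOKIE_NAME = "original-url";

    private static final String DEFAULT_SSO_COOKIE_NAME = "hadoop-jwt";
    // Milliseconds; added to System.currentTimeMillis() in getExpiry().
    private static final long TOKEN_TTL_DEFAULT = 30000;
    static final String RESOURCE_PATH = "/api/v1/websso";

    private String cookieName;
    // Regex the (query-parameter sourced) original URL must match; null disables the check.
    private String whitelist;
    private String domainSuffix;
    private boolean enableSession;
    private String clusterName;

    @Context
    HttpServletRequest request;

    @Context
    HttpServletResponse response;

    @Context
    ServletContext context;

    private boolean secureOnly = true;
    // -1 means "no Max-Age attribute" (session cookie).
    private int maxAge = -1;
    // -1 means "token never expires" (see getExpiry()).
    private long tokenTTL = TOKEN_TTL_DEFAULT;
    private List<String> targetAudiences = new ArrayList<>();
    private String signatureAlgorithm = "RS256";
    // Query parameters that must NOT be copied onto the redirect URL.
    private List<String> ssoExpectedparams = new ArrayList<>();

    /**
     * Reads the service configuration from the servlet context. Runs after the
     * {@code @Context} fields have been injected.
     */
    @PostConstruct
    public void init() {
        this.clusterName = String.valueOf(this.context.getAttribute("org.apache.knox.gateway.gateway.cluster"));
        handleCookieSetup();
        this.enableSession = Boolean.parseBoolean(this.context.getInitParameter(SSO_ENABLE_SESSION_PARAM));

        String configuredSigAlg = this.context.getInitParameter(SSO_COOKIE_TOKEN_SIG_ALG);
        if (configuredSigAlg != null) {
            this.signatureAlgorithm = configuredSigAlg;
        }

        // Comma separated; entries are not trimmed (unlike the audiences list).
        String expectedParams = this.context.getInitParameter(SSO_EXPECTED_PARAM);
        if (expectedParams != null) {
            this.ssoExpectedparams = Arrays.asList(expectedParams.split(","));
        }
    }

    /**
     * Reads every cookie- and token-related init parameter: cookie name,
     * Secure flag, Max-Age, domain suffix, redirect whitelist, audiences and
     * token TTL. Invalid numeric values are logged and the default is kept.
     */
    private void handleCookieSetup() {
        this.cookieName = this.context.getInitParameter(SSO_COOKIE_NAME);
        if (this.cookieName == null) {
            this.cookieName = DEFAULT_SSO_COOKIE_NAME;
        }

        // When not configured explicitly, the Secure flag follows the gateway's SSL setting.
        String secureOnlyParam = this.context.getInitParameter(SSO_COOKIE_SECURE_ONLY_INIT_PARAM);
        if (StringUtils.isBlank(secureOnlyParam)) {
            GatewayConfig gatewayConfig =
                    (GatewayConfig) this.request.getServletContext().getAttribute("org.apache.knox.gateway.config");
            this.secureOnly = gatewayConfig.isSSLEnabled();
        } else {
            this.secureOnly = Boolean.parseBoolean(secureOnlyParam);
        }
        if (!this.secureOnly) {
            // A non-Secure SSO cookie is worth an explicit log line for operators.
            LOGGER.cookieSecureOnly(this.secureOnly);
        }

        String maxAgeParam = this.context.getInitParameter(SSO_COOKIE_MAX_AGE_INIT_PARAM);
        if (maxAgeParam != null) {
            try {
                LOGGER.setMaxAge(maxAgeParam);
                this.maxAge = Integer.parseInt(maxAgeParam);
            } catch (NumberFormatException e) {
                LOGGER.invalidMaxAgeEncountered(maxAgeParam);
            }
        }

        this.domainSuffix = this.context.getInitParameter(SSO_COOKIE_DOMAIN_SUFFIX_PARAM);

        // Fall back to the dispatch whitelist derived from the request when no regex is configured.
        this.whitelist = this.context.getInitParameter(SSO_COOKIE_TOKEN_WHITELIST_PARAM);
        if (this.whitelist == null) {
            this.whitelist = WhitelistUtils.getDispatchWhitelist(this.request);
        }

        String audiencesParam = this.context.getInitParameter(SSO_COOKIE_TOKEN_AUDIENCES_PARAM);
        if (audiencesParam != null) {
            for (String audience : audiencesParam.split(",")) {
                this.targetAudiences.add(audience.trim());
            }
        }

        String ttlParam = this.context.getInitParameter(SSO_COOKIE_TOKEN_TTL_PARAM);
        if (ttlParam != null) {
            try {
                this.tokenTTL = Long.parseLong(ttlParam);
                // Reject anything below -1 and any TTL large enough to overflow "now + ttl".
                if (this.tokenTTL < -1 || this.tokenTTL + System.currentTimeMillis() < 0) {
                    LOGGER.invalidTokenTTLEncountered(ttlParam);
                    this.tokenTTL = TOKEN_TTL_DEFAULT;
                }
            } catch (NumberFormatException e) {
                LOGGER.invalidTokenTTLEncountered(ttlParam);
            }
        }
    }

    /**
     * GET entry point; redirects with 307 (Temporary Redirect).
     *
     * @return the redirect response built by {@link #getAuthenticationToken(int)}
     */
    @GET
    @Produces({"application/json", "application/xml"})
    public Response doGet() {
        return getAuthenticationToken(307);
    }

    /**
     * POST entry point; redirects with 303 (See Other) so the browser follows with a GET.
     *
     * @return the redirect response built by {@link #getAuthenticationToken(int)}
     */
    @POST
    @Produces({"application/json", "application/xml"})
    public Response doPost() {
        return getAuthenticationToken(303);
    }

    /**
     * Issues a JWT for the authenticated caller, sets it as the SSO cookie and
     * redirects back to the original URL.
     *
     * <p>The original URL comes either from the {@code original-url} cookie
     * (written by an earlier redirect) or from the {@code originalUrl} query
     * parameter plus the remaining query parameters. Only the query-parameter
     * path is validated against the redirect whitelist.
     *
     * @param redirectStatus HTTP status written to the servlet response
     *                       (307 for GET, 303 for POST)
     * @return a JAX-RS see-other response whose location is the original URL
     * @throws WebApplicationException with 400 when the original URL is
     *                                 missing or fails the whitelist check
     */
    private Response getAuthenticationToken(int redirectStatus) {
        GatewayServices services = (GatewayServices) this.request.getServletContext()
                .getAttribute("org.apache.knox.gateway.gateway.services");

        List<Cookie> originalUrlCookies = CookieUtils.getCookiesForName(this.request, ORIGINAL_URL_COOKIE_NAME);
        boolean clearOriginalUrlCookie = !originalUrlCookies.isEmpty();
        String original;
        if (originalUrlCookies.isEmpty()) {
            // No earlier redirect stored the target, so rebuild it from the query string.
            original = getOriginalUrlFromQueryParams();
            if (original.isEmpty()) {
                LOGGER.originalURLNotFound();
                throw new WebApplicationException("Original URL not found in the request.", Response.Status.BAD_REQUEST);
            }
            // A configured whitelist must accept the (decoded) redirect target.
            if (this.whitelist != null && !matchesWhitelist(original)) {
                LOGGER.whiteListMatchFail(Log4jAuditor.maskTokenFromURL(original), this.whitelist);
                throw new WebApplicationException("Original URL not valid according to the configured whitelist.", Response.Status.BAD_REQUEST);
            }
        } else {
            // NOTE(review): the cookie-sourced URL is not re-checked against the
            // whitelist; this relies on the cookie only ever being written by the
            // gateway from an already validated URL — confirm with the writer of
            // that cookie.
            original = originalUrlCookies.get(0).getValue();
        }

        AliasService aliasService = (AliasService) services.getService(ServiceType.ALIAS_SERVICE);
        JWTokenAuthority tokenAuthority = (JWTokenAuthority) services.getService(ServiceType.TOKEN_SERVICE);
        Principal principal = this.request.getUserPrincipal();
        try {
            String keystoreName = this.context.getInitParameter(SSO_SIGNINGKEY_KEYSTORE_NAME);
            String keystoreAlias = this.context.getInitParameter(SSO_SIGNINGKEY_KEYSTORE_ALIAS);
            String passphraseAlias = this.context.getInitParameter(SSO_SIGNINGKEY_KEYSTORE_PASSPHRASE_ALIAS);
            // The keystore passphrase is resolved through the alias service, never read from config directly.
            char[] passphrase = passphraseAlias == null
                    ? null
                    : aliasService.getPasswordFromAliasForCluster(this.clusterName, passphraseAlias);

            JWT token = tokenAuthority.issueToken(principal, this.targetAudiences, this.signatureAlgorithm,
                    getExpiry(), keystoreName, keystoreAlias, passphrase);
            if (token != null) {
                addJWTHadoopCookie(original, token);
            }
            if (clearOriginalUrlCookie) {
                removeOriginalUrlCookie(this.response);
            }

            LOGGER.aboutToRedirectToOriginal(Log4jAuditor.maskTokenFromURL(original));
            this.response.setStatus(redirectStatus);
            this.response.setHeader("Location", original);
            try {
                this.response.getOutputStream().close();
            } catch (IOException e) {
                LOGGER.unableToCloseOutputStream(e.getMessage(), Arrays.toString(e.getStackTrace()));
            }
        } catch (TokenServiceException | AliasServiceException e) {
            // Token issuance failure is logged; the redirect below is still returned.
            LOGGER.unableToIssueToken(e);
        }

        URI location = null;
        try {
            location = new URI(original);
        } catch (URISyntaxException ignored) {
            // NOTE(review): a target that fails URI parsing leaves location null;
            // what Response.seeOther(null) does depends on the JAX-RS runtime — confirm.
        }

        if (!this.enableSession) {
            HttpSession session = this.request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }

        // NOTE(review): the URL is interpolated unquoted, so this body is not
        // well-formed JSON for most targets; kept byte-for-byte for compatibility.
        return Response.seeOther(location).entity("{ \"redirectTo\" : " + original + " }").build();
    }

    /**
     * Tests a redirect target against the configured whitelist regex.
     *
     * @param original the raw (still URL-encoded) redirect target
     * @return {@code true} when the UTF-8 decoded target matches the whitelist
     */
    private boolean matchesWhitelist(String original) {
        String decoded = null;
        try {
            decoded = URLDecoder.decode(original, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException ignored) {
            // UTF-8 is mandatory on every JVM, so this cannot happen; the raw value is used instead.
        }
        // Note: URLDecoder.decode throws IllegalArgumentException on malformed '%' escapes; that propagates.
        return RegExUtils.checkWhitelist(this.whitelist, decoded != null ? decoded : original);
    }

    /**
     * Rebuilds the redirect target from the {@code originalUrl} parameter plus
     * every other query parameter that is neither already present in it nor
     * listed in {@code knoxsso.expected.params}. Values are appended as-is,
     * without re-encoding.
     *
     * @return the reconstructed URL, or {@code ""} when {@code originalUrl} is absent
     */
    private String getOriginalUrlFromQueryParams() {
        String original = this.request.getParameter(ORIGINAL_URL_REQUEST_PARAM);
        if (original == null) {
            // Previously this fell into new StringBuilder((String) null) and threw an
            // NPE; returning "" lets the caller answer 400 as intended.
            return "";
        }

        StringBuilder buf = new StringBuilder(original);
        boolean first = true;
        Map<String, String[]> params = this.request.getParameterMap();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String name = entry.getKey();
            if (ORIGINAL_URL_REQUEST_PARAM.equals(name)
                    || original.contains(name + "=")
                    || this.ssoExpectedparams.contains(name)) {
                continue;
            }
            // NOTE(review): the first extra parameter is introduced with "?&" regardless
            // of whether originalUrl already carries a query string — confirm this is intended.
            if (first) {
                buf.append('?');
                first = false;
            }
            buf.append('&').append(name);

            String[] values = entry.getValue();
            if (values.length > 0 && values[0] != null) {
                buf.append('=');
            }
            for (int i = 0; i < values.length; i++) {
                // Tests values[0] (not values[i]) on every iteration, as the original did.
                if (values[0] != null) {
                    buf.append(values[i]);
                    if (i < values.length - 1) {
                        buf.append('&').append(name).append('=');
                    }
                }
            }
        }
        return buf.toString();
    }

    /**
     * @return the absolute expiry in epoch milliseconds, or {@code -1} when the
     *         configured TTL is {@code -1} (no expiry)
     */
    private long getExpiry() {
        return this.tokenTTL == -1 ? -1L : System.currentTimeMillis() + this.tokenTTL;
    }

    /**
     * Writes the JWT as the SSO cookie via a hand-built {@code Set-Cookie} header
     * (so that {@code SameSite} can be emitted).
     *
     * @param originalUrl the redirect target; its host decides the cookie Domain
     * @param jwt         the token to store
     * @throws WebApplicationException when building or setting the header fails
     */
    private void addJWTHadoopCookie(String originalUrl, JWT jwt) {
        // NOTE(review): the full token string is handed to the logger here; confirm
        // the logger masks it or that this message is not enabled in production.
        LOGGER.addingJWTCookie(jwt.toString());
        StringBuilder cookie = new StringBuilder(50);
        try {
            cookie.append(this.cookieName).append('=').append(jwt.toString());
            cookie.append("; Path=/");
            String domain = Urls.getDomainName(originalUrl, this.domainSuffix);
            if (domain != null) {
                cookie.append("; Domain=").append(domain);
            }
            cookie.append("; HttpOnly");
            if (this.secureOnly) {
                cookie.append("; Secure");
            }
            if (this.maxAge != -1) {
                cookie.append("; Max-Age=").append(this.maxAge);
            }
            // SameSite=None without Secure is rejected by current browsers, so with
            // secureOnly=false this cookie may be dropped on the client side.
            cookie.append("; SameSite=None");
            // setHeader (not addHeader): any Set-Cookie already on the response is replaced.
            this.response.setHeader("Set-Cookie", cookie.toString());
            LOGGER.addedJWTCookie();
        } catch (Exception e) {
            LOGGER.unableAddCookieToResponse(e.getMessage(), Arrays.toString(e.getStackTrace()));
            throw new WebApplicationException("Unable to add JWT cookie to response.");
        }
    }

    /**
     * Expires the {@code original-url} cookie now that its value has been consumed.
     *
     * @param httpServletResponse response to add the expiring cookie to
     */
    private void removeOriginalUrlCookie(HttpServletResponse httpServletResponse) {
        Cookie cookie = new Cookie(ORIGINAL_URL_COOKIE_NAME, (String) null);
        cookie.setMaxAge(0);
        // Same path the cookie was scoped to, otherwise the browser would not match it.
        cookie.setPath(RESOURCE_PATH);
        httpServletResponse.addCookie(cookie);
    }
}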
