package org.apache.knox.gateway.provider.federation.jwt.filter;

import com.nimbusds.jose.JOSEObjectType;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Base64;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Stream;
import javax.security.auth.Subject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.JWTMessages;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.util.AuthFilterUtils;
import org.apache.knox.gateway.util.CertificateUtils;
import org.apache.knox.gateway.util.CookieUtils;

/* loaded from: input_file:org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.class */
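public class JWTFederationFilter extends AbstractJWTFilter {
    private static final JWTMessages LOGGER = (JWTMessages) MessagesFactory.get(JWTMessages.class);

    /** Init-param: comma-separated request paths that bypass authentication (anonymous subject). */
    public static final String JWT_UNAUTHENTICATED_PATHS_PARAM = "jwt.unauthenticated.path.list";
    /** Init-param: expected token audiences, parsed by {@code parseExpectedAudiences}. */
    public static final String KNOX_TOKEN_AUDIENCES = "knox.token.audiences";
    /** Init-param: PEM-encoded RSA public key used for signature verification. */
    public static final String TOKEN_VERIFICATION_PEM = "knox.token.verification.pem";
    /** Init-param: name of the query parameter that may carry a JWT when no Authorization header is present. */
    public static final String KNOX_TOKEN_QUERY_PARAM_NAME = "knox.token.query.param.name";
    /** Init-param: claim that holds the principal name. */
    public static final String TOKEN_PRINCIPAL_CLAIM = "knox.token.principal.claim";
    /** Init-param: expected JWKS URL. */
    public static final String JWKS_URL = "knox.token.jwks.url";
    /** Init-param: comma-separated JOSE "typ" values accepted; defaults to {@code JWT}. */
    public static final String ALLOWED_JWS_TYPES = "knox.token.allowed.jws.types";
    /** Authorization scheme prefix for a serialized JWT (matched case-sensitively, trailing space included). */
    public static final String BEARER = "Bearer ";
    /** Authorization scheme for Basic credentials (matched case-insensitively). */
    public static final String BASIC = "Basic";
    /** Basic-auth user name meaning "the password is a JWT". */
    public static final String TOKEN = "Token";
    /** Basic-auth user name meaning "the password is a passcode token". */
    public static final String PASSCODE = "Passcode";
    /** Init-param: whether cookies named {@link #KNOX_TOKEN_COOKIE_NAME} are tried before header/parameter tokens. */
    public static final String KNOX_TOKEN_USE_COOKIE = "knox.token.use.cookie";
    /** Init-param: cookie name; defaults to {@code SSOCookieFederationFilter.DEFAULT_SSO_COOKIE_NAME}. */
    public static final String KNOX_TOKEN_COOKIE_NAME = "knox.token.cookie.name";

    /** Separator between the Base64 token id and the Base64 passcode inside a decoded passcode token. */
    private static final String PASSCODE_SEPARATOR = "::";
    /** The JWKS endpoint is always reachable without a token so that verifiers can fetch keys. */
    private static final String JWKS_UNAUTH_PATH = "/knoxtoken/api/v1/jwks.json";

    private boolean useCookie;
    private String cookieName;
    private String paramName;
    private final Set<String> unAuthenticatedPaths = new HashSet<>(20);

    /**
     * Signals that the request carried at least one cookie with the configured name, but none of
     * them validated. (Decompiler note: the original declared this class {@code private}.)
     */
    public static class NoValidCookiesException extends Exception {
        NoValidCookiesException() {
            super("None of the presented cookies are valid.");
        }
    }

    /** Kind of credential found on the wire. */
    public enum TokenType {
        /** A serialized JWT. */
        JWT,
        /** A Knox passcode token: Base64(Base64(tokenId)::Base64(passcode)). */
        Passcode
    }

    /**
     * Reads the filter init-params listed above into this filter and its superclass.
     *
     * @param filterConfig servlet filter configuration
     * @throws ServletException propagated from {@code super.init}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);

        final String audiencesParam = filterConfig.getInitParameter(KNOX_TOKEN_AUDIENCES);
        if (audiencesParam != null) {
            this.audiences = parseExpectedAudiences(audiencesParam);
        }

        final String queryParamName = filterConfig.getInitParameter(KNOX_TOKEN_QUERY_PARAM_NAME);
        if (queryParamName != null) {
            this.paramName = queryParamName;
        }

        final String jwksUrl = filterConfig.getInitParameter(JWKS_URL);
        if (jwksUrl != null) {
            this.expectedJWKSUrl = jwksUrl;
        }

        // Restricting the accepted "typ" header defends against tokens minted for other purposes
        // being replayed here; without configuration only plain JWTs are accepted.
        this.allowedJwsTypes = new HashSet<>();
        final String jwsTypes = filterConfig.getInitParameter(ALLOWED_JWS_TYPES);
        if (jwsTypes != null) {
            Stream.of(jwsTypes.trim().split(","))
                    .map(String::trim)
                    .map(JOSEObjectType::new)
                    .forEach(this.allowedJwsTypes::add);
        } else {
            this.allowedJwsTypes.add(JOSEObjectType.JWT);
        }

        final String useCookieParam = filterConfig.getInitParameter(KNOX_TOKEN_USE_COOKIE);
        this.useCookie = StringUtils.isNotBlank(useCookieParam) && Boolean.parseBoolean(useCookieParam);

        final String cookieNameParam = filterConfig.getInitParameter(KNOX_TOKEN_COOKIE_NAME);
        this.cookieName = StringUtils.isBlank(cookieNameParam)
                ? SSOCookieFederationFilter.DEFAULT_SSO_COOKIE_NAME
                : cookieNameParam;

        final String principalClaim = filterConfig.getInitParameter(TOKEN_PRINCIPAL_CLAIM);
        if (principalClaim != null) {
            this.expectedPrincipalClaim = principalClaim;
        }

        final String verificationPem = filterConfig.getInitParameter(TOKEN_VERIFICATION_PEM);
        if (verificationPem != null) {
            this.publicKey = CertificateUtils.parseRSAPublicKey(verificationPem);
        }

        AuthFilterUtils.addUnauthPaths(this.unAuthenticatedPaths,
                filterConfig.getInitParameter(JWT_UNAUTHENTICATED_PATHS_PARAM), JWKS_UNAUTH_PATH);
        configureExpectedParameters(filterConfig);
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Authenticates the request, in this order: unauthenticated-path bypass, cookies (if enabled),
     * then the wire token from the Authorization header or the configured query parameter.
     * Every failure path ends the request with a 401 and does not invoke {@code filterChain}.
     *
     * @throws IOException      from the response or the chain
     * @throws ServletException from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (AuthFilterUtils.doesRequestContainUnauthPath(this.unAuthenticatedPaths, servletRequest)) {
            continueWithAnonymousSubject(servletRequest, servletResponse, filterChain);
            return;
        }

        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (this.useCookie) {
            try {
                if (authenticateWithCookies(request, response, filterChain)) {
                    return;
                }
                // No cookie with the configured name: fall through to header/parameter tokens.
            } catch (NoValidCookiesException e) {
                log.missingValidCookie();
                handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED,
                        "There is no valid cookie found");
                return;
            }
        }

        final Pair<TokenType, String> wireToken = getWireToken(servletRequest);
        if (wireToken == null || wireToken.getLeft() == null || wireToken.getRight() == null) {
            log.missingTokenFromHeader(wireToken);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        final TokenType tokenType = wireToken.getLeft();
        if (TokenType.JWT.equals(tokenType)) {
            authenticateWithJwt(wireToken.getRight(), request, response, filterChain);
        } else if (TokenType.Passcode.equals(tokenType)) {
            authenticateWithPasscode(wireToken.getRight(), request, response, filterChain);
        }
    }

    /**
     * Parses and validates a serialized JWT; on success continues the chain with the subject
     * built from the token. A token that cannot be parsed or is unknown yields a bare 401.
     */
    private void authenticateWithJwt(String serializedToken, HttpServletRequest request,
            HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        try {
            final JWTToken token = new JWTToken(serializedToken);
            // When validateToken returns false it presumably has already written the error
            // response itself (superclass behaviour, not visible here).
            if (validateToken(request, response, chain, token)) {
                continueWithEstablishedSecurityContext(createSubjectFromToken(token), request, response, chain);
            }
        } catch (ParseException | UnknownTokenException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /**
     * Decodes a passcode token of the form Base64(Base64(tokenId)::Base64(passcode)), validates
     * it against the server-side token state, and continues the chain on success.
     * A malformed token is answered with a 401 and processing stops there — previously the
     * method fell through into {@code validateToken} with null id/passcode after the error had
     * already been sent.
     */
    private void authenticateWithPasscode(String wireToken, HttpServletRequest request,
            HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        final String tokenId;
        final String passcode;
        try {
            final String[] parts = decodeBase64(wireToken).split(PASSCODE_SEPARATOR);
            if (parts.length < 2) {
                throw new IllegalArgumentException("passcode token lacks the '" + PASSCODE_SEPARATOR + "' separator");
            }
            tokenId = decodeBase64(parts[0]);
            passcode = decodeBase64(parts[1]);
        } catch (IllegalArgumentException e) {
            // Base64 decoding failures surface as IllegalArgumentException.
            log.failedToParsePasscodeToken(e);
            handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED,
                    "Error while parsing the received passcode token");
            return;
        }

        if (validateToken(request, response, chain, tokenId, passcode)) {
            try {
                continueWithEstablishedSecurityContext(createSubjectFromTokenIdentifier(tokenId),
                        request, response, chain);
            } catch (UnknownTokenException e) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
        }
    }

    /**
     * Base64-decodes {@code str} and interprets the bytes as UTF-8.
     *
     * @throws IllegalArgumentException if {@code str} is not valid Base64
     */
    private String decodeBase64(String str) {
        final byte[] decoded = Base64.getDecoder().decode(str.getBytes(StandardCharsets.UTF_8));
        return new String(decoded, StandardCharsets.UTF_8);
    }

    /**
     * Locates the credential on the wire.
     * <p>
     * Order: {@code Authorization: Bearer <jwt>}, then {@code Authorization: Basic <base64>} with a
     * {@link #TOKEN} or {@link #PASSCODE} user name, then the query parameter named by
     * {@link #KNOX_TOKEN_QUERY_PARAM_NAME}. Note the scheme match is case-sensitive for Bearer but
     * case-insensitive for Basic. Tokens carried in a query parameter tend to land in access logs
     * and browser history, so the header forms are preferable.
     *
     * @return the token type and value, or {@code null} when no recognizable credential is present
     *         (the value may itself be {@code null} for an empty Basic password)
     */
    public Pair<TokenType, String> getWireToken(ServletRequest servletRequest) {
        Pair<TokenType, String> parsed = null;

        final String header = ((HttpServletRequest) servletRequest).getHeader("Authorization");
        if (header != null) {
            if (header.startsWith(BEARER)) {
                parsed = Pair.of(TokenType.JWT, header.substring(BEARER.length()));
            } else if (header.toLowerCase(Locale.ROOT).startsWith(BASIC.toLowerCase(Locale.ROOT))) {
                parsed = parseFromHTTPBasicCredentials(header);
            }
        }

        // Guard against an unconfigured parameter name; getParameter(null) is container-dependent.
        if (parsed == null && this.paramName != null) {
            final String fromParameter = servletRequest.getParameter(this.paramName);
            if (fromParameter != null) {
                parsed = Pair.of(TokenType.JWT, fromParameter);
            }
        }
        return parsed;
    }

    /**
     * Interprets an HTTP Basic header as {@code Token:<jwt>} or {@code Passcode:<passcode token>}.
     * Input comes straight from the client, so malformed Base64 and credentials without a
     * {@code ':'} are treated as "no token" (→ 401 upstream) instead of escaping as an exception.
     *
     * @param header the full Authorization header value, already known to start with "basic"
     * @return the parsed pair, or {@code null} when the user name is neither recognized name
     */
    private Pair<TokenType, String> parseFromHTTPBasicCredentials(String header) {
        final String encoded = header.substring(BASIC.length()).trim();
        final String[] credentials;
        try {
            credentials = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (credentials.length < 2) {
            return null;
        }

        final String userName = credentials[0];
        final String secret = credentials[1].isEmpty() ? null : credentials[1];
        if (TOKEN.equalsIgnoreCase(userName)) {
            return Pair.of(TokenType.JWT, secret);
        }
        if (PASSCODE.equalsIgnoreCase(userName)) {
            return Pair.of(TokenType.Passcode, secret);
        }
        return null;
    }

    /**
     * Tries every cookie carrying the configured name until one validates.
     * Cookies that do not parse are skipped (the decompiled original left the catch block empty,
     * which would have read an unassigned variable).
     *
     * @return {@code true} if a cookie validated and the chain was continued; {@code false} if no
     *         cookie with the configured name was present
     * @throws NoValidCookiesException if cookies were present but none validated
     */
    private boolean authenticateWithCookies(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws NoValidCookiesException, ServletException, IOException {
        final List<Cookie> cookies = CookieUtils.getCookiesForName(request, this.cookieName);
        for (Cookie cookie : cookies) {
            final JWTToken token;
            try {
                token = new JWTToken(cookie.getValue());
            } catch (ParseException | UnknownTokenException ignored) {
                // Not a parseable/known token; a later cookie with the same name may still be valid.
                continue;
            }
            // NOTE(review): if validateToken writes a 401 on failure, a later valid cookie would be
            // applied to an already-committed response — confirm against the superclass.
            if (validateToken(request, response, chain, token)) {
                continueWithEstablishedSecurityContext(createSubjectFromToken(token), request, response, chain);
                return true;
            }
        }
        if (cookies.isEmpty()) {
            return false;
        }
        throw new NoValidCookiesException();
    }

    /**
     * Sends the error status, with {@code message} as the reason when one is given.
     * The message is server-constructed here; never pass client-controlled text into it.
     */
    @Override
    protected void handleValidationError(HttpServletRequest request, HttpServletResponse response,
            int status, String message) throws IOException {
        if (message == null) {
            response.sendError(status);
        } else {
            response.sendError(status, message);
        }
    }

    /**
     * Continues the chain with an "anonymous" primary principal for paths listed in
     * {@link #JWT_UNAUTHENTICATED_PATHS_PARAM}; logs the bypass and any failure, then rethrows.
     */
    private void continueWithAnonymousSubject(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws ServletException, IOException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        try {
            final Subject anonymous = new Subject();
            anonymous.getPrincipals().add(new PrimaryPrincipal("anonymous"));
            LOGGER.unauthenticatedPathBypass(request.getRequestURI(), this.unAuthenticatedPaths.toString());
            continueWithEstablishedSecurityContext(anonymous, request, (HttpServletResponse) servletResponse, filterChain);
        } catch (Exception e) {
            LOGGER.unauthenticatedPathError(request.getRequestURI(), e.toString());
            throw e;
        }
    }
}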
