package org.apache.ranger.security.web.filter;

import com.google.inject.Inject;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.biz.UserMgr;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.security.context.RangerContextHolder;
import org.apache.ranger.security.context.RangerSecurityContext;
import org.apache.ranger.security.handler.RangerAuthenticationProvider;
import org.mortbay.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/* loaded from: input_file:WEB-INF/classes/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.class */
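/**
 * Servlet filter that authenticates browser users against an external SSO provider by way of an
 * RSA-signed JWT carried in a cookie (default cookie name {@value #JWT_COOKIE_NAME_DEFAULT}).
 *
 * <p>Flow per request: a session opened through the local-login path bypasses SSO; otherwise,
 * when SSO is enabled and no non-SSO authentication is already present, the cookie is parsed and
 * its signature, expiration and audience are validated. A valid token establishes a Spring
 * {@link Authentication} for the token subject, using the roles known to {@link UserMgr}. A
 * missing or invalid token sends browser user agents (configured via
 * {@value #BROWSER_USERAGENT} / {@value #DEFAULT_BROWSER_USERAGENT}) to the provider's login URL
 * and lets every other client continue down the filter chain.
 *
 * <p>Configuration is read through {@link PropertiesUtil}; see {@link #getJwtProperties()}.
 */
public class RangerSSOAuthenticationFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(RangerSSOAuthenticationFilter.class);

    // Property keys (and their defaults) consulted by getJwtProperties().
    public static final String BROWSER_USERAGENT = "ranger.sso.browser.useragent";
    public static final String JWT_AUTH_PROVIDER_URL = "ranger.sso.providerurl";
    public static final String JWT_PUBLIC_KEY = "ranger.sso.publicKey";
    public static final String JWT_COOKIE_NAME = "ranger.sso.cookiename";
    public static final String JWT_AUDIENCES = "ranger.sso.audiences";
    public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "ranger.sso.query.param.originalurl";
    public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt";
    public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl";
    public static final String JWT_EXPECTED_SIGALG = "ranger.sso.expected.sigalg";
    public static final String JWT_DEFAULT_SIGALG = "RS256";
    /** Path fragment that marks a request as a deliberate local (non-SSO) login. */
    public static final String LOCAL_LOGIN_URL = "locallogin";
    public static final String DEFAULT_BROWSER_USERAGENT = "ranger.default.browser-useragents";
    /** Path prefix under which a fronting proxy exposes Ranger; used when building forwardable URLs. */
    public static final String PROXY_RANGER_URL_PATH = "/ranger";

    private static final String PEM_HEADER = "-----BEGIN CERTIFICATE-----\n";
    private static final String PEM_FOOTER = "\n-----END CERTIFICATE-----";

    /** Resolved SSO settings; {@code null} means SSO is not configured and the filter is passive. */
    private SSOAuthenticationProperties jwtProperties;
    private String originalUrlQueryParam = JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT;
    private String authenticationProviderUrl = null;
    private RSAPublicKey publicKey = null;
    private String cookieName = JWT_COOKIE_NAME_DEFAULT;

    /** Source of the roles granted to a successfully authenticated SSO user. */
    @Autowired
    UserMgr userMgr;

    /** Builds the filter from the configured properties (see {@link #getJwtProperties()}). */
    @Inject
    public RangerSSOAuthenticationFilter() {
        this.jwtProperties = getJwtProperties();
        loadJwtProperties();
    }

    /**
     * Builds the filter from explicitly supplied SSO settings.
     *
     * @param sSOAuthenticationProperties settings to use; {@code null} disables SSO handling
     */
    public RangerSSOAuthenticationFilter(SSOAuthenticationProperties sSOAuthenticationProperties) {
        this.jwtProperties = sSOAuthenticationProperties;
        loadJwtProperties();
    }

    /** No per-filter initialisation is needed; all settings come from the constructor. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Applies the SSO decision described on the class.
     *
     * @throws IOException      if a redirect or the downstream chain fails on I/O
     * @throws ServletException propagated from the downstream chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        String forwardableUrl = constructForwardableURL(httpRequest);

        promoteLocalLoginMarker(httpRequest);

        RangerSecurityContext securityContext = RangerContextHolder.getSecurityContext();
        UserSessionBase userSession = securityContext != null ? securityContext.getUserSession() : null;
        // An existing Ranger session carries its own SSO flag; before one exists the property decides.
        boolean ssoEnabled = userSession != null
                ? userSession.isSSOEnabled()
                : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
        String userAgent = httpRequest.getHeader("User-Agent");

        // A session opened through the local-login path bypasses SSO entirely.
        if (httpRequest.getSession() != null && httpRequest.getSession().getAttribute(LOCAL_LOGIN_URL) != null) {
            servletRequest.setAttribute("ssoEnabled", false);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        boolean localLoginRequest = httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL);
        if (!ssoEnabled || localLoginRequest) {
            if (ssoEnabled && localLoginRequest && isWebUserAgent(userAgent) && isAuthenticated()) {
                // The browser already holds a live session: send it to the non-local form of the URL.
                String target = httpRequest.getRequestURI().replace("locallogin/", "").replace(LOCAL_LOGIN_URL, "");
                LOG.warn("There is an active session and if you want local login to ranger, try this on a separate browser");
                httpResponse.sendRedirect(target);
            } else {
                filterChain.doFilter(servletRequest, servletResponse);
            }
            return;
        }

        // Nothing to do when SSO is unconfigured or a non-SSO authentication is already established.
        if (this.jwtProperties == null || isAuthenticated()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        String serializedJwt = getJWTFromCookie(httpRequest);
        if (serializedJwt == null) {
            redirectToSsoOrContinue(httpRequest, httpResponse, filterChain, forwardableUrl, userAgent);
            return;
        }

        try {
            SignedJWT jwtToken = SignedJWT.parse(serializedJwt);
            if (validateToken(jwtToken)) {
                establishSsoAuthentication(httpRequest, jwtToken.getJWTClaimsSet().getSubject(), ssoEnabled);
                filterChain.doFilter(servletRequest, httpResponse);
            } else {
                redirectToSsoOrContinue(httpRequest, httpResponse, filterChain, forwardableUrl, userAgent);
            }
        } catch (ParseException e) {
            // A cookie that is not a well-formed JWT is handled exactly like one that fails validation.
            // Previously the request was abandoned here: neither a redirect nor the chain was issued.
            LOG.warn("Unable to parse the JWT token", e);
            redirectToSsoOrContinue(httpRequest, httpResponse, filterChain, forwardableUrl, userAgent);
        }
    }

    /**
     * Moves a {@value #LOCAL_LOGIN_URL} marker parked on the servlet context under an expired session
     * id onto the request's new session, so a local-login choice survives session replacement.
     * The servlet context is used as the lock because the marker lives there.
     */
    private void promoteLocalLoginMarker(HttpServletRequest request) {
        String requestedSessionId = request.getRequestedSessionId();
        if (requestedSessionId == null || request.isRequestedSessionIdValid()) {
            return;
        }
        ServletContext servletContext = request.getServletContext();
        synchronized (servletContext) {
            Object marker = servletContext.getAttribute(requestedSessionId);
            if (marker != null && LOCAL_LOGIN_URL.equals(marker.toString())) {
                request.getSession().setAttribute(LOCAL_LOGIN_URL, "true");
                servletContext.removeAttribute(requestedSessionId);
            }
        }
    }

    /**
     * Sends a browser user agent to the SSO login URL; any other client is passed down the chain
     * unauthenticated so that other authentication mechanisms can still apply.
     */
    private void redirectToSsoOrContinue(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain, String forwardableUrl, String userAgent) throws IOException, ServletException {
        if (isWebUserAgent(userAgent)) {
            String loginUrl = constructLoginURL(request, forwardableUrl);
            LOG.debug("SSO URL = {}", loginUrl);
            response.sendRedirect(loginUrl);
        } else {
            filterChain.doFilter(request, response);
        }
    }

    /**
     * Places an {@link Authentication} for the token subject into the Spring security context.
     * The subject is first authenticated with the default role (property
     * {@code ranger.ldap.default.role}) and then re-issued with the roles known to {@link UserMgr}.
     * A blank subject leaves the security context untouched.
     */
    private void establishSsoAuthentication(HttpServletRequest request, String userName, boolean ssoEnabled) {
        LOG.info("SSO login user : {}", userName);
        if (userName == null || userName.trim().isEmpty()) {
            return;
        }
        String defaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", RangerConstants.ROLE_USER);
        List<GrantedAuthority> grantedAuths = new ArrayList<>();
        grantedAuths.add(new SimpleGrantedAuthority(defaultRole));
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(new User(userName, "", grantedAuths), "", grantedAuths);
        token.setDetails(new WebAuthenticationDetails(request));
        RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
        authenticationProvider.setSsoEnabled(ssoEnabled);
        SecurityContextHolder.getContext().setAuthentication(getGrantedAuthority(authenticationProvider.authenticate(token)));
    }

    /**
     * Rebuilds the externally visible URL of this request from {@code X-Forwarded-Proto},
     * {@code X-Forwarded-Host} and {@code X-Forwarded-Context}; returns {@code ""} unless all three
     * are present. For a repeated header the last value wins.
     *
     * <p>The result becomes the post-login redirect target handed to the SSO provider. These
     * headers are taken at face value, so the filter must only be deployed behind a proxy that
     * sets or overwrites them; otherwise a client can choose the redirect target itself.
     */
    private String constructForwardableURL(HttpServletRequest request) {
        String proto = "";
        String host = "";
        String context = "";
        Enumeration<String> headerNames = request.getHeaderNames();
        if (headerNames == null) {
            return "";
        }
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            Enumeration<String> values = request.getHeaders(headerName);
            String lastValue = "";
            if (values != null) {
                while (values.hasMoreElements()) {
                    lastValue = values.nextElement();
                }
            }
            if (StringUtils.trimToNull(headerName) == null || StringUtils.trimToNull(lastValue) == null) {
                continue;
            }
            if (headerName.equalsIgnoreCase("x-forwarded-proto")) {
                proto = lastValue;
            } else if (headerName.equalsIgnoreCase("x-forwarded-host")) {
                host = lastValue;
            } else if (headerName.equalsIgnoreCase("x-forwarded-context")) {
                context = lastValue;
            }
        }
        if (StringUtils.trimToNull(proto) == null
                || StringUtils.trimToNull(host) == null
                || StringUtils.trimToNull(context) == null) {
            return "";
        }
        return proto + "://" + host + context + PROXY_RANGER_URL_PATH + request.getRequestURI();
    }

    /**
     * Re-issues an authenticated {@link Authentication} with the user's roles from {@link UserMgr}.
     * Unauthenticated or {@code null} input is returned unchanged.
     */
    private Authentication getGrantedAuthority(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return authentication;
        }
        String userName = authentication.getName();
        String credentials = authentication.getCredentials().toString();
        List<GrantedAuthority> authorities = getAuthorities(userName);
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                new User(userName, credentials, authorities), authentication.getCredentials(), authorities);
        result.setDetails(authentication.getDetails());
        return result;
    }

    /** Maps the role names {@link UserMgr} knows for {@code loginId} to granted authorities. */
    private List<GrantedAuthority> getAuthorities(String loginId) {
        Collection<String> roles = this.userMgr.getRolesByLoginId(loginId);
        List<GrantedAuthority> authorities = new ArrayList<>();
        if (roles == null) {
            return authorities;
        }
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return authorities;
    }

    /**
     * Returns whether {@code userAgent} starts (case-insensitively) with one of the configured
     * browser user-agent prefixes. A missing header or an empty prefix list yields {@code false},
     * i.e. the client is treated as non-interactive.
     */
    private boolean isWebUserAgent(String userAgent) {
        if (userAgent == null || this.jwtProperties == null) {
            return false;
        }
        String[] userAgentList = this.jwtProperties.getUserAgentList();
        if (userAgentList == null || userAgentList.length == 0) {
            return false;
        }
        String normalized = userAgent.toLowerCase(Locale.ROOT);
        for (String prefix : userAgentList) {
            if (normalized.startsWith(prefix.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    /** Copies the per-request settings out of {@link #jwtProperties} when SSO is configured. */
    private void loadJwtProperties() {
        if (this.jwtProperties == null) {
            return;
        }
        this.authenticationProviderUrl = this.jwtProperties.getAuthenticationProviderUrl();
        this.publicKey = this.jwtProperties.getPublicKey();
        this.cookieName = this.jwtProperties.getCookieName();
        this.originalUrlQueryParam = this.jwtProperties.getOriginalUrlQueryParam();
    }

    /**
     * Returns {@code true} only when the security context holds an authenticated principal that
     * did not itself come from SSO ({@link SSOAuthentication} instances do not count).
     */
    private boolean isAuthenticated() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null
                && authentication.isAuthenticated()
                && !(authentication instanceof SSOAuthentication);
    }

    /**
     * Returns the serialized JWT from the first cookie named {@link #cookieName}, or {@code null}
     * when the request has no such cookie (or no cookie name is configured).
     */
    protected String getJWTFromCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null || this.cookieName == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (this.cookieName.equals(cookie.getName())) {
                // Only the cookie name is logged; the token value itself is a credential.
                LOG.debug("{} cookie has been found and is being processed", this.cookieName);
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Builds the provider login URL: the provider URL, the original-URL query parameter and the
     * address to return to (the forwardable URL when one could be built, else this request's URL),
     * with the request's own query string re-attached.
     *
     * @param request        the request being redirected
     * @param forwardableUrl result of {@link #constructForwardableURL}; blank means "not available"
     */
    protected String constructLoginURL(HttpServletRequest request, String forwardableUrl) {
        String separator = this.authenticationProviderUrl.contains("?") ? "&" : "?";
        String loginUrl = this.authenticationProviderUrl + separator + this.originalUrlQueryParam + "=";
        String originalQuery = getOriginalQueryString(request);
        // NOTE(review): the return URL is appended without URL-encoding, as the provider is
        // evidently expected to accept it that way; confirm against the provider before changing.
        if (StringUtils.trimToNull(forwardableUrl) != null) {
            return loginUrl + forwardableUrl + originalQuery;
        }
        return loginUrl + request.getRequestURL().append(originalQuery);
    }

    /** Returns {@code "?" + query} for the request's query string, or {@code ""} when it has none. */
    private String getOriginalQueryString(HttpServletRequest request) {
        String queryString = request.getQueryString();
        return queryString == null ? "" : "?" + queryString;
    }

    /**
     * Runs the three token checks in order — signature, expiration, audience — and reports the
     * first failure at WARN level.
     *
     * @return {@code true} only when every check passes
     */
    protected boolean validateToken(SignedJWT jwtToken) {
        if (!validateSignature(jwtToken)) {
            LOG.warn("Signature of JWT token could not be verified. Please check the public key");
            return false;
        }
        if (!validateExpiration(jwtToken)) {
            LOG.warn("Expiration time validation of JWT token failed.");
            return false;
        }
        if (!validateAudiences(jwtToken)) {
            LOG.warn("Audience validation of JWT token failed.");
            return false;
        }
        return true;
    }

    /**
     * Verifies the token's RSA signature with the configured public key. The token must be in the
     * SIGNED state, carry a signature, and declare exactly the configured signature algorithm
     * ({@value #JWT_EXPECTED_SIGALG}, default {@value #JWT_DEFAULT_SIGALG}); the algorithm is
     * compared before any cryptographic work so an unexpected header never reaches the verifier.
     *
     * @return {@code true} only when the signature verifies
     */
    protected boolean validateSignature(SignedJWT jwtToken) {
        if (JWSObject.State.SIGNED != jwtToken.getState()) {
            return false;
        }
        LOG.debug("SSO token is in a SIGNED state");
        if (jwtToken.getSignature() == null) {
            return false;
        }
        LOG.debug("SSO token signature is not null");

        String expectedSigAlg = this.jwtProperties.getExpectedSigAlg();
        String actualSigAlg = jwtToken.getHeader().getAlgorithm().getName();
        if (!actualSigAlg.equals(expectedSigAlg)) {
            LOG.warn("SSO token signature algorithm {} does not match the expected algorithm {}", actualSigAlg, expectedSigAlg);
            return false;
        }

        try {
            if (jwtToken.verify(new RSASSAVerifier(this.publicKey))) {
                LOG.debug("SSO token has been successfully verified");
                return true;
            }
            LOG.warn("SSO signature verification failed.Please check the public key");
        } catch (JOSEException e) {
            LOG.warn("Error while validating signature", e);
        } catch (Exception e) {
            // e.g. a null or unusable public key rejected by the verifier constructor
            LOG.warn("Error while validating signature", e);
        }
        return false;
    }

    /**
     * Checks the {@code exp} claim against the current time.
     *
     * <p>A token without an {@code exp} claim is accepted, matching the behaviour this filter has
     * always had; deployments that require bounded lifetimes must ensure the provider always sets it.
     *
     * @return {@code true} when the token is unexpired (or carries no expiry)
     */
    protected boolean validateExpiration(SignedJWT jwtToken) {
        try {
            Date expirationTime = jwtToken.getJWTClaimsSet().getExpirationTime();
            if (expirationTime == null || new Date().before(expirationTime)) {
                LOG.debug("SSO token expiration date has been successfully validated");
                return true;
            }
            LOG.warn("SSO expiration date validation failed.");
        } catch (ParseException e) {
            LOG.warn("SSO expiration date validation failed.", e);
        }
        return false;
    }

    /**
     * Checks that at least one {@code aud} claim value is among the configured audiences
     * ({@value #JWT_AUDIENCES}). With no audiences configured every token is acceptable.
     *
     * <p>Reconstructed from the bytecode the decompiler left as a comment; a {@code null} audience
     * list is treated like an empty one, where the compiled code would have thrown.
     *
     * @return {@code true} when the audience restriction is satisfied
     */
    protected boolean validateAudiences(SignedJWT jwtToken) {
        List<String> expectedAudiences = this.jwtProperties.getAudiences();
        if (expectedAudiences == null || expectedAudiences.isEmpty()) {
            return true;
        }
        try {
            List<String> tokenAudiences = jwtToken.getJWTClaimsSet().getAudience();
            if (tokenAudiences != null) {
                for (String audience : tokenAudiences) {
                    if (expectedAudiences.contains(audience)) {
                        LOG.debug("Audience claim has been validated.");
                        return true;
                    }
                }
            }
        } catch (ParseException e) {
            LOG.warn("Audience validation failed.", e);
        }
        return false;
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Reads the SSO settings from the Ranger properties.
     *
     * @return the settings, or {@code null} when SSO is disabled, no provider URL is set, or no
     *         public key is configured. When the key is configured but cannot be parsed the error
     *         is logged and the returned settings carry a {@code null} key, so every token will
     *         subsequently fail signature validation (fail closed) rather than SSO being skipped.
     */
    public SSOAuthenticationProperties getJwtProperties() {
        String providerUrl = PropertiesUtil.getProperty(JWT_AUTH_PROVIDER_URL);
        if (providerUrl == null || !PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false)) {
            return null;
        }
        String publicKeyPem = PropertiesUtil.getProperty(JWT_PUBLIC_KEY);
        if (publicKeyPem == null) {
            LOG.error("Public key pem not specified for SSO auth provider {}. SSO auth will be disabled.", providerUrl);
            return null;
        }

        SSOAuthenticationProperties properties = new SSOAuthenticationProperties();
        properties.setAuthenticationProviderUrl(providerUrl);
        properties.setCookieName(PropertiesUtil.getProperty(JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT));
        properties.setOriginalUrlQueryParam(
                PropertiesUtil.getProperty(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT));

        // An explicit browser list overrides the default list; both are comma separated.
        String defaultUserAgents = PropertiesUtil.getProperty(DEFAULT_BROWSER_USERAGENT);
        String configuredUserAgents = PropertiesUtil.getProperty(BROWSER_USERAGENT);
        if (configuredUserAgents != null && !configuredUserAgents.isEmpty()) {
            properties.setUserAgentList(configuredUserAgents.split(","));
        } else if (defaultUserAgents != null && !defaultUserAgents.isEmpty()) {
            properties.setUserAgentList(defaultUserAgents.split(","));
        }

        String audiences = PropertiesUtil.getProperty(JWT_AUDIENCES);
        if (audiences != null && !audiences.isEmpty()) {
            properties.setAudiences(Arrays.asList(audiences.split(",")));
        }
        properties.setExpectedSigAlg(PropertiesUtil.getProperty(JWT_EXPECTED_SIGALG, JWT_DEFAULT_SIGALG));

        try {
            properties.setPublicKey(parseRSAPublicKey(publicKeyPem));
        } catch (IOException e) {
            LOG.error("Unable to read public certificate file. JWT auth will be disabled.", e);
        } catch (CertificateException e) {
            LOG.error("Unable to parse public certificate file. JWT auth will be disabled.", e);
        } catch (ServletException e) {
            LOG.error("ServletException while processing the properties", e);
        }
        return properties;
    }

    /**
     * Extracts the RSA public key from a base64 X.509 certificate body.
     *
     * @param pem the certificate body <em>without</em> the PEM header and footer lines, which are
     *            added here
     * @return the certificate's public key
     * @throws ServletException if the certificate cannot be parsed (the message hints at an
     *                          accidentally included PEM header) or its key is not an RSA key
     * @throws CertificateException declared for callers of earlier versions; not thrown directly
     * @throws UnsupportedEncodingException declared for callers of earlier versions; the body is
     *                                      always encoded as UTF-8 and cannot raise it
     */
    public static RSAPublicKey parseRSAPublicKey(String pem)
            throws CertificateException, UnsupportedEncodingException, ServletException {
        String wrapped = PEM_HEADER + pem + PEM_FOOTER;
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            X509Certificate certificate = (X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(wrapped.getBytes(StandardCharsets.UTF_8)));
            PublicKey key = certificate.getPublicKey();
            if (!(key instanceof RSAPublicKey)) {
                // An unchecked ClassCastException here would previously have escaped getJwtProperties().
                throw new ServletException("CertificateException - certificate does not carry an RSA public key (" + key.getAlgorithm() + ")");
            }
            return (RSAPublicKey) key;
        } catch (CertificateException e) {
            throw new ServletException(pem.startsWith(PEM_HEADER)
                    ? "CertificateException - be sure not to include PEM header and footer in the PEM configuration element."
                    : "CertificateException - PEM may be corrupt", e);
        }
    }
}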
