package org.apache.hadoop.gateway.service.knoxsso;

import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.net.URI;
import java.net.URISyntaxException;
import javax.annotation.PostConstruct;
import javax.servlet.ServletContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.hadoop.gateway.services.GatewayServices;
import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
import org.apache.hadoop.gateway.services.security.token.impl.JWT;
import org.apache.hadoop.gateway.util.RegExUtils;
import org.apache.hadoop.gateway.util.Urls;

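@Path(WebSSOResource.RESOURCE_PATH)
/**
 * KnoxSSO web-SSO endpoint.
 *
 * A request arriving here has already been authenticated by the surrounding
 * filter chain (the principal is taken from {@code request.getUserPrincipal()}).
 * The resource issues a JWT for that principal, sets it as the
 * {@value #JWT_COOKIE_NAME} cookie and redirects the browser back to the
 * "original URL" that started the SSO flow. That URL comes either from the
 * {@value #ORIGINAL_URL_COOKIE_NAME} cookie or from the
 * {@value #ORIGINAL_URL_REQUEST_PARAM} query/form parameter; the parameter form
 * is attacker-controllable and is therefore checked against a configurable
 * redirect whitelist before it is used as a {@code Location} target.
 *
 * All tunables are servlet-context init parameters read once in {@link #init()}.
 */
public class WebSSOResource {
    private static final String SSO_COOKIE_SECURE_ONLY_INIT_PARAM = "knoxsso.cookie.secure.only";
    private static final String SSO_COOKIE_MAX_AGE_INIT_PARAM = "knoxsso.cookie.max.age";
    private static final String SSO_COOKIE_DOMAIN_SUFFIX_PARAM = "knoxsso.cookie.domain.suffix";
    private static final String SSO_COOKIE_TOKEN_TTL_PARAM = "knoxsso.token.ttl";
    private static final String SSO_COOKIE_TOKEN_AUDIENCES_PARAM = "knoxsso.token.audiences";
    private static final String SSO_COOKIE_TOKEN_WHITELIST_PARAM = "knoxsso.redirect.whitelist.regex";
    private static final String SSO_ENABLE_SESSION_PARAM = "knoxsso.enable.session";
    private static final String ORIGINAL_URL_REQUEST_PARAM = "originalUrl";
    private static final String ORIGINAL_URL_COOKIE_NAME = "original-url";
    private static final String JWT_COOKIE_NAME = "hadoop-jwt";

    /**
     * Redirect whitelist used when {@value #SSO_COOKIE_TOKEN_WHITELIST_PARAM} is not
     * configured: a ';'-separated list of regexes, one of which must match the whole
     * original URL.
     *
     * The relative-path entry requires a single leading slash that is NOT followed by
     * another slash or a backslash. A plain {@code ^/.*$} would also accept
     * {@code //evil.example/...} (a scheme-relative URL, which browsers resolve to
     * the attacker's host) and {@code /\evil.example/...} (which browsers normalise
     * to the same thing), turning the default into an open redirect.
     * The dots in the loopback address are escaped so that an unescaped {@code .}
     * does not match arbitrary characters (e.g. {@code 127a0b0c1}).
     */
    private static final String DEFAULT_WHITELIST =
        "^/(?![/\\\\]).*$;^https?://(localhost|127\\.0\\.0\\.1|0:0:0:0:0:0:0:1|::1):\\d{0,9}/.*$";

    static final String RESOURCE_PATH = "/api/v1/websso";

    private static KnoxSSOMessages log = (KnoxSSOMessages) MessagesFactory.get(KnoxSSOMessages.class);

    /** Mark the JWT cookie {@code Secure}; on unless the init param is literally "false". */
    private boolean secureOnly = true;
    /** JWT cookie max-age in seconds; -1 means "not set" (a session cookie). */
    private int maxAge = -1;
    /** Token lifetime in milliseconds added to "now"; -1 means a token with no expiry. */
    private long tokenTTL = 30000;
    /** ';'-separated regex whitelist for the original URL, see {@link #DEFAULT_WHITELIST}. */
    private String whitelist = null;
    /** Optional domain suffix passed to {@code Urls.getDomainName} when scoping the cookie. */
    private String domainSuffix = null;
    /** Parsed {@value #SSO_COOKIE_TOKEN_AUDIENCES_PARAM}; read here but not used by this class. */
    private String[] targetAudiences = null;
    /** When false (the default) the HTTP session is invalidated after the token is issued. */
    private boolean enableSession = false;

    @Context
    private HttpServletRequest request;

    @Context
    private HttpServletResponse response;

    @Context
    ServletContext context;

    /**
     * Reads all tunables from the servlet-context init parameters.
     *
     * Unparseable numeric values are logged and leave the field at its default.
     * Note that {@code secureOnly} is only ever disabled by the literal string
     * "false"; any other value keeps the cookie {@code Secure}.
     */
    @PostConstruct
    public void init() {
        String secureOnlyParam = this.context.getInitParameter(SSO_COOKIE_SECURE_ONLY_INIT_PARAM);
        if (secureOnlyParam != null) {
            this.secureOnly = !"false".equals(secureOnlyParam);
            if (!this.secureOnly) {
                // Worth a log line: a non-Secure bearer-token cookie travels over plain HTTP.
                log.cookieSecureOnly(this.secureOnly);
            }
        }

        String maxAgeParam = this.context.getInitParameter(SSO_COOKIE_MAX_AGE_INIT_PARAM);
        if (maxAgeParam != null) {
            try {
                log.setMaxAge(maxAgeParam);
                this.maxAge = Integer.parseInt(maxAgeParam);
            } catch (NumberFormatException e) {
                log.invalidMaxAgeEncountered(maxAgeParam);
            }
        }

        this.domainSuffix = this.context.getInitParameter(SSO_COOKIE_DOMAIN_SUFFIX_PARAM);

        this.whitelist = this.context.getInitParameter(SSO_COOKIE_TOKEN_WHITELIST_PARAM);
        if (this.whitelist == null) {
            this.whitelist = DEFAULT_WHITELIST;
        }

        String audiencesParam = this.context.getInitParameter(SSO_COOKIE_TOKEN_AUDIENCES_PARAM);
        if (audiencesParam != null) {
            // Split only; entries are not trimmed.
            this.targetAudiences = audiencesParam.split(",");
        }

        String ttlParam = this.context.getInitParameter(SSO_COOKIE_TOKEN_TTL_PARAM);
        if (ttlParam != null) {
            try {
                this.tokenTTL = Long.parseLong(ttlParam);
            } catch (NumberFormatException e) {
                log.invalidTokenTTLEncountered(ttlParam);
            }
        }

        this.enableSession = "true".equals(this.context.getInitParameter(SSO_ENABLE_SESSION_PARAM));
    }

    /**
     * GET entry point: issues the token and redirects with 307 (method preserved).
     *
     * @return the redirect response
     */
    @GET
    @Produces({"application/json", "application/xml"})
    public Response doGet() {
        return getAuthenticationToken(307);
    }

    /**
     * POST entry point: issues the token and redirects with 303 (browser follows with GET).
     *
     * @return the redirect response
     */
    @POST
    @Produces({"application/json", "application/xml"})
    public Response doPost() {
        return getAuthenticationToken(303);
    }

    /**
     * Resolves the original URL, issues a JWT for the authenticated principal, sets it
     * as a cookie and redirects to that URL.
     *
     * @param statusCode the redirect status written directly to the servlet response
     * @return a JAX-RS "see other" response carrying the same target
     * @throws WebApplicationException with 400 when no original URL is present, when
     *         the parameter-supplied URL fails the whitelist, or when the URL contains
     *         a CR/LF (which must never reach a {@code Location} header)
     */
    private Response getAuthenticationToken(int statusCode) {
        HttpSession session;
        GatewayServices services = (GatewayServices) this.request.getServletContext()
            .getAttribute("org.apache.hadoop.gateway.gateway.services");

        boolean removeOriginalUrlCookie = true;
        String original = getCookieValue(this.request, ORIGINAL_URL_COOKIE_NAME);
        if (original == null) {
            // No cookie from an earlier redirect: fall back to the request parameter.
            // This is the attacker-reachable input, so it must pass the whitelist.
            removeOriginalUrlCookie = false;
            original = this.request.getParameter(ORIGINAL_URL_REQUEST_PARAM);
            if (original == null) {
                log.originalURLNotFound();
                throw new WebApplicationException("Original URL not found in the request.", Response.Status.BAD_REQUEST);
            }
            if (!RegExUtils.checkWhitelist(this.whitelist, original)) {
                log.whiteListMatchFail(original, this.whitelist);
                throw new WebApplicationException("Original URL not valid according to the configured whitelist.", Response.Status.BAD_REQUEST);
            }
        }
        // NOTE(review): a cookie-sourced URL is trusted without a whitelist check, on the
        // assumption that whatever set the cookie already validated it. Confirm that setter;
        // a cookie planted from a sibling subdomain would otherwise bypass the whitelist.

        // The whitelist's trailing "$" still matches before a final line terminator, so a
        // URL ending in "\n" can pass it. Never let a line break into the Location header.
        if (containsLineBreak(original)) {
            throw new WebApplicationException("Original URL contains an illegal line break.", Response.Status.BAD_REQUEST);
        }

        try {
            JWTokenAuthority authority = (JWTokenAuthority) services.getService("TokenService");
            JWT token = authority.issueToken(this.request.getUserPrincipal(), "RS256", getExpiry());
            if (token != null) {
                addJWTHadoopCookie(original, token);
            }
            if (removeOriginalUrlCookie) {
                removeOriginalUrlCookie(this.response);
            }
            log.aboutToRedirectToOriginal(original);
            // Status and Location are written straight to the servlet response and the
            // stream is closed, so this redirect is committed before the JAX-RS Response
            // below is processed.
            this.response.setStatus(statusCode);
            this.response.setHeader("Location", original);
            try {
                this.response.getOutputStream().close();
            } catch (IOException e) {
                log.unableToCloseOutputStream(e.getMessage(), stackTraceToString(e));
            }
        } catch (TokenServiceException e) {
            // Token issuance failed. This is logged only; the redirect below is still
            // returned, just without a JWT cookie, so the target will re-challenge.
            log.unableToIssueToken(e);
        }

        URI target = null;
        try {
            target = new URI(original);
        } catch (URISyntaxException ignored) {
            // Not a parseable URI: the raw string already went into the Location header
            // above, so the JAX-RS location is simply left unset.
        }

        if (!this.enableSession && (session = this.request.getSession(false)) != null) {
            // Sessions are not kept across SSO by default; the JWT cookie is the credential.
            session.invalidate();
        }

        // The value is a user-influenced string, so it is emitted as a quoted, escaped
        // JSON string rather than spliced in raw.
        return Response.seeOther(target)
            .entity("{ \"redirectTo\" : " + toJsonString(original) + " }")
            .build();
    }

    /**
     * Absolute expiry in epoch milliseconds, or -1 when the configured TTL is -1 (no expiry).
     */
    private long getExpiry() {
        return this.tokenTTL == -1 ? -1L : System.currentTimeMillis() + this.tokenTTL;
    }

    /**
     * Adds the JWT as the {@value #JWT_COOKIE_NAME} cookie: path "/", HttpOnly, Secure
     * unless disabled, domain derived from the original URL and the configured suffix,
     * max-age only when configured.
     *
     * @param originalUrl the redirect target the cookie domain is derived from
     * @param jwt the token to set
     * @throws WebApplicationException if the cookie cannot be built or added
     */
    private void addJWTHadoopCookie(String originalUrl, JWT jwt) {
        // NOTE(review): this logs the complete serialized token (a bearer credential);
        // make sure the message level keeps it out of production logs.
        log.addingJWTCookie(jwt.toString());
        Cookie cookie = new Cookie(JWT_COOKIE_NAME, jwt.toString());
        cookie.setPath("/");
        try {
            String domainName = Urls.getDomainName(originalUrl, this.domainSuffix);
            if (domainName != null) {
                cookie.setDomain(domainName);
            }
            // Keep the token away from script; it is a credential, not application data.
            cookie.setHttpOnly(true);
            if (this.secureOnly) {
                cookie.setSecure(true);
            }
            if (this.maxAge != -1) {
                cookie.setMaxAge(this.maxAge);
            }
            this.response.addCookie(cookie);
            log.addedJWTCookie();
        } catch (Exception e) {
            log.unableAddCookieToResponse(e.getMessage(), stackTraceToString(e));
            throw new WebApplicationException("Unable to add JWT cookie to response.");
        }
    }

    /**
     * Expires the {@value #ORIGINAL_URL_COOKIE_NAME} cookie (max-age 0) on the resource path.
     *
     * @param httpServletResponse the response to add the expiring cookie to
     */
    private void removeOriginalUrlCookie(HttpServletResponse httpServletResponse) {
        Cookie expired = new Cookie(ORIGINAL_URL_COOKIE_NAME, (String) null);
        expired.setMaxAge(0);
        expired.setPath(RESOURCE_PATH);
        httpServletResponse.addCookie(expired);
    }

    /**
     * Returns the value of the named request cookie, or null when absent.
     * If several cookies share the name, the last one in the request wins.
     *
     * @param httpServletRequest the request to inspect
     * @param name the cookie name
     * @return the cookie value, or null
     */
    private String getCookieValue(HttpServletRequest httpServletRequest, String name) {
        Cookie[] cookies = httpServletRequest.getCookies();
        String value = null;
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (name.equals(cookie.getName())) {
                    value = cookie.getValue();
                }
            }
        }
        if (value == null) {
            log.cookieNotFound(name);
        }
        return value;
    }

    /** True if the string contains a carriage return or line feed. */
    private static boolean containsLineBreak(String s) {
        return s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0;
    }

    /**
     * Renders a throwable's stack trace as text for logging. (The previous
     * {@code getStackTrace().toString()} only printed the array's identity hash.)
     */
    private static String stackTraceToString(Throwable t) {
        StringWriter out = new StringWriter();
        t.printStackTrace(new PrintWriter(out));
        return out.toString();
    }

    /**
     * Encodes a string as a double-quoted JSON string literal, escaping quotes,
     * backslashes and control characters. {@code null} becomes the literal {@code null}.
     *
     * @param value the raw string
     * @return valid JSON for the value
     */
    static String toJsonString(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 2).append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':  out.append("\\\""); break;
                case '\\': out.append("\\\\"); break;
                case '\n': out.append("\\n");  break;
                case '\r': out.append("\\r");  break;
                case '\t': out.append("\\t");  break;
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.append('"').toString();
    }
}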
