package org.apache.zeppelin.rest;

import com.google.gson.Gson;
import java.text.ParseException;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.Subject;
import org.apache.zeppelin.annotation.ZeppelinApi;
import org.apache.zeppelin.conf.ZeppelinConfiguration;
import org.apache.zeppelin.notebook.AuthorizationService;
import org.apache.zeppelin.notebook.Notebook;
import org.apache.zeppelin.realm.jwt.JWTAuthenticationToken;
import org.apache.zeppelin.realm.jwt.KnoxJwtRealm;
import org.apache.zeppelin.realm.kerberos.KerberosRealm;
import org.apache.zeppelin.realm.kerberos.KerberosToken;
import org.apache.zeppelin.server.JsonResponse;
import org.apache.zeppelin.service.AuthenticationService;
import org.apache.zeppelin.ticket.TicketContainer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

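/**
 * REST resource behind {@code /login}: signs a user in from a Knox SSO cookie, a Kerberos
 * cookie or a posted user name and password, and signs the current user out.
 *
 * <p>A successful login response carries the principal, its roles and a ticket obtained from
 * {@link TicketContainer}. The ticket is treated here as a bearer secret: it is returned to
 * the client but never written to the log.
 */
@Produces({"application/json"})
@Singleton
@Path("/login")
/* loaded from: input_file:org/apache/zeppelin/rest/LoginRestApi.class */
public class LoginRestApi {
    private static final Logger LOG = LoggerFactory.getLogger(LoginRestApi.class);
    private static final Gson GSON = new Gson();
    private final ZeppelinConfiguration zConf;
    private final AuthenticationService authenticationService;
    private final AuthorizationService authorizationService;

    /**
     * Creates the resource.
     *
     * @param notebook source of the {@link ZeppelinConfiguration} read by {@link #logout()}
     * @param authenticationService supplies the configured realms, the current principal and its roles
     * @param authorizationService receives the roles of a principal after a successful login
     */
    @Inject
    public LoginRestApi(Notebook notebook, AuthenticationService authenticationService, AuthorizationService authorizationService) {
        this.zConf = notebook.getConf();
        this.authenticationService = authenticationService;
        this.authorizationService = authorizationService;
    }

    /**
     * Cookie-based login for SSO deployments.
     *
     * <p>When a {@link KnoxJwtRealm} is configured the Knox cookie is used; otherwise, when a
     * {@link KerberosRealm} is configured, the Kerberos cookie is used. With neither realm
     * present the method answers 405.
     *
     * @param httpHeaders request headers; only the cookies are read
     * @return the login result, a Knox redirect URL, 401 when no usable Kerberos token was
     *     presented, or 405 when no cookie-based realm applies
     */
    @GET
    @ZeppelinApi
    public Response getLogin(@Context HttpHeaders httpHeaders) {
        // One lookup decides the branch and yields the realm, so the realm cannot be
        // null in the Knox path even if the realm list were to change between two lookups.
        KnoxJwtRealm knoxRealm = getJTWRealm();
        if (knoxRealm != null) {
            return loginWithKnoxCookie(httpHeaders, knoxRealm);
        }
        if (getKerberosRealm() != null) {
            try {
                return loginWithKerberosCookie(httpHeaders);
            } catch (AuthenticationException e) {
                // Falls through to 405, as before; the failure is only visible in the log.
                LOG.error("Error in Login", e);
            }
        }
        return new JsonResponse<>(Response.Status.METHOD_NOT_ALLOWED).build();
    }

    /**
     * Logs in from the Kerberos cookie, answering 401 when no login took place.
     *
     * <p>A subject that is already authenticated as the cookie's principal is not logged in
     * again and therefore also receives the 401 answer; this mirrors the previous behaviour.
     */
    private Response loginWithKerberosCookie(HttpHeaders httpHeaders) {
        JsonResponse<Map<String, String>> jsonResponse = null;
        KerberosToken kerberosToken = KerberosRealm.getKerberosTokenFromCookies(httpHeaders.getCookies());
        if (kerberosToken != null) {
            Subject subject = SecurityUtils.getSubject();
            String tokenPrincipal = (String) kerberosToken.getPrincipal();
            if (!subject.isAuthenticated() || !subject.getPrincipal().equals(tokenPrincipal)) {
                jsonResponse = proceedToLogin(subject, kerberosToken);
            }
        }
        if (jsonResponse == null) {
            LOG.warn("No Kerberos token received");
            jsonResponse = new JsonResponse<>(Response.Status.UNAUTHORIZED, "", null);
        }
        return jsonResponse.build();
    }

    /**
     * Logs in from the Knox JWT cookie, or answers with the Knox login URL when no login took
     * place (no cookie, unparsable token, failed login, or already logged in as that name).
     */
    private Response loginWithKnoxCookie(HttpHeaders httpHeaders, KnoxJwtRealm knoxRealm) {
        JsonResponse<Map<String, String>> jsonResponse = null;
        Cookie jwtCookie = httpHeaders.getCookies().get(knoxRealm.getCookieName());
        if (jwtCookie != null && jwtCookie.getValue() != null) {
            Subject subject = SecurityUtils.getSubject();
            JWTAuthenticationToken jwtToken = new JWTAuthenticationToken(null, jwtCookie.getValue());
            try {
                // NOTE(review): the name read here comes from a token that has only been
                // parsed; signature and expiry checks are presumed to run inside
                // subject.login() via the realm - confirm in KnoxJwtRealm.
                String tokenName = knoxRealm.getName(jwtToken);
                if (!subject.isAuthenticated() || !subject.getPrincipal().equals(tokenName)) {
                    jsonResponse = proceedToLogin(subject, jwtToken);
                }
            } catch (ParseException e) {
                LOG.error("ParseException in LoginRestApi: ", e);
            }
        }
        if (jsonResponse == null) {
            Map<String, String> body = new HashMap<>();
            body.put("redirectURL", constructKnoxUrl(knoxRealm, knoxRealm.getLogin()));
            jsonResponse = new JsonResponse<>(Response.Status.OK, "", body);
        }
        return jsonResponse.build();
    }

    /**
     * Returns the configured realm whose class is exactly {@link KerberosRealm}, or
     * {@code null} when there is none. The exact class-name match is kept from the original,
     * so subclasses are not selected.
     */
    private KerberosRealm getKerberosRealm() {
        Collection<Realm> realms = this.authenticationService.getRealmsList();
        if (realms == null) {
            return null;
        }
        for (Realm realm : realms) {
            String realmClassName = realm.getClass().getName();
            LOG.debug("RealmClass.getName: {}", realmClassName);
            if (realmClassName.equals("org.apache.zeppelin.realm.kerberos.KerberosRealm")) {
                return (KerberosRealm) realm;
            }
        }
        return null;
    }

    /** Returns the first configured {@link KnoxJwtRealm}, or {@code null} when Knox SSO is not configured. */
    private KnoxJwtRealm getJTWRealm() {
        Collection<Realm> realms = this.authenticationService.getRealmsList();
        if (realms == null) {
            return null;
        }
        for (Realm realm : realms) {
            if (realm instanceof KnoxJwtRealm) {
                return (KnoxJwtRealm) realm;
            }
        }
        return null;
    }

    /**
     * Authenticates {@code subject} with {@code authenticationToken} and builds the success response.
     *
     * <p>The current user is logged out and its session stopped before a new session is
     * requested, so the authenticated session is not the one that existed before login.
     *
     * @return a 200 response with {@code principal}, {@code roles} and {@code ticket}, or
     *     {@code null} when authentication failed (the failure is logged)
     */
    private JsonResponse<Map<String, String>> proceedToLogin(Subject subject, AuthenticationToken authenticationToken) {
        JsonResponse<Map<String, String>> jsonResponse = null;
        try {
            logoutCurrentUser();
            subject.getSession(true);
            subject.login(authenticationToken);
            Set<String> associatedRoles = this.authenticationService.getAssociatedRoles();
            String principal = this.authenticationService.getPrincipal();
            String ticket = "anonymous".equals(principal) ? "anonymous" : TicketContainer.instance.getTicket(principal);
            Map<String, String> body = new HashMap<>();
            body.put("principal", principal);
            body.put("roles", GSON.toJson(associatedRoles));
            body.put("ticket", ticket);
            jsonResponse = new JsonResponse<>(Response.Status.OK, "", body);
            this.authorizationService.setRoles(principal, associatedRoles);
        } catch (AuthenticationException e) {
            LOG.error("Exception in login: ", e);
        }
        return jsonResponse;
    }

    /**
     * Form login with a user name and password.
     *
     * @param userName value of the {@code userName} form field
     * @param password value of the {@code password} form field; never logged
     * @return 200 with principal, roles and ticket on success, 403 otherwise
     */
    @POST
    @ZeppelinApi
    public Response postLogin(@FormParam("userName") String userName, @FormParam("password") String password) {
        // NOTE(review): userName is client-supplied and is logged as received.
        LOG.debug("userName: {}", userName);
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            subject.logout();
        }
        LOG.debug("currentUser: {}", subject);
        JsonResponse<Map<String, String>> jsonResponse = null;
        if (!subject.isAuthenticated()) {
            jsonResponse = proceedToLogin(subject, new UsernamePasswordToken(userName, password));
        }
        boolean loggedIn = jsonResponse != null;
        if (!loggedIn) {
            jsonResponse = new JsonResponse<>(Response.Status.FORBIDDEN, "", null);
        }
        // Only the outcome is logged. The response body of a successful login holds the
        // ticket, and JsonResponse.toString() presumably renders the body, so logging the
        // whole response would copy a usable credential into the log file.
        LOG.info("Form login {}", loggedIn ? "succeeded" : "was rejected");
        return jsonResponse.build();
    }

    /**
     * Logs the current user out.
     *
     * <p>The status is 401 when the configuration asks for the Authorization header to be
     * cleared and 403 otherwise; the body repeats that choice in
     * {@code clearAuthorizationHeader}. With Knox SSO configured the body also carries the
     * Knox logout URL and the realm's {@code isLogoutAPI} value.
     *
     * @return the logout response described above
     */
    @POST
    @ZeppelinApi
    @Path("logout")
    public Response logout() {
        logoutCurrentUser();
        Map<String, String> body = new HashMap<>();
        Response.Status status;
        if (this.zConf.isAuthorizationHeaderClear().booleanValue()) {
            status = Response.Status.UNAUTHORIZED;
            body.put("clearAuthorizationHeader", "true");
        } else {
            status = Response.Status.FORBIDDEN;
            body.put("clearAuthorizationHeader", "false");
        }
        KnoxJwtRealm knoxRealm = getJTWRealm();
        if (knoxRealm != null) {
            body.put("redirectURL", constructKnoxUrl(knoxRealm, knoxRealm.getLogout()));
            body.put("isLogoutAPI", knoxRealm.getLogoutAPI().toString());
        }
        JsonResponse<Map<String, String>> jsonResponse = new JsonResponse<>(status, "", body);
        // The logout body holds no ticket, so the full response is still logged.
        LOG.info(jsonResponse.toString());
        return jsonResponse.build();
    }

    /**
     * Builds a Knox URL from the realm's provider URL, the given path and, when the realm
     * defines one, a trailing {@code ?<redirectParam>=} left empty for the client to fill in.
     * Every part comes from the realm object; nothing from the request is used.
     */
    private String constructKnoxUrl(KnoxJwtRealm knoxJwtRealm, String path) {
        StringBuilder url = new StringBuilder(knoxJwtRealm.getProviderUrl());
        url.append(path);
        if (knoxJwtRealm.getRedirectParam() != null) {
            url.append("?").append(knoxJwtRealm.getRedirectParam()).append("=");
        }
        return url.toString();
    }

    /** Removes the current principal's ticket, stops its session and logs the subject out. */
    private void logoutCurrentUser() {
        Subject subject = SecurityUtils.getSubject();
        // The ticket is removed first, while the principal can still be resolved.
        TicketContainer.instance.removeTicket(this.authenticationService.getPrincipal());
        subject.getSession().stop();
        subject.logout();
    }
}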
