package org.apache.hive.org.apache.hadoop.security.authentication.server;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hive.org.apache.hadoop.hbase.security.visibility.VisibilityConstants;
import org.apache.hive.org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hive.org.apache.hadoop.security.authentication.util.CertificateUtil;
import org.apache.hive.org.slf4j.Logger;
import org.apache.hive.org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hive/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.class */
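/**
 * Alternate (non-Kerberos) authentication handler that accepts a signed JWT carried in a
 * cookie (default name {@code hadoop-jwt}) and, when no acceptable token is present, redirects
 * the browser to the configured identity provider with the original request URL attached.
 *
 * <p>A token is accepted only when all three checks pass: the RSA signature verifies against the
 * single configured public key, the {@code aud} claim matches one configured audience (skipped
 * when {@code expected.jwt.audiences} is not set), and the {@code exp} claim, if present, is in
 * the future. Caveats a deployer should be aware of (all visible in the code below):
 * <ul>
 *   <li>A token with no {@code exp} claim never expires here; this is retained for
 *       compatibility, so the provider must always set {@code exp}.</li>
 *   <li>No {@code iss} or {@code nbf} claim is checked.</li>
 *   <li>Only one static RSA key is supported; there is no JWKS lookup or key rotation.</li>
 *   <li>{@code originalUrl} is built from the request's own URL (i.e. the Host header) and is
 *       appended without URL-encoding; the identity provider must validate it before using it as
 *       a redirect target.</li>
 * </ul>
 */
public class JWTRedirectAuthenticationHandler extends AltKerberosAuthenticationHandler {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) JWTRedirectAuthenticationHandler.class);
    public static final String AUTHENTICATION_PROVIDER_URL = "authentication.provider.url";
    public static final String PUBLIC_KEY_PEM = "public.key.pem";
    public static final String EXPECTED_JWT_AUDIENCES = "expected.jwt.audiences";
    public static final String JWT_COOKIE_NAME = "jwt.cookie.name";
    private static final String ORIGINAL_URL_QUERY_PARAM = "originalUrl=";
    /** Base URL of the identity provider that unauthenticated requests are redirected to. */
    private String authenticationProviderUrl = null;
    /** The single RSA public key every token signature must verify against. */
    private RSAPublicKey publicKey = null;
    /** Accepted {@code aud} values; null means audience validation is skipped entirely. */
    private List<String> audiences = null;
    /** Name of the cookie that carries the serialized JWT. */
    private String cookieName = "hadoop-jwt";

    /**
     * Injects the verification key directly. A key set this way takes precedence over the
     * {@code public.key.pem} property in {@link #init(Properties)}.
     */
    public void setPublicKey(RSAPublicKey rSAPublicKey) {
        this.publicKey = rSAPublicKey;
    }

    /**
     * Reads the handler configuration.
     *
     * @throws ServletException if {@code authentication.provider.url} is missing, or if no public
     *         key was injected and {@code public.key.pem} is missing
     */
    @Override
    public void init(Properties properties) throws ServletException {
        super.init(properties);
        this.authenticationProviderUrl = properties.getProperty(AUTHENTICATION_PROVIDER_URL);
        if (this.authenticationProviderUrl == null) {
            throw new ServletException("Authentication provider URL must not be null - configure: authentication.provider.url");
        }
        // A key supplied through setPublicKey() wins; otherwise the PEM property is mandatory.
        if (this.publicKey == null) {
            String pem = properties.getProperty(PUBLIC_KEY_PEM);
            if (pem == null) {
                throw new ServletException("Public key for signature validation must be provisioned.");
            }
            this.publicKey = CertificateUtil.parseRSAPublicKey(pem);
        }
        String expectedAudiences = properties.getProperty(EXPECTED_JWT_AUDIENCES);
        if (expectedAudiences != null) {
            this.audiences = new ArrayList<>();
            // Trim each entry so "a, b" in the config does not yield an unmatchable " b".
            for (String audience : expectedAudiences.split(",")) {
                this.audiences.add(audience.trim());
            }
        }
        String configuredCookieName = properties.getProperty(JWT_COOKIE_NAME);
        if (configuredCookieName != null) {
            this.cookieName = configuredCookieName;
        }
    }

    /**
     * Authenticates the request from the JWT cookie.
     *
     * @return an {@link AuthenticationToken} for the token's subject when the JWT validates, or
     *         null after a redirect to the identity provider has been sent (no cookie, unparsable
     *         token, failed validation, or a token without a subject)
     */
    @Override
    public AuthenticationToken alternateAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        String serializedToken = getJWTFromCookie(httpServletRequest);
        if (serializedToken == null) {
            String loginUrl = constructLoginURL(httpServletRequest);
            LOG.info("sending redirect to: " + loginUrl);
            httpServletResponse.sendRedirect(loginUrl);
            return null;
        }
        String subject = null;
        boolean valid = false;
        try {
            SignedJWT jwt = SignedJWT.parse(serializedToken);
            valid = validateToken(jwt);
            if (valid) {
                subject = jwt.getJWTClaimsSet().getSubject();
                if (subject == null) {
                    // Fail closed: without a subject there is no identity to issue a token for.
                    LOG.warn("jwtToken has no subject claim");
                    valid = false;
                } else {
                    LOG.info("USERNAME: " + subject);
                }
            } else {
                // Never log the serialized token itself: it is a bearer credential (it may be
                // valid for another audience, or merely expired) and would persist in log files.
                LOG.warn("jwtToken failed validation (alg=" + jwt.getHeader().getAlgorithm() + ")");
            }
        } catch (ParseException e) {
            LOG.warn("Unable to parse the JWT token", (Throwable) e);
        }
        if (!valid) {
            String loginUrl = constructLoginURL(httpServletRequest);
            LOG.info("token validation failed - sending redirect to: " + loginUrl);
            httpServletResponse.sendRedirect(loginUrl);
            return null;
        }
        LOG.debug("Issuing AuthenticationToken for user.");
        return new AuthenticationToken(subject, subject, getType());
    }

    /**
     * Returns the value of the first cookie named {@link #cookieName}, or null when the request
     * carries no such cookie.
     */
    protected String getJWTFromCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (this.cookieName.equals(cookie.getName())) {
                LOG.info(this.cookieName + " cookie has been found and is being processed");
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Builds the identity-provider login URL with {@code originalUrl=<request URL><?query>}
     * appended, using {@code &} when the provider URL already has a query string.
     *
     * <p>The original URL is appended verbatim (not URL-encoded), as upstream does; a query string
     * on the original request therefore becomes additional parameters of the provider URL.
     */
    protected String constructLoginURL(HttpServletRequest httpServletRequest) {
        String delimiter = this.authenticationProviderUrl.contains("?") ? "&" : "?";
        return this.authenticationProviderUrl + delimiter + ORIGINAL_URL_QUERY_PARAM
                + httpServletRequest.getRequestURL().toString()
                + getOriginalQueryString(httpServletRequest);
    }

    /** Returns {@code "?" + query} for the request, or the empty string when there is no query. */
    private String getOriginalQueryString(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        return queryString == null ? "" : "?" + queryString;
    }

    /**
     * Runs all three checks (signature, audience, expiration), logging each failure, and returns
     * true only when every one of them passed. All checks are evaluated even after a failure so
     * that the log shows every reason the token was rejected.
     */
    protected boolean validateToken(SignedJWT signedJWT) {
        boolean signatureOk = validateSignature(signedJWT);
        if (!signatureOk) {
            LOG.warn("Signature could not be verified");
        }
        boolean audienceOk = validateAudiences(signedJWT);
        if (!audienceOk) {
            LOG.warn("Audience validation failed.");
        }
        boolean expirationOk = validateExpiration(signedJWT);
        if (!expirationOk) {
            LOG.info("Expiration validation failed.");
        }
        return signatureOk && audienceOk && expirationOk;
    }

    /**
     * Verifies the token's RSA signature against the configured public key. Returns false for an
     * unsigned token, a missing signature, a verification failure, or a {@link JOSEException}.
     */
    protected boolean validateSignature(SignedJWT signedJWT) {
        if (JWSObject.State.SIGNED != signedJWT.getState()) {
            return false;
        }
        LOG.debug("JWT token is in a SIGNED state");
        if (signedJWT.getSignature() == null) {
            return false;
        }
        LOG.debug("JWT token signature is not null");
        try {
            // RSASSAVerifier only accepts RSA-based JWS algorithms, so an HMAC or "none" token
            // cannot be verified against this public key.
            if (signedJWT.verify(new RSASSAVerifier(this.publicKey))) {
                LOG.debug("JWT token has been successfully verified");
                return true;
            }
            LOG.warn("JWT signature verification failed.");
        } catch (JOSEException e) {
            LOG.warn("Error while validating signature", (Throwable) e);
        }
        return false;
    }

    /**
     * Returns true when no audiences are configured, or when at least one {@code aud} value of
     * the token is in the configured list. A token with no {@code aud} claim fails the check
     * (rather than throwing) when audiences are configured.
     */
    protected boolean validateAudiences(SignedJWT signedJWT) {
        if (this.audiences == null) {
            return true;
        }
        try {
            List<String> tokenAudiences = signedJWT.getJWTClaimsSet().getAudience();
            // getAudience() may yield null for a token without an "aud" claim; guard so a
            // malformed token produces a redirect instead of an unhandled NullPointerException.
            if (tokenAudiences != null) {
                for (String audience : tokenAudiences) {
                    if (this.audiences.contains(audience)) {
                        LOG.debug("JWT token audience has been successfully validated");
                        return true;
                    }
                }
            }
            LOG.warn("JWT audience validation failed.");
        } catch (ParseException e) {
            LOG.warn("Unable to parse the JWT token.", (Throwable) e);
        }
        return false;
    }

    /**
     * Returns true when the {@code exp} claim is absent or still in the future.
     *
     * <p>NOTE(review): accepting a missing {@code exp} means such a token is valid forever; this
     * matches the upstream behaviour and is kept for compatibility, so the issuing provider must
     * always set {@code exp}. No clock skew allowance and no {@code nbf} check is applied.
     */
    protected boolean validateExpiration(SignedJWT signedJWT) {
        try {
            Date expirationTime = signedJWT.getJWTClaimsSet().getExpirationTime();
            if (expirationTime == null || new Date().before(expirationTime)) {
                LOG.debug("JWT token expiration date has been successfully validated");
                return true;
            }
            LOG.warn("JWT expiration date validation failed.");
        } catch (ParseException e) {
            LOG.warn("JWT expiration date validation failed.", (Throwable) e);
        }
        return false;
    }
}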
