package org.apache.druid.security.pac4j;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import java.io.IOException;
import java.text.ParseException;
import java.util.Map;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.server.security.AuthenticationResult;
import org.pac4j.oidc.profile.creator.TokenValidator;

/* loaded from: input_file:org/apache/druid/security/pac4j/JwtAuthFilter.class */
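/**
 * Servlet filter that authenticates a request from an OIDC ID token carried in an
 * {@code Authorization: Bearer <token>} header.
 *
 * <p>When the token validates and carries the configured identity claim, the filter stores an
 * {@link AuthenticationResult} on the request under {@code Druid-Authentication-Result}.
 * In every other case except a missing identity claim (which is answered with 401), the request
 * is passed down the chain <em>without</em> that attribute. This filter therefore does not by
 * itself block unauthenticated requests; something later in the chain must reject requests
 * that still have no authentication result.
 */
public class JwtAuthFilter implements Filter {
    private static final Logger LOG = new Logger(JwtAuthFilter.class);

    /** Request attribute under which the authentication result is published. */
    private static final String AUTH_RESULT_ATTRIBUTE = "Druid-Authentication-Result";

    /** Scheme prefix expected at the start of the Authorization header. */
    private static final String BEARER_PREFIX = "Bearer ";

    private final String authorizerName;
    private final String name;
    private final OIDCConfig oidcConfig;
    private final TokenValidator tokenValidator;

    /**
     * @param authorizerName authorizer name recorded in the produced {@link AuthenticationResult}
     * @param name           authenticator name recorded in the produced {@link AuthenticationResult}
     * @param oidcConfig     supplies the identity claim name and the client id used in logging
     * @param tokenValidator validates the parsed JWT and returns its claims
     */
    public JwtAuthFilter(String authorizerName, String name, OIDCConfig oidcConfig, TokenValidator tokenValidator) {
        this.authorizerName = authorizerName;
        this.name = name;
        this.oidcConfig = oidcConfig;
        this.tokenValidator = tokenValidator;
    }

    /** No initialisation is required. */
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Attempts bearer-token authentication and then continues the filter chain.
     *
     * @throws IOException      propagated from the chain or from sending the error response
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // An earlier filter already authenticated this request; do not re-evaluate or overwrite it.
        if (servletRequest.getAttribute(AUTH_RESULT_ATTRIBUTE) != null) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        Optional<String> bearerToken = extractBearerToken((HttpServletRequest) servletRequest);
        if (bearerToken.isPresent()) {
            try {
                // No nonce is supplied, so nonce matching is not part of this validation.
                IDTokenClaimsSet claims = this.tokenValidator.validate(JWTParser.parse(bearerToken.get()), (Nonce) null);
                if (claims != null) {
                    // The claim may be absent, in which case the lookup can yield null. Wrapping it
                    // with Optional.of() would throw NullPointerException and make the 401 branch
                    // below unreachable, so the value is null-checked explicitly.
                    String identity = claims.getStringClaim(this.oidcConfig.getOidcClaim());
                    if (identity == null) {
                        LOG.error("Authentication failed! Please ensure that the ID token is valid and it contains the configured claim.");
                        httpServletResponse.sendError(401);
                        return;
                    }
                    LOG.debug("Authentication successful for " + this.oidcConfig.getClientID());
                    servletRequest.setAttribute(AUTH_RESULT_ATTRIBUTE, new AuthenticationResult(identity, this.authorizerName, this.name, (Map) null));
                }
            } catch (BadJOSEException | JOSEException | ParseException e) {
                // A token that cannot be parsed or validated is only logged (never the token itself);
                // the request continues below with no authentication result attached.
                LOG.error(e, "Failed to parse JWT token");
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** No resources to release. */
    public void destroy() {
    }

    /**
     * Returns the token portion of an {@code Authorization: Bearer <token>} header.
     *
     * <p>The scheme match is case-sensitive and requires exactly one trailing space; the
     * remainder of the header is returned untrimmed.
     *
     * @return the token text, or empty when the header is missing or uses another scheme
     */
    private static Optional<String> extractBearerToken(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header != null && header.startsWith(BEARER_PREFIX)) {
            return Optional.of(header.substring(BEARER_PREFIX.length()));
        }
        LOG.debug("Request does not contain bearer authentication scheme");
        return Optional.empty();
    }
}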
