package org.apache.atlas.web.filters;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.net.HttpHeaders;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.web.security.AtlasAuthenticationProvider;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.apache.http.client.utils.URIBuilder;
import org.apache.log4j.spi.LocationInfo;
import org.json.simple.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Component;

@Component("ssoAuthenticationFilter")
/* loaded from: input_file:WEB-INF/lib/atlas-webapp-1.1.0.jar:org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.class */
public class AtlasKnoxSSOAuthenticationFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) AtlasKnoxSSOAuthenticationFilter.class);
    public static final String BROWSER_USERAGENT = "atlas.sso.knox.browser.useragent";
    public static final String JWT_AUTH_PROVIDER_URL = "atlas.sso.knox.providerurl";
    public static final String JWT_PUBLIC_KEY = "atlas.sso.knox.publicKey";
    public static final String JWT_COOKIE_NAME = "atlas.sso.knox.cookiename";
    public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "atlas.sso.knox.query.param.originalurl";
    public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt";
    public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl";
    public static final String DEFAULT_BROWSER_USERAGENT = "Mozilla,Opera,Chrome";
    public static final String PROXY_ATLAS_URL_PATH = "/atlas";
    private final AtlasAuthenticationProvider authenticationProvider;
    private SSOAuthenticationProperties jwtProperties;
    private String originalUrlQueryParam;
    private String authenticationProviderUrl;
    private RSAPublicKey publicKey;
    private String cookieName;
    private Configuration configuration;
    private boolean ssoEnabled;
    private JWSVerifier verifier;

    @VisibleForTesting
    private final int MAX_LOGIN_URL_LENGTH = 2043;

    @Inject
    public AtlasKnoxSSOAuthenticationFilter(AtlasAuthenticationProvider atlasAuthenticationProvider) {
        this.originalUrlQueryParam = JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT;
        this.authenticationProviderUrl = null;
        this.publicKey = null;
        this.cookieName = JWT_COOKIE_NAME_DEFAULT;
        this.configuration = null;
        this.ssoEnabled = false;
        this.verifier = null;
        this.MAX_LOGIN_URL_LENGTH = 2043;
        this.authenticationProvider = atlasAuthenticationProvider;
        try {
            this.configuration = ApplicationProperties.get();
        } catch (Exception e) {
            LOG.error("Error while getting application properties", (Throwable) e);
        }
        if (this.configuration != null) {
            this.ssoEnabled = this.configuration.getBoolean("atlas.sso.knox.enabled", false);
            this.jwtProperties = loadJwtProperties();
        }
        setJwtProperties();
    }

    public AtlasKnoxSSOAuthenticationFilter(AtlasAuthenticationProvider atlasAuthenticationProvider, SSOAuthenticationProperties sSOAuthenticationProperties) {
        this.originalUrlQueryParam = JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT;
        this.authenticationProviderUrl = null;
        this.publicKey = null;
        this.cookieName = JWT_COOKIE_NAME_DEFAULT;
        this.configuration = null;
        this.ssoEnabled = false;
        this.verifier = null;
        this.MAX_LOGIN_URL_LENGTH = 2043;
        this.authenticationProvider = atlasAuthenticationProvider;
        this.jwtProperties = sSOAuthenticationProperties;
        setJwtProperties();
    }

    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        AtlasResponseRequestWrapper atlasResponseRequestWrapper = new AtlasResponseRequestWrapper((HttpServletResponse) servletResponse);
        atlasResponseRequestWrapper.setHeader("X-Frame-Options", "DENY");
        atlasResponseRequestWrapper.setHeader("X-Content-Type-Options", "nosniff");
        atlasResponseRequestWrapper.setHeader("X-XSS-Protection", "1; mode=block");
        atlasResponseRequestWrapper.setHeader(HttpHeaders.STRICT_TRANSPORT_SECURITY, "max-age=31536000; includeSubDomains");
        if (!this.ssoEnabled) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (LOG.isDebugEnabled()) {
            LOG.debug("Knox doFilter {}", httpServletRequest.getRequestURI());
        }
        if (httpServletRequest.getSession() != null && httpServletRequest.getSession().getAttribute("locallogin") != null) {
            servletRequest.setAttribute("ssoEnabled", false);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (this.jwtProperties == null || isAuthenticated()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Knox ssoEnabled  {} {}", Boolean.valueOf(this.ssoEnabled), httpServletRequest.getRequestURI());
        }
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        String jWTFromCookie = getJWTFromCookie(httpServletRequest);
        if (jWTFromCookie == null) {
            redirectToKnox(httpServletRequest, httpServletResponse, filterChain);
            return;
        }
        try {
            SignedJWT parse = SignedJWT.parse(jWTFromCookie);
            if (validateToken(parse)) {
                String subject = parse.getJWTClaimsSet().getSubject();
                LOG.info("SSO login user : {} ", subject);
                if (subject != null && !subject.trim().isEmpty()) {
                    List<GrantedAuthority> authoritiesFromUGI = AtlasAuthenticationProvider.getAuthoritiesFromUGI(subject);
                    UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(new User(subject, "", authoritiesFromUGI), "", authoritiesFromUGI);
                    usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetails(httpServletRequest));
                    this.authenticationProvider.setSsoEnabled(this.ssoEnabled);
                    SecurityContextHolder.getContext().setAuthentication(this.authenticationProvider.authenticate(usernamePasswordAuthenticationToken));
                }
                filterChain.doFilter(servletRequest, httpServletResponse);
            } else {
                redirectToKnox(httpServletRequest, httpServletResponse, filterChain);
            }
        } catch (ParseException e) {
            LOG.warn("Unable to parse the JWT token", (Throwable) e);
            redirectToKnox(httpServletRequest, httpServletResponse, filterChain);
        }
    }

    private void redirectToKnox(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!isWebUserAgent(httpServletRequest.getHeader("User-Agent"))) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        if (!"XMLHttpRequest".equals(httpServletRequest.getHeader("X-Requested-With"))) {
            httpServletResponse.sendRedirect(constructLoginURL(httpServletRequest, false));
            return;
        }
        String constructLoginURL = constructLoginURL(httpServletRequest, true);
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("knoxssoredirectURL", URLEncoder.encode(constructLoginURL, "UTF-8"));
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setStatus(401);
        httpServletResponse.sendError(401, jSONObject.toString());
    }

    private boolean isWebUserAgent(String str) {
        String[] userAgentList;
        boolean z = false;
        if (this.jwtProperties != null && (userAgentList = this.jwtProperties.getUserAgentList()) != null && userAgentList.length > 0) {
            int length = userAgentList.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                if (StringUtils.startsWithIgnoreCase(str, userAgentList[i])) {
                    z = true;
                    break;
                }
                i++;
            }
        }
        return z;
    }

    private void setJwtProperties() {
        if (this.jwtProperties != null) {
            this.authenticationProviderUrl = this.jwtProperties.getAuthenticationProviderUrl();
            this.publicKey = this.jwtProperties.getPublicKey();
            this.cookieName = this.jwtProperties.getCookieName();
            this.originalUrlQueryParam = this.jwtProperties.getOriginalUrlQueryParam();
            if (this.publicKey != null) {
                this.verifier = new RSASSAVerifier(this.publicKey);
            }
        }
    }

    private boolean isAuthenticated() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return (authentication == null || !authentication.isAuthenticated() || (authentication instanceof SSOAuthentication)) ? false : true;
    }

    protected String getJWTFromCookie(HttpServletRequest httpServletRequest) {
        String str = null;
        Cookie[] cookies = httpServletRequest.getCookies();
        if (this.cookieName != null && cookies != null) {
            int length = cookies.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                Cookie cookie = cookies[i];
                if (this.cookieName.equals(cookie.getName())) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("{} cookie has been found and is being processed", this.cookieName);
                    }
                    str = cookie.getValue();
                } else {
                    i++;
                }
            }
        }
        return str;
    }

    protected String constructLoginURL(HttpServletRequest httpServletRequest, boolean z) {
        String str = LocationInfo.NA;
        if (this.authenticationProviderUrl.contains(LocationInfo.NA)) {
            str = "&";
        }
        String constructForwardableURL = constructForwardableURL(parseXForwardHeader(httpServletRequest), httpServletRequest.getRequestURI());
        StringBuilder sb = new StringBuilder();
        sb.append(this.authenticationProviderUrl).append(str).append(this.originalUrlQueryParam).append("=");
        if (z) {
            String header = httpServletRequest.getHeader("referer");
            String str2 = header == null ? httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + ":" + httpServletRequest.getServerPort() + httpServletRequest.getContextPath() : header;
            if (StringUtils.trimToNull(constructForwardableURL) != null) {
                safeAppend(sb, constructForwardableURL, str2);
            } else {
                safeAppend(sb, str2);
            }
        } else if (StringUtils.trimToNull(constructForwardableURL) != null) {
            safeAppend(sb, constructForwardableURL, getOriginalQueryString(httpServletRequest));
        } else {
            safeAppend(sb, httpServletRequest.getRequestURL().toString(), getOriginalQueryString(httpServletRequest));
        }
        return sb.toString();
    }

    private String getOriginalQueryString(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        return queryString == null ? "" : LocationInfo.NA + queryString;
    }

    private Map<String, String> parseXForwardHeader(HttpServletRequest httpServletRequest) {
        String str = "";
        String str2 = "";
        String str3 = "";
        HashMap hashMap = null;
        Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String nextElement = headerNames.nextElement();
            Enumeration<String> headers = httpServletRequest.getHeaders(nextElement);
            String str4 = "";
            if (headers != null) {
                while (headers.hasMoreElements()) {
                    str4 = headers.nextElement();
                }
            }
            if (StringUtils.trimToNull(nextElement) != null && StringUtils.trimToNull(str4) != null) {
                if (nextElement.equalsIgnoreCase("x-forwarded-proto")) {
                    str = str4;
                } else if (nextElement.equalsIgnoreCase("x-forwarded-host")) {
                    str2 = str4;
                } else if (nextElement.equalsIgnoreCase("x-forwarded-context")) {
                    str3 = str4;
                }
            }
        }
        if (StringUtils.isNotEmpty(str) && StringUtils.isNotEmpty(str2) && StringUtils.isNotEmpty(str3)) {
            hashMap = new HashMap();
            hashMap.put("x-forwarded-proto", str);
            hashMap.put("x-forwarded-host", str2);
            hashMap.put("x-forwarded-context", str3);
        }
        return hashMap;
    }

    private String constructForwardableURL(Map<String, String> map, String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(" constructForwardableURL ==>>" + map + " requestURI " + str);
        }
        String str2 = null;
        if (map != null) {
            String str3 = map.get("x-forwarded-proto");
            String str4 = map.get("x-forwarded-host");
            String str5 = map.get("x-forwarded-context");
            if (StringUtils.isNotBlank(str3) && StringUtils.isNotBlank(str4) && StringUtils.isNotBlank(str5)) {
                try {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug(" Atlas url with proxy path ==>" + str3 + "://" + str4 + str5 + PROXY_ATLAS_URL_PATH + str);
                    }
                    URIBuilder uRIBuilder = new URIBuilder();
                    uRIBuilder.setScheme(str3).setHost(str4).setPath(str5 + PROXY_ATLAS_URL_PATH + str);
                    str2 = uRIBuilder.build().toString();
                } catch (URISyntaxException e) {
                    LOG.error(" URISyntaxException while build xforward url ", (Throwable) e);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(" xForwardedURL ==>> " + str2);
        }
        return str2;
    }

    @VisibleForTesting
    void safeAppend(StringBuilder sb, String... strArr) {
        for (String str : strArr) {
            if (sb.length() + str.length() < 2043) {
                sb.append(str);
            }
        }
    }

    protected boolean validateToken(SignedJWT signedJWT) {
        boolean validateSignature = validateSignature(signedJWT);
        if (validateSignature) {
            validateSignature = validateExpiration(signedJWT);
            if (!validateSignature) {
                LOG.warn("Expiration time validation of JWT token failed.");
            }
        } else {
            LOG.warn("Signature of JWT token could not be verified. Please check the public key");
        }
        return validateSignature;
    }

    protected boolean validateSignature(SignedJWT signedJWT) {
        boolean z = false;
        if (JWSObject.State.SIGNED == signedJWT.getState()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SSO token is in a SIGNED state");
            }
            if (signedJWT.getSignature() != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("SSO token signature is not null");
                }
                try {
                    if (this.verifier == null || !signedJWT.verify(this.verifier)) {
                        LOG.warn("SSO signature verification failed.Please check the public key");
                    } else {
                        z = true;
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("SSO token has been successfully verified");
                        }
                    }
                } catch (JOSEException e) {
                    LOG.warn("Error while validating signature", (Throwable) e);
                } catch (Exception e2) {
                    LOG.warn("Error while validating signature", (Throwable) e2);
                }
            }
        }
        return z;
    }

    protected boolean validateExpiration(SignedJWT signedJWT) {
        boolean z = false;
        try {
            Date expirationTime = signedJWT.getJWTClaimsSet().getExpirationTime();
            if (expirationTime == null || new Date().before(expirationTime)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("SSO token expiration date has been successfully validated");
                }
                z = true;
            } else {
                LOG.warn("SSO expiration date validation failed.");
            }
        } catch (ParseException e) {
            LOG.warn("SSO expiration date validation failed.", (Throwable) e);
        }
        return z;
    }

    @Override // javax.servlet.Filter
    public void destroy() {
    }

    public SSOAuthenticationProperties loadJwtProperties() {
        String string = this.configuration.getString(JWT_AUTH_PROVIDER_URL);
        if (string == null || !this.configuration.getBoolean("atlas.sso.knox.enabled", false)) {
            return null;
        }
        SSOAuthenticationProperties sSOAuthenticationProperties = new SSOAuthenticationProperties();
        String string2 = this.configuration.getString(JWT_PUBLIC_KEY);
        if (string2 == null) {
            LOG.error("Public key pem not specified for SSO auth provider {}. SSO auth will be disabled");
            return null;
        }
        sSOAuthenticationProperties.setAuthenticationProviderUrl(string);
        sSOAuthenticationProperties.setCookieName(this.configuration.getString(JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT));
        sSOAuthenticationProperties.setOriginalUrlQueryParam(this.configuration.getString(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT));
        String[] stringArray = this.configuration.getStringArray(BROWSER_USERAGENT);
        if (stringArray == null || stringArray.length <= 0) {
            sSOAuthenticationProperties.setUserAgentList(DEFAULT_BROWSER_USERAGENT.split(","));
        } else {
            sSOAuthenticationProperties.setUserAgentList(stringArray);
        }
        try {
            sSOAuthenticationProperties.setPublicKey(parseRSAPublicKey(string2));
        } catch (IOException e) {
            LOG.error("Unable to read public certificate file. JWT auth will be disabled.", (Throwable) e);
        } catch (CertificateException e2) {
            LOG.error("Unable to parse public certificate file. JWT auth will be disabled.", (Throwable) e2);
        } catch (ServletException e3) {
            LOG.error("ServletException while processing the properties", (Throwable) e3);
        }
        return sSOAuthenticationProperties;
    }

    public static RSAPublicKey parseRSAPublicKey(String str) throws CertificateException, UnsupportedEncodingException, ServletException {
        try {
            return (RSAPublicKey) ((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(("-----BEGIN CERTIFICATE-----\n" + str + "\n-----END CERTIFICATE-----").getBytes("UTF8")))).getPublicKey();
        } catch (UnsupportedEncodingException e) {
            throw new ServletException(e);
        } catch (CertificateException e2) {
            throw new ServletException(str.startsWith("-----BEGIN CERTIFICATE-----\n") ? "CertificateException - be sure not to include PEM header and footer in the PEM configuration element." : "CertificateException - PEM may be corrupt", e2);
        }
    }
}
