package org.apache.hadoop.security.authentication.server;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.hdfs.web.oauth2.OAuth2Constants;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.JWTUtils;
import org.apache.hadoop.security.authentication.util.SsoConfigurationUtil;
import org.apache.hadoop.shaded.com.auth0.jwt.JWT;
import org.apache.hadoop.shaded.com.auth0.jwt.exceptions.JWTDecodeException;
import org.apache.hadoop.shaded.com.auth0.jwt.interfaces.DecodedJWT;
import org.apache.hadoop.shaded.com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.hadoop.shaded.javax.servlet.ServletException;
import org.apache.hadoop.shaded.javax.servlet.http.HttpServletRequest;
import org.apache.hadoop.shaded.javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.shaded.org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.hadoop.shaded.org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.hadoop.shaded.org.apache.http.client.methods.HttpPost;
import org.apache.hadoop.shaded.org.apache.http.impl.client.CloseableHttpClient;
import org.apache.hadoop.shaded.org.apache.http.impl.client.HttpClientBuilder;
import org.apache.hadoop.shaded.org.apache.http.message.BasicNameValuePair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.class */
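/**
 * Authentication handler that completes an OpenID Connect authorization-code flow against the
 * configured provider and then trusts a JWT carried in a cookie on subsequent requests.
 *
 * Three entry conditions are handled by {@link #postauthenticate}:
 * <ul>
 *   <li>a JWT cookie is present: it is decoded, validated and turned into an {@link AuthenticationToken};</li>
 *   <li>no cookie but a {@code code} parameter: the code is redeemed at the provider's token endpoint and the
 *       returned {@code access_token} is validated;</li>
 *   <li>neither: the browser is redirected to the provider's authorization endpoint.</li>
 * </ul>
 *
 * Security caveats visible in this class (not fixed here because they need state this handler does not own):
 * the authorization request built by {@link #constructLoginURL} carries no {@code state} (nor PKCE) value and the
 * callback does not check one, so the callback is open to login-CSRF; the {@code redirect_uri} sent at
 * authorization time and the one sent at token-exchange time are built differently (see notes inline).
 */
public class JWTRedirectAuthenticationHandler extends MultiMechsAuthenticationHandler {
    private static final Logger LOG = LoggerFactory.getLogger(JWTRedirectAuthenticationHandler.class);
    /** Property: base URL of the OIDC provider; a trailing slash is stripped in {@link #init}. */
    public static final String AUTHENTICATION_PROVIDER_URL = "authentication.provider.url";
    /** Property: OAuth client id; falls back to {@code SsoConfigurationUtil#getClientId()}. */
    public static final String JWT_CLIENT_ID = "jwt.client.id";
    /** Property: OAuth client secret; when unset, {@code SsoConfigurationUtil#getClientSecret()} is used. */
    public static final String JWT_CLIENT_SECRET = "jwt.client.secret";
    private static final String REDIRECT_URI_QUERY_PARAM = "redirect_uri=";
    private static final String CODE = "code";
    /** ObjectMapper is costly to construct and thread-safe once built; share one instead of one per request. */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    private String authenticationProviderUrl = null;
    private String clientId = null;
    /** Explicit {@value #JWT_CLIENT_SECRET} override, or null to defer to SsoConfigurationUtil at exchange time. */
    private String clientSecret = null;

    /**
     * Reads provider URL, client id and (optionally) client secret from the handler properties.
     *
     * @param properties handler configuration
     * @throws ServletException when no provider URL is configured anywhere
     */
    @Override
    public void init(Properties properties) throws ServletException {
        this.authenticationProviderUrl = properties.getProperty(AUTHENTICATION_PROVIDER_URL,
                SsoConfigurationUtil.getInstance().getClientIssuer());
        if (this.authenticationProviderUrl == null) {
            throw new ServletException("Authentication provider URL must not be null - configure: authentication.provider.url");
        }
        if (this.authenticationProviderUrl.endsWith("/")) {
            this.authenticationProviderUrl = this.authenticationProviderUrl.substring(0, this.authenticationProviderUrl.length() - 1);
        }
        this.clientId = properties.getProperty(JWT_CLIENT_ID, SsoConfigurationUtil.getInstance().getClientId());
        // Deliberately no default: when the property is absent the secret is still read from SsoConfigurationUtil
        // at exchange time, as before. The constant existed but was never read; this only honours it.
        this.clientSecret = properties.getProperty(JWT_CLIENT_SECRET);
    }

    /**
     * Dispatches on the presence of a JWT cookie / authorization code (see class doc).
     *
     * @return an authentication token for the validated user, or null when a redirect to the login page was sent
     * @throws IOException          on redirect or token-endpoint I/O failure (including a non-2xx token response)
     * @throws AuthenticationException when the token endpoint answered without an access token
     */
    @Override
    public AuthenticationToken postauthenticate(HttpServletRequest request, HttpServletResponse response)
            throws IOException, AuthenticationException {
        String cookieJwt = JWTUtils.getJWTFromCookie(request);
        if (cookieJwt != null) {
            return authenticateFromCookie(cookieJwt, request, response);
        }
        String code = request.getParameter(CODE);
        if (code != null) {
            return authenticateFromCode(code, request, response);
        }
        // No credential at all: start the authorization-code flow.
        redirectToLogin(request, response);
        return null;
    }

    /** Cookie path: the cookie is attacker-controllable input, so failure must neither crash nor log the token. */
    private AuthenticationToken authenticateFromCookie(String jwt, HttpServletRequest request,
            HttpServletResponse response) throws IOException {
        DecodedJWT decoded = decodeOrNull(jwt);
        String user = decoded == null ? null : principalFromToken(decoded);
        if (user == null) {
            // The raw token is a bearer credential (or hostile input); it does not belong in the log.
            LOG.warn("jwtToken failed validation");
            LOG.info("token validation failed - sending redirect to login");
            redirectToLogin(request, response);
            return null;
        }
        LOG.debug("Issuing AuthenticationToken for user.");
        return new AuthenticationToken(user, user, getType());
    }

    /** Code path: redeem the code, validate the returned access token and mint a cookie-backed token. */
    private AuthenticationToken authenticateFromCode(String code, HttpServletRequest request,
            HttpServletResponse response) throws IOException, AuthenticationException {
        String tokenResponse = getJWTTokenFromCode(code, request);
        // An error response ({"error": ...}) has no access_token; dereferencing the missing node used to NPE.
        String accessToken = MAPPER.readTree(tokenResponse).path(OAuth2Constants.ACCESS_TOKEN).asText(null);
        if (accessToken == null || accessToken.isEmpty()) {
            throw new AuthenticationException("Token endpoint response did not contain an access token");
        }
        // NOTE(review): identity is taken from access_token rather than id_token; whether the provider issues JWT
        // access tokens carrying the user attribute is deployment-specific — confirm against the provider config.
        DecodedJWT decoded = decodeOrNull(accessToken);
        String user = decoded == null ? null : principalFromToken(decoded);
        if (user == null) {
            LOG.info("Can't add token to cookie, because validating failed.");
            redirectToLogin(request, response);
            return null;
        }
        if (decoded.getExpiresAt() == null) {
            // Nothing would bound the cookie lifetime; the old code dereferenced null here.
            LOG.warn("Access token carries no exp claim; refusing to issue a cookie-backed token");
            redirectToLogin(request, response);
            return null;
        }
        AuthenticationToken token = new AuthenticationToken(user, user, getType());
        token.setJWTExpires(decoded.getExpiresAt().getTime());
        token.setJWTBasedToken(true);
        return token;
    }

    /**
     * Validates a decoded token and extracts the configured user attribute.
     *
     * @return the principal name, or null when the token must not be trusted (validation failed or claim missing)
     */
    private String principalFromToken(DecodedJWT decoded) {
        // JWT.decode() only parses; signature, issuer and expiry checks are JWTUtils.validateToken's job.
        // NOTE(review): confirm validateToken verifies the signature against the provider's keys — nothing else in
        // this class does, so a validateToken that only inspects claims would accept forged tokens.
        if (!JWTUtils.validateToken(decoded)) {
            return null;
        }
        String user = decoded.getClaim(SsoConfigurationUtil.getInstance().getUserAttrName()).asString();
        if (user == null || user.isEmpty()) {
            // Previously a valid token without the attribute produced an AuthenticationToken with a null principal.
            LOG.warn("Validated token is missing the configured user attribute claim");
            return null;
        }
        return user;
    }

    /** Parses a compact JWT; malformed input is reported as "not a token" rather than as a 500. */
    private static DecodedJWT decodeOrNull(String jwt) {
        try {
            return JWT.decode(jwt);
        } catch (JWTDecodeException e) {
            // Message intentionally omitted: the library echoes token fragments in some decode errors.
            LOG.warn("JWT could not be decoded; treating request as unauthenticated");
            return null;
        }
    }

    /** Sends the browser to the provider's authorization endpoint. */
    private void redirectToLogin(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String loginUrl = constructLoginURL(request);
        LOG.debug("Sending redirect to: {}", loginUrl);
        response.sendRedirect(loginUrl);
    }

    /**
     * Redeems an authorization code at the provider's token endpoint and returns the raw response body.
     *
     * @param code    the {@code code} query parameter received on the callback
     * @param request the callback request; its URL is replayed as {@code redirect_uri}
     * @return the token endpoint's JSON body (lines joined with the platform line separator)
     * @throws IOException on transport failure, a non-2xx status, or an empty response
     */
    public String getJWTTokenFromCode(String code, HttpServletRequest request) throws IOException {
        List<BasicNameValuePair> form = new ArrayList<>();
        form.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, "authorization_code"));
        // Same client_id as the authorization request built by constructLoginURL: a code is bound to the client it
        // was issued to, so reading a possibly different id from SsoConfigurationUtil here could never succeed.
        form.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, this.clientId));
        form.add(new BasicNameValuePair(CODE, code));
        form.add(new BasicNameValuePair(OAuth2Constants.CLIENT_SECRET, resolveClientSecret()));
        // NOTE(review): RFC 6749 §4.1.3 requires this redirect_uri to equal the one sent at authorization time,
        // which constructLoginURL derives via JWTUtils.constructURLWithHostname — confirm the two agree.
        form.add(new BasicNameValuePair("redirect_uri",
                request.getRequestURL().toString() + "?" + AuthenticationFilter.ACTION_PARAM + "=processCode"));

        HttpPost post = new HttpPost(getTokenUrl());
        post.setEntity(new UrlEncodedFormEntity(form, StandardCharsets.UTF_8));
        // try-with-resources: the client and the response were previously never closed (one leak per login).
        try (CloseableHttpClient client = HttpClientBuilder.create().build();
             CloseableHttpResponse httpResponse = client.execute(post)) {
            int status = httpResponse.getStatusLine().getStatusCode();
            if (status < 200 || status >= 300) {
                // Body deliberately not included: status alone is enough to diagnose and cannot leak credentials.
                throw new IOException("Token endpoint returned HTTP " + status);
            }
            if (httpResponse.getEntity() == null) {
                throw new IOException("Token endpoint returned an empty response");
            }
            // JSON is UTF-8; the old reader used the platform default charset.
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(httpResponse.getEntity().getContent(), StandardCharsets.UTF_8))) {
                StringBuilder body = new StringBuilder();
                String line;
                while ((line = reader.readLine()) != null) {
                    body.append(line).append(System.lineSeparator());
                }
                return body.toString();
            }
        }
    }

    /** Explicit property wins; otherwise the secret comes from SsoConfigurationUtil at call time, as before. */
    private String resolveClientSecret() {
        return this.clientSecret != null ? this.clientSecret : SsoConfigurationUtil.getInstance().getClientSecret();
    }

    /** Token endpoint; the path suffix matches Keycloak's OIDC layout. */
    public String getTokenUrl() {
        return this.authenticationProviderUrl + "/protocol/openid-connect/token";
    }

    /** Authorization endpoint; the path suffix matches Keycloak's OIDC layout. */
    public String getAuthUrl() {
        return this.authenticationProviderUrl + "/protocol/openid-connect/auth";
    }

    /**
     * Builds the authorization request URL for the code flow.
     *
     * NOTE(review): no {@code state} (or PKCE) parameter is sent and none is checked on the callback, leaving the
     * flow open to login-CSRF; fixing it needs per-browser storage this handler does not have. The redirect_uri
     * value is concatenated without URL-encoding — confirm JWTUtils.constructURLWithHostname returns an
     * already-encoded value. Left byte-identical because tests pin this exact format.
     */
    @VisibleForTesting
    String constructLoginURL(HttpServletRequest httpServletRequest) {
        return getAuthUrl() + "?response_type=code&client_id=" + this.clientId + "&scope=openid&" + REDIRECT_URI_QUERY_PARAM + JWTUtils.constructURLWithHostname(httpServletRequest.getRequestURL().toString());
    }

    /** Advertises bearer auth; the realm name is hard-coded (presumably Keycloak's default realm). */
    @Override
    public void addHeader(HttpServletResponse httpServletResponse) {
        httpServletResponse.addHeader("WWW-Authenticate", "Bearer realm=\"master\"");
    }
}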
