package com.linkedin.kafka.cruisecontrol.servlet.security.jwt;

import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.text.ParseException;
import java.util.function.Function;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/linkedin/kafka/cruisecontrol/servlet/security/jwt/JwtAuthenticator.class */
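/**
 * Jetty {@link LoginAuthenticator} that authenticates HTTP requests carrying a JSON Web Token.
 *
 * <p>The token is read from the {@code Authorization: Bearer} header first and, when that is absent,
 * from the configured cookie. A request without a token is redirected to the authentication provider
 * URL, in which the {@value #REDIRECT_URL} placeholder is replaced by the originally requested URL.
 *
 * <p><b>Security note:</b> this class only <em>parses</em> the token ({@link SignedJWT#parse(String)});
 * nothing here checks the signature, expiry or audience. The parsed token is handed to
 * {@code login(...)} as the credential, so those checks are presumably performed by the configured
 * login service. Confirm this before treating the subject or any other claim as trusted.
 */
public class JwtAuthenticator extends LoginAuthenticator {
    /** Request attribute under which the raw (serialized) token is stored before {@code login} is called. */
    public static final String JWT_TOKEN_REQUEST_ATTRIBUTE = "com.linkedin.kafka.cruisecontrol.JwtTokenAttribute";
    static final Logger JWT_LOGGER = LoggerFactory.getLogger("kafka.cruisecontrol.jwt.logger");
    private static final String METHOD = "JWT";
    static final String BEARER = "Bearer";
    /** Placeholder in the authentication provider URL that is replaced by the original request URL. */
    static final String REDIRECT_URL = "{redirectUrl}";
    private final String _cookieName;
    private final Function<HttpServletRequest, String> _authenticationProviderUrlGenerator;

    /**
     * Creates the authenticator.
     *
     * @param authenticationProviderUrl URL template of the authentication provider; every occurrence of
     *     {@value #REDIRECT_URL} is replaced by the URL of the request being authenticated. A
     *     {@code null} value is only detected when the first redirect is generated.
     * @param cookieName name of the cookie that may carry the token; {@code null} disables cookie lookup.
     */
    public JwtAuthenticator(String authenticationProviderUrl, String cookieName) {
        this._cookieName = cookieName;
        // NOTE(review): the original URL (scheme/host/path as reported by the container, plus the raw
        // query string) is substituted without URL-encoding, so it is caller-influenced text inside
        // the provider URL. The provider should validate the return URL against an allow-list;
        // confirm whether it expects an encoded value here.
        this._authenticationProviderUrlGenerator = request ->
            authenticationProviderUrl.replace(REDIRECT_URL, request.getRequestURL().toString() + getOriginalQueryString(request));
    }

    /** Returns the authentication method name reported to Jetty ({@code "JWT"}). */
    public String getAuthMethod() {
        return METHOD;
    }

    /** No request preparation is needed for token authentication. */
    public void prepareRequest(ServletRequest servletRequest) {
    }

    /**
     * Authenticates a request from its bearer token or token cookie.
     *
     * @param servletRequest the incoming request
     * @param servletResponse the response, used for redirects and the 401 status
     * @param mandatory not consulted by this implementation
     * @return {@code UNAUTHENTICATED} for non-HTTP traffic, {@code NOT_CHECKED} for {@code OPTIONS}
     *     requests, {@code SEND_CONTINUE} after redirecting a token-less request, {@code SEND_FAILURE}
     *     when the token cannot be parsed or the login is rejected, otherwise a
     *     {@link UserAuthentication} for the logged-in identity
     * @throws ServerAuthException if a redirect cannot be written
     */
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory)
            throws ServerAuthException {
        JWT_LOGGER.trace("Authentication request received for {}", servletRequest);
        // Both objects are cast below, so reject the call unless BOTH are HTTP types. The previous
        // '&&' let a mixed pair through and failed later with a ClassCastException.
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            return Authentication.UNAUTHENTICATED;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        // OPTIONS requests are passed through without authentication. equalsIgnoreCase avoids the
        // default-locale dependence of toLowerCase().
        if (HttpMethod.OPTIONS.name().equalsIgnoreCase(httpRequest.getMethod())) {
            return Authentication.NOT_CHECKED;
        }

        // The Authorization header takes precedence over the cookie.
        String serializedToken = getJwtFromBearerAuthorization(httpRequest);
        if (serializedToken == null) {
            serializedToken = getJwtFromCookie(httpRequest);
        }

        if (serializedToken == null) {
            String providerUrl = this._authenticationProviderUrlGenerator.apply(httpRequest);
            // The logged URL embeds the caller-supplied request URL and query string.
            JWT_LOGGER.info("No JWT token found, sending redirect to {}", providerUrl);
            try {
                httpResponse.sendRedirect(providerUrl);
                return Authentication.SEND_CONTINUE;
            } catch (IOException e) {
                JWT_LOGGER.error("Couldn't authenticate request", e);
                throw new ServerAuthException(e);
            }
        }

        try {
            // parse() only decodes the token; the subject read below is an UNVERIFIED claim until
            // login() accepts the token.
            SignedJWT parsedToken = SignedJWT.parse(serializedToken);
            String subject = parsedToken.getJWTClaimsSet().getSubject();
            // Stored before login() so the raw token is available during the login call.
            // NOTE(review): the attribute is therefore also present on requests whose login is
            // rejected; later handlers must not treat its presence as proof of authentication.
            servletRequest.setAttribute(JWT_TOKEN_REQUEST_ATTRIBUTE, serializedToken);
            UserIdentity identity = login(subject, parsedToken, servletRequest);
            if (identity == null) {
                httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return Authentication.SEND_FAILURE;
            }
            return new UserAuthentication(getAuthMethod(), identity);
        } catch (ParseException e) {
            String providerUrl = this._authenticationProviderUrlGenerator.apply(httpRequest);
            JWT_LOGGER.warn("Unable to parse the JWT token, redirecting back to the login page", e);
            try {
                httpResponse.sendRedirect(providerUrl);
                return Authentication.SEND_FAILURE;
            } catch (IOException redirectFailure) {
                throw new ServerAuthException(redirectFailure);
            }
        }
    }

    /** Leaves the response untouched and always reports success. */
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) {
        return true;
    }

    /**
     * Returns the value of the first cookie whose name equals the configured cookie name.
     *
     * @param httpServletRequest request whose cookies are inspected
     * @return the cookie value, or {@code null} when no cookie name is configured, the request has no
     *     cookies, or none matches
     */
    String getJwtFromCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null || this._cookieName == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (this._cookieName.equals(cookie.getName())) {
                JWT_LOGGER.trace("{} cookie has been found and is being processed", this._cookieName);
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Extracts the token from an {@code Authorization} header that starts with {@code Bearer}.
     *
     * <p>The prefix match is case-sensitive and does not require a separator after the scheme, so
     * {@code "BearerX"} yields {@code "X"}. The result is not validated here.
     *
     * @param httpServletRequest request whose header is inspected
     * @return the trimmed remainder of the header, or {@code null} when the header is missing or does
     *     not start with {@code Bearer}
     */
    String getJwtFromBearerAuthorization(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(HttpHeader.AUTHORIZATION.asString());
        if (header == null || !header.startsWith(BEARER)) {
            return null;
        }
        return header.substring(BEARER.length()).trim();
    }

    /** Returns the request's raw query string prefixed with {@code ?}, or an empty string if there is none. */
    private String getOriginalQueryString(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        return queryString == null ? "" : "?" + queryString;
    }
}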
