package _ss_com.streamsets.lib.security.http;

import _ss_com.com.google.common.annotations.VisibleForTesting;
import _ss_com.com.google.common.base.Splitter;
import _ss_com.com.google.common.collect.ImmutableSet;
import _ss_com.streamsets.datacollector.record.PathElement;
import _ss_com.streamsets.datacollector.util.Configuration;
import _ss_org.apache.commons.lang.StringUtils;
import com.streamsets.pipeline.api.impl.Utils;
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.MediaType;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.util.URIUtil;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:_ss_com/streamsets/lib/security/http/SSOUserAuthenticator.class */
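public class SSOUserAuthenticator extends AbstractSSOAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(SSOUserAuthenticator.class);

    /** Query parameters dropped when a request URL is rebuilt for a redirect: the auth token and the repeated-redirect marker. */
    private static final Set<String> TOKEN_PARAM_SET = ImmutableSet.of(SSOConstants.USER_AUTH_TOKEN_PARAM, SSOConstants.REPEATED_REDIRECT_PARAM);

    /** Configuration key: when {@code true}, the redirect to the SSO login page is sent as an HTML meta-refresh with HTTP 200 instead of an HTTP redirect. */
    public static final String HTTP_META_REDIRECT_TO_SSO = "http.meta.redirect.to.sso";

    private static final String LOGOUT_PATH = "/logout";
    private static final String REQUESTED_BY_HEADER = "X-Requested-By";
    private static final String QUERY_SEPARATOR = "?";
    private static final String PARAM_SEPARATOR = "&";

    private final Configuration conf;
    private final boolean doMetaRedirectToSso;
    /** DPM base URL without a trailing slash, or {@code null} when not configured. */
    private final String dpmBaseUrl;
    /** {@code true} when the DPM app security URL is not configured. */
    private final boolean isDataCollector;

    /** Meta-refresh page template; the {@code %s} receives an HTML-attribute-escaped URL. */
    @VisibleForTesting
    static final String HTML_META_REDIRECT = "<HTML><HEAD><meta http-equiv=\"refresh\" content=\"0; url='%s'\"/></HEAD></HTML>";

    /**
     * Creates the authenticator and reads its settings from {@code configuration}.
     *
     * @param sSOService the SSO service used to validate, invalidate and redirect for user tokens
     * @param configuration source of {@link #HTTP_META_REDIRECT_TO_SSO}, the DPM base URL and the DPM app security URL
     */
    public SSOUserAuthenticator(SSOService sSOService, @NotNull Configuration configuration) {
        super(sSOService);
        this.conf = configuration;
        this.isDataCollector = !configuration.hasName(RemoteSSOService.DPM_APP_SECURITY_URL_CONFIG);
        this.doMetaRedirectToSso = configuration.get(HTTP_META_REDIRECT_TO_SSO, false);
        this.dpmBaseUrl = stripTrailingSlash(configuration.get(RemoteSSOService.DPM_BASE_URL_CONFIG, (String) null));
    }

    /** Removes one trailing {@code /} from a non-empty URL; {@code null} and empty values are returned unchanged. */
    private static String stripTrailingSlash(String url) {
        if (StringUtils.isNotEmpty(url) && url.endsWith("/")) {
            return url.substring(0, url.length() - 1);
        }
        return url;
    }

    @Override // _ss_com.streamsets.lib.security.http.AbstractSSOAuthenticator
    protected Logger getLog() {
        return LOG;
    }

    /**
     * Rebuilds the URL of the current request, omitting the query parameters named in {@code set}.
     *
     * <p>For a data collector, or when no DPM base URL is configured, the URL the request arrived on is used;
     * otherwise the configured DPM base URL is combined with the request URI (presumably the externally
     * visible address differs from the one the request reached — confirm against the deployment docs).
     *
     * @param httpServletRequest the current request
     * @param set query parameter names to leave out (only the part before the first {@code =} is compared)
     * @return the rebuilt URL; the retained parameters keep their original order and encoding
     */
    StringBuffer getRequestUrl(HttpServletRequest httpServletRequest, Set<String> set) {
        StringBuffer url;
        if (this.dpmBaseUrl == null || this.isDataCollector) {
            url = new StringBuffer(httpServletRequest.getRequestURL());
        } else {
            url = new StringBuffer(this.dpmBaseUrl).append(httpServletRequest.getRequestURI());
        }
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            String separator = QUERY_SEPARATOR;
            for (String param : Splitter.on(PARAM_SEPARATOR).split(queryString)) {
                String name = param.split("=", 2)[0];
                if (!set.contains(name)) {
                    url.append(separator).append(param);
                    separator = PARAM_SEPARATOR;
                }
            }
        }
        return url;
    }

    /** Returns the full request URL including every query parameter. */
    String getRequestUrl(HttpServletRequest httpServletRequest) {
        return getRequestUrl(httpServletRequest, Collections.emptySet()).toString();
    }

    /** Returns the request URL with the auth token and repeated-redirect parameters removed. */
    String getRequestUrlWithoutToken(HttpServletRequest httpServletRequest) {
        return getRequestUrl(httpServletRequest, TOKEN_PARAM_SET).toString();
    }

    /**
     * Asks the SSO service for the login URL that will return to this request (without its token parameters).
     *
     * @param z passed through to the SSO service; callers set it when the repeated-redirect parameter is present
     */
    String getLoginUrl(HttpServletRequest httpServletRequest, boolean z) {
        return getSsoService().createRedirectToLoginUrl(getRequestUrlWithoutToken(httpServletRequest), z);
    }

    /** Wraps a failed redirect, keeping the {@link IOException} as the cause rather than only in the message text. */
    private static ServerAuthException redirectFailure(String url, IOException e) {
        return new ServerAuthException(Utils.format("Could not redirect to '{}': {}", new Object[]{url, e.toString()}), e);
    }

    /**
     * Redirects the client back to the same URL with the token parameters stripped, handing the token
     * back in the {@code X-User-Auth-Token} response header instead.
     *
     * @return {@code SEND_CONTINUE}
     * @throws ServerAuthException if the redirect cannot be written
     */
    org.eclipse.jetty.server.Authentication redirectToSelf(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServerAuthException {
        String token = httpServletRequest.getParameter(SSOConstants.USER_AUTH_TOKEN_PARAM);
        String target = getRequestUrlWithoutToken(httpServletRequest);
        httpServletResponse.setHeader(SSOConstants.X_USER_AUTH_TOKEN, token);
        try {
            LOG.debug("Redirecting to self without token '{}'", target);
            httpServletResponse.sendRedirect(target);
            return org.eclipse.jetty.server.Authentication.SEND_CONTINUE;
        } catch (IOException e) {
            throw redirectFailure(target, e);
        }
    }

    /**
     * Sends the client to the SSO login page, either as an HTTP redirect or — when
     * {@link #HTTP_META_REDIRECT_TO_SSO} is set — as a 200 HTML page with a meta-refresh.
     *
     * @return {@code SEND_CONTINUE}
     * @throws ServerAuthException if the response cannot be written
     */
    org.eclipse.jetty.server.Authentication redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServerAuthException {
        boolean repeated = httpServletRequest.getParameter(SSOConstants.REPEATED_REDIRECT_PARAM) != null;
        String loginUrl = getLoginUrl(httpServletRequest, repeated);
        try {
            LOG.debug("Redirecting to login '{}'", loginUrl);
            if (this.doMetaRedirectToSso) {
                httpServletResponse.setContentType(MediaType.TEXT_HTML);
                httpServletResponse.setStatus(HttpServletResponse.SC_OK);
                // The login URL is derived from the request URI and query string, so escape it
                // before embedding it in an HTML attribute.
                httpServletResponse.getWriter().println(String.format(HTML_META_REDIRECT, escapeHtmlAttribute(loginUrl)));
            } else {
                httpServletResponse.sendRedirect(loginUrl);
            }
            return org.eclipse.jetty.server.Authentication.SEND_CONTINUE;
        } catch (IOException e) {
            throw redirectFailure(loginUrl, e);
        }
    }

    /** Escapes the five characters that can break out of a quoted HTML attribute value. */
    @VisibleForTesting
    static String escapeHtmlAttribute(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Redirects the client to the SSO logout URL.
     *
     * @return {@code SEND_SUCCESS}
     * @throws ServerAuthException if the redirect cannot be written
     */
    org.eclipse.jetty.server.Authentication redirectToLogout(HttpServletResponse httpServletResponse) throws ServerAuthException {
        String logoutUrl = getSsoService().getLogoutUrl();
        try {
            LOG.debug("Redirecting to logout '{}'", logoutUrl);
            httpServletResponse.sendRedirect(logoutUrl);
            return org.eclipse.jetty.server.Authentication.SEND_SUCCESS;
        } catch (IOException e) {
            throw redirectFailure(logoutUrl, e);
        }
    }

    /**
     * Rejects the request: clears the auth cookie, then either answers with the base class's
     * unauthorized response (requests carrying {@code X-Requested-By}, i.e. API/XHR callers) or
     * redirects a browser to the login page.
     *
     * @param str the principal/token text for logging; not forwarded to the base class here
     * @param str2 the log message template forwarded to the base class
     * @return the base class's result for header-bearing requests, otherwise {@code SEND_FAILURE}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // _ss_com.streamsets.lib.security.http.AbstractSSOAuthenticator
    public org.eclipse.jetty.server.Authentication returnUnauthorized(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws ServerAuthException {
        httpServletResponse.addCookie(createAuthCookie(httpServletRequest, "", 0L));
        if (httpServletRequest.getHeader(REQUESTED_BY_HEADER) != null) {
            return super.returnUnauthorized(httpServletRequest, httpServletResponse, null, str2);
        }
        redirectToLogin(httpServletRequest, httpServletResponse);
        return org.eclipse.jetty.server.Authentication.SEND_FAILURE;
    }

    /**
     * Builds the auth cookie for this server port.
     *
     * @param str the cookie value (the token, or {@code ""} to clear it)
     * @param j absolute expiry in epoch milliseconds; {@code 0} expires the cookie immediately, a negative
     *     value leaves the max-age unset (a session cookie)
     * @return the cookie, scoped to {@code /}; it is marked secure based on the request for a data collector,
     *     otherwise on whether the DPM base URL is https (falling back to the request when that URL is not set,
     *     where the original dereferenced {@code null})
     */
    Cookie createAuthCookie(HttpServletRequest httpServletRequest, String str, long j) {
        Cookie cookie = new Cookie(getAuthCookieName(httpServletRequest), str);
        cookie.setPath("/");
        if (j > 0) {
            // Remaining lifetime in seconds; already-expired values yield a negative max-age (session cookie).
            cookie.setMaxAge((int) ((j - System.currentTimeMillis()) / 1000));
        } else if (j == 0) {
            cookie.setMaxAge(0);
        }
        boolean secure;
        if (this.isDataCollector || this.dpmBaseUrl == null) {
            secure = httpServletRequest.isSecure();
        } else {
            secure = this.dpmBaseUrl.startsWith(URIUtil.HTTPS);
        }
        cookie.setSecure(secure);
        // NOTE(review): the cookie is not HttpOnly. The token is also accepted from the X-User-Auth-Token
        // header, which may mean client-side script reads it — confirm before changing this.
        return cookie;
    }

    /** Sets the auth cookie unless the request already carries a cookie with exactly this token. */
    void setAuthCookieIfNecessary(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, long j) {
        if (str.equals(getAuthTokenFromCookie(httpServletRequest))) {
            return;
        }
        httpServletResponse.addCookie(createAuthCookie(httpServletRequest, str, j));
    }

    /**
     * Returns {@code true} for {@code GET <contextPath>/logout}.
     *
     * <p>NOTE(review): logout is a plain GET and the token may come from the cookie, so a cross-site
     * GET can invalidate a session — confirm that this is acceptable.
     */
    boolean isLogoutRequest(HttpServletRequest httpServletRequest) {
        String logoutUri = httpServletRequest.getContextPath() + LOGOUT_PATH;
        return "GET".equals(httpServletRequest.getMethod()) && logoutUri.equals(httpServletRequest.getRequestURI());
    }

    private boolean isCORSOptionsRequest(HttpServletRequest httpServletRequest) {
        return "OPTIONS".equals(httpServletRequest.getMethod());
    }

    /** The auth cookie name is the configured prefix followed by the server port the request arrived on. */
    String getAuthCookieName(HttpServletRequest httpServletRequest) {
        return SSOConstants.AUTHENTICATION_COOKIE_PREFIX + httpServletRequest.getServerPort();
    }

    /** Finds the auth cookie for this server port, or {@code null} if the request carries none. */
    Cookie getAuthCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        String wanted = getAuthCookieName(httpServletRequest);
        for (Cookie cookie : cookies) {
            if (wanted.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }

    /** Returns the auth cookie's value, or {@code null} if there is no auth cookie. */
    String getAuthTokenFromCookie(HttpServletRequest httpServletRequest) {
        Cookie authCookie = getAuthCookie(httpServletRequest);
        return authCookie == null ? null : authCookie.getValue();
    }

    boolean isAuthTokenInQueryString(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(SSOConstants.USER_AUTH_TOKEN_PARAM) != null;
    }

    /**
     * Looks the token up, in order, in the request parameter, the {@code X-User-Auth-Token} header and
     * the auth cookie.
     *
     * @return the first token found, or {@code null}
     */
    String getAuthTokenFromRequest(HttpServletRequest httpServletRequest) {
        String token = httpServletRequest.getParameter(SSOConstants.USER_AUTH_TOKEN_PARAM);
        if (token == null) {
            token = httpServletRequest.getHeader(SSOConstants.X_USER_AUTH_TOKEN);
        }
        if (token == null) {
            token = getAuthTokenFromCookie(httpServletRequest);
        }
        return token;
    }

    /**
     * Jetty entry point. CORS preflight ({@code OPTIONS}) requests are answered without authentication;
     * when {@code z} (Jetty's "mandatory" flag) is {@code false} the request is passed through as
     * {@code NOT_CHECKED}; otherwise the token is validated and any failure ends in
     * {@link #returnUnauthorized}.
     */
    @Override // org.eclipse.jetty.security.Authenticator
    public org.eclipse.jetty.server.Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        String token = getAuthTokenFromRequest(httpServletRequest);
        if (LOG.isTraceEnabled()) {
            LOG.trace("Request: {}", getRequestInfoForLogging(httpServletRequest, SSOUtils.tokenForLog(token)));
        }
        if (isCORSOptionsRequest(httpServletRequest)) {
            return answerCorsPreflight(httpServletResponse);
        }
        if (!z) {
            return org.eclipse.jetty.server.Authentication.NOT_CHECKED;
        }
        org.eclipse.jetty.server.Authentication authentication = null;
        if (token != null) {
            authentication = authenticateWithToken(httpServletRequest, httpServletResponse, token);
        }
        if (authentication == null) {
            authentication = returnUnauthorized(httpServletRequest, httpServletResponse, SSOUtils.tokenForLog(token), "Could not authenticate: {}");
        }
        return authentication;
    }

    /**
     * Answers a CORS preflight with the configured allow-origin/headers/methods values.
     * The allowed origin defaults to {@code *} unless configured.
     */
    private org.eclipse.jetty.server.Authentication answerCorsPreflight(HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        httpServletResponse.setHeader("Access-Control-Allow-Origin", this.conf.get(CORSConstants.HTTP_ACCESS_CONTROL_ALLOW_ORIGIN, "*"));
        httpServletResponse.setHeader("Access-Control-Allow-Headers", this.conf.get(CORSConstants.HTTP_ACCESS_CONTROL_ALLOW_HEADERS, CORSConstants.HTTP_ACCESS_CONTROL_ALLOW_HEADERS_DEFAULT));
        httpServletResponse.setHeader("Access-Control-Allow-Methods", this.conf.get(CORSConstants.HTTP_ACCESS_CONTROL_ALLOW_METHODS, CORSConstants.HTTP_ACCESS_CONTROL_ALLOW_METHODS_DEFAULT));
        return org.eclipse.jetty.server.Authentication.SEND_SUCCESS;
    }

    /**
     * Validates {@code token} and produces the resulting authentication: a logout redirect, a redirect to
     * self (token arrived in the query string), or the authenticated user. Returns {@code null} when the
     * SSO service does not return a principal; a {@link ForbiddenException} from any step is turned into
     * an unauthorized response.
     */
    private org.eclipse.jetty.server.Authentication authenticateWithToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String token) throws ServerAuthException {
        try {
            SSOPrincipal principal = getSsoService().validateUserToken(token);
            if (principal == null) {
                return null;
            }
            SSOAuthenticationUser user = new SSOAuthenticationUser(principal);
            if (isLogoutRequest(httpServletRequest)) {
                if (LOG.isTraceEnabled()) {
                    LOG.trace("Principal '{}' Logout", principal.getPrincipalId());
                }
                getSsoService().invalidateUserToken(token);
                return redirectToLogout(httpServletResponse);
            }
            setAuthCookieIfNecessary(httpServletRequest, httpServletResponse, token, user.getSSOUserPrincipal().getExpires());
            if (isAuthTokenInQueryString(httpServletRequest)) {
                if (LOG.isTraceEnabled()) {
                    LOG.trace("Redirection to self, principal '{}' request: {}", principal.getPrincipalId(), getRequestInfoForLogging(httpServletRequest, SSOUtils.tokenForLog(token)));
                }
                return redirectToSelf(httpServletRequest, httpServletResponse);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Principal '{}' request: {}", principal.getPrincipalId(), getRequestInfoForLogging(httpServletRequest, SSOUtils.tokenForLog(token)));
            }
            return user;
        } catch (ForbiddenException e) {
            return returnUnauthorized(httpServletRequest, httpServletResponse, e.getErrorInfo(), null, "Request: {}");
        }
    }
}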
