package org.apache.hadoop.security;

import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.List;
import java.util.Random;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.mortbay.io.EndPoint;
import org.mortbay.jetty.Request;
import org.mortbay.jetty.security.ServletSSL;
import org.mortbay.jetty.security.SslSocketConnector;

/* loaded from: input_file:lib/hadoop-core-1.2.1.jar:org/apache/hadoop/security/Krb5AndCertsSslSocketConnector.class */
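/**
 * Jetty SSL connector that can authenticate clients with Kerberos cipher suites, with X.509
 * certificates (delegating to {@link SslSocketConnector}), or with both.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The only Kerberos suite offered is {@code TLS_KRB5_WITH_3DES_EDE_CBC_SHA}, a legacy
 *       3DES/CBC/SHA-1 suite. Deployments should treat this listener as legacy crypto and check
 *       whether the target JRE still supports the suite at all.</li>
 *   <li>Loading this class sets the JVM-wide {@code https.cipherSuites} system property, and
 *       constructing a Kerberos-only instance overwrites the JVM-wide {@code jetty.ssl.password}
 *       and {@code jetty.ssl.keypassword} properties. Both affect other code in the same
 *       process.</li>
 * </ul>
 */
public class Krb5AndCertsSslSocketConnector extends SslSocketConnector {
    /** Cipher suites enabled for Kerberos authentication (a single legacy 3DES suite). */
    public static final List<String> KRB5_CIPHER_SUITES = Collections.unmodifiableList(Collections.singletonList("TLS_KRB5_WITH_3DES_EDE_CBC_SHA"));

    static {
        // Process-wide side effect: this is a JDK system property, so it is visible to every
        // consumer of "https.cipherSuites" in the JVM, not only to this connector.
        System.setProperty("https.cipherSuites", KRB5_CIPHER_SUITES.get(0));
    }

    private static final Log LOG = LogFactory.getLog(Krb5AndCertsSslSocketConnector.class);

    /** Request attribute under which {@link #customize} publishes the TLS peer principal. */
    private static final String REMOTE_PRINCIPAL = "remote_principal";

    private final boolean useKrb;
    private final boolean useCerts;

    /**
     * Servlet filter that admits only requests whose TLS peer was authenticated as a
     * {@link KerberosPrincipal}; every other request is answered with 403.
     *
     * <p>The decision relies on the {@code remote_principal} request attribute, which
     * {@link Krb5AndCertsSslSocketConnector#customize} sets only when Kerberos is enabled.
     * Behind any connector that does not set it, the filter rejects every request.
     */
    public static class Krb5SslFilter implements Filter {
        /**
         * Passes the request on with the Kerberos principal exposed as the user principal and
         * remote user, or rejects it with 403 when no Kerberos principal is attached.
         *
         * @param servletRequest  incoming request; cast to {@link HttpServletRequest} when wrapped
         * @param servletResponse response; cast to {@link HttpServletResponse} when rejecting
         * @param filterChain     remainder of the filter chain
         * @throws IOException      propagated from the chain or from {@code sendError}
         * @throws ServletException propagated from the chain
         */
        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            final Object attribute = servletRequest.getAttribute(Krb5AndCertsSslSocketConnector.REMOTE_PRINCIPAL);
            // Fail closed: a missing attribute, a non-Kerberos principal (for example a
            // certificate-authenticated peer) or any unexpected attribute type is refused.
            if (!(attribute instanceof KerberosPrincipal)) {
                Krb5AndCertsSslSocketConnector.LOG.warn("User not authenticated via kerberos from " + servletRequest.getRemoteAddr());
                ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_FORBIDDEN, "User not authenticated via Kerberos");
                return;
            }
            final Principal principal = (Principal) attribute;
            filterChain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) servletRequest) {
                @Override
                public Principal getUserPrincipal() {
                    return principal;
                }

                @Override
                public String getRemoteUser() {
                    return principal.getName();
                }
            }, servletResponse);
        }

        /** No configuration is read. */
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        /** Nothing to release. */
        @Override
        public void destroy() {
        }
    }

    /** Authentication mechanisms the connector accepts. */
    public enum MODE {
        KRB,
        CERTS,
        BOTH
    }

    /** Creates a Kerberos-only connector (equivalent to {@link MODE#KRB}). */
    public Krb5AndCertsSslSocketConnector() {
        this.useKrb = true;
        this.useCerts = false;
        setPasswords();
    }

    /**
     * Creates a connector for the given mode.
     *
     * @param mode which client authentication mechanisms to enable
     */
    public Krb5AndCertsSslSocketConnector(MODE mode) {
        this.useKrb = mode == MODE.KRB || mode == MODE.BOTH;
        this.useCerts = mode == MODE.CERTS || mode == MODE.BOTH;
        setPasswords();
        logIfDebug("useKerb = " + this.useKrb + ", useCerts = " + this.useCerts);
    }

    /**
     * In Kerberos-only mode, fills the Jetty SSL password system properties with random
     * placeholder values. Does nothing when certificates are in use.
     *
     * <p>NOTE(review): presumably this exists so the Jetty superclass finds password values
     * without a configured keystore; confirm against the Jetty version in use. Nothing in this
     * class uses the values as a secret, because {@link #createFactory} builds its context
     * without a key store in this mode.
     */
    private void setPasswords() {
        if (this.useCerts) {
            return;
        }
        // The properties are JVM-wide and overwrite any value already set, so a real password
        // configured for another connector in this process would be replaced. SecureRandom
        // keeps the placeholders unpredictable should other code ever read them.
        SecureRandom random = new SecureRandom();
        System.setProperty("jetty.ssl.password", String.valueOf(random.nextLong()));
        System.setProperty("jetty.ssl.keypassword", String.valueOf(random.nextLong()));
    }

    /**
     * Returns the server socket factory: the superclass's keystore-backed factory when
     * certificates are enabled, otherwise one built from an {@link SSLContext} initialised with
     * default key managers, trust managers and randomness ({@code init(null, null, null)}).
     *
     * @throws Exception if the superclass factory or the {@link SSLContext} cannot be created
     */
    @Override
    protected SSLServerSocketFactory createFactory() throws Exception {
        if (this.useCerts) {
            return super.createFactory();
        }
        String protocol = super.getProtocol();
        String provider = super.getProvider();
        SSLContext context = provider == null ? SSLContext.getInstance(protocol) : SSLContext.getInstance(protocol, provider);
        context.init(null, null, null);
        return context.getServerSocketFactory();
    }

    /**
     * Opens the listening socket and, when Kerberos is enabled, requires client authentication
     * and enables the Kerberos cipher suites (in addition to the already enabled suites when
     * certificates are also in use, exclusively otherwise).
     *
     * @param host    interface to bind to, or {@code null} to bind without an explicit address
     * @param port    port to listen on
     * @param backlog accept backlog
     * @return the configured {@link SSLServerSocket}
     * @throws IOException if the socket cannot be created; the underlying failure is attached
     *                     as the cause
     */
    @Override
    protected ServerSocket newServerSocket(String host, int port, int backlog) throws IOException {
        logIfDebug("Creating new KrbServerSocket for: " + host);
        SSLServerSocket serverSocket;
        if (this.useCerts) {
            serverSocket = (SSLServerSocket) super.newServerSocket(host, port, backlog);
        } else {
            try {
                SSLServerSocketFactory factory = createFactory();
                serverSocket = (SSLServerSocket) (host == null
                        ? factory.createServerSocket(port, backlog)
                        : factory.createServerSocket(port, backlog, InetAddress.getByName(host)));
            } catch (Exception e) {
                LOG.warn("Could not create KRB5 Listener", e);
                // Keep the original exception as the cause so the stack trace reaches callers.
                throw new IOException("Could not create KRB5 Listener: " + e.toString(), e);
            }
        }
        if (this.useKrb) {
            try {
                serverSocket.setNeedClientAuth(true);
                serverSocket.setEnabledCipherSuites(this.useCerts
                        ? withKrb5Suites(serverSocket.getEnabledCipherSuites())
                        : KRB5_CIPHER_SUITES.toArray(new String[0]));
            } catch (RuntimeException e) {
                // setEnabledCipherSuites rejects suites the JRE does not support; release the
                // bound port instead of leaking the socket, then report the original failure.
                try {
                    serverSocket.close();
                } catch (IOException ignored) {
                    // Best effort: the configuration failure is the error worth reporting.
                }
                throw e;
            }
        }
        return serverSocket;
    }

    /** Returns a new array holding {@code enabled} followed by {@link #KRB5_CIPHER_SUITES}. */
    private static String[] withKrb5Suites(String[] enabled) {
        String[] krb5 = KRB5_CIPHER_SUITES.toArray(new String[0]);
        String[] combined = new String[enabled.length + krb5.length];
        System.arraycopy(enabled, 0, combined, 0, enabled.length);
        System.arraycopy(krb5, 0, combined, enabled.length, krb5.length);
        return combined;
    }

    /**
     * Attaches TLS session details to the request. With Kerberos enabled, the session's peer
     * principal is stored under {@code remote_principal} and the scheme is forced to
     * {@code https}; in Kerberos-only mode the cipher suite and deduced key size are also set.
     * With certificates enabled, the superclass customisation runs afterwards.
     *
     * @param endPoint connection end point; its transport is cast to {@link SSLSocket}
     * @param request  request to annotate
     * @throws IOException from the superclass, or from {@code getPeerPrincipal()}, whose
     *                     {@code SSLPeerUnverifiedException} is an {@code IOException}
     */
    @Override
    public void customize(EndPoint endPoint, Request request) throws IOException {
        if (this.useKrb) {
            SSLSocket socket = (SSLSocket) endPoint.getTransport();
            Object peerPrincipal = socket.getSession().getPeerPrincipal();
            logIfDebug("Remote principal = " + peerPrincipal);
            request.setScheme("https");
            // Krb5SslFilter reads this attribute to make its allow/deny decision.
            request.setAttribute(REMOTE_PRINCIPAL, peerPrincipal);
            if (!this.useCerts) {
                String cipherSuite = socket.getSession().getCipherSuite();
                Object keySize = Integer.valueOf(ServletSSL.deduceKeyLength(cipherSuite));
                request.setAttribute("javax.servlet.request.cipher_suite", cipherSuite);
                request.setAttribute("javax.servlet.request.key_size", keySize);
            }
        }
        if (this.useCerts) {
            super.customize(endPoint, request);
        }
    }

    /** Logs {@code str} at debug level when debug logging is enabled. */
    private void logIfDebug(String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(str);
        }
    }
}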
