package org.apache.druid.security.kerberos;

import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TimeZone;
import java.util.concurrent.ThreadLocalRandom;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.druid.guice.annotations.Self;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.server.DruidNode;
import org.apache.druid.server.security.AuthenticationResult;
import org.apache.druid.server.security.Authenticator;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.security.authentication.util.Signer;
import org.apache.hadoop.security.authentication.util.SignerException;
import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.http.HttpHeader;

@JsonTypeName("kerberos")
/* loaded from: input_file:org/apache/druid/security/kerberos/KerberosAuthenticator.class */
public class KerberosAuthenticator implements Authenticator {
    private static final Logger log = new Logger(KerberosAuthenticator.class);
    public static final String SIGNED_TOKEN_ATTRIBUTE = "signedToken";
    private final String serverPrincipal;
    private final String serverKeytab;
    private final String authToLocal;
    private final String cookieSignatureSecret;
    private final String authorizerName;
    private final String name;
    private LoginContext loginContext;

    /* loaded from: input_file:org/apache/druid/security/kerberos/KerberosAuthenticator$DruidKerberosConfiguration.class */
    public static class DruidKerberosConfiguration extends Configuration {
        private String keytab;
        private String principal;

        public DruidKerberosConfiguration(String str, String str2) {
            this.keytab = str;
            this.principal = str2;
        }

        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            HashMap hashMap = new HashMap();
            if (System.getProperty("java.vendor").contains("IBM")) {
                hashMap.put("useKeytab", this.keytab.startsWith("file://") ? this.keytab : "file://" + this.keytab);
                hashMap.put("principal", this.principal);
                hashMap.put("credsType", "acceptor");
            } else {
                hashMap.put("keyTab", this.keytab);
                hashMap.put("principal", this.principal);
                hashMap.put("useKeyTab", "true");
                hashMap.put("storeKey", "true");
                hashMap.put("doNotPrompt", "true");
                hashMap.put("useTicketCache", "true");
                hashMap.put("renewTGT", "true");
                hashMap.put("isInitiator", "false");
            }
            hashMap.put("refreshKrb5Config", "true");
            String str2 = System.getenv("KRB5CCNAME");
            if (str2 != null) {
                if (System.getProperty("java.vendor").contains("IBM")) {
                    hashMap.put("useDefaultCcache", "true");
                    System.setProperty("KRB5CCNAME", str2);
                    hashMap.put("renewTGT", "true");
                    hashMap.put("credsType", "both");
                } else {
                    hashMap.put("ticketCache", str2);
                }
            }
            if (KerberosAuthenticator.log.isDebugEnabled()) {
                hashMap.put("debug", "true");
            }
            return new AppConfigurationEntry[]{new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, hashMap)};
        }
    }

    @JsonCreator
    public KerberosAuthenticator(@JsonProperty("serverPrincipal") String str, @JsonProperty("serverKeytab") String str2, @JsonProperty("authToLocal") String str3, @JsonProperty("cookieSignatureSecret") String str4, @JsonProperty("authorizerName") String str5, @JsonProperty("name") String str6, @Self @JacksonInject DruidNode druidNode) {
        this.serverKeytab = str2;
        this.authToLocal = str3 == null ? "DEFAULT" : str3;
        this.cookieSignatureSecret = str4;
        this.authorizerName = str5;
        this.name = (String) Preconditions.checkNotNull(str6);
        try {
            this.serverPrincipal = SecurityUtil.getServerPrincipal(str, druidNode.getHost());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public Filter getFilter() {
        return new AuthenticationFilter() { // from class: org.apache.druid.security.kerberos.KerberosAuthenticator.1
            private Signer mySigner;

            public void init(FilterConfig filterConfig) throws ServletException {
                ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
                try {
                    Thread.currentThread().setContextClassLoader(AuthenticationFilter.class.getClassLoader());
                    super.init(filterConfig);
                    String initParameter = filterConfig.getInitParameter("config.prefix");
                    String str = initParameter != null ? initParameter + "." : "";
                    String property = getConfiguration(str, filterConfig).getProperty(str + "signature.secret");
                    if (property == null) {
                        property = Long.toString(ThreadLocalRandom.current().nextLong());
                        KerberosAuthenticator.log.warn("'signature.secret' configuration not set, using a random value as secret", new Object[0]);
                    }
                    final byte[] utf8 = StringUtils.toUtf8(property);
                    this.mySigner = new Signer(new SignerSecretProvider() { // from class: org.apache.druid.security.kerberos.KerberosAuthenticator.1.1
                        public void init(Properties properties, ServletContext servletContext, long j) {
                        }

                        public byte[] getCurrentSecret() {
                            return utf8;
                        }

                        /* JADX WARN: Type inference failed for: r0v1, types: [byte[], byte[][]] */
                        public byte[][] getAllSecrets() {
                            return new byte[]{utf8};
                        }
                    });
                    Thread.currentThread().setContextClassLoader(contextClassLoader);
                } catch (Throwable th) {
                    Thread.currentThread().setContextClassLoader(contextClassLoader);
                    throw th;
                }
            }

            protected AuthenticationToken getToken(HttpServletRequest httpServletRequest) throws AuthenticationException {
                AuthenticationToken authenticationToken = null;
                String str = null;
                Cookie[] cookies = httpServletRequest.getCookies();
                if (cookies != null) {
                    int length = cookies.length;
                    int i = 0;
                    while (true) {
                        if (i >= length) {
                            break;
                        }
                        Cookie cookie = cookies[i];
                        if (cookie.getName().equals("hadoop.auth")) {
                            try {
                                str = this.mySigner.verifyAndExtract(cookie.getValue());
                                break;
                            } catch (SignerException e) {
                                throw new AuthenticationException(e);
                            }
                        }
                        i++;
                    }
                }
                if (str != null) {
                    authenticationToken = AuthenticationToken.parse(str);
                    if (!authenticationToken.getType().equals(getAuthenticationHandler().getType())) {
                        throw new AuthenticationException("Invalid AuthenticationToken type");
                    }
                    if (authenticationToken.isExpired()) {
                        throw new AuthenticationException("AuthenticationToken expired");
                    }
                }
                return authenticationToken;
            }

            public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
                if (servletRequest.getAttribute("Druid-Authentication-Result") != null) {
                    filterChain.doFilter(servletRequest, servletResponse);
                    return;
                }
                if (KerberosAuthenticator.this.loginContext == null) {
                    KerberosAuthenticator.this.initializeKerberosLogin();
                }
                doFilterSuper(servletRequest, servletResponse, filterChain);
            }

            private void doFilterSuper(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
                AuthenticationToken authenticationToken;
                boolean z = true;
                int i = 401;
                AuthenticationException authenticationException = null;
                HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
                HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
                boolean equals = "https".equals(httpServletRequest.getScheme());
                boolean z2 = false;
                try {
                    try {
                        authenticationToken = getToken(httpServletRequest);
                    } catch (AuthenticationException e) {
                        KerberosAuthenticator.log.warn("AuthenticationToken ignored: " + e.getMessage(), new Object[0]);
                        authenticationException = e;
                        authenticationToken = null;
                    }
                    if (getAuthenticationHandler().managementOperation(authenticationToken, httpServletRequest, httpServletResponse)) {
                        if (authenticationToken == null) {
                            if (KerberosAuthenticator.log.isDebugEnabled()) {
                                KerberosAuthenticator.log.debug("Request [{%s}] triggering authentication", new Object[]{getRequestURL(httpServletRequest)});
                            }
                            authenticationToken = getAuthenticationHandler().authenticate(httpServletRequest, httpServletResponse);
                            if (authenticationToken != null && authenticationToken.getExpires() != 0 && authenticationToken != AuthenticationToken.ANONYMOUS) {
                                authenticationToken.setExpires(System.currentTimeMillis() + (getValidity() * 1000));
                            }
                            z2 = true;
                        }
                        if (authenticationToken != null) {
                            z = false;
                            if (KerberosAuthenticator.log.isDebugEnabled()) {
                                KerberosAuthenticator.log.debug("Request [{%s}] user [{%s}] authenticated", new Object[]{getRequestURL(httpServletRequest), authenticationToken.getUserName()});
                            }
                            final AuthenticationToken authenticationToken2 = authenticationToken;
                            HttpServletRequestWrapper httpServletRequestWrapper = new HttpServletRequestWrapper(httpServletRequest) { // from class: org.apache.druid.security.kerberos.KerberosAuthenticator.1.2
                                public String getAuthType() {
                                    return authenticationToken2.getType();
                                }

                                public String getRemoteUser() {
                                    return authenticationToken2.getUserName();
                                }

                                public Principal getUserPrincipal() {
                                    if (authenticationToken2 != AuthenticationToken.ANONYMOUS) {
                                        return authenticationToken2;
                                    }
                                    return null;
                                }
                            };
                            if (z2 && !authenticationToken.isExpired() && authenticationToken != AuthenticationToken.ANONYMOUS) {
                                String sign = this.mySigner.sign(authenticationToken.toString());
                                KerberosAuthenticator.tokenToAuthCookie(httpServletResponse, sign, getCookieDomain(), getCookiePath(), authenticationToken.getExpires(), !authenticationToken.isExpired() && authenticationToken.getExpires() > 0, equals);
                                servletRequest.setAttribute(KerberosAuthenticator.SIGNED_TOKEN_ATTRIBUTE, KerberosAuthenticator.tokenToCookieString(sign, getCookieDomain(), getCookiePath(), authenticationToken.getExpires(), !authenticationToken.isExpired() && authenticationToken.getExpires() > 0, equals));
                            }
                            servletRequest.setAttribute("Druid-Authentication-Result", new AuthenticationResult(authenticationToken.getName(), KerberosAuthenticator.this.authorizerName, KerberosAuthenticator.this.name, (Map) null));
                            doFilter(filterChain, (HttpServletRequest) httpServletRequestWrapper, httpServletResponse);
                        }
                    } else {
                        z = false;
                    }
                } catch (AuthenticationException e2) {
                    i = 403;
                    authenticationException = e2;
                    if (KerberosAuthenticator.log.isDebugEnabled()) {
                        KerberosAuthenticator.log.debug(e2, "Authentication exception: " + e2.getMessage(), new Object[0]);
                    } else {
                        KerberosAuthenticator.log.warn("Authentication exception: " + e2.getMessage(), new Object[0]);
                    }
                }
                if (!z || httpServletResponse.isCommitted()) {
                    return;
                }
                KerberosAuthenticator.tokenToAuthCookie(httpServletResponse, "", getCookieDomain(), getCookiePath(), 0L, false, equals);
                if (i == 401 && !httpServletResponse.containsHeader("WWW-Authenticate")) {
                    i = 403;
                }
                if (authenticationException == null) {
                    filterChain.doFilter(servletRequest, servletResponse);
                } else {
                    httpServletResponse.sendError(i, authenticationException.getMessage());
                }
            }
        };
    }

    public Class<? extends Filter> getFilterClass() {
        return null;
    }

    public Map<String, String> getInitParameters() {
        HashMap hashMap = new HashMap();
        hashMap.put("kerberos.principal", this.serverPrincipal);
        hashMap.put("kerberos.keytab", this.serverKeytab);
        hashMap.put("type", DruidKerberosAuthenticationHandler.class.getName());
        hashMap.put("kerberos.name.rules", this.authToLocal);
        if (this.cookieSignatureSecret != null) {
            hashMap.put("signature.secret", this.cookieSignatureSecret);
        }
        return hashMap;
    }

    public String getPath() {
        return "/*";
    }

    public EnumSet<DispatcherType> getDispatcherType() {
        return null;
    }

    public String getAuthChallengeHeader() {
        return "Negotiate";
    }

    public AuthenticationResult authenticateJDBCContext(Map<String, Object> map) {
        throw new UnsupportedOperationException("JDBC Kerberos auth not supported yet");
    }

    public void decorateProxyRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Request request) {
        Object attribute = httpServletRequest.getAttribute(SIGNED_TOKEN_ATTRIBUTE);
        if (attribute == null || !(attribute instanceof String)) {
            return;
        }
        log.debug("Found cookie token will attache it to proxyRequest as cookie", new Object[0]);
        request.header(HttpHeader.COOKIE, Joiner.on(";").join((String) attribute, (String) request.getCookies().stream().map((v0) -> {
            return v0.toString();
        }).collect(Collectors.joining(";")), new Object[0]));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void initializeKerberosLogin() throws ServletException {
        try {
            if (this.serverPrincipal == null || this.serverPrincipal.trim().length() == 0) {
                throw new ServletException("Principal not defined in configuration");
            }
            String str = this.serverKeytab;
            if (str == null || str.trim().length() == 0) {
                throw new ServletException("Keytab not defined in configuration");
            }
            if (!new File(str).exists()) {
                throw new ServletException("Keytab does not exist: " + str);
            }
            HashSet hashSet = new HashSet();
            hashSet.add(new KerberosPrincipal(this.serverPrincipal));
            Subject subject = new Subject(false, hashSet, new HashSet(), new HashSet());
            DruidKerberosConfiguration druidKerberosConfiguration = new DruidKerberosConfiguration(str, this.serverPrincipal);
            log.info("Login using keytab " + str + ", for principal " + this.serverPrincipal, new Object[0]);
            this.loginContext = new LoginContext("", subject, (CallbackHandler) null, druidKerberosConfiguration);
            this.loginContext.login();
            log.info("Initialized, principal %s from keytab %s", new Object[]{this.serverPrincipal, str});
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void tokenToAuthCookie(HttpServletResponse httpServletResponse, String str, String str2, String str3, long j, boolean z, boolean z2) {
        httpServletResponse.addHeader("Set-Cookie", tokenToCookieString(str, str2, str3, j, z, z2));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String tokenToCookieString(String str, String str2, String str3, long j, boolean z, boolean z2) {
        StringBuilder append = new StringBuilder("hadoop.auth").append("=");
        if (str != null && str.length() > 0) {
            append.append("\"").append(str).append("\"");
        }
        if (str3 != null) {
            append.append("; Path=").append(str3);
        }
        if (str2 != null) {
            append.append("; Domain=").append(str2);
        }
        if (j >= 0 && z) {
            Date date = new Date(j);
            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz", Locale.ENGLISH);
            simpleDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
            append.append("; Expires=").append(simpleDateFormat.format(date));
        }
        if (z2) {
            append.append("; Secure");
        }
        append.append("; HttpOnly");
        return append.toString();
    }
}
