package org.apache.falcon.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.falcon.util.Servlets;
import org.apache.falcon.util.StartupProperties;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.log4j.NDC;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/falcon-prism-0.8-classes.jar:org/apache/falcon/security/FalconAuthenticationFilter.class */
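/**
 * Servlet filter that layers Falcon-specific checks on top of Hadoop's
 * {@link AuthenticationFilter}.
 *
 * <p>Configuration is taken from the startup properties whose keys start with
 * {@code falcon.http.authentication.}. For every request that the parent filter
 * lets through, this filter rejects requests with no user or with a user listed
 * in {@code falcon.http.authentication.blacklisted.users}. It then registers the
 * user with {@link CurrentUser}, applies the optional {@code doAs} proxy user,
 * and continues the chain.
 */
public class FalconAuthenticationFilter extends AuthenticationFilter {
    private static final Logger LOG = LoggerFactory.getLogger(FalconAuthenticationFilter.class);
    protected static final String DO_AS_PARAM = "doAs";
    protected static final String FALCON_PREFIX = "falcon.http.authentication.";
    protected static final String KERBEROS_PRINCIPAL = "falcon.http.authentication.kerberos.principal";
    private static final String BLACK_LISTED_USERS_KEY = "falcon.http.authentication.blacklisted.users";

    // Stub servlet used to answer OPTIONS requests without entering the resource chain.
    private HttpServlet optionsServlet;
    // User names that may not call the API; matched exactly (case-sensitive) against the request user.
    private Set<String> blackListedUsers;

    /**
     * Initializes the parent filter, the OPTIONS stub servlet and the user blacklist.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException if the parent filter or the stub servlet fails to initialize
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        LOG.info("FalconAuthenticationFilter initialization started");
        super.init(filterConfig);
        this.optionsServlet = new HttpServlet() {
        };
        this.optionsServlet.init();
        initializeBlackListedUsers();
    }

    /**
     * Loads the comma-separated blacklist from the startup properties.
     *
     * <p>Entries are trimmed and blank entries are dropped. Without trimming, a value
     * such as {@code "hdfs, yarn"} would store {@code " yarn"}, which never equals a
     * real user name, so that user would silently not be blocked.
     */
    private void initializeBlackListedUsers() {
        Set<String> users = new HashSet<String>();
        String configured = StartupProperties.get().getProperty(BLACK_LISTED_USERS_KEY);
        if (!StringUtils.isEmpty(configured)) {
            for (String entry : configured.split(",")) {
                String user = entry.trim();
                if (!user.isEmpty()) {
                    users.add(user);
                }
            }
        }
        // Assign once the set is complete so the field never exposes a half-built list.
        this.blackListedUsers = users;
    }

    /**
     * Builds the configuration handed to the parent filter.
     *
     * <p>Every startup property whose key starts with {@link #FALCON_PREFIX} is copied
     * with the prefix removed. {@code cookie.path} is preset to {@code "/"} but can be
     * overridden by such a property. When Hadoop security is enabled,
     * {@code kerberos.principal} is replaced by the host-substituted principal.
     *
     * @param str          configuration prefix passed by the parent filter; not used here
     * @param filterConfig filter configuration; not used here
     * @return the properties for the parent authentication filter
     */
    protected Properties getConfiguration(String str, FilterConfig filterConfig) {
        Properties authConfig = new Properties();
        Properties startupProperties = StartupProperties.get();
        authConfig.setProperty("cookie.path", "/");
        for (Map.Entry<Object, Object> entry : startupProperties.entrySet()) {
            String key = (String) entry.getKey();
            if (key.startsWith(FALCON_PREFIX)) {
                authConfig.setProperty(key.substring(FALCON_PREFIX.length()), (String) entry.getValue());
            }
        }
        if (UserGroupInformation.isSecurityEnabled()) {
            authConfig.setProperty("kerberos.principal", getKerberosPrincipalWithSubstitutedHost(startupProperties));
        }
        return authConfig;
    }

    /**
     * Resolves the configured Kerberos principal against the local host name.
     *
     * @param properties startup properties holding {@link #KERBEROS_PRINCIPAL}
     * @return the substituted principal, or the configured value unchanged if the
     *         substitution fails
     */
    private String getKerberosPrincipalWithSubstitutedHost(Properties properties) {
        String principal = properties.getProperty(KERBEROS_PRINCIPAL);
        try {
            principal = org.apache.hadoop.security.SecurityUtil.getServerPrincipal(principal, SecurityUtil.getLocalHostName());
        } catch (IOException e) {
            // Best effort: keep the configured value, but leave a trace. A principal that was
            // not substituted is otherwise very hard to diagnose when authentication fails.
            LOG.warn("Could not substitute the host name in Kerberos principal {}; using it as configured", principal, e);
        }
        return principal;
    }

    /**
     * Delegates to the parent filter with a wrapping chain that applies the Falcon
     * user checks before the real chain continues.
     *
     * @param servletRequest  incoming request
     * @param servletResponse outgoing response
     * @param filterChain     remaining filter chain
     * @throws IOException      on I/O failure while handling the request
     * @throws ServletException if the parent filter or the chain fails
     */
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        super.doFilter(servletRequest, servletResponse, new FilterChain() {
            @Override // javax.servlet.FilterChain
            public void doFilter(ServletRequest wrappedRequest, ServletResponse wrappedResponse) throws IOException, ServletException {
                HttpServletRequest httpRequest = (HttpServletRequest) wrappedRequest;
                if ("OPTIONS".equals(httpRequest.getMethod())) {
                    // Answered by the stub servlet; the resource chain is never entered.
                    optionsServlet.service(servletRequest, servletResponse);
                    return;
                }
                String user = Servlets.getUserFromRequest(httpRequest);
                if (StringUtils.isEmpty(user)) {
                    ((HttpServletResponse) servletResponse).sendError(Response.Status.BAD_REQUEST.getStatusCode(), "Param user.name can't be empty");
                    return;
                }
                if (blackListedUsers.contains(user)) {
                    ((HttpServletResponse) servletResponse).sendError(Response.Status.BAD_REQUEST.getStatusCode(), "User can't be a superuser:" + BLACK_LISTED_USERS_KEY);
                    return;
                }
                try {
                    // User, path and doAs come from the request; strip line breaks before they reach
                    // the log so a crafted value cannot forge extra log records.
                    NDC.push(sanitizeForLog(user + ":" + httpRequest.getMethod() + "/" + httpRequest.getPathInfo()));
                    String doAsUser = httpRequest.getParameter(DO_AS_PARAM);
                    CurrentUser.authenticate(user);
                    // NOTE(review): only the requesting user is checked against blackListedUsers; the
                    // doAs target is passed on as received. Presumably CurrentUser.proxyDoAsUser
                    // enforces the proxy-user policy. Confirm.
                    CurrentUser.proxyDoAsUser(doAsUser, HostnameFilter.get());
                    LOG.info("Request from authenticated user: {}, URL={}, doAs user: {}", sanitizeForLog(user), sanitizeForLog(Servlets.getRequestURI(httpRequest)), sanitizeForLog(doAsUser));
                    filterChain.doFilter(wrappedRequest, wrappedResponse);
                } finally {
                    NDC.pop();
                }
            }
        });
    }

    /**
     * Replaces carriage returns and line feeds so a request-derived value stays on one log line.
     *
     * @param value text to log; may be {@code null}
     * @return the value with CR and LF replaced by {@code _}, or {@code null} if it was {@code null}
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Destroys the OPTIONS stub servlet, if it was created, and then the parent filter.
     */
    public void destroy() {
        if (this.optionsServlet != null) {
            this.optionsServlet.destroy();
        }
        super.destroy();
    }
}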
