package org.apache.falcon.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.falcon.FalconException;
import org.apache.falcon.cli.FalconCLI;
import org.apache.falcon.entity.CatalogStorage;
import org.apache.falcon.entity.EntityNotRegisteredException;
import org.apache.falcon.entity.EntityUtil;
import org.apache.falcon.entity.v0.EntityType;
import org.apache.falcon.util.Servlets;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.oozie.client.rest.RestConstants;
import org.apache.xerces.impl.Constants;
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/falcon-prism-0.8-classes.jar:org/apache/falcon/security/FalconAuthorizationFilter.class */
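/**
 * Servlet filter that authorizes each request before it reaches the rest of the chain.
 *
 * <p>When authorization is enabled, the request path is split into resource, action and
 * (for entity and instance resources) entity type and name. The configured
 * {@link AuthorizationProvider} is then asked to authorize the authenticated user.
 * When authorization is disabled the filter passes every request through unchanged.
 */
public class FalconAuthorizationFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(FalconAuthorizationFilter.class);
    private static final String DO_AS_PARAM = "doAs";
    private static final String INVALID_PATH_MESSAGE = "Invalid request path, expected /<resource>/<action>";
    private boolean isAuthorizationEnabled;
    private AuthorizationProvider authorizationProvider;

    /**
     * Immutable view of the parts of a request path that authorization is decided on.
     *
     * <p>Decompiler note: this class was originally declared private; the access modifier
     * was widened by the decompiler.
     */
    public static class RequestParts {
        private final String resource;
        private final String action;
        private final String entityName;
        private final String entityType;

        /**
         * @param resource   first path segment
         * @param action     second path segment
         * @param entityName entity name, or {@code null} when the path carries none
         * @param entityType entity type, or {@code null} when the path carries none
         */
        public RequestParts(String resource, String action, String entityName, String entityType) {
            this.resource = resource;
            this.action = action;
            this.entityName = entityName;
            this.entityType = entityType;
        }

        public String getResource() {
            return this.resource;
        }

        public String getAction() {
            return this.action;
        }

        public String getEntityName() {
            return this.entityName;
        }

        public String getEntityType() {
            return this.entityType;
        }

        /** Renders the parts for log output; entity name and type are omitted when null. */
        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("RequestParts{").append("resource='").append(this.resource).append(CatalogStorage.PARTITION_VALUE_QUOTE).append(", action='").append(this.action).append(CatalogStorage.PARTITION_VALUE_QUOTE);
            if (this.entityName != null) {
                sb.append(", entityName='").append(this.entityName).append(CatalogStorage.PARTITION_VALUE_QUOTE);
            }
            if (this.entityType != null) {
                sb.append(", entityType='").append(this.entityType).append(CatalogStorage.PARTITION_VALUE_QUOTE);
            }
            sb.append("}");
            return sb.toString();
        }
    }

    /**
     * Reads the authorization switch and the authorization provider from {@link SecurityUtil}.
     *
     * @throws ServletException wrapping any {@link FalconException} raised while doing so
     */
    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            this.isAuthorizationEnabled = SecurityUtil.isAuthorizationEnabled();
            if (this.isAuthorizationEnabled) {
                LOG.info("Falcon is running with authorization enabled");
            }
            this.authorizationProvider = SecurityUtil.getAuthorizationProvider();
        } catch (FalconException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Authorizes the request when authorization is enabled, then continues the chain.
     *
     * <p>An {@link AuthorizationException} ends the request with 403. An
     * {@link IllegalArgumentException}, including the one raised for a malformed path,
     * ends it with 400, as does an {@link EntityNotRegisteredException} on any method
     * other than DELETE.
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (this.isAuthorizationEnabled) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            try {
                // Parsed inside the try so that a malformed path is answered with 400
                // instead of escaping the filter as an unchecked exception.
                RequestParts userRequest = getUserRequest(httpServletRequest);
                LOG.info("Authorizing user={} against request={}", CurrentUser.getUser(), userRequest);
                UserGroupInformation authenticatedUGI = CurrentUser.getAuthenticatedUGI();
                this.authorizationProvider.authorizeResource(userRequest.getResource(), userRequest.getAction(), userRequest.getEntityType(), userRequest.getEntityName(), authenticatedUGI);
                // The doAs value is taken straight from the request parameter.
                // NOTE(review): whether the caller may impersonate that user is left to
                // SecurityUtil.tryProxy, which is not visible here - confirm it validates.
                tryProxy(authenticatedUGI, userRequest.getEntityType(), userRequest.getEntityName(), servletRequest.getParameter(DO_AS_PARAM));
                LOG.info("Authorization succeeded for user={}, proxy={}", authenticatedUGI.getShortUserName(), CurrentUser.getUser());
            } catch (EntityNotRegisteredException e) {
                // A DELETE for an unregistered entity is not rejected: no error is sent and
                // the request continues down the chain without this filter having authorized it.
                // NOTE(review): presumably this keeps deletes idempotent - confirm the
                // downstream handler does no privileged work in that case.
                if (!"DELETE".equals(httpServletRequest.getMethod())) {
                    sendError((HttpServletResponse) servletResponse, HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
                    return;
                }
            } catch (AuthorizationException e) {
                sendError((HttpServletResponse) servletResponse, HttpServletResponse.SC_FORBIDDEN, e.getMessage());
                return;
            } catch (IllegalArgumentException e) {
                sendError((HttpServletResponse) servletResponse, HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** Drops the reference to the authorization provider. */
    @Override // javax.servlet.Filter
    public void destroy() {
        this.authorizationProvider = null;
    }

    /**
     * Splits the request path into resource, action and, for entity and instance
     * resources, entity type (third segment) and entity name (fourth segment).
     *
     * @throws IllegalArgumentException if the path is missing or has fewer than two segments
     */
    private static RequestParts getUserRequest(HttpServletRequest httpServletRequest) {
        String pathInfo = httpServletRequest.getPathInfo();
        if (pathInfo == null || pathInfo.isEmpty()) {
            throw new IllegalArgumentException(INVALID_PATH_MESSAGE);
        }
        String[] segments = pathInfo.substring(1).split("/");
        if (segments.length < 2) {
            // The message is fixed text so that the request path is not echoed to the client.
            throw new IllegalArgumentException(INVALID_PATH_MESSAGE);
        }
        String resource = segments[0];
        String action = segments[1];
        // NOTE(review): Constants.DOM_ENTITIES (Xerces) and FalconCLI.INSTANCE_CMD look like
        // decompiler substitutions for inlined string literals - confirm they resolve to the
        // intended resource names.
        boolean carriesEntity = resource.equalsIgnoreCase(Constants.DOM_ENTITIES)
                || resource.equalsIgnoreCase(FalconCLI.INSTANCE_CMD);
        if (!carriesEntity) {
            return new RequestParts(resource, action, null, null);
        }
        String entityType = segments.length > 2 ? segments[2] : null;
        String entityName = segments.length > 3 ? segments[3] : null;
        return new RequestParts(resource, action, entityName, entityType);
    }

    /**
     * Attempts to set up a proxy user for the entity named in the request.
     *
     * <p>Does nothing when the request names no entity type or no entity name. A
     * {@link FalconException} from the lookup or the proxy attempt is not propagated;
     * the request then continues without the proxy having been applied.
     *
     * @param userGroupInformation authenticated user; not read by this method
     * @param entityType           entity type from the request path, may be null
     * @param entityName           entity name from the request path, may be null
     * @param doAsUser             value of the doAs request parameter, may be null
     */
    private void tryProxy(UserGroupInformation userGroupInformation, String entityType, String entityName, String doAsUser) throws IOException {
        if (entityType == null || entityName == null) {
            return;
        }
        try {
            SecurityUtil.tryProxy(EntityUtil.getEntity(EntityType.getEnum(entityType), entityName), doAsUser);
        } catch (FalconException e) {
            // Still best-effort, but leave a trace so a skipped proxy can be found in the logs.
            LOG.debug("Proxy not applied for entityType={}, entityName={}", entityType, entityName, e);
        }
    }

    /**
     * Logs the failure and writes a JSON error body with the given status, unless the
     * response has already been committed.
     */
    private void sendError(HttpServletResponse httpServletResponse, int statusCode, String message) throws IOException {
        LOG.error("Authorization failed : {}/{}", statusCode, message);
        if (httpServletResponse.isCommitted()) {
            return;
        }
        httpServletResponse.setStatus(statusCode);
        httpServletResponse.setContentType(RestConstants.JSON_CONTENT_TYPE);
        httpServletResponse.getOutputStream().print(getJsonResponse(statusCode, message));
    }

    /**
     * Builds the JSON error body: error code, error message and the current thread name
     * under the {@code Servlets.REQUEST_ID} key.
     *
     * @throws IOException wrapping a {@link JSONException} raised while building the object
     */
    private String getJsonResponse(int statusCode, String message) throws IOException {
        try {
            JSONObject body = new JSONObject();
            body.put("errorCode", statusCode);
            body.put("errorMessage", message);
            body.put(Servlets.REQUEST_ID, Thread.currentThread().getName());
            return body.toString();
        } catch (JSONException e) {
            throw new IOException(e);
        }
    }
}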
