package org.apache.hadoop.hbase.thrift;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.security.SecurityUtil;
import org.apache.hadoop.hbase.thrift.ThriftServerRunner;
import org.apache.hadoop.hbase.util.Base64;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.thrift.TProcessor;
import org.apache.thrift.protocol.TProtocolFactory;
import org.apache.thrift.server.TServlet;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

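/**
 * Thrift-over-HTTP servlet for the HBase Thrift server.
 *
 * <p>When security is enabled, every POST is authenticated with SPNEGO/Kerberos
 * ({@code Authorization: Negotiate <token>}) under the server's login identity
 * ({@code realUser}); the client's Kerberos principal becomes the effective user.
 * When a {@code doAs} header is present and proxy-user support is enabled, the
 * authenticated caller is additionally checked by {@link ProxyUsers#authorize}
 * (against the proxyuser configuration and the client address) before it may act
 * as that user. The resulting effective user is handed to the
 * {@link ThriftServerRunner.HBaseHandler} before the request is dispatched to
 * the Thrift processor.
 *
 * <p>A servlet container shares one servlet instance between concurrent
 * requests, so per-request state (in particular the SPNEGO token returned to
 * the client for mutual authentication) is kept in a per-request
 * {@link HttpKerberosServerAction}, never in a servlet field.
 */
@InterfaceAudience.Private
public class ThriftHttpServlet extends TServlet {
    private static final long serialVersionUID = 1;
    private static final Log LOG = LogFactory.getLog(ThriftHttpServlet.class.getName());

    /** Response header carrying the SPNEGO challenge or mutual-auth token (RFC 4559). */
    public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    /** Request header carrying the client's SPNEGO token. */
    public static final String AUTHORIZATION = "Authorization";
    /** HTTP authentication scheme name used for SPNEGO. */
    public static final String NEGOTIATE = "Negotiate";

    /** Server login identity used to accept client GSS contexts. */
    private final transient UserGroupInformation realUser;
    /** Configuration consulted for proxy-user (doAs) authorization. */
    private final transient Configuration conf;
    /** Handler that receives the effective user for the current request. */
    private final transient ThriftServerRunner.HBaseHandler hbaseHandler;
    /** Whether SPNEGO authentication is required on every request. */
    private final boolean securityEnabled;
    /** Whether the {@code doAs} header is honoured at all. */
    private final boolean doAsEnabled;

    /**
     * Accepts one client SPNEGO token under the server's Kerberos identity.
     *
     * <p>Intended to be executed through {@link UserGroupInformation#doAs} so the
     * JGSS calls run with the server's login credentials. On success
     * {@link #run()} returns the client's short user name and also stores it in
     * {@link #principal}; any token the server must send back to the client is
     * left in {@link #outToken}. One instance serves exactly one request.
     */
    public static class HttpKerberosServerAction implements PrivilegedExceptionAction<String> {
        /** Kerberos V5 principal name type OID. */
        private static final String KRB5_PRINCIPAL_NAME_OID = "1.2.840.113554.1.2.2.1";
        /** Kerberos V5 GSS-API mechanism OID. */
        private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
        /** SPNEGO pseudo-mechanism OID. */
        private static final String SPNEGO_MECH_OID = "1.3.6.1.5.5.2";

        final HttpServletRequest request;
        final UserGroupInformation serviceUGI;
        /** Base64 token to return in {@code WWW-Authenticate}, or null if the mechanism produced none. */
        String outToken = null;
        /** Short user name of the authenticated client; null until {@link #run()} succeeds. */
        String principal = null;

        /**
         * @param httpServletRequest the request whose {@code Authorization} header holds the client token
         * @param userGroupInformation the server's login identity
         */
        HttpKerberosServerAction(HttpServletRequest httpServletRequest, UserGroupInformation userGroupInformation) {
            this.request = httpServletRequest;
            this.serviceUGI = userGroupInformation;
        }

        /**
         * Accepts the client's token and establishes the GSS security context.
         *
         * @return the short user name derived from the client's Kerberos principal
         * @throws HttpAuthenticationException if the {@code Authorization} header is
         *     missing or malformed, the token is rejected by JGSS, or the context is
         *     not established after the single exchange this servlet supports
         */
        @Override
        public String run() throws HttpAuthenticationException {
            GSSManager manager = GSSManager.getInstance();
            // Server principal as the HBase helper renders it (realm stripped).
            String serverPrincipal = SecurityUtil.getPrincipalWithoutRealm(this.serviceUGI.getUserName());
            GSSContext gssContext = null;
            try {
                GSSName serverName = manager.createName(serverPrincipal, new Oid(KRB5_PRINCIPAL_NAME_OID));
                // Accept-only credential: this side never initiates a context.
                GSSCredential serverCreds = manager.createCredential(serverName,
                        GSSCredential.DEFAULT_LIFETIME,
                        new Oid[] { new Oid(KRB5_MECH_OID), new Oid(SPNEGO_MECH_OID) },
                        GSSCredential.ACCEPT_ONLY);
                gssContext = manager.createContext(serverCreds);

                byte[] inToken = Base64.decode(getAuthHeader(this.request));
                // NOTE(review): HBase's Base64 decoder may return null/empty for malformed input
                // (confirm against its implementation); rejecting that here turns a bad token into
                // a 401 instead of a NullPointerException inside acceptSecContext.
                if (inToken == null || inToken.length == 0) {
                    throw new HttpAuthenticationException(
                            "Kerberos authentication failed: client token is not valid Base64.");
                }
                byte[] replyToken = gssContext.acceptSecContext(inToken, 0, inToken.length);
                if (replyToken != null) {
                    // A header value must be a single line; the encoder may wrap long output.
                    this.outToken = Base64.encodeBytes(replyToken).replace("\n", "");
                }
                if (!gssContext.isEstablished()) {
                    throw new HttpAuthenticationException("Kerberos authentication failed: unable to establish context with the service ticket provided by the client.");
                }
                this.principal = SecurityUtil.getUserFromPrincipal(gssContext.getSrcName().toString());
                return this.principal;
            } catch (GSSException e) {
                throw new HttpAuthenticationException("Kerberos authentication failed: ", e);
            } finally {
                // Release native/JGSS resources on every exit path, success or failure.
                if (gssContext != null) {
                    try {
                        gssContext.dispose();
                    } catch (GSSException e) {
                        LOG.warn("Error while disposing GSS Context", e);
                    }
                }
            }
        }

        /**
         * Extracts the Base64 SPNEGO token from the request's {@code Authorization} header.
         *
         * <p>The header must use the {@code Negotiate} scheme (compared case-insensitively,
         * as HTTP auth schemes are); any other scheme, or a header too short to carry a
         * token, is rejected with an exception rather than being decoded blindly.
         *
         * @param httpServletRequest the incoming request
         * @return the token text following {@code "Negotiate "}, with surrounding whitespace removed
         * @throws HttpAuthenticationException if the header is absent, uses another scheme,
         *     or carries no token
         */
        private String getAuthHeader(HttpServletRequest httpServletRequest) throws HttpAuthenticationException {
            String authHeader = httpServletRequest.getHeader(AUTHORIZATION);
            if (authHeader == null || authHeader.isEmpty()) {
                throw new HttpAuthenticationException("Authorization header received from the client is empty.");
            }
            String schemePrefix = NEGOTIATE + " ";
            if (!authHeader.regionMatches(true, 0, schemePrefix, 0, schemePrefix.length())) {
                throw new HttpAuthenticationException(
                        "Authorization header received from the client does not use the " + NEGOTIATE + " scheme.");
            }
            String token = authHeader.substring(schemePrefix.length()).trim();
            if (token.isEmpty()) {
                throw new HttpAuthenticationException("Authorization header received from the client does not contain any data.");
            }
            return token;
        }
    }

    /**
     * @param tProcessor the Thrift processor handling decoded calls
     * @param tProtocolFactory the Thrift protocol used on the wire
     * @param userGroupInformation the server's login identity (used to accept SPNEGO tokens)
     * @param configuration configuration consulted for proxy-user authorization
     * @param hBaseHandler handler that is told the effective user of each request
     * @param securityEnabled whether every request must authenticate via SPNEGO
     * @param doAsEnabled whether the {@code doAs} header is honoured
     */
    public ThriftHttpServlet(TProcessor tProcessor, TProtocolFactory tProtocolFactory, UserGroupInformation userGroupInformation, Configuration configuration, ThriftServerRunner.HBaseHandler hBaseHandler, boolean securityEnabled, boolean doAsEnabled) {
        super(tProcessor, tProtocolFactory);
        this.realUser = userGroupInformation;
        this.conf = configuration;
        this.hbaseHandler = hBaseHandler;
        this.securityEnabled = securityEnabled;
        this.doAsEnabled = doAsEnabled;
    }

    /**
     * Authenticates (when enabled), authorizes an optional {@code doAs} impersonation,
     * records the effective user on the handler and dispatches to Thrift.
     *
     * <p>On SPNEGO failure the response is a 401 carrying {@code WWW-Authenticate: Negotiate}
     * so the client can start the exchange; on success the mutual-auth token, if the
     * mechanism produced one, is returned in the same header.
     *
     * @throws ServletException if {@code doAs} is used while proxy-user support is
     *     disabled, or the caller is not authorized to impersonate the requested user
     * @throws IOException on response write or Thrift dispatch failure
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String effectiveUser = request.getRemoteUser();
        if (this.securityEnabled) {
            HttpKerberosServerAction auth;
            try {
                auth = doKerberosAuth(request);
            } catch (HttpAuthenticationException e) {
                LOG.error("Kerberos Authentication failed", e);
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.addHeader(WWW_AUTHENTICATE, NEGOTIATE);
                response.getWriter().println("Authentication Error: " + e.getMessage());
                return;
            }
            effectiveUser = auth.principal;
            // Clients expect the server's token back for mutual authentication (RFC 4559);
            // only send the header when the mechanism actually produced one.
            if (auth.outToken != null) {
                response.addHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + auth.outToken);
            }
        }
        String doAsUser = request.getHeader("doAs");
        // With security disabled and no container-level authentication, the request is
        // attributed to the server's own user.
        if (effectiveUser == null) {
            effectiveUser = this.realUser.getShortUserName();
        }
        if (doAsUser != null) {
            if (!this.doAsEnabled) {
                throw new ServletException("Support for proxyuser is not configured");
            }
            // The doAs value is client-supplied; the authenticated caller must be allowed by the
            // proxyuser configuration to impersonate it from this client address.
            UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(doAsUser,
                    UserGroupInformation.createRemoteUser(effectiveUser));
            try {
                ProxyUsers.authorize(proxyUgi, request.getRemoteAddr(), this.conf);
            } catch (AuthorizationException e) {
                throw new ServletException(e.getMessage(), e);
            }
            effectiveUser = doAsUser;
        }
        this.hbaseHandler.setEffectiveUser(effectiveUser);
        super.doPost(request, response);
    }

    /**
     * Runs SPNEGO acceptance for one request under the server's login identity.
     *
     * @param request the request carrying the client's {@code Authorization} header
     * @return the completed action: {@code principal} holds the authenticated user and
     *     {@code outToken} the optional token to return to the client
     * @throws HttpAuthenticationException if authentication fails for any reason;
     *     the underlying exception is preserved as the cause
     */
    private HttpKerberosServerAction doKerberosAuth(HttpServletRequest request) throws HttpAuthenticationException {
        HttpKerberosServerAction action = new HttpKerberosServerAction(request, this.realUser);
        try {
            this.realUser.doAs(action);
            return action;
        } catch (InterruptedException e) {
            // Restore the interrupt flag for the container thread before failing the request.
            Thread.currentThread().interrupt();
            LOG.error("Failed to perform authentication");
            throw new HttpAuthenticationException(e);
        } catch (Exception e) {
            LOG.error("Failed to perform authentication");
            throw new HttpAuthenticationException(e);
        }
    }
}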
