package org.apache.hadoop.hbase.thrift;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.hbase.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.thrift.TProcessor;
import org.apache.thrift.protocol.TProtocolFactory;
import org.apache.thrift.server.TServlet;
import org.apache.yetus.audience.InterfaceAudience;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

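@InterfaceAudience.Private
/**
 * Thrift-over-HTTP servlet that authenticates the caller with SPNEGO/Kerberos (when security is
 * enabled), optionally applies a {@code doAs} proxy-user request, and then hands the effective user
 * to the service handler before delegating the Thrift call to {@link TServlet}.
 */
public class ThriftHttpServlet extends TServlet {
    private static final long serialVersionUID = 1L;
    private static final Logger LOG = LoggerFactory.getLogger(ThriftHttpServlet.class);

    /** HTTP authentication scheme name used for both the challenge and the success header. */
    public static final String NEGOTIATE = "Negotiate";
    /** Scheme prefix, including the separating space, that a SPNEGO Authorization value must carry. */
    private static final String NEGOTIATE_PREFIX = NEGOTIATE + " ";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    private static final String DO_AS_HEADER = "doAs";

    /** Identity the Thrift calls run as when no authenticated user is available. */
    private final transient UserGroupInformation serviceUGI;
    /** Kerberos identity whose credentials accept the client's SPNEGO token. */
    private final transient UserGroupInformation httpUGI;
    /** Handler that receives the effective user for each request. */
    private final transient HBaseServiceHandler handler;
    /** Whether the {@code doAs} header may be honoured (proxy-user support). */
    private final boolean doAsEnabled;
    /** Whether SPNEGO authentication is required on every request. */
    private final boolean securityEnabled;

    /**
     * Accepts the client's SPNEGO token using the HTTP principal's Kerberos credentials.
     * Runs inside {@code httpUGI.doAs(...)} so the acceptor credentials are those of that login.
     */
    public static final class HttpKerberosServerAction implements PrivilegedExceptionAction<String> {
        final HttpServletRequest request;
        final UserGroupInformation httpUGI;
        /** Base64 token to return to the client in {@code WWW-Authenticate}; null when GSS produced none. */
        String outToken = null;

        HttpKerberosServerAction(HttpServletRequest request, UserGroupInformation httpUGI) {
            this.request = request;
            this.httpUGI = httpUGI;
        }

        /**
         * Establishes a GSS acceptor context from the client's token.
         *
         * @return the short user name derived from the client principal
         * @throws HttpAuthenticationException when the header is missing or malformed, the token is not
         *         valid base64, or the GSS context cannot be established
         */
        @Override
        public String run() throws HttpAuthenticationException {
            GSSManager manager = GSSManager.getInstance();
            String serverPrincipal = SecurityUtil.getPrincipalWithoutRealm(this.httpUGI.getUserName());
            GSSContext gssContext = null;
            try {
                // Kerberos principal name type (KRB5_NT_PRINCIPAL) and the two mechanisms we accept.
                Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
                Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
                Oid spnegoMechanism = new Oid("1.3.6.1.5.5.2");
                GSSCredential serverCreds = manager.createCredential(
                    manager.createName(serverPrincipal, krb5PrincipalNameType),
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid[] { krb5Mechanism, spnegoMechanism },
                    GSSCredential.ACCEPT_ONLY);
                gssContext = manager.createContext(serverCreds);

                byte[] inToken = decodeToken(getAuthHeader(this.request));
                byte[] responseToken = gssContext.acceptSecContext(inToken, 0, inToken.length);
                if (responseToken != null) {
                    // The basic java.util.Base64 encoder emits no line separators.
                    this.outToken = Base64.getEncoder().encodeToString(responseToken);
                }
                if (!gssContext.isEstablished()) {
                    throw new HttpAuthenticationException("Kerberos authentication failed: unable to establish context with the service ticket provided by the client.");
                }
                return SecurityUtil.getUserFromPrincipal(gssContext.getSrcName().toString());
            } catch (GSSException e) {
                throw new HttpAuthenticationException("Kerberos authentication failed: ", e);
            } finally {
                // Always release the context, including when acceptSecContext or the checks above fail.
                if (gssContext != null) {
                    try {
                        gssContext.dispose();
                    } catch (GSSException e) {
                        LOG.warn("Error while disposing GSS Context", e);
                    }
                }
            }
        }

        /**
         * Decodes the base64 token carried by the Authorization header.
         *
         * @throws HttpAuthenticationException when the value is not valid base64
         */
        private static byte[] decodeToken(String encoded) throws HttpAuthenticationException {
            try {
                return Base64.getDecoder().decode(encoded);
            } catch (IllegalArgumentException e) {
                throw new HttpAuthenticationException("Authorization header received from the client is not valid base64.", e);
            }
        }

        /**
         * Extracts the SPNEGO token from the request's Authorization header.
         *
         * @throws HttpAuthenticationException when the header is absent, empty, does not use the
         *         Negotiate scheme, or carries no token
         */
        private String getAuthHeader(HttpServletRequest httpServletRequest) throws HttpAuthenticationException {
            String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
            if (header == null || header.isEmpty()) {
                throw new HttpAuthenticationException("Authorization header received from the client is empty.");
            }
            String token = stripNegotiateScheme(header);
            if (token == null) {
                throw new HttpAuthenticationException("Authorization header received from the client does not use the Negotiate scheme.");
            }
            if (token.isEmpty()) {
                throw new HttpAuthenticationException("Authorization header received from the client does not contain any data.");
            }
            return token;
        }
    }

    /** Result of a successful SPNEGO exchange: the authenticated principal and the token to send back. */
    public static final class RemoteUserIdentity {
        final String outToken;
        final String principal;

        RemoteUserIdentity(String principal, String outToken) {
            this.principal = principal;
            this.outToken = outToken;
        }
    }

    /**
     * Returns the token part of a {@code Negotiate <token>} Authorization header value.
     * The scheme comparison is case-insensitive, as HTTP auth scheme names are.
     *
     * @param headerValue raw Authorization header value; may be null
     * @return the token (possibly empty), or {@code null} when the value does not carry the
     *         Negotiate scheme
     */
    static String stripNegotiateScheme(String headerValue) {
        int prefixLen = NEGOTIATE_PREFIX.length();
        if (headerValue == null || headerValue.length() < prefixLen
            || !headerValue.regionMatches(true, 0, NEGOTIATE_PREFIX, 0, prefixLen)) {
            return null;
        }
        return headerValue.substring(prefixLen);
    }

    /**
     * @param processor       Thrift processor handed to {@link TServlet}
     * @param protocolFactory Thrift protocol factory handed to {@link TServlet}
     * @param serviceUGI      identity used when no authenticated user is available
     * @param httpUGI         Kerberos identity that accepts SPNEGO tokens
     * @param handler         handler that receives the effective user per request
     * @param securityEnabled whether SPNEGO authentication is required
     * @param doAsEnabled     whether the {@code doAs} header is honoured
     */
    public ThriftHttpServlet(TProcessor processor, TProtocolFactory protocolFactory,
        UserGroupInformation serviceUGI, UserGroupInformation httpUGI, HBaseServiceHandler handler,
        boolean securityEnabled, boolean doAsEnabled) {
        super(processor, protocolFactory);
        this.serviceUGI = serviceUGI;
        this.httpUGI = httpUGI;
        this.handler = handler;
        this.securityEnabled = securityEnabled;
        this.doAsEnabled = doAsEnabled;
    }

    /**
     * Authenticates the request (SPNEGO when security is enabled), applies an authorized
     * {@code doAs} proxy user, records the effective user on the handler and dispatches the call.
     *
     * @throws ServletException when {@code doAs} is used but proxy-user support is off, or the
     *         proxy-user authorization fails
     * @throws IOException      on response errors or from the Thrift dispatch
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
        String effectiveUser = request.getRemoteUser();
        if (this.securityEnabled) {
            String authHeader = request.getHeader(AUTHORIZATION_HEADER);
            if (authHeader == null || authHeader.isEmpty()) {
                // No credentials yet: challenge the client to start SPNEGO.
                response.addHeader(WWW_AUTHENTICATE_HEADER, NEGOTIATE);
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            RemoteUserIdentity identity;
            try {
                identity = doKerberosAuth(request);
            } catch (HttpAuthenticationException e) {
                LOG.error("Kerberos Authentication failed", e);
                response.addHeader(WWW_AUTHENTICATE_HEADER, NEGOTIATE);
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Error: " + e.getMessage());
                return;
            }
            effectiveUser = identity.principal;
            // GSS may complete without a response token; only echo one when it exists.
            if (identity.outToken != null) {
                response.addHeader(WWW_AUTHENTICATE_HEADER, NEGOTIATE_PREFIX + identity.outToken);
            }
        }
        if (effectiveUser == null) {
            effectiveUser = this.serviceUGI.getShortUserName();
        }

        String doAsUser = request.getHeader(DO_AS_HEADER);
        if (doAsUser != null) {
            if (!this.doAsEnabled) {
                throw new ServletException("Support for proxyuser is not configured");
            }
            try {
                // The authenticated user must be configured as a proxy for doAsUser from this address.
                UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(doAsUser,
                    UserGroupInformation.createRemoteUser(effectiveUser));
                ProxyUsers.authorize(proxyUser, request.getRemoteAddr());
                effectiveUser = doAsUser;
            } catch (AuthorizationException e) {
                throw new ServletException(e);
            }
        }

        // NOTE(review): handler is shared across requests; per-request isolation of the effective
        // user depends on HBaseServiceHandler's implementation — confirm.
        this.handler.setEffectiveUser(effectiveUser);
        super.doPost(request, response);
    }

    /**
     * Runs the SPNEGO acceptor as the HTTP principal.
     *
     * @return the authenticated principal and the response token (may be null)
     * @throws HttpAuthenticationException when the exchange fails for any reason
     */
    private RemoteUserIdentity doKerberosAuth(HttpServletRequest request) throws HttpAuthenticationException {
        HttpKerberosServerAction action = new HttpKerberosServerAction(request, this.httpUGI);
        try {
            String principal = this.httpUGI.doAs(action);
            return new RemoteUserIdentity(principal, action.outToken);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            LOG.info("Failed to authenticate with {} kerberos principal", this.httpUGI.getUserName());
            throw new HttpAuthenticationException(e);
        } catch (Exception e) {
            LOG.info("Failed to authenticate with {} kerberos principal", this.httpUGI.getUserName());
            // doAs may deliver the action's HttpAuthenticationException wrapped; surface the original
            // so the message sent back to the client stays meaningful.
            Throwable cause = e.getCause();
            if (cause instanceof HttpAuthenticationException) {
                throw (HttpAuthenticationException) cause;
            }
            throw new HttpAuthenticationException(e);
        }
    }
}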
