package org.apache.knox.gateway.hadoopauth.filter;

import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.text.ParseException;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.knox.gateway.audit.api.AuditService;
import org.apache.knox.gateway.audit.api.AuditServiceFactory;
import org.apache.knox.gateway.audit.api.Auditor;
import org.apache.knox.gateway.hadoopauth.HadoopAuthMessages;
import org.apache.knox.gateway.hadoopauth.deploy.HadoopAuthDeploymentContributor;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.filter.JWTFederationFilter;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.knox.gateway.services.security.token.UnknownTokenException;

/* loaded from: input_file:org/apache/knox/gateway/hadoopauth/filter/HadoopAuthPostFilter.class */
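/**
 * Servlet filter that builds a JAAS {@link Subject} for the caller and runs the rest of the
 * filter chain under that subject.
 *
 * <p>The identity comes from one of two places:
 * <ul>
 *   <li>a JWT or passcode token read from the request, when the {@code support.jwt} init
 *       parameter is enabled and {@link HadoopAuthFilter#shouldUseJwtFilter} selects that path;</li>
 *   <li>otherwise {@link HttpServletRequest#getRemoteUser()}.</li>
 * </ul>
 *
 * <p>The filter fails closed: if no subject can be established, the request is rejected with
 * HTTP 403 and the chain is not invoked.
 *
 * <p>NOTE(review): the remote-user branch trusts whatever the container or an earlier filter set as
 * the remote user; presumably that is the Hadoop authentication filter placed before this one.
 * Confirm the filter ordering in the deployment contributor.
 */
public class HadoopAuthPostFilter implements Filter {
    private static final HadoopAuthMessages log = (HadoopAuthMessages) MessagesFactory.get(HadoopAuthMessages.class);
    private static final AuditService auditService = AuditServiceFactory.getAuditService();
    private static final Auditor auditor = auditService.getAuditor("audit", "knox", "knox");

    /** Delegate used for token handling; stays {@code null} unless {@code support.jwt} is true. */
    private JWTFederationFilter jwtFilter;

    /**
     * Reads the {@code support.jwt} init parameter and, when it is true, creates and initialises
     * the JWT federation filter with the same configuration.
     *
     * @param filterConfig the filter configuration supplied by the container
     * @throws ServletException if initialising the JWT federation filter fails
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Boolean.parseBoolean(null) is false, so a missing parameter leaves JWT support off.
        if (Boolean.parseBoolean(filterConfig.getInitParameter("support.jwt"))) {
            this.jwtFilter = new JWTFederationFilter();
            this.jwtFilter.init(filterConfig);
        }
    }

    /** No resources are held by this filter itself, so there is nothing to release here. */
    @Override
    public void destroy() {
    }

    /**
     * Establishes the caller's subject, records it in the log and audit context, and continues
     * the chain as that subject. Requests without an established subject get HTTP 403.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the response; cast to {@link HttpServletResponse} on rejection
     * @param filterChain the remaining chain, invoked only for an established subject
     * @throws IOException if the chain or the error response fails with an I/O error
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        Subject subject = null;
        if (HadoopAuthFilter.shouldUseJwtFilter(this.jwtFilter, httpRequest)) {
            try {
                final Pair<?, ?> wireToken = this.jwtFilter.getWireToken(servletRequest);
                // Guard against a missing token so the request is rejected with 403 below
                // instead of failing with a NullPointerException.
                if (wireToken != null) {
                    final Object tokenType = wireToken.getLeft();
                    final String token = (String) wireToken.getRight();
                    if (JWTFederationFilter.TokenType.JWT.equals(tokenType)) {
                        subject = this.jwtFilter.createSubjectFromToken(token);
                    } else if (JWTFederationFilter.TokenType.Passcode.equals(tokenType)) {
                        subject = this.jwtFilter.createSubjectFromTokenIdentifier(token);
                    }
                    // Any other token type leaves subject null and is rejected below.
                }
            } catch (ParseException | UnknownTokenException ignored) {
                // Deliberately not rethrown: subject stays null, so the request is rejected
                // with 403 below.
                // NOTE(review): the rejection is neither logged nor audited here, so malformed
                // or unknown tokens leave no trace from this filter. Consider recording the
                // failure (without the token value) so repeated bad tokens can be detected.
            }
        } else {
            final String remoteUser = httpRequest.getRemoteUser();
            if (remoteUser != null) {
                subject = new Subject();
                subject.getPrincipals().add(new PrimaryPrincipal(remoteUser));
            }
        }
        if (subject == null) {
            ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_FORBIDDEN, "User not authenticated");
            return;
        }
        // Build the principal list once so the log entry and the audit context agree.
        final String principals = getPrincipalsAsString(subject);
        log.hadoopAuthAssertedPrincipal(principals);
        auditService.getContext().setUsername(principals);
        auditor.audit(HadoopAuthDeploymentContributor.ROLE, (String) servletRequest.getAttribute("sourceRequestContextUrl"), "uri", "success");
        doAs(servletRequest, servletResponse, filterChain, subject);
    }

    /**
     * Joins the distinct principal names of the subject with commas.
     *
     * @param subject the subject whose principals are listed
     * @return the comma-separated names; the order is not defined because names are collected
     *     into a set
     */
    private String getPrincipalsAsString(Subject subject) {
        return String.join(",", subject.getPrincipals().stream()
                .map(principal -> principal.getName())
                .collect(Collectors.toSet()));
    }

    /**
     * Runs the remaining filter chain as the given subject and unwraps any failure so callers
     * see the exception types declared by {@link Filter#doFilter}.
     *
     * @param servletRequest the request passed down the chain
     * @param servletResponse the response passed down the chain
     * @param filterChain the chain to invoke
     * @param subject the subject to run the chain as
     * @throws IOException if the chain failed with an I/O error
     * @throws ServletException if the chain failed with a servlet error, or with any other
     *     exception, which is wrapped
     */
    private void doAs(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain, Subject subject) throws IOException, ServletException {
        try {
            Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
                filterChain.doFilter(servletRequest, servletResponse);
                return null;
            });
        } catch (PrivilegedActionException e) {
            // getCause() returns Throwable; rethrow the declared types as-is and wrap the rest,
            // keeping the original cause attached.
            final Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        }
    }
}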
