package org.apache.knox.gateway.hadoopauth.filter;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.util.HttpExceptionUtils;
import org.apache.knox.gateway.GatewayServer;
import org.apache.knox.gateway.audit.api.AuditContext;
import org.apache.knox.gateway.audit.api.AuditService;
import org.apache.knox.gateway.audit.api.AuditServiceFactory;
import org.apache.knox.gateway.audit.api.Auditor;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.hadoopauth.HadoopAuthMessages;
import org.apache.knox.gateway.hadoopauth.deploy.HadoopAuthDeploymentContributor;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.filter.JWTFederationFilter;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.knox.gateway.services.ServiceType;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.util.AuthFilterUtils;

/* loaded from: input_file:org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.class */
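/**
 * Knox's Hadoop-style authentication filter: Hadoop's {@link AuthenticationFilter} with three
 * Knox-specific behaviours layered on top.
 * <ul>
 *   <li>Requests for configured "unauthenticated" paths (plus the built-in
 *       {@code /knoxtoken/api/v1/jwks.json}) skip authentication entirely and run as the
 *       {@code anonymous} principal. Whether the match is exact or a substring test is decided by
 *       {@link AuthFilterUtils#doesRequestContainUnauthPath}; an exact path match is what keeps this
 *       from becoming an auth bypass, so any change there must be reviewed with that in mind.</li>
 *   <li>When the {@value #SUPPORT_JWT} init-param is {@code true} and the request carries a JWT on
 *       the wire, the request is handed to a {@link JWTFederationFilter} instead of Hadoop auth.</li>
 *   <li>A {@code doAs} query parameter is honoured only after Hadoop's {@link ProxyUsers} rules
 *       (the {@code hadoop.proxyuser.*} init-params) authorise the already-authenticated user to
 *       impersonate that user from the request's remote address; otherwise the request is rejected
 *       with 403.</li>
 * </ul>
 * Init-param values of the form {@code ${ALIAS=name}} are resolved to secrets through the
 * {@link AliasService} (cluster-scoped alias first, then gateway-scoped) when the filter is
 * configured.
 */
public class HadoopAuthFilter extends AuthenticationFilter {
    private static final String QUERY_PARAMETER_DOAS = "doAs";
    private static final String PROXYUSER_PREFIX = "hadoop.proxyuser";
    static final String SUPPORT_JWT = "support.jwt";
    private static final String HADOOP_AUTH_UNAUTHENTICATED_PATHS_PARAM = "hadoop.auth.unauthenticated.path.list";
    /** Init-param overriding the gateway-wide list of identities whose {@code doAs} is ignored. */
    private static final String IGNORE_DOAS_SERVICES_PARAM = "gateway.proxyuser.services.ignore.doas";
    /** Servlet-context attribute under which Knox publishes its {@link GatewayConfig}. */
    private static final String GATEWAY_CONFIG_ATTRIBUTE = "org.apache.knox.gateway.config";
    /** Always treated as unauthenticated so clients can fetch the token-signing public keys. */
    private static final String DEFAULT_UNAUTHENTICATED_PATH = "/knoxtoken/api/v1/jwks.json";
    private static final String CLUSTER_NAME_PARAM = "clusterName";
    private static final String ALIAS_PREFIX = "${ALIAS=";
    private static final String ALIAS_SUFFIX = "}";
    private static final String SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE = "sourceRequestContextUrl";
    private static final String ANONYMOUS_USER = "anonymous";

    private static final HadoopAuthMessages LOG = MessagesFactory.get(HadoopAuthMessages.class);
    private static final AuditService auditService = AuditServiceFactory.getAuditService();
    private static final Auditor auditor = auditService.getAuditor("audit", "knox", "knox");

    /** Lower-cased remote-user names for which a {@code doAs} parameter is silently not honoured. */
    private final Set<String> ignoreDoAs = new HashSet<>();
    /** Paths that bypass authentication; populated in {@link #init(FilterConfig)}. */
    private final Set<String> unAuthenticatedPaths = new HashSet<>(20);
    /** Non-null only when {@value #SUPPORT_JWT} was enabled at init time. */
    private JWTFederationFilter jwtFilter;

    /**
     * Request view presented to the chain for unauthenticated-path requests: the remote user and
     * principal are the fixed anonymous principal, everything else is delegated.
     */
    private static final class AnonymousRequest extends HttpServletRequestWrapper {
        private final Principal principal;

        AnonymousRequest(HttpServletRequest request, Principal principal) {
            super(request);
            this.principal = Objects.requireNonNull(principal, "principal");
        }

        @Override
        public String getRemoteUser() {
            return principal.getName();
        }

        @Override
        public Principal getUserPrincipal() {
            return principal;
        }
    }

    /**
     * Request view presented to the chain once a {@code doAs} impersonation has been authorised:
     * the remote user becomes the proxied user's short name and the principal its full user name.
     */
    private static final class ProxyUserRequest extends HttpServletRequestWrapper {
        private final UserGroupInformation proxyUser;

        ProxyUserRequest(HttpServletRequest request, UserGroupInformation proxyUser) {
            super(request);
            this.proxyUser = Objects.requireNonNull(proxyUser, "proxyUser");
        }

        @Override
        public String getRemoteUser() {
            return proxyUser.getShortUserName();
        }

        @Override
        public Principal getUserPrincipal() {
            return proxyUser::getUserName;
        }
    }

    /**
     * Builds Hadoop's authentication-filter configuration from init-params prefixed with
     * {@code configPrefix}, resolving {@code ${ALIAS=...}} values through the gateway's alias service.
     */
    @Override
    protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException {
        AliasService aliasService = (AliasService) GatewayServer.getGatewayServices().getService(ServiceType.ALIAS_SERVICE);
        return getConfiguration(aliasService, configPrefix, filterConfig);
    }

    /**
     * Loads proxy-user rules, the doAs-ignore list, the optional JWT delegate and the
     * unauthenticated path list, then initialises the underlying Hadoop filter.
     *
     * @throws ServletException if the Hadoop filter or the JWT delegate fails to initialise, or an
     *         alias referenced from configuration cannot be resolved
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Impersonation rules come only from this filter's hadoop.proxyuser.* init-params.
        // NOTE(review): ProxyUsers is process-wide static state, so the last topology to initialise
        // would overwrite the rules of any other topology in the same JVM — confirm this is intended.
        ProxyUsers.refreshSuperUserGroupsConfiguration(getProxyuserConfiguration(filterConfig), PROXYUSER_PREFIX);

        this.ignoreDoAs.addAll(resolveIdentitiesToIgnoreDoAs(filterConfig));

        super.init(filterConfig);

        // Boolean.parseBoolean(null) is false, which matches the "absent means disabled" default.
        if (Boolean.parseBoolean(filterConfig.getInitParameter(SUPPORT_JWT))) {
            this.jwtFilter = new JWTFederationFilter();
            this.jwtFilter.init(filterConfig);
            LOG.initializedJwtFilter();
        }

        AuthFilterUtils.addUnauthPaths(this.unAuthenticatedPaths,
            filterConfig.getInitParameter(HADOOP_AUTH_UNAUTHENTICATED_PATHS_PARAM),
            DEFAULT_UNAUTHENTICATED_PATH);
    }

    /**
     * Returns the identities whose {@code doAs} parameter must be ignored: the filter init-param
     * (comma separated, lower-cased here) wins when it is present and non-blank; otherwise the
     * gateway-wide list from {@link GatewayConfig}; otherwise nothing.
     * NOTE(review): the gateway-wide list is not lower-cased here, so it is assumed to be
     * already normalised — verify against {@link GatewayConfig#getServicesToIgnoreDoAs()}.
     */
    private static Collection<? extends String> resolveIdentitiesToIgnoreDoAs(FilterConfig filterConfig) {
        String configured = filterConfig.getInitParameter(IGNORE_DOAS_SERVICES_PARAM);
        if (configured != null) {
            String trimmed = configured.trim();
            if (!trimmed.isEmpty()) {
                return Arrays.asList(trimmed.toLowerCase(Locale.ROOT).split("\\s*,\\s*"));
            }
        }
        Object attribute = filterConfig.getServletContext().getAttribute(GATEWAY_CONFIG_ATTRIBUTE);
        if (attribute instanceof GatewayConfig) {
            Collection<? extends String> fromGateway = ((GatewayConfig) attribute).getServicesToIgnoreDoAs();
            if (fromGateway != null) {
                return fromGateway;
            }
        }
        return Collections.emptyList();
    }

    /**
     * Entry point for every request. Order matters: unauthenticated paths are answered first
     * (no credentials examined), then a request carrying a JWT goes to the JWT delegate, and only
     * the remainder reaches Hadoop authentication.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (AuthFilterUtils.doesRequestContainUnauthPath(this.unAuthenticatedPaths, request)) {
            continueWithAnonymousSubject(request, response, chain);
            return;
        }
        if (shouldUseJwtFilter(this.jwtFilter, (HttpServletRequest) request)) {
            LOG.useJwtFilter();
            this.jwtFilter.doFilter(request, response, chain);
            return;
        }
        super.doFilter(request, response, chain);
    }

    /**
     * Post-authentication hook of {@link AuthenticationFilter}: the request here already carries
     * the authenticated remote user. Re-checks the bypass/JWT cases (subclasses may reach this
     * directly) and then applies {@code doAs} impersonation under Hadoop's proxy-user rules.
     */
    @Override
    protected void doFilter(FilterChain chain, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        if (AuthFilterUtils.doesRequestContainUnauthPath(this.unAuthenticatedPaths, request)) {
            continueWithAnonymousSubject(request, response, chain);
            return;
        }
        if (shouldUseJwtFilter(this.jwtFilter, request)) {
            LOG.useJwtFilter();
            this.jwtFilter.doFilter(request, response, chain);
            return;
        }

        String remoteUser = request.getRemoteUser();
        // getParameter() is deliberately only consulted for identities that may impersonate, so a
        // form body is not consumed on behalf of identities whose doAs is ignored.
        if (!ignoreDoAs(remoteUser)) {
            String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
            if (doAsUser != null && !doAsUser.equals(remoteUser)) {
                HttpServletRequest impersonated = impersonate(request, response, remoteUser, doAsUser);
                if (impersonated == null) {
                    return; // 403 already written to the response
                }
                request = impersonated;
            }
        }
        super.doFilter(chain, request, response);
    }

    /**
     * Authorises {@code remoteUser} to act as {@code doAsUser} via {@link ProxyUsers}.
     *
     * @return a request wrapper presenting {@code doAsUser} as the caller; the unchanged request
     *         when it carries no principal (impersonation then does not apply); or {@code null}
     *         after a 403 has been written because the proxy-user rules denied the impersonation
     * @throws IOException if the 403 error response cannot be written
     */
    private HttpServletRequest impersonate(HttpServletRequest request, HttpServletResponse response,
                                           String remoteUser, String doAsUser) throws IOException {
        String remoteAddr = request.getRemoteAddr();
        LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, remoteAddr);
        if (request.getUserPrincipal() == null) {
            // NOTE(review): a doAs with no principal is passed through untouched (the parameter
            // stays in the query string for downstream services). AuthenticationFilter should
            // never call this hook without a principal — confirm, or reject here instead.
            return request;
        }
        UserGroupInformation realUser = UserGroupInformation.createRemoteUser(remoteUser);
        UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(doAsUser, realUser);
        try {
            // The hosts rule is evaluated against the TCP peer address only; forwarded-for headers
            // are not consulted, so behind a load balancer the balancer's address is what is checked.
            ProxyUsers.authorize(proxyUser, remoteAddr);
        } catch (AuthorizationException e) {
            HttpExceptionUtils.createServletExceptionResponse(response, HttpServletResponse.SC_FORBIDDEN, e);
            LOG.hadoopAuthProxyUserFailed(e);
            return null;
        }
        LOG.hadoopAuthProxyUserSuccess();
        return new ProxyUserRequest(request, proxyUser);
    }

    /**
     * Runs the rest of the chain as the {@code anonymous} principal for an unauthenticated path;
     * any failure is logged with the request URI and rethrown.
     */
    private void continueWithAnonymousSubject(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        try {
            Subject anonymous = new Subject();
            anonymous.getPrincipals().add(new PrimaryPrincipal(ANONYMOUS_USER));
            LOG.unauthenticatedPathBypass(httpRequest.getRequestURI(), this.unAuthenticatedPaths.toString());
            continueWithEstablishedSecurityContext(anonymous, httpRequest, (HttpServletResponse) response, chain);
        } catch (IOException | ServletException | RuntimeException e) {
            LOG.unauthenticatedPathError(httpRequest.getRequestURI(), e.toString());
            throw e;
        }
    }

    /**
     * Records an audit entry for the subject's primary principal and continues the chain inside
     * {@link Subject#doAs}, unwrapping {@link PrivilegedActionException} back into the checked
     * servlet exception types.
     *
     * @throws ServletException if {@code subject} carries no {@link PrimaryPrincipal}, or the chain
     *         throws a checked exception other than {@link IOException}
     */
    protected void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
        Set<PrimaryPrincipal> primaries = subject.getPrincipals(PrimaryPrincipal.class);
        if (primaries.isEmpty()) {
            throw new ServletException("Subject has no " + PrimaryPrincipal.class.getSimpleName());
        }
        final Principal principal = primaries.iterator().next();

        AuditContext context = auditService.getContext();
        if (context != null) {
            context.setUsername(principal.getName());
            String sourceUrl = (String) request.getAttribute(SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE);
            if (sourceUrl != null) {
                auditor.audit(HadoopAuthDeploymentContributor.ROLE, sourceUrl, "uri", "success");
            }
        }

        try {
            Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                chain.doFilter(new AnonymousRequest(request, principal), response);
                return null;
            });
        } catch (PrivilegedActionException e) {
            // getCause() is a Throwable; restore the checked type the servlet contract allows.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        }
    }

    /**
     * @return {@code true} when JWT support is enabled and the request carries a token on the wire
     */
    public static boolean shouldUseJwtFilter(JWTFederationFilter jwtFilter, HttpServletRequest request) throws IOException, ServletException {
        if (jwtFilter == null) {
            return false;
        }
        return jwtFilter.getWireToken(request) != null;
    }

    /**
     * @return {@code true} when no {@code doAs} must be honoured for {@code remoteUser}: it is
     *         missing/empty (no authenticated identity to impersonate from) or is on the ignore list
     */
    boolean ignoreDoAs(String remoteUser) {
        if (remoteUser == null || remoteUser.isEmpty()) {
            return true;
        }
        return this.ignoreDoAs.contains(remoteUser.toLowerCase(Locale.ROOT));
    }

    /** Copies every {@code hadoop.proxyuser.*} init-param into a fresh, default-free Configuration. */
    private Configuration getProxyuserConfiguration(FilterConfig filterConfig) {
        Configuration configuration = new Configuration(false);
        String prefix = PROXYUSER_PREFIX + ".";
        Enumeration<String> names = filterConfig.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (name.startsWith(prefix)) {
                configuration.set(name, filterConfig.getInitParameter(name));
            }
        }
        return configuration;
    }

    /**
     * Collects init-params starting with {@code configPrefix}, keyed by the remainder of the name,
     * with {@code ${ALIAS=...}} values resolved through {@code aliasService}.
     *
     * @throws ServletException if an alias lookup fails
     */
    Properties getConfiguration(AliasService aliasService, String configPrefix, FilterConfig filterConfig) throws ServletException {
        Properties properties = new Properties();
        Enumeration<String> names = filterConfig.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (name.startsWith(configPrefix)) {
                String resolved = handleAlias(aliasService, filterConfig, filterConfig.getInitParameter(name), name);
                properties.put(name.substring(configPrefix.length()), resolved);
            }
        }
        return properties;
    }

    /**
     * Resolves a {@code ${ALIAS=name}} value: the cluster-scoped alias (using the
     * {@code clusterName} init-param) is tried first, then the gateway-scoped one. A value that is
     * not an alias reference, or an alias that is stored nowhere, is returned unchanged (the latter
     * is logged). Resolved secrets end up as immutable Strings in Hadoop's Properties, so they
     * cannot be scrubbed afterwards.
     *
     * @param paramName the init-param being resolved, for the error message only
     * @throws ServletException if the alias service itself fails
     */
    private String handleAlias(AliasService aliasService, FilterConfig filterConfig, String value, String paramName) throws ServletException {
        if (!(value.startsWith(ALIAS_PREFIX) && value.endsWith(ALIAS_SUFFIX))) {
            return value;
        }
        String clusterName = filterConfig.getInitParameter(CLUSTER_NAME_PARAM);
        String alias = value.substring(ALIAS_PREFIX.length(), value.length() - ALIAS_SUFFIX.length());
        try {
            char[] clusterSecret = aliasService.getPasswordFromAliasForCluster(clusterName, alias);
            if (clusterSecret != null) {
                return String.valueOf(clusterSecret);
            }
            char[] gatewaySecret = aliasService.getPasswordFromAliasForGateway(alias);
            if (gatewaySecret != null) {
                return String.valueOf(gatewaySecret);
            }
            LOG.noAliasStored(clusterName, alias);
            return value;
        } catch (AliasServiceException e) {
            throw new ServletException("Unable to retrieve alias for config: " + paramName, e);
        }
    }

    /** @return whether a JWT delegate was created at init time */
    boolean isJwtSupported() {
        return this.jwtFilter != null;
    }
}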
