package org.apache.hadoop.gateway.filter.security;

import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.hadoop.gateway.audit.api.AuditService;
import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
import org.apache.hadoop.gateway.audit.api.Auditor;
import org.apache.hadoop.gateway.i18n.GatewaySpiMessages;
import org.apache.hadoop.gateway.i18n.GatewaySpiResources;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.hadoop.gateway.i18n.resources.ResourcesFactory;
import org.apache.hadoop.gateway.security.GroupPrincipal;
import org.apache.hadoop.gateway.security.ImpersonatedPrincipal;
import org.apache.hadoop.gateway.security.PrimaryPrincipal;
import org.apache.hadoop.gateway.security.principal.PrincipalMapper;
import org.apache.hadoop.gateway.security.principal.PrincipalMappingException;
import org.apache.hadoop.gateway.security.principal.SimplePrincipalMapper;

/* loaded from: input_file:org/apache/hadoop/gateway/filter/security/AbstractIdentityAssertionFilter.class */
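/**
 * Base servlet {@link Filter} for identity assertion: it continues the filter chain under a
 * {@link Subject} that carries the authenticated primary principal, an
 * {@link ImpersonatedPrincipal} when the asserted name differs from the authenticated one, and
 * any {@link GroupPrincipal}s produced by the configured {@link PrincipalMapper}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The method refuses to continue (throws {@link ServletException}) when no authenticated
 *       identity can be established, rather than failing with an unchecked exception.</li>
 *   <li>Every name change and every group mapping is written to the audit log before the chain
 *       continues; these "identity-mapping" events are the record to monitor for unexpected
 *       impersonation.</li>
 * </ul>
 */
public abstract class AbstractIdentityAssertionFilter extends AbstractIdentityAssertionBase implements Filter {
    private static final GatewaySpiMessages LOG = (GatewaySpiMessages) MessagesFactory.get(GatewaySpiMessages.class);
    private static final GatewaySpiResources RES = (GatewaySpiResources) ResourcesFactory.get(GatewaySpiResources.class);
    private static final AuditService auditService = AuditServiceFactory.getAuditService();
    private static final Auditor auditor = auditService.getAuditor("audit", "knox", "knox");

    /** Mapper used for group lookups; subclasses may replace it. */
    protected PrincipalMapper mapper = new SimplePrincipalMapper();

    /**
     * Loads the principal and group mapping tables from the servlet context init parameters
     * {@code principal.mapping} and {@code group.principal.mapping}.
     *
     * <p>Nothing is loaded when both parameters are absent or empty.
     *
     * @param filterConfig filter configuration giving access to the servlet context
     */
    protected void loadPrincipalMappings(FilterConfig filterConfig) {
        String principalMapping = filterConfig.getServletContext().getInitParameter("principal.mapping");
        String groupMapping = filterConfig.getServletContext().getInitParameter("group.principal.mapping");
        boolean noPrincipalMapping = principalMapping == null || principalMapping.isEmpty();
        boolean noGroupMapping = groupMapping == null || groupMapping.isEmpty();
        if (noPrincipalMapping && noGroupMapping) {
            return;
        }
        try {
            this.mapper.loadMappingTable(principalMapping, groupMapping);
        } catch (PrincipalMappingException e) {
            // NOTE(review): a malformed mapping table is only logged, so the filter still starts
            // and serves requests with whatever state the mapper is left in (not visible here).
            // Deployments that rely on these mappings for authorization should alert on this
            // log message; failing init() instead would be a behavior change for callers.
            LOG.failedToLoadPrincipalMappingTable(e);
        }
    }

    /**
     * Initializes the filter by loading the principal mappings.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        loadPrincipalMappings(filterConfig);
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }

    /**
     * Continues the filter chain as the asserted principal {@code str}.
     *
     * <p>If the asserted name equals the authenticated primary principal and no groups apply,
     * the chain continues under the current subject. Otherwise a new {@link Subject} is built
     * and the chain runs inside {@code Subject.doAs}.
     *
     * @param servletRequest current request
     * @param servletResponse current response
     * @param filterChain remaining filter chain
     * @param str the principal name to assert downstream
     * @throws IOException propagated from the filter chain
     * @throws ServletException propagated from the filter chain, or thrown when no authenticated
     *     identity is available
     */
    protected void continueChainAsPrincipal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain, String str) throws IOException, ServletException {
        // AccessController is deprecated for removal since Java 17; kept because this is how the
        // surrounding code obtains the subject.
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            // Fail closed: without a subject there is no authenticated identity to assert.
            throw new ServletException("No authenticated Subject is associated with the current request");
        }
        Set<GroupPrincipal> currentGroups = subject.getPrincipals(GroupPrincipal.class);
        Set<PrimaryPrincipal> primaryPrincipals = subject.getPrincipals(PrimaryPrincipal.class);

        boolean impersonationNeeded = false;
        PrimaryPrincipal primaryPrincipal;
        if (primaryPrincipals.isEmpty()) {
            // Previously this case indexed an empty array and threw before reaching the
            // intended fallback to the container-supplied user principal.
            // NOTE(review): on this path the asserted name is not compared with the fallback
            // principal, so no ImpersonatedPrincipal is added and nothing is audited; confirm
            // that is intended.
            primaryPrincipal = primaryPrincipalFromRequest(servletRequest);
        } else {
            primaryPrincipal = primaryPrincipals.iterator().next();
            if (!primaryPrincipal.getName().equals(str)) {
                impersonationNeeded = true;
                auditService.getContext().setProxyUsername(str);
                auditor.audit("identity-mapping", primaryPrincipal.getName(), "principal", "success");
            }
        }

        boolean groupsMapped = areGroupsMappedForPrincipal(str) || !currentGroups.isEmpty();
        if (!impersonationNeeded && !groupsMapped) {
            doFilterInternal(servletRequest, servletResponse, filterChain);
            return;
        }

        Subject assertedSubject = new Subject();
        Set<Principal> assertedPrincipals = assertedSubject.getPrincipals();
        assertedPrincipals.add(primaryPrincipal);
        assertedPrincipals.addAll(currentGroups);
        if (impersonationNeeded) {
            assertedPrincipals.add(new ImpersonatedPrincipal(str));
        }
        if (groupsMapped) {
            // Groups mapped for the asserted name, then groups mapped for the "*" key.
            addMappedGroupsToSubject(str, assertedSubject);
            addMappedGroupsToSubject("*", assertedSubject);
        }
        doAs(servletRequest, servletResponse, filterChain, assertedSubject);
    }

    /**
     * Builds a primary principal from the request's user principal.
     *
     * @throws ServletException when the request carries no user principal
     */
    private static PrimaryPrincipal primaryPrincipalFromRequest(ServletRequest servletRequest) throws ServletException {
        if (servletRequest instanceof HttpServletRequest) {
            Principal userPrincipal = ((HttpServletRequest) servletRequest).getUserPrincipal();
            if (userPrincipal != null) {
                return new PrimaryPrincipal(userPrincipal.getName());
            }
        }
        throw new ServletException("Unable to determine the authenticated principal for identity assertion");
    }

    /**
     * Runs the rest of the chain inside {@code Subject.doAs} and unwraps the resulting
     * {@link PrivilegedActionException} back into the exception types the filter declares.
     */
    private void doAs(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain, Subject subject) throws IOException, ServletException {
        try {
            Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    doFilterInternal(servletRequest, servletResponse, filterChain);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // The cause is a Throwable; the decompiled listing typed it as ServletException,
            // which does not compile.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        }
    }

    /**
     * Adds a {@link GroupPrincipal} to {@code subject} for every group the mapper returns for
     * {@code str}, and audits the mapping. Does nothing when the mapper returns {@code null}.
     */
    private void addMappedGroupsToSubject(String str, Subject subject) {
        String[] mappedGroups = this.mapper.mapGroupPrincipal(str);
        if (mappedGroups == null) {
            return;
        }
        auditor.audit("identity-mapping", str, "principal", "success", RES.groupsList(Arrays.toString(mappedGroups)));
        Set<Principal> target = subject.getPrincipals();
        for (String groupName : mappedGroups) {
            target.add(new GroupPrincipal(groupName));
        }
    }

    /**
     * Reports whether the mapper has groups for {@code str} or for the {@code "*"} key.
     */
    private boolean areGroupsMappedForPrincipal(String str) {
        return this.mapper.mapGroupPrincipal(str) != null || this.mapper.mapGroupPrincipal("*") != null;
    }

    /**
     * Passes the request to the next element of the chain.
     *
     * <p>The decompiler reports that this method was originally {@code private}; the widened
     * visibility is kept here so the listing's interface is unchanged.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        filterChain.doFilter(servletRequest, servletResponse);
    }
}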
