package org.apache.ranger.authorization.solr.authorizer;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.Configuration;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.audit.RangerMultiResourceAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.solr.security.AuthorizationContext;
import org.apache.solr.security.AuthorizationPlugin;
import org.apache.solr.security.AuthorizationResponse;

/* loaded from: input_file:org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.class */
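/**
 * Solr {@link AuthorizationPlugin} that delegates access decisions to an Apache Ranger
 * {@link RangerBasePlugin}.
 *
 * <p>For each request, one Ranger access request is built per collection named in the
 * {@link AuthorizationContext}. The request is answered with HTTP 403 as soon as one of
 * them is not allowed, or when anything throws during evaluation; otherwise it is
 * answered with HTTP 200.
 *
 * <p>The underlying {@code RangerBasePlugin} is a process-wide singleton shared by all
 * instances of this class.
 */
public class RangerSolrAuthorizer implements AuthorizationPlugin {
    public static final String PROP_USE_PROXY_IP = "xasecure.solr.use_proxy_ip";
    public static final String PROP_PROXY_IP_HEADER = "xasecure.solr.proxy_ip_header";
    public static final String PROP_SOLR_APP_NAME = "xasecure.solr.app.name";
    public static final String KEY_COLLECTION = "collection";
    public static final String ACCESS_TYPE_CREATE = "create";
    public static final String ACCESS_TYPE_UPDATE = "update";
    public static final String ACCESS_TYPE_QUERY = "query";
    public static final String ACCESS_TYPE_OTHERS = "others";
    public static final String ACCESS_TYPE_ADMIN = "solr_admin";

    // When true, the client IP is read from the request header named by proxyIPHeader.
    boolean useProxyIP = false;
    String proxyIPHeader = "HTTP_X_FORWARDED_FOR";
    // JAAS application name used by authToJAASFile().
    String solrAppName = "Client";

    private static final Log logger = LogFactory.getLog(RangerSolrAuthorizer.class);
    // Shared across instances; volatile so the lazy creation in init() is safely published.
    private static volatile RangerBasePlugin solrPlugin = null;

    public RangerSolrAuthorizer() {
        logger.info("RangerSolrAuthorizer()");
    }

    /**
     * Reads the plugin settings, performs the JAAS login and initializes the shared
     * Ranger plugin.
     *
     * <p>Failures are logged and not propagated. If the Ranger plugin could not be
     * created, {@link #authorize} later fails on the missing plugin and answers 403.
     *
     * @param map plugin configuration handed over by Solr; not read by this implementation
     */
    public void init(Map<String, Object> map) {
        logger.info("init()");
        try {
            this.useProxyIP = RangerConfiguration.getInstance().getBoolean(PROP_USE_PROXY_IP, this.useProxyIP);
            this.proxyIPHeader = RangerConfiguration.getInstance().get(PROP_PROXY_IP_HEADER, this.proxyIPHeader);
            // The system property supplies the default; the Ranger property overrides it.
            this.solrAppName = System.getProperty("solr.kerberos.jaas.appname", this.solrAppName);
            this.solrAppName = RangerConfiguration.getInstance().get(PROP_SOLR_APP_NAME, this.solrAppName);
            logger.info("init(): useProxyIP=" + this.useProxyIP);
            logger.info("init(): proxyIPHeader=" + this.proxyIPHeader);
            logger.info("init(): solrAppName=" + this.solrAppName);
            logger.info("init(): KerberosName.rules=" + MiscUtil.getKerberosNamesRules());
            authToJAASFile();
        } catch (Throwable th) {
            logger.fatal("Error init", th);
        }
        try {
            if (solrPlugin == null) {
                synchronized (RangerSolrAuthorizer.class) {
                    RangerBasePlugin current = solrPlugin;
                    logger.info("RangerSolrAuthorizer(): init called");
                    // Second check under the lock: another thread may have created it meanwhile.
                    if (current == null) {
                        solrPlugin = new RangerBasePlugin("solr", "solr");
                    }
                }
            }
            solrPlugin.init();
        } catch (Throwable th2) {
            // Keep the cause in the log: without it a broken policy engine (and the
            // resulting blanket 403s) cannot be diagnosed from the log alone.
            logger.fatal("Error creating and initializing RangerBasePlugin()", th2);
        }
    }

    /** Logs in through the JAAS configuration entry named by {@code solrAppName}; errors are logged only. */
    private void authToJAASFile() {
        try {
            MiscUtil.authWithConfig(this.solrAppName, Configuration.getConfiguration());
            logger.info("POST AUTH UGI=" + UserGroupInformation.getLoginUser());
        } catch (Throwable th) {
            logger.error("Error authenticating for appName=" + this.solrAppName, th);
        }
    }

    /**
     * Releases the shared Ranger plugin. Cleanup errors are logged and ignored.
     *
     * @throws IOException declared by the interface; never thrown by this implementation
     */
    public void close() throws IOException {
        logger.info("close() called");
        try {
            RangerBasePlugin plugin = solrPlugin;
            // The plugin is absent when init() failed or was never called; nothing to clean up then.
            if (plugin != null) {
                plugin.cleanup();
            }
        } catch (Throwable th) {
            logger.error("Error cleaning up Ranger plugin. Ignoring error", th);
        }
    }

    /**
     * Decides whether the request described by {@code authorizationContext} may proceed.
     *
     * @param authorizationContext request details supplied by Solr
     * @return a response with status 403 when any collection request is denied, has no
     *         Ranger result, or evaluation throws; status 200 otherwise
     */
    public AuthorizationResponse authorize(AuthorizationContext authorizationContext) {
        boolean denied = false;
        try {
            if (logger.isDebugEnabled()) {
                logAuthorizationConext(authorizationContext);
            }
            RangerMultiResourceAuditHandler auditHandler = new RangerMultiResourceAuditHandler();
            String userName = getUserName(authorizationContext);
            Set<String> userGroups = getGroupsForUser(userName);
            Date accessTime = new Date();

            // NOTE(review): with useProxyIP enabled the client IP comes from a request header.
            // Unless a trusted proxy in front of Solr overwrites that header, the caller picks
            // the value, so IP-based policy conditions and the audited address are only as
            // reliable as that proxy setup. A multi-address value is passed on unparsed.
            String clientIp = null;
            if (this.useProxyIP) {
                clientIp = authorizationContext.getHttpHeader(this.proxyIPHeader);
            }
            if (clientIp == null) {
                // NOTE(review): confirm getHttpHeader() resolves "REMOTE_ADDR"; if it only
                // returns real HTTP headers, the request carries no client address.
                clientIp = authorizationContext.getHttpHeader("REMOTE_ADDR");
            }

            ArrayList<RangerAccessRequestImpl> rangerRequests = new ArrayList<>();
            for (AuthorizationContext.CollectionRequest collectionRequest : authorizationContext.getCollectionRequests()) {
                RangerAccessRequestImpl rangerRequest =
                        createRequest(userName, userGroups, clientIp, accessTime, authorizationContext, collectionRequest);
                // createRequest() returns null for a collection request without a name; it is skipped.
                if (rangerRequest != null) {
                    rangerRequests.add(rangerRequest);
                }
            }
            if (logger.isDebugEnabled()) {
                logger.debug("rangerRequests.size()=" + rangerRequests.size());
            }

            // NOTE(review): when rangerRequests is empty (no collection requests, or none with
            // a collection name) no policy is evaluated and the request is answered with 200.
            // Confirm that this allow-by-default path is intended for such requests.
            try {
                for (RangerAccessRequestImpl rangerRequest : rangerRequests) {
                    RangerAccessResult result = solrPlugin.isAccessAllowed(rangerRequest, auditHandler);
                    if (logger.isDebugEnabled()) {
                        logger.debug("rangerRequest=" + result);
                    }
                    if (result == null || !result.getIsAllowed()) {
                        denied = true;
                        break;
                    }
                }
            } finally {
                // Audit events are flushed whether evaluation finished or threw.
                auditHandler.flushAudit();
            }
        } catch (Throwable th) {
            // Fail closed: any error while building or evaluating requests denies access.
            denied = true;
            MiscUtil.logErrorMessageByInterval(logger, th.getMessage(), th);
        }
        AuthorizationResponse response = denied ? new AuthorizationResponse(403) : new AuthorizationResponse(200);
        if (logger.isDebugEnabled()) {
            // The value printed after "returning:" is the denied flag, not the status code.
            logger.debug("context=" + authorizationContext + ": returning: " + denied);
        }
        return response;
    }

    /**
     * Reports whether a header's value is a credential that must not be written to logs.
     *
     * @param name header name, compared case-insensitively; may be {@code null}
     */
    private static boolean isSensitiveHeader(String name) {
        return "Authorization".equalsIgnoreCase(name)
                || "Proxy-Authorization".equalsIgnoreCase(name)
                || "Cookie".equalsIgnoreCase(name)
                || "Set-Cookie".equalsIgnoreCase(name);
    }

    /**
     * Writes a one-line summary of the request to the log. Called from {@link #authorize}
     * only when debug logging is enabled; errors are logged and not propagated.
     *
     * <p>Values of credential-bearing headers are replaced with a placeholder. The logged
     * {@code ipAddress} is derived independently of {@code useProxyIP} and can therefore
     * differ from the address used for the access decision.
     */
    private void logAuthorizationConext(AuthorizationContext authorizationContext) {
        try {
            StringBuilder collections = new StringBuilder();
            for (AuthorizationContext.CollectionRequest collectionRequest : authorizationContext.getCollectionRequests()) {
                if (collections.length() > 0) {
                    collections.append(",");
                }
                collections.append(collectionRequest.collectionName);
            }

            StringBuilder headers = new StringBuilder();
            boolean firstHeader = true;
            Enumeration<?> headerNames = authorizationContext.getHeaderNames();
            while (headerNames.hasMoreElements()) {
                if (!firstHeader) {
                    headers.append(",");
                }
                firstHeader = false;
                String headerName = (String) headerNames.nextElement();
                // Never copy bearer tokens, Basic/Negotiate credentials or session cookies into logs.
                String headerValue = isSensitiveHeader(headerName)
                        ? "<redacted>"
                        : authorizationContext.getHttpHeader(headerName);
                headers.append(headerName).append("=").append(headerValue);
            }

            String ipAddress = authorizationContext.getHttpHeader("HTTP_X_FORWARDED_FOR");
            if (ipAddress == null) {
                ipAddress = authorizationContext.getHttpHeader("REMOTE_HOST");
            }
            if (ipAddress == null) {
                ipAddress = authorizationContext.getHttpHeader("REMOTE_ADDR");
            }
            String userName = getUserName(authorizationContext);
            logger.info("AuthorizationContext: context.getResource()=" + authorizationContext.getResource() + ", solarParams=" + authorizationContext.getParams() + ", requestType=" + authorizationContext.getRequestType() + ", ranger.requestType=" + mapToRangerAccessType(authorizationContext) + ", userPrincipal=" + authorizationContext.getUserPrincipal() + ", userName=" + userName + ", groups=" + getGroupsForUser(userName) + ", ipAddress=" + ipAddress + ", collections=" + collections + ", headers=" + headers);
        } catch (Throwable th) {
            logger.error("Error getting request context!!!", th);
        }
    }

    /**
     * Builds the Ranger request for one collection of the Solr request.
     *
     * @param str user name, may be {@code null}
     * @param set groups of the user, may be {@code null}
     * @param str2 client IP address, may be {@code null}
     * @param date access time recorded on the request
     * @param authorizationContext Solr request context, used to derive the access type
     * @param collectionRequest the collection being accessed
     * @return the Ranger request, or {@code null} when the collection request has no name
     */
    private RangerAccessRequestImpl createRequest(String str, Set<String> set, String str2, Date date, AuthorizationContext authorizationContext, AuthorizationContext.CollectionRequest collectionRequest) {
        String accessType = mapToRangerAccessType(authorizationContext);
        if (collectionRequest.collectionName == null) {
            logger.fatal("Can't create RangerRequest oject. userName=" + str + ", accessType=" + accessType + ", ip=" + str2 + ", collectionRequest=" + collectionRequest);
            return null;
        }
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue(KEY_COLLECTION, collectionRequest.collectionName);

        RangerAccessRequestImpl request = createBaseRequest(str, set, str2, date);
        request.setResource(resource);
        // The same value is used both as Ranger access type and as the recorded action.
        request.setAccessType(accessType);
        request.setAction(accessType);
        return request;
    }

    /**
     * Creates a Ranger request carrying only the caller attributes. User, groups and
     * client IP are set only when non-empty; the access time is always set.
     */
    private RangerAccessRequestImpl createBaseRequest(String str, Set<String> set, String str2, Date date) {
        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        if (str != null && !str.isEmpty()) {
            request.setUser(str);
        }
        if (set != null && !set.isEmpty()) {
            request.setUserGroups(set);
        }
        if (str2 != null && !str2.isEmpty()) {
            request.setClientIPAddress(str2);
        }
        request.setAccessTime(date);
        return request;
    }

    /**
     * Returns the short name derived from the request's principal, or {@code null} when
     * the request carries no principal. In that case the Ranger request is built without
     * a user (see {@link #createBaseRequest}).
     */
    private String getUserName(AuthorizationContext authorizationContext) {
        Principal userPrincipal = authorizationContext.getUserPrincipal();
        if (userPrincipal == null) {
            return null;
        }
        return MiscUtil.getShortNameFromPrincipalName(userPrincipal.getName());
    }

    /** Looks up the groups of {@code str} through {@code MiscUtil.getGroupsForRequestUser}. */
    private Set<String> getGroupsForUser(String str) {
        return MiscUtil.getGroupsForRequestUser(str);
    }

    /**
     * Maps the Solr request type to a Ranger access type: ADMIN to {@code solr_admin},
     * READ to {@code query}, WRITE to {@code update}; UNKNOWN and any other value
     * (including {@code null}) to {@code others}, with an info-level log entry.
     */
    String mapToRangerAccessType(AuthorizationContext authorizationContext) {
        AuthorizationContext.RequestType requestType = authorizationContext.getRequestType();
        if (AuthorizationContext.RequestType.ADMIN.equals(requestType)) {
            return ACCESS_TYPE_ADMIN;
        }
        if (AuthorizationContext.RequestType.READ.equals(requestType)) {
            return ACCESS_TYPE_QUERY;
        }
        if (AuthorizationContext.RequestType.WRITE.equals(requestType)) {
            return ACCESS_TYPE_UPDATE;
        }
        String fallback = ACCESS_TYPE_OTHERS;
        if (AuthorizationContext.RequestType.UNKNOWN.equals(requestType)) {
            logger.info("UNKNOWN request type. Mapping it to " + fallback + ". Resource=" + authorizationContext.getResource());
        } else {
            logger.info("Request type is not supported. requestType=" + requestType + ". Mapping it to " + fallback + ". Resource=" + authorizationContext.getResource());
        }
        return fallback;
    }
}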
