package org.apache.ranger.security.web.filter;

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.EventListener;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.RequestDispatcher;
import javax.servlet.Servlet;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.descriptor.JspConfigDescriptor;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.htmlparser.jericho.HTMLElementName;
import org.apache.commons.collections.iterators.IteratorEnumeration;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.security.SecureClientLogin;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.ranger.biz.UserMgr;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.security.handler.RangerAuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/* loaded from: input_file:WEB-INF/classes/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.class */
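/**
 * Kerberos/SPNEGO authentication filter for Ranger Admin.
 *
 * <p>The class feeds Ranger's own properties to the {@link RangerKrbFilter} it extends (see
 * {@link #init(FilterConfig)}) and, once a user name is known, installs a Spring Security
 * {@link Authentication} for that name in the {@link SecurityContextHolder}.
 *
 * <p>Points a reviewer should keep in mind while reading the methods below:
 * <ul>
 *   <li>The user name is never taken from a verified token in this class. It comes from the
 *       {@code hadoop.auth} {@code Set-Cookie} header found on the response, or from the
 *       {@code suser} request parameter. How far either can be trusted depends on
 *       {@code RangerKrbFilter}, which is not part of this file.</li>
 *   <li>The Spring token is built with an empty password and handed to
 *       {@code RangerAuthenticationProvider.authenticate}; what that provider checks is not
 *       visible here.</li>
 *   <li>This is decompiler output. A few string literals are shown as unrelated library
 *       constants that happen to carry the same value; they are annotated where they occur.</li>
 * </ul>
 */
public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
    // Instance (not static) logger, kept as in the original class layout.
    Logger LOG = LoggerFactory.getLogger(RangerKRBAuthenticationFilter.class);

    @Autowired
    UserMgr userMgr;

    @Autowired
    RESTErrorUtil restErrorUtil;

    // Ranger property names read through PropertiesUtil.
    static final String NAME_RULES = "hadoop.security.auth_to_local";
    static final String TOKEN_VALID = "ranger.admin.kerberos.token.valid.seconds";
    static final String COOKIE_DOMAIN = "ranger.admin.kerberos.cookie.domain";
    static final String COOKIE_PATH = "ranger.admin.kerberos.cookie.path";
    static final String PRINCIPAL = "ranger.spnego.kerberos.principal";
    static final String KEYTAB = "ranger.spnego.kerberos.keytab";

    // Init-parameter names handed to the parent filter.
    static final String NAME_RULES_PARAM = "kerberos.name.rules";
    static final String TOKEN_VALID_PARAM = "token.validity";
    static final String COOKIE_DOMAIN_PARAM = "cookie.domain";
    static final String COOKIE_PATH_PARAM = "cookie.path";
    static final String PRINCIPAL_PARAM = "kerberos.principal";
    static final String KEYTAB_PARAM = "kerberos.keytab";
    static final String AUTH_TYPE = "type";

    static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
    static final String AUTH_COOKIE_NAME = "hadoop.auth";
    static final String HOST_NAME = "ranger.service.host";
    private static final String KERBEROS_TYPE = "kerberos";
    private static final String S_USER = "suser";

    /**
     * Do-nothing {@link ServletContext} handed to the parent filter when {@code init} is called
     * without a {@link FilterConfig} (the constructor does exactly that). Every getter returns
     * {@code null}, {@code 0} or {@code false}, and every mutator is a no-op.
     */
    protected static ServletContext noContext = new ServletContext() {
        @Override
        public void setSessionTrackingModes(Set<SessionTrackingMode> set) {
        }

        @Override
        public boolean setInitParameter(String str, String str2) {
            return false;
        }

        @Override
        public void setAttribute(String str, Object obj) {
        }

        @Override
        public void removeAttribute(String str) {
        }

        @Override
        public void log(String str, Throwable th) {
        }

        @Override
        public void log(Exception exc, String str) {
        }

        @Override
        public void log(String str) {
        }

        @Override
        public String getVirtualServerName() {
            return null;
        }

        @Override
        public SessionCookieConfig getSessionCookieConfig() {
            return null;
        }

        @Override
        public Enumeration<Servlet> getServlets() {
            return null;
        }

        @Override
        public Map<String, ? extends ServletRegistration> getServletRegistrations() {
            return null;
        }

        @Override
        public ServletRegistration getServletRegistration(String str) {
            return null;
        }

        @Override
        public Enumeration<String> getServletNames() {
            return null;
        }

        @Override
        public String getServletContextName() {
            return null;
        }

        @Override
        public Servlet getServlet(String str) throws ServletException {
            return null;
        }

        @Override
        public String getServerInfo() {
            return null;
        }

        @Override
        public Set<String> getResourcePaths(String str) {
            return null;
        }

        @Override
        public InputStream getResourceAsStream(String str) {
            return null;
        }

        @Override
        public URL getResource(String str) throws MalformedURLException {
            return null;
        }

        @Override
        public RequestDispatcher getRequestDispatcher(String str) {
            return null;
        }

        @Override
        public String getRealPath(String str) {
            return null;
        }

        @Override
        public RequestDispatcher getNamedDispatcher(String str) {
            return null;
        }

        @Override
        public int getMinorVersion() {
            return 0;
        }

        @Override
        public String getMimeType(String str) {
            return null;
        }

        @Override
        public int getMajorVersion() {
            return 0;
        }

        @Override
        public JspConfigDescriptor getJspConfigDescriptor() {
            return null;
        }

        @Override
        public Enumeration<String> getInitParameterNames() {
            return null;
        }

        @Override
        public String getInitParameter(String str) {
            return null;
        }

        @Override
        public Map<String, ? extends FilterRegistration> getFilterRegistrations() {
            return null;
        }

        @Override
        public FilterRegistration getFilterRegistration(String str) {
            return null;
        }

        @Override
        public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
            return null;
        }

        @Override
        public int getEffectiveMinorVersion() {
            return 0;
        }

        @Override
        public int getEffectiveMajorVersion() {
            return 0;
        }

        @Override
        public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
            return null;
        }

        @Override
        public String getContextPath() {
            return null;
        }

        @Override
        public ServletContext getContext(String str) {
            return null;
        }

        @Override
        public ClassLoader getClassLoader() {
            return null;
        }

        @Override
        public Enumeration<String> getAttributeNames() {
            return null;
        }

        @Override
        public Object getAttribute(String str) {
            return null;
        }

        @Override
        public void declareRoles(String... strArr) {
        }

        @Override
        public <T extends Servlet> T createServlet(Class<T> cls) throws ServletException {
            return null;
        }

        @Override
        public <T extends EventListener> T createListener(Class<T> cls) throws ServletException {
            return null;
        }

        @Override
        public <T extends Filter> T createFilter(Class<T> cls) throws ServletException {
            return null;
        }

        @Override
        public ServletRegistration.Dynamic addServlet(String str, Class<? extends Servlet> cls) {
            return null;
        }

        @Override
        public ServletRegistration.Dynamic addServlet(String str, Servlet servlet) {
            return null;
        }

        @Override
        public ServletRegistration.Dynamic addServlet(String str, String str2) {
            return null;
        }

        @Override
        public void addListener(Class<? extends EventListener> cls) {
        }

        @Override
        public <T extends EventListener> void addListener(T t) {
        }

        @Override
        public void addListener(String str) {
        }

        @Override
        public FilterRegistration.Dynamic addFilter(String str, Class<? extends Filter> cls) {
            return null;
        }

        @Override
        public FilterRegistration.Dynamic addFilter(String str, Filter filter) {
            return null;
        }

        @Override
        public FilterRegistration.Dynamic addFilter(String str, String str2) {
            return null;
        }
    };

    /**
     * Creates the filter and initialises it immediately with no {@link FilterConfig}.
     * A {@link ServletException} from {@code init} is logged and otherwise ignored, so the
     * instance can exist in a partly initialised state.
     */
    public RangerKRBAuthenticationFilter() {
        try {
            init(null);
        } catch (ServletException e) {
            // Pass the exception itself so the stack trace is not lost from the log.
            this.LOG.error("Error while initializing Filter : " + e.getMessage(), e);
        }
    }

    /**
     * Builds the init parameters for the parent filter from Ranger properties and delegates to
     * {@code super.init} with a synthetic {@link FilterConfig}.
     *
     * @param filterConfig container-supplied configuration, or {@code null}; only its
     *                     {@link ServletContext} is used, and {@link #noContext} replaces it
     *                     when it is {@code null}
     * @throws ServletException if the parent filter fails to initialise
     */
    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        final HashMap<String, String> initParams = new HashMap<String, String>();
        initParams.put(AUTH_TYPE, PropertiesUtil.getProperty(RANGER_AUTH_TYPE, "simple"));
        // Decompiler artefact: the default below is shown as an HDFS constant; it presumably
        // stands for the literal "DEFAULT" rule set - confirm against the original source.
        initParams.put(NAME_RULES_PARAM, PropertiesUtil.getProperty(NAME_RULES, DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_POLICY_DEFAULT));
        initParams.put(TOKEN_VALID_PARAM, PropertiesUtil.getProperty(TOKEN_VALID, "30"));
        // The cookie domain falls back to the service host, then to "localhost".
        initParams.put(COOKIE_DOMAIN_PARAM, PropertiesUtil.getProperty(COOKIE_DOMAIN, PropertiesUtil.getProperty(HOST_NAME, "localhost")));
        initParams.put(COOKIE_PATH_PARAM, PropertiesUtil.getProperty(COOKIE_PATH, "/"));
        try {
            initParams.put(PRINCIPAL_PARAM, SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(PRINCIPAL, ""), PropertiesUtil.getProperty(HOST_NAME)));
        } catch (IOException e) {
            // Previously swallowed silently. Initialisation still continues (best effort), but
            // the missing kerberos.principal parameter is now visible to operators.
            this.LOG.error("Unable to resolve the SPNEGO principal; " + PRINCIPAL_PARAM + " is left unset : " + e.getMessage(), e);
        }
        initParams.put(KEYTAB_PARAM, PropertiesUtil.getProperty(KEYTAB, ""));
        super.init(new FilterConfig() {
            @Override
            public ServletContext getServletContext() {
                return filterConfig != null ? filterConfig.getServletContext() : RangerKRBAuthenticationFilter.noContext;
            }

            @Override
            public Enumeration<String> getInitParameterNames() {
                return new IteratorEnumeration(initParams.keySet().iterator());
            }

            @Override
            public String getInitParameter(String str) {
                return initParams.get(str);
            }

            @Override
            public String getFilterName() {
                return "KerberosFilter";
            }
        });
    }

    /**
     * Callback variant of {@code doFilter} that establishes the Spring Security context for the
     * user named in the {@code hadoop.auth} {@code Set-Cookie} header of the response.
     *
     * <p>Flow, as visible here:
     * <ol>
     *   <li>Scan the response's {@code Set-Cookie} headers for {@code hadoop.auth} and take the
     *       text between {@code u=} and the next {@code &} as the user name (the last match
     *       wins).</li>
     *   <li>If the {@code suser} request parameter is {@code keyadmin} (any case) and the path
     *       info contains {@code public/v2/api/service}, use that parameter as the user name
     *       instead.</li>
     *   <li>If SPNEGO is not enabled or no user name was found, continue the chain unchanged.</li>
     *   <li>If Spring already holds an authenticated principal, delegate to the parent.</li>
     *   <li>Otherwise authenticate a password-less token for the user name, store the result in
     *       the security context and continue the chain.</li>
     * </ol>
     *
     * <p>JADX reports that the access modifier was changed from {@code protected}.
     *
     * @param filterChain         remaining filter chain
     * @param httpServletRequest  current request
     * @param httpServletResponse current response, inspected for {@code Set-Cookie} headers
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
        String userName = null;
        // The header is read from the response, so it was set earlier in this request's
        // processing - presumably by the parent filter after a successful SPNEGO exchange;
        // confirm in RangerKrbFilter.
        if (httpServletResponse.containsHeader("Set-Cookie")) {
            Collection<String> setCookieHeaders = httpServletResponse.getHeaders("Set-Cookie");
            if (setCookieHeaders != null) {
                for (String header : setCookieHeaders) {
                    if (StringUtils.isEmpty(header) || !header.toLowerCase().startsWith(AUTH_COOKIE_NAME.toLowerCase()) || !header.contains("u=")) {
                        continue;
                    }
                    String[] attributes = header.split(";");
                    if (attributes == null) {
                        continue;
                    }
                    for (String attribute : attributes) {
                        if (StringUtils.isEmpty(attribute) || !attribute.toLowerCase().startsWith(AUTH_COOKIE_NAME.toLowerCase())) {
                            continue;
                        }
                        int userStart = attribute.indexOf("u=");
                        if (userStart == -1) {
                            continue;
                        }
                        // Decompiler artefact: BeanFactory.FACTORY_BEAN_PREFIX is Spring's "&",
                        // used here only as the field separator of the cookie value.
                        int userEnd = attribute.indexOf(BeanFactory.FACTORY_BEAN_PREFIX, userStart);
                        if (userEnd == -1) {
                            continue;
                        }
                        try {
                            userName = attribute.substring(userStart + 2, userEnd);
                        } catch (Exception e) {
                            userName = null;
                        }
                    }
                }
            }
        }
        String sessionUser = httpServletRequest.getParameter(S_USER);
        String pathInfo = httpServletRequest.getPathInfo();
        // NOTE(review): here the identity comes from a caller-supplied request parameter rather
        // than from the Kerberos exchange, and the path test is a substring match. Whether that
        // is safe depends on RangerKrbFilter reaching this method only for an already
        // authenticated, trusted principal - confirm there before relying on it.
        if (!StringUtils.isEmpty(sessionUser) && sessionUser.equalsIgnoreCase("keyadmin") && !StringUtils.isEmpty(pathInfo) && pathInfo.contains("public/v2/api/service")) {
            this.LOG.info("Session will be created by : " + sessionUser);
            userName = sessionUser;
        }
        if (!isSpnegoEnable(authType) || StringUtils.isEmpty(userName)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing != null && existing.isAuthenticated()) {
            try {
                super.doFilter(filterChain, httpServletRequest, httpServletResponse);
                return;
            } catch (Exception e2) {
                // The REST exception below carries only the message, so keep the cause in the
                // log. NOTE(review): the message text is also what the REST error is built
                // from - check that it cannot expose internal detail to the client.
                this.LOG.error("RangerKRBAuthenticationFilter Failed : " + e2.getMessage(), e2);
                throw this.restErrorUtil.createRESTException("RangerKRBAuthenticationFilter Failed : " + e2.getMessage());
            }
        }
        String defaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", RangerConstants.ROLE_USER);
        List<GrantedAuthority> defaultAuthorities = new ArrayList<GrantedAuthority>();
        defaultAuthorities.add(new SimpleGrantedAuthority(defaultRole));
        // Password-less token: no credential is checked in this class. What
        // RangerAuthenticationProvider verifies for such a token is not visible here.
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(new User(userName, "", defaultAuthorities), "", defaultAuthorities);
        token.setDetails(new WebAuthenticationDetails(httpServletRequest));
        // getGrantedAuthority returns a null or unauthenticated result unchanged, and that
        // result is stored in the context as it is.
        SecurityContextHolder.getContext().setAuthentication(getGrantedAuthority(new RangerAuthenticationProvider().authenticate(token)));
        httpServletRequest.setAttribute("spnegoEnabled", true);
        this.LOG.info("Logged into Ranger as = " + userName);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Servlet entry point. When SPNEGO is not enabled the request passes straight down the
     * chain; otherwise the Kerberos name rules are (re)applied and the request is handed to the
     * parent filter.
     *
     * <p>The cookie loop below cannot produce a user name: it searches the cookie <em>name</em>
     * for {@code u=} only after that name has matched {@code u} or {@code hadoop.auth}, neither
     * of which contains {@code u=}. {@code userName} therefore stays {@code null}, the parent
     * filter branch is always taken, and the token-building tail of the method is not reached.
     * The code is kept as found. NOTE(review): do not "repair" it by reading
     * {@code cookie.getValue()} - that would derive the identity from a client-supplied cookie
     * which this method does not verify.
     *
     * @param servletRequest  current request; cast to {@link HttpServletRequest}
     * @param servletResponse current response
     * @param filterChain     remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (!isSpnegoEnable(PropertiesUtil.getProperty(RANGER_AUTH_TYPE))) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Static call made on every request. Decompiler artefact: the default is shown as an
        // HDFS constant, presumably the literal "DEFAULT" - confirm against the original source.
        KerberosName.setRules(PropertiesUtil.getProperty(NAME_RULES, DFSConfigKeys.DFS_CLIENT_WRITE_REPLACE_DATANODE_ON_FAILURE_POLICY_DEFAULT));
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        String userName = null;
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String cookieName = cookie.getName();
                // Decompiler artefacts: HTMLElementName.U is the literal "u" and
                // BeanFactory.FACTORY_BEAN_PREFIX the literal "&".
                if (cookieName != null && cookieName.equalsIgnoreCase(HTMLElementName.U)) {
                    int userStart = cookieName.indexOf("u=");
                    if (userStart != -1) {
                        int userEnd = cookieName.indexOf(BeanFactory.FACTORY_BEAN_PREFIX, userStart);
                        if (userEnd != -1) {
                            userName = cookieName.substring(userStart + 2, userEnd);
                        }
                    }
                } else if (cookieName != null && cookieName.equalsIgnoreCase(AUTH_COOKIE_NAME)) {
                    int userStart = cookieName.indexOf("u=");
                    if (userStart != -1) {
                        int userEnd = cookieName.indexOf(BeanFactory.FACTORY_BEAN_PREFIX, userStart);
                        if (userEnd != -1) {
                            userName = cookieName.substring(userStart + 2, userEnd);
                        }
                    }
                }
            }
        }
        if ((existing != null && existing.isAuthenticated()) || StringUtils.isEmpty(userName)) {
            try {
                super.doFilter(servletRequest, servletResponse, filterChain);
                return;
            } catch (Exception e) {
                // The REST exception below carries only the message, so keep the cause in the log.
                this.LOG.error("RangerKRBAuthenticationFilter Failed : " + e.getMessage(), e);
                throw this.restErrorUtil.createRESTException("RangerKRBAuthenticationFilter Failed : " + e.getMessage());
            }
        }
        String defaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", RangerConstants.ROLE_USER);
        List<GrantedAuthority> defaultAuthorities = new ArrayList<GrantedAuthority>();
        defaultAuthorities.add(new SimpleGrantedAuthority(defaultRole));
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(new User(userName, "", defaultAuthorities), "", defaultAuthorities);
        token.setDetails(new WebAuthenticationDetails(httpServletRequest));
        SecurityContextHolder.getContext().setAuthentication(getGrantedAuthority(new RangerAuthenticationProvider().authenticate(token)));
        servletRequest.setAttribute("spnegoEnabled", true);
        this.LOG.info("Logged into Ranger as = " + userName);
        // As in the original, this branch ends without invoking the filter chain.
    }

    /**
     * Tells whether SPNEGO handling applies.
     *
     * @param str configured authentication type
     * @return {@code true} only when {@code str} is {@code kerberos} (any case) and
     *         {@code SecureClientLogin} reports that credentials exist for the configured
     *         principal and keytab
     */
    private boolean isSpnegoEnable(String str) {
        if (StringUtils.isEmpty(str) || !str.equalsIgnoreCase(KERBEROS_TYPE)) {
            return false;
        }
        return SecureClientLogin.isKerberosCredentialExists(PropertiesUtil.getProperty(PRINCIPAL), PropertiesUtil.getProperty(KEYTAB));
    }

    /**
     * Replaces the authorities of an authenticated result with the roles Ranger stores for the
     * user.
     *
     * @param authentication result of the provider call; may be {@code null}
     * @return {@code authentication} unchanged when it is {@code null} or not authenticated,
     *         otherwise a new token with the same name, credentials and details and the roles
     *         returned by {@link #getAuthorities(String)}
     */
    private Authentication getGrantedAuthority(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return authentication;
        }
        String loginId = authentication.getName().toString();
        List<GrantedAuthority> authorities = getAuthorities(loginId);
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(new User(loginId, authentication.getCredentials().toString(), authorities), authentication.getCredentials(), authorities);
        token.setDetails(authentication.getDetails());
        return token;
    }

    /**
     * Maps every role that {@code userMgr} returns for the login id to a
     * {@link SimpleGrantedAuthority}.
     *
     * @param str login id
     * @return the user's roles as granted authorities, in the order returned by {@code userMgr}
     */
    private List<GrantedAuthority> getAuthorities(String str) {
        Collection<String> roles = this.userMgr.getRolesByLoginId(str);
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return authorities;
    }
}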
