package org.apache.solr.security.hadoop;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.curator.framework.AuthInfo;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter;
import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
import org.apache.solr.common.cloud.SolrZkClient;
import org.apache.solr.common.cloud.ZkACLProvider;
import org.apache.solr.common.cloud.ZkCredentialsProvider;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.data.ACL;

/* loaded from: input_file:org/apache/solr/security/hadoop/DelegationTokenKerberosFilter.class */
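/**
 * Servlet filter that extends Hadoop's {@link DelegationTokenAuthenticationFilter}.
 *
 * <p>What the visible code adds on top of the parent filter:
 * <ul>
 *   <li>when the {@code signer.secret.provider} init parameter is {@code zookeeper}, a Curator
 *       client is built from the {@link SolrZkClient} stored in the servlet context and published
 *       under {@code signer.secret.provider.zookeeper.curator.client};</li>
 *   <li>init parameters carrying {@link KerberosPlugin#IMPERSONATOR_PREFIX} are copied into the
 *       proxy-user configuration;</li>
 *   <li>for requests authenticated through a proxy user, the short name of the real user is
 *       recorded in a request attribute;</li>
 *   <li>the configured authentication handler is wrapped in a
 *       {@link RequestContinuesRecorderAuthenticationHandler}.</li>
 * </ul>
 */
public class DelegationTokenKerberosFilter extends DelegationTokenAuthenticationFilter {
    /** Curator client created by {@link #getCuratorClient(SolrZkClient)}; closed in {@link #destroy()}. */
    private CuratorFramework curatorFramework;

    /**
     * Adapts the ZooKeeper ACL provider and credentials of a {@link SolrZkClient} to the types
     * Curator expects, so that a Curator client can be built with the same ACLs and auth info.
     */
    public static class SolrZkToCuratorCredentialsACLs {
        /** Chroot part of the ZooKeeper address (from the first '/' onwards), or null if there is none. */
        private final String zkChroot;
        private final ACLProvider aclProvider;
        private final List<AuthInfo> authInfos;

        /**
         * @param solrZkClient client whose ACL provider, credentials and server address are read
         */
        public SolrZkToCuratorCredentialsACLs(SolrZkClient solrZkClient) {
            this.aclProvider = createACLProvider(solrZkClient);
            this.authInfos = createAuthInfo(solrZkClient);
            String zkServerAddress = solrZkClient.getZkServerAddress();
            this.zkChroot = zkServerAddress.contains("/") ? zkServerAddress.substring(zkServerAddress.indexOf("/")) : null;
        }

        /** @return the Curator ACL provider that delegates to the Solr ACL provider */
        public ACLProvider getACLProvider() {
            return this.aclProvider;
        }

        /** @return one {@link AuthInfo} per credential the Solr client adds automatically */
        public List<AuthInfo> getAuthInfos() {
            return this.authInfos;
        }

        /** Builds a Curator {@link ACLProvider} that forwards every lookup to the Solr provider. */
        private ACLProvider createACLProvider(SolrZkClient solrZkClient) {
            final ZkACLProvider zkACLProvider = solrZkClient.getZkACLProvider();
            return new ACLProvider() {
                public List<ACL> getDefaultAcl() {
                    return zkACLProvider.getACLsToAdd((String) null);
                }

                public List<ACL> getAclForPath(String str) {
                    String chroot = SolrZkToCuratorCredentialsACLs.this.zkChroot;
                    if (!(zkACLProvider instanceof SecurityAwareZkACLProvider) || chroot == null) {
                        return zkACLProvider.getACLsToAdd(str);
                    }
                    // Strip the chroot only where it is a leading path prefix. Removing every
                    // occurrence (String.replace) also rewrites later segments, so the provider
                    // would pick ACLs for a path that is not the one being created. Constructed
                    // example: chroot "/s" and path "/s/security" collapsed to "ecurity".
                    String relativePath = str;
                    if (str.equals(chroot) || str.startsWith(chroot + "/")) {
                        relativePath = str.substring(chroot.length());
                    }
                    return zkACLProvider.getACLsToAdd(relativePath);
                }
            };
        }

        /** Converts the Solr client's automatically added ZooKeeper credentials to Curator auth infos. */
        private List<AuthInfo> createAuthInfo(SolrZkClient solrZkClient) {
            List<AuthInfo> infos = new ArrayList<>();
            for (ZkCredentialsProvider.ZkCredentials zkCredentials : solrZkClient.getZkClientConnectionStrategy().getZkCredentialsToAddAutomatically().getCredentials()) {
                infos.add(new AuthInfo(zkCredentials.getScheme(), zkCredentials.getAuth()));
            }
            return infos;
        }
    }

    /**
     * Initializes the filter. When the signer secret provider is {@code zookeeper}, a Curator
     * client is created first and stored in the servlet context for the parent's initialization.
     *
     * @param filterConfig filter configuration; may be null, in which case no Curator client is built
     * @throws ServletException if creating the Curator client is interrupted or fails in ZooKeeper
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        if (filterConfig != null && "zookeeper".equals(filterConfig.getInitParameter("signer.secret.provider"))) {
            SolrZkClient zkClient = (SolrZkClient) filterConfig.getServletContext().getAttribute("solr.kerberos.delegation.token.zk.client");
            try {
                filterConfig.getServletContext().setAttribute("signer.secret.provider.zookeeper.curator.client", getCuratorClient(zkClient));
            } catch (InterruptedException e) {
                // Restore the interrupt flag so the container still sees the interruption.
                Thread.currentThread().interrupt();
                throw new ServletException(e);
            } catch (KeeperException e) {
                throw new ServletException(e);
            }
        }
        super.init(filterConfig);
    }

    /**
     * Collects the impersonation settings from the filter's init parameters.
     *
     * <p>Each parameter whose name starts with {@link KerberosPlugin#IMPERSONATOR_PREFIX} is stored
     * twice: under {@code "proxyuser." + <name without prefix>} and under its original name. Values
     * are copied verbatim with no validation, so the breadth of impersonation allowed is exactly
     * what the deployment configured.
     *
     * @param filterConfig source of the init parameters
     * @return a configuration (created without default resources) holding only these entries
     */
    protected Configuration getProxyuserConfiguration(FilterConfig filterConfig) {
        Configuration configuration = new Configuration(false);
        Enumeration<?> parameterNames = filterConfig.getInitParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            if (name.startsWith(KerberosPlugin.IMPERSONATOR_PREFIX)) {
                String value = filterConfig.getInitParameter(name);
                configuration.set("proxyuser." + name.substring(KerberosPlugin.IMPERSONATOR_PREFIX.length()), value);
                configuration.set(name, value);
            }
        }
        return configuration;
    }

    /**
     * Delegates to the parent filter with a wrapping chain that, before continuing, records the
     * real user's short name in the {@link KerberosPlugin#IMPERSONATOR_USER_NAME} request attribute
     * when the current user was authenticated via {@code PROXY} and has a real user.
     *
     * <p>The attribute is only ever set here, never cleared; for non-proxy requests it is left as
     * whatever earlier request processing put there.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        super.doFilter(servletRequest, servletResponse, new FilterChain() {
            public void doFilter(ServletRequest servletRequest2, ServletResponse servletResponse2) throws IOException, ServletException {
                HttpServletRequest httpRequest = (HttpServletRequest) servletRequest2;
                UserGroupInformation ugi = HttpUserGroupInformation.get();
                if (ugi != null && ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY) {
                    UserGroupInformation realUser = ugi.getRealUser();
                    if (realUser != null) {
                        httpRequest.setAttribute(KerberosPlugin.IMPERSONATOR_USER_NAME, realUser.getShortUserName());
                    }
                }
                filterChain.doFilter(servletRequest2, servletResponse2);
            }
        });
    }

    /** Destroys the parent filter and closes the Curator client, if one was created. */
    public void destroy() {
        try {
            super.destroy();
        } finally {
            // Close the ZooKeeper connection even if the parent's teardown throws.
            if (this.curatorFramework != null) {
                this.curatorFramework.close();
            }
            this.curatorFramework = null;
        }
    }

    /**
     * Initializes the handler named by {@code str}, then replaces it with a
     * {@link RequestContinuesRecorderAuthenticationHandler} that wraps it.
     *
     * @param str          class name of the authentication handler to initialize first
     * @param filterConfig filter configuration passed to both initializations
     * @throws ServletException if the parent fails to initialize either handler
     */
    protected void initializeAuthHandler(String str, FilterConfig filterConfig) throws ServletException {
        super.initializeAuthHandler(str, filterConfig);
        AuthenticationHandler wrappedHandler = getAuthenticationHandler();
        super.initializeAuthHandler(RequestContinuesRecorderAuthenticationHandler.class.getName(), filterConfig);
        ((RequestContinuesRecorderAuthenticationHandler) getAuthenticationHandler()).setAuthHandler(wrappedHandler);
    }

    /**
     * Creates and starts a Curator client namespaced to {@code <chroot>/security}, reusing the
     * ACL provider, credentials and session timeout of the given Solr ZooKeeper client.
     *
     * @param solrZkClient Solr ZooKeeper client; must not be null
     * @return the started Curator client, also kept in this filter for {@link #destroy()}
     * @throws IllegalArgumentException if {@code solrZkClient} is null
     * @throws InterruptedException     if creating the {@code /security} node is interrupted
     * @throws KeeperException          if creating the {@code /security} node fails for a reason
     *                                  other than the node already existing
     */
    protected CuratorFramework getCuratorClient(SolrZkClient solrZkClient) throws InterruptedException, KeeperException {
        if (solrZkClient == null) {
            throw new IllegalArgumentException("zkClient required");
        }
        ExponentialBackoffRetry retryPolicy = new ExponentialBackoffRetry(1000, 3);

        // The address has the form "hosts[/chroot]"; split it at the first '/'.
        String zkServerAddress = solrZkClient.getZkServerAddress();
        int slash = zkServerAddress.indexOf("/");
        String chroot = slash >= 0 ? zkServerAddress.substring(slash) : "";
        String connectString = slash >= 0 ? zkServerAddress.substring(0, slash) : zkServerAddress;

        // Curator namespaces carry no leading slash.
        String securityPath = chroot + "/security";
        String namespace = securityPath.startsWith("/") ? securityPath.substring(1) : securityPath;

        SolrZkToCuratorCredentialsACLs credentialsAcls = new SolrZkToCuratorCredentialsACLs(solrZkClient);
        try {
            solrZkClient.makePath("/security", CreateMode.PERSISTENT, true);
        } catch (KeeperException.NodeExistsException ignored) {
            // The node is already present (e.g. created by another instance); nothing to do.
        }
        this.curatorFramework = CuratorFrameworkFactory.builder()
                .namespace(namespace)
                .connectString(connectString)
                .retryPolicy(retryPolicy)
                .aclProvider(credentialsAcls.getACLProvider())
                .authorization(credentialsAcls.getAuthInfos())
                .sessionTimeoutMs(solrZkClient.getZkClientTimeout())
                .connectionTimeoutMs(30000)
                .build();
        this.curatorFramework.start();
        return this.curatorFramework;
    }
}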
