package org.apache.storm.daemon.ui.filters;

import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.commons.codec.Charsets;
import org.apache.commons.io.IOUtils;
import org.apache.storm.daemon.StormCommon;
import org.apache.storm.daemon.common.JsonResponseBuilder;
import org.apache.storm.daemon.ui.UIHelpers;
import org.apache.storm.daemon.ui.resources.AuthNimbusOp;
import org.apache.storm.daemon.ui.resources.StormApiResource;
import org.apache.storm.generated.AuthorizationException;
import org.apache.storm.security.auth.IAuthorizer;
import org.apache.storm.security.auth.ReqContext;
import org.apache.storm.thrift.TException;
import org.apache.storm.utils.NimbusClient;
import org.apache.storm.utils.Utils;
import org.json.simple.JSONValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

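/* loaded from: input_file:org/apache/storm/daemon/ui/filters/AuthorizedUserFilter.class */
/**
 * JAX-RS request filter that authorizes UI/REST calls before they reach a resource method.
 *
 * <p>Only resource methods annotated with {@link AuthNimbusOp} are checked. For those, the filter
 * optionally fetches the topology configuration from Nimbus, then consults the impersonation
 * authorizer (when the request is impersonating) and the ACL authorizer.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>Both checks are fail-open when no authorizer is configured: a {@code null}
 *       {@link #uiImpersonationHandler} lets impersonation through (with a warning), and a
 *       {@code null} {@link #uiAclHandler} lets every annotated operation through.</li>
 *   <li>Resource methods without {@link AuthNimbusOp} are never checked by this filter.</li>
 * </ul>
 */
@Provider
public class AuthorizedUserFilter implements ContainerRequestFilter {
    public static final Logger LOG = LoggerFactory.getLogger(AuthorizedUserFilter.class);

    // NOTE(review): the three fields below are public, static and non-final, so any code in the
    // same JVM can replace the configuration or an authorizer at runtime. They are kept as-is for
    // compatibility with existing callers; treat every write to them as security-sensitive.
    public static Map<String, Object> conf = Utils.readStormConfig();
    public static IAuthorizer uiImpersonationHandler;
    public static IAuthorizer uiAclHandler;

    private static final String IMPERSONATION_AUTHORIZER_KEY = "nimbus.impersonation.authorizer";
    private static final String ACL_AUTHORIZER_KEY = "nimbus.authorizer";
    private static final String UNKNOWN_USER = "unknown";

    static {
        try {
            uiImpersonationHandler =
                StormCommon.mkAuthorizationHandler((String) conf.get(IMPERSONATION_AUTHORIZER_KEY), conf);
            uiAclHandler = StormCommon.mkAuthorizationHandler((String) conf.get(ACL_AUTHORIZER_KEY), conf);
        } catch (ClassNotFoundException | IllegalAccessException | InstantiationException e) {
            // Refuse to load the filter with a broken authorizer rather than run unprotected.
            LOG.error("Error initializing AuthorizedUserFilter: ", e);
            throw new RuntimeException(e);
        }
    }

    @Context
    private ResourceInfo resourceInfo;

    /**
     * Builds the JSON error response used to abort a request.
     *
     * <p>When the request body is JSON, the body is read in full to look up the JSONP callback
     * name and is then put back on the request so later readers still see it. A body that is not
     * valid JSON, or is not a JSON object, simply yields no callback; it must never prevent the
     * error response from being produced.
     *
     * @param exc the exception to report to the client
     * @param containerRequestContext the request being rejected
     * @param i the HTTP status code of the response
     * @return the response carrying the serialized exception
     */
    public static Response makeResponse(Exception exc, ContainerRequestContext containerRequestContext, int i) {
        String callback = null;
        MediaType mediaType = containerRequestContext.getMediaType();
        if (mediaType != null && mediaType.equals(MediaType.APPLICATION_JSON_TYPE)) {
            try {
                // NOTE(review): the whole entity is buffered in memory for a request that is about
                // to be rejected; confirm the container enforces a request-size limit upstream.
                String body = IOUtils.toString(containerRequestContext.getEntityStream(), Charsets.UTF_8);
                // Re-encode with the same charset used for decoding; the platform default could
                // corrupt non-ASCII bodies.
                containerRequestContext.setEntityStream(IOUtils.toInputStream(body, Charsets.UTF_8));
                // JSONValue.parse returns null for malformed input and may return a non-Map value
                // (array, string, number), so check the type instead of casting blindly.
                Object parsed = JSONValue.parse(body);
                if (parsed instanceof Map) {
                    Map<?, ?> json = (Map<?, ?>) parsed;
                    if (json.containsKey(StormApiResource.callbackParameterName)) {
                        // NOTE(review): this value is client-controlled and is handed to the
                        // response builder unchanged here; confirm JsonResponseBuilder sanitizes
                        // the callback name before echoing it.
                        callback = String.valueOf(json.get(StormApiResource.callbackParameterName));
                    }
                }
            } catch (IOException e) {
                LOG.error("Exception while trying to get callback ", e);
            }
        }
        return new JsonResponseBuilder()
            .setData(UIHelpers.exceptionToJson(exc, i))
            .setCallback(callback)
            .setStatus(i)
            .build();
    }

    /**
     * Authorizes the current request against the configured impersonation and ACL authorizers.
     *
     * <p>The request is aborted with 500 when the topology configuration cannot be fetched, with
     * 403 when Nimbus or the ACL authorizer denies access, and with 401 when impersonation is
     * denied. Returning without aborting lets the request continue to the resource method.
     *
     * @param containerRequestContext the incoming request
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        AuthNimbusOp annotation = resourceInfo.getResourceMethod().getAnnotation(AuthNimbusOp.class);
        if (annotation == null) {
            // Unannotated resource methods are not subject to this filter.
            return;
        }
        String op = annotation.value();
        if (op == null) {
            return;
        }

        Map<String, Object> topoConf = null;
        if (annotation.needsTopoId()) {
            String topoId = containerRequestContext.getUriInfo().getPathParameters().getFirst("id");
            if (topoId == null) {
                // Previously this surfaced as an uncaught NullPointerException; reject explicitly
                // so the request can never continue without the topology-scoped check.
                LOG.error("Operation {} needs a topology id but the request path has no 'id' parameter", op);
                containerRequestContext.abortWith(makeResponse(
                    new IOException("Missing topology id for operation " + op), containerRequestContext, 500));
                return;
            }
            try (NimbusClient nimbus = NimbusClient.getConfiguredClient(conf)) {
                @SuppressWarnings("unchecked") // topology conf is expected to be a JSON object
                Map<String, Object> parsed =
                    (Map<String, Object>) JSONValue.parse(nimbus.getClient().getTopologyConf(topoId));
                topoConf = parsed;
            } catch (AuthorizationException e) {
                LOG.error("Nimbus isn't allowing {} to access the topology conf of {}. {}",
                    ReqContext.context(), topoId, e.get_msg());
                containerRequestContext.abortWith(makeResponse(e, containerRequestContext, 403));
                return;
            } catch (TException e) {
                LOG.error("Unable to fetch topo conf for {} due to ", topoId, e);
                containerRequestContext.abortWith(makeResponse(
                    new IOException("Unable to fetch topo conf for topo id " + topoId, e),
                    containerRequestContext, 500));
                return;
            }
        }

        ReqContext context = ReqContext.context();
        if (context.isImpersonating()) {
            if (uiImpersonationHandler == null) {
                // Fail-open by design of the existing behaviour: without an impersonation
                // authorizer the request proceeds. Make that visible in the logs. The principals
                // are passed as objects so a null principal cannot throw here.
                LOG.warn(" principal {} is trying to impersonate {} but {} has no authorizer configured. "
                        + "This is a potential security hole. Please see SECURITY.MD to learn how to "
                        + "configure an impersonation authorizer.",
                    context.realPrincipal(), context.principal(), IMPERSONATION_AUTHORIZER_KEY);
            } else if (!uiImpersonationHandler.permit(context, op, topoConf)) {
                String message = "user '" + nameOf(context.realPrincipal())
                    + "' is not authorized to impersonate user '" + nameOf(context.principal())
                    + "' from host '" + context.remoteAddress()
                    + "'. Please see SECURITY.MD to learn how to configure impersonation ACL.";
                containerRequestContext.abortWith(
                    makeResponse(new AuthorizationException(message), containerRequestContext, 401));
                return;
            }
        }

        // Fail-open when no ACL authorizer is configured: every annotated operation is allowed.
        if (uiAclHandler == null || uiAclHandler.permit(context, op, topoConf)) {
            return;
        }
        String denied = "UI request '" + op + "' for '" + nameOf(context.principal())
            + "' user is not authorized";
        containerRequestContext.abortWith(
            makeResponse(new AuthorizationException(denied), containerRequestContext, 403));
    }

    /** Returns the principal's name, or {@code "unknown"} when no principal is present. */
    private static String nameOf(Principal principal) {
        return principal != null ? principal.getName() : UNKNOWN_USER;
    }
}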
