package org.apache.hadoop.hive.metastore;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.auth.HttpAuthenticationException;
import org.apache.hadoop.hive.metastore.auth.jwt.JWTValidator;
import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.credentials.extractor.BearerAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/metastore/ServletSecurity.class */
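/**
 * Authentication front for the metastore's HTTP servlets: resolves the calling user for each
 * request and runs the wrapped servlet inside that user's {@code doAs}.
 *
 * <p>Two modes are implemented here:
 * <ul>
 *   <li><b>JWT</b> ({@code PROPERTIES_SERVLET_AUTH} = {@code jwt}): a bearer token is taken from
 *       the {@code Authorization} header, validated by {@link JWTValidator}, and its subject
 *       becomes the user.</li>
 *   <li><b>Header</b> (any other value): the user name is read verbatim from the
 *       {@value #X_USER} request header. Nothing in this class authenticates the caller in that
 *       mode - the header is trusted as presented. This is only safe when the servlet is reachable
 *       exclusively through a front-end that authenticates the client and sets (or overwrites)
 *       that header; confirm this in the deployment before exposing the endpoint.</li>
 * </ul>
 * When Hadoop security (Kerberos) or JWT is enabled the request runs as a proxy user on top of the
 * server's login user, otherwise as a plain remote user (see {@link #execute}).
 */
public class ServletSecurity {
    private static final Logger LOG = LoggerFactory.getLogger(ServletSecurity.class);
    /** Request header carrying the caller-asserted user name when JWT auth is off. */
    static final String X_USER = "x-actor-username";
    /** Headers whose values carry credentials and must never reach the debug log. */
    private static final String[] SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"};
    private static final String REDACTED = "<redacted>";

    private final boolean isSecurityEnabled;
    private final boolean jwtAuthEnabled;
    private final Configuration conf;
    /** Created lazily by {@link #init()} when JWT auth is enabled; stays null otherwise. */
    private JWTValidator jwtValidator;

    /** Request body executed once the caller has been resolved, inside the user's {@code doAs}. */
    @FunctionalInterface
    public interface MethodExecutor {
        void execute(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException;
    }

    /**
     * Servlet wrapper that authenticates every request through the enclosing
     * {@link ServletSecurity} and then forwards it to the wrapped servlet as the resolved user.
     * Non-static on purpose: it needs the enclosing instance's configuration and validator.
     */
    public class ProxyServlet extends HttpServlet {
        private final HttpServlet delegate;

        ProxyServlet(HttpServlet delegate) {
            this.delegate = delegate;
        }

        /** Initializes the security layer first so the JWT validator exists before any request. */
        @Override
        public void init() throws ServletException {
            ServletSecurity.this.init();
            delegate.init();
        }

        /**
         * Resolves the user and runs the delegate's {@code service} as that user. The method
         * reference binds to the public {@code service(ServletRequest, ServletResponse)} overload,
         * since {@code HttpServlet}'s typed overload is protected and not accessible here.
         */
        @Override
        public void service(HttpServletRequest request, HttpServletResponse response) throws IOException {
            ServletSecurity.this.execute(request, response, delegate::service);
        }

        /** Delegate's name; falls back to {@code toString()} when the delegate has no ServletConfig yet. */
        @Override
        public String getServletName() {
            try {
                return delegate.getServletName();
            } catch (IllegalStateException e) {
                return delegate.toString();
            }
        }

        @Override
        public String getServletInfo() {
            return delegate.getServletInfo();
        }
    }

    /**
     * @param conf metastore configuration; JWT mode is derived from it via {@link #isAuthJwt}
     */
    public ServletSecurity(Configuration conf) {
        this(conf, isAuthJwt(conf));
    }

    /**
     * @param conf           metastore configuration
     * @param jwtAuthEnabled true to authenticate with bearer JWTs, false to trust {@value #X_USER}
     */
    public ServletSecurity(Configuration conf, boolean jwtAuthEnabled) {
        this.conf = conf;
        this.isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
        this.jwtAuthEnabled = jwtAuthEnabled;
        this.jwtValidator = null;
    }

    /** @return true when {@code PROPERTIES_SERVLET_AUTH} is set to {@code jwt} (case-insensitive) */
    public static boolean isAuthJwt(Configuration conf) {
        return "jwt".equalsIgnoreCase(MetastoreConf.getVar(conf, MetastoreConf.ConfVars.PROPERTIES_SERVLET_AUTH));
    }

    /**
     * Builds the {@link JWTValidator} once, if JWT auth is enabled. Idempotent; not synchronized,
     * so callers are expected to invoke it from servlet initialization.
     *
     * @throws ServletException if the validator cannot be constructed (cause preserved)
     */
    public void init() throws ServletException {
        if (jwtAuthEnabled && jwtValidator == null) {
            try {
                jwtValidator = new JWTValidator(conf);
            } catch (Exception e) {
                // Chain the cause: a message-only wrapper hides the real failure (e.g. a JWKS load error).
                throw new ServletException("Failed to initialize ServletSecurity. Error: " + e, e);
            }
        }
    }

    /**
     * Wraps a servlet with this security layer.
     *
     * @return the proxy servlet, or {@code null} if {@link #init()} failed (the error is logged);
     *         callers must handle the null
     */
    public HttpServlet proxy(HttpServlet servlet) {
        try {
            init();
            return new ProxyServlet(servlet);
        } catch (ServletException e) {
            LOG.error("Unable to proxy security for servlet {}", servlet.toString(), e);
            return null;
        }
    }

    /**
     * Authenticates the request and runs {@code executor} as the resolved user.
     *
     * <p>On authentication failure a 401 is written and the executor is not run. A
     * {@link RuntimeException} from the executor (this includes checked exceptions that
     * {@code doAs} re-wraps) is surfaced as an {@link IOException}. If the thread is interrupted
     * the interrupt flag is restored and no response body is written.
     *
     * @throws IOException on write failure or when the executor fails
     */
    public void execute(HttpServletRequest request, HttpServletResponse response, MethodExecutor executor) throws IOException {
        if (LOG.isDebugEnabled()) {
            logHeaders(request);
        }
        final UserGroupInformation ugi;
        try {
            String userName = extractUserName(request, response);
            if (isSecurityEnabled || jwtAuthEnabled) {
                // Impersonate on top of the server's own (keytab) login.
                LOG.info("Creating proxy user for: {}", userName);
                ugi = UserGroupInformation.createProxyUser(userName, UserGroupInformation.getLoginUser());
            } else {
                LOG.info("Creating remote user for: {}", userName);
                ugi = UserGroupInformation.createRemoteUser(userName);
            }
        } catch (HttpAuthenticationException e) {
            rejectUnauthenticated(response, e);
            return;
        }
        try {
            ugi.doAs(() -> {
                executor.execute(request, response);
                return null;
            });
        } catch (InterruptedException e) {
            LOG.info("Interrupted when executing http request as user: {}", ugi.getUserName(), e);
            Thread.currentThread().interrupt();
        } catch (RuntimeException e) {
            throw new IOException("Exception when executing http request as user: " + ugi.getUserName(), e);
        }
    }

    /**
     * Debug-logs every request header, masking credential-bearing ones. The unmasked original
     * wrote the raw {@code Authorization} header - i.e. the bearer JWT - into the log.
     */
    private static void logHeaders(HttpServletRequest request) {
        LOG.debug("Logging headers in {} request", request.getMethod());
        Enumeration<String> names = request.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String value = isSensitiveHeader(name) ? REDACTED : request.getHeader(name);
            LOG.debug("Header: [{}], Value: [{}]", name, value);
        }
    }

    /** @return true if {@code name} (case-insensitive) is one of {@link #SENSITIVE_HEADERS} */
    private static boolean isSensitiveHeader(String name) {
        for (String sensitive : SENSITIVE_HEADERS) {
            if (sensitive.equalsIgnoreCase(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Writes the 401 response for a failed authentication. The body only echoes this class's own
     * fixed messages; validator details stay in the server log.
     */
    private void rejectUnauthenticated(HttpServletResponse response, HttpAuthenticationException e) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        if (jwtAuthEnabled) {
            // RFC 6750 section 3: a 401 to a bearer-token client carries a WWW-Authenticate challenge.
            response.setHeader("WWW-Authenticate", "Bearer");
        }
        response.getWriter().println("Authentication error: " + e.getMessage());
        LOG.error("Authentication error: ", e);
    }

    /**
     * Resolves the user name for the request.
     *
     * <p>Without JWT the value of {@value #X_USER} is returned as-is - no verification of the
     * caller happens here (see the class comment). With JWT the bearer token is validated and its
     * subject returned.
     *
     * @throws HttpAuthenticationException if the header/token is missing or the JWT is rejected
     */
    private String extractUserName(HttpServletRequest request, HttpServletResponse response) throws HttpAuthenticationException {
        if (!jwtAuthEnabled) {
            String user = request.getHeader(X_USER);
            if (user == null || user.isEmpty()) {
                throw new HttpAuthenticationException("User header x-actor-username missing in request");
            }
            return user;
        }
        String token = extractBearerToken(request, response);
        if (token == null) {
            throw new HttpAuthenticationException("Couldn't find bearer token in the auth header in the request");
        }
        try {
            String user = jwtValidator.validateJWTAndExtractUser(token);
            Preconditions.checkNotNull(user, "JWT needs to contain the user name as subject");
            Preconditions.checkState(!user.isEmpty(), "User name should not be empty in JWT");
            LOG.info("Successfully validated and extracted user name {} from JWT in Auth header in the request", user);
            return user;
        } catch (Exception e) {
            // Deliberately generic message to the client; the cause is kept for the server log.
            throw new HttpAuthenticationException("Failed to validate JWT from Bearer token in Authentication header", e);
        }
    }

    /** @return the token from an {@code Authorization: Bearer ...} header, or null if absent */
    private static String extractBearerToken(HttpServletRequest request, HttpServletResponse response) {
        return new BearerAuthExtractor()
            .extract(new JEEContext(request, response))
            .map(credentials -> credentials.getToken())
            .orElse(null);
    }

    /**
     * Logs the server in from its keytab when Hadoop security is enabled. The {@code "0.0.0.0"}
     * host argument makes {@link SecurityUtil#getServerPrincipal} substitute the local host name
     * for a {@code _HOST} placeholder in the configured principal.
     *
     * @throws IOException if the keytab login fails
     */
    public static void loginServerPrincipal(Configuration conf) throws IOException {
        LOG.info(" Checking if security is enabled");
        if (!UserGroupInformation.isSecurityEnabled()) {
            LOG.info("Security is not enabled. Not logging in via keytab");
            return;
        }
        LOG.info("Logging in via keytab while starting HTTP metastore");
        String principal = SecurityUtil.getServerPrincipal(
            MetastoreConf.getVar(conf, MetastoreConf.ConfVars.KERBEROS_PRINCIPAL), "0.0.0.0");
        String keytab = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.KERBEROS_KEYTAB_FILE);
        UserGroupInformation.loginUserFromKeytab(principal, keytab);
    }

    /**
     * Builds the Jetty TLS context from the metastore SSL settings.
     *
     * @return the configured factory, or {@code null} when {@code USE_SSL} is off
     * @throws IllegalArgumentException if SSL is on but no keystore path is configured
     * @throws IOException if the keystore password cannot be read
     */
    public static SslContextFactory createSslContextFactory(Configuration conf) throws IOException {
        if (!MetastoreConf.getBoolVar(conf, MetastoreConf.ConfVars.USE_SSL)) {
            return null;
        }
        String keyStorePath = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_KEYSTORE_PATH).trim();
        if (keyStorePath.isEmpty()) {
            throw new IllegalArgumentException(MetastoreConf.ConfVars.SSL_KEYSTORE_PATH + " Not configured for SSL connection");
        }
        // Resolved through the credential provider API; never log it.
        String keyStorePassword = MetastoreConf.getPassword(conf, MetastoreConf.ConfVars.SSL_KEYSTORE_PASSWORD);
        String keyStoreType = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_KEYSTORE_TYPE).trim();
        String keyManagerAlgorithm = MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_KEYMANAGERFACTORY_ALGORITHM).trim();
        // Jetty excludes protocols by exact name match, so an entry like " TLSv1" (from
        // "SSLv3, TLSv1") would silently stay enabled. Trim each entry and drop empties.
        String[] excludedProtocols = Arrays.stream(
                MetastoreConf.getVar(conf, MetastoreConf.ConfVars.SSL_PROTOCOL_BLACKLIST).split(","))
            .map(String::trim)
            .filter(p -> !p.isEmpty())
            .toArray(String[]::new);
        if (LOG.isInfoEnabled()) {
            LOG.info("HTTP Server SSL: adding excluded protocols: {}", Arrays.toString(excludedProtocols));
        }
        SslContextFactory.Server factory = new SslContextFactory.Server();
        factory.addExcludeProtocols(excludedProtocols);
        if (LOG.isInfoEnabled()) {
            LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = {}", Arrays.toString(factory.getExcludeProtocols()));
        }
        factory.setKeyStorePath(keyStorePath);
        factory.setKeyStorePassword(keyStorePassword);
        factory.setKeyStoreType(keyStoreType);
        factory.setKeyManagerFactoryAlgorithm(keyManagerAlgorithm);
        return factory;
    }
}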
