package org.apache.knox.gateway.hadoopauth.filter;

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.util.HttpExceptionUtils;
import org.apache.knox.gateway.GatewayFilter;
import org.apache.knox.gateway.GatewayServer;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.hadoopauth.HadoopAuthMessages;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.provider.federation.jwt.filter.JWTFederationFilter;
import org.apache.knox.gateway.services.ServiceType;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;

/* loaded from: input_file:org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.class */
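/**
 * Servlet filter that extends Hadoop's {@link AuthenticationFilter} with two
 * gateway-specific behaviours:
 *
 * <ul>
 *   <li>optional delegation to a {@link JWTFederationFilter} when the request
 *       carries a wire token and {@code support.jwt} is enabled;</li>
 *   <li>{@code doAs} impersonation, authorised through {@link ProxyUsers}
 *       against the {@code hadoop.proxyuser.*} init parameters.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The {@code doAs} value is request-controlled. It only takes effect after
 *       {@link ProxyUsers#authorize} accepts the (real user, remote address)
 *       pair; a rejection is answered with HTTP 403.</li>
 *   <li>Users on the ignore list, and requests without a remote user, skip the
 *       impersonation check entirely. The raw {@code doAs} parameter stays in
 *       the request in that case, so downstream code should take identity from
 *       {@code getRemoteUser()}/{@code getUserPrincipal()}, not from the
 *       parameter. NOTE(review): confirm against downstream handlers.</li>
 *   <li>Values of the form <code>${ALIAS=name}</code> are resolved through the
 *       {@link AliasService}. The resolved secret is never put in an error
 *       message; only the parameter name is.</li>
 * </ul>
 */
public class HadoopAuthFilter extends AuthenticationFilter {
    private static final String QUERY_PARAMETER_DOAS = "doAs";
    private static final String PROXYUSER_PREFIX = "hadoop.proxyuser";
    static final String SUPPORT_JWT = "support.jwt";
    static final String JWT_PREFIX = "jwt.";
    private static final String IGNORE_DOAS_PARAM = "gateway.proxyuser.services.ignore.doas";
    private static final String GATEWAY_CONFIG_ATTRIBUTE = "org.apache.knox.gateway.config";
    private static final String ALIAS_PREFIX = "${ALIAS=";
    private static final String ALIAS_SUFFIX = "}";
    private static final HadoopAuthMessages LOG = (HadoopAuthMessages) MessagesFactory.get(HadoopAuthMessages.class);

    /** Lower-cased user names whose {@code doAs} parameter is not processed by this filter. */
    private final Set<String> ignoreDoAs = new HashSet<>();

    /** Non-null only when {@code support.jwt} is enabled and the JWT filter initialised successfully. */
    private JWTFederationFilter jwtFilter;

    /**
     * Builds the authentication handler configuration, resolving aliases with the
     * gateway-wide {@link AliasService}.
     *
     * @param str          prefix that selects (and is stripped from) the init parameters
     * @param filterConfig filter configuration to read from
     * @return the selected parameters with the prefix removed
     * @throws ServletException if an alias cannot be resolved
     */
    protected Properties getConfiguration(String str, FilterConfig filterConfig) throws ServletException {
        AliasService aliasService = (AliasService) GatewayServer.getGatewayServices().getService(ServiceType.ALIAS_SERVICE);
        return getConfiguration(aliasService, str, filterConfig);
    }

    /**
     * Loads the proxy-user rules and the doAs ignore list, initialises the parent
     * filter and, when {@code support.jwt} is true, the JWT federation filter.
     *
     * <p>The ignore list comes from the {@code gateway.proxyuser.services.ignore.doas}
     * init parameter (comma separated) and falls back to the {@link GatewayConfig}
     * stored in the servlet context when the parameter is absent or blank.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException if the parent or the JWT filter fails to initialise
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        ProxyUsers.refreshSuperUserGroupsConfiguration(getProxyuserConfiguration(filterConfig), PROXYUSER_PREFIX);

        Collection<? extends String> configured = null;
        String rawIgnoreList = filterConfig.getInitParameter(IGNORE_DOAS_PARAM);
        if (rawIgnoreList != null) {
            String trimmed = rawIgnoreList.trim();
            if (!trimmed.isEmpty()) {
                configured = Arrays.asList(trimmed.split("\\s*,\\s*"));
            }
        }
        if (configured == null) {
            Object gatewayConfig = filterConfig.getServletContext().getAttribute(GATEWAY_CONFIG_ATTRIBUTE);
            if (gatewayConfig instanceof GatewayConfig) {
                configured = ((GatewayConfig) gatewayConfig).getServicesToIgnoreDoAs();
            }
        }
        if (configured != null) {
            // ignoreDoAs(String) lower-cases the user name before the lookup, so every
            // entry is stored lower-cased too, whichever source it came from.
            for (String name : configured) {
                if (name != null) {
                    this.ignoreDoAs.add(name.toLowerCase(Locale.ROOT));
                }
            }
        }

        super.init(filterConfig);

        // Boolean.parseBoolean(null) is false, so a missing parameter disables JWT support.
        if (Boolean.parseBoolean(filterConfig.getInitParameter(SUPPORT_JWT))) {
            JWTFederationFilter candidate = new JWTFederationFilter();
            ((GatewayFilter.Holder) filterConfig).removeParamPrefix(JWT_PREFIX);
            candidate.init(filterConfig);
            // Publish the field only after init succeeded, so a failed init never
            // leaves a half-initialised JWT filter reachable from doFilter.
            this.jwtFilter = candidate;
            LOG.initializedJwtFilter();
        }
    }

    /**
     * Routes the request to the JWT filter when it carries a wire token, otherwise
     * to the parent authentication filter.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (shouldUseJwtFilter(this.jwtFilter, (HttpServletRequest) servletRequest)) {
            LOG.useJwtFilter();
            this.jwtFilter.doFilter(servletRequest, servletResponse, filterChain);
            return;
        }
        super.doFilter(servletRequest, servletResponse, filterChain);
    }

    /**
     * Applies {@code doAs} impersonation before handing the request to the parent filter.
     *
     * <p>When the remote user is not on the ignore list and {@code doAs} names a
     * different user, the pair is checked with {@link ProxyUsers#authorize}. On
     * success the request is wrapped so that {@code getRemoteUser()} and
     * {@code getUserPrincipal()} report the impersonated user; on failure a 403
     * response is written and the chain is not invoked.
     */
    protected void doFilter(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        if (shouldUseJwtFilter(this.jwtFilter, httpServletRequest)) {
            LOG.useJwtFilter();
            this.jwtFilter.doFilter(httpServletRequest, httpServletResponse, filterChain);
            return;
        }

        HttpServletRequest effectiveRequest = httpServletRequest;
        final String remoteUser = httpServletRequest.getRemoteUser();
        final String doAsUser = ignoreDoAs(remoteUser) ? null : httpServletRequest.getParameter(QUERY_PARAMETER_DOAS);

        if (doAsUser != null && !doAsUser.equals(remoteUser)) {
            final String remoteAddr = httpServletRequest.getRemoteAddr();
            LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, remoteAddr);

            // Without an authenticated principal there is no real user to authorise
            // against; the request continues unwrapped and the parent filter decides.
            if (httpServletRequest.getUserPrincipal() != null) {
                final UserGroupInformation realUser = UserGroupInformation.createRemoteUser(remoteUser);
                final UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(doAsUser, realUser);
                try {
                    ProxyUsers.authorize(proxyUser, remoteAddr);
                } catch (AuthorizationException e) {
                    // Log first: writing the response can throw, and the denial
                    // should be recorded either way.
                    LOG.hadoopAuthProxyUserFailed(e);
                    HttpExceptionUtils.createServletExceptionResponse(httpServletResponse, HttpServletResponse.SC_FORBIDDEN, e);
                    return;
                }
                effectiveRequest = new HttpServletRequestWrapper(httpServletRequest) {
                    public String getRemoteUser() {
                        return proxyUser.getShortUserName();
                    }

                    public Principal getUserPrincipal() {
                        return proxyUser::getUserName;
                    }
                };
                LOG.hadoopAuthProxyUserSuccess();
            }
        }
        super.doFilter(filterChain, effectiveRequest, httpServletResponse);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether the request should be handled by the JWT filter.
     *
     * @return {@code true} only when a JWT filter is configured and it finds a wire token in the request
     */
    public static boolean shouldUseJwtFilter(JWTFederationFilter jWTFederationFilter, HttpServletRequest httpServletRequest) throws IOException, ServletException {
        return jWTFederationFilter != null && jWTFederationFilter.getWireToken(httpServletRequest) != null;
    }

    /**
     * Tells whether {@code doAs} processing is skipped for the given user.
     *
     * @param str authenticated user name, may be {@code null}
     * @return {@code true} for a null or empty name, or a name on the ignore list (case-insensitive)
     */
    boolean ignoreDoAs(String str) {
        if (str == null || str.isEmpty()) {
            return true;
        }
        return this.ignoreDoAs.contains(str.toLowerCase(Locale.ROOT));
    }

    /** Copies every {@code hadoop.proxyuser.*} init parameter into a fresh, defaults-free configuration. */
    private Configuration getProxyuserConfiguration(FilterConfig filterConfig) {
        final Configuration configuration = new Configuration(false);
        final Enumeration<String> names = filterConfig.getInitParameterNames();
        while (names.hasMoreElements()) {
            final String name = names.nextElement();
            if (name.startsWith(PROXYUSER_PREFIX + ".")) {
                configuration.set(name, filterConfig.getInitParameter(name));
            }
        }
        return configuration;
    }

    /**
     * Collects the init parameters that start with {@code str}, strips that prefix
     * and replaces <code>${ALIAS=name}</code> values with the secret stored under
     * {@code name} for the cluster given by the {@code clusterName} init parameter.
     *
     * @param aliasService service used to resolve aliases
     * @param str          prefix that selects (and is stripped from) the init parameters
     * @param filterConfig filter configuration to read from
     * @return the selected parameters with the prefix removed and aliases resolved
     * @throws ServletException if the alias service fails or has no value for an alias
     */
    Properties getConfiguration(AliasService aliasService, String str, FilterConfig filterConfig) throws ServletException {
        final String clusterName = filterConfig.getInitParameter("clusterName");
        final Properties properties = new Properties();
        final Enumeration<String> names = filterConfig.getInitParameterNames();
        while (names.hasMoreElements()) {
            final String name = names.nextElement();
            if (!name.startsWith(str)) {
                continue;
            }
            String value = filterConfig.getInitParameter(name);
            if (value.startsWith(ALIAS_PREFIX) && value.endsWith(ALIAS_SUFFIX)) {
                final String alias = value.substring(ALIAS_PREFIX.length(), value.length() - ALIAS_SUFFIX.length());
                final char[] secret;
                try {
                    secret = aliasService.getPasswordFromAliasForCluster(clusterName, alias);
                } catch (AliasServiceException e) {
                    throw new ServletException("Unable to retrieve alias for config: " + name, e);
                }
                if (secret == null) {
                    // String.valueOf((char[]) null) would throw a bare NullPointerException;
                    // fail with the same configuration error as a service failure instead.
                    throw new ServletException("Unable to retrieve alias for config: " + name);
                }
                value = String.valueOf(secret);
            }
            properties.put(name.substring(str.length()), value);
        }
        return properties;
    }

    /** @return {@code true} when the JWT federation filter was enabled and initialised */
    boolean isJwtSupported() {
        return this.jwtFilter != null;
    }
}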
