package org.apache.hadoop.security.token.delegation.web;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.Principal;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.curator.framework.CuratorFramework;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager;
import org.apache.hadoop.util.HttpExceptionUtils;
import org.apache.http.HttpStatus;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URLEncodedUtils;

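/**
 * Authentication filter that maps the short "type" names of the pseudo and
 * Kerberos handlers onto their delegation-token-aware handler classes and
 * publishes the effective caller as a {@link UserGroupInformation}.
 *
 * <p>For each authenticated, non-anonymous request the filter builds a UGI for
 * the caller, optionally wraps it in a proxy UGI when a {@code doAs} query
 * parameter is present, checks that impersonation with {@link ProxyUsers}, and
 * exposes the result through a per-thread slot for the duration of the
 * downstream filter chain.
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>The per-thread UGI must never outlive the request. It is set and
 *       cleared inside one try/finally in {@link #doFilter}.</li>
 *   <li>A rejected {@code doAs} request must not leave the rejected proxy UGI
 *       visible to {@link #getHttpUserGroupInformationInContext()}.</li>
 * </ul>
 */
@InterfaceAudience.Private
@InterfaceStability.Evolving
/* loaded from: input_file:WEB-INF/lib/hadoop-common-2.5.0-cdh5.2.2-SNAPSHOT.jar:org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationFilter.class */
public class DelegationTokenAuthenticationFilter extends AuthenticationFilter {
    // The three JSON-related constants below are not referenced anywhere in this class as shown.
    private static final String APPLICATION_JSON_MIME = "application/json";
    private static final String ERROR_EXCEPTION_JSON = "exception";
    private static final String ERROR_MESSAGE_JSON = "message";

    /** Servlet-context attribute from which {@link #init} reads an externally supplied secret manager. */
    public static final String DELEGATION_TOKEN_SECRET_MANAGER_ATTR = "hadoop.http.delegation-token-secret-manager";

    /** Charset used to decode the query string when looking for the doAs parameter. */
    private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");

    /** Per-thread UGI of the request currently inside {@link #doFilter}; empty outside of it. */
    private static final ThreadLocal<UserGroupInformation> UGI_TL = new ThreadLocal<>();

    /** Prefix of the filter init parameters that configure proxy-user (impersonation) rules. */
    public static final String PROXYUSER_PREFIX = "proxyuser";

    /** Auth method recorded for the configured handler; set in {@link #init}. */
    private SaslRpcServer.AuthMethod handlerAuthMethod;

    /**
     * Returns the parent filter's configuration with the "type" entry rewritten
     * to the delegation-token-aware handler class when it names the pseudo or
     * Kerberos handler type. Any other value, including a missing one, is left
     * untouched.
     *
     * @param str          passed through unchanged to the parent implementation
     * @param filterConfig the servlet filter configuration
     * @return the (possibly adjusted) configuration properties
     * @throws ServletException if the parent implementation fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.security.authentication.server.AuthenticationFilter
    public Properties getConfiguration(String str, FilterConfig filterConfig) throws ServletException {
        Properties configuration = super.getConfiguration(str, filterConfig);
        String authType = configuration.getProperty("type");
        // Constant-first comparison: a missing "type" property no longer raises a
        // NullPointerException here; it is simply passed on unchanged.
        if (PseudoAuthenticationHandler.TYPE.equals(authType)) {
            configuration.setProperty("type", PseudoDelegationTokenAuthenticationHandler.class.getName());
        } else if (KerberosAuthenticationHandler.TYPE.equals(authType)) {
            configuration.setProperty("type", KerberosDelegationTokenAuthenticationHandler.class.getName());
        }
        return configuration;
    }

    /**
     * Collects every filter init parameter whose name starts with
     * {@code "proxyuser."} into a fresh {@link Configuration} created with
     * {@code new Configuration(false)}.
     *
     * @param filterConfig the servlet filter configuration
     * @return a configuration holding only the proxy-user parameters
     * @throws ServletException declared for subclasses; not thrown by this implementation
     */
    protected Configuration getProxyuserConfiguration(FilterConfig filterConfig) throws ServletException {
        Configuration proxyConf = new Configuration(false);
        final String prefix = PROXYUSER_PREFIX + ".";
        Enumeration<?> names = filterConfig.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (name.startsWith(prefix)) {
                proxyConf.set(name, filterConfig.getInitParameter(name));
            }
        }
        return proxyConf;
    }

    /**
     * Initializes the parent filter, wires in an external delegation-token
     * secret manager if the servlet context provides one, records the handler's
     * auth method, and loads the proxy-user rules.
     *
     * @param filterConfig the servlet filter configuration
     * @throws ServletException if the parent initialization fails
     */
    @Override // org.apache.hadoop.security.authentication.server.AuthenticationFilter
    public void init(FilterConfig filterConfig) throws ServletException {
        CuratorFramework curator = (CuratorFramework) filterConfig.getServletContext()
                .getAttribute(ZKSignerSecretProvider.ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE);
        // The curator is handed over through a static setter only for the span of
        // super.init(). Clearing it in finally keeps the static from staying
        // populated when initialization throws.
        ZKDelegationTokenSecretManager.setCurator(curator);
        try {
            super.init(filterConfig);
        } finally {
            ZKDelegationTokenSecretManager.setCurator(null);
        }

        AuthenticationHandler handler = getAuthenticationHandler();
        AbstractDelegationTokenSecretManager externalSecretManager = (AbstractDelegationTokenSecretManager)
                filterConfig.getServletContext().getAttribute(DELEGATION_TOKEN_SECRET_MANAGER_ATTR);
        if (externalSecretManager != null && (handler instanceof DelegationTokenAuthenticationHandler)) {
            ((DelegationTokenAuthenticationHandler) handler)
                    .setExternalDelegationTokenSecretManager(externalSecretManager);
        }
        if ((handler instanceof PseudoAuthenticationHandler)
                || (handler instanceof PseudoDelegationTokenAuthenticationHandler)) {
            setHandlerAuthMethod(SaslRpcServer.AuthMethod.SIMPLE);
        }
        if ((handler instanceof KerberosAuthenticationHandler)
                || (handler instanceof KerberosDelegationTokenAuthenticationHandler)) {
            setHandlerAuthMethod(SaslRpcServer.AuthMethod.KERBEROS);
        }
        // NOTE(review): for any other handler type handlerAuthMethod stays null, and
        // getAuthType() on the wrapped request in doFilter dereferences it - confirm
        // that only the handler types above are deployed with this filter.
        ProxyUsers.refreshSuperUserGroupsConfiguration(getProxyuserConfiguration(filterConfig), PROXYUSER_PREFIX);
    }

    /**
     * Records the auth method later used when creating the caller's UGI.
     *
     * @param authMethod the auth method associated with the configured handler
     */
    protected void setHandlerAuthMethod(SaslRpcServer.AuthMethod authMethod) {
        this.handlerAuthMethod = authMethod;
    }

    /**
     * Extracts the value of the first query-string parameter named
     * {@code doAs}, matching the name case-insensitively.
     *
     * @param httpServletRequest the incoming request
     * @return the requested impersonation target, or {@code null} when there is none
     */
    @VisibleForTesting
    static String getDoAs(HttpServletRequest httpServletRequest) {
        List<NameValuePair> params = URLEncodedUtils.parse(httpServletRequest.getQueryString(), UTF8_CHARSET);
        if (params == null) {
            return null;
        }
        for (NameValuePair param : params) {
            if ("doAs".equalsIgnoreCase(param.getName())) {
                return param.getValue();
            }
        }
        return null;
    }

    /**
     * Returns the UGI bound to the current thread by {@link #doFilter}, or
     * {@code null} when the thread is not inside an authenticated request.
     *
     * @return the current request's UGI, possibly {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static UserGroupInformation getHttpUserGroupInformationInContext() {
        return UGI_TL.get();
    }

    /**
     * Resolves the effective caller and runs the rest of the chain with a
     * request wrapper that reports that caller.
     *
     * <p>If the request attribute {@code hadoop.security.delegation-token.ugi}
     * already carries a UGI, it is used as-is and {@code doAs} is not consulted.
     * Otherwise a remote-user UGI is created from the authenticated principal,
     * and a {@code doAs} parameter, if present, turns it into a proxy UGI that
     * must pass {@link ProxyUsers#authorize}. A failed authorization produces a
     * 403 response and the chain is not invoked.
     *
     * @param filterChain         the remaining filter chain
     * @param httpServletRequest  the authenticated request
     * @param httpServletResponse the response
     * @throws IOException      propagated from the chain or from writing the error response
     * @throws ServletException propagated from the chain
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.security.authentication.server.AuthenticationFilter
    public void doFilter(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        UserGroupInformation resolvedUgi = null;
        AuthenticationToken authToken = (AuthenticationToken) httpServletRequest.getUserPrincipal();
        if (authToken != null && authToken != AuthenticationToken.ANONYMOUS) {
            resolvedUgi = (UserGroupInformation) httpServletRequest.getAttribute("hadoop.security.delegation-token.ugi");
            if (resolvedUgi == null) {
                resolvedUgi = UserGroupInformation.createRemoteUser(
                        httpServletRequest.getUserPrincipal().getName(), this.handlerAuthMethod);
                String doAs = getDoAs(httpServletRequest);
                if (doAs != null) {
                    resolvedUgi = UserGroupInformation.createProxyUser(doAs, resolvedUgi);
                    try {
                        // NOTE(review): the host check uses getRemoteHost(); behind a reverse
                        // proxy or load balancer this may be the intermediary's address -
                        // confirm the proxyuser host rules account for that.
                        ProxyUsers.authorize(resolvedUgi, httpServletRequest.getRemoteHost());
                    } catch (AuthorizationException e) {
                        HttpExceptionUtils.createServletExceptionResponse(httpServletResponse, HttpStatus.SC_FORBIDDEN, e);
                        // Return before the thread-local is touched. The previous flow
                        // stored the rejected proxy UGI in UGI_TL and returned without
                        // removing it, so a pooled worker thread could expose it to a
                        // later request through getHttpUserGroupInformationInContext().
                        return;
                    }
                }
            }
        }

        final UserGroupInformation effectiveUgi = resolvedUgi;
        HttpServletRequest wrappedRequest = new HttpServletRequestWrapper(httpServletRequest) { // from class: org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.1
            @Override
            public String getAuthType() {
                return effectiveUgi == null
                        ? null
                        : DelegationTokenAuthenticationFilter.this.handlerAuthMethod.toString();
            }

            @Override
            public String getRemoteUser() {
                return effectiveUgi == null ? null : effectiveUgi.getShortUserName();
            }

            @Override
            public Principal getUserPrincipal() {
                if (effectiveUgi == null) {
                    return null;
                }
                return new Principal() { // from class: org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.1.1
                    @Override // java.security.Principal
                    public String getName() {
                        return effectiveUgi.getUserName();
                    }
                };
            }
        };

        // Set and clear the per-thread UGI in the same try/finally so that every
        // exit path, normal or exceptional, leaves the worker thread clean.
        try {
            if (effectiveUgi != null) {
                UGI_TL.set(effectiveUgi);
            }
            super.doFilter(filterChain, wrappedRequest, httpServletResponse);
        } finally {
            UGI_TL.remove();
        }
    }
}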
