package org.apache.solr.servlet;

import java.io.IOException;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Properties;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.reflect.FieldUtils;
import org.apache.curator.framework.AuthInfo;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.security.authentication.util.Signer;
import org.apache.hadoop.security.authentication.util.SignerException;
import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
import org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenManager;
import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler;
import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler;
import org.apache.http.client.methods.HttpOptions;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer;
import org.apache.solr.common.cloud.SolrZkClient;
import org.apache.solr.common.cloud.ZkACLProvider;
import org.apache.solr.common.cloud.ZkCredentialsProvider;
import org.apache.solr.common.util.StrUtils;
import org.apache.solr.core.ConfigSolr;
import org.apache.solr.core.HdfsDirectoryFactory;
import org.apache.solr.core.SolrResourceLoader;
import org.apache.solr.core.ZkContainer;
import org.apache.solr.servlet.authentication.AuthenticationHandlerUtil;
import org.apache.solr.util.HdfsUtil;
import org.apache.zookeeper.data.ACL;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/solr-core-4.10.3-cdh5.15.0-SNAPSHOT.jar:org/apache/solr/servlet/SolrHadoopAuthenticationFilter.class */
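/**
 * Servlet filter that places Hadoop's delegation-token aware authentication in front of Solr.
 *
 * <p>Configuration comes from JVM system properties: every {@code solr.authentication.*}
 * property is handed to the authentication handler with the prefix stripped, and every
 * {@code solr.security.proxyuser.*} property becomes a {@code proxyuser.*} entry. When a ZooKeeper
 * host is configured, a Curator client is created and published to the servlet context so the
 * signer secret and delegation tokens can be kept in ZooKeeper.
 *
 * <p>Security-relevant defaults visible in this class (review them before deploying):
 * <ul>
 *   <li>with no {@code solr.authentication.type} set, the pseudo (user-name only) handler is used
 *       and anonymous access is switched on, see {@link #getConfiguration};</li>
 *   <li>the configured super user is granted proxy rights for all groups and all hosts unless
 *       either is configured explicitly, see {@link #getProxyuserConfiguration};</li>
 *   <li>without a JAAS login configuration the ZooKeeper connection is opened unauthenticated,
 *       see {@link #getCuratorClient}.</li>
 * </ul>
 */
public class SolrHadoopAuthenticationFilter extends DelegationTokenAuthenticationFilter {
    /** Prefix of the system properties copied (prefix stripped) into the handler configuration. */
    public static final String SOLR_PREFIX = "solr.authentication.";
    /** Prefix of the system properties copied into the proxy-user configuration. */
    public static final String SOLR_PROXYUSER_PREFIX = "solr.security.proxyuser.";
    // Not read or written by any method of this class.
    private boolean skipAuthFilter = false;
    /** Plain servlet used only to answer OPTIONS requests; created in {@link #init}. */
    private HttpServlet optionsServlet;
    /** Curator client created by {@link #getCuratorClient}; closed in {@link #destroy}. */
    private CuratorFramework curatorFramework;
    /** ZooKeeper connect string including the chroot, or {@code null} when ZooKeeper is not used. */
    private String zkHost;
    // Reference to the superclass' private "signer", obtained reflectively in init() and used by
    // getToken() to verify the auth cookie.
    // NOTE(review): package-private and non-final, so any class in org.apache.solr.servlet can read
    // or replace the object that validates authentication cookies; narrow the visibility if no
    // same-package code depends on it.
    Signer signerCopy;
    /** Request attribute carrying {@code getRemoteUser()} of the authenticated request. */
    public static final String USER_NAME = "solr.user.name";
    /** Request attribute carrying the short name of the real user behind a proxy request. */
    public static final String DO_AS_USER_NAME = "solr.do.as.user.name";
    public static final String DO_AS_PARAM = "doAs";
    /** Token kind written into the handler configuration for delegation tokens. */
    public static final String TOKEN_KIND = "solr-dt";
    private static final Logger LOG = LoggerFactory.getLogger(SolrHadoopAuthenticationFilter.class);
    // Super user name, overridable with -Dsolr.authorization.superuser. The default is shown as
    // ZkContainer.DEFAULT_HOST_CONTEXT because the decompiler matched the literal to that constant;
    // its value is not visible in this file.
    private static String superUser = System.getProperty("solr.authorization.superuser", ZkContainer.DEFAULT_HOST_CONTEXT);

    /**
     * A {@link SolrZkClient} that is never connected; it exists only so the ACL and credentials
     * providers configured for Solr can be obtained through the client's factory methods.
     *
     * <p>The decompiler reports that the original access modifier of this class was private.
     */
    public static class SecureProviderSolrZkClient extends SolrZkClient {
        private SecureProviderSolrZkClient() {
        }

        /** Returns a provider freshly created by {@code createZkACLProvider()} on every call. */
        @Override
        public ZkACLProvider getZkACLProvider() {
            return createZkACLProvider();
        }

        /** Returns the provider created by {@code createZkCredentialsToAddAutomatically()}. */
        public ZkCredentialsProvider getZkCredentialsProvider() {
            return createZkCredentialsToAddAutomatically();
        }
    }

    /**
     * Adapts Solr's ZooKeeper ACL and credentials providers to the types Curator expects.
     *
     * <p>The decompiler reports that the original access modifier of this class was protected.
     */
    public static class SolrZkToCuratorCredentialsACLs {
        private final ACLProvider aclProvider;
        // Holds the ZooKeeper scheme/auth pairs, i.e. credential material, for the filter's lifetime.
        private final List<AuthInfo> authInfos;

        public SolrZkToCuratorCredentialsACLs() {
            SecureProviderSolrZkClient secureProviderSolrZkClient = new SecureProviderSolrZkClient();
            // The result of this call is discarded; it is kept because creating the provider may
            // have side effects that are not visible from this file.
            secureProviderSolrZkClient.getZkACLProvider();
            this.aclProvider = createACLProvider(secureProviderSolrZkClient);
            this.authInfos = createAuthInfo(secureProviderSolrZkClient);
        }

        /** Returns the Curator ACL provider backed by Solr's {@link ZkACLProvider}. */
        public ACLProvider getACLProvider() {
            return this.aclProvider;
        }

        /**
         * Returns the credentials to register with Curator.
         *
         * <p>This is the internal list itself, not a copy; callers should treat it as read-only.
         */
        public List<AuthInfo> getAuthInfos() {
            return this.authInfos;
        }

        private ACLProvider createACLProvider(SecureProviderSolrZkClient secureProviderSolrZkClient) {
            final ZkACLProvider zkACLProvider = secureProviderSolrZkClient.getZkACLProvider();
            return new ACLProvider() {
                @Override
                public List<ACL> getDefaultAcl() {
                    // A null path asks the Solr provider for its path-independent ACLs.
                    return zkACLProvider.getACLsToAdd(null);
                }

                @Override
                public List<ACL> getAclForPath(String str) {
                    return zkACLProvider.getACLsToAdd(str);
                }
            };
        }

        private List<AuthInfo> createAuthInfo(SecureProviderSolrZkClient secureProviderSolrZkClient) {
            // Typed list instead of the raw LinkedList, so the compiler checks what is stored.
            List<AuthInfo> result = new LinkedList<AuthInfo>();
            for (ZkCredentialsProvider.ZkCredentials zkCredentials : secureProviderSolrZkClient.getZkCredentialsProvider().getCredentials()) {
                result.add(new AuthInfo(zkCredentials.getScheme(), zkCredentials.getAuth()));
            }
            return result;
        }
    }

    /**
     * Initialises the filter.
     *
     * <p>With a non-null {@code filterConfig} the ZooKeeper host is read from the Solr configuration,
     * a Curator client is published to the servlet context when ZooKeeper is enabled, and the
     * superclass is initialised. With a {@code null} config only the {@code zkHost} system property
     * is read and the superclass is NOT initialised.
     *
     * @param filterConfig the servlet filter configuration, may be {@code null}
     * @throws ServletException if the superclass or the Curator client cannot be set up
     * @throws IllegalStateException if the superclass' signer field cannot be accessed
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String kerberosEnabled = System.getProperty(HdfsDirectoryFactory.KERBEROS_ENABLED);
        if (kerberosEnabled != null && StrUtils.parseBoolean(kerberosEnabled)) {
            // JVM-wide side effect: switches Hadoop's UserGroupInformation to Kerberos.
            Configuration conf = getConf();
            conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
            UserGroupInformation.setConfiguration(conf);
        }
        if (filterConfig != null) {
            ConfigSolr loadConfigSolr = SolrDispatchFilter.loadConfigSolr(new SolrResourceLoader(SolrResourceLoader.locateSolrHome()));
            this.zkHost = loadConfigSolr.getZkHost();
            if (isZkEnabled()) {
                // Must happen before super.init() so the ZooKeeper signer secret provider can find
                // the client in the servlet context. 30000 is the connection timeout in ms.
                filterConfig.getServletContext().setAttribute(ZKSignerSecretProvider.ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE, getCuratorClient(30000, loadConfigSolr.getZkClientTimeout()));
            }
            super.init(filterConfig);
        } else {
            this.zkHost = System.getProperty("zkHost");
        }
        // An HttpServlet without overrides: only its inherited OPTIONS handling is used.
        this.optionsServlet = new HttpServlet() {
        };
        this.optionsServlet.init();
        // Global side effect on the shared default request parser.
        SolrRequestParsers.DEFAULT.setAddRequestHeadersToContext(true);
        try {
            // Reflective read (forceAccess = true) of a field named "signer" that is not declared in
            // this class. This is tied to that private name and breaks if the superclass renames it.
            // NOTE(review): on the filterConfig == null path super.init() was skipped, so the value
            // read here is presumably null and getToken() would fail on it - confirm.
            this.signerCopy = (Signer) FieldUtils.readField((Object) this, "signer", true);
        } catch (IllegalAccessException e) {
            throw new IllegalStateException("Initialization failed due to " + e.getLocalizedMessage(), e);
        }
    }

    /**
     * Releases the OPTIONS servlet, the Curator client and the signer reference, then destroys the
     * superclass. Safe to call when {@link #init} never completed.
     */
    @Override
    public void destroy() {
        // Guarded: the original dereferenced optionsServlet unconditionally and threw a
        // NullPointerException (skipping the cleanup below) when init() had failed early.
        if (this.optionsServlet != null) {
            this.optionsServlet.destroy();
        }
        this.optionsServlet = null;
        if (this.curatorFramework != null) {
            this.curatorFramework.close();
        }
        this.curatorFramework = null;
        this.signerCopy = null;
        super.destroy();
    }

    /**
     * Builds the proxy-user (impersonation) configuration from system properties.
     *
     * <p>Each {@code solr.security.proxyuser.X} property becomes {@code proxyuser.X}. If neither
     * {@code proxyuser.<superUser>.groups} nor {@code proxyuser.<superUser>.hosts} was supplied,
     * both are set to {@code "*"}: the super user may then act on behalf of users of any group from
     * any host. Set {@code solr.security.proxyuser.<superUser>.groups} and {@code .hosts}
     * explicitly to narrow that grant. If only one of the two is supplied, the other is left unset
     * and a warning is logged.
     *
     * @param filterConfig unused
     * @return a new configuration holding only the proxy-user entries
     */
    @Override
    protected Configuration getProxyuserConfiguration(FilterConfig filterConfig) throws ServletException {
        Configuration configuration = new Configuration(false);
        Enumeration<?> propertyNames = System.getProperties().propertyNames();
        while (propertyNames.hasMoreElements()) {
            String name = propertyNames.nextElement().toString();
            if (name.startsWith(SOLR_PROXYUSER_PREFIX)) {
                configuration.set("proxyuser." + name.substring(SOLR_PROXYUSER_PREFIX.length()), System.getProperty(name));
            }
        }
        String groupsKey = "proxyuser." + superUser + ".groups";
        String hostsKey = "proxyuser." + superUser + ".hosts";
        if (configuration.get(groupsKey) == null && configuration.get(hostsKey) == null) {
            // Implicit wildcard grant for the super user; see the method documentation.
            configuration.set(groupsKey, "*");
            configuration.set(hostsKey, "*");
        } else {
            LOG.warn("Not automatically granting proxy privileges to superUser: " + superUser + " because user groups or user hosts already set for superUser");
        }
        return configuration;
    }

    /**
     * Returns the index of the first {@code '/'} in a ZooKeeper connect string.
     *
     * @throws IllegalArgumentException if the string contains no chroot
     */
    private static int chrootIndex(String zkHost) {
        int slash = zkHost.indexOf('/');
        if (slash < 0) {
            // The original passed -1 straight to substring() and failed with an unexplained
            // StringIndexOutOfBoundsException. A connect string without a chroot has never worked
            // here, so the failure is kept but made explicit.
            throw new IllegalArgumentException("zkHost '" + zkHost + "' has no chroot; expected host:port[,host:port...]/chroot");
        }
        return slash;
    }

    /** Removes one leading {@code '/'} if present. */
    private static String stripLeadingSlash(String path) {
        return path.startsWith("/") ? path.substring(1) : path;
    }

    /**
     * Returns the chroot part of {@code zkHost} (from the first {@code '/'} on), or {@code "/solr"}
     * when no ZooKeeper host is configured.
     *
     * @throws IllegalArgumentException if {@code zkHost} is set but contains no chroot
     */
    private String getZkChroot() {
        if (this.zkHost == null) {
            return "/solr";
        }
        return this.zkHost.substring(chrootIndex(this.zkHost));
    }

    /**
     * Sets {@code str} to the default {@code str2} unless the property is already present; an
     * existing value that differs from the default is kept and logged at debug level.
     *
     * @param properties the configuration being assembled
     * @param str the property name
     * @param str2 the default value
     */
    protected void setDefaultDelegationTokenProp(Properties properties, String str, String str2) {
        String current = properties.getProperty(str);
        if (current == null) {
            properties.setProperty(str, str2);
            return;
        }
        if (!str2.equals(current)) {
            // Parameterised so the message is only built when debug logging is enabled.
            LOG.debug("Default delegation token configuration overriden.  Default: {} Actual: {}", str2, current);
        }
    }

    /**
     * Creates, starts and remembers a Curator client for the configured ZooKeeper ensemble.
     *
     * <p>The chroot (without its leading slash) becomes the Curator namespace; the part of
     * {@code zkHost} before the chroot, or {@code localhost:2181} when {@code zkHost} is null, is the
     * connect string. ACLs and credentials are taken from Solr's ZooKeeper providers.
     *
     * @param i connection timeout in milliseconds
     * @param i2 session timeout in milliseconds
     * @return the started client, also stored in {@code curatorFramework}
     * @throws IllegalArgumentException if {@code zkHost} is set but contains no chroot
     */
    protected CuratorFramework getCuratorClient(int i, int i2) throws ServletException {
        ExponentialBackoffRetry retryPolicy = new ExponentialBackoffRetry(1000, 3);
        String namespace = stripLeadingSlash(getZkChroot());
        String connectString = this.zkHost != null ? this.zkHost.substring(0, chrootIndex(this.zkHost)) : "localhost:2181";
        SolrZkToCuratorCredentialsACLs credentialsAndAcls = new SolrZkToCuratorCredentialsACLs();
        if (System.getProperty(Krb5HttpClientConfigurer.LOGIN_CONFIG_PROP) != null) {
            LOG.info("Connecting to ZooKeeper with SASL/Kerberos");
            // The returned client is discarded; presumably the call is made for a side effect of
            // Solr's HTTP client configuration - TODO confirm.
            HttpClientUtil.createClient(null);
        } else {
            // NOTE(review): the signer secret and delegation tokens are kept behind this connection,
            // so an unauthenticated session leaves their protection to the znode ACLs alone. Logged
            // at INFO only; consider making this more visible to operators.
            LOG.info("Connecting to ZooKeeper without authentication");
        }
        // NOTE(review): a client stored by an earlier call is overwritten here without being closed.
        this.curatorFramework = CuratorFrameworkFactory.builder()
                .namespace(namespace)
                .connectString(connectString)
                .retryPolicy(retryPolicy)
                .aclProvider(credentialsAndAcls.getACLProvider())
                .authorization(credentialsAndAcls.getAuthInfos())
                .sessionTimeoutMs(i2)
                .connectionTimeoutMs(i)
                .build();
        this.curatorFramework.start();
        return this.curatorFramework;
    }

    /**
     * Assembles the authentication handler configuration.
     *
     * <p>Starts from a cookie path of {@code "/"}, adds every {@code solr.authentication.*} system
     * property with the prefix removed, applies ZooKeeper-related defaults when a ZooKeeper host is
     * set, and maps the short handler types to delegation-token capable handler classes.
     *
     * <p>Handler selection: no {@code type} means the pseudo handler with anonymous access enabled
     * unless that setting was given explicitly; {@code simple} means the pseudo handler;
     * the Kerberos type means the Kerberos handler; any other value is passed through unchanged.
     * The first case means an installation that sets no type accepts unauthenticated requests, so
     * set {@code solr.authentication.type} explicitly wherever authentication is required.
     *
     * <p>The decompiler reports that the original access modifier of this method was protected.
     *
     * @param str configuration prefix supplied by the superclass; not used here
     * @param filterConfig not used here
     * @return the handler configuration
     */
    @Override
    public Properties getConfiguration(String str, FilterConfig filterConfig) {
        Properties properties = new Properties();
        properties.setProperty(AuthenticationFilter.COOKIE_PATH, "/");
        for (String name : System.getProperties().stringPropertyNames()) {
            if (name.startsWith(SOLR_PREFIX)) {
                properties.setProperty(name.substring(SOLR_PREFIX.length()), System.getProperty(name));
            }
        }
        if (isZkEnabled()) {
            // Defaults only: values supplied through system properties above take precedence.
            setDefaultDelegationTokenProp(properties, AuthenticationFilter.AUTH_TOKEN_VALIDITY, "36000");
            setDefaultDelegationTokenProp(properties, AuthenticationFilter.SIGNER_SECRET_PROVIDER, "zookeeper");
            setDefaultDelegationTokenProp(properties, DelegationTokenManager.ENABLE_ZK_KEY, "true");
            setDefaultDelegationTokenProp(properties, ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH, stripLeadingSlash(getZkChroot()) + "/zkdtsm");
            setDefaultDelegationTokenProp(properties, ZKSignerSecretProvider.ZOOKEEPER_PATH, "/token");
        } else {
            LOG.info("zkHost is null, not setting ZK-related delegation token properties");
        }
        String type = properties.getProperty("type");
        if (type == null) {
            // Insecure default: user-name only authentication with anonymous requests allowed.
            properties.setProperty("type", PseudoDelegationTokenAuthenticationHandler.class.getName());
            if (properties.getProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED) == null) {
                properties.setProperty(PseudoAuthenticationHandler.ANONYMOUS_ALLOWED, "true");
            }
        } else if (type.equals("simple")) {
            properties.setProperty("type", PseudoDelegationTokenAuthenticationHandler.class.getName());
        } else if (type.equals(KerberosAuthenticationHandler.TYPE)) {
            properties.setProperty("type", KerberosDelegationTokenAuthenticationHandler.class.getName());
        }
        properties.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, TOKEN_KIND);
        return properties;
    }

    /**
     * Runs the superclass' authentication and, for requests it passes on, records the caller's
     * identity in request attributes before continuing down the chain.
     *
     * <p>OPTIONS requests are answered by the internal servlet and never reach the rest of the
     * chain. For all other requests {@link #USER_NAME} is set to the remote user, and for proxy
     * requests {@link #DO_AS_USER_NAME} is set to the short name of the real (proxying) user.
     * NOTE(review): the wrapped chain runs only when {@code super.doFilter} decides to invoke it,
     * presumably after successful authentication - confirm for the Hadoop version in use.
     */
    @Override
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        super.doFilter(servletRequest, servletResponse, new FilterChain() {
            @Override
            public void doFilter(ServletRequest servletRequest2, ServletResponse servletResponse2) throws IOException, ServletException {
                HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest2;
                if (httpServletRequest.getMethod().equals(HttpOptions.METHOD_NAME)) {
                    // Uses the request/response originally given to the filter, not the pair handed
                    // to this chain by the superclass.
                    SolrHadoopAuthenticationFilter.this.optionsServlet.service(servletRequest, servletResponse);
                    return;
                }
                httpServletRequest.setAttribute(SolrHadoopAuthenticationFilter.USER_NAME, httpServletRequest.getRemoteUser());
                UserGroupInformation ugi = HttpUserGroupInformation.get();
                if (ugi != null && ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY) {
                    UserGroupInformation realUser = ugi.getRealUser();
                    if (realUser != null) {
                        httpServletRequest.setAttribute(SolrHadoopAuthenticationFilter.DO_AS_USER_NAME, realUser.getShortUserName());
                    }
                }
                filterChain.doFilter(servletRequest2, servletResponse2);
            }
        });
    }

    /**
     * Extracts and validates the authentication token from the request's auth cookie.
     *
     * <p>Only the first cookie named {@code AuthenticatedURL.AUTH_COOKIE} is considered. Its value
     * must pass the signer's verification before it is parsed; the parsed token must then carry one
     * of the types accepted by the configured handler (compared case-insensitively) and must not be
     * expired.
     *
     * @param httpServletRequest the incoming request
     * @return the validated token, or {@code null} when the request carries no auth cookie
     * @throws AuthenticationException if the signature check fails, the token type is not accepted,
     *     or the token has expired
     */
    @Override
    protected AuthenticationToken getToken(HttpServletRequest httpServletRequest) throws IOException, AuthenticationException {
        String verifiedTokenStr = null;
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
                    try {
                        // The cookie value is attacker-controlled; nothing is parsed from it until
                        // the signature has been verified.
                        verifiedTokenStr = this.signerCopy.verifyAndExtract(cookie.getValue());
                    } catch (SignerException e) {
                        throw new AuthenticationException(e);
                    }
                    break;
                }
            }
        }
        if (verifiedTokenStr == null) {
            return null;
        }
        AuthenticationToken authenticationToken = AuthenticationToken.parse(verifiedTokenStr);
        Collection<String> types = AuthenticationHandlerUtil.getTypes(getAuthenticationHandler());
        boolean typeAccepted = false;
        for (String acceptedType : types) {
            if (acceptedType.equalsIgnoreCase(authenticationToken.getType())) {
                typeAccepted = true;
                break;
            }
        }
        if (!typeAccepted) {
            throw new AuthenticationException("Invalid AuthenticationToken type " + authenticationToken.getType() + " : expected one of " + types);
        }
        if (authenticationToken.isExpired()) {
            throw new AuthenticationException("AuthenticationToken expired");
        }
        return authenticationToken;
    }

    /** Creates a Hadoop configuration with the HDFS resources from the configured directory added. */
    private Configuration getConf() {
        Configuration configuration = new Configuration();
        HdfsUtil.addHdfsResources(configuration, System.getProperty(HdfsDirectoryFactory.CONFIG_DIRECTORY));
        return configuration;
    }

    /** Returns whether a ZooKeeper host has been configured. */
    private boolean isZkEnabled() {
        return this.zkHost != null;
    }
}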
