package org.apache.solr.servlet;

import java.io.IOException;
import java.net.InetAddress;
import java.security.AccessControlException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.util.StringUtils;
import org.apache.log4j.spi.LocationInfo;
import org.apache.solr.core.ZkContainer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/solr-core-4.4.0-cdh5.1.0.jar:org/apache/solr/servlet/ProxyUserFilter.class */
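/**
 * Servlet filter that authorizes user impersonation ("proxy user") requests.
 *
 * <p>When a request carries a {@code doAs} query parameter naming a user other than the
 * authenticated one, the filter checks that the authenticated user is configured as a proxy
 * user, that the requesting host is in that proxy user's host list, and that the
 * impersonated user belongs to one of the proxy user's allowed groups. Only then is the
 * request's user-name attribute replaced with the {@code doAs} user.
 *
 * <p>Configuration is read from system properties of the form
 * {@code solr.security.proxyuser.<user>.hosts} and {@code solr.security.proxyuser.<user>.groups}.
 * A value of {@code *} is stored as a {@code null} set, and a {@code null} set means
 * "no restriction" in the corresponding check.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The configured superuser is granted unrestricted proxy rights (any host, any group)
 *       unless it has explicit proxyuser settings; see {@link #init(FilterConfig)}.</li>
 *   <li>Host authorization compares canonical host names obtained through
 *       {@link InetAddress}, so the decision depends on name resolution being trustworthy.</li>
 * </ul>
 */
public class ProxyUserFilter implements Filter {
    public static final String CONF_PREFIX = "solr.security.proxyuser.";
    public static final String GROUPS = ".groups";
    public static final String HOSTS = ".hosts";
    public static final String DO_AS_PARAM = "doAs";
    private static final Logger LOG = LoggerFactory.getLogger(ProxyUserFilter.class);
    // NOTE(review): the default is taken from ZkContainer.DEFAULT_HOST_CONTEXT, which looks like a
    // decompiler constant substitution for a string literal -- confirm the effective default value.
    private static final String superUser = System.getProperty("solr.authorization.superuser", ZkContainer.DEFAULT_HOST_CONTEXT);
    // proxy user -> allowed requesting hosts (canonical names); null value = any host
    private final Map<String, Set<String>> proxyUserHosts = new HashMap<String, Set<String>>();
    // proxy user -> groups whose members may be impersonated; null value = any group
    private final Map<String, Set<String>> proxyUserGroups = new HashMap<String, Set<String>>();
    private Groups hGroups;

    /**
     * Loads the proxy-user configuration from system properties.
     *
     * <p>Every {@code .groups} property must have a matching {@code .hosts} property and vice
     * versa. Host entries are resolved to canonical host names at load time.
     *
     * @param filterConfig unused
     * @throws ServletException if one half of a hosts/groups pair is missing, or a configured
     *     host cannot be normalized
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        Enumeration<?> propertyNames = System.getProperties().propertyNames();
        while (propertyNames.hasMoreElements()) {
            String propertyName = propertyNames.nextElement().toString();
            if (!propertyName.startsWith(CONF_PREFIX)) {
                continue;
            }
            if (propertyName.endsWith(GROUPS)) {
                String base = propertyName.substring(0, propertyName.lastIndexOf(GROUPS));
                if (System.getProperty(base + HOSTS) == null) {
                    throw new ServletException("Missing system property: " + base + HOSTS);
                }
                String proxyUser = base.substring(CONF_PREFIX.length());
                String value = System.getProperty(propertyName).trim();
                LOG.info("Loading proxyuser settings [{}]=[{}]", propertyName, value);
                // Individual entries are not trimmed; "a, b" yields the group name " b".
                Set<String> groups = value.equals("*")
                        ? null
                        : new HashSet<String>(Arrays.asList(value.split(StringUtils.COMMA_STR)));
                this.proxyUserGroups.put(proxyUser, groups);
            }
            if (propertyName.endsWith(HOSTS)) {
                String base = propertyName.substring(0, propertyName.lastIndexOf(HOSTS));
                if (System.getProperty(base + GROUPS) == null) {
                    throw new ServletException("Missing system property: " + base + GROUPS);
                }
                String proxyUser = base.substring(CONF_PREFIX.length());
                String value = System.getProperty(propertyName).trim();
                LOG.info("Loading proxyuser settings [{}]=[{}]", propertyName, value);
                Set<String> hosts = null;
                if (!value.equals("*")) {
                    String[] entries = value.split(StringUtils.COMMA_STR);
                    for (int i = 0; i < entries.length; i++) {
                        String original = entries[i];
                        try {
                            entries[i] = normalizeHostname(original);
                            LOG.info("  Hostname, original [{}], normalized [{}]", original, entries[i]);
                        } catch (Exception e) {
                            throw new ServletException("Could not normalize hostname", e);
                        }
                    }
                    hosts = new HashSet<String>(Arrays.asList(entries));
                }
                this.proxyUserHosts.put(proxyUser, hosts);
            }
        }
        // Without explicit settings the superuser receives wildcard (null) host and group sets,
        // i.e. it may impersonate any user from any host. Operators who want to constrain it
        // must define its .hosts/.groups properties.
        if (this.proxyUserGroups.containsKey(superUser) || this.proxyUserHosts.containsKey(superUser)) {
            LOG.warn("Not automatically granting proxy privileges to superUser: {} because user groups or user hosts already set for superUser", superUser);
        } else {
            this.proxyUserGroups.put(superUser, null);
            this.proxyUserHosts.put(superUser, null);
        }
        this.hGroups = new Groups(new Configuration());
    }

    /**
     * Checks whether a proxy user may impersonate another user from a given host.
     *
     * @param str the authenticated (proxy) user name
     * @param str2 the host the request originates from
     * @param str3 the user to impersonate ({@code doAs})
     * @throws IllegalArgumentException if any argument is null or empty
     * @throws AccessControlException if the proxy user is not configured, the host is not
     *     allowed, the host cannot be resolved, or the impersonated user is in none of the
     *     allowed groups
     * @throws IOException declared by the host and group checks
     */
    public void validate(String str, String str2, String str3) throws IOException, AccessControlException {
        checkNotEmpty(str, "proxyUser", "If you're attempting to use user-impersonation via a proxy user, please make sure that solr.security.proxyuser.#USER#.hosts and solr.security.proxyuser.#USER#.groups are configured correctly");
        checkNotEmpty(str2, "proxyHost", "If you're attempting to use user-impersonation via a proxy user, please make sure that solr.security.proxyuser." + str + ".hosts and " + CONF_PREFIX + str + ".groups are configured correctly");
        checkNotEmpty(str3, "doAsUser");
        LOG.debug("Authorization check proxyuser [{}] host [{}] doAs [{}]", str, str2, str3);
        // Membership in the hosts map is what defines a proxy user; users absent from it are denied.
        if (!this.proxyUserHosts.containsKey(str)) {
            throw new AccessControlException(MessageFormat.format("User [{0}] not defined as proxyuser", str));
        }
        validateRequestorHost(str, normalizeHostname(str2), this.proxyUserHosts.get(str));
        validateGroup(str, str3, this.proxyUserGroups.get(str));
    }

    /**
     * Denies the request unless the host is in the allowed set. A {@code null} set allows any host.
     *
     * <p>The comparison uses canonical names produced by DNS lookups, so it is only as reliable
     * as the resolver the JVM uses.
     */
    private void validateRequestorHost(String proxyUser, String host, Set<String> allowedHosts) throws IOException, AccessControlException {
        if (allowedHosts != null && !allowedHosts.contains(host) && !allowedHosts.contains(normalizeHostname(host))) {
            // MessageFormat arguments are zero-based; the previous {1}/{2} placeholders dropped
            // the host and left a literal "{2}" in the denial message.
            throw new AccessControlException(MessageFormat.format("Unauthorized host [{0}] for proxyuser [{1}]", host, proxyUser));
        }
    }

    /**
     * Denies the request unless the impersonated user belongs to at least one allowed group.
     * A {@code null} set allows any user.
     */
    private void validateGroup(String proxyUser, String doAsUser, Set<String> allowedGroups) throws IOException, AccessControlException {
        if (allowedGroups == null) {
            return;
        }
        List<String> userGroups = this.hGroups.getGroups(doAsUser);
        for (String allowedGroup : allowedGroups) {
            if (userGroups.contains(allowedGroup)) {
                return;
            }
        }
        // Zero-based placeholders so both names appear in the denial message.
        throw new AccessControlException(MessageFormat.format("Unauthorized proxyuser [{0}] for user [{1}], not in proxyuser groups", proxyUser, doAsUser));
    }

    /**
     * Resolves a host name or address to its canonical host name.
     *
     * @throws AccessControlException if the lookup fails
     */
    private String normalizeHostname(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (IOException e) {
            // Zero-based placeholders so the host and the cause appear in the message.
            throw new AccessControlException(MessageFormat.format("Could not resolve host [{0}], {1}", host, e.getMessage()));
        }
    }

    /** Same as {@link #checkNotEmpty(String, String, String)} with no extra hint. */
    private String checkNotEmpty(String value, String name) {
        return checkNotEmpty(value, name, null);
    }

    /**
     * Returns {@code value} if it is neither null nor empty.
     *
     * @param value the string to check
     * @param name the logical parameter name used in the error message
     * @param hint optional text appended to the error message, may be null
     * @throws IllegalArgumentException if {@code value} is null or empty
     */
    private String checkNotEmpty(String value, String name, String hint) {
        String suffix = hint == null ? "" : ", " + hint;
        if (value == null) {
            throw new IllegalArgumentException(name + " cannot be null" + suffix);
        }
        if (value.length() == 0) {
            throw new IllegalArgumentException(name + " cannot be empty" + suffix);
        }
        return value;
    }

    /**
     * Rebuilds the request URL including its query string, for logging.
     *
     * <p>The query string is appended verbatim; anything a client puts there ends up in the
     * debug log line written by {@link #doFilter}.
     */
    private String getRequestUrl(HttpServletRequest httpServletRequest) {
        StringBuffer url = httpServletRequest.getRequestURL();
        String query = httpServletRequest.getQueryString();
        if (query != null) {
            // NOTE(review): LocationInfo.NA is presumably the decompiler's substitution for the
            // literal "?" -- confirm.
            url.append(LocationInfo.NA).append(query);
        }
        return url.toString();
    }

    @Override
    public void destroy() {
    }

    /**
     * Applies the impersonation check and, on success, switches the request's user-name
     * attribute to the {@code doAs} user before continuing the chain.
     *
     * <p>Only the URL query string is inspected for {@code doAs}. Requests without the
     * parameter, or whose {@code doAs} equals the authenticated user, pass through unchanged.
     * The unchecked exceptions raised by {@link #validate} propagate out of this method; how
     * they are mapped to an HTTP response is not decided here.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        String authenticatedUser = (String) servletRequest.getAttribute(SolrHadoopAuthenticationFilter.USER_NAME);
        String doAsUser = SolrRequestParsers.parseQueryString(httpRequest.getQueryString()).get(DO_AS_PARAM);
        if (doAsUser != null && !doAsUser.equals(authenticatedUser)) {
            validate(authenticatedUser, HostnameFilter.get(), doAsUser);
            LOG.debug("Proxy user [{}] DoAs user [{}] Request [{}]", authenticatedUser, doAsUser, getRequestUrl(httpRequest));
            servletRequest.setAttribute(SolrHadoopAuthenticationFilter.USER_NAME, doAsUser);
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }
}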
