package org.apache.knox.gateway.identityasserter.common.filter;

import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.knox.gateway.IdentityAsserterMessages;
import org.apache.knox.gateway.audit.api.AuditContext;
import org.apache.knox.gateway.audit.api.AuditService;
import org.apache.knox.gateway.audit.api.AuditServiceFactory;
import org.apache.knox.gateway.audit.api.Auditor;
import org.apache.knox.gateway.filter.security.AbstractIdentityAssertionBase;
import org.apache.knox.gateway.i18n.GatewaySpiResources;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.i18n.resources.ResourcesFactory;
import org.apache.knox.gateway.security.GroupPrincipal;
import org.apache.knox.gateway.security.ImpersonatedPrincipal;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.knox.gateway.security.SubjectUtils;

/* loaded from: input_file:org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.class */
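/**
 * Base servlet filter for identity assertion: it continues the filter chain under a
 * {@link Subject} that carries the primary principal, the current group principals and,
 * where the mapped name differs from the authenticated one, an {@link ImpersonatedPrincipal}.
 *
 * <p>Identity-mapping decisions taken here are written to the audit log through the shared
 * {@link Auditor}. This source is decompiler output (JADX), so parameter names such as
 * {@code str} and {@code strArr} are synthetic; they are kept unchanged.
 */
public abstract class AbstractIdentityAssertionFilter extends AbstractIdentityAssertionBase implements Filter {
    // Instance field despite the constant-style name; the name is kept as found.
    private final IdentityAsserterMessages LOG = (IdentityAsserterMessages) MessagesFactory.get(IdentityAsserterMessages.class);
    private static final GatewaySpiResources RES = (GatewaySpiResources) ResourcesFactory.get(GatewaySpiResources.class);
    private static final AuditService auditService = AuditServiceFactory.getAuditService();
    private static final Auditor auditor = auditService.getAuditor("audit", "knox", "knox");

    /**
     * Maps group principals for a principal name.
     *
     * <p>NOTE(review): presumably {@code str} is the mapped principal name and the result is
     * what callers pass as the group array to {@link #continueChainAsPrincipal}; confirm
     * against the concrete subclasses, which are not visible here.
     *
     * @param str principal name (synthetic decompiler name)
     * @param subject subject made available to the mapping
     * @return group names; this class treats a {@code null} array as "no mapped groups"
     */
    public abstract String[] mapGroupPrincipals(String str, Subject subject);

    /**
     * Maps a principal name.
     *
     * <p>NOTE(review): presumably returns the effective user name asserted downstream;
     * confirm against the concrete subclasses.
     *
     * @param str principal name to map (synthetic decompiler name)
     * @return the mapped principal name
     */
    public abstract String mapUserPrincipal(String str);

    /**
     * Continues the filter chain, establishing a new {@link Subject} when the mapped principal
     * differs from the authenticated one or when group principals have to be carried along.
     *
     * <p>The decompiler reports that this method's access modifier was changed from
     * {@code protected}; it is left {@code public} so existing callers of this source keep
     * compiling.
     *
     * @param httpServletRequestWrapper request; its user principal is the fallback identity
     *     when the current subject has no primary principal name
     * @param servletResponse response handed to the chain
     * @param filterChain chain to continue
     * @param str mapped principal name; recorded as the proxy user and added as an
     *     {@link ImpersonatedPrincipal} when it differs from the primary principal name
     * @param strArr mapped group names, or {@code null} when no groups were mapped
     * @throws IOException if the downstream chain fails with an I/O error
     * @throws ServletException if the downstream chain fails otherwise
     * @throws IllegalStateException if no subject is bound to the current access-control
     *     context, or if neither the subject nor the request provides a principal
     */
    public void continueChainAsPrincipal(HttpServletRequestWrapper httpServletRequestWrapper, ServletResponse servletResponse, FilterChain filterChain, String str, String[] strArr) throws IOException, ServletException {
        Subject currentSubject = Subject.getSubject(AccessController.getContext());
        if (currentSubject == null) {
            this.LOG.subjectNotAvailable();
            throw new IllegalStateException("Required Subject Missing");
        }

        boolean impersonationNeeded = false;
        String primaryPrincipalName = SubjectUtils.getPrimaryPrincipalName(currentSubject);
        if (primaryPrincipalName == null) {
            // Fail closed with an explicit error instead of a NullPointerException when the
            // request carries no authenticated principal either.
            Principal requestPrincipal = httpServletRequestWrapper.getUserPrincipal();
            if (requestPrincipal == null) {
                throw new IllegalStateException("Required Principal Missing");
            }
            // NOTE(review): on this fallback path the mapped name is never compared with the
            // request principal, so no ImpersonatedPrincipal is added and no identity-mapping
            // audit event is written even when the two differ. Confirm this is intended.
            primaryPrincipalName = requestPrincipal.getName();
        } else if (!primaryPrincipalName.equals(str)) {
            impersonationNeeded = true;
            // Record the effective (proxy) user on the audit context before auditing the mapping.
            AuditContext context = auditService.getContext();
            context.setProxyUsername(str);
            auditService.attachContext(context);
            auditor.audit("identity-mapping", primaryPrincipalName, "principal", "success", RES.effectiveUser(str));
        }

        Set<?> currentGroups = SubjectUtils.getGroupPrincipals(currentSubject);
        boolean groupsMapped = strArr != null || !currentGroups.isEmpty();
        if (!impersonationNeeded && !groupsMapped) {
            // Nothing to assert: continue under the subject that is already in effect.
            doFilterInternal(httpServletRequestWrapper, servletResponse, filterChain);
            return;
        }

        // Build a fresh subject rather than mutating the current one.
        Subject assertedSubject = new Subject();
        Set<Principal> principals = assertedSubject.getPrincipals();
        principals.add(new PrimaryPrincipal(primaryPrincipalName));
        for (Object group : currentGroups) {
            principals.add((Principal) group);
        }
        if (impersonationNeeded) {
            principals.add(new ImpersonatedPrincipal(str));
        }
        if (groupsMapped) {
            addMappedGroupsToSubject(str, strArr, assertedSubject);
        }
        doAs(httpServletRequestWrapper, servletResponse, filterChain, assertedSubject);
    }

    /**
     * Runs the rest of the chain as {@code subject} and unwraps checked failures.
     *
     * @throws IOException if the chain threw an {@link IOException}
     * @throws ServletException if the chain threw a {@link ServletException}, or any other
     *     checked exception, which is wrapped
     */
    private void doAs(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain, Subject subject) throws IOException, ServletException {
        try {
            Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    AbstractIdentityAssertionFilter.this.doFilterInternal(servletRequest, servletResponse, filterChain);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // getCause() is typed Throwable; the decompiled declaration as ServletException
            // did not compile. Rethrow the original checked exception where the signature allows.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        }
    }

    /**
     * Audits the mapped groups and adds each one to {@code subject} as a {@link GroupPrincipal}.
     * Does nothing when {@code strArr} is {@code null}.
     */
    private void addMappedGroupsToSubject(String str, String[] strArr, Subject subject) {
        if (strArr == null) {
            return;
        }
        auditor.audit("identity-mapping", str, "principal", "success", RES.groupsList(Arrays.toString(strArr)));
        Set<Principal> principals = subject.getPrincipals();
        for (String groupName : strArr) {
            principals.add(new GroupPrincipal(groupName));
        }
    }

    /**
     * Hands the request to the next element of the filter chain.
     *
     * <p>The decompiler reports that this method's access modifier was changed from
     * {@code private}; it is left {@code public} to keep this source's interface unchanged.
     */
    public void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        filterChain.doFilter(servletRequest, servletResponse);
    }
}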
