package org.apache.knox.gateway.util;

import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.DefaultImpersonationProvider;
import org.apache.hadoop.security.authorize.ImpersonationProvider;
import org.apache.knox.gateway.i18n.GatewaySpiMessages;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;

/* loaded from: input_file:org/apache/knox/gateway/util/AuthFilterUtils.class */
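/**
 * Static helpers for authentication filters: handling of the set of paths that are served
 * without authentication, and Hadoop proxy-user ("doAs") impersonation checks.
 *
 * <p>Impersonation rules are kept in a two-level map of {@link ImpersonationProvider}s. The outer
 * key is a topology (per the map's name); the inner key is a second caller-supplied identifier.
 * All access to that map goes through {@code refreshSuperUserGroupsLock}.
 */
public class AuthFilterUtils {
    public static final String DEFAULT_AUTH_UNAUTHENTICATED_PATHS_PARAM = "/knoxtoken/api/v1/jwks.json";
    public static final String PROXYUSER_PREFIX = "hadoop.proxyuser";
    public static final String QUERY_PARAMETER_DOAS = "doAs";
    public static final String REAL_USER_NAME_ATTRIBUTE = "real.user.name";
    private static final String PROXYUSER_PREFIX_WITH_DOT = PROXYUSER_PREFIX + ".";
    private static final GatewaySpiMessages LOG = (GatewaySpiMessages) MessagesFactory.get(GatewaySpiMessages.class);
    private static final Map<String, Map<String, ImpersonationProvider>> TOPOLOGY_IMPERSONATION_PROVIDERS = new ConcurrentHashMap<>();
    private static final Lock refreshSuperUserGroupsLock = new ReentrantLock();

    /**
     * Tells whether the request's path info is one of the configured unauthenticated paths.
     *
     * <p>The comparison is an exact, case-sensitive {@link Set#contains} lookup on
     * {@link HttpServletRequest#getPathInfo()}; there is no prefix or pattern matching, so any
     * variant of a listed path does not match.
     *
     * @param set paths that may be served without authentication
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @return {@code true} if the path info is contained in {@code set}
     */
    public static boolean doesRequestContainUnauthPath(Set<String> set, ServletRequest servletRequest) {
        return set.contains(((HttpServletRequest) servletRequest).getPathInfo());
    }

    /**
     * Splits {@code str} on {@code ';'} and {@code ','} and adds every token to {@code set}.
     *
     * <p>Tokens are stored as-is: surrounding whitespace is not trimmed, so {@code "/a, /b"}
     * stores {@code " /b"}, which will not equal a request path. A {@code null} string adds
     * nothing.
     *
     * @param set destination set
     * @param str delimited list of entries, may be {@code null}
     */
    public static void parseStringThenAdd(Set<String> set, String str) {
        if (str == null) {
            return;
        }
        StringTokenizer tokens = new StringTokenizer(str, ";,");
        while (tokens.hasMoreTokens()) {
            set.add(tokens.nextToken());
        }
    }

    /**
     * Adds the entries of {@code str2} and, when it is not blank, the entries of {@code str} to
     * {@code set}. The two lists are merged; {@code str} never replaces {@code str2}.
     *
     * <p>NOTE(review): every entry added here presumably ends up exempt from authentication via
     * {@link #doesRequestContainUnauthPath}; keep both lists as small as possible.
     *
     * @param set destination set of unauthenticated paths
     * @param str optional delimited list of additional paths
     * @param str2 delimited list that is always added (presumably the defaults; confirm with callers)
     */
    public static void addUnauthPaths(Set<String> set, String str, String str2) {
        parseStringThenAdd(set, str2);
        if (!StringUtils.isBlank(str)) {
            parseStringThenAdd(set, str);
        }
    }

    /**
     * Rebuilds the impersonation provider for {@code (str, str2)} from servlet-context init
     * parameters.
     *
     * @param servletContext source of the init parameter values; must not be {@code null}
     * @param list init parameter names to consider; only names starting with
     *     {@code hadoop.proxyuser.} are used
     * @param str outer key of the provider map (topology)
     * @param str2 inner key of the provider map
     * @throws IllegalArgumentException if {@code servletContext} is {@code null}
     */
    public static void refreshSuperUserGroupsConfiguration(ServletContext servletContext, List<String> list, String str, String str2) {
        if (servletContext == null) {
            throw new IllegalArgumentException("Cannot get proxyuser configuration from NULL context");
        }
        refreshSuperUserGroupsConfiguration(servletContext, null, list, str, str2);
    }

    /**
     * Rebuilds the impersonation provider for {@code (str, str2)} from filter init parameters.
     *
     * @param filterConfig source of the init parameter values; must not be {@code null}
     * @param list init parameter names to consider; only names starting with
     *     {@code hadoop.proxyuser.} are used
     * @param str outer key of the provider map (topology)
     * @param str2 inner key of the provider map
     * @throws IllegalArgumentException if {@code filterConfig} is {@code null}
     */
    public static void refreshSuperUserGroupsConfiguration(FilterConfig filterConfig, List<String> list, String str, String str2) {
        if (filterConfig == null) {
            throw new IllegalArgumentException("Cannot get proxyuser configuration from NULL filter config");
        }
        refreshSuperUserGroupsConfiguration(null, filterConfig, list, str, str2);
    }

    /**
     * Copies the {@code hadoop.proxyuser.*} init parameters into a fresh Hadoop configuration and
     * stores a provider built from it. Exactly one of {@code servletContext} and
     * {@code filterConfig} is expected to be non-null (the public overloads guarantee this).
     */
    private static void refreshSuperUserGroupsConfiguration(ServletContext servletContext, FilterConfig filterConfig, List<String> list, String str, String str2) {
        // loadDefaults=false: only the init parameters copied below define the proxy-user rules.
        Configuration configuration = new Configuration(false);
        if (list != null) {
            for (String name : list) {
                if (name.startsWith(PROXYUSER_PREFIX_WITH_DOT)) {
                    // NOTE(review): Configuration.set is expected to reject a null value, so a listed
                    // name without a matching init parameter fails here -- confirm with callers.
                    String value = servletContext == null ? filterConfig.getInitParameter(name) : servletContext.getInitParameter(name);
                    configuration.set(name, value);
                }
            }
        }
        saveImpersonationProvider(str, str2, configuration);
    }

    /**
     * Builds a {@link DefaultImpersonationProvider} from {@code configuration} and stores it under
     * {@code (str, str2)}, replacing any provider previously stored for that pair.
     */
    private static void saveImpersonationProvider(String str, String str2, Configuration configuration) {
        refreshSuperUserGroupsLock.lock();
        try {
            ImpersonationProvider provider = new DefaultImpersonationProvider();
            provider.setConf(configuration);
            provider.init(PROXYUSER_PREFIX);
            LOG.createImpersonationProvider(str, str2, PROXYUSER_PREFIX, configuration.getPropsWithPrefix(PROXYUSER_PREFIX_WITH_DOT).toString());
            TOPOLOGY_IMPERSONATION_PROVIDERS.computeIfAbsent(str, key -> new ConcurrentHashMap<>()).put(str2, provider);
        } finally {
            // finally releases the lock on every exit path, including unchecked exceptions.
            refreshSuperUserGroupsLock.unlock();
        }
    }

    /**
     * Authorizes impersonation of {@code str} by the request's authenticated principal and returns
     * a request wrapper that reports the impersonated user.
     *
     * @param httpServletRequest the authenticated request
     * @param str name of the user to impersonate (the doAs user)
     * @param str2 outer key of the provider map (topology)
     * @param str3 inner key of the provider map
     * @return the wrapped request, or {@code null} if the principal's name is {@code null}
     * @throws AuthorizationException if the request carries no user principal, no provider is
     *     registered for {@code (str2, str3)}, or the provider rejects the impersonation
     */
    public static HttpServletRequest getProxyRequest(HttpServletRequest httpServletRequest, String str, String str2, String str3) throws AuthorizationException {
        Principal authenticated = httpServletRequest.getUserPrincipal();
        if (authenticated == null) {
            // Fail closed with the declared exception instead of a NullPointerException when the
            // request reaches this point without an authenticated principal.
            throw new AuthorizationException("Cannot authorize impersonation: request has no authenticated user principal");
        }
        return getProxyRequest(httpServletRequest, authenticated.getName(), str, str2, str3);
    }

    /**
     * Authorizes impersonation of {@code str2} by {@code str} and returns a request wrapper that
     * reports the impersonated user from {@code getRemoteUser()} and {@code getUserPrincipal()},
     * and the real user's short name from the {@code real.user.name} attribute.
     *
     * <p>{@code str} is trusted as the real user: callers must pass the name established by
     * authentication, never a value taken from request data. A {@code null} return means no
     * authorization was performed and must not be treated as an approved request.
     *
     * @param httpServletRequest the request to wrap
     * @param str name of the real (authenticated) user
     * @param str2 name of the user to impersonate (the doAs user)
     * @param str3 outer key of the provider map (topology)
     * @param str4 inner key of the provider map
     * @return the wrapped request, or {@code null} if {@code str} is {@code null}
     * @throws AuthorizationException if no provider is registered for {@code (str3, str4)} or the
     *     provider rejects the impersonation
     */
    public static HttpServletRequest getProxyRequest(HttpServletRequest httpServletRequest, String str, String str2, String str3, String str4) throws AuthorizationException {
        final UserGroupInformation remoteRequestUgi = getRemoteRequestUgi(str, str2);
        if (remoteRequestUgi == null) {
            return null;
        }
        authorizeImpersonationRequest(httpServletRequest, remoteRequestUgi, str3, str4);
        return new HttpServletRequestWrapper(httpServletRequest) {
            @Override
            public String getRemoteUser() {
                return remoteRequestUgi.getShortUserName();
            }

            @Override
            public Principal getUserPrincipal() {
                return remoteRequestUgi::getUserName;
            }

            @Override
            public Object getAttribute(String str5) {
                if (AuthFilterUtils.REAL_USER_NAME_ATTRIBUTE.equals(str5)) {
                    return remoteRequestUgi.getRealUser().getShortUserName();
                }
                return super.getAttribute(str5);
            }
        };
    }

    /**
     * Checks whether {@code str} may impersonate {@code str2} for this request.
     *
     * <p>When {@code str} is {@code null} this method returns normally without performing any
     * check; a normal return is only an authorization decision when {@code str} was non-null.
     *
     * @param httpServletRequest the request whose remote address is checked
     * @param str name of the real (authenticated) user
     * @param str2 name of the user to impersonate (the doAs user)
     * @param str3 outer key of the provider map (topology)
     * @param str4 inner key of the provider map
     * @throws AuthorizationException if no provider is registered for {@code (str3, str4)} or the
     *     provider rejects the impersonation
     */
    public static void authorizeImpersonationRequest(HttpServletRequest httpServletRequest, String str, String str2, String str3, String str4) throws AuthorizationException {
        UserGroupInformation remoteRequestUgi = getRemoteRequestUgi(str, str2);
        if (remoteRequestUgi != null) {
            authorizeImpersonationRequest(httpServletRequest, remoteRequestUgi, str3, str4);
        }
    }

    /**
     * Runs the provider stored under {@code (str, str2)} against the proxy UGI and the request's
     * remote address. A missing provider is a denial, not a pass.
     *
     * <p>The address comes from {@link HttpServletRequest#getRemoteAddr()}; behind a load balancer
     * or reverse proxy that is the intermediary's address, so host restrictions in the proxy-user
     * rules apply to the intermediary unless the container rewrites the remote address.
     */
    private static void authorizeImpersonationRequest(HttpServletRequest httpServletRequest, UserGroupInformation userGroupInformation, String str, String str2) throws AuthorizationException {
        ImpersonationProvider impersonationProvider = getImpersonationProvider(str, str2);
        if (impersonationProvider == null) {
            throw new AuthorizationException("ImpersonationProvider for " + str + " / " + str2 + " not found!");
        }
        try {
            impersonationProvider.authorize(userGroupInformation, httpServletRequest.getRemoteAddr());
        } catch (org.apache.hadoop.security.authorize.AuthorizationException e) {
            // Translate Hadoop's exception into this package's type, keeping the cause.
            throw new AuthorizationException((Throwable) e);
        }
    }

    /**
     * Looks up the provider stored under {@code (str, str2)}.
     *
     * @return the provider, or {@code null} if none is stored or either key is {@code null}
     */
    private static ImpersonationProvider getImpersonationProvider(String str, String str2) {
        if (str == null || str2 == null) {
            // ConcurrentHashMap rejects null keys; report "no provider" so callers deny the request.
            return null;
        }
        refreshSuperUserGroupsLock.lock();
        try {
            return TOPOLOGY_IMPERSONATION_PROVIDERS.getOrDefault(str, Collections.emptyMap()).get(str2);
        } finally {
            refreshSuperUserGroupsLock.unlock();
        }
    }

    /**
     * Creates a proxy UGI in which {@code str} is the real user and {@code str2} the impersonated
     * user.
     *
     * @return the proxy UGI, or {@code null} if {@code str} is {@code null}
     */
    private static UserGroupInformation getRemoteRequestUgi(String str, String str2) {
        if (str == null) {
            return null;
        }
        return UserGroupInformation.createProxyUser(str2, UserGroupInformation.createRemoteUser(str));
    }

    /**
     * Tells whether an impersonation provider is registered for {@code (str, str2)}.
     *
     * @param str outer key of the provider map (topology)
     * @param str2 inner key of the provider map
     * @return {@code true} if a provider is stored for the pair
     */
    public static boolean hasProxyConfig(String str, String str2) {
        return getImpersonationProvider(str, str2) != null;
    }

    /**
     * Removes the impersonation provider registered for {@code (str, str2)}, if any. After
     * removal, authorization for that pair fails with "not found" until a provider is stored
     * again.
     *
     * @param str outer key of the provider map (topology)
     * @param str2 inner key of the provider map
     */
    public static void removeProxyUserConfig(String str, String str2) {
        if (str == null || str2 == null) {
            return;
        }
        refreshSuperUserGroupsLock.lock();
        try {
            // Look up and remove under one lock hold so the existence check cannot go stale.
            Map<String, ImpersonationProvider> providers = TOPOLOGY_IMPERSONATION_PROVIDERS.get(str);
            if (providers != null) {
                providers.remove(str2);
            }
        } finally {
            refreshSuperUserGroupsLock.unlock();
        }
    }

    /**
     * Returns the filter's init parameter names as a list.
     *
     * @param filterConfig the filter configuration to read
     * @return the names, or an empty list if the filter config reports none ({@code null})
     */
    public static List<String> getInitParameterNamesAsList(FilterConfig filterConfig) {
        java.util.Enumeration<String> names = filterConfig.getInitParameterNames();
        return names == null ? Collections.<String>emptyList() : Collections.list(names);
    }
}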
