package org.apache.hadoop.hive.metastore;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.auth.jwt.JWTValidator;
import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.thrift.TProcessor;
import org.apache.thrift.protocol.TProtocolFactory;
import org.apache.thrift.server.TServlet;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.credentials.extractor.BearerAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/metastore/HmsThriftHttpServlet.class */
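/**
 * Thrift-over-HTTP servlet for the metastore that resolves a caller identity for each POST
 * and runs the Thrift call inside that identity's {@link UserGroupInformation} context.
 *
 * <p>The identity comes from one of two places, chosen once in the constructor:
 * <ul>
 *   <li>JWT mode (metastore authentication set to {@code jwt}): the bearer token in the
 *       {@code Authorization} header is validated and its user name is used.</li>
 *   <li>Otherwise: the value of the {@code x-actor-username} header is used as-is.</li>
 * </ul>
 *
 * <p>NOTE(review): in the non-JWT mode nothing in this class authenticates the
 * {@code x-actor-username} header, so the asserted name is only as trustworthy as whatever
 * sits in front of this servlet. Presumably a gateway or network control is expected to set
 * or strip the header; confirm that before exposing the endpoint, and prefer JWT mode where
 * clients are not fully trusted.
 */
public class HmsThriftHttpServlet extends TServlet {
    private static final Logger LOG = LoggerFactory.getLogger(HmsThriftHttpServlet.class);
    private static final String X_USER = "x-actor-username";
    // Placeholder written to the debug log in place of credential-bearing header values.
    private static final String REDACTED = "<redacted>";
    private final boolean isSecurityEnabled;
    private final boolean jwtAuthEnabled;
    public static final String AUTHORIZATION = "Authorization";
    // Created in init() when JWT mode is on; stays null otherwise.
    private JWTValidator jwtValidator;
    private final Configuration conf;

    /**
     * Creates the servlet and fixes the authentication mode for its lifetime.
     *
     * @param tProcessor Thrift processor handed to {@link TServlet}
     * @param tProtocolFactory Thrift protocol factory handed to {@link TServlet}
     * @param configuration metastore configuration; read here for the authentication mode and
     *     again in {@link #init()} to build the JWT validator
     */
    public HmsThriftHttpServlet(TProcessor tProcessor, TProtocolFactory tProtocolFactory, Configuration configuration) {
        super(tProcessor, tProtocolFactory);
        this.conf = configuration;
        this.isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
        // Literal-first comparison so an unset value selects the non-JWT mode instead of an NPE.
        this.jwtAuthEnabled = "jwt".equalsIgnoreCase(
                MetastoreConf.getVar(configuration, MetastoreConf.ConfVars.THRIFT_METASTORE_AUTHENTICATION));
        this.jwtValidator = null;
    }

    /**
     * Builds the JWT validator when JWT mode is enabled.
     *
     * @throws ServletException if the validator cannot be constructed; the original failure is
     *     attached as the cause so the stack trace is not lost
     */
    @Override
    public void init() throws ServletException {
        super.init();
        if (!this.jwtAuthEnabled) {
            return;
        }
        try {
            this.jwtValidator = new JWTValidator(this.conf);
        } catch (Exception e) {
            throw new ServletException("Failed to initialize HmsThriftHttpServlet. Error: " + e, e);
        }
    }

    /**
     * Resolves the caller's user name, then delegates to {@link TServlet#doPost} inside that
     * user's {@code doAs} context. Authentication failures produce a 401 and the Thrift call
     * is never dispatched.
     *
     * @throws ServletException if the delegated call is interrupted or fails with a runtime
     *     exception
     * @throws IOException propagated from the login-user lookup, the delegated call, or the
     *     response writer
     */
    @Override
    protected void doPost(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws ServletException, IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug(" Logging headers in request");
            logRequestHeaders(httpServletRequest);
        }

        final String userName;
        try {
            userName = extractUserName(httpServletRequest, httpServletResponse);
        } catch (HttpAuthenticationException e) {
            // Only the top-level message goes back to the client; the cause chain, which may
            // carry token-validation detail, stays in the server log.
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            httpServletResponse.getWriter().println("Authentication error: " + e.getMessage());
            LOG.error("Authentication error: ", e);
            return;
        }

        final UserGroupInformation callerUgi;
        if (this.isSecurityEnabled) {
            // The caller acts through the service's own login identity as a proxy user.
            LOG.info("Creating proxy user for: {}", userName);
            callerUgi = UserGroupInformation.createProxyUser(userName, UserGroupInformation.getLoginUser());
        } else {
            LOG.info("Creating remote user for: {}", userName);
            callerUgi = UserGroupInformation.createRemoteUser(userName);
        }

        try {
            callerUgi.doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    HmsThriftHttpServlet.super.doPost(httpServletRequest, httpServletResponse);
                    return null;
                }
            });
        } catch (InterruptedException | RuntimeException e) {
            if (e instanceof InterruptedException) {
                // Restore the flag so the container thread still observes the interruption.
                Thread.currentThread().interrupt();
            }
            LOG.error("Exception when executing http request as user: " + callerUgi.getUserName(), e);
            throw new ServletException(e);
        }
    }

    /**
     * Returns the last space-separated token of the {@code Authorization} header.
     *
     * <p>Not called from anywhere else in this class.
     *
     * @throws ServletException if the header is absent, empty, or holds only spaces
     */
    private String getAuthHeader(HttpServletRequest httpServletRequest) throws ServletException {
        String header = httpServletRequest.getHeader(AUTHORIZATION);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Logging headers in request");
            logRequestHeaders(httpServletRequest);
        }
        if (header == null || header.isEmpty()) {
            throw new ServletException("no authorization header received from the client");
        }
        String[] split = header.split(" ");
        // A header made only of spaces splits to an empty array; reject it here instead of
        // indexing at -1.
        if (split.length == 0 || split[split.length - 1].isEmpty()) {
            throw new ServletException("Authorization header received from the client does not contain any data.");
        }
        return split[split.length - 1];
    }

    /**
     * Determines the user name the request should run as.
     *
     * @return the JWT-derived user name in JWT mode, otherwise the {@code x-actor-username}
     *     header value
     * @throws HttpAuthenticationException if the header or bearer token is missing, or the
     *     token fails validation or yields no user name
     */
    private String extractUserName(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws HttpAuthenticationException {
        if (!this.jwtAuthEnabled) {
            // NOTE(review): the header value is accepted without verification in this class,
            // and doPost then builds a proxy or remote user from it. Confirm an upstream
            // component authenticates the caller and controls this header.
            String header = httpServletRequest.getHeader(X_USER);
            if (header == null || header.isEmpty()) {
                throw new HttpAuthenticationException("User header " + X_USER + " missing in request");
            }
            return header;
        }
        String extractBearerToken = extractBearerToken(httpServletRequest, httpServletResponse);
        if (extractBearerToken == null) {
            throw new HttpAuthenticationException("Couldn't find bearer token in the auth header in the request");
        }
        try {
            // Any failure here, including a validator that was never initialised, lands in
            // the catch below and is reported as an authentication failure (fails closed).
            String validateJWTAndExtractUser = this.jwtValidator.validateJWTAndExtractUser(extractBearerToken);
            Preconditions.checkNotNull(validateJWTAndExtractUser, "JWT needs to contain the user name as subject");
            Preconditions.checkState(!validateJWTAndExtractUser.isEmpty(), "User name should not be empty in JWT");
            LOG.info("Successfully validated and extracted user name {} from JWT in Auth header in the request", validateJWTAndExtractUser);
            return validateJWTAndExtractUser;
        } catch (Exception e) {
            throw new HttpAuthenticationException("Failed to validate JWT from Bearer token in Authentication header", e);
        }
    }

    /**
     * Pulls the bearer token out of the request using pac4j's {@link BearerAuthExtractor}.
     *
     * @return the token, or {@code null} when the extractor finds none
     */
    private String extractBearerToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return (String) new BearerAuthExtractor().extract(new JEEContext(httpServletRequest, httpServletResponse)).map((credentials) -> {
            return credentials.getToken();
        }).orElse(null);
    }

    /**
     * Writes every request header to the debug log, replacing the values of credential-bearing
     * headers so bearer tokens and session cookies do not end up in log files.
     */
    private static void logRequestHeaders(HttpServletRequest request) {
        Enumeration<?> headerNames = request.getHeaderNames();
        if (headerNames == null) {
            // The servlet API allows a container to withhold the header list.
            return;
        }
        while (headerNames.hasMoreElements()) {
            String name = (String) headerNames.nextElement();
            String value = isSensitiveHeader(name) ? REDACTED : request.getHeader(name);
            LOG.debug("Header: [{}], Value: [{}]", name, value);
        }
    }

    /** Returns true for headers whose values are credentials and must not be logged. */
    private static boolean isSensitiveHeader(String name) {
        return AUTHORIZATION.equalsIgnoreCase(name)
                || "Proxy-Authorization".equalsIgnoreCase(name)
                || "Cookie".equalsIgnoreCase(name);
    }
}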
