package org.apache.hadoop.security.authentication.server;

import java.io.IOException;
import java.security.Principal;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Properties;
import java.util.TimeZone;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.metrics2.sink.ganglia.AbstractGangliaSink;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.FileSignerSecretProvider;
import org.apache.hadoop.security.authentication.util.RandomSignerSecretProvider;
import org.apache.hadoop.security.authentication.util.Signer;
import org.apache.hadoop.security.authentication.util.SignerException;
import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

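/**
 * Servlet filter that authenticates HTTP requests with a pluggable
 * {@link AuthenticationHandler} and remembers the outcome in a signed cookie.
 *
 * <p>On each request the filter looks for the {@link AuthenticatedURL#AUTH_COOKIE}
 * cookie, verifies its signature with the configured {@link Signer}, and parses
 * it into an {@link AuthenticationToken}. If no usable token is present, the
 * handler is asked to authenticate the request; a newly issued token is signed
 * and returned to the client as a cookie.
 *
 * <p>Security-relevant configuration read by this class (all keys are relative
 * to the optional {@link #CONFIG_PREFIX}):
 * <ul>
 *   <li>{@link #AUTH_TYPE}: handler type or class name; the class is loaded
 *       reflectively, so the filter configuration must come from a trusted source.</li>
 *   <li>{@link #SIGNER_SECRET_PROVIDER} / {@link #SIGNATURE_SECRET_FILE}: where the
 *       cookie-signing secret comes from. See {@link #constructSecretProvider} for
 *       the fallback to random secrets.</li>
 *   <li>{@link #AUTH_TOKEN_VALIDITY}: token lifetime in seconds (default 36000).</li>
 *   <li>{@link #COOKIE_DOMAIN} / {@link #COOKIE_PATH}: scope of the issued cookie.</li>
 * </ul>
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/security/authentication/server/AuthenticationFilter.class */
public class AuthenticationFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationFilter.class);

    /** Init parameter naming the prefix under which all other settings are looked up. */
    public static final String CONFIG_PREFIX = "config.prefix";
    /** Handler type: {@code simple}, {@code kerberos}, or a handler class name. */
    public static final String AUTH_TYPE = "type";
    /** Not read anywhere in this class; kept for callers that reference the key. */
    public static final String SIGNATURE_SECRET = "signature.secret";
    /** Location of the signing secret for the {@code file} secret provider. */
    public static final String SIGNATURE_SECRET_FILE = "signature.secret.file";
    /** Token validity in seconds. */
    public static final String AUTH_TOKEN_VALIDITY = "token.validity";
    /** Value emitted in the cookie's {@code Domain} attribute, if set. */
    public static final String COOKIE_DOMAIN = "cookie.domain";
    /** Value emitted in the cookie's {@code Path} attribute, if set. */
    public static final String COOKIE_PATH = "cookie.path";
    /** Secret provider selector: {@code file}, {@code random}, {@code zookeeper}, or a class name. */
    public static final String SIGNER_SECRET_PROVIDER = "signer.secret.provider";
    /** Servlet-context attribute under which a pre-built provider may be supplied. */
    public static final String SIGNER_SECRET_PROVIDER_ATTRIBUTE = "signer.secret.provider.object";

    private Properties config;
    private Signer signer;
    private SignerSecretProvider secretProvider;
    private AuthenticationHandler authHandler;
    // Token validity, stored in milliseconds.
    private long validity;
    private String cookieDomain;
    private String cookiePath;
    // True when this filter built the secret provider itself and therefore owns its lifecycle.
    private boolean isInitializedByTomcat;

    /**
     * Reads the filter configuration, resolves the authentication handler class,
     * and initializes the secret provider and the handler.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException if no authentication type is configured or a
     *         component cannot be initialized
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        String configPrefix = filterConfig.getInitParameter(CONFIG_PREFIX);
        this.config = getConfiguration(configPrefix != null ? configPrefix + "." : "", filterConfig);
        String authType = this.config.getProperty(AUTH_TYPE, null);
        if (authType == null) {
            throw new ServletException("Authentication type must be specified: simple|kerberos|<class>");
        }
        // Map the two built-in short names to their handler classes; anything
        // else is treated as a fully qualified class name.
        String normalizedType = authType.toLowerCase(Locale.ENGLISH);
        String handlerClassName;
        if (normalizedType.equals(PseudoAuthenticationHandler.TYPE)) {
            handlerClassName = PseudoAuthenticationHandler.class.getName();
        } else if (normalizedType.equals(KerberosAuthenticationHandler.TYPE)) {
            handlerClassName = KerberosAuthenticationHandler.class.getName();
        } else {
            handlerClassName = authType;
        }
        // Configured in seconds, kept in milliseconds.
        this.validity = Long.parseLong(this.config.getProperty(AUTH_TOKEN_VALIDITY, "36000")) * 1000;
        initializeSecretProvider(filterConfig);
        initializeAuthHandler(handlerClassName, filterConfig);
        this.cookieDomain = this.config.getProperty(COOKIE_DOMAIN, null);
        this.cookiePath = this.config.getProperty(COOKIE_PATH, null);
    }

    /**
     * Instantiates the handler class through the context class loader and
     * initializes it with the filter configuration.
     *
     * @param authHandlerClassName fully qualified handler class name taken from configuration
     * @param filterConfig filter configuration (not used by this implementation)
     * @throws ServletException if the class cannot be loaded or instantiated
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void initializeAuthHandler(String authHandlerClassName, FilterConfig filterConfig) throws ServletException {
        try {
            // The class name comes straight from configuration: whoever controls the
            // filter init parameters controls which class is instantiated here.
            Class<?> handlerClass = Thread.currentThread().getContextClassLoader().loadClass(authHandlerClassName);
            this.authHandler = (AuthenticationHandler) handlerClass.newInstance();
            this.authHandler.init(this.config);
        } catch (ClassNotFoundException | IllegalAccessException | InstantiationException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Obtains the secret provider, preferring one published in the servlet
     * context and otherwise constructing one from configuration, then builds
     * the {@link Signer} on top of it.
     *
     * @param filterConfig filter configuration giving access to the servlet context
     * @throws ServletException if a provider has to be constructed and that fails
     */
    protected void initializeSecretProvider(FilterConfig filterConfig) throws ServletException {
        ServletContext servletContext = filterConfig.getServletContext();
        this.secretProvider = (SignerSecretProvider) servletContext.getAttribute(SIGNER_SECRET_PROVIDER_ATTRIBUTE);
        if (this.secretProvider == null) {
            try {
                // Fallback to random secrets is permitted on this path (flag is false).
                this.secretProvider = constructSecretProvider(servletContext, this.config, false);
                // Remember ownership so destroy() only tears down a provider created here.
                this.isInitializedByTomcat = true;
            } catch (Exception e) {
                throw new ServletException(e);
            }
        }
        this.signer = new Signer(this.secretProvider);
    }

    /**
     * Builds and initializes the secret provider selected by
     * {@link #SIGNER_SECRET_PROVIDER} (default {@code file}).
     *
     * <p>Unless {@code disallowFallbackToRandomSecretProvider} is set, the
     * {@code file} provider is replaced by {@link RandomSignerSecretProvider}
     * both when {@link #SIGNATURE_SECRET_FILE} is not configured and when the
     * file provider fails to initialize. The second case is logged as a
     * warning because the deployment asked for a file-based secret and is not
     * getting one.
     *
     * @param servletContext servlet context passed to the provider's {@code init}
     * @param properties filter configuration
     * @param disallowFallbackToRandomSecretProvider when {@code true}, a failing
     *        file provider propagates its exception instead of falling back
     * @return the initialized provider
     * @throws Exception if the selected provider cannot be created or initialized
     */
    public static SignerSecretProvider constructSecretProvider(ServletContext servletContext, Properties properties, boolean disallowFallbackToRandomSecretProvider) throws Exception {
        String providerName = properties.getProperty(SIGNER_SECRET_PROVIDER, "file");
        long validityMillis = Long.parseLong(properties.getProperty(AUTH_TOKEN_VALIDITY, "36000")) * 1000;
        if (!disallowFallbackToRandomSecretProvider && "file".equals(providerName)
                && properties.getProperty(SIGNATURE_SECRET_FILE) == null) {
            // NOTE(review): this switch to random secrets is not logged. Presumably a
            // random secret is local to this process, so cookies would not validate
            // on other instances or after a restart; confirm against the provider.
            providerName = "random";
        }

        SignerSecretProvider provider;
        if ("file".equals(providerName)) {
            provider = new FileSignerSecretProvider();
            try {
                provider.init(properties, servletContext, validityMillis);
            } catch (Exception e) {
                if (disallowFallbackToRandomSecretProvider) {
                    throw e;
                }
                LOG.warn("Unable to initialize FileSignerSecretProvider, falling back to use random secrets."
                        + " Reason: {}", e.getMessage());
                provider = new RandomSignerSecretProvider();
                provider.init(properties, servletContext, validityMillis);
            }
            return provider;
        }

        if ("random".equals(providerName)) {
            provider = new RandomSignerSecretProvider();
        } else if ("zookeeper".equals(providerName)) {
            provider = new ZKSignerSecretProvider();
        } else {
            // Any other value is treated as a class name from trusted configuration.
            provider = (SignerSecretProvider) Thread.currentThread().getContextClassLoader()
                    .loadClass(providerName).newInstance();
        }
        provider.init(properties, servletContext, validityMillis);
        return provider;
    }

    /** Returns the configuration assembled in {@link #init}, with the prefix stripped from keys. */
    protected Properties getConfiguration() {
        return this.config;
    }

    /** Returns the handler created in {@link #initializeAuthHandler}, or {@code null} after {@link #destroy}. */
    /* JADX INFO: Access modifiers changed from: protected */
    public AuthenticationHandler getAuthenticationHandler() {
        return this.authHandler;
    }

    /** Returns {@code true} when cookies are signed by a {@link RandomSignerSecretProvider}. */
    protected boolean isRandomSecret() {
        return this.secretProvider.getClass() == RandomSignerSecretProvider.class;
    }

    /** Returns {@code true} when the provider is not exactly one of the three built-in classes. */
    protected boolean isCustomSignerSecretProvider() {
        Class<?> providerClass = this.secretProvider.getClass();
        return !(providerClass == FileSignerSecretProvider.class
                || providerClass == RandomSignerSecretProvider.class
                || providerClass == ZKSignerSecretProvider.class);
    }

    /** Returns the token validity in seconds. */
    protected long getValidity() {
        return this.validity / 1000;
    }

    /** Returns the configured cookie domain, or {@code null} if none. */
    protected String getCookieDomain() {
        return this.cookieDomain;
    }

    /** Returns the configured cookie path, or {@code null} if none. */
    protected String getCookiePath() {
        return this.cookiePath;
    }

    /**
     * Releases the handler, and the secret provider when this filter created it.
     * A provider obtained from the servlet context is left untouched.
     */
    public void destroy() {
        if (this.authHandler != null) {
            this.authHandler.destroy();
            this.authHandler = null;
        }
        if (this.secretProvider != null && this.isInitializedByTomcat) {
            this.secretProvider.destroy();
            this.secretProvider = null;
        }
    }

    /**
     * Collects the init parameters whose names start with {@code configPrefix}
     * and returns them with the prefix removed.
     *
     * @param configPrefix prefix to match and strip; empty matches every parameter
     * @param filterConfig filter configuration supplied by the container
     * @return the selected parameters as properties
     * @throws ServletException declared for overriding implementations; not thrown here
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException {
        Properties props = new Properties();
        Enumeration<?> names = filterConfig.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (name.startsWith(configPrefix)) {
                props.put(name.substring(configPrefix.length()), filterConfig.getInitParameter(name));
            }
        }
        return props;
    }

    /**
     * Returns the request URL including the query string, if any.
     *
     * <p>The result is only used for debug logging in this class. Query strings
     * can carry credentials or tokens, so debug logs from this filter should be
     * treated as sensitive.
     *
     * @param request the HTTP request
     * @return the full request URL
     */
    protected String getRequestURL(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String queryString = request.getQueryString();
        if (queryString != null) {
            url.append("?").append(queryString);
        }
        return url.toString();
    }

    /**
     * Extracts and validates the authentication token carried in the request's
     * auth cookie.
     *
     * <p>Only the first cookie named {@link AuthenticatedURL#AUTH_COOKIE} is
     * considered. Its signature is verified before the value is parsed, and the
     * parsed token must match the handler's type and must not be expired.
     *
     * @param request the HTTP request
     * @return the validated token, or {@code null} if the request has no auth cookie
     * @throws IOException declared for overriding implementations
     * @throws AuthenticationException if signature verification fails, the token
     *         type differs from the handler's type, or the token has expired
     */
    protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
        String tokenStr = null;
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
                    try {
                        // The cookie value is client-controlled; nothing from it is
                        // used until the signature has been verified.
                        tokenStr = this.signer.verifyAndExtract(cookie.getValue());
                    } catch (SignerException e) {
                        throw new AuthenticationException(e);
                    }
                    break;
                }
            }
        }
        if (tokenStr == null) {
            return null;
        }
        AuthenticationToken token = AuthenticationToken.parse(tokenStr);
        if (!token.getType().equals(this.authHandler.getType())) {
            throw new AuthenticationException("Invalid AuthenticationToken type");
        }
        if (token.isExpired()) {
            throw new AuthenticationException("AuthenticationToken expired");
        }
        return token;
    }

    /**
     * Authenticates the request and, on success, forwards it down the chain
     * wrapped so that {@code getAuthType}, {@code getRemoteUser} and
     * {@code getUserPrincipal} reflect the token.
     *
     * <p>A token rejected by {@link #getToken} is logged and ignored, and the
     * handler is asked to authenticate from scratch. If no token results and
     * the response is not yet committed, the auth cookie is cleared and an
     * error is sent: 401 when the handler set a {@code WWW-Authenticate}
     * header, otherwise 403.
     *
     * @param request the servlet request; must be an {@link HttpServletRequest}
     * @param response the servlet response; must be an {@link HttpServletResponse}
     * @param filterChain the remaining filter chain
     * @throws IOException if an I/O error occurs
     * @throws ServletException if a servlet error occurs
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        boolean unauthorizedResponse = true;
        int errCode = 401; // SC_UNAUTHORIZED
        AuthenticationException authenticationEx = null;
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Drives the cookie's Secure attribute. NOTE(review): if TLS is terminated
        // upstream and the container is not told about it, the scheme seen here is
        // presumably "http" and the cookie is issued without Secure; confirm per deployment.
        boolean isHttps = "https".equals(httpRequest.getScheme());
        boolean newToken = false;
        try {
            AuthenticationToken token;
            try {
                token = getToken(httpRequest);
            } catch (AuthenticationException ex) {
                // A bad cookie is not fatal: fall through and re-authenticate.
                LOG.warn("AuthenticationToken ignored: " + ex.getMessage());
                authenticationEx = ex;
                token = null;
            }
            if (this.authHandler.managementOperation(token, httpRequest, httpResponse)) {
                if (token == null) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Request [{}] triggering authentication", getRequestURL(httpRequest));
                    }
                    token = this.authHandler.authenticate(httpRequest, httpResponse);
                    if (token != null && token.getExpires() != 0 && token != AuthenticationToken.ANONYMOUS) {
                        token.setExpires(System.currentTimeMillis() + (getValidity() * 1000));
                    }
                    newToken = true;
                }
                if (token != null) {
                    unauthorizedResponse = false;
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Request [{}] user [{}] authenticated", getRequestURL(httpRequest), token.getUserName());
                    }
                    final AuthenticationToken authToken = token;
                    HttpServletRequest authenticatedRequest = new HttpServletRequestWrapper(httpRequest) { // from class: org.apache.hadoop.security.authentication.server.AuthenticationFilter.1
                        public String getAuthType() {
                            return authToken.getType();
                        }

                        public String getRemoteUser() {
                            return authToken.getUserName();
                        }

                        public Principal getUserPrincipal() {
                            // Anonymous requests expose no principal.
                            return authToken != AuthenticationToken.ANONYMOUS ? authToken : null;
                        }
                    };
                    // Only freshly issued, non-anonymous, unexpired tokens are sent back as a cookie.
                    if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS) {
                        String signedToken = this.signer.sign(token.toString());
                        createAuthCookie(httpResponse, signedToken, getCookieDomain(), getCookiePath(), token.getExpires(), isHttps);
                    }
                    doFilter(filterChain, authenticatedRequest, httpResponse);
                }
            } else {
                // The handler fully served a management operation; nothing more to send.
                unauthorizedResponse = false;
            }
        } catch (AuthenticationException ex) {
            errCode = 403; // SC_FORBIDDEN
            authenticationEx = ex;
            if (LOG.isDebugEnabled()) {
                LOG.debug("Authentication exception: " + ex.getMessage(), ex);
            } else {
                LOG.warn("Authentication exception: " + ex.getMessage());
            }
        }
        if (!unauthorizedResponse || httpResponse.isCommitted()) {
            return;
        }
        // Empty value with an epoch expiry: tells the client to drop any stale auth cookie.
        createAuthCookie(httpResponse, "", getCookieDomain(), getCookiePath(), 0L, isHttps);
        // A 401 without a WWW-Authenticate challenge is downgraded to 403.
        if (errCode == 401 && !httpResponse.containsHeader("WWW-Authenticate")) {
            errCode = 403;
        }
        if (authenticationEx == null) {
            httpResponse.sendError(errCode, "Authentication required");
        } else {
            // NOTE(review): the exception message is returned to the client as the
            // error text; handler messages should not contain internal detail.
            httpResponse.sendError(errCode, authenticationEx.getMessage());
        }
    }

    /**
     * Hands the authenticated request to the rest of the chain. Exists as a
     * hook for subclasses.
     *
     * @param filterChain the remaining filter chain
     * @param request the wrapped, authenticated request
     * @param response the HTTP response
     * @throws IOException if an I/O error occurs
     * @throws ServletException if a servlet error occurs
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void doFilter(FilterChain filterChain, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        filterChain.doFilter(request, response);
    }

    /**
     * Writes the auth cookie as a raw {@code Set-Cookie} header.
     *
     * <p>{@code HttpOnly} is always set; {@code Secure} is set only when
     * {@code isSecure} is {@code true}. The token, domain and path are appended
     * verbatim with no escaping, so callers must pass values that are safe
     * inside a cookie header.
     *
     * @param resp the response to add the header to
     * @param token cookie value; {@code null} or empty emits an empty value
     * @param domain value for the {@code Domain} attribute, or {@code null} to omit it
     * @param path value for the {@code Path} attribute, or {@code null} to omit it
     * @param expires expiry in milliseconds since the epoch; negative omits {@code Expires}
     * @param isSecure whether to add the {@code Secure} attribute
     */
    public static void createAuthCookie(HttpServletResponse resp, String token, String domain, String path, long expires, boolean isSecure) {
        // NOTE(review): the separator constant comes from an unrelated metrics class,
        // which looks like a decompiler substitution for the literal "="; confirm.
        StringBuilder sb = new StringBuilder(AuthenticatedURL.AUTH_COOKIE).append(AbstractGangliaSink.EQUAL);
        if (token != null && !token.isEmpty()) {
            sb.append("\"").append(token).append("\"");
        }
        if (path != null) {
            sb.append("; Path=").append(path);
        }
        if (domain != null) {
            sb.append("; Domain=").append(domain);
        }
        if (expires >= 0) {
            // Fixed locale: the default locale would render day and month names in the
            // JVM's language, producing an Expires value clients cannot parse.
            SimpleDateFormat expiresFormat = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz", Locale.ENGLISH);
            expiresFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
            sb.append("; Expires=").append(expiresFormat.format(new Date(expires)));
        }
        if (isSecure) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        resp.addHeader("Set-Cookie", sb.toString());
    }
}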
