package org.apache.hadoop.yarn.server.webproxy;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.SocketException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriBuilderException;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ApplicationReport;
import org.apache.hadoop.yarn.api.records.YarnApplicationState;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher;
import org.apache.hadoop.yarn.util.Apps;
import org.apache.hadoop.yarn.util.StringHelper;
import org.apache.hadoop.yarn.util.TrackingUriPlugin;
import org.apache.hadoop.yarn.webapp.hamlet2.Hamlet;
import org.apache.hadoop.yarn.webapp.hamlet2.HamletImpl;
import org.apache.hadoop.yarn.webapp.hamlet2.HamletSpec;
import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.HttpClientBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.class */
public class WebAppProxyServlet extends HttpServlet {
    private static final long serialVersionUID = 1;
    private static final String REDIRECT = "/redirect";
    public static final String PROXY_USER_COOKIE_NAME = "proxy-user";
    private static final Logger LOG = LoggerFactory.getLogger(WebAppProxyServlet.class);
    private static final Set<String> PASS_THROUGH_HEADERS = new HashSet(Arrays.asList("User-Agent", "Accept", "Accept-Encoding", "Accept-Language", "Accept-Charset", "Content-Type", "Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"));
    private transient YarnConfiguration conf = new YarnConfiguration();
    private transient List<TrackingUriPlugin> trackingUriPlugins = this.conf.getInstances("yarn.tracking.url.generator", TrackingUriPlugin.class);
    private final String failurePageUrlBase = StringHelper.pjoin(new Object[]{WebAppUtils.getResolvedRMWebAppURLWithScheme(this.conf), "cluster", "failure"});

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$hadoop$yarn$api$records$YarnApplicationState = new int[YarnApplicationState.values().length];

        static {
            try {
                $SwitchMap$org$apache$hadoop$yarn$api$records$YarnApplicationState[YarnApplicationState.KILLED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$hadoop$yarn$api$records$YarnApplicationState[YarnApplicationState.FINISHED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$hadoop$yarn$api$records$YarnApplicationState[YarnApplicationState.FAILED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet$HTTP.class */
    public enum HTTP {
        GET,
        POST,
        HEAD,
        PUT,
        DELETE
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet$Page.class */
    public static class Page extends Hamlet {
        Page(PrintWriter printWriter) {
            super(printWriter, 0, false);
        }

        public Hamlet.HTML<__> html() {
            return new Hamlet.HTML<>(this, "html", (HamletSpec.__) null, EnumSet.of(HamletImpl.EOpt.ENDTAG));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet$__.class */
    public static class __ implements HamletSpec.__ {
        private __() {
        }
    }

    protected void setConf(YarnConfiguration yarnConfiguration) {
        this.conf = yarnConfiguration;
    }

    private String getRmAppPageUrlBase(ApplicationId applicationId) throws YarnException, IOException {
        return ((AppReportFetcher) getServletContext().getAttribute(WebAppProxy.FETCHER_ATTRIBUTE)).getRmAppPageUrlBase(applicationId);
    }

    private String getAhsAppPageUrlBase() {
        return ((AppReportFetcher) getServletContext().getAttribute(WebAppProxy.FETCHER_ATTRIBUTE)).getAhsAppPageUrlBase();
    }

    private static void notFound(HttpServletResponse httpServletResponse, String str) throws IOException {
        ProxyUtils.notFound(httpServletResponse, str);
    }

    private static void warnUserPage(HttpServletResponse httpServletResponse, String str, String str2, ApplicationId applicationId) throws IOException {
        httpServletResponse.addCookie(makeCheckCookie(applicationId, false));
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        new Page(httpServletResponse.getWriter()).html().h1("WARNING: The following page may not be safe!").h3().__(new Object[]{"click "}).a(str, "here").__(new Object[]{" to continue to an Application Master web interface owned by ", str2}).__().__();
    }

    @VisibleForTesting
    static boolean checkHttpsStrictAndNotProvided(HttpServletResponse httpServletResponse, URI uri, YarnConfiguration yarnConfiguration) throws IOException {
        boolean equals = yarnConfiguration.get("yarn.resourcemanager.application-https.policy", "NONE").equals("STRICT");
        boolean equals2 = uri.getScheme().equals("https");
        if (!equals || equals2) {
            return false;
        }
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        new Page(httpServletResponse.getWriter()).html().h1("HTTPS must be used").h3().__(new Object[]{"yarn.resourcemanager.application-https.policy", "is set to STRICT, which means that the tracking URL ", "must be an HTTPS URL, but it is not."}).__(new Object[]{"The tracking URL is: ", uri}).__().__();
        return true;
    }

    private void proxyLink(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, URI uri, Cookie cookie, String str, HTTP http, ApplicationId applicationId) throws IOException {
        ProxyCA proxyCA;
        HttpRequestBase httpPut;
        HttpClientBuilder create = HttpClientBuilder.create();
        String str2 = this.conf.get("yarn.resourcemanager.application-https.policy", "NONE");
        boolean z = this.conf.getBoolean("yarn.resourcemanager.proxy.timeout.enabled", true);
        int i = this.conf.getInt("yarn.resourcemanager.proxy.connection.timeout", 60000);
        if ((str2.equals("LENIENT") || str2.equals("STRICT")) && (proxyCA = getProxyCA()) != null) {
            try {
                create.setSSLContext(proxyCA.createSSLContext(applicationId));
                create.setSSLHostnameVerifier(proxyCA.getHostnameVerifier());
            } catch (Exception e) {
                throw new IOException(e);
            }
        }
        InetAddress byName = InetAddress.getByName(str);
        LOG.debug("local InetAddress for proxy host: {}", byName);
        create.setDefaultRequestConfig(z ? RequestConfig.custom().setCircularRedirectsAllowed(true).setLocalAddress(byName).setConnectionRequestTimeout(i).setSocketTimeout(i).setConnectTimeout(i).build() : RequestConfig.custom().setCircularRedirectsAllowed(true).setLocalAddress(byName).build());
        if (http.equals(HTTP.GET)) {
            httpPut = new HttpGet(uri);
        } else {
            if (!http.equals(HTTP.PUT)) {
                httpServletResponse.setStatus(405);
                return;
            }
            httpPut = new HttpPut(uri);
            StringBuilder sb = new StringBuilder();
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader((InputStream) httpServletRequest.getInputStream(), StandardCharsets.UTF_8));
            while (true) {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    break;
                } else {
                    sb.append(readLine);
                }
            }
            ((HttpPut) httpPut).setEntity(new StringEntity(sb.toString()));
        }
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String str3 = (String) headerNames.nextElement();
            if (PASS_THROUGH_HEADERS.contains(str3)) {
                String header = httpServletRequest.getHeader(str3);
                LOG.debug("REQ HEADER: {} : {}", str3, header);
                httpPut.setHeader(str3, header);
            }
        }
        String remoteUser = httpServletRequest.getRemoteUser();
        if (remoteUser != null && !remoteUser.isEmpty()) {
            httpPut.setHeader("Cookie", "proxy-user=" + URLEncoder.encode(remoteUser, "ASCII"));
        }
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        try {
            HttpResponse execute = create.build().execute(httpPut);
            httpServletResponse.setStatus(execute.getStatusLine().getStatusCode());
            for (Header header2 : execute.getAllHeaders()) {
                httpServletResponse.setHeader(header2.getName(), header2.getValue());
            }
            if (cookie != null) {
                httpServletResponse.addCookie(cookie);
            }
            InputStream content = execute.getEntity().getContent();
            if (content != null) {
                IOUtils.copyBytes(content, outputStream, 4096, true);
            }
        } finally {
            httpPut.releaseConnection();
        }
    }

    private static String getCheckCookieName(ApplicationId applicationId) {
        return "checked_" + applicationId;
    }

    private static Cookie makeCheckCookie(ApplicationId applicationId, boolean z) {
        Cookie cookie = new Cookie(getCheckCookieName(applicationId), String.valueOf(z));
        cookie.setHttpOnly(true);
        cookie.setPath(ProxyUriUtils.getPath(applicationId));
        cookie.setMaxAge(7200);
        return cookie;
    }

    private boolean isSecurityEnabled() {
        Boolean bool = (Boolean) getServletContext().getAttribute(WebAppProxy.IS_SECURITY_ENABLED_ATTRIBUTE);
        if (bool != null) {
            return bool.booleanValue();
        }
        return false;
    }

    private AppReportFetcher.FetchedAppReport getApplicationReport(ApplicationId applicationId) throws IOException, YarnException {
        return ((AppReportFetcher) getServletContext().getAttribute(WebAppProxy.FETCHER_ATTRIBUTE)).getApplicationReport(applicationId);
    }

    private ProxyCA getProxyCA() {
        return (ProxyCA) getServletContext().getAttribute(WebAppProxy.PROXY_CA);
    }

    private String getProxyHost() throws IOException {
        return (String) getServletContext().getAttribute(WebAppProxy.PROXY_HOST_ATTRIBUTE);
    }

    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        methodAction(httpServletRequest, httpServletResponse, HTTP.GET);
    }

    protected final void doPut(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        methodAction(httpServletRequest, httpServletResponse, HTTP.PUT);
    }

    private void methodAction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HTTP http) throws ServletException, IOException {
        AppReportFetcher.FetchedAppReport fetchedAppReport;
        try {
            boolean z = false;
            boolean parseBoolean = Boolean.parseBoolean(httpServletRequest.getParameter(ProxyUriUtils.PROXY_APPROVAL_PARAM));
            boolean isSecurityEnabled = isSecurityEnabled();
            boolean z2 = false;
            String pathInfo = httpServletRequest.getPathInfo();
            String remoteUser = httpServletRequest.getRemoteUser();
            String[] strArr = null;
            if (pathInfo != null) {
                if (pathInfo.startsWith(REDIRECT)) {
                    pathInfo = pathInfo.substring(REDIRECT.length());
                    z2 = true;
                }
                strArr = pathInfo.split("/", 3);
            }
            if (strArr == null || strArr.length < 2) {
                LOG.warn("{} gave an invalid proxy path {}", remoteUser, pathInfo);
                notFound(httpServletResponse, "Your path appears to be formatted incorrectly.");
                return;
            }
            String str = strArr[1];
            String str2 = strArr.length > 2 ? strArr[2] : "";
            ApplicationId appID = Apps.toAppID(str);
            if (appID == null) {
                LOG.warn("{} attempting to access {} that is invalid", remoteUser, str);
                notFound(httpServletResponse, str + " appears to be formatted incorrectly.");
                return;
            }
            if (z2 && handleRedirect(str, httpServletRequest, httpServletResponse)) {
                return;
            }
            if (isSecurityEnabled) {
                String checkCookieName = getCheckCookieName(appID);
                Cookie[] cookies = httpServletRequest.getCookies();
                if (cookies != null) {
                    int length = cookies.length;
                    int i = 0;
                    while (true) {
                        if (i >= length) {
                            break;
                        }
                        Cookie cookie = cookies[i];
                        if (checkCookieName.equals(cookie.getName())) {
                            z = true;
                            parseBoolean = parseBoolean || Boolean.parseBoolean(cookie.getValue());
                        } else {
                            i++;
                        }
                    }
                }
            }
            boolean z3 = isSecurityEnabled && !(z && parseBoolean);
            try {
                fetchedAppReport = getFetchedAppReport(appID);
            } catch (ApplicationNotFoundException e) {
                fetchedAppReport = null;
            }
            ApplicationReport applicationReport = null;
            if (fetchedAppReport != null) {
                applicationReport = fetchedAppReport.getApplicationReport();
            }
            if (applicationReport == null) {
                LOG.warn("{} attempting to access {} that was not found", remoteUser, appID);
                URI uriFromTrackingPlugins = ProxyUriUtils.getUriFromTrackingPlugins(appID, this.trackingUriPlugins);
                if (uriFromTrackingPlugins != null) {
                    ProxyUtils.sendRedirect(httpServletRequest, httpServletResponse, uriFromTrackingPlugins.toString());
                    return;
                } else {
                    notFound(httpServletResponse, "Application " + str + " could not be found in RM or history server");
                    return;
                }
            }
            URI trackingUri = getTrackingUri(httpServletRequest, httpServletResponse, appID, applicationReport.getOriginalTrackingUrl(), fetchedAppReport.getAppReportSource());
            if (trackingUri == null || checkHttpsStrictAndNotProvided(httpServletResponse, trackingUri, this.conf)) {
                return;
            }
            String user = applicationReport.getUser();
            if (z3 && !user.equals(remoteUser)) {
                LOG.info("Asking {} if they want to connect to the app master GUI of {} owned by {}", new Object[]{remoteUser, str, user});
                warnUserPage(httpServletResponse, ProxyUriUtils.getPathAndQuery(appID, str2, httpServletRequest.getQueryString(), true), user, appID);
                return;
            }
            URI buildTrackingUrl = buildTrackingUrl(trackingUri, httpServletRequest, str2);
            LOG.info("{} is accessing unchecked {} which is the app master GUI of {} owned by {}", new Object[]{remoteUser, buildTrackingUrl, str, user});
            switch (AnonymousClass1.$SwitchMap$org$apache$hadoop$yarn$api$records$YarnApplicationState[applicationReport.getYarnApplicationState().ordinal()]) {
                case 1:
                case 2:
                case 3:
                    ProxyUtils.sendRedirect(httpServletRequest, httpServletResponse, buildTrackingUrl.toString());
                    return;
                default:
                    Cookie cookie2 = null;
                    if (z && parseBoolean) {
                        cookie2 = makeCheckCookie(appID, true);
                    }
                    proxyLink(httpServletRequest, httpServletResponse, buildTrackingUrl, cookie2, getProxyHost(), http, appID);
                    return;
            }
        } catch (URISyntaxException | YarnException e2) {
            throw new IOException(e2);
        }
    }

    private URI buildTrackingUrl(URI uri, HttpServletRequest httpServletRequest, String str) throws UriBuilderException {
        UriBuilder fromUri = UriBuilder.fromUri(uri);
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            for (NameValuePair nameValuePair : URLEncodedUtils.parse(queryString, (Charset) null)) {
                fromUri.queryParam(nameValuePair.getName(), new Object[]{nameValuePair.getValue()});
            }
        }
        return fromUri.path(str).build(new Object[0]);
    }

    private URI getTrackingUri(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ApplicationId applicationId, String str, AppReportFetcher.AppReportSource appReportSource) throws IOException, URISyntaxException, YarnException {
        URI uri = null;
        if (str != null && !str.equals("N/A") && !str.equals("")) {
            uri = ProxyUriUtils.getSchemeFromUrl(str).isEmpty() ? ProxyUriUtils.getUriFromAMUrl(WebAppUtils.getHttpSchemePrefix(this.conf), str) : new URI(str);
        } else if (appReportSource == AppReportFetcher.AppReportSource.RM) {
            LOG.debug("Original tracking url is '{}'. Redirecting to RM app page", str == null ? "NULL" : str);
            ProxyUtils.sendRedirect(httpServletRequest, httpServletResponse, StringHelper.pjoin(new Object[]{getRmAppPageUrlBase(applicationId), applicationId.toString()}));
        } else if (appReportSource == AppReportFetcher.AppReportSource.AHS) {
            LOG.debug("Original tracking url is '{}'. Redirecting to AHS app page", str == null ? "NULL" : str);
            ProxyUtils.sendRedirect(httpServletRequest, httpServletResponse, StringHelper.pjoin(new Object[]{getAhsAppPageUrlBase(), applicationId.toString()}));
        }
        return uri;
    }

    private AppReportFetcher.FetchedAppReport getFetchedAppReport(ApplicationId applicationId) throws IOException, YarnException {
        AppReportFetcher.FetchedAppReport applicationReport = getApplicationReport(applicationId);
        if (applicationReport == null || applicationReport.getAppReportSource() == AppReportFetcher.AppReportSource.RM || applicationReport.getAppReportSource() == AppReportFetcher.AppReportSource.AHS) {
            return applicationReport;
        }
        throw new UnsupportedOperationException("Application report not fetched from RM or history server.");
    }

    private boolean handleRedirect(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        boolean z = false;
        try {
            z = NetUtils.getLocalInetAddress(httpServletRequest.getRemoteHost()) != null;
        } catch (SocketException e) {
        }
        if (z) {
            LOG.error("The AM's web app redirected the RM web proxy's request back to the web proxy. The typical cause is that the AM is resolving the RM's address as something other than what it expects. Check your network configuration and the value of the yarn.web-proxy.address property. Once the host resolution issue has been resolved, you will likely need to delete the misbehaving application, " + str);
            String pjoin = StringHelper.pjoin(new Object[]{this.failurePageUrlBase, str});
            LOG.error("REDIRECT: sending redirect to " + pjoin);
            ProxyUtils.sendRedirect(httpServletRequest, httpServletResponse, pjoin);
        }
        return z;
    }

    private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
        objectInputStream.defaultReadObject();
        this.conf = new YarnConfiguration();
        this.trackingUriPlugins = this.conf.getInstances("yarn.tracking.url.generator", TrackingUriPlugin.class);
    }
}
