package org.apache.hive.service.cli.thrift;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.NewCookie;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.shims.HadoopShims;
import org.apache.hadoop.hive.shims.HttpUtils;
import org.apache.hadoop.hive.shims.ShimLoader;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hive.service.CookieSigner;
import org.apache.hive.service.auth.AuthenticationProviderFactory;
import org.apache.hive.service.auth.HiveAuthFactory;
import org.apache.hive.service.auth.HttpAuthUtils;
import org.apache.hive.service.auth.HttpAuthenticationException;
import org.apache.hive.service.cli.HiveSQLException;
import org.apache.hive.service.cli.session.SessionManager;
import org.apache.thrift.TProcessor;
import org.apache.thrift.protocol.TProtocolFactory;
import org.apache.thrift.server.TServlet;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hive/service/cli/thrift/ThriftHttpServlet.class */
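/**
 * Thrift-over-HTTP transport servlet for HiveServer2.
 *
 * <p>Every POST is authenticated before it is handed to the Thrift processor. Depending on the
 * configured {@code authType} the credential is a signed session cookie, a SPNEGO/Kerberos
 * ticket, a Hive delegation token (sent in {@value #HIVE_DELEGATION_TOKEN_HEADER}) or a Basic
 * username/password pair. The resulting identity, the client address and an optional
 * {@code doAs} proxy user are published through {@link SessionManager} for the duration of the
 * request and cleared afterwards.
 *
 * <p>When cookie authentication is enabled, the cookie-signing secret is generated per servlet
 * instance from a CSPRNG, so cookies issued by one server process cannot be verified by another
 * or survive a restart.
 */
public class ThriftHttpServlet extends TServlet {
    private static final long serialVersionUID = 1;
    /** Configured authentication mode (compared case-insensitively with {@link HiveAuthFactory.AuthTypes}). */
    private final String authType;
    /** Identity of the hive/_HOST service principal; used for SPNEGO when {@link #httpUGI} is absent or fails. */
    private final UserGroupInformation serviceUGI;
    /** Identity of the http/_HOST principal, tried first for SPNEGO; may be null. */
    private final UserGroupInformation httpUGI;
    private final HiveConf hiveConf;
    /** Signs and verifies {@link #AUTH_COOKIE}; only set when cookie auth is enabled. */
    private CookieSigner signer;
    public static final String AUTH_COOKIE = "hive.server2.auth";
    private boolean isCookieAuthEnabled;
    private String cookieDomain;
    private String cookiePath;
    private int cookieMaxAge;
    private boolean isCookieSecure;
    private boolean isHttpOnlyCookie;
    private final HiveAuthFactory hiveAuthFactory;
    private static final String HIVE_DELEGATION_TOKEN_HEADER = "X-Hive-Delegation-Token";
    private static final String X_FORWARDED_FOR = "X-Forwarded-For";
    public static final Logger LOG = LoggerFactory.getLogger(ThriftHttpServlet.class.getName());
    /** Size of the per-instance cookie-signing secret. */
    private static final int COOKIE_SECRET_BYTES = 32;
    /** The secret is the only thing protecting cookie integrity, so it must come from a CSPRNG. */
    private static final SecureRandom RAN = new SecureRandom();
    /** Kerberos v5 mechanism OID. */
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
    /** Kerberos v5 principal-name name type OID. */
    private static final String KRB5_PRINCIPAL_NAME_OID = "1.2.840.113554.1.2.2.1";
    /** SPNEGO mechanism OID. */
    private static final String SPNEGO_MECH_OID = "1.3.6.1.5.5.2";

    /**
     * Accepts the client's SPNEGO/Kerberos token on behalf of a server principal and returns the
     * authenticated client's short name. Intended to be run through
     * {@link UserGroupInformation#doAs(PrivilegedExceptionAction)} so the acceptor holds the
     * principal's Kerberos credentials.
     */
    public class HttpKerberosServerAction implements PrivilegedExceptionAction<String> {
        final HttpServletRequest request;
        final UserGroupInformation serviceUGI;

        HttpKerberosServerAction(HttpServletRequest httpServletRequest, UserGroupInformation userGroupInformation) {
            this.request = httpServletRequest;
            this.serviceUGI = userGroupInformation;
        }

        /**
         * Runs a single-round-trip GSS accept against the token from the Authorization header.
         *
         * @return the client principal with realm and host stripped
         * @throws HttpAuthenticationException if the header is unusable, the GSS exchange fails,
         *         or the context is not established after one token (multi-leg exchanges are not
         *         continued here)
         */
        @Override
        public String run() throws HttpAuthenticationException {
            GSSManager manager = GSSManager.getInstance();
            String serverPrincipal = getPrincipalWithoutRealm(serviceUGI.getUserName());
            GSSContext gssContext = null;
            try {
                Oid krb5Mechanism = new Oid(KRB5_MECH_OID);
                Oid spnegoMechanism = new Oid(SPNEGO_MECH_OID);
                Oid krb5PrincipalNameType = new Oid(KRB5_PRINCIPAL_NAME_OID);
                // Acceptor-only credential for the server principal, offering both Kerberos and SPNEGO.
                GSSCredential serverCreds = manager.createCredential(
                        manager.createName(serverPrincipal, krb5PrincipalNameType),
                        GSSCredential.DEFAULT_LIFETIME,
                        new Oid[] {krb5Mechanism, spnegoMechanism},
                        GSSCredential.ACCEPT_ONLY);
                gssContext = manager.createContext(serverCreds);
                // The header carries the client's service ticket, base64-encoded after the scheme prefix.
                byte[] inToken = Base64.decodeBase64(
                        ThriftHttpServlet.this.getAuthHeader(request, ThriftHttpServlet.this.authType));
                gssContext.acceptSecContext(inToken, 0, inToken.length);
                if (!gssContext.isEstablished()) {
                    throw new HttpAuthenticationException("Kerberos authentication failed: unable to establish context with the service ticket provided by the client.");
                }
                return getPrincipalWithoutRealmAndHost(gssContext.getSrcName().toString());
            } catch (GSSException e) {
                throw new HttpAuthenticationException("Kerberos authentication failed: ", e);
            } finally {
                if (gssContext != null) {
                    try {
                        gssContext.dispose();
                    } catch (GSSException ignored) {
                        // The context is discarded either way; a disposal failure does not change the outcome.
                    }
                }
            }
        }

        /**
         * Reduces a full Kerberos principal to {@code service/host} (or just {@code service} when
         * there is no host component).
         *
         * @throws HttpAuthenticationException if the principal cannot be parsed
         */
        private String getPrincipalWithoutRealm(String fullPrincipal) throws HttpAuthenticationException {
            try {
                HadoopShims.KerberosNameShim kerberosName = ShimLoader.getHadoopShims().getKerberosNameShim(fullPrincipal);
                String service = kerberosName.getServiceName();
                String host = kerberosName.getHostName();
                return host == null ? service : service + "/" + host;
            } catch (IOException e) {
                throw new HttpAuthenticationException(e);
            }
        }

        /**
         * Reduces a full Kerberos principal to its short name (no realm, no host).
         *
         * @throws HttpAuthenticationException if the principal cannot be parsed
         */
        private String getPrincipalWithoutRealmAndHost(String fullPrincipal) throws HttpAuthenticationException {
            try {
                return ShimLoader.getHadoopShims().getKerberosNameShim(fullPrincipal).getShortName();
            } catch (IOException e) {
                throw new HttpAuthenticationException(e);
            }
        }
    }

    /**
     * Creates the servlet and, when cookie auth is enabled in the (freshly loaded) HiveConf,
     * generates the cookie-signing secret and reads the cookie attributes.
     *
     * @param tProcessor Thrift processor handed to {@link TServlet}
     * @param tProtocolFactory Thrift protocol factory handed to {@link TServlet}
     * @param authType configured authentication mode
     * @param serviceUGI identity of the hive/_HOST principal
     * @param httpUGI identity of the http/_HOST principal, may be null
     * @param hiveAuthFactory used to verify delegation tokens
     */
    public ThriftHttpServlet(TProcessor tProcessor, TProtocolFactory tProtocolFactory, String authType,
            UserGroupInformation serviceUGI, UserGroupInformation httpUGI, HiveAuthFactory hiveAuthFactory) {
        super(tProcessor, tProtocolFactory);
        this.hiveConf = new HiveConf();
        this.authType = authType;
        this.serviceUGI = serviceUGI;
        this.httpUGI = httpUGI;
        this.hiveAuthFactory = hiveAuthFactory;
        this.isCookieAuthEnabled = hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_COOKIE_AUTH_ENABLED);
        if (isCookieAuthEnabled) {
            // Fresh random secret per instance; never written to the log.
            byte[] secret = new byte[COOKIE_SECRET_BYTES];
            RAN.nextBytes(secret);
            this.signer = new CookieSigner(secret);
            LOG.debug("Generated a {}-byte random secret for cookie signing", COOKIE_SECRET_BYTES);
            this.cookieMaxAge = (int) hiveConf.getTimeVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_COOKIE_MAX_AGE, TimeUnit.SECONDS);
            this.cookieDomain = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_COOKIE_DOMAIN);
            this.cookiePath = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_COOKIE_PATH);
            // The Secure flag follows the server's own TLS setting.
            this.isCookieSecure = hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_USE_SSL);
            this.isHttpOnlyCookie = hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_COOKIE_IS_HTTPONLY);
        }
    }

    /**
     * Authenticates the request, publishes the caller's identity to {@link SessionManager},
     * delegates to the Thrift processor and finally clears that state again.
     *
     * <p>Order of checks: optional XSRF filter, then the signed cookie (if enabled), then the
     * mode-specific credential. A failed cookie triggers issuance of a new one after a successful
     * credential check (except in NOSASL mode). Authentication failures answer 401 with a
     * {@code WWW-Authenticate: Negotiate} challenge in Kerberos mode.
     *
     * @throws ServletException from the Thrift processor
     * @throws IOException from the Thrift processor or while writing the error body
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String clientUserName = null;
        boolean requireNewCookie = false;
        try {
            // When the filter rejects the request nothing more is written; the response is left as the filter produced it.
            if (hiveConf.getBoolean(HiveConf.ConfVars.HIVE_SERVER2_XSRF_FILTER_ENABLED.varname, false)
                    && !HttpUtils.doXsrfFilter(request, response, (Set<String>) null, (String) null)) {
                LOG.warn("Request did not have valid XSRF header, rejecting.");
                return;
            }
            if (isCookieAuthEnabled) {
                clientUserName = validateCookie(request);
                requireNewCookie = clientUserName == null;
                if (requireNewCookie) {
                    LOG.info("Could not validate cookie sent, will try to generate a new cookie");
                }
            }
            if (clientUserName == null) {
                clientUserName = authenticate(request, response);
            }
            LOG.debug("Client username: " + clientUserName);
            SessionManager.setUserName(clientUserName);
            // doAs is recorded here only; whether this user may proxy is decided downstream.
            String doAsUser = getDoAsQueryParam(request.getQueryString());
            if (doAsUser != null) {
                SessionManager.setProxyUserName(doAsUser);
            }
            String clientIpAddress = request.getRemoteAddr();
            LOG.debug("Client IP Address: " + clientIpAddress);
            SessionManager.setIpAddress(clientIpAddress);
            // X-Forwarded-For is client-supplied and unverified; it is recorded as-is, not used for any decision here.
            String forwardedFor = request.getHeader(X_FORWARDED_FOR);
            if (forwardedFor != null) {
                LOG.debug("{}:{}", X_FORWARDED_FOR, forwardedFor);
                SessionManager.setForwardedAddresses(Arrays.asList(forwardedFor.split(",")));
            } else {
                SessionManager.setForwardedAddresses(Collections.emptyList());
            }
            if (requireNewCookie && !authType.equalsIgnoreCase(HiveAuthFactory.AuthTypes.NOSASL.toString())) {
                Cookie authCookie = createCookie(signer.signCookie(HttpAuthUtils.createCookieToken(clientUserName)));
                if (isHttpOnlyCookie) {
                    response.setHeader("SET-COOKIE", getHttpOnlyCookieHeader(authCookie));
                } else {
                    response.addCookie(authCookie);
                }
                LOG.info("Cookie added for clientUserName " + clientUserName);
            }
            super.doPost(request, response);
        } catch (HttpAuthenticationException e) {
            LOG.error("Error: ", e);
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            if (isKerberosAuthMode(authType)) {
                response.addHeader(HttpAuthUtils.WWW_AUTHENTICATE, HttpAuthUtils.NEGOTIATE);
            }
            response.getWriter().println("Authentication Error: " + e.getMessage());
        } finally {
            clearSessionState();
        }
    }

    /**
     * Runs the credential check for the configured mode: Kerberos/SPNEGO (or a delegation token
     * when the {@value #HIVE_DELEGATION_TOKEN_HEADER} header is present) or username/password.
     *
     * @return the authenticated user name
     * @throws HttpAuthenticationException if the credential is missing or invalid
     */
    private String authenticate(HttpServletRequest request, HttpServletResponse response) throws HttpAuthenticationException {
        if (!isKerberosAuthMode(authType)) {
            return doPasswdAuth(request, authType);
        }
        String delegationToken = request.getHeader(HIVE_DELEGATION_TOKEN_HEADER);
        if (delegationToken == null || delegationToken.isEmpty()) {
            return doKerberosAuth(request);
        }
        return doTokenAuth(request, response);
    }

    /**
     * Clears every identity attribute published through {@link SessionManager} so nothing from
     * this request is visible to the next one (the static state is presumably thread-local —
     * verify against SessionManager).
     */
    private static void clearSessionState() {
        SessionManager.clearUserName();
        SessionManager.clearIpAddress();
        SessionManager.clearProxyUserName();
        SessionManager.clearForwardedAddresses();
    }

    /**
     * Finds the first {@link #AUTH_COOKIE} whose signature verifies and whose token yields a
     * user name.
     *
     * @return the user name, or null if no cookie verified
     */
    private String getClientNameFromCookie(Cookie[] cookies) {
        for (Cookie cookie : cookies) {
            if (!cookie.getName().equals(AUTH_COOKIE)) {
                continue;
            }
            // A tampered or foreign cookie fails verification and is simply skipped.
            String cookieToken = signer.verifyAndExtract(cookie.getValue());
            if (cookieToken == null) {
                continue;
            }
            String userName = HttpAuthUtils.getUserNameFromCookieToken(cookieToken);
            if (userName != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Validated the cookie for user " + userName);
                }
                return userName;
            }
            LOG.warn("Invalid cookie token " + cookieToken);
        }
        return null;
    }

    /**
     * Renders the cookie names received for debug logging. Values are deliberately omitted:
     * the auth cookie value is the client's session credential and must not end up in logs.
     */
    private String toCookieStr(Cookie[] cookies) {
        StringBuilder names = new StringBuilder();
        for (Cookie cookie : cookies) {
            names.append(cookie.getName()).append(" ;\n");
        }
        return names.toString();
    }

    /**
     * Extracts the user name from a verified auth cookie on the request, if any.
     *
     * @return the user name, or null if the request has no cookies or none verified
     */
    private String validateCookie(HttpServletRequest request) throws UnsupportedEncodingException {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No valid cookies associated with the request " + request);
            }
            return null;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Received cookies: " + toCookieStr(cookies));
        }
        return getClientNameFromCookie(cookies);
    }

    /**
     * Builds the auth cookie for a signed token, applying the configured max-age, domain, path
     * and Secure flag. HttpOnly is handled by {@link #getHttpOnlyCookieHeader(Cookie)}.
     */
    private Cookie createCookie(String signedToken) throws UnsupportedEncodingException {
        // Only the name is logged; the signed value is a credential.
        LOG.debug("Cookie name = {}", AUTH_COOKIE);
        Cookie cookie = new Cookie(AUTH_COOKIE, signedToken);
        cookie.setMaxAge(cookieMaxAge);
        if (cookieDomain != null) {
            cookie.setDomain(cookieDomain);
        }
        if (cookiePath != null) {
            cookie.setPath(cookiePath);
        }
        cookie.setSecure(isCookieSecure);
        return cookie;
    }

    /**
     * Serializes the cookie as a Set-Cookie header value with {@code HttpOnly} appended,
     * presumably because the servlet Cookie API in use has no HttpOnly setter.
     */
    private static String getHttpOnlyCookieHeader(Cookie cookie) {
        NewCookie setCookie = new NewCookie(cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(),
                cookie.getVersion(), cookie.getComment(), cookie.getMaxAge(), cookie.getSecure());
        return setCookie + "; HttpOnly";
    }

    /**
     * Basic-auth check. In NOSASL mode the user name is accepted without any credential
     * verification; otherwise the configured authentication provider validates the password.
     *
     * @return the user name from the Authorization header
     * @throws HttpAuthenticationException if the header is unusable or the provider rejects the credentials
     */
    private String doPasswdAuth(HttpServletRequest request, String authType) throws HttpAuthenticationException {
        String userName = getUsername(request, authType);
        if (authType.equalsIgnoreCase(HiveAuthFactory.AuthTypes.NOSASL.toString())) {
            return userName;
        }
        try {
            AuthenticationProviderFactory
                    .getAuthenticationProvider(AuthenticationProviderFactory.AuthMethods.getValidAuthMethod(authType), hiveConf)
                    .Authenticate(userName, getPassword(request, authType));
        } catch (Exception e) {
            throw new HttpAuthenticationException(e);
        }
        return userName;
    }

    /**
     * Verifies the delegation token from {@value #HIVE_DELEGATION_TOKEN_HEADER}.
     *
     * @param response unused; kept for signature compatibility
     * @return the user the token was issued to
     * @throws HttpAuthenticationException if the token does not verify
     */
    private String doTokenAuth(HttpServletRequest request, HttpServletResponse response) throws HttpAuthenticationException {
        try {
            return hiveAuthFactory.verifyDelegationToken(request.getHeader(HIVE_DELEGATION_TOKEN_HEADER));
        } catch (HiveSQLException e) {
            throw new HttpAuthenticationException(e);
        }
    }

    /**
     * SPNEGO check: first as the http/_HOST principal (if configured), then as hive/_HOST.
     *
     * @return the client's short principal name
     * @throws HttpAuthenticationException if both attempts fail
     */
    private String doKerberosAuth(HttpServletRequest request) throws HttpAuthenticationException {
        if (httpUGI != null) {
            try {
                return (String) httpUGI.doAs(new HttpKerberosServerAction(request, httpUGI));
            } catch (Exception e) {
                LOG.info("Failed to authenticate with http/_HOST kerberos principal, trying with hive/_HOST kerberos principal");
                LOG.debug("http/_HOST authentication failure", e);
            }
        }
        try {
            return (String) serviceUGI.doAs(new HttpKerberosServerAction(request, serviceUGI));
        } catch (Exception e) {
            LOG.error("Failed to authenticate with hive/_HOST kerberos principal");
            throw new HttpAuthenticationException(e);
        }
    }

    /**
     * @return the user-name field of the Basic credentials
     * @throws HttpAuthenticationException if the header lacks a user name
     */
    private String getUsername(HttpServletRequest request, String authType) throws HttpAuthenticationException {
        String[] credentials = getAuthHeaderTokens(request, authType);
        if (credentials.length < 1 || credentials[0] == null || credentials[0].isEmpty()) {
            throw new HttpAuthenticationException("Authorization header received from the client does not contain username.");
        }
        return credentials[0];
    }

    /**
     * @return the password field of the Basic credentials
     * @throws HttpAuthenticationException if the header lacks a password
     */
    private String getPassword(HttpServletRequest request, String authType) throws HttpAuthenticationException {
        String[] credentials = getAuthHeaderTokens(request, authType);
        // Guard the length: a header without ':' would otherwise raise ArrayIndexOutOfBounds here.
        if (credentials.length < 2 || credentials[1] == null || credentials[1].isEmpty()) {
            throw new HttpAuthenticationException("Authorization header received from the client does not contain password.");
        }
        return credentials[1];
    }

    /**
     * Decodes the Basic credentials into {@code {user, password}}.
     * The split is limited to two fields so a password containing ':' (allowed by RFC 7617)
     * is not truncated; a header without ':' yields a one-element array.
     */
    private String[] getAuthHeaderTokens(HttpServletRequest request, String authType) throws HttpAuthenticationException {
        String decoded = StringUtils.newStringUtf8(Base64.decodeBase64(getAuthHeader(request, authType)));
        return decoded.split(":", 2);
    }

    /**
     * Returns the credential part of the Authorization header, i.e. what follows the
     * {@code Negotiate } prefix in Kerberos mode or the {@code Basic } prefix otherwise.
     *
     * @throws HttpAuthenticationException if the header is missing, uses a different scheme,
     *         or carries no data after the scheme
     */
    public String getAuthHeader(HttpServletRequest request, String authType) throws HttpAuthenticationException {
        String authHeader = request.getHeader(HttpAuthUtils.AUTHORIZATION);
        if (authHeader == null || authHeader.isEmpty()) {
            throw new HttpAuthenticationException("Authorization header received from the client is empty.");
        }
        String schemePrefix = isKerberosAuthMode(authType) ? "Negotiate " : "Basic ";
        // Scheme names are case-insensitive (RFC 7235). regionMatches is false for a too-short header,
        // so substring() below cannot run off the end.
        if (!authHeader.regionMatches(true, 0, schemePrefix, 0, schemePrefix.length())) {
            throw new HttpAuthenticationException("Authorization header received from the client does not use the expected "
                    + schemePrefix.trim() + " scheme.");
        }
        String authData = authHeader.substring(schemePrefix.length());
        if (authData.isEmpty()) {
            throw new HttpAuthenticationException("Authorization header received from the client does not contain any data.");
        }
        return authData;
    }

    /** @return whether the given mode is Kerberos (case-insensitive). */
    private boolean isKerberosAuthMode(String authType) {
        return authType.equalsIgnoreCase(HiveAuthFactory.AuthTypes.KERBEROS.toString());
    }

    /**
     * Returns the first value of the {@code doAs} query parameter (name matched
     * case-insensitively), or null when the query string is absent or has no such parameter.
     */
    @SuppressWarnings("unchecked") // parseQueryString returns a raw Hashtable whose values are String[]
    private static String getDoAsQueryParam(String queryString) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("URL query string:" + queryString);
        }
        if (queryString == null) {
            return null;
        }
        Hashtable<String, String[]> params = javax.servlet.http.HttpUtils.parseQueryString(queryString);
        for (String name : params.keySet()) {
            if (name.equalsIgnoreCase("doAs")) {
                return params.get(name)[0];
            }
        }
        return null;
    }
}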
