package org.apache.hadoop.fs.azure;

import com.fasterxml.jackson.core.JsonParseException;
import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.PrivilegedExceptionAction;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.Validate;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.azure.security.Constants;
import org.apache.hadoop.fs.azure.security.SecurityUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticator;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.codehaus.jackson.map.JsonMappingException;
import org.codehaus.jackson.map.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.class */
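/**
 * {@link WasbAuthorizerInterface} implementation that delegates every authorization
 * decision to a remote HTTP service.
 *
 * <p>For each check, a GET request is built against the configured service URL with the
 * path {@code /CHECK_AUTHORIZATION}. The WASB path and the operation type are sent as
 * query parameters, and the JSON body of the reply is mapped to a
 * {@link RemoteAuthorizerResponse}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The check fails closed: a null response, a non-zero response code, a transport
 *       error or an interruption all end in an exception, never in a {@code true}
 *       result.</li>
 *   <li>When a delegation token is available it travels in the URL query string
 *       ({@code delegation=...}). Query strings are commonly recorded by proxies and
 *       access logs, and this class does not itself check the scheme of the configured
 *       URL. NOTE(review): confirm that the deployment uses HTTPS and that logs on the
 *       service side are handled as credential-bearing.</li>
 *   <li>For proxy users the effective short user name is sent in the
 *       {@link Constants#DOAS_PARAM} parameter while the request itself runs as the real
 *       user. NOTE(review): the remote service is presumably responsible for checking
 *       that the real user may impersonate the effective one; verify on the service
 *       side.</li>
 * </ul>
 */
public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
    public static final Logger LOG = LoggerFactory.getLogger(RemoteWasbAuthorizerImpl.class);

    /** Configuration key naming the remote authorization service URL. */
    public static final String KEY_REMOTE_AUTH_SERVICE_URL = "fs.azure.authorization.remote.service.url";

    private static final String CHECK_AUTHORIZATION_OP = "CHECK_AUTHORIZATION";
    private static final String ACCESS_OPERATION_QUERY_PARAM_NAME = "operation_type";
    private static final String WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME = "wasb_absolute_path";
    private static final String DELEGATION_TOKEN_QUERY_PARAM_NAME = "delegation";

    // Shared mapper instead of one allocation per authorization check; it is only used
    // for readValue and is never reconfigured after construction.
    private static final ObjectMapper RESPONSE_MAPPER = new ObjectMapper();

    private String delegationToken;
    private boolean isSecurityEnabled;
    private boolean isKerberosSupportEnabled;
    private String remoteAuthorizerServiceUrl = null;
    private WasbRemoteCallHelper remoteCallHelper = null;

    /**
     * Replaces the helper used to perform the remote GET request.
     *
     * <p>Intended for tests only. The helper is the component that fetches the
     * authorization decision, so whoever can call this method controls what
     * {@link #authorize(String, String)} parses.
     *
     * @param wasbRemoteCallHelper helper to use for subsequent remote calls
     */
    @VisibleForTesting
    public void updateWasbRemoteCallHelper(WasbRemoteCallHelper wasbRemoteCallHelper) {
        this.remoteCallHelper = wasbRemoteCallHelper;
    }

    /**
     * Reads the delegation token, the remote service URL and the security switches.
     *
     * @param configuration source of the service URL and the Kerberos-support flag
     * @throws WasbAuthorizationException if no remote service URL is configured
     * @throws IOException if an {@link IOException} is raised while initializing; it is
     *     logged and rethrown wrapped with a delegation-token message
     */
    @Override
    public void init(Configuration configuration) throws WasbAuthorizationException, IOException {
        LOG.debug("Initializing RemoteWasbAuthorizerImpl instance");
        try {
            this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
            this.remoteAuthorizerServiceUrl = SecurityUtils.getRemoteAuthServiceUrls(configuration);
            if (this.remoteAuthorizerServiceUrl == null || this.remoteAuthorizerServiceUrl.isEmpty()) {
                throw new WasbAuthorizationException(KEY_REMOTE_AUTH_SERVICE_URL + " config not set in configuration.");
            }
            this.remoteCallHelper = new WasbRemoteCallHelper();
            this.isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
            this.isKerberosSupportEnabled = configuration.getBoolean(Constants.AZURE_KERBEROS_SUPPORT_PROPERTY_NAME, false);
        } catch (IOException e) {
            // NOTE(review): every IOException raised in the block above is reported with
            // this delegation-token message, whichever call raised it. If
            // WasbAuthorizationException is an IOException subtype, the missing-URL error
            // is relabelled here as well -- confirm against its declaration.
            LOG.error("Error in fetching the WASB delegation token", e);
            throw new IOException("Error in fetching the WASB delegation token", e);
        }
    }

    /**
     * Asks the remote service whether an operation on a WASB path is allowed.
     *
     * @param str value sent as the {@code wasb_absolute_path} query parameter
     * @param str2 value sent as the {@code operation_type} query parameter
     * @return the authorization result carried by the remote response
     * @throws WasbAuthorizationException if the response is null, reports a non-zero
     *     response code, cannot be mapped, the URL is malformed, the remote call fails,
     *     or the calling thread is interrupted
     * @throws IOException if user lookup, re-login, authentication or the request fails
     */
    @Override
    public boolean authorize(String str, String str2) throws WasbAuthorizationException, IOException {
        try {
            final URIBuilder uriBuilder = new URIBuilder(this.remoteAuthorizerServiceUrl);
            uriBuilder.setPath("/" + CHECK_AUTHORIZATION_OP);
            uriBuilder.addParameter(WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME, str);
            uriBuilder.addParameter(ACCESS_OPERATION_QUERY_PARAM_NAME, str2);
            if (this.isSecurityEnabled && StringUtils.isNotEmpty(this.delegationToken)) {
                // The token is a bearer credential placed in the query string: keep the
                // built URI out of log statements and exception messages.
                uriBuilder.addParameter(DELEGATION_TOKEN_QUERY_PARAM_NAME, this.delegationToken);
            }

            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            UserGroupInformation connectUser = currentUser.getRealUser();
            if (connectUser == null) {
                connectUser = currentUser;
            } else {
                // Proxy-user case: connect as the real user and name the effective user.
                uriBuilder.addParameter(Constants.DOAS_PARAM, currentUser.getShortUserName());
            }
            if (this.isSecurityEnabled && !connectUser.hasKerberosCredentials()) {
                // Without Kerberos credentials on the connecting user, fall back to the
                // process login user.
                connectUser = UserGroupInformation.getLoginUser();
            }
            connectUser.checkTGTAndReloginFromKeytab();

            try {
                // Anonymous class rather than a lambda: the action type stays explicit.
                String responseBody = connectUser.doAs(new PrivilegedExceptionAction<String>() {
                    @Override
                    public String run() throws Exception {
                        HttpGet httpGet = new HttpGet(uriBuilder.build());
                        boolean hasDelegationToken = delegationToken != null && !delegationToken.isEmpty();
                        // SPNEGO is negotiated only when no delegation token was attached.
                        if (isKerberosSupportEnabled && UserGroupInformation.isSecurityEnabled() && !hasDelegationToken) {
                            AuthenticatedURL.Token token = new AuthenticatedURL.Token();
                            try {
                                new KerberosDelegationTokenAuthenticator().authenticate(uriBuilder.build().toURL(), token);
                                // Validate.isTrue rejects an unset token, so the request is
                                // never sent without the authentication cookie on this path.
                                Validate.isTrue(token.isSet(), "Authenticated Token is NOT present. The request cannot proceed.");
                                httpGet.setHeader("Cookie", "hadoop.auth=" + token);
                            } catch (AuthenticationException e) {
                                throw new IOException("Authentication failed in check authorization", e);
                            }
                        }
                        return remoteCallHelper.makeRemoteGetRequest(httpGet);
                    }
                });

                // NOTE(review): this mapper is the org.codehaus one while the
                // JsonParseException caught below is imported from com.fasterxml, so a
                // parse failure raised by this mapper presumably leaves as a plain
                // IOException. That is still a denial; confirm the intended type.
                RemoteAuthorizerResponse response = RESPONSE_MAPPER.readValue(responseBody, RemoteAuthorizerResponse.class);
                if (response == null) {
                    throw new WasbAuthorizationException("RemoteAuthorizerResponse object null from remote call");
                }
                if (response.getResponseCode() != 0) {
                    // Fail closed: a service-side error is never read as a decision.
                    throw new WasbAuthorizationException("Remote authorization serivce encountered an error " + response.getResponseMessage());
                }
                return response.getAuthorizationResult();
            } catch (InterruptedException e) {
                // Restore the interrupt status so callers up the stack still see it.
                Thread.currentThread().interrupt();
                LOG.error("Error in check authorization", e);
                throw new WasbAuthorizationException("Error in check authorize", e);
            }
        } catch (URISyntaxException | WasbRemoteCallException | JsonParseException | JsonMappingException e2) {
            throw new WasbAuthorizationException(e2);
        }
    }
}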
