package org.apache.ambari.logsearch.web.filters;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.ambari.logsearch.conf.LogSearchSpnegoConfig;
import org.apache.commons.collections.iterators.IteratorEnumeration;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* loaded from: input_file:org/apache/ambari/logsearch/web/filters/LogsearchKRBAuthenticationFilter.class */
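/**
 * Servlet filter that creates a Log Search Spring Security session for a user whose name is
 * carried in the {@code hadoop.auth} cookie, delegating everything else to
 * {@link LogsearchKrbFilter}.
 *
 * <p>The filter only acts on requests that do NOT match the {@link RequestMatcher} given to the
 * constructor (the matcher is wrapped in a {@link NegatedRequestMatcher}), and only when SPNEGO
 * is enabled and fully configured (see {@link #isSpnegoEnable()}).
 *
 * <p>NOTE(review): the behaviour of the superclass (token signing, verification, cookie issuing)
 * is not visible in this file; comments below that depend on it are marked as assumptions.
 */
public class LogsearchKRBAuthenticationFilter extends LogsearchKrbFilter {

    @Inject
    private LogSearchSpnegoConfig logSearchSpnegoConfig;
    private static final String NAME_RULES_PARAM = "kerberos.name.rules";
    private static final String TOKEN_VALID_PARAM = "token.validity";
    private static final String COOKIE_DOMAIN_PARAM = "cookie.domain";
    private static final String COOKIE_PATH_PARAM = "cookie.path";
    private static final String PRINCIPAL_PARAM = "kerberos.principal";
    private static final String KEYTAB_PARAM = "kerberos.keytab";
    private static final String AUTH_TYPE = "type";
    private static final String AUTH_COOKIE_NAME = "hadoop.auth";
    private static final String DEFAULT_USER_ROLE = "ROLE_USER";
    // Falls back to "simple" unless init() finds SPNEGO enabled and switches it to "kerberos".
    private String authType = "simple";
    private final RequestMatcher requestMatcher;
    private static final Logger logger = LoggerFactory.getLogger(LogsearchKRBAuthenticationFilter.class);
    private static final NoServletContext NO_SERVLET_CONTEXT = new NoServletContext();
    // Captures the value following "u=" up to the next '&' (group 1) or, when there is no '&',
    // up to the end of the input (group 2). Callers read group 1 only.
    private static final Pattern usernamePattern = Pattern.compile("(?<=u=)(.*?)(?=&)|(?<=u=)(.*)");
    // Static, so shared by every instance of this filter; written from postConstruct().
    private static boolean spnegoEnable = false;

    /**
     * @param requestMatcher requests matching this matcher are passed through untouched; the
     *                       filter logic applies to every other request
     */
    public LogsearchKRBAuthenticationFilter(RequestMatcher requestMatcher) {
        this.requestMatcher = new NegatedRequestMatcher(requestMatcher);
    }

    /**
     * Resolves the SPNEGO flag and initialises the filter once dependencies are injected.
     * An initialisation failure is logged (with its stack trace) and not rethrown, so the bean
     * is still created.
     */
    @PostConstruct
    public void postConstruct() {
        try {
            isSpnegoEnable();
            init(null);
        } catch (ServletException e) {
            // Pass the exception itself so the cause and stack trace are not lost.
            logger.error("Error while initializing Filter : " + e.getMessage(), e);
        }
    }

    /**
     * Initialises the superclass with a synthetic {@link FilterConfig} built from
     * {@link LogSearchSpnegoConfig} instead of the container-supplied configuration.
     *
     * @param filterConfig container configuration; may be {@code null}, in which case a
     *                     placeholder servlet context is exposed to the superclass
     * @throws ServletException if the superclass initialisation fails
     */
    @Override // org.apache.ambari.logsearch.web.filters.LogsearchKrbFilter
    public void init(final FilterConfig filterConfig) throws ServletException {
        // Result unused; kept from the original (it fails fast if the config was not injected).
        this.logSearchSpnegoConfig.getHostName();
        // The config getters' return types are not visible here, so values are stored as Object
        // and cast to String on read, exactly as the original did.
        final HashMap<String, Object> params = new HashMap<String, Object>();
        if (spnegoEnable) {
            this.authType = "kerberos";
        }
        params.put(AUTH_TYPE, this.authType);
        params.put(NAME_RULES_PARAM, this.logSearchSpnegoConfig.getNameRules());
        params.put(TOKEN_VALID_PARAM, this.logSearchSpnegoConfig.getTokenValid());
        params.put(COOKIE_DOMAIN_PARAM, this.logSearchSpnegoConfig.getCookieDomain());
        params.put(COOKIE_PATH_PARAM, this.logSearchSpnegoConfig.getCookiePath());
        params.put(PRINCIPAL_PARAM, this.logSearchSpnegoConfig.getPrincipal());
        params.put(KEYTAB_PARAM, this.logSearchSpnegoConfig.getKeyTab());
        super.init(new FilterConfig() {
            @Override
            public ServletContext getServletContext() {
                return filterConfig != null ? filterConfig.getServletContext() : LogsearchKRBAuthenticationFilter.NO_SERVLET_CONTEXT;
            }

            @Override
            @SuppressWarnings("unchecked") // IteratorEnumeration is a raw type; the keys are all Strings
            public Enumeration<String> getInitParameterNames() {
                return new IteratorEnumeration(params.keySet().iterator());
            }

            @Override
            public String getInitParameter(String str) {
                return (String) params.get(str);
            }

            @Override
            public String getFilterName() {
                return "KerberosFilter";
            }
        });
    }

    /**
     * Second-stage filter callback. When the response already carries a {@code hadoop.auth}
     * {@code Set-Cookie} header with a user name and no authenticated user is bound to the
     * current security context, a session is created for that user and the chain continues.
     *
     * <p>The decompiler reports that this method was declared {@code protected} in the original
     * class; the {@code public} modifier is kept as it appears in this listing.
     *
     * <p>NOTE(review): presumably the superclass calls this after it has validated the Kerberos
     * token and set the cookie - confirm against LogsearchKrbFilter.
     *
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     */
    @Override // org.apache.ambari.logsearch.web.filters.LogsearchKrbFilter
    public void doFilter(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        logger.debug("LogsearchKRBAuthenticationFilter private filter");
        String usernameFromResponse = getUsernameFromResponse(httpServletResponse);
        if (StringUtils.isEmpty(usernameFromResponse)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null && authentication.isAuthenticated()) {
            try {
                super.doFilter(filterChain, httpServletRequest, httpServletResponse);
            } catch (Exception e) {
                // Failure is logged and swallowed, as in the original; the stack trace is now kept.
                logger.error("Error LogsearchKRBAuthenticationFilter : " + e.getMessage(), e);
            }
            return;
        }
        establishSecurityContext(usernameFromResponse, httpServletRequest);
        // NOTE(review): the existing session is reused after login. If no other component rotates
        // the session id on authentication, consider doing so here to guard against session fixation.
        httpServletRequest.getSession(true).setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
        httpServletRequest.setAttribute("spnegoEnabled", true);
        logger.info("Logged into Logsearch as = {}", usernameFromResponse);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Entry point invoked by the servlet container.
     *
     * <p>Requests are passed straight down the chain when they are excluded by the request
     * matcher, are a login POST, arrive while SPNEGO is disabled, or belong to a session that
     * already holds an authenticated context. Otherwise the user name is looked up in the
     * {@code hadoop.auth} request cookie: if one is found a security context is created for it,
     * if not the request is handed to the superclass.
     *
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     */
    @Override // org.apache.ambari.logsearch.web.filters.LogsearchKrbFilter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (!this.requestMatcher.matches(httpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        logger.debug("LogsearchKRBAuthenticationFilter public filter path >>>>{}", httpServletRequest.getPathInfo());
        SecurityContextImpl securityContextImpl = (SecurityContextImpl) httpServletRequest.getSession(true).getAttribute("SPRING_SECURITY_CONTEXT");
        Authentication authentication = securityContextImpl != null ? securityContextImpl.getAuthentication() : null;
        boolean alreadyAuthenticated = authentication != null && authentication.isAuthenticated();
        if (isLoginRequest(httpServletRequest) || !spnegoEnable || alreadyAuthenticated) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Sets process-wide Kerberos name rules on every request that reaches this point.
        KerberosName.setRules(this.logSearchSpnegoConfig.getNameRules());
        String usernameFromRequest = getUsernameFromRequest(httpServletRequest);
        // The original also re-tested "already authenticated" here; that case has returned above.
        if (StringUtils.isEmpty(usernameFromRequest)) {
            try {
                super.doFilter(servletRequest, servletResponse, filterChain);
            } catch (Exception e) {
                // Failure is logged and swallowed, as in the original; the stack trace is now kept.
                logger.error("Error LogsearchKRBAuthenticationFilter : " + e.getMessage(), e);
            }
            return;
        }
        // NOTE(review): usernameFromRequest is parsed straight out of the client-supplied
        // "hadoop.auth" cookie, and nothing in this class verifies that cookie's signature or
        // expiry before an authenticated token is built from it. Unless LogsearchKrbFilter or an
        // earlier filter (neither visible here) has already validated the cookie, the client
        // decides which identity it is logged in as. Prefer letting the superclass verify the
        // signed token and trusting only the user name it yields.
        establishSecurityContext(usernameFromRequest, httpServletRequest);
        servletRequest.setAttribute("spnegoEnabled", true);
        logger.info("Logged into Logsearch as = {}", usernameFromRequest);
        // NOTE(review): this branch ends without calling filterChain.doFilter or super.doFilter,
        // so no downstream handler runs for this request - confirm that is intended.
    }

    /**
     * Builds an authenticated token carrying {@code ROLE_USER} for the given user name and binds
     * it to the current thread's security context.
     */
    private void establishSecurityContext(String username, HttpServletRequest httpServletRequest) {
        List<GrantedAuthority> authorities = getAuthorities();
        AbstractAuthenticationToken token = new UsernamePasswordAuthenticationToken(new User(username, "", authorities), "", authorities);
        token.setDetails(new WebAuthenticationDetails(httpServletRequest));
        SecurityContextHolder.getContext().setAuthentication(getGrantedAuthority(authenticate(token)));
    }

    /**
     * Recomputes the static SPNEGO flag: true only when Kerberos is enabled in the configuration
     * and key tab, principal and host name are all non-empty.
     */
    private void isSpnegoEnable() {
        boolean enabled = false;
        if (this.logSearchSpnegoConfig.isKerberosEnabled()) {
            String keyTab = this.logSearchSpnegoConfig.getKeyTab();
            String principal = this.logSearchSpnegoConfig.getPrincipal();
            String hostName = this.logSearchSpnegoConfig.getHostName();
            enabled = StringUtils.isNotEmpty(keyTab) && StringUtils.isNotEmpty(principal) && StringUtils.isNotEmpty(hostName);
        }
        spnegoEnable = enabled;
    }

    /**
     * Re-wraps an authenticated token so that its principal is a Spring {@link User} holding the
     * default authorities; unauthenticated or {@code null} input is returned unchanged.
     */
    private Authentication getGrantedAuthority(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return authentication;
        }
        List<GrantedAuthority> authorities = getAuthorities();
        User principal = new User(authentication.getName(), authentication.getCredentials().toString(), authorities);
        UsernamePasswordAuthenticationToken wrapped = new UsernamePasswordAuthenticationToken(principal, authentication.getCredentials(), authorities);
        wrapped.setDetails(authentication.getDetails());
        return wrapped;
    }

    /** Returns a fresh list holding only the default {@code ROLE_USER} authority. */
    private List<GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority(DEFAULT_USER_ROLE));
        return authorities;
    }

    /**
     * Produces an authenticated token for the user named in {@code authentication}.
     *
     * <p>No credential is checked here: any non-empty name is accepted, so the caller is
     * responsible for having established that the name is genuine.
     *
     * @throws BadCredentialsException if the (HTML-unescaped) user name is null or empty
     */
    private Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        String credentials = (String) authentication.getCredentials();
        // NOTE(review): the name is HTML-unescaped before it becomes the principal, so the stored
        // identity can differ from the string that was supplied - confirm this is wanted.
        String username = StringEscapeUtils.unescapeHtml(name);
        if (StringUtils.isEmpty(username)) {
            throw new BadCredentialsException("Username can't be null or empty.");
        }
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(username, credentials, getAuthorities());
        // Carry the request details (set by the caller) over to the new token; the original
        // dropped them here, so getGrantedAuthority() always copied a null details object.
        result.setDetails(authentication.getDetails());
        return result;
    }

    /**
     * Extracts the {@code u=} value from the {@code hadoop.auth} request cookie.
     *
     * @return the user name, or {@code null} when the cookie is absent, has no {@code u=} field,
     *         or the field is not followed by {@code '&'} (only regex group 1 is read); when
     *         several such cookies are sent, the last one decides the result
     */
    private String getUsernameFromRequest(HttpServletRequest httpServletRequest) {
        String username = null;
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equalsIgnoreCase(AUTH_COOKIE_NAME)) {
                    Matcher matcher = usernamePattern.matcher(cookie.getName() + "=" + cookie.getValue());
                    if (matcher.find()) {
                        username = matcher.group(1);
                    }
                }
            }
        }
        logger.debug("kerberos username  from  request >>>>>>>>{}", username);
        return username;
    }

    /**
     * Extracts the {@code u=} value from the first {@code Set-Cookie} response header that starts
     * with {@code hadoop.auth} and yields a non-empty name.
     *
     * @return the user name, or {@code null} if no such header carries one
     */
    private String getUsernameFromResponse(HttpServletResponse httpServletResponse) {
        String username = null;
        if (httpServletResponse.containsHeader("Set-Cookie")) {
            Collection<String> headers = httpServletResponse.getHeaders("Set-Cookie");
            if (headers != null) {
                for (String header : headers) {
                    // regionMatches(ignoreCase) avoids the default-locale dependence of toLowerCase().
                    if (StringUtils.isNotEmpty(header) && header.regionMatches(true, 0, AUTH_COOKIE_NAME, 0, AUTH_COOKIE_NAME.length())) {
                        Matcher matcher = usernamePattern.matcher(header);
                        if (matcher.find()) {
                            username = matcher.group(1);
                        }
                    }
                    if (StringUtils.isNotEmpty(username)) {
                        break;
                    }
                }
            }
        }
        logger.debug("kerberos username  from  response >>>>>>>>{}", username);
        return username;
    }

    /** Returns true for a POST whose request URI is exactly {@code /login} (case-insensitive). */
    private boolean isLoginRequest(HttpServletRequest httpServletRequest) {
        return "POST".equalsIgnoreCase(httpServletRequest.getMethod())
                && "/login".equalsIgnoreCase(httpServletRequest.getRequestURI());
    }
}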
