package org.apache.knox.gateway.identityasserter.common.filter;

import java.io.IOException;
import java.security.AccessController;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.knox.gateway.IdentityAsserterMessages;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.plang.AbstractSyntaxTree;
import org.apache.knox.gateway.plang.Parser;
import org.apache.knox.gateway.plang.SyntaxException;
import org.apache.knox.gateway.security.GroupPrincipal;
import org.apache.knox.gateway.security.SubjectUtils;
import org.apache.knox.gateway.security.principal.PrincipalMappingException;
import org.apache.knox.gateway.security.principal.SimplePrincipalMapper;
import org.apache.knox.gateway.util.AuthFilterUtils;
import org.apache.knox.gateway.util.AuthorizationException;
import org.apache.knox.gateway.util.HttpExceptionUtils;

/* loaded from: input_file:org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.class */
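/**
 * Common base for Knox identity assertion filters.
 *
 * <p>For every request the filter takes the already-authenticated {@link Subject}, optionally
 * honours a Hadoop-style {@code doAs} impersonation request (only when
 * {@link #IMPERSONATION_ENABLED_PARAM} is {@code true} and
 * {@link AuthFilterUtils#authorizeImpersonationRequest} accepts the caller), applies the configured
 * principal / group mappings and the virtual-group rules, and then continues the chain as the
 * resulting principal. A rejected impersonation attempt is answered with HTTP 403.
 *
 * <p>Subclasses customise the assertion through {@link #mapUserPrincipal(String)} and
 * {@link #mapGroupPrincipals(String, Subject)}; the defaults here pass the user through unchanged
 * and add no groups.
 */
public class CommonIdentityAssertionFilter extends AbstractIdentityAssertionFilter {
    private static final IdentityAsserterMessages LOG = (IdentityAsserterMessages) MessagesFactory.get(IdentityAsserterMessages.class);

    /** Init-parameter prefix for virtual group rules: {@code group.mapping.<groupName> = <expression>}. */
    public static final String VIRTUAL_GROUP_MAPPING_PREFIX = "group.mapping.";
    /** Init-parameter holding the group principal mapping table. */
    public static final String GROUP_PRINCIPAL_MAPPING = "group.principal.mapping";
    /** Init-parameter holding the user principal mapping table. */
    public static final String PRINCIPAL_MAPPING = "principal.mapping";
    /** Request parameter that carries a user name and is always treated as an impersonation param. */
    private static final String PRINCIPAL_PARAM = "user.name";
    /** Request parameter naming the user to impersonate (Hadoop proxyuser convention). */
    private static final String DOAS_PRINCIPAL_PARAM = "doAs";
    /** Init-parameter that switches {@code doAs} impersonation on for this filter. */
    static final String IMPERSONATION_ENABLED_PARAM = "hadoop.proxyuser.impersonation.enabled";

    /** Servlet-context attribute that carries the topology (cluster) name. */
    private static final String TOPOLOGY_NAME_ATTRIBUTE = "org.apache.knox.gateway.gateway.cluster";
    /** Servlet-context attribute published for other filters to see whether impersonation is on. */
    private static final String IMPERSONATION_ENABLED_ATTRIBUTE = "org.apache.knox.gateway.gateway.proxyuser.impersonation.enabled";
    /** Role name of the authentication provider whose proxyuser config takes precedence over ours. */
    private static final String HADOOP_AUTH_ROLE = "HadoopAuth";
    /** Role name under which this filter registers / authorizes its proxyuser configuration. */
    private static final String IDENTITY_ASSERTION_ROLE = "identity-assertion";

    /** Evaluates the {@code group.mapping.*} rules; built once in {@link #init(FilterConfig)}. */
    private VirtualGroupMapper virtualGroupMapper;
    /** Whether {@code doAs} requests are honoured; may be forced off in {@link #initProxyUserConfiguration}. */
    protected boolean impersonationEnabled;
    /** Topology name read from the servlet context at init time. */
    private String topologyName;
    /** Static user/group principal mapping table loaded from init-parameters. */
    private final SimplePrincipalMapper mapper = new SimplePrincipalMapper();
    /** Parser for virtual group rule expressions. */
    private final Parser parser = new Parser();
    /** Request parameter names handed to the request wrapper; always contains doAs and user.name. */
    protected final List<String> impersonationParamsList = new ArrayList<>();

    /**
     * Reads the topology name, the principal/group mapping tables, the virtual group rules, the
     * impersonation parameter list and the proxyuser configuration from the filter or context
     * init-parameters.
     *
     * @param filterConfig the filter configuration supplied by the container
     * @throws ServletException if the principal mapping table cannot be loaded
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        ServletContext context = filterConfig.getServletContext();
        this.topologyName = (String) context.getAttribute(TOPOLOGY_NAME_ATTRIBUTE);

        String principalMapping = lookupInitParameter(filterConfig, PRINCIPAL_MAPPING);
        String groupMapping = lookupInitParameter(filterConfig, GROUP_PRINCIPAL_MAPPING);
        if (hasText(principalMapping) || hasText(groupMapping)) {
            try {
                this.mapper.loadMappingTable(principalMapping, groupMapping);
            } catch (PrincipalMappingException e) {
                throw new ServletException("Unable to load principal mapping table.", e);
            }
        }

        List<String> initParameterNames = AuthFilterUtils.getInitParameterNamesAsList(filterConfig);
        this.virtualGroupMapper = new VirtualGroupMapper(loadVirtualGroups(filterConfig, initParameterNames));
        initImpersonationParamsList(filterConfig);
        initProxyUserConfiguration(filterConfig, initParameterNames);
    }

    /**
     * Returns the filter-level init-parameter, falling back to the servlet-context parameter of
     * the same name when the filter-level value is missing or empty.
     *
     * @param filterConfig filter configuration to consult
     * @param name parameter name
     * @return the value found, or {@code null} if neither level defines it
     */
    private static String lookupInitParameter(FilterConfig filterConfig, String name) {
        String value = filterConfig.getInitParameter(name);
        if (!hasText(value)) {
            // context is only consulted on fallback, matching the original lazy lookup
            value = filterConfig.getServletContext().getInitParameter(name);
        }
        return value;
    }

    /** Returns {@code true} if {@code value} is neither {@code null} nor empty. */
    private static boolean hasText(String value) {
        return value != null && !value.isEmpty();
    }

    /**
     * Builds {@link #impersonationParamsList}: {@code doAs} and {@code user.name} are always
     * present, followed by any extra comma-separated names from the
     * {@link AbstractIdentityAsserterDeploymentContributor#IMPERSONATION_PARAMS} init-parameter.
     * Blank and duplicate entries are skipped.
     *
     * @param filterConfig filter configuration to consult
     */
    private void initImpersonationParamsList(FilterConfig filterConfig) {
        String configured = lookupInitParameter(filterConfig, AbstractIdentityAsserterDeploymentContributor.IMPERSONATION_PARAMS);
        this.impersonationParamsList.add(DOAS_PRINCIPAL_PARAM);
        this.impersonationParamsList.add(PRINCIPAL_PARAM);
        if (!hasText(configured)) {
            return;
        }
        LOG.impersonationConfig(configured);
        StringTokenizer tokens = new StringTokenizer(configured, ",");
        while (tokens.hasMoreTokens()) {
            String name = tokens.nextToken().trim();
            // an empty name (e.g. "a, ,b") is a config slip, not a parameter to strip
            if (!name.isEmpty() && !this.impersonationParamsList.contains(name)) {
                this.impersonationParamsList.add(name);
            }
        }
    }

    /**
     * Resolves whether {@code doAs} impersonation is active and publishes the decision on the
     * servlet context. If the topology's {@code HadoopAuth} provider already carries proxyuser
     * configuration, that one wins and impersonation is switched off here.
     *
     * @param filterConfig filter configuration to consult
     * @param initParameterNames all filter init-parameter names (used to load proxyuser rules)
     */
    private void initProxyUserConfiguration(FilterConfig filterConfig, List<String> initParameterNames) {
        // parseBoolean(null) is false, so a missing parameter disables impersonation
        this.impersonationEnabled = Boolean.parseBoolean(filterConfig.getInitParameter(IMPERSONATION_ENABLED_PARAM));
        ServletContext context = filterConfig.getServletContext();
        if (!this.impersonationEnabled) {
            context.setAttribute(IMPERSONATION_ENABLED_ATTRIBUTE, Boolean.FALSE);
        } else if (AuthFilterUtils.hasProxyConfig(this.topologyName, HADOOP_AUTH_ROLE)) {
            // NOTE(review): the context attribute is intentionally left untouched in this branch;
            // presumably HadoopAuth publishes it itself - confirm against that filter
            LOG.ignoreProxyuserConfig();
            this.impersonationEnabled = false;
        } else {
            AuthFilterUtils.refreshSuperUserGroupsConfiguration(filterConfig, initParameterNames, this.topologyName, IDENTITY_ASSERTION_ROLE);
            context.setAttribute(IMPERSONATION_ENABLED_ATTRIBUTE, Boolean.TRUE);
        }
    }

    /** @return whether {@code doAs} impersonation is honoured by this filter */
    boolean isImpersonationEnabled() {
        return this.impersonationEnabled;
    }

    /**
     * Loads virtual group rules from the filter init-parameters; if none are defined there, the
     * servlet-context init-parameters are tried instead.
     *
     * @param filterConfig filter configuration to consult
     * @param initParameterNames all filter init-parameter names
     * @return group name to parsed rule expression (never {@code null})
     */
    private Map<String, AbstractSyntaxTree> loadVirtualGroups(FilterConfig filterConfig, List<String> initParameterNames) {
        Map<String, AbstractSyntaxTree> groups = new HashMap<>();
        loadVirtualGroupConfig(filterConfig, initParameterNames, groups);
        if (groups.isEmpty() && filterConfig.getServletContext() != null) {
            loadVirtualGroupConfig(filterConfig.getServletContext(), groups);
        }
        return groups;
    }

    /** Adds every {@code group.mapping.*} filter init-parameter to {@code groups}. */
    private void loadVirtualGroupConfig(FilterConfig filterConfig, List<String> initParameterNames, Map<String, AbstractSyntaxTree> groups) {
        for (String name : virtualGroupParameterNames(initParameterNames)) {
            addGroup(groups, name, filterConfig.getInitParameter(name));
        }
    }

    /** Adds every {@code group.mapping.*} servlet-context init-parameter to {@code groups}. */
    private void loadVirtualGroupConfig(ServletContext servletContext, Map<String, AbstractSyntaxTree> groups) {
        Enumeration<String> names = servletContext.getInitParameterNames();
        List<String> nameList = names == null ? Collections.emptyList() : Collections.list(names);
        for (String name : virtualGroupParameterNames(nameList)) {
            addGroup(groups, name, servletContext.getInitParameter(name));
        }
    }

    /**
     * Parses one virtual group rule and stores it under the group name that follows the
     * {@link #VIRTUAL_GROUP_MAPPING_PREFIX}. Syntax errors and blank group names are logged and
     * the rule is dropped rather than failing filter initialisation.
     *
     * @param groups target map
     * @param parameterName full init-parameter name, including the prefix
     * @param expression rule expression to parse
     */
    private void addGroup(Map<String, AbstractSyntaxTree> groups, String parameterName, String expression) {
        try {
            AbstractSyntaxTree rule = this.parser.parse(expression);
            String groupName = parameterName.substring(VIRTUAL_GROUP_MAPPING_PREFIX.length()).trim();
            if (StringUtils.isBlank(groupName)) {
                LOG.missingVirtualGroupName();
            } else {
                groups.put(groupName, rule);
            }
        } catch (SyntaxException e) {
            LOG.parseError(parameterName, expression, e);
        }
    }

    /**
     * @param names candidate parameter names, may be {@code null}
     * @return the names starting with {@link #VIRTUAL_GROUP_MAPPING_PREFIX}; empty for {@code null}
     */
    private static List<String> virtualGroupParameterNames(List<String> names) {
        if (names == null) {
            return new ArrayList<>();
        }
        return names.stream()
                .filter(name -> name.startsWith(VIRTUAL_GROUP_MAPPING_PREFIX))
                .collect(Collectors.toList());
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Asserts the effective identity for this request and continues the chain.
     *
     * <p>Order of operations: resolve the effective user (honouring {@code doAs} when permitted),
     * map the user through the base table and the subclass hook, collect base / subclass / virtual
     * groups, deduplicate them, then continue as that principal with a wrapped request. A
     * rejected impersonation is logged and turned into a 403 response instead of propagating.
     *
     * @throws IllegalStateException if no authenticated {@link Subject} is bound to this thread
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            LOG.subjectNotAvailable();
            throw new IllegalStateException("Required Subject Missing");
        }
        try {
            String effectiveUser = handleProxyUserImpersonation(servletRequest, subject);
            String mappedUser = mapUserPrincipal(mapUserPrincipalBase(effectiveUser));
            String[] baseGroups = mapGroupPrincipalsBase(mappedUser, subject);
            String[] extensionGroups = mapGroupPrincipals(mappedUser, subject);
            // virtual group rules see the subject's own groups plus the subclass-provided ones
            Set<String> groupsForRules = combine(subject, extensionGroups);
            String[] virtualGroups = (String[]) this.virtualGroupMapper.mapGroups(mappedUser, groupsForRules, servletRequest).toArray(new String[0]);
            String[] allGroups = unique(combineGroupMappings(virtualGroups, combineGroupMappings(baseGroups, extensionGroups)));
            continueChainAsPrincipal(wrapHttpServletRequest(servletRequest, mappedUser), servletResponse, filterChain, mappedUser, allGroups);
        } catch (AuthorizationException e) {
            LOG.hadoopAuthProxyUserFailed(e);
            HttpExceptionUtils.createServletExceptionResponse((HttpServletResponse) servletResponse, 403, e);
        }
    }

    /**
     * Resolves the user the request should run as. A {@code doAs} parameter is only honoured when
     * impersonation is enabled, it names a different user than the authenticated one, and
     * {@link AuthFilterUtils#authorizeImpersonationRequest} permits the authenticated user to
     * impersonate it. Without an authenticated principal the {@code doAs} value is ignored.
     *
     * @return the effective principal name, or {@code null} when the subject carries none
     * @throws AuthorizationException if the authenticated user may not impersonate the target
     */
    private String handleProxyUserImpersonation(ServletRequest servletRequest, Subject subject) throws AuthorizationException {
        String effectivePrincipalName = SubjectUtils.getEffectivePrincipalName(subject);
        if (!this.impersonationEnabled) {
            return effectivePrincipalName;
        }
        String doAsUser = servletRequest.getParameter(DOAS_PRINCIPAL_PARAM);
        if (doAsUser == null || doAsUser.equals(effectivePrincipalName)) {
            return effectivePrincipalName;
        }
        LOG.hadoopAuthDoAsUser(doAsUser, effectivePrincipalName, servletRequest.getRemoteAddr());
        if (effectivePrincipalName == null) {
            // nobody to authorize the impersonation for - doAs is not applied
            return null;
        }
        AuthFilterUtils.authorizeImpersonationRequest((HttpServletRequest) servletRequest, effectivePrincipalName, doAsUser, this.topologyName, IDENTITY_ASSERTION_ROLE);
        LOG.hadoopAuthProxyUserSuccess();
        return doAsUser;
    }

    /**
     * @return a mutable set of the subject's group names plus {@code extraGroups}, if any
     */
    private Set<String> combine(Subject subject, String[] extraGroups) {
        Set<String> groups = groups(subject);
        if (extraGroups != null) {
            groups.addAll(Arrays.asList(extraGroups));
        }
        return groups;
    }

    /**
     * @param groups group names, may be {@code null}
     * @return the distinct group names (order unspecified); empty for {@code null}
     */
    private static String[] unique(String[] groups) {
        if (groups == null) {
            return new String[0];
        }
        return new HashSet<>(Arrays.asList(groups)).toArray(new String[0]);
    }

    /**
     * Concatenates two group arrays, tolerating {@code null} on either side.
     *
     * @return {@code second} if {@code first} is {@code null}, {@code first} if {@code second} is
     *         {@code null}, otherwise both concatenated; {@code null} only if both are
     */
    protected String[] combineGroupMappings(String[] first, String[] second) {
        if (first == null) {
            return second;
        }
        if (second == null) {
            return first;
        }
        return ArrayUtils.addAll(first, second);
    }

    /**
     * Wraps the request so downstream code sees {@code principalName} as the user; the wrapper is
     * also given the configured impersonation parameter names.
     */
    public HttpServletRequestWrapper wrapHttpServletRequest(ServletRequest servletRequest, String principalName) {
        return new IdentityAsserterHttpServletRequestWrapper((HttpServletRequest) servletRequest, principalName, this.impersonationParamsList);
    }

    /** @return groups for {@code principalName} from the static group mapping table */
    protected String[] mapGroupPrincipalsBase(String principalName, Subject subject) {
        return this.mapper.mapGroupPrincipal(principalName);
    }

    /** @return {@code principalName} mapped through the static user mapping table */
    protected String mapUserPrincipalBase(String principalName) {
        return this.mapper.mapUserPrincipal(principalName);
    }

    /** @return a new, mutable set of the names of the subject's {@link GroupPrincipal}s */
    private Set<String> groups(Subject subject) {
        return subject.getPrincipals(GroupPrincipal.class).stream()
                .map(GroupPrincipal::getName)
                .collect(Collectors.toCollection(HashSet::new));
    }

    /** Subclass hook: additional groups for the mapped user. Default adds none. */
    @Override // org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter
    public String[] mapGroupPrincipals(String principalName, Subject subject) {
        return null;
    }

    /** Subclass hook: final user principal mapping. Default returns the input unchanged. */
    @Override // org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter
    public String mapUserPrincipal(String principalName) {
        return principalName;
    }
}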
