package org.apache.knox.gateway.filter;

import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.knox.gateway.audit.api.AuditServiceFactory;
import org.apache.knox.gateway.audit.api.Auditor;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.security.GroupPrincipal;
import org.apache.knox.gateway.security.ImpersonatedPrincipal;
import org.apache.knox.gateway.security.PrimaryPrincipal;

/* loaded from: input_file:org/apache/knox/gateway/filter/AclsAuthorizationFilter.class */
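/**
 * Servlet filter that enforces the ACL configured for a resource role against the
 * authenticated {@link Subject} of the current thread.
 *
 * <p>Three dimensions are evaluated: the user principal (the impersonated principal when one
 * is present, otherwise the primary principal), the group principals, and the remote IP
 * address of the request. They are combined according to the ACL processing mode. In
 * {@code AND} mode every dimension must allow the request. In {@code OR} mode one allowing
 * dimension is enough, but a dimension whose rule is an "any" rule ({@code anyUser},
 * {@code anyGroup}, {@code allowsAnyIP()}) does not count as a match on its own. Any other
 * mode value denies access.
 *
 * <p>The ACL tokens {@code KNOX_ADMIN_USERS} and {@code KNOX_ADMIN_GROUPS} are resolved
 * against the {@code knox.admin.users} / {@code knox.admin.groups} init parameters.
 *
 * <p>When no user, group or IP rule is configured for the role every request is allowed.
 * A request without a subject or without a primary principal is denied (fail closed) and
 * audited as a failure instead of surfacing as an unhandled exception.
 *
 * <p>Not thread-safe during {@link #init(FilterConfig)}; read-only afterwards.
 */
public class AclsAuthorizationFilter implements Filter {
    private static final AclsAuthorizationMessages log = MessagesFactory.get(AclsAuthorizationMessages.class);
    private static final Auditor auditor = AuditServiceFactory.getAuditService().getAuditor("audit", "knox", "knox");

    private static final String ADMIN_GROUPS_PARAM = "knox.admin.groups";
    private static final String ADMIN_USERS_PARAM = "knox.admin.users";
    private static final String RESOURCE_ROLE_PARAM = "resource.role";
    private static final String ACL_MODE_PARAM = "acl.mode";
    private static final String ACL_MODE_SUFFIX = ".acl.mode";
    private static final String ACL_SUFFIX = ".acl";
    private static final String CONFIG_SEPARATOR = ",";

    private static final String MODE_AND = "AND";
    private static final String MODE_OR = "OR";

    private static final String ADMIN_USERS_TOKEN = "KNOX_ADMIN_USERS";
    private static final String ADMIN_GROUPS_TOKEN = "KNOX_ADMIN_GROUPS";

    private static final String SOURCE_URL_ATTRIBUTE = "sourceRequestContextUrl";
    private static final String AUDIT_ACTION = "authorization";
    private static final String AUDIT_RESOURCE_TYPE = "uri";
    private static final String AUDIT_SUCCESS = "success";
    private static final String AUDIT_FAILURE = "failure";

    private static final int FORBIDDEN = 403;

    /** Role this filter instance protects; set from {@code resource.role} in {@link #init}. */
    private String resourceRole;
    /** {@code AND} or {@code OR}; any other value denies every request that reaches the ACL check. */
    private String aclProcessingMode;
    private final AclParser parser = new AclParser();
    /** Group names that satisfy the {@code KNOX_ADMIN_GROUPS} token. */
    private final List<String> adminGroups = new ArrayList<>();
    /** User names that satisfy the {@code KNOX_ADMIN_USERS} token. */
    private final List<String> adminUsers = new ArrayList<>();

    /**
     * Reads the admin user/group lists, the resource role, the processing mode and the
     * role's ACL from the filter init parameters.
     *
     * <p>The mode is resolved in order: {@code <role>.acl.mode}, then {@code acl.mode},
     * then the default {@code AND}.
     *
     * @param filterConfig the container-supplied configuration
     * @throws ServletException declared by {@link Filter#init}; not thrown here
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String adminGroupConfig = filterConfig.getInitParameter(ADMIN_GROUPS_PARAM);
        if (adminGroupConfig != null) {
            parseAdminGroupConfig(adminGroupConfig);
        }
        String adminUserConfig = filterConfig.getInitParameter(ADMIN_USERS_PARAM);
        if (adminUserConfig != null) {
            parseAdminUserConfig(adminUserConfig);
        }
        resourceRole = getInitParameter(filterConfig, RESOURCE_ROLE_PARAM);
        log.initializingForResourceRole(resourceRole);
        // Role-specific mode wins over the global one; AND (the strictest mode) is the default.
        aclProcessingMode = getInitParameter(filterConfig, resourceRole + ACL_MODE_SUFFIX);
        if (aclProcessingMode == null) {
            aclProcessingMode = getInitParameter(filterConfig, ACL_MODE_PARAM);
        }
        if (aclProcessingMode == null) {
            aclProcessingMode = MODE_AND;
        }
        log.aclProcessingMode(aclProcessingMode);
        parser.parseAcls(resourceRole, getInitParameter(filterConfig, resourceRole + ACL_SUFFIX));
    }

    /**
     * Looks up an init parameter by its lower-cased name, so role names of any case map
     * to the same parameter.
     *
     * @param filterConfig the container-supplied configuration
     * @param name parameter name, lower-cased with {@link Locale#ROOT} before lookup
     * @return the parameter value, or {@code null} when absent
     */
    private String getInitParameter(FilterConfig filterConfig, String name) {
        return filterConfig.getInitParameter(name.toLowerCase(Locale.ROOT));
    }

    /**
     * Adds the comma-separated entries of {@code config} to the admin group list.
     * Entries are not trimmed; surrounding whitespace is part of the name.
     */
    private void parseAdminGroupConfig(String config) {
        Collections.addAll(adminGroups, config.split(CONFIG_SEPARATOR));
    }

    /**
     * Adds the comma-separated entries of {@code config} to the admin user list.
     * Entries are not trimmed; surrounding whitespace is part of the name.
     */
    private void parseAdminUserConfig(String config) {
        Collections.addAll(adminUsers, config.split(CONFIG_SEPARATOR));
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }

    /**
     * Evaluates the ACL, writes an audit record for the outcome, and either continues the
     * chain or answers {@code 403 Forbidden}.
     *
     * @throws IOException if the chain or the error response fails; an error-response
     *         failure is propagated rather than swallowed so the container sees it
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        boolean granted = enforceAclAuthorizationPolicy(servletRequest, servletResponse, filterChain);
        log.accessGranted(granted);
        String sourceUrl = (String) servletRequest.getAttribute(SOURCE_URL_ATTRIBUTE);
        if (granted) {
            auditor.audit(AUDIT_ACTION, sourceUrl, AUDIT_RESOURCE_TYPE, AUDIT_SUCCESS);
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            auditor.audit(AUDIT_ACTION, sourceUrl, AUDIT_RESOURCE_TYPE, AUDIT_FAILURE);
            sendForbidden((HttpServletResponse) servletResponse);
        }
    }

    /**
     * Decides whether the current subject may access the request according to the
     * configured user, group and IP rules and the processing mode.
     *
     * @param servletRequest the request; cast to {@link HttpServletRequest} for the remote address
     * @param servletResponse unused
     * @param filterChain unused
     * @return {@code true} when access is granted; {@code false} when denied, including when
     *         no subject or no primary principal is associated with the current thread
     */
    protected boolean enforceAclAuthorizationPolicy(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        // Nothing configured for this role: nothing to enforce.
        if (parser.users.isEmpty() && parser.groups.isEmpty() && parser.ipv.getIPAddresses().isEmpty()) {
            return true;
        }

        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            // No authenticated subject on this thread: deny instead of failing with an NPE.
            return false;
        }
        Principal primary = firstPrincipal(subject.getPrincipals(PrimaryPrincipal.class).toArray());
        if (primary == null) {
            // Authentication did not attach a primary principal: deny, fail closed.
            return false;
        }
        log.primaryPrincipal(primary.getName());

        // User dimension: the impersonated principal, when present, is the one checked.
        boolean userAllowed;
        Principal impersonated = firstPrincipal(subject.getPrincipals(ImpersonatedPrincipal.class).toArray());
        if (impersonated != null) {
            log.impersonatedPrincipal(impersonated.getName());
            userAllowed = checkUserAcls(impersonated);
            log.impersonatedPrincipalHasAccess(userAllowed);
        } else {
            userAllowed = checkUserAcls(primary);
            log.primaryPrincipalHasAccess(userAllowed);
        }

        // Group dimension.
        boolean groupAllowed = false;
        Object[] groupPrincipals = subject.getPrincipals(GroupPrincipal.class).toArray();
        if (groupPrincipals.length > 0) {
            groupAllowed = checkGroupAcls(groupPrincipals);
            log.groupPrincipalHasAccess(groupAllowed);
        } else if (parser.anyGroup && MODE_AND.equals(aclProcessingMode)) {
            // A subject with no group principals still satisfies an "any group" rule in AND mode.
            groupAllowed = true;
        }

        // IP dimension.
        String remoteAddr = request.getRemoteAddr();
        log.remoteIPAddress(remoteAddr);
        boolean ipAllowed = checkRemoteIpAcls(remoteAddr);
        log.remoteIPAddressHasAccess(ipAllowed);

        if (MODE_OR.equals(aclProcessingMode)) {
            // In OR mode an "any" rule must not grant access by itself; only an explicit match counts.
            boolean userMatch = !parser.anyUser && userAllowed;
            boolean groupMatch = !parser.anyGroup && groupAllowed;
            boolean ipMatch = !parser.ipv.allowsAnyIP() && ipAllowed;
            return userMatch || groupMatch || ipMatch;
        }
        // AND mode requires every dimension; an unrecognised mode denies.
        return MODE_AND.equals(aclProcessingMode) && userAllowed && groupAllowed && ipAllowed;
    }

    /**
     * Returns the first element of {@code principals} as a {@link Principal}, or
     * {@code null} when the array is empty.
     */
    private static Principal firstPrincipal(Object[] principals) {
        return principals.length > 0 ? (Principal) principals[0] : null;
    }

    /**
     * Checks the remote address against the configured IP rules.
     *
     * @param remoteAddr the remote address, may be {@code null}
     * @return {@code false} for a {@code null} address, otherwise the validator's verdict
     */
    private boolean checkRemoteIpAcls(String remoteAddr) {
        if (remoteAddr == null) {
            return false;
        }
        return parser.ipv.validateIpAddress(remoteAddr);
    }

    /**
     * Checks a principal against the user rules: allowed by an "any user" rule, by an
     * explicit name, or via the {@code KNOX_ADMIN_USERS} token when the name is in the
     * configured admin user list.
     *
     * @param principal the principal to check, may be {@code null}
     * @return {@code true} when the user rules allow the principal
     */
    boolean checkUserAcls(Principal principal) {
        if (principal == null) {
            return false;
        }
        if (parser.anyUser) {
            return true;
        }
        String name = principal.getName();
        if (parser.users.contains(name)) {
            return true;
        }
        return parser.users.contains(ADMIN_USERS_TOKEN) && adminUsers.contains(name);
    }

    /**
     * Checks a set of group principals against the group rules: allowed by an "any group"
     * rule, by an explicit group name, or via the {@code KNOX_ADMIN_GROUPS} token when one
     * of the groups is in the configured admin group list.
     *
     * @param groupPrincipals {@link Principal} instances; {@code null} is treated as no groups
     * @return {@code true} when the group rules allow at least one of the groups
     */
    boolean checkGroupAcls(Object[] groupPrincipals) {
        if (groupPrincipals == null) {
            return false;
        }
        if (parser.anyGroup) {
            return true;
        }
        if (hasAllowedPrincipal(parser.groups, groupPrincipals)) {
            return true;
        }
        return parser.groups.contains(ADMIN_GROUPS_TOKEN) && hasAllowedPrincipal(adminGroups, groupPrincipals);
    }

    /**
     * Returns {@code true} when the name of at least one principal in {@code principals}
     * is contained in {@code allowed}.
     */
    private boolean hasAllowedPrincipal(List<String> allowed, Object[] principals) {
        for (Object candidate : principals) {
            if (allowed.contains(((Principal) candidate).getName())) {
                return true;
            }
        }
        return false;
    }

    /** Answers {@code 403 Forbidden}. */
    private void sendForbidden(HttpServletResponse response) throws IOException {
        sendErrorCode(response, FORBIDDEN);
    }

    /**
     * Sends an error status. An {@link IOException} is propagated (doFilter already
     * declares it) rather than printed and dropped, so a failed denial is never mistaken
     * for a handled request.
     */
    private void sendErrorCode(HttpServletResponse response, int statusCode) throws IOException {
        response.sendError(statusCode);
    }
}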
