package org.apache.ranger.authorization.knox;

import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.knox.gateway.security.GroupPrincipal;
import org.apache.knox.gateway.security.ImpersonatedPrincipal;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.knox.KnoxRangerPlugin;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.util.RangerPerfTracer;

/* loaded from: input_file:org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.class */
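/**
 * Servlet filter that authorizes Knox gateway requests against Ranger policies.
 *
 * <p>For each request the filter reads the authenticated JAAS {@link Subject}, derives the
 * effective user (the {@link ImpersonatedPrincipal} when present, otherwise the
 * {@link PrimaryPrincipal}) and its {@link GroupPrincipal} names, builds a
 * {@link RangerAccessRequest} for the configured service and the topology taken from the request
 * URL, and asks the shared {@link KnoxRangerPlugin} whether access is allowed. Allowed requests
 * continue down the filter chain; everything else — including a missing Subject or primary
 * principal, or a plugin that was never created — is answered with HTTP 403 (fail closed).
 *
 * <p>The plugin instance is shared by all filter instances and created lazily on the first
 * {@link #init(FilterConfig)}, guarded by double-checked locking on the volatile {@link #plugin}.
 */
public class RangerPDPKnoxFilter implements Filter {
    /** JAAS configuration section used to establish the plugin's login user (UGI). */
    private static final String KNOX_GATEWAY_JASS_CONFIG_SECTION = "com.sun.security.jgss.initiate";
    /** Filter init-param whose value is used as the Ranger service name. */
    private static final String RESOURCE_ROLE_PARAM = "resource.role";
    /** Request attribute from which the topology name is extracted. */
    private static final String SOURCE_REQUEST_CONTEXT_URL_ATTR = "sourceRequestContextUrl";
    /** Header holding the client/proxy-supplied forwarding chain; passed to the policy engine. */
    private static final String X_FORWARDED_FOR_HEADER = "X-Forwarded-For";

    private static final Log LOG = LogFactory.getLog(RangerPDPKnoxFilter.class);
    private static final Log PERF_KNOXAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("knoxauth.request");

    /** Shared policy-engine plugin; {@code null} until the first successful {@link #init(FilterConfig)}. */
    private static volatile KnoxRangerPlugin plugin = null;

    /** Ranger service name for this filter instance, read from the {@code resource.role} init-param. */
    private String resourceRole = null;

    /**
     * Reads the {@code resource.role} init-param and lazily creates the shared plugin.
     *
     * <p>The JAAS login for the plugin's UGI is best-effort: a failure is logged and the plugin is
     * still created, so authorization stays in force even without a login identity.
     *
     * @param filterConfig filter configuration supplied by the servlet container
     * @throws ServletException declared by {@link Filter#init(FilterConfig)}; not thrown here
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.resourceRole = getInitParameter(filterConfig, RESOURCE_ROLE_PARAM);
        if (plugin != null) {
            return;
        }
        synchronized (RangerPDPKnoxFilter.class) {
            if (plugin != null) {
                return;
            }
            try {
                MiscUtil.setUGIFromJAASConfig(KNOX_GATEWAY_JASS_CONFIG_SECTION);
                LOG.info("LoginUser=" + MiscUtil.getUGILoginUser());
            } catch (Throwable th) {
                // Best-effort login: the plugin is still created below.
                LOG.error("Error while setting UGI for Knox Plugin...", th);
            }
            LOG.info("Creating KnoxRangerPlugin");
            KnoxRangerPlugin newPlugin = new KnoxRangerPlugin();
            newPlugin.init();
            // Publish only after init() so a concurrent doFilter never sees a half-initialised plugin.
            plugin = newPlugin;
        }
    }

    /** Looks up a filter init-param by its lower-cased (locale-independent) name. */
    private String getInitParameter(FilterConfig filterConfig, String name) {
        return filterConfig.getInitParameter(name.toLowerCase(Locale.ROOT));
    }

    /** Nothing to release: the shared plugin outlives individual filter instances. */
    @Override
    public void destroy() {
    }

    /**
     * Authorizes the request with the Ranger plugin and either continues the chain or sends 403.
     *
     * <p>Access is denied without consulting the policy engine when the current Subject is missing
     * or carries no {@link PrimaryPrincipal}, and when the shared plugin has not been created. Both
     * cases are logged and answered with 403 rather than left to surface as an exception from the
     * container.
     *
     * @param servletRequest  incoming request; its {@code sourceRequestContextUrl} attribute,
     *                        remote address and {@code X-Forwarded-For} header are read
     * @param servletResponse response; receives a 403 when access is denied
     * @param filterChain     remainder of the chain, invoked only when access is allowed
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String sourceUrl = (String) servletRequest.getAttribute(SOURCE_REQUEST_CONTEXT_URL_ATTR);
        String topologyName = getTopologyName(sourceUrl);
        String serviceName = getServiceName();

        RangerPerfTracer perf = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_KNOXAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_KNOXAUTH_REQUEST_LOG, "RangerPDPKnoxFilter.doFilter(url=" + sourceUrl + ", topologyName=" + topologyName + ")");
        }

        Subject subject = Subject.getSubject(AccessController.getContext());
        String primaryUser = firstPrincipalName(subject, PrimaryPrincipal.class);
        if (primaryUser == null) {
            // No authenticated identity to evaluate: deny explicitly instead of failing with an
            // exception from an unchecked principals.toArray()[0].
            LOG.warn("No PrimaryPrincipal on the current Subject; denying access to url=" + sourceUrl + ", topologyName=" + topologyName);
            RangerPerfTracer.log(perf);
            sendForbidden((HttpServletResponse) servletResponse);
            return;
        }
        String impersonatedUser = firstPrincipalName(subject, ImpersonatedPrincipal.class);
        String effectiveUser = impersonatedUser != null ? impersonatedUser : primaryUser;
        Set<String> groups = getGroups(subject);
        String remoteAddr = servletRequest.getRemoteAddr();
        List<String> forwardedAddresses = getForwardedAddresses(servletRequest);

        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking access primaryUser: " + primaryUser + ", impersonatedUser: " + impersonatedUser + ", effectiveUser: " + effectiveUser + ", groups: " + groups + ", clientIp: " + remoteAddr + ", remoteIp: " + remoteAddr + ", forwardedAddresses: " + forwardedAddresses);
        }

        RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder()
                .service(serviceName)
                .topology(topologyName)
                .user(effectiveUser)
                .groups(groups)
                .clientIp(remoteAddr)
                .remoteIp(remoteAddr)
                .forwardedAddresses(forwardedAddresses)
                .build();

        // Read the volatile once so the null check and the call use the same instance.
        KnoxRangerPlugin currentPlugin = plugin;
        boolean allowed = false;
        if (currentPlugin != null) {
            RangerAccessResult result = currentPlugin.isAccessAllowed(accessRequest);
            allowed = result != null && result.getIsAllowed();
        } else {
            LOG.warn("KnoxRangerPlugin is not initialized; denying access to url=" + sourceUrl);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Access allowed: " + allowed);
        }
        RangerPerfTracer.log(perf);

        if (allowed) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            sendForbidden((HttpServletResponse) servletResponse);
        }
    }

    /**
     * Returns the name of the first principal of {@code type} on {@code subject}, or {@code null}
     * when the Subject is absent or carries no such principal.
     */
    private static <T extends Principal> String firstPrincipalName(Subject subject, Class<T> type) {
        if (subject == null) {
            return null;
        }
        Iterator<T> principals = subject.getPrincipals(type).iterator();
        return principals.hasNext() ? principals.next().getName() : null;
    }

    /** Collects the names of the Subject's {@link GroupPrincipal}s; empty when there are none. */
    private static Set<String> getGroups(Subject subject) {
        Set<String> groups = new HashSet<String>();
        if (subject != null) {
            for (GroupPrincipal group : subject.getPrincipals(GroupPrincipal.class)) {
                groups.add(group.getName());
            }
        }
        return groups;
    }

    /**
     * Splits the {@code X-Forwarded-For} header on commas, or returns {@code null} when the
     * request is not HTTP or has no such header.
     *
     * <p>The header is client/proxy-supplied and is handed to the policy engine unverified and
     * untrimmed (entries may keep a leading space); trust decisions belong to the policies.
     */
    private List<String> getForwardedAddresses(ServletRequest servletRequest) {
        if (!(servletRequest instanceof HttpServletRequest)) {
            return null;
        }
        String header = ((HttpServletRequest) servletRequest).getHeader(X_FORWARDED_FOR_HEADER);
        return header != null ? Arrays.asList(header.split(",")) : null;
    }

    /** Answers the request with HTTP 403. */
    private void sendForbidden(HttpServletResponse httpServletResponse) {
        sendErrorCode(httpServletResponse, HttpServletResponse.SC_FORBIDDEN);
    }

    /** Sends {@code statusCode}; an I/O failure while writing the response is logged, not rethrown. */
    private void sendErrorCode(HttpServletResponse httpServletResponse, int statusCode) {
        try {
            httpServletResponse.sendError(statusCode);
        } catch (IOException e) {
            LOG.error("Error while redirecting:", e);
        }
    }

    /**
     * Returns the third {@code /}-separated segment (index 2) of the trimmed URL, or {@code null}
     * when the URL is absent or has fewer than three segments.
     *
     * <p>NOTE(review): this assumes a path-style value such as {@code /gateway/<topology>/...},
     * where index 2 is the topology; confirm against what Knox stores in the attribute.
     */
    private String getTopologyName(String url) {
        if (url == null) {
            return null;
        }
        String[] segments = url.trim().split("/");
        return segments.length > 2 ? segments[2] : null;
    }

    /** The Ranger service name, i.e. the configured {@code resource.role}. */
    private String getServiceName() {
        return this.resourceRole;
    }
}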
