package org.apache.ranger.audit.destination;

import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.io.File;
import java.security.PrivilegedActionException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.apache.commons.lang.StringUtils;
import org.apache.http.HttpHost;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.ranger.audit.model.AuditEventBase;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.credutils.CredentialsProviderUtil;
import org.apache.ranger.authorization.credutils.kerberos.KerberosCredentialsProvider;
import org.opensearch.action.admin.indices.open.OpenIndexRequest;
import org.opensearch.action.bulk.BulkItemResponse;
import org.opensearch.action.bulk.BulkRequest;
import org.opensearch.action.bulk.BulkResponse;
import org.opensearch.action.index.IndexRequest;
import org.opensearch.client.RequestOptions;
import org.opensearch.client.RestClient;
import org.opensearch.client.RestClientBuilder;
import org.opensearch.client.RestHighLevelClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/audit/destination/OpenSearchAuditDestination.class */
public class OpenSearchAuditDestination extends AuditDestination {
    private static final Logger LOG = LoggerFactory.getLogger(OpenSearchAuditDestination.class);
    public static final String CONFIG_URLS = "urls";
    public static final String CONFIG_PORT = "port";
    public static final String CONFIG_USER = "user";
    public static final String CONFIG_PWRD = "password";
    public static final String CONFIG_PROTOCOL = "protocol";
    public static final String CONFIG_INDEX = "index";
    public static final String CONFIG_PREFIX = "ranger.audit.opensearch";
    public static final String DEFAULT_INDEX = "ranger_audits";
    private String protocol;
    private String user;
    private int port;
    private String passwd;
    private String hosts;
    private Subject subject;
    private String index = CONFIG_INDEX;
    private volatile RestHighLevelClient client = null;
    private final AtomicLong lastLoggedAt = new AtomicLong(0);

    public OpenSearchAuditDestination() {
        this.propPrefix = CONFIG_PREFIX;
    }

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.BaseAuditHandler, org.apache.ranger.audit.provider.AuditHandler
    public void init(Properties properties, String str) {
        super.init(properties, str);
        this.protocol = getStringProperty(properties, str + "." + CONFIG_PROTOCOL, "http");
        this.user = getStringProperty(properties, str + "." + CONFIG_USER, "");
        this.passwd = getStringProperty(properties, str + "." + CONFIG_PWRD, "");
        this.port = MiscUtil.getIntProperty(properties, str + "." + CONFIG_PORT, 9200);
        this.index = getStringProperty(properties, str + "." + CONFIG_INDEX, "ranger_audits");
        this.hosts = getHosts();
        LOG.info("Connecting to OpenSearch... " + connectionString());
        getClient();
    }

    private String connectionString() {
        return String.format(Locale.ROOT, "User:%s, %s://%s:%s/%s", this.user, this.protocol, this.hosts, Integer.valueOf(this.port), this.index);
    }

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.AuditHandler
    public void stop() {
        super.stop();
        logStatus();
    }

    @Override // org.apache.ranger.audit.provider.AuditHandler
    public boolean log(Collection<AuditEventBase> collection) {
        RestHighLevelClient client;
        boolean z = false;
        try {
            logStatusIfRequired();
            addTotalCount(collection.size());
            client = getClient();
        } catch (Throwable th) {
            addDeferredCount(collection.size());
            logError("Error sending message to OpenSearch", th);
        }
        if (null == client) {
            addDeferredCount(collection.size());
            return false;
        }
        ArrayList arrayList = new ArrayList(collection);
        BulkRequest bulkRequest = new BulkRequest();
        try {
            Iterator it = arrayList.iterator();
            while (it.hasNext()) {
                AuthzAuditEvent authzAuditEvent = (AuthzAuditEvent) ((AuditEventBase) it.next());
                bulkRequest.add(new IndexRequest(this.index).id(authzAuditEvent.getEventId()).source(toDoc(authzAuditEvent)));
            }
        } catch (Exception e) {
            addFailedCount(arrayList.size());
            logFailedEvent(arrayList, e);
        }
        BulkResponse bulk = client.bulk(bulkRequest, RequestOptions.DEFAULT);
        if (bulk.status().getStatus() >= 400) {
            addFailedCount(arrayList.size());
            logFailedEvent(arrayList, "HTTP " + bulk.status().getStatus());
        } else {
            BulkItemResponse[] items = bulk.getItems();
            for (int i = 0; i < items.length; i++) {
                AuditEventBase auditEventBase = (AuditEventBase) arrayList.get(i);
                BulkItemResponse bulkItemResponse = items[i];
                if (bulkItemResponse.isFailed()) {
                    addFailedCount(1);
                    logFailedEvent(Arrays.asList(auditEventBase), bulkItemResponse.getFailureMessage());
                } else {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug(String.format("Indexed %s", auditEventBase.getEventKey()));
                    }
                    addSuccessCount(1);
                    z = true;
                }
            }
        }
        return z;
    }

    @Override // org.apache.ranger.audit.destination.AuditDestination, org.apache.ranger.audit.provider.AuditHandler
    public void flush() {
    }

    public boolean isAsync() {
        return true;
    }

    synchronized RestHighLevelClient getClient() {
        if (this.client == null) {
            synchronized (OpenSearchAuditDestination.class) {
                if (this.client == null) {
                    this.client = newClient();
                }
            }
        }
        if (this.subject != null) {
            KerberosTicket tgt = CredentialsProviderUtil.getTGT(this.subject);
            try {
                if (new Date().getTime() > tgt.getEndTime().getTime()) {
                    this.client = null;
                    CredentialsProviderUtil.ticketExpireTime80 = 0L;
                    newClient();
                } else if (CredentialsProviderUtil.ticketWillExpire(tgt).booleanValue()) {
                    this.subject = CredentialsProviderUtil.login(this.user, this.passwd);
                }
            } catch (PrivilegedActionException e) {
                LOG.error("PrivilegedActionException:", e);
                throw new RuntimeException(e);
            }
        }
        return this.client;
    }

    public static RestClientBuilder getRestClientBuilder(String str, String str2, String str3, String str4, int i) {
        RestClientBuilder builder = RestClient.builder((HttpHost[]) MiscUtil.toArray(str, ",").stream().map(str5 -> {
            return new HttpHost(str5, i, str2);
        }).toArray(i2 -> {
            return new HttpHost[i2];
        }));
        ThreadFactory build = new ThreadFactoryBuilder().setNameFormat("OpenSearch rest client %s").setDaemon(true).build();
        if (!StringUtils.isNotBlank(str3) || !StringUtils.isNotBlank(str4) || str3.equalsIgnoreCase("NONE") || str4.equalsIgnoreCase("NONE")) {
            LOG.error("OpenSearch Credentials not provided!!");
            CredentialsProvider credentialsProvider = null;
            builder.setHttpClientConfigCallback(httpAsyncClientBuilder -> {
                httpAsyncClientBuilder.setThreadFactory(build);
                httpAsyncClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                return httpAsyncClientBuilder;
            });
        } else if (str4.contains("keytab") && new File(str4).exists()) {
            KerberosCredentialsProvider kerberosCredentials = CredentialsProviderUtil.getKerberosCredentials(str3, str4);
            Registry build2 = RegistryBuilder.create().register("Negotiate", new SPNegoSchemeFactory()).build();
            builder.setHttpClientConfigCallback(httpAsyncClientBuilder2 -> {
                httpAsyncClientBuilder2.setThreadFactory(build);
                httpAsyncClientBuilder2.setDefaultCredentialsProvider(kerberosCredentials);
                httpAsyncClientBuilder2.setDefaultAuthSchemeRegistry(build2);
                return httpAsyncClientBuilder2;
            });
        } else {
            CredentialsProvider basicCredentials = CredentialsProviderUtil.getBasicCredentials(str3, str4);
            builder.setHttpClientConfigCallback(httpAsyncClientBuilder3 -> {
                httpAsyncClientBuilder3.setThreadFactory(build);
                httpAsyncClientBuilder3.setDefaultCredentialsProvider(basicCredentials);
                return httpAsyncClientBuilder3;
            });
        }
        return builder;
    }

    private RestHighLevelClient newClient() {
        try {
            if (StringUtils.isNotBlank(this.user) && StringUtils.isNotBlank(this.passwd) && this.passwd.contains("keytab") && new File(this.passwd).exists()) {
                this.subject = CredentialsProviderUtil.login(this.user, this.passwd);
            }
            RestHighLevelClient restHighLevelClient = new RestHighLevelClient(getRestClientBuilder(this.hosts, this.protocol, this.user, this.passwd, this.port));
            if (LOG.isDebugEnabled()) {
                LOG.debug("Initialized client");
            }
            boolean z = false;
            try {
                z = restHighLevelClient.indices().open(new OpenIndexRequest(new String[]{this.index}), RequestOptions.DEFAULT).isShardsAcknowledged();
            } catch (Exception e) {
                LOG.warn("Error validating index " + this.index);
            }
            if (!z) {
                LOG.info("Index does not exist");
            } else if (LOG.isDebugEnabled()) {
                LOG.debug("Index exists");
            }
            return restHighLevelClient;
        } catch (Throwable th) {
            this.lastLoggedAt.updateAndGet(j -> {
                long currentTimeMillis = System.currentTimeMillis();
                if (currentTimeMillis - j <= TimeUnit.MINUTES.toMillis(1L)) {
                    return j;
                }
                LOG.error("Can't connect to opensearch server: " + connectionString(), th);
                return currentTimeMillis;
            });
            return null;
        }
    }

    private String getHosts() {
        String stringProperty = MiscUtil.getStringProperty(this.props, this.propPrefix + ".urls");
        if (stringProperty != null) {
            stringProperty = stringProperty.trim();
        }
        if ("NONE".equalsIgnoreCase(stringProperty)) {
            stringProperty = null;
        }
        return stringProperty;
    }

    private String getStringProperty(Properties properties, String str, String str2) {
        String stringProperty = MiscUtil.getStringProperty(properties, str);
        return null == stringProperty ? str2 : stringProperty;
    }

    Map<String, Object> toDoc(AuthzAuditEvent authzAuditEvent) {
        HashMap hashMap = new HashMap();
        hashMap.put("id", authzAuditEvent.getEventId());
        hashMap.put("access", authzAuditEvent.getAccessType());
        hashMap.put("enforcer", authzAuditEvent.getAclEnforcer());
        hashMap.put("agent", authzAuditEvent.getAgentId());
        hashMap.put("repo", authzAuditEvent.getRepositoryName());
        hashMap.put("sess", authzAuditEvent.getSessionId());
        hashMap.put("reqUser", authzAuditEvent.getUser());
        hashMap.put("reqData", authzAuditEvent.getRequestData());
        hashMap.put("resource", authzAuditEvent.getResourcePath());
        hashMap.put("cliIP", authzAuditEvent.getClientIP());
        hashMap.put("logType", authzAuditEvent.getLogType());
        hashMap.put("result", Short.valueOf(authzAuditEvent.getAccessResult()));
        hashMap.put("policy", Long.valueOf(authzAuditEvent.getPolicyId()));
        hashMap.put("repoType", Integer.valueOf(authzAuditEvent.getRepositoryType()));
        hashMap.put("resType", authzAuditEvent.getResourceType());
        hashMap.put("reason", authzAuditEvent.getResultReason());
        hashMap.put("action", authzAuditEvent.getAction());
        hashMap.put("evtTime", authzAuditEvent.getEventTime());
        hashMap.put("seq_num", Long.valueOf(authzAuditEvent.getSeqNum()));
        hashMap.put("event_count", Long.valueOf(authzAuditEvent.getEventCount()));
        hashMap.put("event_dur_ms", Long.valueOf(authzAuditEvent.getEventDurationMS()));
        hashMap.put("tags", authzAuditEvent.getTags());
        hashMap.put("cluster", authzAuditEvent.getClusterName());
        hashMap.put("zoneName", authzAuditEvent.getZoneName());
        hashMap.put("agentHost", authzAuditEvent.getAgentHostname());
        hashMap.put("policyVersion", authzAuditEvent.getPolicyVersion());
        return hashMap;
    }
}
