package org.apache.atlas.web.filters;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Principal;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Properties;
import java.util.TimeZone;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.Response;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.RequestContext;
import org.apache.atlas.utils.AuthenticationUtil;
import org.apache.atlas.web.listeners.LoginProcessor;
import org.apache.atlas.web.util.Servlets;
import org.apache.commons.collections.iterators.IteratorEnumeration;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.util.Signer;
import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
import org.apache.log4j.NDC;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/* loaded from: input_file:org/apache/atlas/web/filters/AtlasAuthenticationFilter.class */
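/**
 * Servlet filter that layers Atlas-specific behaviour on top of Hadoop's
 * {@link AuthenticationFilter} (Kerberos/SPNEGO with a signed {@code hadoop.auth} cookie).
 *
 * <p>Request routing, as implemented in {@link #doFilter}:
 * <ul>
 *   <li>a request carrying an {@code Authorization} header that starts with {@code "Basic"} is
 *       passed to the next filter untouched;</li>
 *   <li>otherwise, when {@link #isKerberos} is true, {@link #doKerberosAuth} runs;</li>
 *   <li>otherwise the request is passed to the next filter untouched.</li>
 * </ul>
 *
 * <p>Security note: this filter is not a complete gate on its own. Both the {@code Basic} branch
 * and the fall-through at the end of {@link #doKerberosAuth} hand unauthenticated requests to
 * the rest of the chain, so a later filter has to enforce authentication for them.
 * NOTE(review): that later filter is not visible in this file; confirm it is configured.
 */
public class AtlasAuthenticationFilter extends AuthenticationFilter {
    static final String PREFIX = "atlas.authentication.method";
    /** Name of the signed authentication cookie written and parsed by this class. */
    private static final String AUTH_COOKIE_NAME = "hadoop.auth";
    private Signer signer;
    private SignerSecretProvider secretProvider;
    /** Whether Kerberos authentication is enabled; evaluated once when the filter is created. */
    public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled();
    private HttpServlet optionsServlet;
    private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthenticationFilter.class);
    protected static ServletContext nullContext = new NullServletContext();

    /**
     * Creates the filter and initialises it immediately with a {@code null} filter config.
     *
     * <p>An initialisation failure is logged and swallowed, so the instance may exist without a
     * working authentication handler. In that state {@link #doKerberosAuth} dereferences a null
     * handler and the request ends in the {@code NullPointerException} branch of
     * {@link #doFilter} (HTTP 400).
     * NOTE(review): consider failing construction instead of running with a half-initialised
     * authentication filter.
     */
    public AtlasAuthenticationFilter() {
        try {
            LOG.info("AtlasAuthenticationFilter initialization started");
            init(null);
        } catch (ServletException e) {
            // Same message text as before, but the exception is passed too so the stack trace
            // and the root cause are not lost.
            LOG.error("Error while initializing AtlasAuthenticationFilter : " + e.getMessage(), e);
        }
    }

    /**
     * Initialises the Hadoop base filter with a synthetic {@link FilterConfig} and creates the
     * servlet used to answer {@code OPTIONS} requests.
     *
     * <p>The synthetic config exposes no init parameters (the backing map is never populated
     * here), so the effective settings come from {@link #getConfiguration}.
     *
     * @param filterConfig container-supplied config, or {@code null}; only its servlet context is
     *                     used, with {@link #nullContext} as the fallback
     * @throws ServletException if the base filter or the options servlet fails to initialise
     */
    public void init(final FilterConfig filterConfig) throws ServletException {
        LOG.info("AtlasAuthenticationFilter initialization started");
        final HashMap<String, String> initParams = new HashMap<String, String>();
        super.init(new FilterConfig() { // from class: org.apache.atlas.web.filters.AtlasAuthenticationFilter.1
            public ServletContext getServletContext() {
                return filterConfig != null ? filterConfig.getServletContext() : AtlasAuthenticationFilter.nullContext;
            }

            public Enumeration<String> getInitParameterNames() {
                return new IteratorEnumeration(initParams.keySet().iterator());
            }

            public String getInitParameter(String str) {
                return initParams.get(str);
            }

            public String getFilterName() {
                return "AtlasAuthenticationFilter";
            }
        });
        // Bare HttpServlet: only its inherited default handling is used (see doFilter, OPTIONS).
        this.optionsServlet = new HttpServlet() { // from class: org.apache.atlas.web.filters.AtlasAuthenticationFilter.2
        };
        this.optionsServlet.init();
    }

    /**
     * Resolves the {@link SignerSecretProvider} used to sign the authentication cookie and builds
     * the {@link Signer} around it.
     *
     * <p>A provider stored in the servlet context under {@code signer.secret.provider.object}
     * wins; otherwise one is constructed from the base class configuration. Note that this calls
     * {@code super.getConfiguration}, not the override in this class.
     *
     * @param filterConfig filter configuration; must not be {@code null}
     * @throws ServletException if the provider cannot be constructed
     */
    public void initializeSecretProvider(FilterConfig filterConfig) throws ServletException {
        LOG.debug("AtlasAuthenticationFilter :: initializeSecretProvider " + filterConfig);
        this.secretProvider = (SignerSecretProvider) filterConfig.getServletContext().getAttribute("signer.secret.provider.object");
        if (this.secretProvider == null) {
            String configPrefix = filterConfig.getInitParameter("config.prefix");
            String effectivePrefix = configPrefix != null ? configPrefix + "." : "";
            try {
                // NOTE(review): the last argument is presumably Hadoop's
                // "disallowFallbackToRandomSecretProvider" flag; false would then allow a randomly
                // generated signing secret when none is configured, which makes cookies invalid
                // after a restart and across nodes. Confirm against the Hadoop version in use.
                this.secretProvider = AuthenticationFilter.constructSecretProvider(filterConfig.getServletContext(), super.getConfiguration(effectivePrefix, filterConfig), false);
            } catch (Exception e) {
                throw new ServletException(e);
            }
        }
        this.signer = new Signer(this.secretProvider);
    }

    /**
     * Builds the properties handed to the Hadoop authentication handler from the Atlas
     * application configuration.
     *
     * <p>The handler {@code type} is {@code "simple"} when the Kerberos switch is unset or
     * {@code "false"}, {@code "kerberos"} when it is {@code "true"}, and the empty string for any
     * other value. Kerberos name rules, keytab and principal are copied when configured, init
     * parameters of {@code filterConfig} are copied on top, and the principal is resolved against
     * the bind address (or the local host name).
     *
     * @param str          configuration prefix supplied by the base class; not used here
     * @param filterConfig source of additional init parameters
     * @return the assembled handler configuration
     * @throws ServletException if the configuration is unavailable or cannot be resolved
     */
    protected Properties getConfiguration(String str, FilterConfig filterConfig) throws ServletException {
        try {
            Configuration configuration = ApplicationProperties.get();
            if (configuration == null) {
                // Previously this surfaced as a NullPointerException a few lines further down.
                throw new ServletException("Atlas application configuration is not available");
            }
            Properties properties = new Properties();
            String kerberosEnabled = configuration.getString(LoginProcessor.AUTHENTICATION_KERBEROS_METHOD);
            String authType = "";
            if (kerberosEnabled == null || kerberosEnabled.equalsIgnoreCase("false")) {
                LOG.info("No authentication method configured.  Defaulting to simple authentication");
                authType = "simple";
            } else if (kerberosEnabled.equalsIgnoreCase("true")) {
                authType = "kerberos";
            }
            String nameRules = configuration.getString("atlas.authentication.method.kerberos.name.rules");
            if (nameRules != null) {
                properties.put("kerberos.name.rules", nameRules);
            }
            String keytab = configuration.getString("atlas.authentication.method.kerberos.keytab");
            if (keytab != null) {
                properties.put("kerberos.keytab", keytab);
            }
            String configuredPrincipal = configuration.getString("atlas.authentication.method.kerberos.principal");
            if (configuredPrincipal != null) {
                properties.put("kerberos.principal", configuredPrincipal);
            }
            properties.put("type", authType);
            properties.put("cookie.path", "/");
            // Init parameters are applied last and therefore override the values set above.
            Enumeration initParameterNames = filterConfig.getInitParameterNames();
            while (initParameterNames.hasMoreElements()) {
                String name = (String) initParameterNames.nextElement();
                properties.put(name, filterConfig.getInitParameter(name));
            }
            String bindAddress = configuration.getString("atlas.server.bind.address");
            if (bindAddress == null) {
                LOG.info("No host name configured.  Defaulting to local host name.");
                try {
                    bindAddress = InetAddress.getLocalHost().getHostName();
                } catch (UnknownHostException e) {
                    throw new ServletException("Unable to obtain host name", e);
                }
            }
            String principal = properties.getProperty("kerberos.principal");
            if (principal != null) {
                try {
                    properties.put("kerberos.principal", SecurityUtil.getServerPrincipal(principal, bindAddress));
                } catch (IOException e2) {
                    throw new RuntimeException("Could not resolve Kerberos principal name: " + e2.toString(), e2);
                }
            }
            // Dumps every property, including whatever arrived through init parameters.
            // NOTE(review): make sure no secret (for example a signature secret) is ever passed
            // that way, or it ends up in the DEBUG log.
            LOG.debug(" AuthenticationFilterConfig: {}", properties);
            return properties;
        } catch (ServletException e) {
            // Already the declared type; rethrow as-is instead of nesting it in another one.
            throw e;
        } catch (Exception e3) {
            throw new ServletException(e3);
        }
    }

    /**
     * Routes the request to Kerberos authentication or straight down the chain.
     *
     * <p>Requests with an {@code Authorization} header starting with {@code "Basic"} (exact case)
     * and all requests when Kerberos is disabled are forwarded without any check by this filter.
     * With Kerberos enabled, {@link #doKerberosAuth} is called with a wrapping chain that, once
     * invoked, populates the Spring security context, answers {@code OPTIONS} through
     * {@link #optionsServlet}, and records the user for logging before continuing.
     *
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        FilterChain filterChain2 = new FilterChain() { // from class: org.apache.atlas.web.filters.AtlasAuthenticationFilter.3
            public void doFilter(ServletRequest servletRequest2, ServletResponse servletResponse2) throws IOException, ServletException {
                HttpServletRequest chainRequest = (HttpServletRequest) servletRequest2;
                HttpServletResponse chainResponse = (HttpServletResponse) servletResponse2;
                if (isKerberos) {
                    Authentication existing = SecurityContextHolder.getContext().getAuthentication();
                    // The user name is taken from the Set-Cookie header this filter has just
                    // written on the response (server-generated), with the request's remote user
                    // as fallback.
                    String userName = readUserFromCookie(chainResponse);
                    if (StringUtils.isEmpty(userName) && !StringUtils.isEmpty(chainRequest.getRemoteUser())) {
                        userName = chainRequest.getRemoteUser();
                    }
                    if ((existing == null || !existing.isAuthenticated()) && !StringUtils.isEmpty(userName)) {
                        // NOTE(review): the granted authorities are the group names of
                        // UserGroupInformation.getLoginUser(), i.e. the identity this server
                        // process logged in as, not the groups of the authenticated caller.
                        // Every Kerberos user therefore receives the same authorities; confirm
                        // this is intended before relying on them for authorisation.
                        String[] groupNames = UserGroupInformation.getLoginUser().getGroupNames();
                        ArrayList<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
                        for (String groupName : groupNames) {
                            authorities.add(new SimpleGrantedAuthority(groupName));
                        }
                        AbstractAuthenticationToken springToken = new UsernamePasswordAuthenticationToken(new User(userName, "", authorities), "", authorities);
                        springToken.setDetails(new WebAuthenticationDetails(chainRequest));
                        SecurityContextHolder.getContext().setAuthentication(springToken);
                        servletRequest.setAttribute("atlas.http.authentication.type", true);
                        LOG.info("Logged into Atlas as = " + userName);
                    }
                }
                if ("OPTIONS".equals(chainRequest.getMethod())) {
                    // Served with the original (unwrapped) request and response.
                    optionsServlet.service(servletRequest, servletResponse);
                    return;
                }
                try {
                    String remoteUser = chainRequest.getRemoteUser();
                    // Method and URI are request-controlled values that end up in the log context
                    // and in the log line below; the log layout should neutralise CR/LF.
                    NDC.push(remoteUser + ":" + chainRequest.getMethod() + chainRequest.getRequestURI());
                    RequestContext requestContext = RequestContext.get();
                    if (requestContext != null) {
                        requestContext.setUser(remoteUser);
                    }
                    // remoteUser may be null here when doKerberosAuth fell through without a token.
                    LOG.info("Request from authenticated user: {}, URL={}", remoteUser, Servlets.getRequestURI(chainRequest));
                    filterChain.doFilter(servletRequest2, servletResponse2);
                } finally {
                    NDC.pop();
                }
            }
        };
        try {
            String authorization = httpServletRequest.getHeader("Authorization");
            if (authorization != null && authorization.startsWith("Basic")) {
                // Basic credentials are not validated here; a later filter has to do that.
                filterChain.doFilter(servletRequest, servletResponse);
            } else if (this.isKerberos) {
                doKerberosAuth(servletRequest, servletResponse, filterChain2);
            } else {
                filterChain.doFilter(servletRequest, servletResponse);
            }
        } catch (NullPointerException e) {
            // NOTE(review): this also catches NullPointerExceptions raised anywhere further down
            // the chain and reports them to the client as a missing user; consider narrowing it.
            LOG.error("Exception in AtlasAuthenticationFilter ", e);
            HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
            if (!httpResponse.isCommitted()) {
                // sendError on a committed response would throw IllegalStateException.
                httpResponse.sendError(Response.Status.BAD_REQUEST.getStatusCode(), "Authentication is enabled and user is not specified. Specify user.name parameter");
            }
        }
    }

    /**
     * Runs the Hadoop token/handler authentication flow and, on success, continues the chain with
     * a request wrapper that reports the token's user, type and principal.
     *
     * <p>Outcome when no token could be established and the response is not yet committed:
     * <ul>
     *   <li>the auth cookie is cleared (empty value, expiry at the epoch);</li>
     *   <li>if an {@link AuthenticationException} was recorded, an error is sent: 401 when the
     *       handler set {@code WWW-Authenticate}, otherwise 403;</li>
     *   <li>otherwise the chain is continued with the <em>original, unauthenticated</em> request
     *       when either no {@code Authorization} header is present and no {@code JSESSIONID}
     *       cookie is being set, or the header starts with {@code "Basic"}; in all remaining
     *       cases the method returns and leaves the handler's response as it is.</li>
     * </ul>
     *
     * @param servletRequest  incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain     chain to continue with
     * @throws IOException      propagated from the chain or the response
     * @throws ServletException propagated from the chain
     */
    public void doKerberosAuth(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        AuthenticationToken token;
        boolean unauthorizedResponse = true;
        int errorCode = 401;
        AuthenticationException authenticationException = null;
        // Declared as HttpServletRequest: getToken, getHeader and the wrapper below need it.
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        boolean isHttps = "https".equals(httpRequest.getScheme());
        AuthenticationHandler authHandler = getAuthenticationHandler();
        boolean newToken = false;
        try {
            try {
                token = getToken(httpRequest);
            } catch (AuthenticationException e) {
                // An invalid cookie token is ignored, but remembered for the error response.
                LOG.warn("AuthenticationToken ignored: " + e.getMessage());
                authenticationException = e;
                token = null;
            }
            if (authHandler.managementOperation(token, httpRequest, httpResponse)) {
                if (token == null) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Request [{}] triggering authentication", getRequestURL(httpRequest));
                    }
                    token = authHandler.authenticate(httpRequest, httpResponse);
                    if (token != null && token.getExpires() != 0 && token != AuthenticationToken.ANONYMOUS) {
                        token.setExpires(System.currentTimeMillis() + (getValidity() * 1000));
                    }
                    newToken = true;
                }
                if (token != null) {
                    unauthorizedResponse = false;
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Request [{}] user [{}] authenticated", getRequestURL(httpRequest), token.getUserName());
                    }
                    final AuthenticationToken authenticatedToken = token;
                    httpRequest = new HttpServletRequestWrapper(httpRequest) { // from class: org.apache.atlas.web.filters.AtlasAuthenticationFilter.4
                        public String getAuthType() {
                            return authenticatedToken.getType();
                        }

                        public String getRemoteUser() {
                            return authenticatedToken.getUserName();
                        }

                        public Principal getUserPrincipal() {
                            if (authenticatedToken != AuthenticationToken.ANONYMOUS) {
                                return authenticatedToken;
                            }
                            return null;
                        }
                    };
                    // Only a freshly issued, unexpired, non-anonymous token is sent as a cookie.
                    if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS) {
                        createAuthCookie(httpResponse, this.signer.sign(token.toString()), getCookieDomain(), getCookiePath(), token.getExpires(), isHttps);
                    }
                    filterChain.doFilter(httpRequest, httpResponse);
                }
            } else {
                // The handler fully answered a management operation itself.
                unauthorizedResponse = false;
            }
        } catch (AuthenticationException e2) {
            errorCode = 403;
            authenticationException = e2;
            LOG.warn("Authentication exception: " + e2.getMessage(), e2);
        }
        if (!unauthorizedResponse || httpResponse.isCommitted()) {
            return;
        }
        // Clear any stale auth cookie on the client.
        createAuthCookie(httpResponse, "", getCookieDomain(), getCookiePath(), 0L, isHttps);
        if (errorCode == 401 && !httpResponse.containsHeader("WWW-Authenticate")) {
            errorCode = 403;
        }
        if (authenticationException != null) {
            // The exception message is returned to the client verbatim.
            httpResponse.sendError(errorCode, authenticationException.getMessage());
            return;
        }
        // getHeader returns a single value per name, so a JSESSIONID cookie that is not the
        // first Set-Cookie header is not detected here.
        boolean noSessionCookie = true;
        for (String headerName : httpResponse.getHeaderNames()) {
            String headerValue = httpResponse.getHeader(headerName);
            if (headerName.equalsIgnoreCase("Set-Cookie") && headerValue.startsWith("JSESSIONID")) {
                noSessionCookie = false;
                break;
            }
        }
        String authorization = httpRequest.getHeader("Authorization");
        boolean anonymousWithoutSession = authorization == null && noSessionCookie;
        boolean basicCredentials = authorization != null && authorization.startsWith("Basic");
        if (anonymousWithoutSession || basicCredentials) {
            // Security-relevant: the request continues WITHOUT an authenticated Kerberos user.
            // Enforcement for these requests rests entirely on the filters that follow.
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** Destroys the options servlet, if it was created, and then the base filter. */
    public void destroy() {
        // init() may have failed before the servlet was assigned (the constructor swallows that).
        if (this.optionsServlet != null) {
            this.optionsServlet.destroy();
        }
        super.destroy();
    }

    /** Tells whether {@code value} starts with the auth cookie name, ignoring case and locale. */
    private static boolean startsWithAuthCookieName(String value) {
        return value.toLowerCase(Locale.ROOT).startsWith(AUTH_COOKIE_NAME);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Extracts the user name ({@code u=...&}) from a {@code hadoop.auth} {@code Set-Cookie} header
     * on the response.
     *
     * <p>This parses the value without verifying its signature, which is only acceptable because
     * it reads headers the server itself has put on the <em>response</em>. It must not be used on
     * anything that comes from the client. When several matching headers exist, the last one
     * wins.
     *
     * @param httpServletResponse response whose {@code Set-Cookie} headers are inspected
     * @return the user name, or {@code null} if no matching cookie is present
     */
    public static String readUserFromCookie(HttpServletResponse httpServletResponse) {
        if (!httpServletResponse.containsHeader("Set-Cookie")) {
            return null;
        }
        Collection<String> headers = httpServletResponse.getHeaders("Set-Cookie");
        if (headers == null) {
            return null;
        }
        String userName = null;
        for (String header : headers) {
            if (StringUtils.isEmpty(header) || !startsWithAuthCookieName(header) || !header.contains("u=")) {
                continue;
            }
            for (String segment : header.split(";")) {
                if (StringUtils.isEmpty(segment) || !startsWithAuthCookieName(segment)) {
                    continue;
                }
                int userStart = segment.indexOf("u=");
                if (userStart == -1) {
                    continue;
                }
                int userEnd = segment.indexOf("&", userStart);
                if (userEnd == -1) {
                    continue;
                }
                // userEnd is always >= userStart + 2, so substring cannot throw here.
                userName = segment.substring(userStart + 2, userEnd);
                break;
            }
        }
        return userName;
    }

    /**
     * Adds a {@code Set-Cookie} header for the {@code hadoop.auth} cookie to the response.
     *
     * <p>{@code HttpOnly} is always set; {@code Secure} only when {@code z} is true. No
     * {@code SameSite} attribute is emitted. The value, path and domain are appended as given, so
     * callers must pass only server-controlled strings.
     *
     * @param httpServletResponse response to add the header to
     * @param str  cookie value (the signed token); {@code null} or empty writes an empty value
     * @param str2 cookie domain, or {@code null} to omit the attribute
     * @param str3 cookie path, or {@code null} to omit the attribute
     * @param j    expiry in milliseconds since the epoch; negative omits {@code Expires}, and
     *             {@code 0} yields an expiry at the epoch, which is how the cookie is cleared
     * @param z    whether to mark the cookie {@code Secure}
     */
    public static void createAuthCookie(HttpServletResponse httpServletResponse, String str, String str2, String str3, long j, boolean z) {
        StringBuilder cookie = new StringBuilder(AUTH_COOKIE_NAME).append("=");
        if (str != null && str.length() > 0) {
            cookie.append("\"").append(str).append("\"");
        }
        cookie.append("; Version=1");
        if (str3 != null) {
            cookie.append("; Path=").append(str3);
        }
        if (str2 != null) {
            cookie.append("; Domain=").append(str2);
        }
        if (j >= 0) {
            // Fixed English locale: with the JVM default locale the day and month names could be
            // localised, producing an Expires date that browsers do not parse.
            SimpleDateFormat expiresFormat = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz", Locale.US);
            expiresFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
            cookie.append("; Expires=").append(expiresFormat.format(new Date(j)));
        }
        if (z) {
            cookie.append("; Secure");
        }
        cookie.append("; HttpOnly");
        httpServletResponse.addHeader("Set-Cookie", cookie.toString());
    }
}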
