package org.apache.sentry.binding.solr.authz;

import com.google.common.base.Preconditions;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.http.auth.BasicUserPrincipal;
import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.solr.AdminOperation;
import org.apache.sentry.core.model.solr.SolrModelAction;
import org.apache.sentry.provider.file.SimpleFileProviderBackend;
import org.apache.solr.common.SolrException;
import org.apache.solr.security.AuthorizationContext;
import org.apache.solr.security.AuthorizationPlugin;
import org.apache.solr.security.AuthorizationResponse;
import org.apache.solr.security.PermissionNameProvider;
import org.apache.solr.sentry.AuditLogger;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.class */
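public class SentrySolrPluginImpl implements AuthorizationPlugin {
    private static final Logger LOG = LoggerFactory.getLogger(SentrySolrPluginImpl.class);

    /** Plugin-config key: prefix prepended to each auth config name when it is looked up as a JVM system property. */
    private static final String SYSPROP_PREFIX_PROPERTY = "sysPropPrefix";
    /** Plugin-config key: the config names to resolve (system property first, then {@code defaultConfigs}). */
    private static final String AUTH_CONFIG_NAMES_PROPERTY = "authConfigs";
    /** Plugin-config key: fallback values for the names listed under {@code authConfigs}. */
    private static final String DEFAULT_AUTH_CONFIGS_PROPERTY = "defaultConfigs";
    /** Path of the sentry-site file; required. */
    public static final String SNTRY_SITE_LOCATION_PROPERTY = "authorization.sentry.site";
    /** Short user name that bypasses every Sentry check in {@link #authorize}; required. */
    public static final String SENTRY_SOLR_AUTH_SUPERUSER = "authorization.superuser";
    /** "true"/"false": whether an {@link AuditLogger} is created; required. */
    public static final String SENTRY_ENABLE_SOLR_AUDITLOG = "authorization.enable.auditlog";
    /** Optional directory from which Hadoop client config files are loaded (see {@link #HADOOP_CONFIG_FILES}). */
    public static final String SENTRY_HADOOP_CONF_DIR_PROPERTY = "authorization.sentry.hadoop.conf";
    /** Kerberos principal used for the keytab login; required only when Kerberos login is triggered. */
    public static final String SENTRY_HDFS_KERBEROS_PRINCIPAL = "authorization.hdfs.kerberos.principal";
    /** Keytab file used for the Kerberos login; required only when Kerberos login is triggered. */
    public static final String SENTRY_HDFS_KERBEROS_KEYTAB = "authorization.hdfs.kerberos.keytabfile";

    /** Files picked up from the Hadoop conf directory, in the order they are added to the configuration. */
    private static final List<String> HADOOP_CONFIG_FILES =
            Collections.unmodifiableList(Arrays.asList("core-site.xml", "hdfs-site.xml", "ssl-client.xml"));

    private String solrSuperUser;
    private SolrAuthzBinding binding;
    private Optional<AuditLogger> auditLog = Optional.empty();

    /**
     * Resolves the plugin's configuration and builds the Sentry binding.
     *
     * <p>For every name in {@code authConfigs} the value is taken from the system property
     * {@code <sysPropPrefix><name>} (default prefix {@code "solr."}), falling back to the entry in
     * {@code defaultConfigs}; names that resolve to {@code null} are dropped.
     *
     * @param pluginConfig the raw plugin configuration as supplied by Solr
     */
    @Override
    @SuppressWarnings("unchecked") // values under these keys are untyped in the Solr plugin config map
    public void init(Map<String, Object> pluginConfig) {
        String sysPropPrefix = (String) pluginConfig.getOrDefault(SYSPROP_PREFIX_PROPERTY, "solr.");
        Collection<String> configNames =
                (Collection<String>) pluginConfig.getOrDefault(AUTH_CONFIG_NAMES_PROPERTY, Collections.emptyList());
        Map<String, String> defaults =
                (Map<String, String>) pluginConfig.getOrDefault(DEFAULT_AUTH_CONFIGS_PROPERTY, Collections.emptyMap());

        Map<String, String> resolved = new HashMap<>();
        for (String name : configNames) {
            String value = System.getProperty(sysPropPrefix + name, defaults.get(name));
            if (value != null) {
                resolved.put(name, value);
            }
        }
        initializeSentry(resolved);
    }

    /**
     * Releases the Sentry binding, if one was created.
     *
     * @throws IOException if the binding fails to close
     */
    @Override
    public void close() throws IOException {
        if (this.binding != null) {
            this.binding.close();
        }
    }

    /**
     * Authorizes a Solr request against Sentry.
     *
     * <p>Unauthenticated requests get {@link AuthorizationResponse#PROMPT}; the configured superuser is
     * always allowed. For handlers that expose a {@link PermissionNameProvider.Name}, the check depends on
     * the permission: collection reads/updates check every named collection, admin permissions check the
     * admin operation and then any collections the operation touches, and the remaining permissions map to
     * a single authorizable.
     *
     * @param ctx the request context supplied by Solr
     * @return the authorization decision
     */
    @Override
    public AuthorizationResponse authorize(AuthorizationContext ctx) {
        if (ctx.getUserPrincipal() == null) {
            // No authenticated identity: ask Solr to challenge the client.
            return AuthorizationResponse.PROMPT;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Authorizing a request with authorization context {} ", SolrAuthzUtil.toString(ctx));
        }
        String userName = getShortUserName(ctx.getUserPrincipal());
        if (this.solrSuperUser.equals(userName)) {
            return AuthorizationResponse.OK;
        }
        if (!(ctx.getHandler() instanceof PermissionNameProvider)) {
            // NOTE(review): handlers that do not expose a permission name are allowed through
            // unconditionally (fail-open). This preserves the existing behaviour — confirm it is intended.
            return AuthorizationResponse.OK;
        }

        Subject subject = new Subject(userName);
        PermissionNameProvider.Name perm = ((PermissionNameProvider) ctx.getHandler()).getPermissionName(ctx);
        switch (perm) {
            case READ_PERM:
            case UPDATE_PERM:
                return authorizeCollectionRequests(subject, perm, ctx);
            case SECURITY_EDIT_PERM:
                return this.binding.authorize(subject, Collections.singleton(AdminOperation.SECURITY), SolrAuthzBinding.UPDATE);
            case SECURITY_READ_PERM:
                return this.binding.authorize(subject, Collections.singleton(AdminOperation.SECURITY), SolrAuthzBinding.QUERY);
            case CORE_READ_PERM:
            case CORE_EDIT_PERM:
            case COLL_READ_PERM:
            case COLL_EDIT_PERM:
                return authorizeAdminRequest(subject, perm, ctx);
            case CONFIG_EDIT_PERM:
                return this.binding.authorize(subject, SolrAuthzUtil.getConfigAuthorizables(ctx), SolrAuthzBinding.UPDATE);
            case CONFIG_READ_PERM:
                return this.binding.authorize(subject, SolrAuthzUtil.getConfigAuthorizables(ctx), SolrAuthzBinding.QUERY);
            case SCHEMA_EDIT_PERM:
                return this.binding.authorize(subject, SolrAuthzUtil.getSchemaAuthorizables(ctx), SolrAuthzBinding.UPDATE);
            case SCHEMA_READ_PERM:
                return this.binding.authorize(subject, SolrAuthzUtil.getSchemaAuthorizables(ctx), SolrAuthzBinding.QUERY);
            case METRICS_READ_PERM:
                return this.binding.authorize(subject, Collections.singleton(AdminOperation.METRICS), SolrAuthzBinding.QUERY);
            case AUTOSCALING_READ_PERM:
            case AUTOSCALING_HISTORY_READ_PERM:
                return this.binding.authorize(subject, Collections.singleton(AdminOperation.AUTOSCALING), SolrAuthzBinding.QUERY);
            case AUTOSCALING_WRITE_PERM:
                return this.binding.authorize(subject, Collections.singleton(AdminOperation.AUTOSCALING), SolrAuthzBinding.UPDATE);
            case ALL:
                return AuthorizationResponse.OK;
            default:
                // NOTE(review): permission names not listed above also fall through to OK (fail-open),
                // as in the original control flow — confirm before relying on it.
                return AuthorizationResponse.OK;
        }
    }

    /**
     * READ_PERM / UPDATE_PERM: every collection named in the request must allow the action.
     * A request naming no collections is denied (the initial value is returned unchanged).
     * The decision is audited exactly once.
     */
    private AuthorizationResponse authorizeCollectionRequests(Subject subject, PermissionNameProvider.Name perm,
            AuthorizationContext ctx) {
        Set<SolrModelAction> actions =
                perm == PermissionNameProvider.Name.READ_PERM ? SolrAuthzBinding.QUERY : SolrAuthzBinding.UPDATE;
        AuthorizationResponse resp = AuthorizationResponse.FORBIDDEN;
        for (AuthorizationContext.CollectionRequest req : ctx.getCollectionRequests()) {
            resp = this.binding.authorizeCollection(subject,
                    new org.apache.sentry.core.model.solr.Collection(req.collectionName), actions);
            if (!AuthorizationResponse.OK.equals(resp)) {
                break; // first denial wins
            }
        }
        audit(perm, ctx, resp);
        return resp;
    }

    /**
     * CORE_*/COLL_* permissions: first the admin operation itself must be allowed, then every collection
     * the operation touches must allow the corresponding action. Each stage is audited.
     */
    private AuthorizationResponse authorizeAdminRequest(Subject subject, PermissionNameProvider.Name perm,
            AuthorizationContext ctx) {
        boolean collectionsApi = perm == PermissionNameProvider.Name.COLL_READ_PERM
                || perm == PermissionNameProvider.Name.COLL_EDIT_PERM;
        boolean readOnly = perm == PermissionNameProvider.Name.COLL_READ_PERM
                || perm == PermissionNameProvider.Name.CORE_READ_PERM;
        AdminOperation op = collectionsApi ? AdminOperation.COLLECTIONS : AdminOperation.CORES;
        Set<SolrModelAction> actions = readOnly ? SolrAuthzBinding.QUERY : SolrAuthzBinding.UPDATE;

        AuthorizationResponse resp = this.binding.authorize(subject, Collections.singleton(op), actions);
        audit(perm, ctx, resp);
        if (!AuthorizationResponse.OK.equals(resp)) {
            return resp;
        }
        for (Map.Entry<String, SolrModelAction> entry : SolrAuthzUtil.getCollectionsForAdminOp(ctx).entrySet()) {
            resp = this.binding.authorizeCollection(subject,
                    new org.apache.sentry.core.model.solr.Collection(entry.getKey()),
                    Collections.singleton(entry.getValue()));
            PermissionNameProvider.Name auditedAs = SolrModelAction.UPDATE.equals(entry.getValue())
                    ? PermissionNameProvider.Name.UPDATE_PERM
                    : PermissionNameProvider.Name.READ_PERM;
            audit(auditedAs, ctx, resp);
            if (!AuthorizationResponse.OK.equals(resp)) {
                // Fix: the loop previously had an empty body here, so a later collection's OK could
                // overwrite an earlier denial and the request would be allowed. Stop at the first denial.
                break;
            }
        }
        return resp;
    }

    /**
     * Returns the Sentry roles of the given user, as reported by the binding.
     *
     * @param userName the short user name
     * @return the user's roles
     */
    public Set<String> getRoles(String userName) {
        return this.binding.getRoles(userName);
    }

    /**
     * Builds the {@link SolrAuthzConf}, performs the Kerberos login when required, creates the
     * {@link SolrAuthzBinding} and reads the superuser / audit-log settings.
     *
     * @param authConfigs the resolved auth configuration (see {@link #init})
     * @throws NullPointerException if a required property is missing
     * @throws SolrException if any step of the initialization fails
     */
    private void initializeSentry(Map<String, String> authConfigs) {
        String sentrySite = Preconditions.checkNotNull(authConfigs.get(SNTRY_SITE_LOCATION_PROPERTY),
                "The authorization plugin configuration is missing authorization.sentry.site property");
        try {
            List<URL> configUrls = getHadoopConfigFiles(authConfigs.get(SENTRY_HADOOP_CONF_DIR_PROPERTY));
            // sentry-site is added last so that it is applied after the Hadoop client configs.
            configUrls.add(new File(sentrySite).toURI().toURL());
            SolrAuthzConf authzConf = new SolrAuthzConf(configUrls);

            if (shouldInitializeKerberos(authzConf)) {
                String keytab = Preconditions.checkNotNull(authConfigs.get(SENTRY_HDFS_KERBEROS_KEYTAB),
                        "The authorization plugin is missing the authorization.hdfs.kerberos.keytabfile property.");
                String principal = Preconditions.checkNotNull(authConfigs.get(SENTRY_HDFS_KERBEROS_PRINCIPAL),
                        "The authorization plugin is missing the authorization.hdfs.kerberos.principal property.");
                initKerberos(authzConf, keytab, principal);
            }

            this.binding = new SolrAuthzBinding(authzConf);
            LOG.info("SolrAuthzBinding created successfully");
            this.solrSuperUser = Preconditions.checkNotNull(authConfigs.get(SENTRY_SOLR_AUTH_SUPERUSER));
            if (Boolean.parseBoolean(Preconditions.checkNotNull(authConfigs.get(SENTRY_ENABLE_SOLR_AUDITLOG)))) {
                this.auditLog = Optional.of(new AuditLogger());
            }
        } catch (Exception e) {
            // Boundary: every failure (including SolrExceptions raised by the helpers above) is
            // reported to Solr as a server error with the original exception as cause.
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Unable to create SolrAuthzBinding", e);
        }
    }

    /**
     * Writes an audit record for a decision, when audit logging is enabled. Only collection
     * read/update and core/collection admin permissions are audited; other permissions are ignored.
     */
    private void audit(PermissionNameProvider.Name perm, AuthorizationContext ctx, AuthorizationResponse resp) {
        if (!this.auditLog.isPresent() || !this.auditLog.get().isLogEnabled()) {
            return;
        }
        AuditLogger logger = this.auditLog.get();
        String userName = getShortUserName(ctx.getUserPrincipal());
        String remoteAddr = ctx.getRemoteAddr();
        long now = System.currentTimeMillis();
        int allowed = resp.statusCode == AuthorizationResponse.OK.statusCode ? 1 : 0;
        String params = ctx.getParams().toString();

        switch (perm) {
            case READ_PERM:
            case UPDATE_PERM: {
                List<String> collectionNames = new ArrayList<>();
                for (AuthorizationContext.CollectionRequest req : ctx.getCollectionRequests()) {
                    collectionNames.add(req.collectionName);
                }
                logger.log(userName, null, remoteAddr,
                        perm == PermissionNameProvider.Name.READ_PERM ? "query" : "update",
                        params, now, allowed, String.join(",", collectionNames));
                return;
            }
            case CORE_READ_PERM:
            case CORE_EDIT_PERM: {
                String action = ctx.getParams().get("action");
                logger.log(userName, null, remoteAddr,
                        action != null ? "CoreAdminAction." + action : "CoreAdminAction.STATUS",
                        params, now, allowed, "admin");
                return;
            }
            case COLL_READ_PERM:
            case COLL_EDIT_PERM: {
                String action = ctx.getParams().get("action");
                logger.log(userName, null, remoteAddr,
                        action != null ? "CollectionAction." + action : ctx.getHandler().getClass().getName(),
                        params, now, allowed, "admin");
                return;
            }
            default:
                return;
        }
    }

    /**
     * Maps an authenticated principal to the short user name Sentry policies are written against.
     * Basic-auth principals are used verbatim; any other principal name is passed through the
     * configured Kerberos auth-to-local rules.
     *
     * @param principal the authenticated principal (its name is assumed non-null)
     * @return the short user name
     * @throws SolrException if the Kerberos name cannot be converted
     */
    public static String getShortUserName(Principal principal) {
        if (principal instanceof BasicUserPrincipal) {
            return principal.getName();
        }
        try {
            return new KerberosName(principal.getName()).getShortName();
        } catch (IOException e) {
            LOG.error("Error converting kerberos name. principal = {}, KerberosName.rules = {}",
                    principal, KerberosName.getRules());
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR,
                    "Unexpected error converting a kerberos name", e);
        }
    }

    /**
     * Collects the URLs of the known Hadoop config files present in {@code confDir}.
     *
     * @param confDir the directory to scan; {@code null} or empty yields an empty list
     * @return a mutable list of file URLs, in {@link #HADOOP_CONFIG_FILES} order, missing files skipped
     * @throws SolrException if the directory does not exist, is not a directory, or is not readable
     */
    private List<URL> getHadoopConfigFiles(String confDir) {
        List<URL> urls = new ArrayList<>();
        if (confDir == null || confDir.isEmpty()) {
            return urls;
        }
        File dir = new File(confDir);
        if (!dir.exists()) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR,
                    "Specified Sentry hadoop config directory does not exist: " + dir.getAbsolutePath());
        }
        if (!dir.isDirectory()) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR,
                    "Specified Sentry hadoop config directory path is not a directory: " + dir.getAbsolutePath());
        }
        if (!dir.canRead()) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR,
                    "Specified Sentry hadoop config directory must be readable by the Solr process: " + dir.getAbsolutePath());
        }
        for (String fileName : HADOOP_CONFIG_FILES) {
            File configFile = new File(dir, fileName);
            if (!configFile.exists()) {
                continue;
            }
            try {
                urls.add(configFile.toURI().toURL());
            } catch (MalformedURLException e) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e.getMessage(), e);
            }
        }
        return urls;
    }

    /**
     * Logs in from the keytab via {@link UserGroupInformation}. UGI login state is process-global,
     * so the call is serialized on the class.
     *
     * @throws SolrException if the login fails
     */
    private void initKerberos(SolrAuthzConf authzConf, String keytab, String principal) {
        synchronized (SentrySolrPluginImpl.class) {
            UserGroupInformation.setConfiguration(authzConf);
            LOG.info("Attempting to acquire kerberos ticket with keytab: {}, principal: {} ", keytab, principal);
            try {
                UserGroupInformation.loginUserFromKeytab(principal, keytab);
                LOG.info("Got Kerberos ticket");
            } catch (IOException e) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
            }
        }
    }

    /**
     * Kerberos login is needed only when the file-based provider backend is configured and Hadoop
     * authentication is set to {@code kerberos}.
     */
    private boolean shouldInitializeKerberos(SolrAuthzConf authzConf) {
        boolean fileBackend = SimpleFileProviderBackend.class.getName()
                .equals(authzConf.get(SolrAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar()));
        boolean kerberosAuth = "kerberos".equalsIgnoreCase(authzConf.get("hadoop.security.authentication"));
        return fileBackend && kerberosAuth;
    }
}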
