package org.apache.solr.security;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.invoke.MethodHandles;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.commons.collections.iterators.IteratorEnumeration;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
import org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenManager;
import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder;
import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
import org.apache.solr.cloud.ZkController;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
import org.apache.solr.common.util.SuppressForbidden;
import org.apache.solr.core.CoreContainer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:Disk1/InstData/Resource1.zip:$IA_PROJECT_DIR$/hotfix/dist_zg_ia_sf.jar:cfusion/jetty/webapps/solr.war:WEB-INF/lib/solr-core-7.2.1.jar:org/apache/solr/security/KerberosPlugin.class */
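/**
 * Authentication plugin that hands each request to a servlet {@link Filter} configured for
 * Kerberos (optionally with delegation tokens).
 *
 * <p>All filter settings are read from JVM system properties named by the {@code *_PARAM} and
 * {@code DELEGATION_TOKEN_*} constants below; the plugin configuration map passed to
 * {@link #init(Map)} is not consulted by the code in this class.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Impersonation rules (properties starting with {@link #IMPERSONATOR_PREFIX}) are rejected
 *       unless delegation tokens are enabled.</li>
 *   <li>{@link #doAuthenticate} fails closed: if the filter did not record whether the request
 *       may continue, the method returns {@code false}.</li>
 *   <li>The complete filter parameter map is logged at INFO during configuration.</li>
 * </ul>
 */
public class KerberosPlugin extends AuthenticationPlugin implements HttpClientBuilderPlugin {
    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
    Krb5HttpClientBuilder kerberosBuilder = new Krb5HttpClientBuilder();
    // Assigned by getInitFilterConfig() (or setKerberosFilter()); null until one of them has run.
    private Filter kerberosFilter;
    public static final String NAME_RULES_PARAM = "solr.kerberos.name.rules";
    public static final String COOKIE_DOMAIN_PARAM = "solr.kerberos.cookie.domain";
    public static final String COOKIE_PATH_PARAM = "solr.kerberos.cookie.path";
    public static final String PRINCIPAL_PARAM = "solr.kerberos.principal";
    public static final String KEYTAB_PARAM = "solr.kerberos.keytab";
    public static final String TOKEN_VALID_PARAM = "solr.kerberos.token.valid";
    public static final String COOKIE_PORT_AWARE_PARAM = "solr.kerberos.cookie.portaware";
    public static final String IMPERSONATOR_PREFIX = "solr.kerberos.impersonator.user.";
    public static final String DELEGATION_TOKEN_ENABLED = "solr.kerberos.delegation.token.enabled";
    public static final String DELEGATION_TOKEN_KIND = "solr.kerberos.delegation.token.kind";
    public static final String DELEGATION_TOKEN_VALIDITY = "solr.kerberos.delegation.token.validity";
    public static final String DELEGATION_TOKEN_SECRET_PROVIDER = "solr.kerberos.delegation.token.signer.secret.provider";
    // The property name really is spelled "zookeper" (one 'e'). It is the key looked up at runtime,
    // so a correctly spelled property would be silently ignored and the "/token" default used.
    public static final String DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH = "solr.kerberos.delegation.token.signer.secret.provider.zookeper.path";
    public static final String DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH = "solr.kerberos.delegation.token.secret.manager.znode.working.path";
    public static final String DELEGATION_TOKEN_TYPE_DEFAULT = "solr-dt";
    public static final String IMPERSONATOR_DO_AS_HTTP_PARAM = "doAs";
    public static final String IMPERSONATOR_USER_NAME = "solr.impersonator.user.name";
    static final String DELEGATION_TOKEN_ZK_CLIENT = "solr.kerberos.delegation.token.zk.client";
    private final CoreContainer coreContainer;

    /**
     * @param coreContainer container queried for ZooKeeper awareness and the {@link ZkController}
     */
    public KerberosPlugin(CoreContainer coreContainer) {
        this.coreContainer = coreContainer;
    }

    /**
     * Builds the filter configuration from system properties and initialises the filter with it.
     *
     * @param map plugin configuration; passed through to {@link #getInitFilterConfig}
     * @throws SolrException with {@code SERVER_ERROR} if a required property is missing or the
     *     filter fails to initialise
     */
    @Override
    public void init(Map<String, Object> map) {
        try {
            // Build the config in its own statement: getInitFilterConfig() is what assigns
            // kerberosFilter, and Java evaluates a call's target before its arguments, so
            // "kerberosFilter.init(getInitFilterConfig(...))" would dereference the stale (null) field.
            FilterConfig filterConfig = getInitFilterConfig(map, false);
            this.kerberosFilter.init(filterConfig);
        } catch (ServletException e) {
            // Keep the original exception as the cause so the stack trace is not lost.
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error initializing kerberos authentication plugin: " + e, e);
        }
    }

    /**
     * Assembles the init parameters for the Kerberos filter from JVM system properties and, as a
     * side effect, creates the filter instance stored in this plugin.
     *
     * @param map plugin configuration; not read by this method
     * @param z when {@code true}, the principal and keytab properties are optional; when
     *     {@code false}, a missing principal or keytab raises a {@link SolrException}
     * @return a {@link FilterConfig} exposing the collected parameters and a servlet context that
     *     carries the ZooKeeper client when a {@link ZkController} is available
     * @throws SolrException with {@code SERVER_ERROR} if a required property is missing, or if
     *     impersonator properties are set while delegation tokens are disabled
     */
    @VisibleForTesting
    protected FilterConfig getInitFilterConfig(Map<String, Object> map, boolean z) {
        final Map<String, String> params = new HashMap<>();
        params.put("type", KerberosAuthenticationHandler.TYPE);
        putParam(params, KerberosAuthenticationHandler.NAME_RULES, NAME_RULES_PARAM, "DEFAULT");
        putParam(params, "token.valid", TOKEN_VALID_PARAM, "30");
        putParam(params, AuthenticationFilter.COOKIE_PATH, COOKIE_PATH_PARAM, "/");
        if (z) {
            putParamOptional(params, KerberosAuthenticationHandler.PRINCIPAL, PRINCIPAL_PARAM);
            putParamOptional(params, KerberosAuthenticationHandler.KEYTAB, KEYTAB_PARAM);
        } else {
            // No default: a server without principal and keytab must not start.
            putParam(params, KerberosAuthenticationHandler.PRINCIPAL, PRINCIPAL_PARAM, null);
            putParam(params, KerberosAuthenticationHandler.KEYTAB, KEYTAB_PARAM, null);
        }

        // Boolean.parseBoolean(null) is false, so an unset property means "disabled".
        final boolean delegationTokensEnabled = Boolean.parseBoolean(System.getProperty(DELEGATION_TOKEN_ENABLED));
        // Only dereferenced below under isZooKeeperAware(); null-checked before the ZK client is published.
        final ZkController zkController = this.coreContainer.getZkController();

        if (delegationTokensEnabled) {
            putParam(params, DelegationTokenAuthenticationHandler.TOKEN_KIND, DELEGATION_TOKEN_KIND, DELEGATION_TOKEN_TYPE_DEFAULT);
            if (this.coreContainer.isZooKeeperAware()) {
                putParam(params, AuthenticationFilter.SIGNER_SECRET_PROVIDER, DELEGATION_TOKEN_SECRET_PROVIDER, "zookeeper");
                if ("zookeeper".equals(params.get(AuthenticationFilter.SIGNER_SECRET_PROVIDER))) {
                    String zkServerAddress = zkController.getZkServerAddress();
                    putParam(params, AuthenticationFilter.AUTH_TOKEN_VALIDITY, DELEGATION_TOKEN_VALIDITY, "36000");
                    params.put(DelegationTokenManager.ENABLE_ZK_KEY, "true");
                    // Everything from the first '/' of the ZK address onwards is reused as a path
                    // prefix, so the token store lives under the same root as the rest of the data.
                    String addressPath = zkServerAddress.contains("/") ? zkServerAddress.substring(zkServerAddress.indexOf("/")) : "";
                    String workingPath = addressPath + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH + "/zkdtsm";
                    // The default working path is passed without its leading slash.
                    String relativeWorkingPath = workingPath.startsWith("/") ? workingPath.substring(1) : workingPath;
                    putParam(params, ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH, DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH, relativeWorkingPath);
                    putParam(params, ZKSignerSecretProvider.ZOOKEEPER_PATH, DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH, "/token");
                    // Return value is discarded; the call is made for its side effects on kerberosBuilder.
                    // NOTE(review): presumably sets up client-side Kerberos configuration needed by the
                    // ZK-backed token store - confirm in Krb5HttpClientBuilder.
                    getHttpClientBuilder(SolrHttpClientBuilder.create());
                }
            } else {
                log.info("CoreContainer is not ZooKeeperAware, not setting ZK-related delegation token properties");
            }
        }

        final boolean cookiePortAware = Boolean.parseBoolean(System.getProperty(COOKIE_PORT_AWARE_PARAM));
        if (cookiePortAware && this.coreContainer.isZooKeeperAware()) {
            String cookieDomain = System.getProperty(COOKIE_DOMAIN_PARAM, null);
            if (cookieDomain == null) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Missing required parameter 'solr.kerberos.cookie.domain'.");
            }
            // Port-aware mode appends this node's port to the configured cookie domain.
            params.put(AuthenticationFilter.COOKIE_DOMAIN, cookieDomain + ":" + zkController.getHostPort());
        } else {
            putParam(params, AuthenticationFilter.COOKIE_DOMAIN, COOKIE_DOMAIN_PARAM, null);
        }

        // Copy every impersonator rule verbatim. Impersonation is only accepted together with
        // delegation tokens; otherwise startup fails rather than silently ignoring the rules.
        Enumeration<?> propertyNames = System.getProperties().propertyNames();
        while (propertyNames.hasMoreElements()) {
            String propertyName = propertyNames.nextElement().toString();
            if (propertyName.startsWith(IMPERSONATOR_PREFIX)) {
                if (!delegationTokensEnabled) {
                    throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Impersonator configuration requires delegation tokens to be enabled: " + propertyName);
                }
                params.put(propertyName, System.getProperty(propertyName));
            }
        }

        final AttributeOnlyServletContext servletContext = new AttributeOnlyServletContext();
        if (zkController != null) {
            servletContext.setAttribute(DELEGATION_TOKEN_ZK_CLIENT, zkController.getZkClient());
        }

        this.kerberosFilter = delegationTokensEnabled ? new DelegationTokenKerberosFilter() : new KerberosFilter();

        // This writes the whole parameter map to the log at INFO, including the service principal,
        // the keytab path and any impersonator rules; treat the log as sensitive configuration data.
        log.info("Params: {}", params);

        return new FilterConfig() {
            @Override
            public ServletContext getServletContext() {
                return servletContext;
            }

            @Override
            @SuppressWarnings("unchecked") // IteratorEnumeration is a raw type; the keys are all Strings
            public Enumeration<String> getInitParameterNames() {
                return new IteratorEnumeration(params.keySet().iterator());
            }

            @Override
            public String getInitParameter(String name) {
                return params.get(name);
            }

            @Override
            public String getFilterName() {
                return "KerberosFilter";
            }
        };
    }

    /**
     * Copies a required system property into the filter parameters.
     *
     * @param target filter parameter map to update
     * @param filterKey key under which the value is stored in {@code target}
     * @param systemProperty name of the system property to read
     * @param defaultValue value used when the property is unset; {@code null} makes it mandatory
     * @throws SolrException with {@code SERVER_ERROR} if the property is unset and there is no default
     */
    private void putParam(Map<String, String> target, String filterKey, String systemProperty, String defaultValue) {
        String value = System.getProperty(systemProperty, defaultValue);
        if (value == null) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Missing required parameter '" + systemProperty + "'.");
        }
        target.put(filterKey, value);
    }

    /**
     * Copies a system property into the filter parameters if it is set; does nothing otherwise.
     *
     * @param target filter parameter map to update
     * @param filterKey key under which the value is stored in {@code target}
     * @param systemProperty name of the system property to read
     */
    private void putParamOptional(Map<String, String> target, String filterKey, String systemProperty) {
        String value = System.getProperty(systemProperty);
        if (value != null) {
            target.put(filterKey, value);
        }
    }

    /**
     * Runs the request through the Kerberos filter and reports whether it may proceed.
     *
     * <p>The decision is read back from a request attribute after the filter has run. A missing
     * attribute is treated as "do not continue", so an unexpected filter outcome denies the
     * request instead of letting it through.
     *
     * @param servletRequest incoming request
     * @param servletResponse response; must be an {@link HttpServletResponse}
     * @param filterChain chain handed to the filter
     * @return {@code true} only if the attribute is present and parses as {@code true}
     * @throws Exception whatever the underlying filter throws
     */
    @Override
    public boolean doAuthenticate(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws Exception {
        log.debug("Request to authenticate using kerberos: {}", servletRequest);
        final HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        // Hand the filter a response whose writer ignores close(), so code further down the chain
        // can still write to the underlying response after the filter has used the writer.
        HttpServletResponseWrapper closeShieldedResponse = new HttpServletResponseWrapper(httpServletResponse) {
            @Override
            @SuppressForbidden(reason = "Hadoop DelegationTokenAuthenticationFilter uses response writer, thisis providing a CloseShield on top of that")
            public PrintWriter getWriter() throws IOException {
                return new PrintWriterWrapper(httpServletResponse.getWriter()) {
                    @Override
                    public void close() {
                        // Intentionally a no-op: the container owns the real writer.
                    }
                };
            }
        };
        this.kerberosFilter.doFilter(servletRequest, closeShieldedResponse, filterChain);

        final String continuesAttribute = "org.apache.solr.security.authentication.requestcontinues";
        String requestContinues = (String) servletRequest.getAttribute(continuesAttribute);
        if (requestContinues == null) {
            // Fail closed: no recorded decision means the request is not authenticated.
            log.warn("Could not find {}", continuesAttribute);
            return false;
        }
        return Boolean.parseBoolean(requestContinues);
    }

    /**
     * Delegates to the Kerberos-aware client builder held by this plugin.
     *
     * @param solrHttpClientBuilder builder to configure
     * @return the builder returned by {@code kerberosBuilder.getBuilder}
     */
    @Override
    public SolrHttpClientBuilder getHttpClientBuilder(SolrHttpClientBuilder solrHttpClientBuilder) {
        return this.kerberosBuilder.getBuilder(solrHttpClientBuilder);
    }

    /**
     * Destroys the filter (if one was ever created) and closes the client builder.
     *
     * <p>The builder is closed even when destroying the filter throws, and a plugin whose
     * initialisation never got as far as creating the filter can still be closed without a
     * {@link NullPointerException}.
     */
    @Override
    public void close() {
        try {
            if (this.kerberosFilter != null) {
                this.kerberosFilter.destroy();
            }
        } finally {
            this.kerberosBuilder.close();
        }
    }

    /** @return the filter currently used for authentication, or {@code null} if none is set */
    protected Filter getKerberosFilter() {
        return this.kerberosFilter;
    }

    /** @param filter filter to use for authentication from now on */
    protected void setKerberosFilter(Filter filter) {
        this.kerberosFilter = filter;
    }
}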
