package org.apache.solr.security;

import java.io.IOException;
import java.util.LinkedList;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.curator.framework.AuthInfo;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter;
import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
import org.apache.solr.common.cloud.SolrZkClient;
import org.apache.solr.common.cloud.ZkACLProvider;
import org.apache.solr.common.cloud.ZkCredentialsProvider;
import org.apache.zookeeper.data.ACL;

/* loaded from: input_file:WEB-INF/lib/solr-core-6.4.2.jar:org/apache/solr/security/HadoopAuthFilter.class */
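/**
 * Servlet authentication filter built on Hadoop's {@link DelegationTokenAuthenticationFilter}.
 *
 * <p>On top of the parent filter this class:
 * <ul>
 *   <li>builds a Curator client from Solr's own ZooKeeper client (same credentials and ACLs)
 *       when the signer secret provider is configured as {@code "zookeeper"};</li>
 *   <li>guarantees the parent filter never sees a {@code null} query string;</li>
 *   <li>records the real (impersonating) user as a request attribute for proxy requests;</li>
 *   <li>wraps the configured authentication handler in a
 *       {@code RequestContinuesRecorderAuthenticationHandler}.</li>
 * </ul>
 */
public class HadoopAuthFilter extends DelegationTokenAuthenticationFilter {
    /** Servlet-context attribute under which {@link #init} expects to find the {@link SolrZkClient}. */
    static final String DELEGATION_TOKEN_ZK_CLIENT = "solr.kerberos.delegation.token.zk.client";

    /** Curator client created by {@link #getCuratorClient}; closed and cleared in {@link #destroy}. */
    private CuratorFramework curatorFramework;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:WEB-INF/lib/solr-core-6.4.2.jar:org/apache/solr/security/HadoopAuthFilter$SolrZkToCuratorCredentialsACLs.class */
    /**
     * Adapts the ACL provider and the automatically-added credentials of a {@link SolrZkClient}
     * to the types Curator expects ({@link ACLProvider} and {@link AuthInfo}).
     *
     * <p>The {@link AuthInfo} entries hold ZooKeeper authentication material; treat instances of
     * this class as sensitive and avoid logging them.
     */
    public static class SolrZkToCuratorCredentialsACLs {
        private final ACLProvider aclProvider;
        private final List<AuthInfo> authInfos;

        /**
         * @param solrZkClient client whose ACL provider and credentials are mirrored; must not be null
         */
        public SolrZkToCuratorCredentialsACLs(SolrZkClient solrZkClient) {
            this.aclProvider = createACLProvider(solrZkClient);
            this.authInfos = createAuthInfo(solrZkClient);
        }

        /** @return the Curator ACL provider that delegates to the Solr ZK ACL provider */
        public ACLProvider getACLProvider() {
            return this.aclProvider;
        }

        /**
         * @return the credentials converted to Curator {@link AuthInfo}s. This is the internal,
         *     mutable list; callers should not modify it.
         */
        public List<AuthInfo> getAuthInfos() {
            return this.authInfos;
        }

        /** Builds a Curator {@link ACLProvider} that forwards every lookup to Solr's {@link ZkACLProvider}. */
        private ACLProvider createACLProvider(SolrZkClient solrZkClient) {
            final ZkACLProvider zkACLProvider = solrZkClient.getZkACLProvider();
            return new ACLProvider() {
                @Override
                public List<ACL> getDefaultAcl() {
                    // A null path asks the Solr provider for its path-independent ACLs.
                    return zkACLProvider.getACLsToAdd(null);
                }

                @Override
                public List<ACL> getAclForPath(String str) {
                    return zkACLProvider.getACLsToAdd(str);
                }
            };
        }

        /** Converts each credential Solr adds automatically to its ZK connection into an {@link AuthInfo}. */
        private List<AuthInfo> createAuthInfo(SolrZkClient solrZkClient) {
            // Typed list instead of the raw LinkedList, so the compiler checks the element type.
            List<AuthInfo> infos = new LinkedList<>();
            for (ZkCredentialsProvider.ZkCredentials zkCredentials : solrZkClient.getZkClientConnectionStrategy().getZkCredentialsToAddAutomatically().getCredentials()) {
                infos.add(new AuthInfo(zkCredentials.getScheme(), zkCredentials.getAuth()));
            }
            return infos;
        }
    }

    /**
     * Initializes the filter. When the signer secret provider init parameter equals
     * {@code "zookeeper"}, a Curator client is created from the {@link SolrZkClient} stored under
     * {@link #DELEGATION_TOKEN_ZK_CLIENT} and published in the servlet context for
     * {@link ZKSignerSecretProvider}.
     *
     * <p>The published client is authenticated with Solr's ZooKeeper credentials, and it is
     * reachable by any code that can read this servlet context's attributes.
     *
     * @param filterConfig servlet filter configuration; may be null, in which case only the
     *     parent initialization runs
     * @throws ServletException propagated from the parent initialization
     * @throws IllegalArgumentException if the "zookeeper" provider is selected but no
     *     {@link SolrZkClient} is present in the servlet context
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        if (filterConfig != null && "zookeeper".equals(filterConfig.getInitParameter(AuthenticationFilter.SIGNER_SECRET_PROVIDER))) {
            SolrZkClient zkClient = (SolrZkClient) filterConfig.getServletContext().getAttribute(DELEGATION_TOKEN_ZK_CLIENT);
            filterConfig.getServletContext().setAttribute(ZKSignerSecretProvider.ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE, getCuratorClient(zkClient));
        }
        super.init(filterConfig);
    }

    /**
     * Runs the parent authentication filter with two adjustments: the request is wrapped so that
     * {@code getQueryString()} returns {@code ""} instead of {@code null}, and the downstream
     * chain is wrapped so that, for proxy-authenticated requests, the real user's short name is
     * stored in the {@code KerberosPlugin.IMPERSONATOR_USER_NAME} request attribute.
     *
     * @param servletRequest incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response
     * @param filterChain remainder of the filter chain, invoked after the attribute is set
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String queryString = httpServletRequest.getQueryString();
        // Presumably the parent filter parses the query string and cannot cope with null.
        final String nonNullQueryString = queryString == null ? "" : queryString;

        HttpServletRequest wrappedRequest = new HttpServletRequestWrapper(httpServletRequest) {
            @Override
            public String getQueryString() {
                return nonNullQueryString;
            }
        };

        FilterChain impersonationRecordingChain = new FilterChain() {
            @Override
            public void doFilter(ServletRequest servletRequest2, ServletResponse servletResponse2) throws IOException, ServletException {
                HttpServletRequest httpServletRequest2 = (HttpServletRequest) servletRequest2;
                UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
                // The attribute is derived from the authenticated UGI, never from request input.
                // NOTE(review): it is only ever set here, not cleared for non-proxy requests;
                // confirm nothing upstream can pre-populate it.
                if (userGroupInformation != null && userGroupInformation.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY) {
                    UserGroupInformation realUser = userGroupInformation.getRealUser();
                    if (realUser != null) {
                        httpServletRequest2.setAttribute(KerberosPlugin.IMPERSONATOR_USER_NAME, realUser.getShortUserName());
                    }
                }
                filterChain.doFilter(servletRequest2, servletResponse2);
            }
        };

        super.doFilter(wrappedRequest, servletResponse, impersonationRecordingChain);
    }

    /**
     * Destroys the parent filter and closes the Curator client, if one was created.
     * The client is closed even when the parent's {@code destroy()} throws, so the
     * ZooKeeper session is not leaked.
     */
    @Override
    public void destroy() {
        try {
            super.destroy();
        } finally {
            if (this.curatorFramework != null) {
                this.curatorFramework.close();
            }
            this.curatorFramework = null;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Initializes the configured authentication handler, then replaces it with a
     * {@code RequestContinuesRecorderAuthenticationHandler} that delegates to it.
     *
     * @param str class name of the configured authentication handler
     * @param filterConfig servlet filter configuration passed through to the parent
     * @throws ServletException propagated from the parent initialization
     */
    @Override
    public void initializeAuthHandler(String str, FilterConfig filterConfig) throws ServletException {
        // First pass: let the parent build the handler that was actually configured.
        super.initializeAuthHandler(str, filterConfig);
        AuthenticationHandler configuredHandler = getAuthenticationHandler();
        // Second pass: install the recorder as the active handler and hand it the real one.
        super.initializeAuthHandler(RequestContinuesRecorderAuthenticationHandler.class.getName(), filterConfig);
        ((RequestContinuesRecorderAuthenticationHandler) getAuthenticationHandler()).setAuthHandler(configuredHandler);
    }

    /**
     * Creates, starts and remembers a Curator client that targets the same ZooKeeper ensemble
     * as {@code solrZkClient}, using its ACL provider, credentials and session timeout.
     *
     * <p>The ZK server address is split at the first {@code '/'}: the part before it is the
     * connect string, the part from it onwards (the chroot, if any) is prefixed to
     * {@link SecurityAwareZkACLProvider#SECURITY_ZNODE_PATH} to form the Curator namespace.
     *
     * @param solrZkClient source of address, credentials, ACLs and timeout; must not be null
     * @return the started Curator client, also stored in this filter for {@link #destroy}
     * @throws IllegalArgumentException if {@code solrZkClient} is null
     */
    protected CuratorFramework getCuratorClient(SolrZkClient solrZkClient) {
        if (solrZkClient == null) {
            throw new IllegalArgumentException("zkClient required");
        }
        // 1000 ms base sleep, at most 3 retries.
        ExponentialBackoffRetry retryPolicy = new ExponentialBackoffRetry(1000, 3);

        String zkServerAddress = solrZkClient.getZkServerAddress();
        int chrootStart = zkServerAddress.indexOf("/");
        String chroot = chrootStart >= 0 ? zkServerAddress.substring(chrootStart) : "";
        String connectString = chrootStart >= 0 ? zkServerAddress.substring(0, chrootStart) : zkServerAddress;

        // The namespace is built without a leading slash.
        String securityPath = chroot + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH;
        String namespace = securityPath.startsWith("/") ? securityPath.substring(1) : securityPath;

        SolrZkToCuratorCredentialsACLs credentialsAndAcls = new SolrZkToCuratorCredentialsACLs(solrZkClient);
        // NOTE(review): a second call overwrites the field without closing the previous client.
        this.curatorFramework = CuratorFrameworkFactory.builder()
                .namespace(namespace)
                .connectString(connectString)
                .retryPolicy(retryPolicy)
                .aclProvider(credentialsAndAcls.getACLProvider())
                .authorization(credentialsAndAcls.getAuthInfos())
                .sessionTimeoutMs(solrZkClient.getZkClientTimeout())
                .connectionTimeoutMs(30000)
                .build();
        this.curatorFramework.start();
        return this.curatorFramework;
    }
}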
