package org.apache.solr.security;

import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.lang.invoke.MethodHandles;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import java.util.Enumeration;
import java.util.EventListener;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.RequestDispatcher;
import javax.servlet.Servlet;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.descriptor.JspConfigDescriptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.commons.collections.iterators.IteratorEnumeration;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.kafka.common.config.internals.BrokerSecurityConfigs;
import org.apache.solr.client.solrj.impl.HttpClientConfigurer;
import org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer;
import org.apache.solr.cloud.ZkController;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
import org.apache.solr.common.util.SuppressForbidden;
import org.apache.solr.core.CoreContainer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/security/KerberosPlugin.class */
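/**
 * Authentication plugin that hands each request to a servlet {@link Filter}
 * ({@code KerberosFilter}, or {@code DelegationTokenKerberosFilter} when delegation tokens are
 * enabled) and reports back whether the request may continue.
 *
 * <p>All configuration is read from {@code solr.kerberos.*} JVM system properties in
 * {@link #init(Map)}; the map passed to {@code init} is not consulted.
 *
 * <p>NOTE(review): this listing appears to be decompiler output (see the "loaded from" marker
 * above the class), so local names and some constant references may not match the upstream source.
 */
public class KerberosPlugin extends AuthenticationPlugin implements HttpClientInterceptorPlugin {
    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
    HttpClientConfigurer kerberosConfigurer = new Krb5HttpClientConfigurer();
    // Created in init(); stays null if init() was never called or failed before the filter was built.
    Filter kerberosFilter;
    public static final String NAME_RULES_PARAM = "solr.kerberos.name.rules";
    public static final String COOKIE_DOMAIN_PARAM = "solr.kerberos.cookie.domain";
    public static final String COOKIE_PATH_PARAM = "solr.kerberos.cookie.path";
    public static final String PRINCIPAL_PARAM = "solr.kerberos.principal";
    public static final String KEYTAB_PARAM = "solr.kerberos.keytab";
    public static final String TOKEN_VALID_PARAM = "solr.kerberos.token.valid";
    public static final String COOKIE_PORT_AWARE_PARAM = "solr.kerberos.cookie.portaware";
    public static final String DELEGATION_TOKEN_ENABLED = "solr.kerberos.delegation.token.enabled";
    public static final String DELEGATION_TOKEN_KIND = "solr.kerberos.delegation.token.kind";
    public static final String DELEGATION_TOKEN_VALIDITY = "solr.kerberos.delegation.token.validity";
    public static final String DELEGATION_TOKEN_SECRET_PROVIDER = "solr.kerberos.delegation.token.signer.secret.provider";
    // The property name really is spelled "zookeper" (sic). Operators have to set it with this exact
    // spelling, so do not correct the literal without also accepting the old name.
    public static final String DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH = "solr.kerberos.delegation.token.signer.secret.provider.zookeper.path";
    public static final String DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH = "solr.kerberos.delegation.token.secret.manager.znode.working.path";
    public static final String DELEGATION_TOKEN_TYPE_DEFAULT = "solr-dt";
    // Request attribute used to carry the "may the request continue" decision back to doAuthenticate().
    static final String REQUEST_CONTINUES_ATTR = "org.apache.solr.security.kerberosplugin.requestcontinues";
    // Servlet-context attribute under which init() publishes the ZooKeeper client for the filter.
    static final String DELEGATION_TOKEN_ZK_CLIENT = "solr.kerberos.delegation.token.zk.client";
    public static final String AUTH_HANDLER_PARAM = "solr.kerberos.auth.handler";
    private final CoreContainer coreContainer;

    /**
     * {@link ServletContext} stub that only stores attributes.
     *
     * <p>{@code setAttribute}, {@code removeAttribute}, {@code getAttribute} and
     * {@code getAttributeNames} work against an in-memory map. Every other method is a no-op or
     * returns {@code null}, {@code 0} or {@code false}, so callers must not rely on them.
     */
    protected static class AttributeOnlyServletContext implements ServletContext {
        private final Map<String, Object> attributes = new HashMap<>();

        protected AttributeOnlyServletContext() {
        }

        public void setSessionTrackingModes(Set<SessionTrackingMode> set) {
        }

        public boolean setInitParameter(String str, String str2) {
            return false;
        }

        public void setAttribute(String str, Object obj) {
            this.attributes.put(str, obj);
        }

        public void removeAttribute(String str) {
            this.attributes.remove(str);
        }

        public void log(String str, Throwable th) {
        }

        public void log(Exception exc, String str) {
        }

        public void log(String str) {
        }

        public String getVirtualServerName() {
            return null;
        }

        public SessionCookieConfig getSessionCookieConfig() {
            return null;
        }

        public Enumeration<Servlet> getServlets() {
            return null;
        }

        public Map<String, ? extends ServletRegistration> getServletRegistrations() {
            return null;
        }

        public ServletRegistration getServletRegistration(String str) {
            return null;
        }

        public Enumeration<String> getServletNames() {
            return null;
        }

        public String getServletContextName() {
            return null;
        }

        public Servlet getServlet(String str) throws ServletException {
            return null;
        }

        public String getServerInfo() {
            return null;
        }

        public Set<String> getResourcePaths(String str) {
            return null;
        }

        public InputStream getResourceAsStream(String str) {
            return null;
        }

        public URL getResource(String str) throws MalformedURLException {
            return null;
        }

        public RequestDispatcher getRequestDispatcher(String str) {
            return null;
        }

        public String getRealPath(String str) {
            return null;
        }

        public RequestDispatcher getNamedDispatcher(String str) {
            return null;
        }

        public int getMinorVersion() {
            return 0;
        }

        public String getMimeType(String str) {
            return null;
        }

        public int getMajorVersion() {
            return 0;
        }

        public JspConfigDescriptor getJspConfigDescriptor() {
            return null;
        }

        public Enumeration<String> getInitParameterNames() {
            return null;
        }

        public String getInitParameter(String str) {
            return null;
        }

        public Map<String, ? extends FilterRegistration> getFilterRegistrations() {
            return null;
        }

        public FilterRegistration getFilterRegistration(String str) {
            return null;
        }

        public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
            return null;
        }

        public int getEffectiveMinorVersion() {
            return 0;
        }

        public int getEffectiveMajorVersion() {
            return 0;
        }

        public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
            return null;
        }

        public String getContextPath() {
            return null;
        }

        public ServletContext getContext(String str) {
            return null;
        }

        public ClassLoader getClassLoader() {
            return null;
        }

        public Enumeration<String> getAttributeNames() {
            return Collections.enumeration(this.attributes.keySet());
        }

        public Object getAttribute(String str) {
            return this.attributes.get(str);
        }

        public void declareRoles(String... strArr) {
        }

        public <T extends Servlet> T createServlet(Class<T> cls) throws ServletException {
            return null;
        }

        public <T extends EventListener> T createListener(Class<T> cls) throws ServletException {
            return null;
        }

        public <T extends Filter> T createFilter(Class<T> cls) throws ServletException {
            return null;
        }

        public ServletRegistration.Dynamic addServlet(String str, Class<? extends Servlet> cls) {
            return null;
        }

        public ServletRegistration.Dynamic addServlet(String str, Servlet servlet) {
            return null;
        }

        public ServletRegistration.Dynamic addServlet(String str, String str2) {
            return null;
        }

        public void addListener(Class<? extends EventListener> cls) {
        }

        public <T extends EventListener> void addListener(T t) {
        }

        public void addListener(String str) {
        }

        public FilterRegistration.Dynamic addFilter(String str, Class<? extends Filter> cls) {
            return null;
        }

        public FilterRegistration.Dynamic addFilter(String str, Filter filter) {
            return null;
        }

        public FilterRegistration.Dynamic addFilter(String str, String str2) {
            return null;
        }
    }

    /**
     * {@link AuthenticationHandler} decorator that forwards every call to a wrapped handler and
     * records the result of {@code managementOperation} on the request under
     * {@link KerberosPlugin#REQUEST_CONTINUES_ATTR}.
     *
     * <p>The wrapped handler must be supplied through {@link #setAuthHandler} before any other
     * method is used; there is no null check, so an unset delegate fails with a
     * {@link NullPointerException}.
     */
    public static class RequestContinuesRecorderAuthenticationHandler implements AuthenticationHandler {
        private AuthenticationHandler authHandler;

        /** Sets the handler that all calls are forwarded to. */
        public void setAuthHandler(AuthenticationHandler authenticationHandler) {
            this.authHandler = authenticationHandler;
        }

        public String getType() {
            return this.authHandler.getType();
        }

        /** Does nothing: the call is not forwarded to the wrapped handler. */
        public void init(Properties properties) throws ServletException {
        }

        public void destroy() {
            this.authHandler.destroy();
        }

        /**
         * Delegates to the wrapped handler and stores its boolean result, as the string
         * {@code "true"} or {@code "false"}, in the {@link KerberosPlugin#REQUEST_CONTINUES_ATTR}
         * request attribute so that {@code doAuthenticate} can read it after the filter returns.
         */
        public boolean managementOperation(AuthenticationToken authenticationToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
            boolean requestContinues = this.authHandler.managementOperation(authenticationToken, httpServletRequest, httpServletResponse);
            // Boolean.toString avoids the deprecated boxing constructor and yields the same text.
            httpServletRequest.setAttribute(KerberosPlugin.REQUEST_CONTINUES_ATTR, Boolean.toString(requestContinues));
            return requestContinues;
        }

        public AuthenticationToken authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
            return this.authHandler.authenticate(httpServletRequest, httpServletResponse);
        }
    }

    public KerberosPlugin(CoreContainer coreContainer) {
        this.coreContainer = coreContainer;
    }

    /**
     * Builds the filter's init parameters from {@code solr.kerberos.*} system properties, creates
     * the filter and initialises it.
     *
     * @param map plugin configuration; not read by this implementation
     * @throws SolrException with {@code SERVER_ERROR} when a required system property is missing
     *     or the filter's own {@code init} throws a {@link ServletException}
     */
    @Override // org.apache.solr.security.AuthenticationPlugin
    public void init(Map<String, Object> map) {
        try {
            final Map<String, String> params = new HashMap<>();
            putParam(params, "type", AUTH_HANDLER_PARAM, "kerberos");
            // NOTE(review): the default comes from a Kafka class, which looks like a decompiler
            // constant-resolution artifact. Confirm the intended default for kerberos.name.rules.
            putParam(params, "kerberos.name.rules", NAME_RULES_PARAM, BrokerSecurityConfigs.DEFAULT_SSL_PRINCIPAL_MAPPING_RULES);
            putParam(params, "token.valid", TOKEN_VALID_PARAM, "30");
            putParam(params, "cookie.path", COOKIE_PATH_PARAM, "/");
            if ("kerberos".equals(params.get("type"))) {
                // With the built-in kerberos handler, principal and keytab are mandatory.
                putParam(params, "kerberos.principal", PRINCIPAL_PARAM, null);
                putParam(params, "kerberos.keytab", KEYTAB_PARAM, null);
            } else {
                // A custom handler may not need them, so they are passed through only when set.
                putParamOptional(params, "kerberos.principal", PRINCIPAL_PARAM);
                putParamOptional(params, "kerberos.keytab", KEYTAB_PARAM);
            }
            // Boolean.parseBoolean(null) is false, so an unset property disables the feature.
            boolean delegationTokenEnabled = Boolean.parseBoolean(System.getProperty(DELEGATION_TOKEN_ENABLED));
            // Only dereferenced below behind isZooKeeperAware() or an explicit null check.
            ZkController zkController = this.coreContainer.getZkController();
            if (delegationTokenEnabled) {
                putParam(params, "delegation-token.token-kind", DELEGATION_TOKEN_KIND, DELEGATION_TOKEN_TYPE_DEFAULT);
                if (this.coreContainer.isZooKeeperAware()) {
                    putParam(params, "signer.secret.provider", DELEGATION_TOKEN_SECRET_PROVIDER, "zookeeper");
                    if ("zookeeper".equals(params.get("signer.secret.provider"))) {
                        String zkServerAddress = zkController.getZkServerAddress();
                        putParam(params, "token.validity", DELEGATION_TOKEN_VALIDITY, "36000");
                        params.put("zk-dt-secret-manager.enable", "true");
                        // Everything from the first '/' of the ZK address (presumably the chroot)
                        // is prepended to the security znode path.
                        String pathPrefix = zkServerAddress.contains("/") ? zkServerAddress.substring(zkServerAddress.indexOf("/")) : "";
                        String workingPath = pathPrefix + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH + "/zkdtsm";
                        // The default working path is handed over without its leading slash.
                        putParam(params, "zk-dt-secret-manager.znodeWorkingPath", DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH, workingPath.startsWith("/") ? workingPath.substring(1) : workingPath);
                        putParam(params, "signer.secret.provider.zookeeper.path", DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH, "/token");
                    }
                } else {
                    log.info("CoreContainer is not ZooKeeperAware, not setting ZK-related delegation token properties");
                }
            }
            if (Boolean.parseBoolean(System.getProperty(COOKIE_PORT_AWARE_PARAM)) && this.coreContainer.isZooKeeperAware()) {
                String cookieDomain = System.getProperty(COOKIE_DOMAIN_PARAM);
                if (cookieDomain == null) {
                    throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Missing required parameter 'solr.kerberos.cookie.domain'.");
                }
                // Port-aware mode appends this node's host:port to the configured cookie domain.
                params.put("cookie.domain", cookieDomain + ":" + zkController.getHostPort());
            } else {
                putParam(params, "cookie.domain", COOKIE_DOMAIN_PARAM, null);
            }
            final AttributeOnlyServletContext servletContext = new AttributeOnlyServletContext();
            if (delegationTokenEnabled) {
                this.kerberosFilter = new DelegationTokenKerberosFilter();
                if (zkController != null) {
                    servletContext.setAttribute(DELEGATION_TOKEN_ZK_CLIENT, zkController.getZkClient());
                }
            } else {
                this.kerberosFilter = new KerberosFilter();
            }
            // The whole map is logged at INFO. Today it holds names, paths and the principal;
            // review this line before adding any key whose value is a secret.
            log.info("Params: {}", params);
            this.kerberosFilter.init(new FilterConfig() {
                public ServletContext getServletContext() {
                    return servletContext;
                }

                public Enumeration<String> getInitParameterNames() {
                    return Collections.enumeration(params.keySet());
                }

                public String getInitParameter(String name) {
                    return params.get(name);
                }

                public String getFilterName() {
                    return "KerberosFilter";
                }
            });
        } catch (ServletException e) {
            // Keep the cause so the underlying failure (for example a keytab or principal
            // problem reported by the filter) stays visible in the stack trace.
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error initializing kerberos authentication plugin: " + e, e);
        }
    }

    /**
     * Copies system property {@code str2} (or the default {@code str3}) into {@code map} under
     * key {@code str}.
     *
     * @throws SolrException with {@code SERVER_ERROR} when the property is unset and the default
     *     is {@code null}, i.e. the parameter is required
     */
    private void putParam(Map<String, String> map, String str, String str2, String str3) {
        String property = System.getProperty(str2, str3);
        if (property == null) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Missing required parameter '" + str2 + "'.");
        }
        map.put(str, property);
    }

    /** Copies system property {@code str2} into {@code map} under key {@code str} only if it is set. */
    private void putParamOptional(Map<String, String> map, String str, String str2) {
        String property = System.getProperty(str2);
        if (property != null) {
            map.put(str, property);
        }
    }

    /**
     * Runs the request through the Kerberos filter and returns the decision recorded on the
     * request under {@link #REQUEST_CONTINUES_ATTR}.
     *
     * <p>When the attribute is absent the method logs a warning and returns {@code false}, so a
     * filter path that never records a decision is not treated as success. In this file the
     * attribute is written by {@link RequestContinuesRecorderAuthenticationHandler}; any other
     * writer lives outside this class.
     *
     * @param servletRequest incoming request
     * @param servletResponse response; cast to {@link HttpServletResponse} without a type check
     * @param filterChain chain passed on to the filter
     * @return the parsed attribute value, or {@code false} if it was not set
     * @throws Exception whatever the filter throws
     */
    @Override // org.apache.solr.security.AuthenticationPlugin
    public boolean doAuthenticate(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws Exception {
        log.debug("Request to authenticate using kerberos: {}", servletRequest);
        final HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        this.kerberosFilter.doFilter(servletRequest, new HttpServletResponseWrapper(httpServletResponse) {
            @SuppressForbidden(reason = "Hadoop DelegationTokenAuthenticationFilter uses response writer, thisis providing a CloseShield on top of that")
            public PrintWriter getWriter() throws IOException {
                // The filter receives a writer whose close() is a no-op, so it cannot close
                // the real response writer.
                return new PrintWriterWrapper(httpServletResponse.getWriter()) {
                    @Override // org.apache.solr.security.PrintWriterWrapper, java.io.PrintWriter, java.io.Writer, java.io.Closeable, java.lang.AutoCloseable
                    public void close() {
                    }
                };
            }
        }, filterChain);
        String requestContinues = (String) servletRequest.getAttribute(REQUEST_CONTINUES_ATTR);
        if (requestContinues != null) {
            return Boolean.parseBoolean(requestContinues);
        }
        // Fail closed: no recorded decision means the request does not continue.
        log.warn("Could not find org.apache.solr.security.kerberosplugin.requestcontinues");
        return false;
    }

    @Override // org.apache.solr.security.HttpClientInterceptorPlugin
    public HttpClientConfigurer getClientConfigurer() {
        return this.kerberosConfigurer;
    }

    /** Destroys the filter if one was created; safe to call when {@code init} never completed. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        // init() can throw before the filter exists; without this guard, cleanup after a
        // failed start would raise a NullPointerException.
        if (this.kerberosFilter != null) {
            this.kerberosFilter.destroy();
        }
    }
}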
