package com.datatorrent.stram.security;

import com.datatorrent.stram.webapp.WebServices;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datatorrent/stram/security/StramWSFilter.class */
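/**
 * Servlet filter that establishes the user principal for web-service requests.
 *
 * <p>Two paths exist:
 * <ul>
 *   <li>Requests whose remote address matches one of the resolved {@link #PROXY_HOST} addresses
 *       are trusted. The user name is read from the {@code proxy-user} cookie, and for a request
 *       to {@code WebServices.PATH} a signed client token is issued in the {@link #CLIENT_COOKIE}
 *       cookie. A proxy request without that cookie is still passed down the chain, with no
 *       principal set.</li>
 *   <li>All other requests must carry a {@link #CLIENT_COOKIE} cookie that verifies against the
 *       token manager; otherwise the filter answers 401.</li>
 * </ul>
 *
 * <p>Trust assumption: the proxy path is keyed on the source IP address alone, so anything able
 * to send requests from a proxy address can assert any user name. Deployments should make sure
 * only the proxy process can originate traffic from those addresses.
 */
public class StramWSFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(StramWSFilter.class);
    public static final String PROXY_HOST = "PROXY_HOST";
    public static final String PROXY_DELIMITER = ",";
    // Resolved proxy addresses are cached for 5 minutes.
    private static final long updateInterval = 300000;
    public static final String CLIENT_COOKIE = "dt-client";
    // 24 hours.
    private static final long DELEGATION_KEY_UPDATE_INTERVAL = 86400000;
    // 90 minutes.
    private static final long DELEGATION_TOKEN_MAX_LIFETIME = 5400000;
    // 90 minutes.
    private static final long DELEGATION_TOKEN_RENEW_INTERVAL = 5400000;
    // 30 minutes.
    private static final long DELEGATION_TOKEN_REMOVER_SCAN_INTERVAL = 1800000;
    private static final String WEBAPP_PROXY_USER = "proxy-user";
    private String[] proxyHosts;
    private Set<String> proxyAddresses = null;
    private long lastUpdate;
    private StramDelegationTokenManager tokenManager;
    private AtomicInteger sequenceNumber;
    private String loginUser;

    /**
     * Reads the proxy host list, creates the token manager and starts its threads.
     *
     * @param filterConfig filter configuration; must define the {@link #PROXY_HOST} init parameter
     *     as a {@link #PROXY_DELIMITER}-separated list of host names
     * @throws ServletException if the init parameter is missing, or the login user lookup or the
     *     token manager start-up fails
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String hosts = filterConfig.getInitParameter(PROXY_HOST);
        if (hosts == null) {
            // Fail with a clear configuration error instead of a NullPointerException.
            throw new ServletException("Missing required filter init parameter " + PROXY_HOST);
        }
        this.proxyHosts = hosts.split(PROXY_DELIMITER);
        this.tokenManager = new StramDelegationTokenManager(DELEGATION_KEY_UPDATE_INTERVAL, DELEGATION_TOKEN_MAX_LIFETIME, DELEGATION_TOKEN_RENEW_INTERVAL, DELEGATION_TOKEN_REMOVER_SCAN_INTERVAL);
        this.sequenceNumber = new AtomicInteger(0);
        try {
            UserGroupInformation ugi = UserGroupInformation.getLoginUser();
            if (ugi != null) {
                this.loginUser = ugi.getUserName();
            }
            this.tokenManager.startThreads();
        } catch (IOException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Returns the IP addresses of the configured proxy hosts, re-resolving them once the cached
     * result is older than the update interval.
     *
     * @return the set of textual proxy addresses; callers must not modify it
     * @throws ServletException if a proxy host name cannot be resolved; the previously cached
     *     set, if any, is left in place
     */
    protected Set<String> getProxyAddresses() throws ServletException {
        long now = System.currentTimeMillis();
        synchronized (this) {
            // Refresh only when the cache is missing or stale. The previous comparison was
            // inverted: it re-resolved on every call while the cache was fresh and never again
            // afterwards, so a proxy address change was not picked up.
            if (this.proxyAddresses == null || now - this.lastUpdate >= updateInterval) {
                // Build into a local set so that a resolution failure cannot publish a partial
                // allow-list, and so that a set already handed out is never mutated.
                Set<String> resolved = new HashSet<String>();
                for (String host : this.proxyHosts) {
                    try {
                        logger.debug("resolving proxy hostname {}", host);
                        for (InetAddress address : InetAddress.getAllByName(host)) {
                            logger.debug("proxy address is: {}", address.getHostAddress());
                            resolved.add(address.getHostAddress());
                        }
                    } catch (UnknownHostException e) {
                        throw new ServletException("Could not locate " + host, e);
                    }
                }
                this.proxyAddresses = resolved;
                this.lastUpdate = now;
            }
            return this.proxyAddresses;
        }
    }

    /** Stops the token manager threads started in {@link #init(FilterConfig)}. */
    @Override
    public void destroy() {
        // init() may have failed before the manager was created.
        if (this.tokenManager != null) {
            this.tokenManager.stopThreads();
        }
    }

    /**
     * Authenticates the request as described in the class comment and passes it down the chain,
     * wrapped with the resolved user principal when one is known.
     *
     * @throws ServletException if the request is not an HTTP request or the proxy hosts cannot be
     *     resolved
     * @throws IOException if token creation or a downstream filter fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException("This filter only works for HTTP/HTTPS");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        String remoteAddr = httpRequest.getRemoteAddr();
        String requestURI = httpRequest.getRequestURI();
        String user = null;
        if (getProxyAddresses().contains(remoteAddr)) {
            // Trusted path: the proxy vouches for the user through the proxy-user cookie.
            Cookie proxyUserCookie = findCookie(httpRequest, WEBAPP_PROXY_USER);
            if (proxyUserCookie != null) {
                user = proxyUserCookie.getValue();
            }
            if (!requestURI.equals(WebServices.PATH) || user == null) {
                logger.info("{}: proxy access to URI {} by user {}, no cookie created", new Object[]{remoteAddr, requestURI, user});
            } else {
                String clientToken = createClientToken(user, httpRequest.getLocalAddr());
                // The token is a bearer credential; log only that it was issued, never its value.
                logger.debug("{}: created client token for user {}", remoteAddr, user);
                // NOTE(review): the cookie is added with default attributes (no Secure, HttpOnly
                // or path set here). Consider setting them where the servlet API version and the
                // deployment's transport allow.
                httpResponse.addCookie(new Cookie(CLIENT_COOKIE, clientToken));
            }
        } else {
            // Direct client path: a valid client token is mandatory.
            Cookie clientCookie = findCookie(httpRequest, CLIENT_COOKIE);
            if (clientCookie == null) {
                logger.debug("{}: cookie not found {}", remoteAddr, CLIENT_COOKIE);
            } else {
                user = verifyClientToken(clientCookie.getValue(), remoteAddr);
                if (user == null) {
                    // Do not echo the presented cookie value into the log.
                    logger.debug("{}: invalid {} cookie", remoteAddr, CLIENT_COOKIE);
                }
            }
            if (user == null) {
                logger.debug("{}: auth failure", remoteAddr);
                httpResponse.sendError(401);
                return;
            }
        }
        if (user != null) {
            filterChain.doFilter(new StramWSServletRequestWrapper(httpRequest, new StramWSPrincipal(user)), servletResponse);
        } else {
            logger.debug("{}: could not find user, so user principal will not be set", remoteAddr);
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** Returns the first cookie on the request with the given name, or {@code null} if none. */
    private static Cookie findCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }

    /**
     * Creates a token owned by {@code user}, signed by the token manager, and returns its
     * URL-safe string encoding.
     *
     * @param user the token owner
     * @param service value stored as the token's service (the caller passes the local address)
     */
    private String createClientToken(String user, String service) throws IOException {
        // NOTE(review): loginUser stays null when init() found no login user; confirm that
        // new Text(null) cannot be reached here.
        Token token = new Token(new StramDelegationTokenIdentifier(new Text(user), new Text(this.loginUser), new Text()), this.tokenManager);
        token.setService(new Text(service));
        return token.encodeToUrlString();
    }

    /**
     * Decodes and verifies a client token taken from an untrusted cookie.
     *
     * @param encodedToken the URL-safe token string presented by the client
     * @param remoteAddr the client address, used only in log messages
     * @return the token owner, or {@code null} if the token cannot be decoded or fails
     *     verification
     */
    private String verifyClientToken(String encodedToken, String remoteAddr) throws IOException {
        // NOTE(review): neither the token's service field nor remoteAddr is compared against
        // anything here, so the token is not bound to a server or client address by this method.
        Token token = new Token();
        try {
            token.decodeFromUrlString(encodedToken);
        } catch (IOException e) {
            logger.debug("{}: error decoding token: {}", remoteAddr, e.getMessage());
            return null;
        }
        StramDelegationTokenIdentifier identifier = new StramDelegationTokenIdentifier();
        try {
            identifier.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
        } catch (IOException e) {
            logger.debug("{}: error decoding identifier: {}", remoteAddr, e.getMessage());
            return null;
        }
        try {
            this.tokenManager.verifyToken(identifier, token.getPassword());
        } catch (SecretManager.InvalidToken e) {
            logger.debug("{}: invalid token {}: {}", new Object[]{remoteAddr, identifier, e.getMessage()});
            return null;
        }
        return identifier.getOwner().toString();
    }
}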
