package com.mapr.fs.cldb.http.login;

import com.google.protobuf.InvalidProtocolBufferException;
import com.mapr.baseutils.JVMProperties;
import com.mapr.baseutils.audit.AuditRecord;
import com.mapr.baseutils.audit.AuditRecordLogger;
import com.mapr.fs.cldb.CLDBServerHolder;
import com.mapr.fs.cldb.conf.CLDBConfiguration;
import com.mapr.fs.cldb.conf.CLDBConfigurationHolder;
import com.mapr.fs.cldb.table.Table;
import com.mapr.fs.proto.Security;
import com.mapr.login.PasswordAuthentication;
import com.mapr.login.common.AuthResponse;
import com.mapr.login.common.GenTicketTypeRequest;
import com.mapr.login.common.KerberosAuthRequest;
import com.mapr.login.common.PasswordAuthRequest;
import com.mapr.login.common.RenewRequest;
import com.mapr.security.MutableInt;
import com.mapr.security.UnixUserGroupHelper;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.log4j.Logger;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.json.JSONException;

/* loaded from: input_file:com/mapr/fs/cldb/http/login/MapRLoginServlet.class */
public class MapRLoginServlet extends HttpServlet {
    public static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    public static final String NT_GSS_KRB5_PRINCIPAL = "1.2.840.113554.1.2.2.1";
    private static Logger LOG = Logger.getLogger(MapRLoginServlet.class);
    private LoginContext kerberosIdentity = null;
    private static final long MAX_TICKET_LIFE = 315569520000L;
    private SlaveAuditConfig slaveAuditConfig;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/mapr/fs/cldb/http/login/MapRLoginServlet$SlaveAuditConfig.class */
    public class SlaveAuditConfig {
        private boolean auditEnabled = true;
        private long addedTime = 0;
        private long expiryInterval = 60000;
        private CLDBConfiguration conf = CLDBConfigurationHolder.getInstance();
        private final String enabledVal = "1";

        SlaveAuditConfig() {
        }

        public boolean isAuditEnabled() {
            if (isValid()) {
                return this.auditEnabled;
            }
            try {
                if (MapRLoginServlet.LOG.isDebugEnabled()) {
                    MapRLoginServlet.LOG.debug("Reading the cluster management audit configuration from table");
                }
                Table table = Table.getInstance();
                this.conf.getClass();
                String lookupConfig = table.lookupConfig("mapr.audit.cluster.mgmt.ops");
                if (lookupConfig != null && !lookupConfig.isEmpty()) {
                    setAuditEnabled(lookupConfig.equals("1"));
                    return this.auditEnabled;
                }
                if (!MapRLoginServlet.LOG.isDebugEnabled()) {
                    return true;
                }
                MapRLoginServlet.LOG.debug("Audit cluster management configuratoin lookup returned unexpected empty result");
                return true;
            } catch (Exception e) {
                MapRLoginServlet.LOG.error("Exception occured during reading the audit management configuration on slave");
                return true;
            }
        }

        public void setAuditEnabled(boolean z) {
            this.auditEnabled = z;
            this.addedTime = System.currentTimeMillis();
        }

        public boolean isValid() {
            return System.currentTimeMillis() < this.addedTime + this.expiryInterval;
        }
    }

    public void init(ServletConfig servletConfig) throws ServletException {
        JVMProperties.init();
        this.slaveAuditConfig = new SlaveAuditConfig();
    }

    private synchronized void initKerberos() {
        if (this.kerberosIdentity != null) {
            return;
        }
        try {
            this.kerberosIdentity = new LoginContext("MAPR_SERVER_KERBEROS");
            this.kerberosIdentity.login();
            this.kerberosIdentity.getSubject().getPrincipals().iterator().next().getName();
            HadoopKerberosName.setConfiguration(new Configuration());
        } catch (IOException e) {
            LOG.error("Failed to load Hadoop core-site.xml, continuing anyway...", e);
            this.kerberosIdentity = null;
        } catch (Exception e2) {
            LOG.error("Failed to obtain kerberos identity, continuing anyway...", e2);
            this.kerberosIdentity = null;
        }
    }

    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        AuthResponse handleGenerateTicket;
        String requestURI = httpServletRequest.getRequestURI();
        String requestString = getRequestString(httpServletRequest);
        AuditRecord auditRecord = getAuditRecord(httpServletRequest);
        if (CLDBConfigurationHolder.getInstance().getMode() == CLDBConfiguration.CLDBMode.BECOMING_SLAVE) {
            handleGenerateTicket = new AuthResponse();
            handleGenerateTicket.setStatus(30);
            handleGenerateTicket.setError("Cannot process maprlogin request as CLDB's mode is " + CLDBConfiguration.CLDBMode.BECOMING_SLAVE.name());
        } else if ("/login/password".equals(requestURI)) {
            handleGenerateTicket = handlePasswordAuth(requestString, auditRecord);
        } else if ("/login/kerberos".equals(requestURI)) {
            handleGenerateTicket = handleKerberosAuth(requestString, auditRecord);
        } else if ("/renew".equals(requestURI)) {
            handleGenerateTicket = renewTicket(requestString, auditRecord);
        } else {
            if (!"/gentickettype".equals(requestURI)) {
                LOG.error("Unsupported authentication scheme: " + requestURI);
                httpServletResponse.setStatus(404);
                return;
            }
            handleGenerateTicket = handleGenerateTicket(requestString, auditRecord);
        }
        auditRecord.setStatus(handleGenerateTicket.getStatus());
        auditOperation(auditRecord);
        try {
            httpServletResponse.setContentType("text/html");
            httpServletResponse.setStatus(200);
            httpServletResponse.getWriter().print(AuthResponse.toJSON(handleGenerateTicket));
        } catch (JSONException e) {
            LOG.error("Exception while converting auth response into JSON. AuthResponse: " + handleGenerateTicket.toString());
        }
    }

    private AuthResponse handlePasswordAuth(String str, AuditRecord auditRecord) {
        AuthResponse authResponse = new AuthResponse();
        auditRecord.setOp(AuditRecord.Op.passwordAuth);
        try {
            PasswordAuthRequest fromJSON = PasswordAuthRequest.fromJSON(str);
            String userName = fromJSON.getUserName();
            String passWord = fromJSON.getPassWord();
            auditRecord.setUsername(userName);
            if (PasswordAuthentication.authenticate(userName, passWord)) {
                Security.TicketAndKey generateNewTicket = generateNewTicket(fromJSON.getUserName(), fromJSON.getTicketDurInSecs(), auditRecord);
                if (generateNewTicket == null) {
                    authResponse.setStatus(10004);
                    authResponse.setError("Could not generate ticket for user: " + userName);
                } else {
                    authResponse.setTicketAndKeyString(DatatypeConverter.printBase64Binary(generateNewTicket.toByteArray()));
                }
            } else {
                authResponse.setStatus(22);
                authResponse.setError("Authentication failed. Invalid username/password.");
            }
        } catch (JSONException e) {
            LOG.error("Exception parsing json: " + str, e);
            authResponse.setStatus(10004);
            authResponse.setError("Invalid JSON in request: " + str);
        }
        return authResponse;
    }

    private AuthResponse renewTicket(String str, AuditRecord auditRecord) {
        AuthResponse authResponse = new AuthResponse();
        auditRecord.setOp(AuditRecord.Op.renewTicket);
        try {
            RenewRequest fromJSON = RenewRequest.fromJSON(str);
            Security.TicketAndKey parseFrom = Security.TicketAndKey.parseFrom(DatatypeConverter.parseBase64Binary(fromJSON.getTicketAndKeyString()));
            auditRecord.setCreds(parseFrom.getUserCreds());
            if (com.mapr.security.Security.ValidateTicketAndKey(parseFrom, new MutableInt()) == null) {
                authResponse.setStatus(22);
                authResponse.setError("Unable to generate a renewed ticket. The current ticket is either expired or tampered. Please authenticate to the cluster again.");
            } else {
                Security.TicketAndKey generateRenewedTicket = generateRenewedTicket(parseFrom, fromJSON.getTicketDurInSecs());
                if (generateRenewedTicket == null) {
                    authResponse.setStatus(22);
                    authResponse.setError("Unable to generate a renewed ticket. The current ticket is either not renewable or exceeded max renewal time. Please authenticate to the cluster again.");
                } else {
                    authResponse.setTicketAndKeyString(DatatypeConverter.printBase64Binary(generateRenewedTicket.toByteArray()));
                }
            }
        } catch (JSONException e) {
            LOG.error("Exception parsing json: " + str, e);
            authResponse.setStatus(10004);
            authResponse.setError("Invalid JSON in request: " + str);
        } catch (InvalidProtocolBufferException e2) {
            authResponse.setStatus(10004);
            authResponse.setError("Error parsing base64 encoded ticket and key string into proto object");
            LOG.error("Error parsing base64 encoded ticket and key string into proto object");
        }
        return authResponse;
    }

    private AuthResponse handleGenerateTicket(String str, AuditRecord auditRecord) {
        GenTicketTypeRequest fromJSON;
        Security.TicketAndKey parseFrom;
        Security.ServerKeyType serverKeyType;
        AuthResponse authResponse = new AuthResponse();
        auditRecord.setOp(AuditRecord.Op.generateTicket);
        try {
            fromJSON = GenTicketTypeRequest.fromJSON(str);
            parseFrom = Security.TicketAndKey.parseFrom(DatatypeConverter.parseBase64Binary(fromJSON.getTicketAndKeyString()));
            auditRecord.setCreds(parseFrom.getUserCreds());
        } catch (Exception e) {
            String str2 = "Error in generating ticket as : " + e.getMessage();
            LOG.error(str2);
            authResponse.setError(str2);
            authResponse.setStatus(10004);
        } catch (InvalidProtocolBufferException e2) {
            authResponse.setStatus(10004);
            authResponse.setError("Error parsing base64 encoded ticket and key string into proto object");
            LOG.error("Error parsing base64 encoded ticket and key string into proto object");
        } catch (JSONException e3) {
            LOG.error("Exception parsing json: " + str, e3);
            authResponse.setStatus(10004);
            authResponse.setError("Invalid JSON in request: " + str);
        }
        if (com.mapr.security.Security.ValidateTicketAndKey(parseFrom, new MutableInt()) == null || !com.mapr.security.Security.IsTicketAndKeyUsable(parseFrom)) {
            authResponse.setStatus(22);
            authResponse.setError("Unable to generate a renewed ticket. The current ticket is either expired or tampered. Please authenticate to the cluster again.");
            return authResponse;
        }
        if (!isAuthorizedToGenerateTicket(parseFrom.getUserCreds())) {
            String str3 = "User " + parseFrom.getUserCreds().getUserName() + " does not have permissions to generate ticket";
            authResponse.setStatus(1);
            authResponse.setError(str3);
            return authResponse;
        }
        boolean z = false;
        if (fromJSON.getTicketType() == GenTicketTypeRequest.TicketType.SERVICE) {
            serverKeyType = Security.ServerKeyType.ServerKey;
            z = true;
        } else {
            serverKeyType = Security.ServerKeyType.ClusterKey;
        }
        auditRecord.setPopulateTargetUser(true);
        Security.TicketAndKey generateNewTicket = generateNewTicket(serverKeyType, fromJSON.getTargetUserName(), fromJSON.getTicketDurInSecs(), fromJSON.getTicketRenewInSecs(), z, auditRecord);
        if (generateNewTicket == null) {
            authResponse.setStatus(22);
            authResponse.setError("Unable to generate ticket. The current ticket is either not renewable or exceeded max renewal time. Please authenticate to the cluster again.");
        } else {
            authResponse.setTicketAndKeyString(DatatypeConverter.printBase64Binary(generateNewTicket.toByteArray()));
        }
        return authResponse;
    }

    private boolean isAuthorizedToGenerateTicket(Security.CredentialsMsg credentialsMsg) {
        return CLDBServerHolder.getInstance().isCallerFC(credentialsMsg);
    }

    private synchronized AuthResponse handleKerberosAuth(String str, AuditRecord auditRecord) {
        KerberosAuthRequest fromJSON;
        String token;
        final AuthResponse authResponse = new AuthResponse();
        auditRecord.setOp(AuditRecord.Op.kerberosAuth);
        initKerberos();
        if (this.kerberosIdentity == null) {
            authResponse.setStatus(126);
            authResponse.setError("No server Kerberos identity available");
            return authResponse;
        }
        try {
            fromJSON = KerberosAuthRequest.fromJSON(str);
            token = fromJSON.getToken();
        } catch (JSONException e) {
            LOG.error("Exception parsing json: " + str, e);
            authResponse.setStatus(10004);
            authResponse.setError("Invalid JSON in request: " + str);
        } catch (Exception e2) {
            e = e2;
            if (e instanceof PrivilegedActionException) {
                e = ((PrivilegedActionException) e).getException();
            }
            LOG.error("Exception handling kerberos", e);
            authResponse.setStatus(10004);
            authResponse.setError("Failure in kerberos handshake " + e.getMessage());
        }
        if (token == null) {
            authResponse.setStatus(126);
            authResponse.setError("No Kerberos identity from client");
            return authResponse;
        }
        Subject subject = this.kerberosIdentity.getSubject();
        final Oid oid = new Oid(SPNEGO_OID);
        final byte[] parseBase64Binary = DatatypeConverter.parseBase64Binary(token);
        String str2 = (String) Subject.doAs(subject, new PrivilegedExceptionAction<String>() { // from class: com.mapr.fs.cldb.http.login.MapRLoginServlet.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public String run() throws Exception {
                GSSManager gSSManager = GSSManager.getInstance();
                GSSContext createContext = gSSManager.createContext(gSSManager.createCredential((GSSName) null, 0, oid, 2));
                byte[] acceptSecContext = createContext.acceptSecContext(parseBase64Binary, 0, parseBase64Binary.length);
                if (!createContext.isEstablished()) {
                    MapRLoginServlet.LOG.error("Unexpected failure to establish Kerberos context on first pass. Failing request.");
                    return null;
                }
                authResponse.setToken(DatatypeConverter.printBase64Binary(acceptSecContext));
                MapRLoginServlet.LOG.debug("Client principal is " + createContext.getSrcName());
                return createContext.getSrcName().toString();
            }
        });
        if (str2 == null) {
            authResponse.setStatus(10004);
            authResponse.setError("internal error, unable to complete kerberos handshake");
        } else {
            String mapKerberosId = mapKerberosId(str2);
            auditRecord.setUsername(mapKerberosId);
            Security.TicketAndKey generateNewTicket = generateNewTicket(mapKerberosId, fromJSON.getTicketDurInSecs(), auditRecord);
            if (generateNewTicket == null) {
                authResponse.setStatus(10004);
                authResponse.setError("Could not generate ticket for user: " + str2);
            } else {
                authResponse.setTicketAndKeyString(DatatypeConverter.printBase64Binary(generateNewTicket.toByteArray()));
            }
        }
        return authResponse;
    }

    private Security.TicketAndKey generateNewTicket(String str, Long l, AuditRecord auditRecord) {
        return generateNewTicket(Security.ServerKeyType.ServerKey, str, l, auditRecord);
    }

    private Security.TicketAndKey generateNewTicket(Security.ServerKeyType serverKeyType, String str, Long l, AuditRecord auditRecord) {
        return generateNewTicket(serverKeyType, str, l, null, false, auditRecord);
    }

    private Security.TicketAndKey generateNewTicket(Security.ServerKeyType serverKeyType, String str, Long l, Long l2, boolean z, AuditRecord auditRecord) {
        UnixUserGroupHelper unixUserGroupHelper = new UnixUserGroupHelper();
        int userId = unixUserGroupHelper.getUserId(str);
        int[] groups = unixUserGroupHelper.getGroups(str);
        if (auditRecord.populateTargetUser()) {
            auditRecord.setTargetUid(userId);
            auditRecord.setTargetGid(groups[0]);
        } else {
            auditRecord.setUsername(str);
            auditRecord.setUid(userId);
            auditRecord.setGid(groups[0]);
        }
        long securityUserTicketDurationSeconds = CLDBConfigurationHolder.getInstance().securityUserTicketDurationSeconds();
        long securityUserTicketRenewDurationSeconds = CLDBConfigurationHolder.getInstance().securityUserTicketRenewDurationSeconds();
        if (l != null && l.longValue() > MAX_TICKET_LIFE) {
            l = Long.valueOf(MAX_TICKET_LIFE);
        }
        if (l2 != null && l2.longValue() > MAX_TICKET_LIFE) {
            l2 = Long.valueOf(MAX_TICKET_LIFE);
        }
        if (z) {
            if (l != null) {
                securityUserTicketDurationSeconds = l.longValue();
            }
            if (l2 != null) {
                securityUserTicketRenewDurationSeconds = l2.longValue();
            }
            if (l != null && l2 != null && l.longValue() > l2.longValue()) {
                securityUserTicketRenewDurationSeconds = l.longValue();
            }
        }
        long currentTimeMillis = (System.currentTimeMillis() / 1000) + securityUserTicketDurationSeconds;
        if (l != null && l.longValue() < securityUserTicketDurationSeconds) {
            currentTimeMillis = (System.currentTimeMillis() / 1000) + l.longValue();
        }
        MutableInt mutableInt = new MutableInt();
        Security.TicketAndKey GenerateTicketAndKey = com.mapr.security.Security.GenerateTicketAndKey(serverKeyType, str, userId, groups, currentTimeMillis, securityUserTicketRenewDurationSeconds, true, mutableInt);
        if (GenerateTicketAndKey == null) {
            LOG.error("Could not generate ticket for user: " + str + ". Error: " + mutableInt.GetValue());
        }
        return GenerateTicketAndKey;
    }

    private Security.TicketAndKey generateRenewedTicket(Security.TicketAndKey ticketAndKey, Long l) {
        long securityUserTicketDurationSeconds = CLDBConfigurationHolder.getInstance().securityUserTicketDurationSeconds();
        long currentTimeMillis = (System.currentTimeMillis() / 1000) + securityUserTicketDurationSeconds;
        if (l != null && l.longValue() < securityUserTicketDurationSeconds) {
            currentTimeMillis = (System.currentTimeMillis() / 1000) + l.longValue();
        }
        MutableInt mutableInt = new MutableInt();
        Security.TicketAndKey RenewTicketAndKey = com.mapr.security.Security.RenewTicketAndKey(Security.ServerKeyType.ServerKey, ticketAndKey, currentTimeMillis, mutableInt);
        if (RenewTicketAndKey == null) {
            LOG.error("Could not generate new ticket for user: " + ticketAndKey.getUserCreds().getUserName() + ". Error: " + mutableInt.GetValue());
        }
        return RenewTicketAndKey;
    }

    private String mapKerberosId(String str) throws IOException {
        String shortName = new KerberosName(str).getShortName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Kerberos id = " + str + ", mapped id = " + shortName);
        }
        return shortName;
    }

    private String getRequestString(HttpServletRequest httpServletRequest) throws IOException {
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpServletRequest.getInputStream()));
        StringBuilder sb = new StringBuilder();
        while (true) {
            String readLine = bufferedReader.readLine();
            if (readLine == null) {
                bufferedReader.close();
                return sb.toString();
            }
            sb.append(readLine);
        }
    }

    private AuditRecord getAuditRecord(HttpServletRequest httpServletRequest) {
        AuditRecord auditRecord = new AuditRecord();
        String header = httpServletRequest.getHeader("X-FORWARDED-FOR");
        if (header == null) {
            header = httpServletRequest.getRemoteAddr();
        }
        auditRecord.init(header);
        return auditRecord;
    }

    private boolean isClusterMgmtAuditEnabled() {
        boolean z;
        switch (CLDBConfigurationHolder.getInstance().getMode()) {
            case MASTER_READ_WRITE:
                z = CLDBConfigurationHolder.getInstance().auditClusterMgmtOps() == 1;
                break;
            case SLAVE_READ_ONLY:
                z = this.slaveAuditConfig.isAuditEnabled();
                break;
            default:
                z = true;
                break;
        }
        return z;
    }

    private void auditOperation(AuditRecord auditRecord) {
        if (!isClusterMgmtAuditEnabled()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Audit of the cluster management operations is not enabled. Not Logging the authentication event for " + auditRecord.getUsername());
                return;
            }
            return;
        }
        if (auditRecord.getStatus() != 0 && auditRecord.getUsername() != null && !auditRecord.getUsername().isEmpty() && auditRecord.getUid() == -1) {
            try {
                String username = auditRecord.getUsername();
                UnixUserGroupHelper unixUserGroupHelper = new UnixUserGroupHelper();
                int userId = unixUserGroupHelper.getUserId(username);
                int[] groups = unixUserGroupHelper.getGroups(username);
                auditRecord.setUid(userId);
                auditRecord.setGid(groups[0]);
            } catch (Exception e) {
            }
        }
        auditRecord.setResource("cluster");
        AuditRecordLogger.getInstance().logAuditRecord(auditRecord);
    }
}
