package org.apache.hadoop.hdfs.server.common;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.function.BiFunction;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.net.util.SubnetUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.metrics2.sink.ganglia.AbstractGangliaSink;
import org.apache.hadoop.security.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-3.3.4.201-eep-911.jar:org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.class */
public class HostRestrictingAuthorizationFilter implements Filter {
    public static final String HDFS_CONFIG_PREFIX = "dfs.web.authentication.";
    public static final String RESTRICTION_CONFIG = "host.allow.rules";
    private final Map<String, CopyOnWriteArrayList<Rule>> rulemap = new ConcurrentHashMap();
    public static final Predicate<String> RESTRICTED_OPERATIONS = str -> {
        return str.trim().equalsIgnoreCase("op=OPEN") || str.trim().equalsIgnoreCase("op=GETDELEGATIONTOKEN");
    };
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) HostRestrictingAuthorizationFilter.class);

    /* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-3.3.4.201-eep-911.jar:org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter$HttpInteraction.class */
    public interface HttpInteraction {
        boolean isCommitted();

        String getRemoteAddr();

        String getRemoteUser();

        String getRequestURI();

        String getQueryString();

        String getMethod();

        void proceed() throws IOException, ServletException;

        void sendError(int i, String str) throws IOException;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-3.3.4.201-eep-911.jar:org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter$Rule.class */
    public static class Rule {
        private final SubnetUtils.SubnetInfo subnet;
        private final String path;

        Rule(SubnetUtils.SubnetInfo subnetInfo, String str) {
            this.subnet = subnetInfo;
            this.path = str;
        }

        public SubnetUtils.SubnetInfo getSubnet() {
            return this.subnet;
        }

        public String getPath() {
            return this.path;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-3.3.4.201-eep-911.jar:org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter$ServletFilterHttpInteraction.class */
    private static final class ServletFilterHttpInteraction implements HttpInteraction {
        private final FilterChain chain;
        private final HttpServletRequest httpRequest;
        private final HttpServletResponse httpResponse;

        public ServletFilterHttpInteraction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) {
            this.httpRequest = httpServletRequest;
            this.httpResponse = httpServletResponse;
            this.chain = filterChain;
        }

        @Override // org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.HttpInteraction
        public boolean isCommitted() {
            return this.httpResponse.isCommitted();
        }

        @Override // org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.HttpInteraction
        public String getRemoteAddr() {
            return this.httpRequest.getRemoteAddr();
        }

        @Override // org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.HttpInteraction
        public String getRemoteUser() {
            return this.httpRequest.getRemoteUser();
        }

        @Override // org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.HttpInteraction
        public String getRequestURI() {
            return this.httpRequest.getRequestURI();
        }

        @Override // org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.HttpInteraction
        public String getQueryString() {
            return this.httpRequest.getQueryString();
        }

        @Override // org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.HttpInteraction
        public String getMethod() {
            return this.httpRequest.getMethod();
        }

        @Override // org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.HttpInteraction
        public void proceed() throws IOException, ServletException {
            this.chain.doFilter(this.httpRequest, this.httpResponse);
        }

        @Override // org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.HttpInteraction
        public void sendError(int i, String str) throws IOException {
            this.httpResponse.sendError(i, str);
        }
    }

    public static Map<String, String> getFilterParams(Configuration configuration, String str) {
        return configuration.getPropsWithPrefix(str);
    }

    private boolean matchRule(String str, String str2, String str3) {
        String str4 = str != null ? str : "";
        String str5 = str3 != null ? str3 : "";
        LOG.trace("Got user: {}, remoteIp: {}, path: {}", str4, str2, str5);
        if (str2 == null) {
            LOG.trace("Returned false due to null rempteIp");
            return false;
        }
        CopyOnWriteArrayList<Rule> copyOnWriteArrayList = this.rulemap.get(str4);
        List arrayList = copyOnWriteArrayList != null ? copyOnWriteArrayList : new ArrayList();
        CopyOnWriteArrayList<Rule> copyOnWriteArrayList2 = this.rulemap.get("*");
        for (Rule rule : (List) Stream.of((Object[]) new List[]{arrayList, copyOnWriteArrayList2 != null ? copyOnWriteArrayList2 : new ArrayList()}).flatMap(list -> {
            return list.stream();
        }).collect(Collectors.toList())) {
            SubnetUtils.SubnetInfo subnet = rule.getSubnet();
            String path = rule.getPath();
            LOG.trace("Evaluating rule, subnet: {}, path: {}", subnet != null ? subnet.getCidrSignature() : "*", path);
            if (subnet != null) {
                try {
                    if (!subnet.isInRange(str2)) {
                        continue;
                    }
                } catch (IOException e) {
                    LOG.warn("Got IOException {}; returned false", (Throwable) e);
                    return false;
                }
            }
            if (FilenameUtils.directoryContains(path, str5)) {
                LOG.debug("Found matching rule, subnet: {}, path: {}; returned true", rule.getSubnet() != null ? subnet.getCidrSignature() : null, path);
                return true;
            }
        }
        LOG.trace("Found no rules for user");
        return false;
    }

    @Override // javax.servlet.Filter
    public void destroy() {
    }

    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        loadRuleMap(filterConfig.getInitParameter(RESTRICTION_CONFIG));
    }

    private void loadRuleMap(String str) throws IllegalArgumentException {
        if (str == null || str.equals("")) {
            LOG.debug("Got no rules - will disallow anyone access");
            return;
        }
        Pattern compile = Pattern.compile(",");
        Pattern compile2 = Pattern.compile("\\||\n");
        Map map = (Map) compile2.splitAsStream(str).map(str2 -> {
            return compile.split(str2, 3);
        }).collect(Collectors.groupingBy(strArr -> {
            return Integer.valueOf(strArr.length);
        }));
        if (!map.keySet().equals(Collections.singleton(3))) {
            throw new IllegalArgumentException("Bad rule definition: " + ((String) compile2.splitAsStream(str).filter(str3 -> {
                return compile.split(str3, 3).length != 3;
            }).collect(Collectors.joining("\n"))));
        }
        BiFunction<? super CopyOnWriteArrayList<Rule>, ? super CopyOnWriteArrayList<Rule>, ? extends CopyOnWriteArrayList<Rule>> biFunction = (copyOnWriteArrayList, copyOnWriteArrayList2) -> {
            copyOnWriteArrayList.addAll(copyOnWriteArrayList2);
            return copyOnWriteArrayList;
        };
        for (String[] strArr2 : (List) map.get(3)) {
            LOG.debug("Loaded rule: user: {}, network/bits: {} path: {}", strArr2[0], strArr2[1], strArr2[2]);
            final Rule rule = strArr2[1].trim().equals("*") ? new Rule(null, strArr2[2]) : new Rule(new SubnetUtils(strArr2[1]).getInfo(), strArr2[2]);
            this.rulemap.merge(strArr2[0], new CopyOnWriteArrayList<Rule>() { // from class: org.apache.hadoop.hdfs.server.common.HostRestrictingAuthorizationFilter.1
                {
                    add(rule);
                }
            }, biFunction);
        }
    }

    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        handleInteraction(new ServletFilterHttpInteraction((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain));
    }

    public void handleInteraction(HttpInteraction httpInteraction) throws IOException, ServletException {
        String remoteAddr = httpInteraction.getRemoteAddr();
        String queryString = httpInteraction.getQueryString();
        String requestURI = httpInteraction.getRequestURI();
        if (!requestURI.startsWith("/webhdfs/v1")) {
            LOG.trace("Rejecting interaction; wrong URI: {}", requestURI);
            httpInteraction.sendError(404, "The request URI must start with /webhdfs/v1");
            return;
        }
        String substring = requestURI.substring("/webhdfs/v1".length());
        String remoteUser = httpInteraction.getRemoteUser();
        LOG.trace("Got request user: {}, remoteIp: {}, query: {}, path: {}", remoteUser, remoteAddr, queryString, substring);
        boolean anyMatch = Arrays.stream(((String) Optional.ofNullable(queryString).orElse("")).trim().split("&")).anyMatch(RESTRICTED_OPERATIONS);
        if (!httpInteraction.isCommitted() && anyMatch) {
            String[] split = queryString.split("&");
            if (remoteUser == null) {
                LOG.trace("Looking for delegation token to identify user");
                for (String str : split) {
                    if (str.trim().startsWith("delegation=")) {
                        Token token = new Token();
                        token.decodeFromUrlString(str.split(AbstractGangliaSink.EQUAL, 2)[1]);
                        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(token.getIdentifier());
                        DelegationTokenIdentifier delegationTokenIdentifier = new DelegationTokenIdentifier();
                        delegationTokenIdentifier.readFields(new DataInputStream(byteArrayInputStream));
                        remoteUser = delegationTokenIdentifier.getUser().getUserName();
                        LOG.trace("Updated request user: {}, remoteIp: {}, query: {}, path: {}", remoteUser, remoteAddr, queryString, substring);
                    }
                }
            }
            if (anyMatch && !matchRule("*", remoteAddr, substring) && !matchRule(remoteUser, remoteAddr, substring)) {
                LOG.trace("Rejecting interaction; no rule found");
                httpInteraction.sendError(403, "WebHDFS is configured write-only for " + remoteUser + "@" + remoteAddr + " for file: " + substring);
                return;
            }
        }
        LOG.trace("Proceeding with interaction");
        httpInteraction.proceed();
    }
}
