package com.mapr.web.security;

import com.mapr.baseutils.cldbutils.CLDBRpcCommonUtils;
import com.mapr.fs.proto.Security;
import com.mapr.security.JNISecurity;
import com.mapr.security.MutableInt;
import com.mapr.security.Security;
import com.mapr.security.UnixUserGroupHelper;
import java.io.File;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.http.HttpStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:com/mapr/web/security/ImpersonationFilter.class */
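/**
 * Servlet filter that gates use of the {@code X-MAPR-IMPERSONATED-USER} request header.
 *
 * <p>When an authenticated request carries a non-blank impersonation header, the
 * authenticated caller must pass {@link #isAllowedToImpersonate(String)}; otherwise the
 * request is rejected with 403 and is not passed further down the filter chain.
 *
 * <p>This filter only authorizes the caller. It does not itself switch identity and does
 * not validate the impersonated user name; whatever consumes the header later in the
 * chain is presumably responsible for that (not visible in this class).
 *
 * <p>NOTE(review): requests with no authentication, or an unauthenticated one, are passed
 * through with the header untouched. Confirm that downstream components never honour the
 * header on an unauthenticated request.
 */
public class ImpersonationFilter extends GenericFilterBean {
    private static final Logger log = LoggerFactory.getLogger(ImpersonationFilter.class);
    private static final String IMPERSONATED_USER_HEADER = "X-MAPR-IMPERSONATED-USER";

    /**
     * Checks the impersonation header and either rejects the request or continues the chain.
     *
     * @param servletRequest  incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain     remaining filters, invoked only when the request is not rejected
     * @throws IOException      if sending the error or a downstream filter fails
     * @throws ServletException if a downstream filter fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null && authentication.isAuthenticated()) {
            String impersonatedUser = httpServletRequest.getHeader(IMPERSONATED_USER_HEADER);
            if (StringUtils.isNotBlank(impersonatedUser)) {
                if (!isAllowedToImpersonate(SecurityUtils.getCurrentUserName())) {
                    // The header value is client-controlled; encode it before echoing it back.
                    httpServletResponse.sendError(HttpStatus.SC_FORBIDDEN, "Unable to impersonate user: " + URLEncoder.encode(impersonatedUser, StandardCharsets.UTF_8.name()));
                    // Stop here: without this return the denied request would still be handed
                    // to the rest of the chain (with the impersonation header intact) after
                    // the 403 had been sent.
                    return;
                }
                // Neutralise line breaks so a crafted header cannot forge extra log entries.
                log.debug("Impersonating user: {}", impersonatedUser.replace('\r', '_').replace('\n', '_'));
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Decides whether the authenticated caller may send an impersonation header.
     *
     * <p>On a cluster with security enabled, the caller's Unix uid must equal the uid in the
     * credentials of the cluster's server-key ticket. Otherwise, a file named after the
     * caller must exist under {@code <maprHome>/conf/proxy/}.
     *
     * @param str name of the authenticated caller (not the impersonated user)
     * @return {@code true} if the caller is permitted to impersonate
     */
    private static boolean isAllowedToImpersonate(String str) {
        String currentClusterName = CLDBRpcCommonUtils.getInstance().getCurrentClusterName();
        if (JNISecurity.IsSecurityEnabled(currentClusterName)) {
            // NOTE(review): the MutableInt status is discarded and the returned ticket is
            // dereferenced unchecked; confirm the call cannot return null when no server
            // ticket is available, otherwise this surfaces as a NullPointerException.
            return Security.GetTicketAndKeyForCluster(Security.ServerKeyType.ServerKey, currentClusterName, new MutableInt()).getUserCreds().getUid() == new UnixUserGroupHelper().getUserId(str);
        }
        // The name is appended to a directory path below. A blank name, "." or ".." would
        // resolve to an existing directory, and a name containing a separator could resolve
        // to any existing file outside conf/proxy, so such names are never authorised.
        if (!isPlainFileName(str)) {
            return false;
        }
        return new File((WebSecurityConfig.CONFIG.getMaprHome() + "/conf/proxy/") + str).exists();
    }

    /** Returns true only for a non-blank name that is a single path component. */
    private static boolean isPlainFileName(String name) {
        if (StringUtils.isBlank(name) || ".".equals(name) || "..".equals(name)) {
            return false;
        }
        return name.indexOf('/') < 0 && name.indexOf('\\') < 0 && name.indexOf('\0') < 0;
    }
}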
