package org.apache.hive.hcatalog.templeton;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.Groups;

/* loaded from: input_file:org/apache/hive/hcatalog/templeton/ProxyUserSupport.class */
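/**
 * Authorization helper for WebHCat user impersonation ("doAs").
 *
 * <p>Configuration properties named {@code webhcat.proxyuser.USER.groups} and
 * {@code webhcat.proxyuser.USER.hosts} are parsed into two static maps. {@link #validate}
 * then decides whether a proxy user, calling from a given host, may act on behalf of another
 * user. Every path that cannot positively establish authorization ends in a
 * {@link NotAuthorizedException}.
 *
 * <p>NOTE(review): the two maps are plain {@link HashMap}s and no synchronization is visible in
 * this class; presumably {@link #processProxyuserConfig} runs once before requests are served.
 * Confirm against the caller.
 */
final class ProxyUserSupport {
    private static final String CONF_PROXYUSER_PREFIX = "webhcat.proxyuser.";
    private static final String CONF_GROUPS_SUFFIX = ".groups";
    private static final String CONF_HOSTS_SUFFIX = ".hosts";
    private static final Log LOG = LogFactory.getLog(ProxyUserSupport.class);

    // Sentinel for a "*" value. It is compared by identity (==), never by equals(): it is an
    // empty set, so an equals() comparison would confuse "anything allowed" with the
    // "nothing allowed" empty set stored for a blank value.
    private static final Set<String> WILD_CARD =
            Collections.unmodifiableSet(new HashSet<String>(0));

    // proxy user -> groups whose members that user may impersonate
    private static final Map<String, Set<String>> proxyUserGroups =
            new HashMap<String, Set<String>>();
    // proxy user -> canonical host names the proxy user may connect from
    private static final Map<String, Set<String>> proxyUserHosts =
            new HashMap<String, Set<String>>();

    ProxyUserSupport() {
    }

    /**
     * Loads every {@code webhcat.proxyuser.USER.groups} and {@code webhcat.proxyuser.USER.hosts}
     * property from the configuration into the static lookup maps.
     *
     * <p>Entries are added or overwritten and nothing is removed, so a user that is no longer
     * present in a later configuration stays in the maps.
     *
     * <p>The decompiler notes that the original access modifier was package-private.
     *
     * @param appConfig configuration to scan
     */
    public static void processProxyuserConfig(AppConfig appConfig) {
        for (Map.Entry<String, String> entry : appConfig) {
            String key = entry.getKey();
            if (key == null || !key.startsWith(CONF_PROXYUSER_PREFIX)) {
                continue;
            }
            boolean groupsKey = key.endsWith(CONF_GROUPS_SUFFIX);
            boolean hostsKey = !groupsKey && key.endsWith(CONF_HOSTS_SUFFIX);
            if (!groupsKey && !hostsKey) {
                continue;
            }
            String suffix = groupsKey ? CONF_GROUPS_SUFFIX : CONF_HOSTS_SUFFIX;
            int userEnd = key.length() - suffix.length();
            if (userEnd <= CONF_PROXYUSER_PREFIX.length()) {
                // A key such as "webhcat.proxyuser.groups" has no user segment; taking the
                // substring would throw StringIndexOutOfBoundsException and abort the load.
                LOG.warn(MessageFormat.format(
                        "Ignoring proxyuser property [{0}] with no user name", key));
                continue;
            }
            String proxyUser = key.substring(CONF_PROXYUSER_PREFIX.length(), userEnd);
            if (groupsKey) {
                proxyUserGroups.put(proxyUser, parseGroups(proxyUser, entry.getValue()));
            } else {
                proxyUserHosts.put(proxyUser, parseHosts(proxyUser, entry.getValue()));
            }
        }
    }

    /**
     * Turns a {@code .groups} property value into the set of groups a proxy user may act for.
     *
     * <p>Only the exact value {@code "*"} selects the wildcard; a null or blank value yields an
     * empty set, which {@code validateGroup} treats as "no one".
     */
    private static Set<String> parseGroups(String proxyUser, String value) {
        if ("*".equals(value)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("User [" + proxyUser + "] is authorized to do doAs any user.");
            }
            return WILD_CARD;
        }
        String trimmed = value == null ? "" : value.trim();
        if (trimmed.length() == 0) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("User [" + proxyUser + "] is authorized to do doAs for users in the following groups: []");
            }
            return Collections.<String>emptySet();
        }
        Set<String> groups = new HashSet<String>();
        for (String token : trimmed.split(",")) {
            // Trim each element: with "a, b" the untrimmed token " b" never equals a real
            // group name, so the configured group would silently not be honoured.
            String group = token.trim();
            if (group.length() > 0) {
                groups.add(group);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("User [" + proxyUser + "] is authorized to do doAs for users in the following groups: [" + trimmed + "]");
        }
        return groups;
    }

    /**
     * Turns a {@code .hosts} property value into the set of canonical host names a proxy user
     * may connect from. Host names that cannot be resolved are dropped.
     *
     * <p>Only the exact value {@code "*"} selects the wildcard; a null or blank value yields an
     * empty set, which {@code validateRequestorHost} treats as "no host".
     */
    private static Set<String> parseHosts(String proxyUser, String value) {
        if ("*".equals(value)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("User [" + proxyUser + "] is authorized to do doAs from any host.");
            }
            return WILD_CARD;
        }
        String trimmed = value == null ? "" : value.trim();
        if (trimmed.length() == 0) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("User [" + proxyUser + "] is authorized to do doAs from the following hosts: []");
            }
            return Collections.<String>emptySet();
        }
        Set<String> hosts = new HashSet<String>();
        for (String token : trimmed.split(",")) {
            String host = token.trim();
            if (host.length() == 0) {
                // Skip empty elements ("a,,b"): InetAddress.getByName("") is documented to
                // return the loopback address, so an empty element would quietly add the
                // local host to the allow-list.
                continue;
            }
            String canonical = normalizeHostname(host);
            if (canonical != null) {
                hosts.add(canonical);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("User [" + proxyUser + "] is authorized to do doAs from the following hosts: [" + trimmed + "]");
        }
        return hosts;
    }

    /**
     * Checks that {@code proxyUser}, connecting from {@code proxyHost}, may impersonate
     * {@code doAsUser}.
     *
     * <p>A user counts as a proxy user only if a {@code .hosts} property was loaded for it; a
     * user with only a {@code .groups} property is rejected as "not defined as proxyuser".
     *
     * <p>The decompiler notes that the original access modifier was package-private.
     *
     * @param proxyUser the authenticated caller requesting impersonation
     * @param proxyHost the host the request came from; it is canonicalized before comparison
     * @param doAsUser the user to impersonate
     * @throws IllegalArgumentException if any argument is null or empty
     * @throws NotAuthorizedException if the user, host or group check fails
     */
    public static void validate(String proxyUser, String proxyHost, String doAsUser)
            throws NotAuthorizedException {
        assertNotEmpty(proxyUser, "proxyUser", "If you're attempting to use user-impersonation via a proxy user, please make sure that webhcat.proxyuser.#USER#.hosts and webhcat.proxyuser.#USER#.groups are configured correctly");
        assertNotEmpty(proxyHost, "proxyHost", "If you're attempting to use user-impersonation via a proxy user, please make sure that webhcat.proxyuser." + proxyUser + CONF_HOSTS_SUFFIX + " and " + CONF_PROXYUSER_PREFIX + proxyUser + CONF_GROUPS_SUFFIX + " are configured correctly");
        assertNotEmpty(doAsUser, Server.DO_AS_PARAM);
        if (LOG.isDebugEnabled()) {
            LOG.debug(MessageFormat.format("Authorization check proxyuser [{0}] host [{1}] doAs [{2}]", proxyUser, proxyHost, doAsUser));
        }
        if (!proxyUserHosts.containsKey(proxyUser)) {
            throw new NotAuthorizedException(MessageFormat.format("User [{0}] not defined as proxyuser", proxyUser));
        }
        // normalizeHostname returns null when resolution fails; no stored set contains null,
        // so an unresolvable requester host is denied unless the wildcard is configured.
        validateRequestorHost(proxyUser, normalizeHostname(proxyHost));
        validateGroup(proxyUser, doAsUser);
    }

    /**
     * Denies the request unless the proxy user is configured with the host wildcard or the
     * canonical requester host is in its allow-list.
     *
     * @throws NotAuthorizedException if the host is not allowed
     */
    private static void validateRequestorHost(String proxyUser, String canonicalHost)
            throws NotAuthorizedException {
        Set<String> allowedHosts = proxyUserHosts.get(proxyUser);
        if (allowedHosts == WILD_CARD) {
            return;
        }
        if (allowedHosts == null || !allowedHosts.contains(canonicalHost)) {
            throw new NotAuthorizedException(MessageFormat.format("Unauthorized host [{0}] for proxyuser [{1}]", canonicalHost, proxyUser));
        }
    }

    /**
     * Denies the request unless the proxy user is configured with the group wildcard or the
     * impersonated user belongs to at least one of the configured groups.
     *
     * <p>A failed group lookup is logged and treated as "not a member".
     *
     * @throws NotAuthorizedException if no configured group matches
     */
    private static void validateGroup(String proxyUser, String doAsUser)
            throws NotAuthorizedException {
        Set<String> allowedGroups = proxyUserGroups.get(proxyUser);
        if (allowedGroups == WILD_CARD) {
            return;
        }
        if (allowedGroups == null || allowedGroups.isEmpty()) {
            throw new NotAuthorizedException(MessageFormat.format("Unauthorized proxyuser [{0}] for doAsUser [{1}], not in proxyuser groups", proxyUser, doAsUser));
        }
        try {
            List<String> userGroups = new Groups(Main.getAppConfigInstance()).getGroups(doAsUser);
            for (String allowed : allowedGroups) {
                if (userGroups.contains(allowed)) {
                    return;
                }
            }
        } catch (IOException e) {
            // Deliberately not rethrown: control falls through to the denial below.
            LOG.warn(MessageFormat.format("Unable to get list of groups for doAsUser [{0}].", doAsUser), e);
        }
        throw new NotAuthorizedException(MessageFormat.format("Unauthorized proxyuser [{0}] for doAsUser [{1}], not in proxyuser groups", proxyUser, doAsUser));
    }

    /**
     * Resolves a host name or address to its canonical host name.
     *
     * <p>{@code "localhost"} (any case) is passed to {@link InetAddress#getByName} as
     * {@code null}, which that method documents as the loopback address.
     *
     * <p>NOTE(review): {@link InetAddress#getCanonicalHostName()} is a best-effort name-service
     * lookup, so the host allow-list is only as trustworthy as the resolver this JVM uses.
     *
     * @return the canonical host name, or {@code null} if the host cannot be resolved
     */
    private static String normalizeHostname(String host) {
        try {
            String lookup = "localhost".equalsIgnoreCase(host) ? null : host;
            return InetAddress.getByName(lookup).getCanonicalHostName();
        } catch (UnknownHostException e) {
            LOG.warn(MessageFormat.format("Unable to normalize hostname [{0}]", host));
            return null;
        }
    }

    /** Same as {@link #assertNotEmpty(String, String, String)} without an extra hint. */
    private static String assertNotEmpty(String value, String name) {
        return assertNotEmpty(value, name, null);
    }

    /**
     * Returns {@code value} unchanged if it is neither null nor the empty string.
     *
     * @param value the value to check
     * @param name the parameter name used in the error message
     * @param hint optional text appended to the error message; may be null
     * @throws IllegalArgumentException if {@code value} is null or empty
     */
    private static String assertNotEmpty(String value, String name, String hint) {
        String suffix = hint == null ? "" : ", " + hint;
        if (value == null) {
            throw new IllegalArgumentException(name + " cannot be null" + suffix);
        }
        if (value.length() == 0) {
            throw new IllegalArgumentException(name + " cannot be empty" + suffix);
        }
        return value;
    }
}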
