package org.apache.hadoop.lib.service.security;

import java.io.IOException;
import java.net.InetAddress;
import java.security.AccessControlException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.lib.lang.XException;
import org.apache.hadoop.lib.server.BaseService;
import org.apache.hadoop.lib.server.ServiceException;
import org.apache.hadoop.lib.service.Groups;
import org.apache.hadoop.lib.service.ProxyUser;
import org.apache.hadoop.lib.util.Check;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:classes/org/apache/hadoop/lib/service/security/ProxyUserService.class
  input_file:hadoop-hdfs-httpfs-2.4.1-mapr-4.0.1-SNAPSHOT/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/classes/org/apache/hadoop/lib/service/security/ProxyUserService.class
  input_file:webhdfs.war:WEB-INF/classes/org/apache/hadoop/lib/service/security/ProxyUserService.class
 */
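/**
 * Service that decides whether a "proxy user" may act on behalf of another user.
 *
 * <p>Authorization data is read once, in {@link #init()}, from every key of the service
 * configuration that ends in {@code .groups} or {@code .hosts}; the part of the key before
 * the suffix is the proxy user name. Both keys must be present for a proxy user.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A value of {@code *} is stored as a {@code null} set, which the validators treat as
 *       "no restriction". A wildcard therefore switches the host or group check off entirely
 *       for that proxy user.</li>
 *   <li>Host entries and the request host are compared after DNS canonicalisation, so the
 *       outcome depends on name resolution both at start-up and at request time.</li>
 *   <li>NOTE(review): where the {@code proxyHost} argument of {@link #validate} comes from is
 *       not visible here. Confirm that callers pass the connection's remote address rather
 *       than a value taken from a client-supplied header.</li>
 * </ul>
 */
@InterfaceAudience.Private
public class ProxyUserService extends BaseService implements ProxyUser {
    private static final Logger LOG = LoggerFactory.getLogger(ProxyUserService.class);
    private static final String PREFIX = "proxyuser";
    private static final String GROUPS = ".groups";
    private static final String HOSTS = ".hosts";

    // proxy user -> allowed (normalized) request hosts; a null value means "any host" ("*").
    private final Map<String, Set<String>> proxyUserHosts;
    // proxy user -> groups the impersonated user must belong to; a null value means "any group" ("*").
    private final Map<String, Set<String>> proxyUserGroups;

    /** Error codes raised while loading the proxy user configuration. */
    @InterfaceAudience.Private
    public enum ERROR implements XException.ERROR {
        PRXU01("Could not normalize host name [{0}], {1}"),
        PRXU02("Missing [{0}] property");

        private final String template;

        ERROR(String str) {
            this.template = str;
        }

        /** Returns the message template of this error code. */
        @Override
        public String getTemplate() {
            return this.template;
        }
    }

    /** Creates the service under the {@code proxyuser} prefix with empty authorization tables. */
    public ProxyUserService() {
        super(PREFIX);
        this.proxyUserHosts = new HashMap<String, Set<String>>();
        this.proxyUserGroups = new HashMap<String, Set<String>>();
    }

    /** Returns the interface this service is registered under, {@link ProxyUser}. */
    @Override
    public Class getInterface() {
        return ProxyUser.class;
    }

    /** Declares the {@link Groups} service as a dependency; it is looked up during group checks. */
    @Override
    public Class[] getServiceDependencies() {
        return new Class[]{Groups.class};
    }

    /**
     * Loads the proxy user tables from the service configuration.
     *
     * <p>List values are split on commas; each entry is trimmed and empty entries are ignored
     * with a warning. Ignoring them matters for hosts: {@code InetAddress.getByName("")}
     * resolves to the loopback address, so an empty entry (for example {@code "a,,b"} or an
     * empty value) would otherwise silently authorize the local host. An empty list now
     * yields an empty set, which denies every request for that proxy user.
     *
     * @throws ServiceException with {@link ERROR#PRXU02} if a {@code .groups} key has no matching
     *     {@code .hosts} key or vice versa, or with {@link ERROR#PRXU01} if a configured host
     *     cannot be normalized
     */
    @Override
    protected void init() throws ServiceException {
        for (Map.Entry<String, String> entry : getServiceConfig()) {
            String key = entry.getKey();
            if (key.endsWith(GROUPS)) {
                String proxyUser = key.substring(0, key.length() - GROUPS.length());
                if (getServiceConfig().get(proxyUser + HOSTS) == null) {
                    throw new ServiceException(ERROR.PRXU02, getPrefixedName(proxyUser + HOSTS));
                }
                String value = entry.getValue().trim();
                LOG.info("Loading proxyuser settings [{}]=[{}]", key, value);
                Set<String> groups = null;
                if (!value.equals("*")) {
                    groups = new HashSet<String>();
                    for (String rawGroup : value.split(",")) {
                        String group = rawGroup.trim();
                        if (group.isEmpty()) {
                            LOG.warn("Ignoring empty entry in proxyuser setting [{}]", key);
                            continue;
                        }
                        groups.add(group);
                    }
                }
                this.proxyUserGroups.put(proxyUser, groups);
            }
            if (key.endsWith(HOSTS)) {
                String proxyUser = key.substring(0, key.length() - HOSTS.length());
                if (getServiceConfig().get(proxyUser + GROUPS) == null) {
                    throw new ServiceException(ERROR.PRXU02, getPrefixedName(proxyUser + GROUPS));
                }
                String value = entry.getValue().trim();
                LOG.info("Loading proxyuser settings [{}]=[{}]", key, value);
                Set<String> hosts = null;
                if (!value.equals("*")) {
                    hosts = new HashSet<String>();
                    for (String rawHost : value.split(",")) {
                        String host = rawHost.trim();
                        if (host.isEmpty()) {
                            // An empty name would resolve to loopback; never add it implicitly.
                            LOG.warn("Ignoring empty entry in proxyuser setting [{}]", key);
                            continue;
                        }
                        try {
                            String normalized = normalizeHostname(host);
                            LOG.info("  Hostname, original [{}], normalized [{}]", host, normalized);
                            hosts.add(normalized);
                        } catch (Exception e) {
                            throw new ServiceException(ERROR.PRXU01, host, e.getMessage(), e);
                        }
                    }
                }
                this.proxyUserHosts.put(proxyUser, hosts);
            }
        }
    }

    /**
     * Checks that {@code proxyUser}, connecting from {@code proxyHost}, may act as {@code doAsUser}.
     *
     * <p>The three arguments are first passed to {@code Check.notEmpty} (presumably rejecting
     * null or empty values; its implementation is not shown here). The proxy user must have a
     * hosts entry, the normalized request host must be in that entry unless it is the wildcard,
     * and {@code doAsUser} must belong to one of the configured groups unless that is the wildcard.
     *
     * @param proxyUser the authenticated user asking to impersonate
     * @param proxyHost the host the request is attributed to
     * @param doAsUser the user to be impersonated
     * @throws AccessControlException if the proxy user is unknown, the host is not allowed or
     *     cannot be resolved, or the impersonated user is in none of the allowed groups
     * @throws IOException declared by the interface; propagated from the group lookup
     */
    @Override
    public void validate(String proxyUser, String proxyHost, String doAsUser) throws IOException, AccessControlException {
        Check.notEmpty(proxyUser, "proxyUser");
        Check.notEmpty(proxyHost, "proxyHost");
        Check.notEmpty(doAsUser, "doAsUser");
        LOG.debug("Authorization check proxyuser [{}] host [{}] doAs [{}]", proxyUser, proxyHost, doAsUser);
        if (!this.proxyUserHosts.containsKey(proxyUser)) {
            throw new AccessControlException(MessageFormat.format("User [{0}] not defined as proxyuser", proxyUser));
        }
        validateRequestorHost(proxyUser, normalizeHostname(proxyHost), this.proxyUserHosts.get(proxyUser));
        validateGroup(proxyUser, doAsUser, this.proxyUserGroups.get(proxyUser));
    }

    /**
     * Rejects the request unless {@code hostname} is in {@code validHosts}.
     *
     * <p>A {@code null} set is the wildcard and accepts every host. The second lookup
     * re-normalizes a name the caller has already normalized; it only runs when the first
     * lookup misses and is kept so that the set of accepted hosts is unchanged.
     */
    private void validateRequestorHost(String proxyUser, String hostname, Set<String> validHosts) throws IOException, AccessControlException {
        if (validHosts == null) {
            return;
        }
        if (validHosts.contains(hostname) || validHosts.contains(normalizeHostname(hostname))) {
            return;
        }
        throw new AccessControlException(MessageFormat.format("Unauthorized host [{0}] for proxyuser [{1}]", hostname, proxyUser));
    }

    /**
     * Rejects the request unless {@code user} belongs to at least one of {@code validGroups}.
     *
     * <p>A {@code null} set is the wildcard and accepts every user. Group membership is
     * obtained from the {@link Groups} service on each call.
     */
    private void validateGroup(String proxyUser, String user, Set<String> validGroups) throws IOException, AccessControlException {
        if (validGroups == null) {
            return;
        }
        List<String> userGroups = ((Groups) getServer().get(Groups.class)).getGroups(user);
        for (String group : validGroups) {
            if (userGroups.contains(group)) {
                return;
            }
        }
        throw new AccessControlException(MessageFormat.format("Unauthorized proxyuser [{0}] for user [{1}], not in proxyuser groups", proxyUser, user));
    }

    /**
     * Resolves {@code name} and returns the canonical host name of the resulting address.
     *
     * <p>This performs name-service lookups on the calling thread.
     *
     * @throws AccessControlException if the name cannot be resolved; the underlying
     *     {@link IOException} is attached as the cause so the failure can be diagnosed
     */
    private String normalizeHostname(String name) {
        try {
            return InetAddress.getByName(name).getCanonicalHostName();
        } catch (IOException e) {
            AccessControlException denied = new AccessControlException(MessageFormat.format("Could not resolve host [{0}], {1}", name, e.getMessage()));
            // AccessControlException has no cause-taking constructor.
            denied.initCause(e);
            throw denied;
        }
    }
}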
