package org.apache.drill.exec.server.rest.auth;

import java.io.IOException;
import java.lang.reflect.Constructor;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.drill.common.config.DrillConfig;
import org.apache.drill.common.exceptions.DrillException;
import org.apache.drill.common.map.CaseInsensitiveMap;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.exception.DrillbitStartupException;
import org.apache.drill.exec.rpc.security.AuthStringUtil;
import org.apache.drill.exec.server.DrillbitContext;
import org.apache.drill.exec.server.rest.WebServerConstants;
import org.apache.drill.exec.server.rest.header.ResponseHeadersSettingFilter;
import org.apache.drill.shaded.guava.com.google.common.base.Preconditions;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.authentication.SessionAuthentication;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/drill/exec/server/rest/auth/DrillHttpSecurityHandlerProvider.class */
public class DrillHttpSecurityHandlerProvider extends ConstraintSecurityHandler {
    private static final Logger logger = LoggerFactory.getLogger(DrillHttpSecurityHandlerProvider.class);
    private final Map<String, DrillHttpConstraintSecurityHandler> securityHandlers = CaseInsensitiveMap.newHashMapWithExpectedSize(2);
    private final Map<String, String> responseHeaders;

    public DrillHttpSecurityHandlerProvider(DrillConfig drillConfig, DrillbitContext drillbitContext) throws DrillbitStartupException {
        Preconditions.checkState(drillConfig.getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED));
        this.responseHeaders = ResponseHeadersSettingFilter.retrieveResponseHeaders(drillConfig);
        Set<String> httpAuthMechanisms = getHttpAuthMechanisms(drillConfig);
        Set<Class> implementations = drillbitContext.getClasspathScan().getImplementations(DrillHttpConstraintSecurityHandler.class);
        logger.debug("Found DrillHttpConstraintSecurityHandler implementations: {}", implementations);
        for (Class cls : implementations) {
            if (httpAuthMechanisms.isEmpty()) {
                break;
            }
            Constructor<?> constructor = null;
            Constructor<?>[] constructors = cls.getConstructors();
            int length = constructors.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                Constructor<?> constructor2 = constructors[i];
                if (constructor2.getParameterTypes().length == 0) {
                    constructor = constructor2;
                    break;
                }
                i++;
            }
            if (constructor == null) {
                logger.warn("Skipping DrillHttpConstraintSecurityHandler class {}. It must implement at least one constructor with signature [{}()]", cls.getCanonicalName(), cls.getName());
            } else {
                try {
                    DrillHttpConstraintSecurityHandler drillHttpConstraintSecurityHandler = (DrillHttpConstraintSecurityHandler) constructor.newInstance(new Object[0]);
                    if (httpAuthMechanisms.remove(drillHttpConstraintSecurityHandler.getImplName())) {
                        drillHttpConstraintSecurityHandler.doSetup(drillbitContext);
                        this.securityHandlers.put(drillHttpConstraintSecurityHandler.getImplName(), drillHttpConstraintSecurityHandler);
                    }
                } catch (IllegalArgumentException | ReflectiveOperationException | DrillException e) {
                    logger.warn(String.format("Failed to create DrillHttpConstraintSecurityHandler of type '%s'", cls.getCanonicalName()), e);
                }
            }
        }
        if (this.securityHandlers.size() == 0) {
            throw new DrillbitStartupException("Authentication is enabled for WebServer but none of the security mechanism was configured properly. Please verify the configurations and try again.");
        }
        logger.info("Configure auth mechanisms for WebServer are: {}", this.securityHandlers.keySet());
    }

    public void doStart() throws Exception {
        super.doStart();
        Iterator<DrillHttpConstraintSecurityHandler> it = this.securityHandlers.values().iterator();
        while (it.hasNext()) {
            it.next().doStart();
        }
    }

    public void handle(String str, Request request, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        Preconditions.checkState(this.securityHandlers.size() > 0);
        Map<String, String> map = this.responseHeaders;
        Objects.requireNonNull(httpServletResponse);
        map.forEach(httpServletResponse::setHeader);
        SessionAuthentication sessionAuthentication = (SessionAuthentication) httpServletRequest.getSession(true).getAttribute("org.eclipse.jetty.security.UserIdentity");
        String requestURI = httpServletRequest.getRequestURI();
        if (sessionAuthentication != null) {
            this.securityHandlers.get(sessionAuthentication.getAuthMethod()).handle(str, request, httpServletRequest, httpServletResponse);
            return;
        }
        if (isSpnegoEnabled() && (!isFormEnabled() || requestURI.equals(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH))) {
            this.securityHandlers.get("SPNEGO").handle(str, request, httpServletRequest, httpServletResponse);
            return;
        }
        if (isBasicEnabled() && httpServletRequest.getHeader(HttpHeader.AUTHORIZATION.asString()) != null) {
            this.securityHandlers.get("BASIC").handle(str, request, httpServletRequest, httpServletResponse);
        } else if (isFormEnabled()) {
            this.securityHandlers.get("FORM").handle(str, request, httpServletRequest, httpServletResponse);
        }
    }

    public void setHandler(Handler handler) {
        super.setHandler(handler);
        Iterator<DrillHttpConstraintSecurityHandler> it = this.securityHandlers.values().iterator();
        while (it.hasNext()) {
            it.next().setHandler(handler);
        }
    }

    public void doStop() throws Exception {
        super.doStop();
        Iterator<DrillHttpConstraintSecurityHandler> it = this.securityHandlers.values().iterator();
        while (it.hasNext()) {
            it.next().doStop();
        }
    }

    public boolean isSpnegoEnabled() {
        return this.securityHandlers.containsKey("SPNEGO");
    }

    public boolean isFormEnabled() {
        return this.securityHandlers.containsKey("FORM");
    }

    public boolean isBasicEnabled() {
        return this.securityHandlers.containsKey("BASIC");
    }

    public static Set<String> getHttpAuthMechanisms(DrillConfig drillConfig) {
        HashSet hashSet = new HashSet();
        if (drillConfig.getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED)) {
            if (drillConfig.hasPath(ExecConstants.HTTP_AUTHENTICATION_MECHANISMS)) {
                hashSet.addAll(AuthStringUtil.asSet(drillConfig.getStringList(ExecConstants.HTTP_AUTHENTICATION_MECHANISMS)));
            } else {
                hashSet.add("FORM");
            }
        }
        return hashSet;
    }
}
