package org.apache.hadoop.crypto.key.kms.server;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.util.Map;
import java.util.Properties;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.KMSDelegationToken;
import org.apache.hadoop.http.HtmlQuoting;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter;
import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler;
import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler;

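/* loaded from: input_file:org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.class */
/**
 * Authentication filter placed in front of the KMS REST API.
 *
 * <p>It builds the authentication-handler configuration from the
 * {@code hadoop.kms.authentication.*} properties, lets the status endpoint
 * through without authentication, and after every authenticated call updates
 * the "invalid calls" / "unauthenticated calls" meters and the audit log
 * according to the status code the chain produced.
 */
@InterfaceAudience.Private
public class KMSAuthenticationFilter extends DelegationTokenAuthenticationFilter {
    public static final String CONFIG_PREFIX = "hadoop.kms.authentication.";
    static final String RANGER_KMS_REST_API_PATH = "/kms/api/status";

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter$KMSResponse.class */
    /**
     * Response wrapper that remembers the last status code and status/error
     * message written through it, so {@link #doFilter} can inspect them once
     * the chain has returned.
     */
    private static class KMSResponse extends HttpServletResponseWrapper {
        // Stays 0 until one of the overridden methods below is called.
        // NOTE(review): a response that never sets a status explicitly is
        // therefore counted as "invalid" by doFilter; confirm this is intended.
        private int statusCode;
        // Raw (unescaped) message, kept for the audit record only.
        private String msg;

        public KMSResponse(ServletResponse servletResponse) {
            super((HttpServletResponse) servletResponse);
        }

        @Override
        public void setStatus(int i) {
            this.statusCode = i;
            super.setStatus(i);
        }

        @Override
        public void sendError(int i, String str) throws IOException {
            this.statusCode = i;
            this.msg = str;
            // The text sent to the client is HTML-escaped so that a message
            // echoing request-derived data cannot inject markup into the
            // container's error page.
            super.sendError(i, HtmlQuoting.quoteHtmlChars(str));
        }

        @Override
        public void sendError(int i) throws IOException {
            this.statusCode = i;
            super.sendError(i);
        }

        // Deprecated in the Servlet API but still overridden so that a status
        // set through it is recorded as well. Unlike sendError(int, String),
        // the message is passed on unescaped.
        @Override
        public void setStatus(int i, String str) {
            this.statusCode = i;
            this.msg = str;
            super.setStatus(i, str);
        }
    }

    /**
     * Returns the authentication-handler properties for this filter.
     *
     * <p>Both arguments are ignored; the properties always come from the KMS
     * web application's configuration.
     */
    @Override
    protected Properties getConfiguration(String str, FilterConfig filterConfig) {
        return getKMSConfiguration(KMSWebApp.getConfiguration());
    }

    /**
     * Copies every {@code hadoop.kms.authentication.*} property into a
     * {@link Properties} object and resolves the {@code type} shortcut names.
     *
     * @param configuration configuration to read the prefixed properties from
     * @return handler properties with {@code type} resolved and the delegation
     *         token kind set to the KMS token kind
     */
    @VisibleForTesting
    Properties getKMSConfiguration(Configuration configuration) {
        Properties properties = new Properties();
        // Keys are expected to come back without the prefix: the code below
        // reads the authentication type under the bare key "type".
        for (Map.Entry<String, String> entry : configuration.getPropsWithPrefix(CONFIG_PREFIX).entrySet()) {
            properties.setProperty(entry.getKey(), entry.getValue());
        }
        // Security note: when the type is not configured it defaults to
        // "simple", which selects the pseudo handler. Pseudo authentication
        // does not verify the caller's identity cryptographically, so a
        // deployment that needs authenticated callers must set
        // hadoop.kms.authentication.type=kerberos explicitly.
        String authType = properties.getProperty("type", "simple");
        if ("simple".equals(authType)) {
            properties.setProperty("type", PseudoDelegationTokenAuthenticationHandler.class.getName());
        } else if ("kerberos".equals(authType)) {
            properties.setProperty("type", KerberosDelegationTokenAuthenticationHandler.class.getName());
        }
        // Any other value is passed through unchanged (presumably a handler
        // class name interpreted by the parent filter; verify there).
        properties.setProperty("delegation-token.token-kind", KMSDelegationToken.TOKEN_KIND.toString());
        return properties;
    }

    /**
     * Builds the proxy-user configuration from the
     * {@code hadoop.kms.proxyuser.*} properties, with the leading
     * {@link KMSConfiguration#CONFIG_PREFIX} removed from each key.
     */
    @Override
    protected Configuration getProxyuserConfiguration(FilterConfig filterConfig) {
        // NOTE(review): the pattern is not anchored. If getValByRegex uses
        // find-style matching, a key that merely contains
        // "hadoop.kms.proxyuser." would be picked up too and then truncated
        // at the wrong offset by the substring below; confirm.
        Map<String, String> proxyUserProps = KMSWebApp.getConfiguration().getValByRegex("hadoop\\.kms\\.proxyuser\\.");
        Configuration configuration = new Configuration(false);
        for (Map.Entry<String, String> entry : proxyUserProps.entrySet()) {
            configuration.set(entry.getKey().substring(KMSConfiguration.CONFIG_PREFIX.length()), entry.getValue());
        }
        return configuration;
    }

    /**
     * Authenticates the request, except for the status endpoint, and records
     * metrics and audit events based on the resulting status code.
     *
     * <p>Any status other than 200, 201 or 401 marks the invalid-calls meter.
     * A 401 marks the unauthenticated-calls meter and, unless the method is
     * {@code OPTIONS}, writes an "unauthenticated" audit record.
     *
     * @throws IOException if the chain or the response fails with an I/O error
     * @throws ServletException if the chain or the parent filter fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        KMSResponse kMSResponse = new KMSResponse(servletResponse);
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (isStatusRequest(request.getRequestURI())) {
            // The status endpoint is deliberately served without authentication.
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        super.doFilter(servletRequest, kMSResponse, filterChain);
        int status = kMSResponse.statusCode;
        if (status != HttpServletResponse.SC_OK
                && status != HttpServletResponse.SC_CREATED
                && status != HttpServletResponse.SC_UNAUTHORIZED) {
            KMSWebApp.getInvalidCallsMeter().mark();
        }
        if (status == HttpServletResponse.SC_UNAUTHORIZED) {
            KMSWebApp.getUnauthenticatedCallsMeter().mark();
            String method = request.getMethod();
            if (method.equals("OPTIONS")) {
                // OPTIONS requests are counted but not audited.
                return;
            }
            StringBuffer requestURL = request.getRequestURL();
            String queryString = request.getQueryString();
            if (queryString != null) {
                requestURL.append("?").append(queryString);
            }
            // NOTE(review): URL, query string and message are client-influenced
            // and are handed to the audit sink as-is. Confirm that the sink
            // neutralises line breaks, and consider whether query parameters
            // that may carry credentials should be redacted before logging.
            KMSWebApp.getKMSAudit().unauthenticated(servletRequest.getRemoteHost(), method, requestURL.toString(), kMSResponse.msg);
        }
    }

    /**
     * Decides whether a request URI addresses the status endpoint that is
     * exempt from authentication.
     *
     * <p>A bare prefix test on the raw URI exempts more than the status
     * resource: {@code getRequestURI()} is neither decoded nor normalised, so
     * a URI can begin with the status path and still be dispatched to a
     * different resource. The exemption is therefore limited to the status
     * path itself or a sub-path of it, and is refused for any URI that
     * contains path parameters, percent-encoding, backslashes or dot-dot
     * sequences. A refused URI is not rejected; it simply goes through normal
     * authentication.
     */
    private static boolean isStatusRequest(String requestUri) {
        if (requestUri == null || !requestUri.startsWith(RANGER_KMS_REST_API_PATH)) {
            return false;
        }
        int prefixLength = RANGER_KMS_REST_API_PATH.length();
        // Require a segment boundary so that e.g. ".../statusX" is not exempt.
        if (requestUri.length() > prefixLength && requestUri.charAt(prefixLength) != '/') {
            return false;
        }
        return !requestUri.contains("..")
                && requestUri.indexOf(';') < 0
                && requestUri.indexOf('%') < 0
                && requestUri.indexOf('\\') < 0;
    }
}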
