package com.cloudera.server.cmf;

import com.cloudera.cmf.Environment;
import com.cloudera.cmf.ProductState;
import com.cloudera.cmf.model.DbConfigContainerConfigProvider;
import com.cloudera.cmf.model.DbUser;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.security.components.SecurityUtils;
import com.cloudera.cmf.service.ServiceDataProvider;
import com.cloudera.cmf.service.Validation;
import com.cloudera.cmf.service.ValidationContext;
import com.cloudera.cmf.service.auth.AuthServiceUtil;
import com.cloudera.cmf.service.config.CMURLEvaluator;
import com.cloudera.cmf.service.config.EnumParamSpec;
import com.cloudera.cmf.service.hue.HueLoadBalancerRoleHandler;
import com.cloudera.cmf.service.scm.SAMLValidator;
import com.cloudera.cmf.service.scm.ScmHandler;
import com.cloudera.cmf.service.scm.ScmParamTrackerStore;
import com.cloudera.cmf.service.scm.ScmParams;
import com.cloudera.enterprise.HttpServerUtil;
import com.cloudera.enterprise.KeystoreUtil;
import com.cloudera.enterprise.TLSUtil;
import com.cloudera.server.cmf.clientprotocol.ClientProtocol;
import com.cloudera.server.cmf.components.CmServerState;
import com.cloudera.server.cmf.session.SessionService;
import com.cloudera.server.common.BoundedQueuedThreadPool;
import com.cloudera.server.web.cmf.AppContext;
import com.cloudera.server.web.cmf.CMFKerberosUserDetailsService;
import com.cloudera.server.web.cmf.CMFUserDetailsService;
import com.cloudera.server.web.cmf.CmfAuthenticationProvider;
import com.cloudera.server.web.cmf.CmfExternalScriptAuthenticationProvider;
import com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider;
import com.cloudera.server.web.cmf.CmfPamAuthenticationProvider;
import com.cloudera.server.web.cmf.DatabaseUserDetailsChecker;
import com.cloudera.server.web.cmf.DebugController;
import com.cloudera.server.web.cmf.KeyManagerProxy;
import com.cloudera.server.web.cmf.UserMapper;
import com.cloudera.server.web.cmf.WebController;
import com.cloudera.server.web.cmf.security.CmfApiAuthEntryPoint;
import com.cloudera.server.web.cmf.security.CmfWebAuthEntryPoint;
import com.cloudera.server.web.cmf.security.DoAsAuthenticationProvider;
import com.cloudera.server.web.common.JamonModelAndView;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.io.File;
import java.lang.management.ManagementFactory;
import java.net.MalformedURLException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.persistence.EntityManagerFactory;
import org.apache.avro.ipc.stats.StatsServlet;
import org.apache.commons.compress.utils.Lists;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
import org.eclipse.jetty.io.ConnectionStatistics;
import org.eclipse.jetty.jmx.MBeanContainer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.StatisticsHandler;
import org.eclipse.jetty.server.handler.gzip.GzipHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.webapp.WebAppContext;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosTicketValidator;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.metadata.MetadataMemoryProvider;
import org.springframework.security.web.authentication.NullRememberMeServices;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;

/* loaded from: input_file:com/cloudera/server/cmf/WebServerImpl.class */
public class WebServerImpl extends Thread {

    /** Pre-Jetty-9 system property for the maximum form body size; only consulted as a fallback in the constructor. */
    @Deprecated
    private static final String JETTY_MAX_FORM_SIZE = "org.eclipse.jetty.Request.maxFormContentSize";
    /** Jetty 9 system property for the maximum form body size; also the Server attribute key the constructor sets. */
    private static final String JETTY_MAX_FORM_SIZE_JETTY_9 = "org.eclipse.jetty.server.Request.maxFormContentSize";
    // Not referenced in the visible part of this file; presumably a Spring Security bean id — confirm before removing.
    private static final String DEFAULT_AUTHENTICATION_FILTER_BEAN = "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0";
    /** Directory under Environment.getHomeDir() that holds the exploded web application. */
    private static final String WEBAPPDIR = "webapp";
    // NOTE(review): the constructor passes the literal "/" to WebAppContext instead of this constant.
    private static final String CONTEXTPATH = "/";
    // Spring bean names. AUTH_MANAGER_ALIAS is resolved via getApplicationContext().getBean(...) below;
    // the other aliases are not referenced in the visible part of this file.
    public static final String AUTH_MANAGER_ALIAS = "authenticationManager";
    public static final String CMF_USER_DETAILS_SERVICE_ALIAS = "cmfUserDetailsService";
    public static final String API_ENTRY_POINT_ALIAS = "basicAuthOrSpnegoEntryPoint";
    public static final String WEB_ENTRY_POINT_ALIAS = "forwardingLoginUrlAuthenticationEntryPoint";
    /** Jetty server: handler chain and connectors are assembled in the constructor, started in run(). */
    private final Server server;
    private final EntityManagerFactory emf;
    private final ServiceDataProvider sdp;
    // cp and heartbeatInfoCache are assigned in the constructor but not read in the visible part of this file.
    private final ClientProtocol cp;
    private final HeartbeatHandlerInfoCache heartbeatInfoCache;
    private final ScmParamTrackerStore spts;
    /** Receives the TLS / external-authentication configuration failures recorded at startup. */
    private final CmServerState cmss;
    private final WebAppContext webAppContext;
    // Not final as decompiled; treat as effectively constant.
    private static Logger LOG = LoggerFactory.getLogger(WebServerImpl.class);
    /** Maximum Jetty worker threads (system property, default 100); the constructor requires at least 3. */
    private static final int MAX_THREADS = Integer.getInteger("com.cloudera.server.cmf.WebServerImpl.MAX_THREADS", 100).intValue();
    /** Bound on queued requests in the BoundedQueuedThreadPool (system property, default 10000). */
    private static final int MAX_QUEUE_SIZE = Integer.getInteger("com.cloudera.server.cmf.WebServerImpl.MAX_QUEUE_SIZE", 10000).intValue();

    /**
     * Hook installed before and after every task on the "scm-web" thread pool (see the constructor).
     *
     * If CmfEntityManager reports an open connection bound to the current thread, the recorded call
     * site is logged, the pending transaction is rolled back and the entity manager is closed, so the
     * leaked connection is not carried into the next task run on this pooled thread.
     */
    @VisibleForTesting
    static final Runnable CHECK_CLEAN_OPEN_CONNECTION_LEFT_BY_MISTAKE = new Runnable() { // from class: com.cloudera.server.cmf.WebServerImpl.1
        @Override // java.lang.Runnable
        public void run() {
            // null means nothing is open on this thread — the common, cheap path.
            String openConnectionCallStack = CmfEntityManager.getOpenConnectionCallStack();
            if (openConnectionCallStack == null) {
                return;
            }
            WebServerImpl.LOG.warn(String.format("There is an open connection attached to the thread %s. Culprit call site: \n %s", Thread.currentThread().getName(), openConnectionCallStack));
            // Assumes the thread-bound entity manager is the one owning the open connection — confirm against CmfEntityManager.
            CmfEntityManager cmfEntityManager = (CmfEntityManager) Preconditions.checkNotNull(CmfEntityManager.currentCmfEntityManager());
            try {
                try {
                    if (cmfEntityManager.isOpen()) {
                        cmfEntityManager.rollback();
                        WebServerImpl.LOG.info(String.format("Rolled back transaction that was not cleaned up properly and was associated with thread %s", Thread.currentThread().getName()));
                    }
                } catch (Throwable th) {
                    // Rollback failed: close eagerly here; the finally below closes a second time as written.
                    WebServerImpl.LOG.error("Error occured rollingback pending connection", th);
                    try {
                        cmfEntityManager.close();
                    } catch (Throwable th2) {
                        WebServerImpl.LOG.error("Error occured closing/releasing pending connection", th2);
                    }
                }
            } finally {
                // Always release the connection; a failing close is logged rather than propagated
                // because this runs on pool-maintenance paths, not on a request.
                try {
                    cmfEntityManager.close();
                } catch (Throwable th3) {
                    WebServerImpl.LOG.error("Error occured closing/releasing pending connection", th3);
                }
            }
        }
    };
    /** Request header size limit for the plaintext connector (bytes; default 8192). Bounds what a client can send in headers. */
    private static final int HTTP_HEADER_SIZE_BYTES = Integer.parseInt(System.getProperty("com.cloudera.server.cmf.WebServerImpl.HTTP_HEADER_SIZE_BYTES", "8192"));
    /** Request header size limit handed to TLSUtil.setupTLSConnection for the TLS connector (bytes; default 8192). */
    private static final int HTTPS_HEADER_SIZE_BYTES = Integer.parseInt(System.getProperty("com.cloudera.server.cmf.WebServerImpl.HTTPS_HEADER_SIZE_BYTES", "8192"));
    /** Idle timeout applied to the plaintext connector (seconds; default 300); limits how long an idle client holds a connection. */
    private static final int CONNECTION_IDLE_TIMEOUT_SECONDS = Integer.parseInt(System.getProperty("com.cloudera.server.cmf.WebServerImpl.CONNECTION_IDLE_TIMEOUT_SECONDS", "300"));

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.cloudera.server.cmf.WebServerImpl$2, reason: invalid class name */
    /* loaded from: input_file:com/cloudera/server/cmf/WebServerImpl$2.class */
    // Compiler-generated switch-map holder (javac emits one per enum switch). Each array maps an enum
    // ordinal to the case label used by the switches in configureSAMLAuthentication; the AuthBackendOrder
    // map is not used in the visible part of this file. The empty NoSuchFieldError catches are the
    // standard javac idiom tolerating an enum constant that is missing at run time — nothing to fix here.
    public static /* synthetic */ class AnonymousClass2 {
        static final /* synthetic */ int[] $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLBinding;
        static final /* synthetic */ int[] $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLSignAlgo;
        static final /* synthetic */ int[] $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$AuthBackendOrder = new int[ScmParams.AuthBackendOrder.values().length];

        static {
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$AuthBackendOrder[ScmParams.AuthBackendOrder.DB_THEN_LDAP.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$AuthBackendOrder[ScmParams.AuthBackendOrder.LDAP_THEN_DB.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$AuthBackendOrder[ScmParams.AuthBackendOrder.LDAP_ONLY.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$AuthBackendOrder[ScmParams.AuthBackendOrder.EXTERNAL_ONLY_WITHOUT_DB_ADMINS.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$AuthBackendOrder[ScmParams.AuthBackendOrder.DB_ONLY.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            // SAML signature algorithm: 1..4 = RSA_SHA1, RSA_SHA256, RSA_SHA384, RSA_SHA512.
            $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLSignAlgo = new int[ScmParams.SAMLSignAlgo.values().length];
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLSignAlgo[ScmParams.SAMLSignAlgo.RSA_SHA1.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLSignAlgo[ScmParams.SAMLSignAlgo.RSA_SHA256.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLSignAlgo[ScmParams.SAMLSignAlgo.RSA_SHA384.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLSignAlgo[ScmParams.SAMLSignAlgo.RSA_SHA512.ordinal()] = 4;
            } catch (NoSuchFieldError e9) {
            }
            // SAML response binding: 1 = ARTIFACT, 2 = POST.
            $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLBinding = new int[ScmParams.SAMLBinding.values().length];
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLBinding[ScmParams.SAMLBinding.ARTIFACT.ordinal()] = 1;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLBinding[ScmParams.SAMLBinding.POST.ordinal()] = 2;
            } catch (NoSuchFieldError e11) {
            }
        }
    }

    /**
     * Builds the Jetty server and web application context without starting them.
     *
     * Assembles the bounded "scm-web" thread pool, the gzip / webapp / statistics handler chain,
     * the plaintext connector and — when WEB_TLS is set and the keystore validates — the TLS
     * connector. Ports, TLS settings and keystore details are read from SCM configuration inside
     * a read-only transaction that is always closed before returning.
     *
     * @param entityManagerFactory factory for the entity managers used here and in run()
     * @param serviceDataProvider provides the operations manager used when initialising auth providers
     * @param clientProtocol stored; not read in the visible part of this file
     * @param statsServlet mounted at /rpcStats
     * @param heartbeatHandlerInfoCache stored; not read in the visible part of this file
     * @param scmParamTrackerStore consulted when wiring external authentication
     * @param cmServerState receives TLS / auth configuration failures
     * @throws IllegalArgumentException if MAX_THREADS is below 3
     */
    public WebServerImpl(EntityManagerFactory entityManagerFactory, ServiceDataProvider serviceDataProvider, ClientProtocol clientProtocol, StatsServlet statsServlet, HeartbeatHandlerInfoCache heartbeatHandlerInfoCache, ScmParamTrackerStore scmParamTrackerStore, CmServerState cmServerState) {
        super("WebServerImpl");
        // The connector below asks for one acceptor and one selector, so fewer than 3 threads could never serve a request.
        Preconditions.checkArgument(MAX_THREADS >= 3);
        this.emf = entityManagerFactory;
        this.sdp = serviceDataProvider;
        this.cp = clientProtocol;
        this.cmss = cmServerState;
        this.heartbeatInfoCache = heartbeatHandlerInfoCache;
        this.spts = scmParamTrackerStore;

        // Largest form body Jetty will buffer: Jetty 9 property, else the deprecated Jetty 8 name, else 10 MiB.
        long maxFormContentSize = Long.getLong(JETTY_MAX_FORM_SIZE_JETTY_9,
                Long.getLong(JETTY_MAX_FORM_SIZE, 10485760L).longValue()).longValue();

        // Bounded request queue; the open-connection check runs around every pooled task so an
        // entity manager left open by one request is rolled back before the thread is reused.
        BoundedQueuedThreadPool threadPool = BoundedQueuedThreadPool.builder()
                .bound(MAX_QUEUE_SIZE)
                .before(CHECK_CLEAN_OPEN_CONNECTION_LEFT_BY_MISTAKE)
                .after(CHECK_CLEAN_OPEN_CONNECTION_LEFT_BY_MISTAKE)
                .build();
        threadPool.setName("scm-web");
        threadPool.setDaemon(true);
        threadPool.setMaxThreads(MAX_THREADS);

        this.server = new Server(threadPool);
        this.server.setAttribute(JETTY_MAX_FORM_SIZE_JETTY_9, Long.valueOf(maxFormContentSize));
        this.server.insertHandler(buildGzipHandler());
        this.server.addEventListener(new MBeanContainer(ManagementFactory.getPlatformMBeanServer()));

        String webappDir = FilenameUtils.concat(Environment.getHomeDir(), WEBAPPDIR);
        LOG.info("Using webapp:" + webappDir);
        this.webAppContext = new WebAppContext(webappDir, "/");
        // Session cookie is never script-readable and is flagged Secure whenever the request itself arrived over TLS.
        this.webAppContext.getSessionHandler().setHttpOnly(true);
        this.webAppContext.getSessionHandler().setSecureRequestOnly(true);
        Map<String, String> initParams = this.webAppContext.getInitParams();
        // The default servlet must never produce directory listings.
        initParams.put("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
        if (Environment.getDevMode()) {
            LOG.info("In dev mode; disabling jetty static default servlet caching.");
            initParams.put("org.eclipse.jetty.servlet.Default.cacheControl", "max-age=0,public");
        }
        this.server.insertHandler(this.webAppContext);

        ServerConnector connector = new ServerConnector(this.server, 1, 1);
        connector.addBean(new ConnectionStatistics());
        connector.addConnectionFactory(new HttpConnectionFactory(buildPlaintextHttpConfiguration()));

        CmfEntityManager em = new CmfEntityManager(entityManagerFactory);
        try {
            em.beginForRollbackAndReadonly();
            DbConfigContainerConfigProvider scmConfig = em.getScmConfigProvider();
            int httpPort = ((Long) ScmHandler.getScmConfigValue(ScmParams.HTTP_PORT, scmConfig)).intValue();
            int httpsPort = ((Long) ScmHandler.getScmConfigValue(ScmParams.HTTPS_PORT, scmConfig)).intValue();
            connector.setPort(httpPort);
            LOG.info("Plaintext web connections will use port: " + httpPort);
            connector.setIdleTimeout(TimeUnit.SECONDS.toMillis(CONNECTION_IDLE_TIMEOUT_SECONDS));
            if (((Boolean) ScmHandler.getScmConfigValue(ScmParams.WEB_TLS, scmConfig)).booleanValue()) {
                String keystoreType = ((ScmParams.KeyStoreType) ScmHandler.getScmConfigValue(ScmParams.KEYSTORE_TYPE, scmConfig)).getString();
                String keystorePath = (String) ScmHandler.getScmConfigValue(ScmParams.KEYSTORE_PATH, scmConfig);
                String keystorePassword = (String) ScmHandler.getScmConfigValue(ScmParams.KEYSTORE_PASSWORD, scmConfig);
                boolean keystoreUsable;
                try {
                    KeystoreUtil.validateKeyStore(keystorePath, keystorePassword, keystoreType);
                    keystoreUsable = true;
                } catch (IllegalArgumentException e) {
                    // Fail-open by design: the failure is recorded on CmServerState and the server comes up
                    // plaintext-only on httpPort instead of refusing to start. Operators see it via cmss.
                    this.cmss.setTLSConfigurationFailed();
                    LOG.error("Invalid TLS keystore config. Starting server without TLS.", e);
                    keystoreUsable = false;
                }
                if (keystoreUsable) {
                    TLSUtil.setupTLSConnection(httpsPort, keystorePath, keystorePassword, keystoreType, this.server, connector, this.webAppContext, EnumParamSpec.getEnumConfigFileString((Enum) ScmHandler.getScmConfigValue(ScmParams.TLS_VERSIONS, scmConfig)), HTTPS_HEADER_SIZE_BYTES);
                    LOG.info("TLS web connections will use port: " + httpsPort);
                }
            }
            this.server.addConnector(connector);
            this.webAppContext.addServlet(new ServletHolder(statsServlet), "/rpcStats");
            // Restricts the HTTP methods the webapp accepts; the exact set lives in HttpServerUtil.
            HttpServerUtil.constrainHttpMethods(this.webAppContext);
            this.server.insertHandler(new StatisticsHandler());
        } finally {
            em.close();
        }
    }

    /** Gzip handler covering the text-like content types the UI and API emit. */
    private static GzipHandler buildGzipHandler() {
        GzipHandler gzip = new GzipHandler();
        gzip.setIncludedMimeTypes(new String[]{JamonModelAndView.JamonView.CONTENT_TYPE_TEXT_HTML, "text/plain", "text/xml", "application/xhtml+xml", "text/css", "application/javascript", JamonModelAndView.JamonView.CONTENT_TYPE_TEXT_JSON, "image/svg+xml"});
        return gzip;
    }

    /** Plaintext HTTP settings: bounded request header size and no Server / X-Powered-By version disclosure. */
    private static HttpConfiguration buildPlaintextHttpConfiguration() {
        HttpConfiguration http = new HttpConfiguration();
        http.setRequestHeaderSize(HTTP_HEADER_SIZE_BYTES);
        http.setSendXPoweredBy(false);
        http.setSendServerVersion(false);
        return http;
    }

    /**
     * Thread body: starts the web application, wires authentication and controllers, then starts Jetty.
     *
     * Stack traces in Jetty error pages are hidden unless SHOW_STACKTRACES is enabled in SCM config.
     * Any failure is logged, echoed to stderr and terminates the JVM with exit status 2; there is no retry.
     */
    @Override // java.lang.Thread, java.lang.Runnable
    public void run() {
        try {
            this.webAppContext.start();
            CmfEntityManager cmfEntityManager = new CmfEntityManager(this.emf);
            try {
                cmfEntityManager.beginForRollbackAndReadonly();
                // Error pages leak stack traces only when an operator opted in.
                if (!((Boolean) ScmHandler.getScmConfigValue(ScmParams.SHOW_STACKTRACES, cmfEntityManager.getScmConfigProvider())).booleanValue()) {
                    this.webAppContext.getErrorHandler().setShowStacks(false);
                }
                // Released before the longer auth/controller setup; the catch below appears to be the
                // decompiler's expansion of a finally and may close a second time on an exception path.
                cmfEntityManager.close();
                initializeAuthentication();
                patchSpringAuthenticationProvider();
                initializeControllers();
                invalidateSessionsAfterUpgrade();
                this.server.start();
                LOG.info("Started Jetty server.");
            } catch (Throwable th) {
                cmfEntityManager.close();
                throw th;
            }
        } catch (Exception e) {
            // A web server that cannot start is fatal for the whole process.
            LOG.error("Jetty server failed.  Quitting.", e);
            System.err.println("Couldn't start web server.  Quitting.");
            System.err.println(e);
            System.exit(2);
        }
    }

    /**
     * On the first start after an upgrade, invalidates the web sessions of every known user.
     *
     * Collects all user names in a read-only transaction and hands them to the SessionService.
     * A failure is logged and otherwise ignored so an upgrade never blocks server start-up; the
     * entity manager is closed on every exit path (the nested try mirrors the decompiled finally).
     */
    private void invalidateSessionsAfterUpgrade() {
        if (!ProductState.isFirstRunAfterUpgrade()) {
            return;
        }
        LOG.info("Invalidating web sessions of users on upgrade.");
        CmfEntityManager em = new CmfEntityManager(this.emf);
        try {
            try {
                em.beginForRollbackAndReadonly();
                ArrayList<String> userNames = new ArrayList<String>();
                for (Object user : em.findAllUsers()) {
                    userNames.add(((DbUser) user).getName());
                }
                ((SessionService) getApplicationContext().getBean(SessionService.class)).invalidateSessionsAfterUpgrade(userNames);
                em.close();
            } catch (Exception e) {
                // Best effort: sessions that survive are only a cosmetic problem compared with a failed start-up.
                LOG.error("Invalidating sessions failed. ", e);
                em.close();
            }
        } catch (Throwable th) {
            em.close();
            throw th;
        }
    }

    /**
     * Swaps the first DaoAuthenticationProvider registered on the Spring authentication manager
     * for a CmfDefaultAuthenticationProvider wrapping it.
     *
     * Relies on ProviderManager.getProviders() returning the live, mutable provider list: the
     * replacement is done in place and only the first match is patched.
     */
    private void patchSpringAuthenticationProvider() {
        ProviderManager authManager = (ProviderManager) getApplicationContext().getBean(AUTH_MANAGER_ALIAS);
        List<AuthenticationProvider> providers = authManager.getProviders();
        int index = 0;
        for (AuthenticationProvider provider : providers) {
            if (provider instanceof DaoAuthenticationProvider) {
                // set() on an ArrayList does not invalidate the iterator, and we leave right away anyway.
                providers.set(index, new CmfDefaultAuthenticationProvider(provider));
                return;
            }
            index++;
        }
    }

    /**
     * Wires the authentication providers from SCM configuration.
     *
     * Inside a read-only transaction this configures remember-me, the concurrent-session limit and the
     * auth entry point, then — only when the LDAP feature is enabled via FeatureManager — Kerberos,
     * SAML, or one of Active Directory / LDAP / external script / PAM according to EXTERNAL_AUTH_TYPE.
     *
     * Failure handling is fail-open: any exception from the external-auth setup is caught below,
     * recorded on CmServerState, and the server keeps running with database-only authentication.
     *
     * @throws Exception declared on the signature; the body's own failures are caught and logged
     */
    private void initializeAuthentication() throws Exception {
        CmfEntityManager cmfEntityManager = new CmfEntityManager(this.emf);
        try {
            try {
                cmfEntityManager.beginForRollbackAndReadonly();
                DbConfigContainerConfigProvider scmConfigProvider = cmfEntityManager.getScmConfigProvider();
                // Remember-me is on by default in the Spring config and switched off here unless configured.
                if (!((Boolean) ScmHandler.getScmConfigValue(ScmParams.SESSION_REMEMBER_ME, scmConfigProvider)).booleanValue()) {
                    disableRememberMeAuth();
                }
                limitConcurrentSessions((Long) ScmHandler.getScmConfigValue(ScmParams.SESSION_LIMIT_CONCURRENCY, scmConfigProvider));
                // The LDAP feature gates every external backend below, not just LDAP itself.
                boolean hasFeature = ((FeatureManager) getApplicationContext().getBean(FeatureManager.class)).hasFeature(ProductState.Feature.LDAP);
                boolean z = hasFeature && ((Boolean) ScmHandler.getScmConfigValue(ScmParams.KRB_AUTH_ENABLE, scmConfigProvider)).booleanValue();
                DoAsAuthenticationProvider doAsAuthenticationProvider = null;
                // Entry point (basic/SPNEGO vs. form login) is chosen regardless of whether external auth is configured.
                configureAuthEntryPoint(z);
                if (!hasFeature) {
                    cmfEntityManager.close();
                    return;
                }
                if (z) {
                    doAsAuthenticationProvider = configureKerberosAuthentication(cmfEntityManager, scmConfigProvider);
                }
                ScmParams.ExternalAuthType externalAuthType = (ScmParams.ExternalAuthType) ScmHandler.getScmConfigValue(ScmParams.EXTERNAL_AUTH_TYPE, scmConfigProvider);
                // SAML is exclusive: none of the password-based external providers are set up alongside it.
                if (externalAuthType == ScmParams.ExternalAuthType.SAML) {
                    configureSAMLAuthentication(cmfEntityManager, scmConfigProvider);
                    cmfEntityManager.close();
                    return;
                }
                // When the external auth service handles authentication, no local provider is configured here.
                if (AuthServiceUtil.useAuthService(this.spts)) {
                    cmfEntityManager.close();
                    return;
                }
                ScmParams.AuthBackendOrder authBackendOrder = (ScmParams.AuthBackendOrder) ScmHandler.getScmConfigValue(ScmParams.AUTH_BACKEND_ORDER, scmConfigProvider);
                if (authBackendOrder != ScmParams.AuthBackendOrder.DB_ONLY) {
                    // str3 is the LDAP bind password: it is passed to the provider only and must never be logged.
                    String str = (String) ScmHandler.getScmConfigValue(ScmParams.LDAP_URL, scmConfigProvider);
                    String str2 = (String) ScmHandler.getScmConfigValue(ScmParams.LDAP_BIND_DN, scmConfigProvider);
                    String str3 = (String) ScmHandler.getScmConfigValue(ScmParams.LDAP_BIND_PW, scmConfigProvider);
                    String str4 = (String) ScmHandler.getScmConfigValue(ScmParams.LDAP_DN_PATTERN, scmConfigProvider);
                    String str5 = (String) ScmHandler.getScmConfigValue(ScmParams.LDAP_USER_SEARCH_BASE, scmConfigProvider);
                    String str6 = (String) ScmHandler.getScmConfigValue(ScmParams.LDAP_USER_SEARCH_FILTER, scmConfigProvider);
                    String str7 = (String) ScmHandler.getScmConfigValue(ScmParams.LDAP_GROUP_SEARCH_BASE, scmConfigProvider);
                    String str8 = (String) ScmHandler.getScmConfigValue(ScmParams.LDAP_GROUP_SEARCH_FILTER, scmConfigProvider);
                    String str9 = (String) ScmHandler.getScmConfigValue(ScmParams.NT_DOMAIN, scmConfigProvider);
                    String str10 = (String) ScmHandler.getScmConfigValue(ScmParams.AUTH_SCRIPT, scmConfigProvider);
                    String str11 = (String) ScmHandler.getScmConfigValue(ScmParams.PAM_SERVICE_NAME, scmConfigProvider);
                    // PAM needs a service name; LDAP-style backends need a URL plus at least one of
                    // DN pattern / user search base / NT domain. SCRIPT is exempt from the LDAP check.
                    if (externalAuthType == ScmParams.ExternalAuthType.PAM) {
                        if (StringUtils.isEmpty(str11)) {
                            throw new RuntimeException("PAM configuration is incomplete");
                        }
                    } else if ((StringUtils.isEmpty(str) || (StringUtils.isEmpty(str4) && StringUtils.isEmpty(str5) && StringUtils.isEmpty(str9))) && ScmParams.ExternalAuthType.SCRIPT != externalAuthType) {
                        throw new RuntimeException("LDAP configuration is incomplete");
                    }
                    List<String> ldapUrlsList = getLdapUrlsList(str);
                    ProviderManager providerManager = (ProviderManager) getApplicationContext().getBean(AUTH_MANAGER_ALIAS);
                    CmfAuthenticationProvider cmfAuthenticationProvider = null;
                    if (externalAuthType == ScmParams.ExternalAuthType.ACTIVE_DIRECTORY) {
                        if (!StringUtils.isEmpty(str4)) {
                            LOG.warn("LDAP configuration settings were ambiguous: both an NT domain and LDAP DN pattern were specified. Defaulting to authenticate against ActiveDirectory");
                        }
                        cmfAuthenticationProvider = new CmfLdapAuthenticationProvider(str9, ldapUrlsList);
                        LOG.info("Using ActiveDirectory authentication with NT domain {}", str9);
                    } else if (externalAuthType == ScmParams.ExternalAuthType.LDAP) {
                        cmfAuthenticationProvider = new CmfLdapAuthenticationProvider(ldapUrlsList, str2, str3, str4, str5, str6, str7, str8);
                        // Deliberately logs search settings only — neither the bind DN nor the bind password.
                        LOG.info("Using LDAP authentication with properties: DN pattern=(" + str4 + ") user search base=(" + str5 + ") user search filter=(" + str6 + ") group search base=(" + str7 + ") group search filter=(" + str8 + ")");
                        ScmParams.AuthorizationBackendOrder authorizationBackendOrder = (ScmParams.AuthorizationBackendOrder) ScmHandler.getScmConfigValue(ScmParams.AUTHOR_BACKEND, scmConfigProvider);
                        // With Kerberos in front, LDAP supplies group membership unless authorization is DB-only.
                        if (doAsAuthenticationProvider != null && authorizationBackendOrder != ScmParams.AuthorizationBackendOrder.DB_ONLY) {
                            LOG.info("Enabling LDAP authorzation for Kerberos authentication");
                            doAsAuthenticationProvider.setCmfUserLoader((CmfLdapAuthenticationProvider) cmfAuthenticationProvider);
                            ((CMFKerberosUserDetailsService) doAsAuthenticationProvider.getUserDetailsService()).setCmfUserLoader(doAsAuthenticationProvider.getCmfUserLoader());
                        }
                    } else if (externalAuthType == ScmParams.ExternalAuthType.SCRIPT) {
                        if (StringUtils.isEmpty(str10)) {
                            throw new RuntimeException("External authentication requested but script not specified");
                        }
                        cmfAuthenticationProvider = new CmfExternalScriptAuthenticationProvider(str10);
                        LOG.info("Using External authentication with program: {}", str10);
                    } else if (externalAuthType == ScmParams.ExternalAuthType.PAM) {
                        LOG.info("Enabling PAM authentication");
                        cmfAuthenticationProvider = new CmfPamAuthenticationProvider(str11);
                        ScmParams.AuthorizationBackendOrder authorizationBackendOrder2 = (ScmParams.AuthorizationBackendOrder) ScmHandler.getScmConfigValue(ScmParams.AUTHOR_BACKEND, scmConfigProvider);
                        if (doAsAuthenticationProvider != null && authorizationBackendOrder2 != ScmParams.AuthorizationBackendOrder.DB_ONLY) {
                            LOG.info("Enabling PAM authorization for Kerberos authentication");
                            doAsAuthenticationProvider.setCmfUserLoader((CmfPamAuthenticationProvider) cmfAuthenticationProvider);
                            ((CMFKerberosUserDetailsService) doAsAuthenticationProvider.getUserDetailsService()).setCmfUserLoader(doAsAuthenticationProvider.getCmfUserLoader());
                        }
                    }
                    // An EXTERNAL_AUTH_TYPE not handled above leaves the provider null and fails here, landing in the catch below.
                    Preconditions.checkNotNull(cmfAuthenticationProvider);
                    cmfAuthenticationProvider.initialize(this.emf, new UserMapper(this.emf, this.sdp.getOperationsManager()), this.spts);
                    // Presumably orders the DB and external providers per AUTH_BACKEND_ORDER — see configureAuthProviders.
                    configureAuthProviders(providerManager.getProviders(), cmfAuthenticationProvider, authBackendOrder);
                }
                cmfEntityManager.close();
            } catch (Exception e) {
                // Fail-open: the server stays up with DB-only auth; the failure is surfaced through CmServerState.
                this.cmss.setAuthConfigurationFailed();
                LOG.error("Failed to configure external authentication. Server will act as if 'Database Only' authentication has been configured.", e);
                cmfEntityManager.close();
            }
        } catch (Throwable th) {
            cmfEntityManager.close();
            throw th;
        }
    }

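    /**
     * Splits a configured LDAP URL string into one URL per {@code ldap://} / {@code ldaps://} scheme occurrence.
     *
     * The scheme is matched case-insensitively and kept as written; each entry is the scheme followed by
     * the text up to the next scheme, with surrounding whitespace trimmed (other separator characters
     * between entries are not removed). Package-private so tests can call it directly.
     *
     * @param str the raw LDAP_URL value; may be null or empty
     * @return an empty mutable list for null/empty input, otherwise an unmodifiable list of URLs
     * @throws IllegalArgumentException if a non-empty entry has no scheme (previously an IndexOutOfBoundsException)
     */
    static List<String> getLdapUrlsList(String str) {
        if (str == null || str.isEmpty()) {
            return new ArrayList<String>();
        }
        // Same matches as the original "(l|L)(d|D)(a|A)(p|P)(s|S){0,1}://" pattern.
        Pattern scheme = Pattern.compile("ldaps?://", Pattern.CASE_INSENSITIVE);
        List<String> schemes = new ArrayList<String>();
        Matcher matcher = scheme.matcher(str);
        while (matcher.find()) {
            schemes.add(matcher.group());
        }
        List<String> urls = new ArrayList<String>();
        for (String remainder : scheme.split(str)) {
            if (remainder.isEmpty()) {
                continue;
            }
            // Text before the first scheme (or input with no scheme at all) has no scheme to pair with.
            if (urls.size() >= schemes.size()) {
                throw new IllegalArgumentException("LDAP URL entry without an ldap:// or ldaps:// scheme in: " + str);
            }
            urls.add(schemes.get(urls.size()) + remainder.trim());
        }
        return java.util.Collections.unmodifiableList(urls);
    }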

    /**
     * Builds the SAML service-provider (SP) side from SCM configuration: the signing/decryption
     * key manager, the generated SP metadata, and the metadata provider for the metadata file
     * referenced by {@code SAML_METADATA}; all of it is registered with the metadata manager bean.
     *
     * <p>Configuration is first run through {@link SAMLValidator}; any validation whose state is
     * not {@code CHECK} aborts with a {@link RuntimeException} carrying the validation message.
     *
     * @param cmfEntityManager entity manager used for validation context and for the fallback CM URL
     * @param dbConfigContainerConfigProvider source of the {@code SAML_*} SCM config values
     * @throws UnknownHostException propagated from URL/metadata setup (declared; not thrown directly here)
     * @throws MalformedURLException propagated from URL/metadata setup (declared; not thrown directly here)
     * @throws MetadataProviderException if a metadata provider fails to initialize or refresh
     * @throws RuntimeException if SAML validation fails or the response binding is not recognised
     */
    @VisibleForTesting
    void configureSAMLAuthentication(CmfEntityManager cmfEntityManager, DbConfigContainerConfigProvider dbConfigContainerConfigProvider) throws UnknownHostException, MalformedURLException, MetadataProviderException {
        // Fail closed: a single non-CHECK validation result aborts SAML setup entirely.
        for (Validation validation : new SAMLValidator().validate(this.sdp.getServiceHandlerRegistry(), ValidationContext.of(cmfEntityManager.getScmConfigProvider().getConfigContainer()))) {
            if (validation.getState() != Validation.ValidationState.CHECK) {
                throw new RuntimeException("SAML configuration is invalid: " + validation.getMessage());
            }
        }
        // Decompiled locals: str = metadata file path, str2 = keystore path, str3 = keystore password,
        // str4 = key alias, str5 = key password, str6 = entity ID, str7 = entity alias, str8 = entity base URL.
        // str3 and str5 are secrets; they are passed to the key manager and must never be logged.
        String str = (String) ScmHandler.getScmConfigValue(ScmParams.SAML_METADATA, dbConfigContainerConfigProvider);
        String str2 = (String) ScmHandler.getScmConfigValue(ScmParams.SAML_KEYSTORE, dbConfigContainerConfigProvider);
        String str3 = (String) ScmHandler.getScmConfigValue(ScmParams.SAML_KEYSTORE_PASSWORD, dbConfigContainerConfigProvider);
        String str4 = (String) ScmHandler.getScmConfigValue(ScmParams.SAML_KEY_ALIAS, dbConfigContainerConfigProvider);
        String str5 = (String) ScmHandler.getScmConfigValue(ScmParams.SAML_KEY_PASSWORD, dbConfigContainerConfigProvider);
        String str6 = (String) ScmHandler.getScmConfigValue(ScmParams.SAML_ENTITY_ID, dbConfigContainerConfigProvider);
        String str7 = (String) ScmHandler.getScmConfigValue(ScmParams.SAML_ENTITY_ALIAS, dbConfigContainerConfigProvider);
        String str8 = (String) ScmHandler.getScmConfigValue(ScmParams.SAML_ENTITY_BASE_URL, dbConfigContainerConfigProvider);
        ScmParams.SAMLBinding sAMLBinding = (ScmParams.SAMLBinding) ScmHandler.getScmConfigValue(ScmParams.SAML_RESPONSE_BINDING, dbConfigContainerConfigProvider);
        ScmParams.SAMLSignAlgo sAMLSignAlgo = (ScmParams.SAMLSignAlgo) ScmHandler.getScmConfigValue(ScmParams.SAML_SIGNATURE_ALGO, dbConfigContainerConfigProvider);
        // JKS keystore at str2 unlocked with str3; the single key str4 is unlocked with str5 and is
        // also the default key. The KeyManagerProxy bean is repointed at this key manager.
        KeyManager jKSKeyManager = new JKSKeyManager(new FileSystemResource(str2), str3, ImmutableMap.of(str4, str5), str4);
        ((KeyManagerProxy) getApplicationContext().getBean(KeyManagerProxy.class)).setKeyManager(jKSKeyManager);
        MetadataManager metadataManager = (MetadataManager) getApplicationContext().getBean(CachingMetadataManager.class);
        MetadataGenerator metadataGenerator = new MetadataGenerator();
        metadataGenerator.setKeyManager(jKSKeyManager);
        metadataGenerator.setEntityId(str6);
        // No explicit base URL: fall back to the CM URL, which ends up in the SP endpoint locations.
        if (str8 == null) {
            str8 = CMURLEvaluator.getCmUrl(cmfEntityManager).toString();
        }
        metadataGenerator.setEntityBaseURL(str8);
        // Decompiler switch map over SAMLBinding: case 1 prefers the artifact binding, case 2 prefers
        // HTTP-POST. Which enum constant maps to which case index is not visible here — TODO confirm.
        switch (AnonymousClass2.$SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLBinding[sAMLBinding.ordinal()]) {
            case 1:
                metadataGenerator.setBindingsSSO(ImmutableList.of("artifact", "post", "paos"));
                metadataGenerator.setBindingsHoKSSO(ImmutableList.of("artifact", "post"));
                break;
            case HueLoadBalancerRoleHandler.HUE_LOAD_BALANCER_SUGGESTED_MAX /* 2 */:
                metadataGenerator.setBindingsSSO(ImmutableList.of("post", "artifact", "paos"));
                metadataGenerator.setBindingsHoKSSO(ImmutableList.of("post", "artifact"));
                break;
            default:
                throw new RuntimeException("Unrecognised SAML Response Binding: " + sAMLBinding.name());
        }
        ExtendedMetadata generateExtendedMetadata = metadataGenerator.generateExtendedMetadata();
        if (!StringUtils.isEmpty(str7)) {
            generateExtendedMetadata.setAlias(str7);
        }
        // Decompiler switch map over SAMLSignAlgo. Case 1 selects RSA-SHA1 with a SHA-1 digest; SHA-1
        // is deprecated for XML signatures and should be treated as a legacy/compatibility option.
        // There is no default branch, so an unmatched value leaves ExtendedMetadata's own defaults in place.
        switch (AnonymousClass2.$SwitchMap$com$cloudera$cmf$service$scm$ScmParams$SAMLSignAlgo[sAMLSignAlgo.ordinal()]) {
            case 1:
                generateExtendedMetadata.setSigningAlgorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
                generateExtendedMetadata.setDigestMethodAlgorithm("http://www.w3.org/2000/09/xmldsig#sha1");
                break;
            case HueLoadBalancerRoleHandler.HUE_LOAD_BALANCER_SUGGESTED_MAX /* 2 */:
                generateExtendedMetadata.setSigningAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
                generateExtendedMetadata.setDigestMethodAlgorithm("http://www.w3.org/2001/04/xmlenc#sha256");
                break;
            case 3:
                generateExtendedMetadata.setSigningAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384");
                generateExtendedMetadata.setDigestMethodAlgorithm("http://www.w3.org/2001/04/xmldsig-more#sha384");
                break;
            case 4:
                generateExtendedMetadata.setSigningAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
                generateExtendedMetadata.setDigestMethodAlgorithm("http://www.w3.org/2001/04/xmlenc#sha512");
                break;
        }
        // The generated SP metadata is signed with the key manager's default key.
        generateExtendedMetadata.setSignMetadata(true);
        metadataGenerator.setExtendedMetadata(generateExtendedMetadata);
        EntityDescriptor generateMetadata = metadataGenerator.generateMetadata();
        // SP metadata is served from memory; its entity ID becomes the hosted SP name.
        MetadataMemoryProvider metadataMemoryProvider = new MetadataMemoryProvider(generateMetadata);
        metadataMemoryProvider.initialize();
        metadataManager.addMetadataProvider(new ExtendedMetadataDelegate(metadataMemoryProvider, generateExtendedMetadata));
        metadataManager.setHostedSPName(generateMetadata.getEntityID());
        // The SAML_METADATA file (presumably the IdP metadata) is loaded from disk with the shared
        // parser pool bean. Its signature/trust settings are whatever ExtendedMetadataDelegate defaults to
        // when constructed without ExtendedMetadata — verify that this matches the deployment's policy.
        FilesystemMetadataProvider filesystemMetadataProvider = new FilesystemMetadataProvider(new File(str));
        filesystemMetadataProvider.setParserPool((ParserPool) getApplicationContext().getBean(StaticBasicParserPool.class));
        filesystemMetadataProvider.initialize();
        metadataManager.addMetadataProvider(new ExtendedMetadataDelegate(filesystemMetadataProvider));
        metadataManager.refreshMetadata();
    }

    /**
     * Initialises the API authentication entry point and, when that succeeds, pushes the SPNEGO
     * flag to the web entry point. If the API entry point does not report itself initialised,
     * an error is logged and the web entry point is left untouched.
     *
     * @param z whether SPNEGO (Kerberos) authentication is enabled
     */
    private void configureAuthEntryPoint(boolean z) {
        CmfApiAuthEntryPoint apiEntryPoint = (CmfApiAuthEntryPoint) getApplicationContext().getBean(API_ENTRY_POINT_ALIAS);
        apiEntryPoint.initialize(true, z);
        if (!apiEntryPoint.isInitialized()) {
            LOG.error("Error configuring authentication entry point. API access may be broken.");
            return;
        }
        CmfWebAuthEntryPoint webEntryPoint = (CmfWebAuthEntryPoint) getApplicationContext().getBean(WEB_ENTRY_POINT_ALIAS);
        webEntryPoint.setSpnegoEnabled(z);
        String state = z ? "enabled" : "not enabled";
        LOG.info("SPNEGO authentication is " + state);
    }

    /**
     * Builds a Kerberos (SPNEGO) authentication provider backed by a JAAS ticket validator and
     * registers it with the {@code ProviderManager} bean.
     *
     * <p>Soft failures (no usable principal, no keytab path, provider not initialised) are logged
     * and yield {@code null}, so the caller must treat {@code null} as "Kerberos auth not enabled".
     * Any exception raised after the principal/keytab are resolved is wrapped in an
     * {@link IllegalStateException} with the original cause attached.
     *
     * @param cmfEntityManager entity manager used when the default SCM HTTP keytab is written
     * @param dbConfigContainerConfigProvider source of {@code KRB_AUTH_PRINCIPAL} and the
     *        {@code PROXYUSER_KNOX_*} SCM config values
     * @return the registered provider, or {@code null} if Kerberos authentication was not set up
     * @throws IllegalStateException if ticket-validator or provider setup throws
     */
    private DoAsAuthenticationProvider configureKerberosAuthentication(CmfEntityManager cmfEntityManager, DbConfigContainerConfigProvider dbConfigContainerConfigProvider) {
        LOG.info("Initializing Kerberos authentication provider");
        KerberosTicketValidator sunJaasKerberosTicketValidator = new SunJaasKerberosTicketValidator();
        // An explicitly configured service principal wins; otherwise derive the SCM HTTP principal
        // and write its keytab. Only the two exception types below are treated as soft failures.
        String str = (String) ScmHandler.getScmConfigValue(ScmParams.KRB_AUTH_PRINCIPAL, dbConfigContainerConfigProvider);
        if (StringUtils.isNotEmpty(str)) {
            sunJaasKerberosTicketValidator.setServicePrincipal(str);
        } else {
            try {
                String scmHttpPrincipal = SecurityUtils.getScmHttpPrincipal(this.sdp);
                LOG.info("Kerberos authentication will use default principal: " + scmHttpPrincipal);
                sunJaasKerberosTicketValidator.setServicePrincipal(scmHttpPrincipal);
                SecurityUtils.writeScmHttpKeytab(cmfEntityManager, this.sdp);
            } catch (IllegalStateException e) {
                LOG.error("Failed to retrieve SCM HTTP keytab. You must manually set KRB_AUTH_PRINCIPAL and KRB_AUTH_KEYTAB.", e);
                return null;
            } catch (UnknownHostException e2) {
                LOG.error("Service principal is empty. Not initializing Kerberos authentication.");
                return null;
            }
        }
        // Keytab path comes from SecurityUtils in both branches (configured or default principal).
        String scmHttpKeytabFile = SecurityUtils.getScmHttpKeytabFile(this.sdp);
        if (!StringUtils.isNotEmpty(scmHttpKeytabFile)) {
            LOG.error("Keytab location is empty. Not initializing Kerberos authentication.");
            return null;
        }
        sunJaasKerberosTicketValidator.setKeyTabLocation(new FileSystemResource(scmHttpKeytabFile));
        try {
            sunJaasKerberosTicketValidator.afterPropertiesSet();
            // Kerberos principals are resolved through a Kerberos-aware details service that
            // delegates to the regular CMF user details service.
            CMFUserDetailsService cMFUserDetailsService = (CMFUserDetailsService) getApplicationContext().getBean(CMF_USER_DETAILS_SERVICE_ALIAS);
            CMFKerberosUserDetailsService cMFKerberosUserDetailsService = new CMFKerberosUserDetailsService(this.emf);
            cMFKerberosUserDetailsService.setDelegateUds(cMFUserDetailsService);
            DoAsAuthenticationProvider doAsAuthenticationProvider = new DoAsAuthenticationProvider();
            doAsAuthenticationProvider.setTicketValidator(sunJaasKerberosTicketValidator);
            doAsAuthenticationProvider.setUserDetailsService(cMFKerberosUserDetailsService);
            // Optional proxy-user ("doAs") configuration for the Knox principal: a non-blank principal
            // is allowed to impersonate, constrained by the groups/hosts/users lists (null -> empty set).
            // Whether an empty set means "deny all" or "no restriction" is decided inside
            // DoAsAuthenticationProvider and is not visible here — TODO confirm before relying on it.
            String str2 = (String) ScmHandler.getScmConfigValue(ScmParams.PROXYUSER_KNOX_PRINCIPAL, dbConfigContainerConfigProvider);
            if (StringUtils.isNotBlank(str2)) {
                List list = (List) ScmHandler.getScmConfigValue(ScmParams.PROXYUSER_KNOX_GROUPS, dbConfigContainerConfigProvider);
                List list2 = (List) ScmHandler.getScmConfigValue(ScmParams.PROXYUSER_KNOX_HOSTS, dbConfigContainerConfigProvider);
                List list3 = (List) ScmHandler.getScmConfigValue(ScmParams.PROXYUSER_KNOX_USERS, dbConfigContainerConfigProvider);
                doAsAuthenticationProvider.addProxyUserConfig(str2, list != null ? Sets.newHashSet(list) : ImmutableSet.of(), list2 != null ? Sets.newHashSet(list2) : ImmutableSet.of(), list3 != null ? Sets.newHashSet(list3) : ImmutableSet.of());
            }
            if (!doAsAuthenticationProvider.isInitialized()) {
                LOG.error("Failed to initialize Kerberos authentication provider. Check your Kerberos settings.");
                return null;
            }
            // Appended last, so it is consulted after the providers already in the manager.
            ((ProviderManager) getApplicationContext().getBean(AUTH_MANAGER_ALIAS)).getProviders().add(doAsAuthenticationProvider);
            LOG.info("Kerberos authentication provider initialized");
            return doAsAuthenticationProvider;
        } catch (Exception e3) {
            // Broad catch covers validator init, bean lookup and proxy-user setup alike; the cause
            // is preserved on the rethrown exception.
            LOG.error("Failed to initialize Kerberos ticket validator: ", e3);
            throw new IllegalStateException(e3);
        }
    }

    /**
     * Orders the database and external (e.g. LDAP) authentication providers according to the
     * configured backend order and installs matching pre-authentication checks on the database
     * provider.
     *
     * <p>Mutates {@code list} in place: the external provider is inserted at the front or appended
     * at the end depending on the order. The first element of {@code list} is assumed to be the
     * database-backed {@code DaoAuthenticationProvider} (the decompiled source shows no cast).
     *
     * @param list the provider list of the authentication manager; modified in place
     * @param cmfAuthenticationProvider the external authentication provider to add
     * @param authBackendOrder configured backend order
     */
    @VisibleForTesting
    static void configureAuthProviders(List<AuthenticationProvider> list, CmfAuthenticationProvider cmfAuthenticationProvider, ScmParams.AuthBackendOrder authBackendOrder) {
        DaoAuthenticationProvider daoAuthenticationProvider = list.get(0);
        // Reject types for the database provider's pre-auth checks; empty means no extra rejection.
        // Exact meaning of EXTERNAL / NON_ADMINS / NON_INTERNAL lives in DatabaseUserDetailsChecker —
        // presumably which DB user categories may not authenticate with a DB password; verify there.
        EnumSet noneOf = EnumSet.noneOf(DatabaseUserDetailsChecker.RejectTypes.class);
        // Decompiler switch map over AuthBackendOrder; the log messages document each case's intent.
        // Case-index to enum-constant mapping is not visible here — TODO confirm.
        switch (AnonymousClass2.$SwitchMap$com$cloudera$cmf$service$scm$ScmParams$AuthBackendOrder[authBackendOrder.ordinal()]) {
            case 1:
                noneOf = EnumSet.of(DatabaseUserDetailsChecker.RejectTypes.EXTERNAL);
                list.add(cmfAuthenticationProvider);
                LOG.info("Authenticating against database, then LDAP");
                break;
            case HueLoadBalancerRoleHandler.HUE_LOAD_BALANCER_SUGGESTED_MAX /* 2 */:
                noneOf = EnumSet.of(DatabaseUserDetailsChecker.RejectTypes.EXTERNAL);
                list.add(0, cmfAuthenticationProvider);
                LOG.info("Authenticating against LDAP, then database");
                break;
            case 3:
                noneOf = EnumSet.of(DatabaseUserDetailsChecker.RejectTypes.EXTERNAL, DatabaseUserDetailsChecker.RejectTypes.NON_ADMINS);
                list.add(cmfAuthenticationProvider);
                LOG.info("Authenticating against LDAP, then admins from database");
                break;
            case 4:
                noneOf = EnumSet.of(DatabaseUserDetailsChecker.RejectTypes.NON_INTERNAL);
                list.add(cmfAuthenticationProvider);
                LOG.info("Authenticating against LDAP only");
                break;
            case 5:
                // DB_ONLY is expected to be handled by the caller; nothing is added and no users are rejected.
                LOG.warn("Incorrectly called for DB_ONLY");
                break;
        }
        // Installed unconditionally, so an unmatched order resets the checker to "reject nothing".
        daoAuthenticationProvider.setPreAuthenticationChecks(new DatabaseUserDetailsChecker(noneOf));
    }

    /**
     * Wires every {@code WebController} bean with the entity manager factory, service data
     * provider and client protocol, and hands the heartbeat handler info cache to every
     * {@code DebugController} bean.
     */
    private void initializeControllers() {
        for (WebController controller : getApplicationContext().getBeansOfType(WebController.class).values()) {
            controller.initialize(this.emf, this.sdp, this.cp);
        }
        for (DebugController debugController : getApplicationContext().getBeansOfType(DebugController.class).values()) {
            debugController.setHeartbeatHandlerInfoCache(this.heartbeatInfoCache);
        }
    }

    /**
     * Turns off "Remember Me" on the default form-login filter by installing a
     * {@code NullRememberMeServices}. Logs a warning and does nothing if the filter bean
     * cannot be found.
     */
    private void disableRememberMeAuth() {
        UsernamePasswordAuthenticationFilter loginFilter = (UsernamePasswordAuthenticationFilter) getApplicationContext().getBean(DEFAULT_AUTHENTICATION_FILTER_BEAN);
        if (loginFilter == null) {
            LOG.warn("Could not find default authentication filter: 'Remember Me' cannot be disabled.");
            return;
        }
        loginFilter.setRememberMeServices(new NullRememberMeServices());
    }

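    /**
     * Applies the configured per-user concurrent session limit to the session-control strategy
     * bean. A configured value of {@code 0} is mapped to {@code -1} (the strategy's "unlimited"
     * value) before it is applied.
     *
     * @param l configured maximum number of concurrent sessions; {@code 0} means unlimited
     * @throws NullPointerException if {@code l} is {@code null}
     */
    private void limitConcurrentSessions(Long l) {
        long requested = l.longValue();
        int maximumSessions;
        if (requested == 0) {
            maximumSessions = -1;
        } else {
            // Clamp to the int range instead of a narrowing cast: a value beyond Integer.MAX_VALUE
            // would otherwise wrap to an arbitrary (possibly 0 or negative) limit.
            maximumSessions = (int) Math.max(Integer.MIN_VALUE, Math.min(Integer.MAX_VALUE, requested));
        }
        ((ConcurrentSessionControlAuthenticationStrategy) getApplicationContext().getBean(ConcurrentSessionControlAuthenticationStrategy.class)).setMaximumSessions(maximumSessions);
    }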

    /**
     * Returns the application context used for bean lookups; package-private so tests can
     * override it with a stub context.
     *
     * @return the current {@link ApplicationContext} from {@link AppContext}
     */
    @VisibleForTesting
    ApplicationContext getApplicationContext() {
        ApplicationContext context = AppContext.getApplicationContext();
        return context;
    }
}
