package com.cloudera.api.filter;

import com.cloudera.api.dao.impl.RedirectLinkGenerator;
import com.cloudera.api.filter.FilterContext;
import com.cloudera.api.internal.Internal;
import com.cloudera.server.cmf.CurrentUserManager;
import com.cloudera.server.web.cmf.SearchController;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Method;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.net.URLCodec;
import org.apache.commons.lang.NotImplementedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
import org.springframework.core.ParameterNameDiscoverer;
import org.springframework.expression.BeanResolver;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/* loaded from: input_file:com/cloudera/api/filter/ApiAuthFilter.class */
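/**
 * Request filter that enforces authorization on API resource methods.
 *
 * <p>The decision is driven by annotations found on the resource method:
 * {@link PermitAll}, {@link RolesAllowed}, {@link Internal} and {@link PreAuthorize}.
 * A failed check is turned into an HTTP 403 response by {@link #preFilter}.
 *
 * <p>Security note: the mere presence of the {@code cmf.api.disable.security} system
 * property (whatever its value, including {@code "false"}) switches every check in this
 * filter off. Deployments should treat that property as a finding.
 */
public class ApiAuthFilter implements RequestFilter {
    private static final String DISABLE_SECURITY_PROP = "cmf.api.disable.security";
    private final CurrentUserManager userManager;
    private final BeanResolver br;
    private static final Logger LOG = LoggerFactory.getLogger(ApiAuthFilter.class);
    // Only these URI template parameters are exposed as SpEL variables.
    private static final ImmutableSet<String> TEMPLATE_PARAMS = ImmutableSet.of("clusterName", "serviceName", "roleName", SearchController.HOSTNAME_TYPE);
    // Per-method cache of the annotation-derived constraints.
    private final Map<Method, SecurityConstraints> cache = Maps.newConcurrentMap();
    private final ExpressionParser ep = new SpelExpressionParser();
    private final ParameterNameDiscoverer pnd = new LocalVariableTableParameterNameDiscoverer();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/cloudera/api/filter/ApiAuthFilter$ContextRoot.class */
    /**
     * Root object handed to the SpEL evaluation context. It exposes only an
     * {@link Authentication} that carries the current user's authorities.
     */
    public static class ContextRoot {
        public final Authentication authentication;

        /* loaded from: input_file:com/cloudera/api/filter/ApiAuthFilter$ContextRoot$StubAuthentication.class */
        /**
         * Minimal {@link Authentication} that answers {@link #getAuthorities()} only.
         * Every other accessor throws, so an expression cannot read a principal or
         * credentials through this object.
         */
        private static class StubAuthentication implements Authentication {
            private final Collection<? extends GrantedAuthority> authorities;

            public StubAuthentication(Set<String> set) {
                this.authorities = AuthorityUtils.createAuthorityList(set.toArray(new String[0]));
            }

            @Override
            public String getName() {
                throw new NotImplementedException();
            }

            @Override
            public Collection<? extends GrantedAuthority> getAuthorities() {
                return this.authorities;
            }

            @Override
            public Object getCredentials() {
                throw new NotImplementedException();
            }

            @Override
            public Object getDetails() {
                throw new NotImplementedException();
            }

            @Override
            public Object getPrincipal() {
                throw new NotImplementedException();
            }

            @Override
            public boolean isAuthenticated() {
                throw new NotImplementedException();
            }

            @Override
            public void setAuthenticated(boolean z) throws IllegalArgumentException {
                throw new NotImplementedException();
            }
        }

        public ContextRoot(Set<String> set) {
            this.authentication = new StubAuthentication(set);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/cloudera/api/filter/ApiAuthFilter$SecurityConstraints.class */
    /** Annotation-derived access requirements of one resource method. */
    public static class SecurityConstraints {
        // Authorities of which the caller needs at least one; empty means "any authenticated user".
        final String[] roles;
        // True when the method carries @Internal.
        final boolean allowInternal;
        // True when the method carries @PermitAll.
        final boolean allowAnonymous;

        SecurityConstraints(Set<String> set, boolean z, boolean z2) {
            this.roles = set.toArray(new String[set.size()]);
            this.allowInternal = z;
            this.allowAnonymous = z2;
        }
    }

    /**
     * @param currentUserManager source of the caller's user name and authorities
     * @param applicationContext used to resolve bean references inside
     *        {@code @PreAuthorize} expressions
     */
    public ApiAuthFilter(CurrentUserManager currentUserManager, ApplicationContext applicationContext) {
        this.userManager = currentUserManager;
        this.br = new BeanFactoryResolver(applicationContext);
        // Make the kill switch visible in the logs; preFilter() honours it silently.
        if (System.getProperties().containsKey(DISABLE_SECURITY_PROP)) {
            LOG.warn("System property '{}' is set: API authorization checks are DISABLED", DISABLE_SECURITY_PROP);
        }
    }

    /**
     * Returns the constraints for the resource method of {@code filterContext},
     * computing and caching them on first use.
     *
     * <p>Default policy: a method without a GET annotation and without declared
     * roles requires {@code ROLE_ADMIN}. A GET method without declared roles ends
     * up with an empty role list, which {@link #doAuthCheck} treats as "any
     * authenticated user".
     */
    private SecurityConstraints getConstraints(FilterContext filterContext) {
        Method resourceMethod = filterContext.getResourceMethod();
        SecurityConstraints cached = this.cache.get(resourceMethod);
        if (cached != null) {
            return cached;
        }
        Class<?> declaringClass = resourceMethod.getDeclaringClass();
        String methodName = resourceMethod.getName();
        Class<?>[] parameterTypes = resourceMethod.getParameterTypes();

        boolean allowAnonymous = false;
        Set<String> roles = Sets.newHashSet();
        // Either annotation type may come back, so hold the result as a plain Annotation.
        java.lang.annotation.Annotation access = AnnotationUtils.findAnnotation(declaringClass, methodName, parameterTypes, PermitAll.class, RolesAllowed.class);
        if (access instanceof PermitAll) {
            allowAnonymous = true;
        } else if (access instanceof RolesAllowed) {
            Collections.addAll(roles, ((RolesAllowed) access).value());
        }
        boolean allowInternal = AnnotationUtils.findAnnotation(declaringClass, methodName, parameterTypes, Internal.class) != null;
        // Anything that is not a GET and declares no roles defaults to admin-only.
        if (AnnotationUtils.findAnnotation(declaringClass, methodName, parameterTypes, GET.class) == null && roles.isEmpty()) {
            roles.add("ROLE_ADMIN");
        }
        SecurityConstraints computed = new SecurityConstraints(roles, allowInternal, allowAnonymous);
        // Concurrent callers may compute the same value twice; the result is identical.
        this.cache.put(resourceMethod, computed);
        return computed;
    }

    /**
     * Checks whether the current user may invoke the resource method.
     *
     * <p>Order of evaluation:
     * <ol>
     *   <li>{@code @PermitAll} methods are allowed without authentication.</li>
     *   <li>A missing or empty user name is rejected.</li>
     *   <li>If the method carries {@code @PreAuthorize}, that expression alone
     *       decides; the role list and {@code @Internal} are not consulted.</li>
     *   <li>{@code @Internal} methods need an internal user name or {@code ROLE_ADMIN}.</li>
     *   <li>Otherwise the caller needs one of the roles, or any authenticated
     *       user passes when the role list is empty.</li>
     * </ol>
     *
     * @throws SecurityException if access is denied
     */
    @VisibleForTesting
    void doAuthCheck(FilterContext filterContext) {
        SecurityConstraints constraints = getConstraints(filterContext);
        if (constraints.allowAnonymous) {
            return;
        }
        String username = this.userManager.getUsername();
        // A null name is rejected here so it surfaces as 403, not as a NullPointerException.
        if (username == null || username.isEmpty()) {
            throw new SecurityException();
        }
        Method resourceMethod = filterContext.getResourceMethod();
        PreAuthorize findAnnotation = AnnotationUtils.findAnnotation(resourceMethod.getDeclaringClass(), resourceMethod.getName(), resourceMethod.getParameterTypes(), PreAuthorize.class);
        if (findAnnotation != null) {
            if (!evaluatePreAuthorize(findAnnotation.value(), filterContext)) {
                throw new SecurityException();
            }
            return;
        }
        if (constraints.allowInternal) {
            // NOTE(review): trust is placed in the name prefix alone. This assumes ordinary
            // accounts can never be created with it; confirm in the user-management code.
            if (username.startsWith("__cloudera_internal_user__") || this.userManager.hasAuthority("ROLE_ADMIN")) {
                return;
            }
        } else if (constraints.roles.length == 0 || this.userManager.hasAnyAuthority(constraints.roles)) {
            return;
        }
        throw new SecurityException();
    }

    /**
     * Runs the authorization check and answers 403 when it fails.
     *
     * <p>Sub-resource locators are skipped. The whole check is also skipped when the
     * {@code cmf.api.disable.security} system property exists, regardless of its value.
     *
     * @return {@code STOP} with a 403 response on denial, {@code NEXT} otherwise
     */
    @Override // com.cloudera.api.filter.RequestFilter
    public FilterContext.FilterAction preFilter(FilterContext filterContext) {
        // containsKey: "-Dcmf.api.disable.security=false" still disables the checks.
        if (!filterContext.isSubResourceLocator() && !System.getProperties().containsKey(DISABLE_SECURITY_PROP)) {
            try {
                doAuthCheck(filterContext);
            } catch (SecurityException e) {
                filterContext.setResponse(Response.status(Response.Status.FORBIDDEN).build());
                return FilterContext.FilterAction.STOP;
            }
        }
        return FilterContext.FilterAction.NEXT;
    }

    /**
     * Evaluates a {@code @PreAuthorize} SpEL expression for the current request.
     *
     * <p>The expression text must come from the annotation only. Request data is bound as
     * variable <em>values</em> (whitelisted template parameters and the method
     * arguments) and is never parsed as an expression. The context resolves beans, so
     * building {@code str} from request input would expose them to the caller.
     *
     * @param str expression taken from the annotation
     * @return {@code true} only if the expression evaluates to {@code Boolean.TRUE};
     *         a {@code null} result or undiscoverable parameter names deny access
     * @throws RuntimeException if a template parameter cannot be URL-decoded
     */
    private boolean evaluatePreAuthorize(String str, FilterContext filterContext) {
        StandardEvaluationContext evalContext = new StandardEvaluationContext();
        evalContext.setBeanResolver(this.br);
        evalContext.setRootObject(new ContextRoot(this.userManager.getAuthorities()));
        for (Map.Entry<?, ?> entry : filterContext.getTemplateParams().entrySet()) {
            if (TEMPLATE_PARAMS.contains(entry.getKey())) {
                try {
                    String raw = (String) Iterables.getOnlyElement((Iterable<?>) entry.getValue());
                    String decoded = new String(URLCodec.decodeUrl(raw.getBytes(RedirectLinkGenerator.ENCODE_SCHEME)), RedirectLinkGenerator.ENCODE_SCHEME);
                    // The value is request-controlled; it is logged at trace level only.
                    LOG.trace("Parameter: {} | {}", entry.getKey(), decoded);
                    evalContext.setVariable((String) entry.getKey(), decoded);
                } catch (UnsupportedEncodingException | DecoderException e) {
                    throw new RuntimeException(e);
                }
            }
        }
        String[] parameterNames = this.pnd.getParameterNames(filterContext.getResourceMethod());
        if (parameterNames == null) {
            // Without names the expression's #variables cannot be bound, so deny instead of guessing.
            LOG.warn("Cannot resolve parameter names for {}; denying access", filterContext.getResourceMethod());
            return false;
        }
        List<?> resourceParams = filterContext.getResourceParams();
        for (int i = 0; i < parameterNames.length; i++) {
            LOG.trace("Method Parameter: {} | {}", parameterNames[i], resourceParams.get(i));
            evalContext.setVariable(parameterNames[i], resourceParams.get(i));
        }
        // A null result counts as "deny" rather than failing on unboxing.
        boolean granted = Boolean.TRUE.equals(this.ep.parseExpression(str).getValue(evalContext, Boolean.class));
        LOG.debug("PreAuthorize expression '{}': {}", str, Boolean.valueOf(granted));
        return granted;
    }
}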
