package com.cloudera.cmf.service.config;

import com.cloudera.api.fiql.FIQLParser;
import com.cloudera.cmf.Constants;
import com.cloudera.cmf.model.ConfigValueProvider;
import com.cloudera.cmf.model.DbRole;
import com.cloudera.cmf.model.DbService;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.security.components.SecurityUtils;
import com.cloudera.cmf.service.RoleHandler;
import com.cloudera.cmf.service.SecurityParams;
import com.cloudera.cmf.service.ServiceDataProvider;
import com.cloudera.cmf.service.hdfs.DfsConnector;
import com.cloudera.cmf.service.hdfs.HdfsConnector;
import com.cloudera.cmf.service.sentry.SentryParams;
import com.cloudera.cmf.version.CdhReleases;
import com.cloudera.cmf.version.Release;
import com.cloudera.server.common.KerberosAuthentication;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableRangeMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.List;

/* loaded from: input_file:com/cloudera/cmf/service/config/SecureWebUIEvaluator.class */
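/**
 * Emits the {@code hadoop.http.*} settings that control authentication on a role's web UI.
 *
 * <p>When the role needs security configs (see {@link #needsSecurityConfigs}), Kerberos/SPNEGO
 * settings are emitted: authentication type, signature secret file, cookie domain, HTTP
 * principal and keytab. In every case {@code hadoop.http.filter.initializers} is emitted when at
 * least one filter applies to the release.
 *
 * <p>NOTE(review): this listing appears to be decompiled output (raw types, constant references
 * such as {@code FIQLParser.OR} and {@code SentryParams.SECURITY_MODE_KERBEROS} that were
 * presumably plain literals in the original source). Confirm those constants' values before
 * relying on the emitted configuration.
 */
public class SecureWebUIEvaluator extends AbstractGenericConfigEvaluator {
    // Authentication filter initializer used when the web UI is secured, keyed by release range.
    // The raw Builder is kept as-is because the declared type of the Constants ranges is not
    // visible here.
    private static final ImmutableRangeMap<Release, String> SECURE_AUTH_FILTERS = new ImmutableRangeMap.Builder().put(Constants.SERVICE_VERSIONS_PRIOR_TO_CDH7_0_0, "org.apache.hadoop.security.AuthenticationFilterInitializer").put(Constants.SERVICE_VERSIONS_SINCE_CDH7_0_0, "org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer").build();
    // Filter initializer used when the web UI is NOT secured. Only the "since CDH 7.0.0" range has
    // an entry, so a lookup for any other release yields null and no auth filter is added.
    private static final ImmutableRangeMap<Release, String> UNSECURE_AUTH_FILTERS = new ImmutableRangeMap.Builder().put(Constants.SERVICE_VERSIONS_SINCE_CDH7_0_0, "org.apache.hadoop.security.AuthenticationFilterInitializer").build();
    // Service-level boolean parameter that turns web UI authentication on or off.
    private final BooleanParamSpec secureWebUiParamSpec;

    /**
     * Creates an evaluator driven by the given parameter.
     *
     * @param booleanParamSpec the parameter read from the service to decide whether the web UI is
     *     secured; its role types are the ones this evaluator emits for
     */
    public SecureWebUIEvaluator(BooleanParamSpec booleanParamSpec) {
        super(booleanParamSpec.getRoleTypesToEmitFor(), null);
        this.secureWebUiParamSpec = booleanParamSpec;
    }

    /** Creates an evaluator driven by {@link SecurityParams#SECURE_WEB_UI}. */
    public SecureWebUIEvaluator() {
        this(SecurityParams.SECURE_WEB_UI);
    }

    /**
     * Builds the web UI authentication configs for the role in the given context.
     *
     * @param configEvaluationContext supplies the service, role, role handler and release
     * @param str not used by this evaluator
     * @return the evaluated configs; contains the Kerberos settings only when security configs
     *     are needed
     * @throws NullPointerException if security configs are needed but no keytab generator that
     *     allows the {@code HTTP} principal is found
     */
    @Override
    protected List<EvaluatedConfig> evaluateConfig(ConfigEvaluationContext configEvaluationContext, String str) throws ConfigGenException {
        ServiceDataProvider sdp = configEvaluationContext.getSdp();
        DbService service = configEvaluationContext.getService();
        DbRole role = configEvaluationContext.getRole();
        RoleHandler rh = configEvaluationContext.getRh();
        CmfEntityManager currentCmfEntityManager = CmfEntityManager.currentCmfEntityManager();
        HdfsConnector hdfsConnector = (HdfsConnector) ConfigEvaluatorHelpers.getCurrentOrDependencyConnector(sdp.getServiceHandlerRegistry(), service, HdfsConnector.TYPE);
        List<EvaluatedConfig> configs = new ArrayList<>();
        boolean needsSecurityConfigs = needsSecurityConfigs(hdfsConnector, rh, currentCmfEntityManager, role, service);
        // The filter list is chosen from the secure or the unsecure map by the same decision that
        // gates the Kerberos settings below, so the two stay consistent.
        addFilterConfig(configs, configEvaluationContext, needsSecurityConfigs);
        if (needsSecurityConfigs) {
            // NOTE(review): only hdfsConnector was null-checked in needsSecurityConfigs; if this
            // lookup can return null independently, the cookie-domain line below throws an NPE.
            DfsConnector dfsConnector = (DfsConnector) ConfigEvaluatorHelpers.getCurrentOrDependencyConnector(sdp.getServiceHandlerRegistry(), service, DfsConnector.TYPE);
            configs.add(new EvaluatedConfig("hadoop.http.authentication.type", SentryParams.SECURITY_MODE_KERBEROS));
            // The path is a template; this class neither creates the secret file nor sets its
            // permissions. Whoever materialises it must keep it readable by the role user only,
            // since it keys the signed authentication cookie.
            configs.add(new EvaluatedConfig("hadoop.http.authentication.signature.secret.file", "{{CMF_CONF_DIR}}/http-auth-signature-secret"));
            configs.add(new EvaluatedConfig("hadoop.http.authentication.cookie.domain", dfsConnector.getHttpAuthCookieDomain()));
            configs.add(new EvaluatedConfig("hadoop.http.authentication.kerberos.principal", rh.getRequiredPrincipals(role, SecurityUtils.HADOOP_HOST_WILDCARD).get(KerberosAuthentication.KERBEROS_HTTP_PRINCIPAL)));
            // Use the first keytab generator that may carry the HTTP principal. The original
            // listing asserted checkState(0 == 0) here, a tautology left by decompilation; it is
            // dropped because it can never fail.
            String keytabFile = null;
            for (ConfigFileGenerator configFileGenerator : rh.getConfigSpec().getAllGenerators()) {
                if (configFileGenerator instanceof KerberosKeytabGenerator) {
                    KerberosKeytabGenerator kerberosKeytabGenerator = (KerberosKeytabGenerator) configFileGenerator;
                    ImmutableSet<String> allowedPrincipals = kerberosKeytabGenerator.getAllowedPrincipals(configEvaluationContext);
                    // A null set is accepted as well as one containing "HTTP" — presumably null
                    // means "no restriction"; confirm against KerberosKeytabGenerator.
                    if (allowedPrincipals == null || allowedPrincipals.contains("HTTP")) {
                        keytabFile = kerberosKeytabGenerator.getOutputFileName();
                        break;
                    }
                }
            }
            // Fail closed: without a keytab the Kerberos settings above would be unusable, so
            // abort instead of emitting a partial secure configuration.
            Preconditions.checkNotNull(keytabFile, "No keytab generator allows the HTTP principal for this role");
            configs.add(new EvaluatedConfig("hadoop.http.authentication.kerberos.keytab", keytabFile));
        }
        return configs;
    }

    /**
     * Appends {@code hadoop.http.filter.initializers} to {@code list} when any filter applies.
     *
     * @param list the config list to append to
     * @param configEvaluationContext supplies the release used to pick the filters
     * @param z true to pick the auth filter from the secure map, false for the unsecure map
     */
    private void addFilterConfig(List<EvaluatedConfig> list, ConfigEvaluationContext configEvaluationContext, boolean z) {
        List<String> initializers = new ArrayList<>();
        if (needsCORSFilter(configEvaluationContext)) {
            initializers.add("org.apache.hadoop.security.HttpCrossOriginFilterInitializer");
        }
        Release release = configEvaluationContext.getRelease();
        // get() returns null when the release falls in no range of the chosen map.
        String authFilter = z ? SECURE_AUTH_FILTERS.get(release) : UNSECURE_AUTH_FILTERS.get(release);
        if (authFilter != null) {
            initializers.add(authFilter);
        }
        if (initializers.isEmpty()) {
            return;
        }
        // NOTE(review): FIQLParser.OR is used purely as the list separator here; presumably it
        // is "," (what Hadoop expects for this property) — confirm the constant's value.
        list.add(new EvaluatedConfig("hadoop.http.filter.initializers", String.join(FIQLParser.OR, initializers)));
    }

    /** Returns true when the context's release is at least CDH 7.0.0. */
    private boolean needsCORSFilter(ConfigEvaluationContext configEvaluationContext) {
        return configEvaluationContext.getRelease().atLeast(CdhReleases.CDH7_0_0);
    }

    /**
     * Decides whether the Kerberos web UI settings must be emitted.
     *
     * @return true only when an HDFS connector is available, the role requires credentials, and
     *     the secure-web-UI parameter extracts to {@code true} for the service
     */
    private boolean needsSecurityConfigs(HdfsConnector hdfsConnector, RoleHandler roleHandler, CmfEntityManager cmfEntityManager, DbRole dbRole, DbService dbService) {
        if (hdfsConnector == null || !roleHandler.requiresCredentials(cmfEntityManager, dbRole)) {
            return false;
        }
        try {
            return Boolean.TRUE.equals(this.secureWebUiParamSpec.extract((ConfigValueProvider) dbService));
        } catch (ParamParseException e) {
            // NOTE(review): this fails open. A value that cannot be parsed is treated the same
            // as "web UI security disabled", with no log entry, so a malformed setting silently
            // yields an unauthenticated web UI configuration. Behaviour is kept as in the
            // original; consider logging or propagating the error instead.
            return false;
        }
    }
}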
