package com.cloudera.server.web.cmf.security;

import com.cloudera.api.dao.impl.RedirectLinkGenerator;
import com.cloudera.server.web.cmf.CmfUserLoader;
import com.cloudera.server.web.cmf.KerberosRequestAuthenticationDetails;
import com.cloudera.server.web.cmf.UserDetailsAndGroups;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.Maps;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.eclipse.jetty.util.MultiMap;
import org.eclipse.jetty.util.UrlEncoded;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.kerberos.authentication.KerberosTicketValidator;

/* loaded from: input_file:com/cloudera/server/web/cmf/security/DoAsAuthenticationProvider.class */
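/**
 * Kerberos authentication provider with "doAs" impersonation support.
 *
 * <p>Authentication is first delegated to {@link KerberosServiceAuthenticationProvider}. If the
 * authenticated principal is a configured proxy user (see {@link #addProxyUserConfig}), the
 * request must carry exactly one {@code doAs} query parameter naming the user to impersonate;
 * the impersonated user is loaded, its account status checked, the proxy user's group / host /
 * user restrictions enforced, and a new {@link KerberosServiceRequestToken} for the impersonated
 * user is returned. A proxy user may not act as itself, and any failure of the impersonation
 * checks leaves the returned token unauthenticated.
 *
 * <p>Principals that are not configured proxy users pass through unchanged.
 */
public class DoAsAuthenticationProvider extends KerberosServiceAuthenticationProvider {
    /** Query-string parameter naming the user to impersonate. */
    private static final String IMPERSONATION_FIELD = "doAs";
    private static final Logger LOG = LoggerFactory.getLogger(DoAsAuthenticationProvider.class);
    private KerberosTicketValidator ticketValidator;
    private UserDetailsService userDetailsService;
    private CmfUserLoader cmfUserLoader;
    private boolean initialized = false;
    private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
    // Written by addProxyUserConfig/removeProxyUserConfig and read from authenticate() on
    // request threads; a concurrent map keeps lookups safe and makes a revoked proxy user
    // visible to in-flight requests without further synchronization.
    private final Map<String, ProxyUserRestrictions> proxyUserConfig = Maps.newConcurrentMap();

    /**
     * Restrictions applied to a single proxy user. For each set, {@code null} means
     * "unrestricted" (configured as {@code "*"} or not configured at all, see
     * {@link #checkForStar}); a non-null set is an allow list.
     */
    public static class ProxyUserRestrictions {
        /** Groups the impersonated user must belong to (at least one), or null. */
        private final Set<String> proxyGroups;
        /** Remote addresses / canonical host names the request may originate from, or null. */
        private final Set<String> proxyHosts;
        /** User names that may be impersonated, or null. */
        private final Set<String> proxyUsers;

        public ProxyUserRestrictions(Set<String> set, Set<String> set2, Set<String> set3) {
            this.proxyGroups = set;
            this.proxyHosts = set2;
            this.proxyUsers = set3;
        }

        public Set<String> getProxyGroups() {
            return this.proxyGroups;
        }

        public Set<String> getProxyHosts() {
            return this.proxyHosts;
        }

        public Set<String> getProxyUsers() {
            return this.proxyUsers;
        }
    }

    /**
     * Performs Kerberos authentication, then applies proxy-user impersonation if applicable.
     *
     * @throws IllegalStateException if the ticket validator or user details service is not set
     * @throws AuthenticationException from the Kerberos validation or the account-status checks
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Preconditions.checkState(this.initialized);
        Object details = authentication != null ? authentication.getDetails() : null;
        return proxyAuthenticate(details, super.authenticate(authentication));
    }

    /**
     * Swaps an authenticated proxy user's token for a token of the impersonated user.
     *
     * @param details the request details (expected to be {@link KerberosRequestAuthenticationDetails})
     * @param authentication the result of Kerberos authentication
     * @return the original token for non-proxy users; a new token for the impersonated user on
     *     success; the original token marked unauthenticated when impersonation is required but
     *     fails
     */
    @VisibleForTesting
    Authentication proxyAuthenticate(Object details, Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()
                || !(authentication instanceof KerberosServiceRequestToken)) {
            return authentication;
        }
        KerberosServiceRequestToken proxyToken = (KerberosServiceRequestToken) authentication;
        LOG.debug("Using DoAsAuthenticationProvider to process Kerberos auth request");
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof UserDetails)) {
            LOG.warn("No principal present in authentication");
            return authentication;
        }
        String proxyUser = ((UserDetails) principal).getUsername();
        // Single lookup instead of containsKey()+get(): a concurrent removal between the two
        // calls must not turn into a NullPointerException below.
        ProxyUserRestrictions restrictions = proxyUser == null ? null : this.proxyUserConfig.get(proxyUser);
        if (restrictions == null) {
            // Not a configured proxy user: an ordinary Kerberos login, pass it through untouched.
            return authentication;
        }
        LOG.debug("Authentication from proxy user: {}", proxyUser);
        if (!(details instanceof KerberosRequestAuthenticationDetails)) {
            // Without the web request we can neither read "doAs" nor check the remote host.
            // A proxy user is never allowed to act as itself (see below), so fail closed rather
            // than handing back the proxy user's own authenticated token.
            LOG.warn("No web request present in authentication; rejecting proxy user request");
            authentication.setAuthenticated(false);
            return authentication;
        }
        KerberosRequestAuthenticationDetails request = (KerberosRequestAuthenticationDetails) details;
        try {
            String doAsUser = getDoAsUser(request.getQueryString());
            LOG.debug("DoAs: {}", doAsUser);
            if (doAsUser == null) {
                LOG.warn("Proxy user is not allowed to make non-proxy requests");
                authentication.setAuthenticated(false);
                return authentication;
            }
            UserDetails target;
            Collection<GrantedAuthority> targetGroups = null;
            if (this.cmfUserLoader != null) {
                UserDetailsAndGroups loaded = this.cmfUserLoader.loadUserByUsername(doAsUser);
                target = loaded.getUserDetails();
                targetGroups = loaded.getGroups();
            } else {
                // Plain UserDetailsService: no group membership available for the group check.
                target = this.userDetailsService.loadUserByUsername(doAsUser);
            }
            // Account status (locked / expired / disabled) of the impersonated user, then the
            // superclass hook. Both throw AuthenticationException, which propagates to the caller.
            this.userDetailsChecker.check(target);
            additionalAuthenticationChecks(target, proxyToken);
            checkProxyGroups(targetGroups, restrictions.getProxyGroups());
            checkProxyHosts(request, restrictions.getProxyHosts());
            checkProxyUsers(doAsUser, restrictions.getProxyUsers());
            // The new token carries the impersonated user's identity and authorities but the
            // proxy user's ticket validation and raw token.
            KerberosServiceRequestToken impersonated = new KerberosServiceRequestToken(
                    target, proxyToken.getTicketValidation(), target.getAuthorities(), proxyToken.getToken());
            impersonated.setDetails(proxyToken.getDetails());
            LOG.debug("New authentication: {}", impersonated);
            // Keep the real (proxy) principal on the request details; presumably consumed by
            // audit / access logging so the impersonation remains attributable.
            request.setLoggedInPrincipal(proxyUser);
            LOG.info("Proxy user: {} is impersonating user: {}", proxyUser, doAsUser);
            return impersonated;
        } catch (SecurityException | UsernameNotFoundException e) {
            // Restriction violation or unknown doAs user: fail the whole authentication.
            LOG.error("Failed to impersonate user. Failing authentication.", e);
            authentication.setAuthenticated(false);
            return authentication;
        }
    }

    /**
     * Requires the impersonated user to belong to at least one of {@code allowedGroups}.
     *
     * @param targetGroups group authorities of the impersonated user; null when the user was
     *     loaded without group information (no {@link CmfUserLoader} configured)
     * @param allowedGroups allow list, or null for unrestricted
     * @throws SecurityException if the user is in none of the allowed groups
     */
    private void checkProxyGroups(Collection<GrantedAuthority> targetGroups, Set<String> allowedGroups) {
        if (allowedGroups == null) {
            return;
        }
        if (targetGroups == null) {
            // Group membership is only available via CmfUserLoader. The restriction cannot be
            // evaluated here and is skipped (as before); log it so the gap is visible to operators.
            LOG.warn("Proxy group restriction {} is configured but the impersonated user's group "
                    + "membership is unavailable; group check skipped", allowedGroups);
            return;
        }
        for (GrantedAuthority authority : targetGroups) {
            if (allowedGroups.contains(authority.getAuthority())) {
                return;
            }
        }
        throw new SecurityException("Impersonated user has the following groups: " + targetGroups
                + ", but needs to belong to one of the following: " + allowedGroups);
    }

    /**
     * Requires the request to originate from one of {@code allowedHosts}, matched first against the
     * literal remote address and then against its canonical (reverse-resolved) host name.
     *
     * <p>Host-name matching trusts DNS: presumably the JDK forward-confirms the reverse lookup
     * and falls back to the literal address when it does not, but listing address literals in the
     * allow list avoids the dependency altogether.
     *
     * @param allowedHosts allow list of addresses / host names, or null for unrestricted
     * @throws SecurityException if the remote address is missing, matches nothing, or cannot be
     *     resolved
     */
    private void checkProxyHosts(KerberosRequestAuthenticationDetails request, Set<String> allowedHosts) {
        if (allowedHosts == null) {
            return;
        }
        String remoteAddress = request.getRemoteAddress();
        // InetAddress.getByName(null) resolves to the loopback address, so a request with no
        // recorded peer address would otherwise satisfy an allow list containing "localhost".
        if (StringUtils.isBlank(remoteAddress)) {
            throw new SecurityException("Proxy request has no remote address; cannot match against: "
                    + allowedHosts);
        }
        if (allowedHosts.contains(remoteAddress)) {
            return;
        }
        try {
            String canonicalHostName = InetAddress.getByName(remoteAddress).getCanonicalHostName();
            if (!allowedHosts.contains(canonicalHostName)) {
                throw new SecurityException("Proxy request from: " + remoteAddress + " and hostname "
                        + canonicalHostName + " did not match one of the following: " + allowedHosts);
            }
        } catch (UnknownHostException e) {
            // Only reachable when remoteAddress is an unresolvable name rather than an IP literal.
            throw new SecurityException("Proxy request from: " + remoteAddress
                    + " did not match one of the following: " + allowedHosts
                    + ", and reverse DNS lookup failed", e);
        }
    }

    /**
     * Requires {@code doAsUser} to be one of {@code allowedUsers}.
     *
     * @param allowedUsers allow list, or null for unrestricted
     * @throws SecurityException if the user is not in the allow list
     */
    private void checkProxyUsers(String doAsUser, Set<String> allowedUsers) {
        if (allowedUsers != null && !allowedUsers.contains(doAsUser)) {
            throw new SecurityException("Impersonated user: " + doAsUser
                    + " did not match one of the following: " + allowedUsers);
        }
    }

    public KerberosTicketValidator getTicketValidator() {
        return this.ticketValidator;
    }

    /** Sets the validator on the superclass as well and marks the provider initialized once both dependencies are present. */
    public void setTicketValidator(KerberosTicketValidator kerberosTicketValidator) {
        super.setTicketValidator(kerberosTicketValidator);
        this.ticketValidator = kerberosTicketValidator;
        initialize();
    }

    public UserDetailsService getUserDetailsService() {
        return this.userDetailsService;
    }

    /** Sets the service on the superclass as well and marks the provider initialized once both dependencies are present. */
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        super.setUserDetailsService(userDetailsService);
        this.userDetailsService = userDetailsService;
        initialize();
    }

    /** The provider only advertises support once fully wired, so an unconfigured instance is never consulted. */
    public boolean supports(Class<?> cls) {
        return this.initialized && super.supports(cls);
    }

    public UserDetailsChecker getUserDetailsChecker() {
        return this.userDetailsChecker;
    }

    public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker) {
        this.userDetailsChecker = userDetailsChecker;
    }

    public CmfUserLoader getCmfUserLoader() {
        return this.cmfUserLoader;
    }

    /** Optional loader that also supplies group membership; required for the proxy-group restriction to be enforced. */
    public void setCmfUserLoader(CmfUserLoader cmfUserLoader) {
        this.cmfUserLoader = cmfUserLoader;
    }

    /**
     * Registers (or replaces) the restrictions for a proxy user.
     *
     * @param str proxy user name
     * @param set allowed groups of the impersonated user; null or containing "*" means any
     * @param set2 allowed remote addresses / host names; null or containing "*" means any
     * @param set3 allowed impersonated user names; null or containing "*" means any
     */
    public void addProxyUserConfig(String str, Set<String> set, Set<String> set2, Set<String> set3) {
        Preconditions.checkNotNull(str);
        this.proxyUserConfig.put(str, new ProxyUserRestrictions(checkForStar(set), checkForStar(set2), checkForStar(set3)));
    }

    /** Normalizes a wildcard allow list: null, or any set containing "*", becomes null (unrestricted). */
    private Set<String> checkForStar(Set<String> set) {
        if (set == null || set.contains("*")) {
            return null;
        }
        return set;
    }

    /** Removes a proxy user; subsequent requests from it are treated as ordinary Kerberos logins. */
    public void removeProxyUserConfig(String str) {
        Preconditions.checkNotNull(str);
        this.proxyUserConfig.remove(str);
    }

    public boolean isInitialized() {
        return this.initialized;
    }

    /**
     * Extracts the {@code doAs} parameter from a raw query string.
     *
     * @return the single doAs value, or null if the query string is empty or has no doAs parameter
     *     (an empty value such as {@code doAs=} is returned as "" and will fail the user lookup)
     * @throws SecurityException if doAs appears more than once, so a second value cannot
     *     override the one a caller inspects
     */
    private String getDoAsUser(String queryString) {
        if (StringUtils.isEmpty(queryString)) {
            return null;
        }
        MultiMap params = new MultiMap();
        UrlEncoded.decodeTo(queryString, params, RedirectLinkGenerator.ENCODE_SCHEME);
        List values = (List) params.get(IMPERSONATION_FIELD);
        if (values == null || values.isEmpty()) {
            return null;
        }
        if (values.size() > 1) {
            throw new SecurityException("Multiple doAs users specified in query string");
        }
        return (String) values.get(0);
    }

    /** Flips {@link #initialized} once both the ticket validator and the user details service are set. */
    protected void initialize() {
        if (this.ticketValidator == null || this.userDetailsService == null) {
            return;
        }
        this.initialized = true;
    }
}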
