package com.huawei.hadoop.adapter.sso;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.PrivilegedAction;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.Authenticator;
import org.apache.hadoop.security.ssl.KeyStoresFactory;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/huawei/hadoop/adapter/sso/JmxAuthFilter.class */
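/**
 * Servlet filter that attaches a {@code hadoop.auth} cookie to requests for paths starting with
 * {@code /jmx} when the caller did not send one.
 *
 * <p>The cookie is obtained by logging in from a keytab ({@code jmx.auth.principal} /
 * {@code jmx.auth.keytab}) and opening an authenticated connection to {@code jmx.auth.url}. The
 * resulting token is cached and refreshed at most once every {@link #MAX_REFRESH_TIME}
 * milliseconds.
 *
 * <p>NOTE(review): this filter does not authenticate the caller. Every {@code /jmx} request that
 * arrives without a {@code hadoop.auth} cookie is forwarded with a token issued to the filter's
 * own principal, so whoever can reach this endpoint is seen downstream as that principal. Access
 * to the endpoint therefore has to be restricted by something outside this class (an upstream
 * authenticating filter or network controls) - confirm that such a control exists.
 *
 * <p>NOTE(review): the path check is a plain prefix match, so a servlet path such as
 * {@code /jmxfoo} is treated the same as {@code /jmx}.
 */
public class JmxAuthFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(JmxAuthFilter.class);

    /** Minimum age, in milliseconds (30 minutes), of the cached cookie before it is refreshed. */
    private static final long MAX_REFRESH_TIME = 1800000;

    /** Connect timeout, in milliseconds, applied to the connection returned by AuthenticatedURL. */
    private static final int AUTH_CONNECT_TIMEOUT = 30000;

    public static final String HADOOP_AUTH_COOKIE_NAME = "hadoop.auth";
    public static final String JMX_AUTH_URL = "jmx.auth.url";
    public static final String JMX_AUTH_PRINCIPAL = "jmx.auth.principal";
    public static final String JMX_AUTH_KEYTAB = "jmx.auth.keytab";

    private AuthenticatedURL authenticatedURL;
    // Cached auth cookie shared by all requests; written under 'lock', read without it.
    private volatile Cookie cookie;
    private URL jmxURL;
    private UserGroupInformation ugi;
    // Time of the last successful refresh; stays 0 until the first token has been obtained.
    private volatile long refreshTime;
    private AuthenticatedURL.Token token = new AuthenticatedURL.Token();
    private final Object lock = new Object();

    /**
     * Reads the filter parameters, prepares the (optionally TLS) authenticated client and logs in
     * from the keytab.
     *
     * @param filterConfig supplies {@code jmx.auth.url}, {@code jmx.auth.principal} and
     *     {@code jmx.auth.keytab}
     * @throws ServletException if the URL is malformed, the SSLFactory cannot be initialised, or
     *     the keytab login fails
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOG.info("Init with configs: {}", filterConfig);
        String authUrl = filterConfig.getInitParameter(JMX_AUTH_URL);
        try {
            this.jmxURL = new URL(authUrl);
        } catch (MalformedURLException e) {
            throw new ServletException("URL is invalid: " + authUrl, e);
        }

        Configuration configuration = new Configuration(false);
        configuration.setClass("hadoop.ssl.keystores.factory.class", KeyStoresFactoryImpl.class, KeyStoresFactory.class);
        // NOTE(review): ALLOW_ALL switches off TLS hostname verification for the connection to
        // jmx.auth.url, so a certificate is accepted whatever host name it was issued for. The
        // authentication exchange and the returned hadoop.auth token travel over this
        // connection. Prefer DEFAULT or STRICT once the endpoint certificate carries the correct
        // names; the value is left as it was because deployments may currently depend on it.
        configuration.set("hadoop.ssl.hostname.verifier", "ALLOW_ALL");

        if (StringUtils.startsWith(this.jmxURL.getProtocol(), "https")) {
            SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, configuration);
            try {
                sslFactory.init();
                // A null Authenticator leaves the choice of authenticator to AuthenticatedURL.
                this.authenticatedURL = new AuthenticatedURL((Authenticator) null, sslFactory);
            } catch (Exception e) {
                throw new ServletException("Failed to init SSLFactory", e);
            }
        } else {
            // NOTE(review): with a non-https URL the token is fetched over a plain connection.
            this.authenticatedURL = new AuthenticatedURL();
        }

        String principal = filterConfig.getInitParameter(JMX_AUTH_PRINCIPAL);
        String keytab = filterConfig.getInitParameter(JMX_AUTH_KEYTAB);
        try {
            configuration.set("hadoop.security.authentication", "kerberos");
            configuration.set("hadoop.security.auth_to_local", "RULE:[1:$1] RULE:[2:$1] DEFAULT");
            // NOTE(review): both calls below are static, so they presumably change the security
            // configuration and login user for every component in this JVM - confirm that no
            // other code in the same process relies on different settings.
            UserGroupInformation.setConfiguration(configuration);
            UserGroupInformation.loginUserFromKeytab(principal, keytab);
            this.ugi = UserGroupInformation.getLoginUser();
        } catch (IOException e) {
            throw new ServletException("Failed to loginUserFromKeytab", e);
        }
    }

    /**
     * Passes non-{@code /jmx} requests and requests that already carry a {@code hadoop.auth}
     * cookie through unchanged; all other {@code /jmx} requests are forwarded with the cached
     * cookie appended to their cookie array.
     *
     * <p>Only the presence of a cookie named {@code hadoop.auth} is checked here; its value is
     * not inspected by this filter.
     *
     * @throws IOException if the rest of the chain throws it
     * @throws ServletException if the rest of the chain throws it
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        if (!StringUtils.startsWith(httpRequest.getServletPath(), "/jmx")) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        final Cookie[] cookies = httpRequest.getCookies();
        if (cookies != null) {
            for (Cookie existing : cookies) {
                if (StringUtils.equals(existing.getName(), HADOOP_AUTH_COOKIE_NAME)) {
                    filterChain.doFilter(servletRequest, servletResponse);
                    return;
                }
            }
        }

        try {
            checkAndRefreshCookie();
        } catch (IOException e) {
            // Best effort: a failed refresh falls back to the previously cached cookie, if any.
            LOG.error("Failed to checkAndRefreshCookie", e);
        }

        // Read the volatile field once so the null check and the injected value always agree.
        final Cookie injected = this.cookie;
        if (injected == null) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        filterChain.doFilter(new HttpServletRequestWrapper(httpRequest) {
            @Override
            public Cookie[] getCookies() {
                int existingCount = cookies == null ? 0 : cookies.length;
                Cookie[] merged = new Cookie[existingCount + 1];
                if (existingCount > 0) {
                    System.arraycopy(cookies, 0, merged, 0, existingCount);
                }
                merged[existingCount] = injected;
                return merged;
            }
        }, servletResponse);
    }

    /**
     * Refreshes the cached cookie when the last successful refresh is at least
     * {@link #MAX_REFRESH_TIME} milliseconds old.
     *
     * <p>{@code refreshTime} only advances when a token was obtained, so while refreshes keep
     * failing every {@code /jmx} request without a cookie retries here, one at a time under
     * {@code lock}.
     *
     * @throws IOException if the keytab re-login fails
     */
    private void checkAndRefreshCookie() throws IOException {
        if (System.currentTimeMillis() - this.refreshTime < MAX_REFRESH_TIME) {
            return;
        }
        synchronized (this.lock) {
            // Re-check under the lock: another thread may have refreshed while this one waited.
            if (System.currentTimeMillis() - this.refreshTime < MAX_REFRESH_TIME) {
                return;
            }
            this.ugi.checkTGTAndReloginFromKeytab();
            this.ugi.doAs(new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    JmxAuthFilter.this.refreshCookie();
                    return null;
                }
            });
        }
    }

    /**
     * Opens an authenticated connection to {@code jmx.auth.url} and, if a token was issued,
     * stores it as the cached {@code hadoop.auth} cookie and records the refresh time.
     *
     * <p>Failures are logged and leave the previous cookie and refresh time untouched. The token
     * value itself is never logged. The method is public only so that the anonymous
     * PrivilegedAction can call it; it is not meant to be called from outside this class.
     */
    public void refreshCookie() {
        LOG.info("Start refresh cookie by {}", this.jmxURL);
        HttpURLConnection connection = null;
        try {
            AuthenticatedURL.Token freshToken = new AuthenticatedURL.Token();
            this.token = freshToken;
            connection = this.authenticatedURL.openConnection(this.jmxURL, freshToken);
            // NOTE(review): the timeout is set only after openConnection has returned, so it
            // presumably does not bound the authentication exchange itself - confirm.
            connection.setConnectTimeout(AUTH_CONNECT_TIMEOUT);
            connection.connect();
            if (freshToken.isSet()) {
                LOG.info("New token is set.");
                this.cookie = new Cookie(HADOOP_AUTH_COOKIE_NAME, freshToken.toString());
                this.refreshTime = System.currentTimeMillis();
            } else {
                LOG.error("Token is not set, some error happens.");
            }
        } catch (Exception e) {
            LOG.error("Failed to open {}", this.jmxURL, e);
        } finally {
            // Always release the connection, including when connect() or the token check threw.
            if (connection != null) {
                try {
                    connection.disconnect();
                } catch (RuntimeException ignored) {
                    // Closing is best effort; a failure here must not fail the request.
                    LOG.debug("Failed to disconnect from {}", this.jmxURL, ignored);
                }
            }
        }
    }

    /**
     * Does nothing. The SSLFactory created in {@link #init(FilterConfig)} is not retained by this
     * class, so there is nothing to release here.
     */
    @Override
    public void destroy() {
    }
}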
