package com.huawei.es.security.auth.server;

import com.huawei.es.security.audit.AuditLogUtil;
import com.huawei.es.security.auth.common.AuthConstants;
import com.huawei.es.security.auth.common.AuthenticationExcutor;
import com.huawei.es.security.auth.common.BasicAuthenticationExecutor;
import com.huawei.es.security.auth.common.HttpHelper;
import com.huawei.es.security.auth.common.InitHandlerException;
import com.huawei.es.security.auth.common.KerberosAuthenticationExecutor;
import com.huawei.es.security.auth.signer.Signer;
import com.huawei.es.security.author.bean.OpType;
import com.huawei.es.security.author.handler.BulkSizeChecker;
import com.huawei.es.security.author.parsers.customized.CustomizedAuthorizeTool;
import com.huawei.es.security.author.server.AuthorityLeaderHandler;
import com.huawei.es.security.author.tool.AuthorityConstants;
import com.huawei.es.security.author.tool.AuthorityUtil;
import com.huawei.es.security.author.tool.HttpResponseParser;
import com.huawei.es.security.cluster.ClusterStateManager;
import com.huawei.es.security.index.SecurityIndexManager;
import com.huawei.es.security.plugin.KerberosPlugin;
import com.huawei.es.security.util.ZkAclUtil;
import com.huawei.solr.security.auth.common.AuthenticationException;
import com.huawei.solr.security.auth.server.AuthenticationToken;
import com.huawei.solr.security.auth.util.SignerException;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.DefaultFullHttpRequest;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.cookie.Cookie;
import io.netty.util.ReferenceCountUtil;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import org.apache.logging.log4j.Logger;
import org.apache.solr.common.cloud.SolrZkClient;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooKeeper;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.http.HttpPipelinedRequest;
import org.elasticsearch.http.HttpPipelinedResponse;
import org.elasticsearch.http.netty4.Netty4HttpRequest;
import org.elasticsearch.http.netty4.pipelining.AddHeadersChannelHandler;
import org.elasticsearch.http.netty4.pipelining.UpdateIndexInfo2HiddenIndexChannelHandler;
import org.elasticsearch.http.netty4.pipelining.UpdateIndexInfo2ZKChannelHandler;

@ChannelHandler.Sharable
/* loaded from: input_file:com/huawei/es/security/auth/server/KerberosHandler.class */
public class KerberosHandler extends ChannelInboundHandlerAdapter {
    public static final String COOKIE_PATH = "cookie.path";
    private static final Logger LOG = Loggers.getLogger(KerberosHandler.class, new String[]{"KerberosHandler"});
    private static final String USER_NAME_KEY = "userName";
    private static final int SECOND_TO_MILLI = 1000;
    private static AuthenticationExcutor authExecutor;
    private final SecurityIndexManager securityIndexManager;
    private final Settings settings;
    private KerberosHttpServerTransport transport;
    private AuthorityLeaderHandler authorityLeaderHandler;
    private Signer signer;
    private BasicAuthenticationExecutor basicAuthenticationExcutor;
    private long validity;
    private String cookiePath;
    private BulkSizeChecker bulkSizeChecker;

    public static AuthenticationExcutor getAuthExecutor() {
        return authExecutor;
    }

    public KerberosHandler(KerberosHttpServerTransport kerberosHttpServerTransport, SolrZkClient solrZkClient, ClusterStateManager clusterStateManager, BulkSizeChecker bulkSizeChecker, Signer signer, SecurityIndexManager securityIndexManager, Settings settings) throws Exception {
        this.transport = kerberosHttpServerTransport;
        init();
        this.signer = signer;
        this.authorityLeaderHandler = new AuthorityLeaderHandler(this.transport, solrZkClient, clusterStateManager);
        this.bulkSizeChecker = bulkSizeChecker;
        this.securityIndexManager = securityIndexManager;
        this.settings = settings;
    }

    public void channelRead(ChannelHandlerContext channelHandlerContext, Object obj) {
        if (!(obj instanceof HttpPipelinedRequest)) {
            channelHandlerContext.fireChannelRead(obj);
            return;
        }
        HttpPipelinedRequest httpPipelinedRequest = (HttpPipelinedRequest) obj;
        Netty4HttpRequest delegateRequest = httpPipelinedRequest.getDelegateRequest();
        FullHttpRequest nettyRequest = delegateRequest.nettyRequest();
        if (httpPipelinedRequest.getInboundException() != null) {
            LOG.error("The request : {} decoder result is failure, cause : {}.", httpPipelinedRequest.uri(), httpPipelinedRequest.getInboundException().getCause());
            channelHandlerContext.fireChannelRead(obj);
            return;
        }
        DefaultFullHttpResponse defaultFullHttpResponse = new DefaultFullHttpResponse(nettyRequest.protocolVersion(), HttpResponseStatus.OK);
        try {
            if (nettyRequest.uri().contains(AuthorityConstants.BULK_REQUEST)) {
                this.bulkSizeChecker.checkBulkSize(HttpUtil.getContentLength(nettyRequest));
            }
            if (doAuthenticate(channelHandlerContext, nettyRequest, defaultFullHttpResponse) && doAuthorize(nettyRequest, defaultFullHttpResponse)) {
                readyToAddFutureResponseHeader(channelHandlerContext, defaultFullHttpResponse);
                readyToUpdateIndexInfo(channelHandlerContext, defaultFullHttpResponse);
                AuditLogUtil.readyToAddAuditLog(channelHandlerContext, delegateRequest, defaultFullHttpResponse);
                channelHandlerContext.fireChannelRead(obj);
            } else {
                whenAuthFailureOrException(channelHandlerContext, obj, delegateRequest, HttpHelper.buildHttpPipelinedResponseWithOutJson(httpPipelinedRequest, defaultFullHttpResponse));
            }
        } catch (Exception e) {
            LOG.error("Some error occur.", e);
            HttpHelper.reBuildResponse(defaultFullHttpResponse, HttpResponseStatus.INTERNAL_SERVER_ERROR, e.getMessage());
            whenAuthFailureOrException(channelHandlerContext, obj, delegateRequest, HttpHelper.buildHttpPipelinedResponseWithOutJson(httpPipelinedRequest, defaultFullHttpResponse));
        }
    }

    private void readyToUpdateIndexInfo(ChannelHandlerContext channelHandlerContext, FullHttpResponse fullHttpResponse) {
        String str = fullHttpResponse.headers().get(AuthorityConstants.CUSTOMISED_HTTP_RESPONSE_HEAD_NAME_FOR_USERNAME);
        Map<String, OpType> parseIndex2TypeFromHttpResponse = HttpResponseParser.parseIndex2TypeFromHttpResponse(fullHttpResponse);
        Map<String, OpType> parseTemplate2TypeFromHttpResponse = HttpResponseParser.parseTemplate2TypeFromHttpResponse(fullHttpResponse);
        Map<String, OpType> parsePipeline2TypeFromHttpResponse = HttpResponseParser.parsePipeline2TypeFromHttpResponse(fullHttpResponse);
        Map<String, OpType> parseRollup2TypeFromHttpResponse = HttpResponseParser.parseRollup2TypeFromHttpResponse(fullHttpResponse);
        if (str == null || !needUpdateIndexInfo(parseIndex2TypeFromHttpResponse, parseTemplate2TypeFromHttpResponse, parsePipeline2TypeFromHttpResponse, parseRollup2TypeFromHttpResponse)) {
            return;
        }
        if (!AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            readyToUpdateIndexInfo2Zk(channelHandlerContext, fullHttpResponse, str, parseIndex2TypeFromHttpResponse, parseTemplate2TypeFromHttpResponse, parsePipeline2TypeFromHttpResponse, parseRollup2TypeFromHttpResponse);
        }
        readyToUpdateIndexInfo2HiddenIndex(channelHandlerContext, str, parseIndex2TypeFromHttpResponse, parseTemplate2TypeFromHttpResponse, parsePipeline2TypeFromHttpResponse, parseRollup2TypeFromHttpResponse);
    }

    private void readyToUpdateIndexInfo2HiddenIndex(ChannelHandlerContext channelHandlerContext, String str, Map<String, OpType> map, Map<String, OpType> map2, Map<String, OpType> map3, Map<String, OpType> map4) {
        if (((Boolean) KerberosPlugin.STORE_SECURITY_INFO.get(this.settings)).booleanValue()) {
            if (channelHandlerContext.pipeline().get(AuthConstants.UPDATE_INDEX_SECURITY_INFO_HANDLER_NAME) != null) {
                channelHandlerContext.pipeline().remove(AuthConstants.UPDATE_INDEX_SECURITY_INFO_HANDLER_NAME);
            }
            if (channelHandlerContext.pipeline().get(AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME) != null) {
                channelHandlerContext.pipeline().addAfter(AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME, AuthConstants.UPDATE_INDEX_SECURITY_INFO_HANDLER_NAME, new UpdateIndexInfo2HiddenIndexChannelHandler(this.securityIndexManager, str, map, map2, map3, map4));
            } else {
                channelHandlerContext.pipeline().addAfter(AuthConstants.PIPELINE_HANDLER_NAME, AuthConstants.UPDATE_INDEX_SECURITY_INFO_HANDLER_NAME, new UpdateIndexInfo2HiddenIndexChannelHandler(this.securityIndexManager, str, map, map2, map3, map4));
            }
        }
    }

    public static void whenAuthFailureOrException(ChannelHandlerContext channelHandlerContext, Object obj, Netty4HttpRequest netty4HttpRequest, HttpPipelinedResponse httpPipelinedResponse) {
        AuditLogUtil.writeAuditlogWhenAuthFailure(channelHandlerContext, netty4HttpRequest, httpPipelinedResponse.getDelegateRequest());
        releaseReference(channelHandlerContext, obj, netty4HttpRequest, httpPipelinedResponse);
    }

    public static void releaseReference(ChannelHandlerContext channelHandlerContext, Object obj, Netty4HttpRequest netty4HttpRequest, HttpPipelinedResponse httpPipelinedResponse) {
        ChannelFuture writeAndFlush = channelHandlerContext.channel().writeAndFlush(httpPipelinedResponse);
        if (writeAndFlush != null) {
            writeAndFlush.addListener(ChannelFutureListener.CLOSE);
        }
        netty4HttpRequest.release();
        if (obj != null) {
            ReferenceCountUtil.release(obj);
        }
    }

    private boolean doAuthorize(FullHttpRequest fullHttpRequest, FullHttpResponse fullHttpResponse) {
        return CustomizedAuthorizeTool.isDoAuthorizeByUserOrDefault(fullHttpRequest) ? CustomizedAuthorizeTool.doAuthorize(fullHttpRequest, fullHttpResponse) : this.authorityLeaderHandler.doAuthorize(fullHttpRequest, fullHttpResponse);
    }

    public static boolean needUpdateIndexInfo(Map<String, OpType> map, Map<String, OpType> map2, Map<String, OpType> map3, Map<String, OpType> map4) {
        return ((map == null || map.isEmpty()) && (map2 == null || map2.isEmpty()) && ((map3 == null || map3.isEmpty()) && (map4 == null || map4.isEmpty()))) ? false : true;
    }

    private void readyToUpdateIndexInfo2Zk(ChannelHandlerContext channelHandlerContext, FullHttpResponse fullHttpResponse, String str, Map<String, OpType> map, Map<String, OpType> map2, Map<String, OpType> map3, Map<String, OpType> map4) {
        if (channelHandlerContext.pipeline().get(AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME) != null) {
            LOG.debug("Remove old handler : {}.", AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME);
            channelHandlerContext.pipeline().remove(AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME);
        }
        try {
            if (!this.authorityLeaderHandler.getZkClient().exists(AuthorityConstants.ES_AUTHOR_INDEXOWNER_ZKPATH_DEFAULT, false).booleanValue()) {
                setResponseWhenZookeeperUnavailable(fullHttpResponse);
                return;
            }
        } catch (KeeperException | InterruptedException e) {
            if (this.authorityLeaderHandler.getZkClient().getSolrZooKeeper().getState() != ZooKeeper.States.CLOSED) {
                LOG.error("Test Zk failed.", e);
                setResponseWhenZookeeperUnavailable(fullHttpResponse);
                return;
            } else {
                LOG.error("Test Zk failed, because keeper was closed, will create a new one.");
                this.authorityLeaderHandler.setZkClient(ZkAclUtil.getNewZkClient(this.authorityLeaderHandler.getZkClient()));
            }
        }
        LOG.debug("Add new handler named as {}.", AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME);
        channelHandlerContext.pipeline().addAfter(AuthConstants.PIPELINE_HANDLER_NAME, AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME, new UpdateIndexInfo2ZKChannelHandler(this.authorityLeaderHandler.getZkClient(), str, map, map2, map3, map4));
    }

    private static void setResponseWhenZookeeperUnavailable(FullHttpResponse fullHttpResponse) {
        LOG.error("Zookeeper service is unavailable.");
        HttpHelper.reBuildResponse(fullHttpResponse, HttpResponseStatus.SERVICE_UNAVAILABLE, "Zookeeper service is unavailable.");
    }

    private void readyToAddFutureResponseHeader(ChannelHandlerContext channelHandlerContext, FullHttpResponse fullHttpResponse) {
        String[] strArr = {HttpHeaderNames.SET_COOKIE.toString(), HttpHeaderNames.WWW_AUTHENTICATE.toString(), HttpHeaderNames.SERVER.toString()};
        HashMap hashMap = new HashMap();
        for (String str : strArr) {
            if (fullHttpResponse.headers().get(str) != null) {
                hashMap.put(str, fullHttpResponse.headers().get(str));
            }
        }
        if (hashMap.isEmpty()) {
            return;
        }
        if (channelHandlerContext.pipeline().get(AuthConstants.ADD_HTTP_HEADER_HANDLER_NAME) != null) {
            LOG.debug("remove old handler : {}. ", AuthConstants.ADD_HTTP_HEADER_HANDLER_NAME);
            channelHandlerContext.pipeline().remove(AuthConstants.ADD_HTTP_HEADER_HANDLER_NAME);
        }
        LOG.debug("need to add [{}] headers to future response.", Integer.valueOf(hashMap.size()));
        channelHandlerContext.pipeline().addAfter(AuthConstants.PIPELINE_HANDLER_NAME, AuthConstants.ADD_HTTP_HEADER_HANDLER_NAME, new AddHeadersChannelHandler(hashMap));
    }

    private void init() throws InitHandlerException {
        Settings settings = this.transport.settings();
        this.validity = Long.parseLong(settings.get("token.validity", "36000")) * 1000;
        this.basicAuthenticationExcutor = new BasicAuthenticationExecutor(getValidity() * 1000);
        try {
            initializeAuthHandler(settings);
            this.cookiePath = settings.get(COOKIE_PATH, (String) null);
            CustomizedAuthorizeTool.initCustomizedAuthorizeSettings(settings);
        } catch (Exception e) {
            LOG.error("Failed to init the authentication filter and signer secret provider for exception.", e);
            throw new InitHandlerException(e.getMessage(), e);
        }
    }

    private void initializeAuthHandler(Settings settings) throws Exception {
        try {
            authExecutor = new KerberosAuthenticationExecutor();
            authExecutor.init(settings);
        } catch (ClassNotFoundException | IllegalAccessException | InstantiationException e) {
            throw new InitHandlerException(e.getMessage(), e);
        }
    }

    protected long getValidity() {
        return this.validity / 1000;
    }

    protected String getCookiePath() {
        return this.cookiePath;
    }

    public void destroy() {
        if (authExecutor != null) {
            authExecutor.destroy();
            authExecutor = null;
        }
    }

    protected AuthenticationToken getToken(FullHttpRequest fullHttpRequest, String str) throws AuthenticationException {
        AuthenticationToken authenticationToken = null;
        String str2 = null;
        Set<Cookie> cookies = HttpHelper.getCookies(fullHttpRequest);
        if (cookies != null) {
            Iterator<Cookie> it = cookies.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Cookie next = it.next();
                if (next.name().equals(AuthConstants.AUTH_COOKIE)) {
                    try {
                        str2 = this.signer.verifyAndExtract(next.value());
                        break;
                    } catch (SignerException e) {
                        throw new AuthenticationException(e);
                    }
                }
            }
        }
        if (str2 != null) {
            authenticationToken = AuthenticationToken.parse(str2);
            String type = authenticationToken.getType();
            if (AuthConstants.UNKNOWN.equals(str)) {
                if (!type.equals(authExecutor.getType()) && !type.equals(this.basicAuthenticationExcutor.getType())) {
                    throw new AuthenticationException(String.format(Locale.ROOT, "Invalid AuthenticationToken type, the token type is : %s", type));
                }
            } else if (!type.equals(str)) {
                throw new AuthenticationException(String.format(Locale.ROOT, "Invalid AuthenticationToken type, the token type is : %s, the auty type is %s", type, str));
            }
            if (authenticationToken.isExpired()) {
                throw new AuthenticationException(String.format(Locale.ROOT, "AuthenticationToken expired, the token expires time is : %s", Long.valueOf(authenticationToken.getExpires())));
            }
        }
        return authenticationToken;
    }

    public boolean doAuthenticate(ChannelHandlerContext channelHandlerContext, FullHttpRequest fullHttpRequest, FullHttpResponse fullHttpResponse) throws IOException {
        String str = fullHttpRequest.headers().get(AuthorityConstants.KIBANA_PROXY_USERNAME);
        boolean z = false;
        HttpResponseStatus httpResponseStatus = HttpResponseStatus.UNAUTHORIZED;
        AuthenticationException authenticationException = null;
        AuthenticationToken authenticationToken = null;
        String authType = HttpHelper.getAuthType(fullHttpRequest.headers().get("Authorization"));
        if (str != null && !str.isEmpty() && !authType.startsWith(AuthConstants.BASIC)) {
            authType = AuthConstants.BASIC;
            fullHttpRequest.headers().remove("Authorization");
            fullHttpRequest.headers().add("Authorization", "Basic " + str);
        }
        boolean z2 = false;
        try {
            try {
                authenticationToken = getToken(fullHttpRequest, authType);
                if (authenticationToken == null) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Request [{}] triggering authentication and Method [{}]", fullHttpRequest.uri(), fullHttpRequest.method());
                    }
                    authenticationToken = AuthConstants.BASIC.equals(authType) ? this.basicAuthenticationExcutor.authenticate(fullHttpRequest, fullHttpResponse) : authExecutor.authenticate(fullHttpRequest, fullHttpResponse);
                    if (authenticationToken != null && authenticationToken.getExpires() != 0 && authenticationToken != AuthenticationToken.ANONYMOUS) {
                        authenticationToken.setExpires(System.currentTimeMillis() + (getValidity() * 1000));
                        fullHttpRequest.headers().add(USER_NAME_KEY, authenticationToken.getUserName());
                    }
                    z2 = true;
                }
                if (authenticationToken != null) {
                    z = true;
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Request [{}] authenticated", fullHttpRequest.uri());
                    }
                    fullHttpRequest = new DefaultFullHttpRequest(fullHttpRequest.protocolVersion(), fullHttpRequest.method(), fullHttpRequest.uri()) { // from class: com.huawei.es.security.auth.server.KerberosHandler.1
                    };
                    if (z2 && !authenticationToken.isExpired() && authenticationToken != AuthenticationToken.ANONYMOUS) {
                        createAuthCookie(fullHttpResponse, this.signer.sign(authenticationToken.toString()), getCookiePath(), authenticationToken.getExpires(), KerberosPlugin.isRestSslEnable());
                    }
                }
            } catch (AuthenticationException e) {
                LOG.warn("AuthenticationToken ignored: {}.", e.getMessage());
                fullHttpResponse.headers().set("WWW-Authenticate", authType);
                generateResponse(fullHttpRequest, fullHttpResponse, false, httpResponseStatus, e, KerberosPlugin.isRestSslEnable(), authenticationToken);
                return false;
            }
        } catch (AuthenticationException e2) {
            httpResponseStatus = HttpResponseStatus.FORBIDDEN;
            authenticationException = e2;
            LOG.warn("Authentication exception:", e2);
        }
        generateResponse(fullHttpRequest, fullHttpResponse, z, httpResponseStatus, authenticationException, KerberosPlugin.isRestSslEnable(), authenticationToken);
        return z;
    }

    private void generateResponse(FullHttpRequest fullHttpRequest, FullHttpResponse fullHttpResponse, boolean z, HttpResponseStatus httpResponseStatus, AuthenticationException authenticationException, boolean z2, AuthenticationToken authenticationToken) {
        if (!z) {
            createAuthCookie(fullHttpResponse, AuthorityConstants.EMPYT_STRING, getCookiePath(), 0L, z2);
            if (httpResponseStatus.code() == HttpResponseStatus.UNAUTHORIZED.code() && !fullHttpResponse.headers().contains("WWW-Authenticate")) {
                httpResponseStatus = HttpResponseStatus.FORBIDDEN;
            }
            HttpHelper.reBuildResponse(fullHttpResponse, httpResponseStatus, authenticationException == null ? "Authentication required" : authenticationException.getMessage());
        }
        if (authenticationToken == null || authenticationToken.getUserName() == null) {
            return;
        }
        fullHttpResponse.headers().add(AuthorityConstants.CUSTOMISED_HTTP_RESPONSE_HEAD_NAME_FOR_USERNAME, authenticationToken.getUserName());
    }

    public static void createAuthCookie(FullHttpResponse fullHttpResponse, String str, String str2, long j, boolean z) {
        StringBuilder createAuthCookie = createAuthCookie(str, str2, j, z);
        createAuthCookie.append("; HttpOnly");
        fullHttpResponse.headers().add("Set-Cookie", createAuthCookie.toString());
    }

    public static StringBuilder createAuthCookie(String str, String str2, long j, boolean z) {
        StringBuilder append = new StringBuilder(AuthConstants.AUTH_COOKIE).append("=");
        if (str != null && str.length() > 0) {
            append.append("\"").append(str).append("\"");
        }
        if (str2 != null) {
            append.append("; Path=").append(str2);
        }
        if (j >= 0) {
            Date date = new Date(j);
            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss zzz", Locale.ENGLISH);
            simpleDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
            append.append("; Expires=").append(simpleDateFormat.format(date));
        }
        if (z) {
            append.append("; Secure");
        }
        return append;
    }
}
