package com.datastax.bdp.cassandra.auth.http;

import com.datastax.bdp.config.DseConfig;
import com.datastax.bdp.graph.api.schema.SchemaImpl;
import com.datastax.bdp.transport.common.ServicePrincipal;
import com.datastax.bdp.util.Addresses;
import com.datastax.dse.byos.shade.com.google.common.collect.Sets;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.gms.Gossiper;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.HttpStatus;
import org.gridkit.jvmtool.cmd.AntPathMatcher;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/http/DseAuthenticationFilter.class */
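/**
 * Servlet filter that dispatches each request to a Kerberos/GSSAPI filter or an HTTP Basic
 * filter, depending on which schemes {@link DseConfig} reports as enabled and on whether the
 * request carries a Basic {@code Authorization} header.
 *
 * <p>This class performs no credential validation itself; it only selects the delegate.
 */
public class DseAuthenticationFilter implements Filter {
    /**
     * Three-part principal name. Groups 1 and 3 are compared with the configured service and
     * realm in {@link #isTrustedDseNode}; group 2 (presumably the host part) is not used.
     */
    private static final Pattern SERVICE_PRINCIPAL_PATTERN = Pattern.compile("(.+)/(.+)@(.+)");

    /** Kerberos delegate; stays {@code null} unless Kerberos is enabled at {@link #init}. */
    private Filter gssapiFilter;

    /** Basic-auth delegate; stays {@code null} unless plain-text auth is enabled at {@link #init}. */
    private Filter plainFilter;

    /**
     * {@link FilterConfig} decorator that falls back to a map of default init parameters when
     * the wrapped configuration does not define a value.
     *
     * <p>Decompiler note: the access modifier of this class was changed from private.
     */
    public static class FilterConfigWrapper implements FilterConfig {
        private final String filterName;
        private final FilterConfig wrappedConfig;
        private final Map<String, String> defaultConfig;

        /**
         * @param str name reported by {@link #getFilterName()}
         * @param filterConfig container-supplied configuration, consulted first
         * @param map defaults used when {@code filterConfig} has no value for a parameter
         */
        private FilterConfigWrapper(String str, FilterConfig filterConfig, Map<String, String> map) {
            this.filterName = str;
            this.wrappedConfig = filterConfig;
            this.defaultConfig = map;
        }

        /** @return the fixed name given at construction, not the wrapped filter's name */
        public String getFilterName() {
            return this.filterName;
        }

        /** @return the servlet context of the wrapped configuration */
        public ServletContext getServletContext() {
            return this.wrappedConfig.getServletContext();
        }

        /**
         * Looks the parameter up in the wrapped configuration first, so an explicitly
         * configured value always overrides the built-in default.
         *
         * @param str init parameter name
         * @return the configured value, else the default, else {@code null}
         */
        public String getInitParameter(String str) {
            String initParameter = this.wrappedConfig.getInitParameter(str);
            return initParameter != null ? initParameter : this.defaultConfig.get(str);
        }

        /** @return the union of the wrapped configuration's parameter names and the default keys */
        public Enumeration<String> getInitParameterNames() {
            return Collections.enumeration(Sets.union(Sets.newHashSet(Collections.list(this.wrappedConfig.getInitParameterNames())), this.defaultConfig.keySet()));
        }
    }

    /**
     * Creates and initialises a delegate filter for every enabled authentication scheme.
     *
     * @param filterConfig container-supplied configuration, passed on to the delegates
     * @throws ServletException if no scheme is enabled although the configured authenticator
     *     requires authentication
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        if (DseConfig.isKerberosEnabled()) {
            this.gssapiFilter = new DseHttpKerberosAuthenticationFilter();
            this.gssapiFilter.init(kerberosAuthenticationFilterConfig(filterConfig));
        }
        if (DseConfig.isPlainTextAuthEnabled()) {
            this.plainFilter = new DseHttpBasicAuthenticationFilter();
            this.plainFilter.init(passwordAuthenticationFilterConfig(filterConfig));
        }
        // Fail at start-up rather than serve requests unauthenticated: doFilter passes requests
        // straight through when both delegates are null.
        if (this.gssapiFilter == null && this.plainFilter == null && DatabaseDescriptor.getAuthenticator().requireAuthentication()) {
            throw new ServletException("DseAuthenticationFilter can be used only with one of: DseAuthenticator, KerberosAuthenticator, LdapAuthenticator, PasswordAuthenticator, AllowAllAuthenticator");
        }
    }

    /** Builds the Basic-auth delegate's configuration; it adds no defaults. */
    private FilterConfig passwordAuthenticationFilterConfig(FilterConfig filterConfig) {
        return new FilterConfigWrapper("PasswordAuthenticationFilter", filterConfig, Collections.emptyMap());
    }

    /**
     * Builds the Kerberos delegate's configuration with built-in defaults for the filter type,
     * token validity, cookie path and, when Kerberos is enabled, the principal and keytab.
     */
    private FilterConfig kerberosAuthenticationFilterConfig(FilterConfig filterConfig) {
        // A plain map instead of an anonymous HashMap subclass with an instance initialiser:
        // same contents, no extra class.
        Map<String, String> defaults = new HashMap<>();
        defaults.put("type", "kerberos");
        // NOTE(review): unit not visible here, presumably seconds; confirm against the delegate.
        defaults.put("token.validity", "3600");
        // NOTE(review): this constant reference looks like a decompiler substitution for a
        // literal (presumably "/"); confirm before relying on the cookie scope.
        defaults.put("cookie.path", AntPathMatcher.DEFAULT_PATH_SEPARATOR);
        if (DseConfig.isKerberosEnabled()) {
            defaults.put("kerberos.principal", DseConfig.getHttpKrbprincipal().asLocal());
            defaults.put("kerberos.keytab", DseConfig.getDseServiceKeytab());
        }
        return new FilterConfigWrapper("KerberosAuthenticationFilter", filterConfig, defaults);
    }

    /**
     * Selects the delegate for one request, in this order:
     * <ol>
     *   <li>Basic filter, when it is enabled and the request carries Basic credentials;</li>
     *   <li>Kerberos filter, when it is enabled;</li>
     *   <li>no authentication at all, when neither delegate exists;</li>
     *   <li>otherwise (Basic only, no credentials sent) a 401 with a Basic challenge.</li>
     * </ol>
     *
     * @throws IOException if a delegate or the response fails
     * @throws ServletException if a delegate fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (this.plainFilter != null && hasPlainTextCredentials(servletRequest)) {
            this.plainFilter.doFilter(servletRequest, servletResponse, filterChain);
            return;
        }
        if (this.gssapiFilter != null) {
            this.gssapiFilter.doFilter(servletRequest, servletResponse, filterChain);
            return;
        }
        // Unauthenticated pass-through. init() only leaves both delegates null when the
        // authenticator does not require authentication.
        if (this.plainFilter == null && this.gssapiFilter == null) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        // The realm is this node's broadcast host name; SchemaImpl.QM presumably holds the
        // closing double quote (decompiler constant substitution; confirm).
        httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"" + Addresses.Internode.getBroadcastAddress().getHostName() + SchemaImpl.QM);
        httpServletResponse.sendError(HttpStatus.SC_UNAUTHORIZED, "This node requires authentication");
    }

    /** Destroys whichever delegates were created by {@link #init}. */
    public void destroy() {
        if (this.plainFilter != null) {
            this.plainFilter.destroy();
        }
        if (this.gssapiFilter != null) {
            this.gssapiFilter.destroy();
        }
    }

    /**
     * Decides whether an authenticated request comes from another DSE node.
     *
     * <p>All of the following must hold: Kerberos is enabled, the request's principal has the
     * form matched by {@link #SERVICE_PRINCIPAL_PATTERN}, its service and realm equal those of
     * the configured DSE service principal, and the remote address is a known gossip endpoint.
     *
     * <p>NOTE(review): the middle component of the principal is not compared with the remote
     * address, so the decision rests on service and realm equality plus gossip membership of
     * {@code getRemoteAddr()}. Behind a proxy or NAT that address is the intermediary's;
     * confirm the deployment never places one in front of this endpoint.
     *
     * @param httpServletRequest the request to inspect
     * @return {@code true} only if every condition above holds; {@code false} when the request
     *     has no authenticated principal
     * @throws UnknownHostException if the remote address cannot be resolved
     */
    public static boolean isTrustedDseNode(HttpServletRequest httpServletRequest) throws UnknownHostException {
        if (!DseConfig.isKerberosEnabled()) {
            return false;
        }
        // getUserPrincipal() is null for an unauthenticated request; deny instead of throwing
        // a NullPointerException out of a trust check.
        java.security.Principal principal = httpServletRequest.getUserPrincipal();
        if (principal == null || principal.getName() == null) {
            return false;
        }
        ServicePrincipal dseServicePrincipal = DseConfig.getDseServicePrincipal();
        Matcher matcher = SERVICE_PRINCIPAL_PATTERN.matcher(principal.getName());
        return matcher.matches() && matcher.group(1).equals(dseServicePrincipal.service) && matcher.group(3).equals(dseServicePrincipal.realm) && Gossiper.instance.isKnownEndpoint(InetAddress.getByName(httpServletRequest.getRemoteAddr()));
    }

    /**
     * Routing heuristic: reports whether the {@code Authorization} header looks like Basic
     * credentials, i.e. {@code Basic <base64>} whose decoded value splits into exactly two
     * parts on {@code ':'}. It does not verify the credentials.
     *
     * <p>NOTE(review): a password containing {@code ':'} yields more than two parts and an
     * empty password yields one, so such requests are never routed to the Basic filter. The
     * scheme is also matched case-sensitively and only by prefix. Confirm whether this is
     * intended before changing it, since the Basic delegate's own parsing is not visible here.
     */
    private boolean hasPlainTextCredentials(ServletRequest servletRequest) {
        String header = ((HttpServletRequest) servletRequest).getHeader("Authorization");
        if (header == null || !header.startsWith("Basic")) {
            return false;
        }
        String[] split = header.split(" ");
        if (split.length != 2) {
            return false;
        }
        // Decode with an explicit charset so the result does not depend on the platform default;
        // only the number of ':' separators is inspected.
        String decoded = new String(Base64.decodeBase64(split[1]), java.nio.charset.StandardCharsets.UTF_8);
        return decoded.split(":").length == 2;
    }
}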
