package org.apache.druid.server.security;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.druid.java.util.common.ISE;
import org.apache.druid.java.util.emitter.EmittingLogger;
import org.apache.druid.query.QueryInterruptedException;
import org.apache.druid.server.DruidNode;

/* loaded from: input_file:org/apache/druid/server/security/PreResponseAuthorizationCheckFilter.class */
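/**
 * Servlet filter that refuses to let a request finish unless it was authenticated and, for
 * successful responses, explicitly authorized.
 *
 * <p>The filter makes two checks around the rest of the chain:
 * <ul>
 *   <li>Before the chain runs, a request with no {@link AuthConfig#DRUID_AUTHENTICATION_RESULT}
 *       attribute is answered with 401 and never reaches the chain.</li>
 *   <li>After the chain runs, the {@link AuthConfig#DRUID_AUTHORIZATION_CHECKED} attribute is
 *       inspected. A 2xx response with no recorded check, or a failed check whose status is not
 *       403, raises an alert and is turned into a 403 where that is still possible.</li>
 * </ul>
 *
 * <p>Security note: the second check runs only after the chain has produced its response. If the
 * response is already committed, the filter cannot replace it and can only alert and throw, so
 * this filter is a backstop for missing authorization checks, not a substitute for them.
 */
public class PreResponseAuthorizationCheckFilter implements Filter {
    private static final EmittingLogger log = new EmittingLogger(PreResponseAuthorizationCheckFilter.class);
    private final List<Authenticator> authenticators;
    private final ObjectMapper jsonMapper;

    /**
     * @param list         authenticators whose challenge headers are offered on a 401 response
     * @param objectMapper mapper used to serialize the JSON error body
     */
    public PreResponseAuthorizationCheckFilter(List<Authenticator> list, ObjectMapper objectMapper) {
        this.authenticators = list;
        this.jsonMapper = objectMapper;
    }

    /** No configuration is read from the filter config. */
    @Override
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Rejects unauthenticated requests up front, then verifies after the chain has run that an
     * authorization decision was recorded and is consistent with the response status.
     *
     * @throws IOException      if writing the 401 body fails or the chain throws it
     * @throws ServletException if the chain throws it
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;

        // Fail closed: without an authentication result the chain is never invoked.
        if (servletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT) == null) {
            handleUnauthenticatedRequest(httpServletResponse);
            return;
        }

        filterChain.doFilter(servletRequest, servletResponse);

        Boolean authorizationChecked = (Boolean) servletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED);
        if (authorizationChecked == null) {
            // No check was recorded. Only a 2xx status is treated as a violation; any other
            // status is passed through unchanged.
            if (statusIsSuccess(httpServletResponse.getStatus())) {
                handleAuthorizationCheckError("Request did not have an authorization check performed.", httpServletRequest, httpServletResponse);
            }
            return;
        }

        // A failed check must surface as 403; anything else means the status and the decision disagree.
        if (!authorizationChecked && httpServletResponse.getStatus() != HttpServletResponse.SC_FORBIDDEN) {
            handleAuthorizationCheckError("Request's authorization check failed but status code was not 403.", httpServletRequest, httpServletResponse);
        }
    }

    /** Holds no resources, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Answers an unauthenticated request with 401, one {@code WWW-Authenticate} header per
     * distinct challenge offered by the configured authenticators, and a JSON error body.
     *
     * @throws IOException if the error body cannot be serialized or the stream cannot be opened or closed
     */
    private void handleUnauthenticatedRequest(HttpServletResponse response) throws IOException {
        // A set collapses identical challenges coming from several authenticators.
        HashSet<String> challengeHeaders = new HashSet<>();
        for (Authenticator authenticator : this.authenticators) {
            String challengeHeader = authenticator.getAuthChallengeHeader();
            if (challengeHeader != null) {
                challengeHeaders.add(challengeHeader);
            }
        }
        for (String challengeHeader : challengeHeaders) {
            response.addHeader("WWW-Authenticate", challengeHeader);
        }

        QueryInterruptedException unauthorized = new QueryInterruptedException("Unauthorized request.", (String) null, (String) null, DruidNode.getDefaultHost());
        // The stack trace is cleared so the serialized error does not carry server internals to the client.
        unauthorized.setStackTrace(new StackTraceElement[0]);
        String errorJson = this.jsonMapper.writeValueAsString(unauthorized);

        // try-with-resources closes the stream even when writing the body throws.
        try (ServletOutputStream outputStream = response.getOutputStream()) {
            sendJsonError(response, HttpServletResponse.SC_UNAUTHORIZED, errorJson, outputStream);
        }
    }

    /**
     * Emits an alert describing the request and forces a 403.
     *
     * <p>The alert records the URI, method, remote address and remote host as the servlet
     * container reports them. NOTE(review): behind a proxy or load balancer these values may
     * describe the proxy rather than the client; confirm against the deployment.
     *
     * @throws ISE              if the response is already committed and can no longer be replaced
     * @throws RuntimeException if sending the 403 fails
     */
    private void handleAuthorizationCheckError(String message, HttpServletRequest request, HttpServletResponse response) {
        log.makeAlert(message, new Object[0])
            .addData("uri", request.getRequestURI())
            .addData("method", request.getMethod())
            .addData("remoteAddr", request.getRemoteAddr())
            .addData("remoteHost", request.getRemoteHost())
            .emit();

        // Once the response is committed its status can no longer be changed, so the only
        // remaining option is to throw.
        if (response.isCommitted()) {
            throw new ISE(message, new Object[0]);
        }
        try {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns whether the status code is in the 2xx range. */
    private static boolean statusIsSuccess(int status) {
        return 200 <= status && status < 300;
    }

    /**
     * Sets the status and JSON content type on the response and writes the body as UTF-8.
     *
     * <p>A write failure is logged and not rethrown, so the caller cannot tell whether the body
     * reached the client. The stream is not closed here; that is the caller's responsibility.
     *
     * @param httpServletResponse response whose status and content headers are set
     * @param i                   HTTP status code to set
     * @param str                 JSON text to write as the body
     * @param outputStream        stream the body is written to
     */
    public static void sendJsonError(HttpServletResponse httpServletResponse, int i, String str, OutputStream outputStream) {
        httpServletResponse.setStatus(i);
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setCharacterEncoding("UTF-8");
        try {
            outputStream.write(str.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            // Pass the exception to the logger so the cause of the failed write is recorded.
            log.error(e, "WTF? Can't get writer from HTTP response.");
        }
    }
}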
