package org.apache.drill.exec.server.rest;

import com.codahale.metrics.MetricRegistry;
import com.codahale.metrics.servlets.MetricsServlet;
import com.codahale.metrics.servlets.ThreadDumpServlet;
import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.math.BigInteger;
import java.net.BindException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.drill.common.config.DrillConfig;
import org.apache.drill.common.exceptions.DrillException;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.exception.DrillbitStartupException;
import org.apache.drill.exec.planner.sql.parser.impl.DrillParserImplConstants;
import org.apache.drill.exec.server.BootStrapContext;
import org.apache.drill.exec.server.Drillbit;
import org.apache.drill.exec.server.rest.auth.DrillRestLoginService;
import org.apache.drill.exec.server.rest.auth.DrillUserPrincipal;
import org.apache.drill.exec.ssl.SSLConfig;
import org.apache.drill.exec.ssl.SSLConfigBuilder;
import org.apache.drill.exec.work.WorkManager;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.security.authentication.FormAuthenticator;
import org.eclipse.jetty.security.authentication.SessionAuthentication;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.server.session.HashSessionManager;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.servlets.CrossOriginFilter;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.glassfish.jersey.servlet.ServletContainer;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/drill/exec/server/rest/WebServer.class */
public class WebServer implements AutoCloseable {
    private static final Logger logger = LoggerFactory.getLogger(WebServer.class);
    private static final int PORT_HUNT_TRIES = 100;
    private final DrillConfig config;
    private final MetricRegistry metrics;
    private final WorkManager workManager;
    private final BootStrapContext context;
    private Server embeddedJetty;
    private final Drillbit drillbit;
    private int port;
    private static final String BASE_STATIC_PATH = "/rest/static/";
    private static final String DRILL_ICON_RESOURCE_RELATIVE_PATH = "img/drill.ico";

    public WebServer(BootStrapContext bootStrapContext, WorkManager workManager, Drillbit drillbit) {
        this.context = bootStrapContext;
        this.config = bootStrapContext.getConfig();
        this.metrics = bootStrapContext.getMetrics();
        this.workManager = workManager;
        this.drillbit = drillbit;
    }

    public static boolean isImpersonationOnlyEnabled(DrillConfig drillConfig) {
        return !drillConfig.getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED) && drillConfig.getBoolean(ExecConstants.IMPERSONATION_ENABLED);
    }

    public void start() throws Exception {
        if (this.config.getBoolean(ExecConstants.HTTP_ENABLE)) {
            boolean z = this.config.getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED);
            if (z && !this.context.getAuthProvider().containsFactory("PLAIN")) {
                logger.warn("Not starting web server. Currently Drill supports web authentication only through username/password. But PLAIN mechanism is not configured.");
                return;
            }
            this.port = this.config.getInt(ExecConstants.HTTP_PORT);
            boolean z2 = this.config.getBoolean(ExecConstants.HTTP_PORT_HUNT);
            int i = 0;
            while (i < 100) {
                this.embeddedJetty = new Server();
                this.embeddedJetty.setHandler(createServletContextHandler(z));
                this.embeddedJetty.addConnector(createConnector(this.port));
                try {
                    this.embeddedJetty.start();
                    break;
                } catch (BindException e) {
                    if (!z2) {
                        throw e;
                    }
                    int i2 = this.port + 1;
                    logger.info("Failed to start on port {}, trying port {}", Integer.valueOf(this.port), Integer.valueOf(i2));
                    this.port = i2;
                    this.embeddedJetty.stop();
                    i++;
                }
            }
            if (i == 100) {
                throw new IOException("Failed to find a port");
            }
        }
    }

    private ServletContextHandler createServletContextHandler(boolean z) {
        ErrorHandler errorHandler = new ErrorHandler();
        errorHandler.setShowStacks(true);
        errorHandler.setShowMessageInTitle(true);
        ServletContextHandler servletContextHandler = new ServletContextHandler(1);
        servletContextHandler.setErrorHandler(errorHandler);
        servletContextHandler.setContextPath("/");
        ServletHolder servletHolder = new ServletHolder(new ServletContainer(new DrillRestServer(this.workManager, servletContextHandler.getServletContext(), this.drillbit)));
        servletHolder.setInitOrder(1);
        servletContextHandler.addServlet(servletHolder, "/*");
        servletContextHandler.addServlet(new ServletHolder(new MetricsServlet(this.metrics)), "/status/metrics");
        servletContextHandler.addServlet(new ServletHolder(new ThreadDumpServlet()), "/status/threads");
        ServletHolder servletHolder2 = new ServletHolder("static", DefaultServlet.class);
        String url = Resource.newClassPathResource("/rest/static/img/drill.ico").getURL().toString();
        servletHolder2.setInitParameter("resourceBase", url.substring(0, url.length() - DRILL_ICON_RESOURCE_RELATIVE_PATH.length()));
        servletHolder2.setInitParameter("dirAllowed", "false");
        servletHolder2.setInitParameter("pathInfoOnly", "true");
        servletContextHandler.addServlet(servletHolder2, "/static/*");
        if (z) {
            servletContextHandler.setSecurityHandler(createSecurityHandler());
            servletContextHandler.setSessionHandler(createSessionHandler(servletContextHandler.getSecurityHandler()));
        }
        if (isImpersonationOnlyEnabled(this.workManager.getContext().getConfig())) {
            for (String str : new String[]{"/query", "/query.json"}) {
                servletContextHandler.addFilter(UserNameFilter.class, str, EnumSet.of(DispatcherType.REQUEST));
            }
        }
        if (this.config.getBoolean(ExecConstants.HTTP_CORS_ENABLED)) {
            FilterHolder filterHolder = new FilterHolder(CrossOriginFilter.class);
            filterHolder.setInitParameter("allowedOrigins", StringUtils.join(this.config.getStringList(ExecConstants.HTTP_CORS_ALLOWED_ORIGINS), ","));
            filterHolder.setInitParameter("allowedMethods", StringUtils.join(this.config.getStringList(ExecConstants.HTTP_CORS_ALLOWED_METHODS), ","));
            filterHolder.setInitParameter("allowedHeaders", StringUtils.join(this.config.getStringList(ExecConstants.HTTP_CORS_ALLOWED_HEADERS), ","));
            filterHolder.setInitParameter("allowCredentials", String.valueOf(this.config.getBoolean(ExecConstants.HTTP_CORS_CREDENTIALS)));
            for (String str2 : new String[]{"*.json", "/storage/*/enable/*", "/status*"}) {
                servletContextHandler.addFilter(filterHolder, str2, EnumSet.of(DispatcherType.REQUEST));
            }
        }
        return servletContextHandler;
    }

    private SessionHandler createSessionHandler(final SecurityHandler securityHandler) {
        HashSessionManager hashSessionManager = new HashSessionManager();
        hashSessionManager.setMaxInactiveInterval(this.config.getInt(ExecConstants.HTTP_SESSION_MAX_IDLE_SECS));
        hashSessionManager.addEventListener(new HttpSessionListener() { // from class: org.apache.drill.exec.server.rest.WebServer.1
            public void sessionCreated(HttpSessionEvent httpSessionEvent) {
            }

            public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
                HttpSession session = httpSessionEvent.getSession();
                if (session == null) {
                    return;
                }
                Object attribute = session.getAttribute("org.eclipse.jetty.security.UserIdentity");
                if (attribute != null) {
                    securityHandler.logout((SessionAuthentication) attribute);
                    session.removeAttribute("org.eclipse.jetty.security.UserIdentity");
                }
                WebSessionResources webSessionResources = (WebSessionResources) session.getAttribute(WebSessionResources.class.getSimpleName());
                if (webSessionResources != null) {
                    webSessionResources.close();
                    session.removeAttribute(WebSessionResources.class.getSimpleName());
                }
            }
        });
        return new SessionHandler(hashSessionManager);
    }

    private ConstraintSecurityHandler createSecurityHandler() {
        ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler();
        constraintSecurityHandler.setConstraintMappings(Collections.emptyList(), ImmutableSet.of(DrillUserPrincipal.AUTHENTICATED_ROLE, DrillUserPrincipal.ADMIN_ROLE));
        constraintSecurityHandler.setAuthenticator(new FormAuthenticator("/login", "/login", true));
        constraintSecurityHandler.setLoginService(new DrillRestLoginService(this.workManager.getContext()));
        return constraintSecurityHandler;
    }

    public int getPort() {
        if (this.config.getBoolean(ExecConstants.HTTP_ENABLE)) {
            return this.port;
        }
        throw new UnsupportedOperationException("Http is not enabled");
    }

    private ServerConnector createConnector(int i) throws Exception {
        ServerConnector createHttpsConnector;
        if (this.config.getBoolean(ExecConstants.HTTP_ENABLE_SSL)) {
            try {
                createHttpsConnector = createHttpsConnector(i);
            } catch (DrillException e) {
                throw new DrillbitStartupException(e.getMessage(), e);
            }
        } else {
            createHttpsConnector = createHttpConnector(i);
        }
        return createHttpsConnector;
    }

    private ServerConnector createHttpsConnector(int i) throws Exception {
        logger.info("Setting up HTTPS connector for web server");
        SslContextFactory sslContextFactory = new SslContextFactory();
        SSLConfig build = new SSLConfigBuilder().config(this.config).mode(SSLConfig.Mode.SERVER).initializeSSLContext(false).validateKeyStore(true).build();
        if (build.isSslValid()) {
            logger.info("Using configured SSL settings for web server");
            sslContextFactory.setKeyStorePath(build.getKeyStorePath());
            sslContextFactory.setKeyStorePassword(build.getKeyStorePassword());
            sslContextFactory.setKeyManagerPassword(build.getKeyPassword());
            if (build.hasTrustStorePath()) {
                sslContextFactory.setTrustStorePath(build.getTrustStorePath());
                if (build.hasTrustStorePassword()) {
                    sslContextFactory.setTrustStorePassword(build.getTrustStorePassword());
                }
            }
        } else {
            logger.info("Using generated self-signed SSL settings for web server");
            SecureRandom secureRandom = new SecureRandom();
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(1024, secureRandom);
            KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            DateTime now = DateTime.now();
            X500NameBuilder addRDN = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.OU, "Apache Drill (auth-generated)").addRDN(BCStyle.O, "Apache Software Foundation (auto-generated)").addRDN(BCStyle.CN, this.workManager.getContext().getEndpoint().getAddress());
            X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(new JcaX509v3CertificateBuilder(addRDN.build(), new BigInteger(DrillParserImplConstants.DEFAULT_KW, secureRandom), now.minusMinutes(1).toDate(), now.plusYears(5).toDate(), addRDN.build(), generateKeyPair.getPublic()).build(new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(generateKeyPair.getPrivate())));
            certificate.checkValidity(now.toDate());
            certificate.verify(certificate.getPublicKey());
            String random = RandomStringUtils.random(20);
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(null, null);
            keyStore.setKeyEntry("DrillAutoGeneratedCert", generateKeyPair.getPrivate(), random.toCharArray(), new Certificate[]{certificate});
            sslContextFactory.setKeyStore(keyStore);
            sslContextFactory.setKeyStorePassword(random);
        }
        HttpConfiguration httpConfiguration = new HttpConfiguration();
        httpConfiguration.addCustomizer(new SecureRequestCustomizer());
        ServerConnector serverConnector = new ServerConnector(this.embeddedJetty, new ConnectionFactory[]{new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpConfiguration)});
        serverConnector.setPort(i);
        return serverConnector;
    }

    private ServerConnector createHttpConnector(int i) throws Exception {
        logger.info("Setting up HTTP connector for web server");
        ServerConnector serverConnector = new ServerConnector(this.embeddedJetty, new ConnectionFactory[]{new HttpConnectionFactory(new HttpConfiguration())});
        serverConnector.setPort(i);
        return serverConnector;
    }

    @Override // java.lang.AutoCloseable
    public void close() throws Exception {
        if (this.embeddedJetty != null) {
            this.embeddedJetty.stop();
        }
    }
}
