package org.apache.solr.security;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.PublicKey;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.http.HttpEntity;
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.auth.BasicUserPrincipal;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;
import org.apache.solr.client.solrj.impl.Http2SolrClient;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.HttpListenerFactory;
import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
import org.apache.solr.common.util.Base64;
import org.apache.solr.common.util.ExecutorUtil;
import org.apache.solr.common.util.StrUtils;
import org.apache.solr.common.util.SuppressForbidden;
import org.apache.solr.common.util.Utils;
import org.apache.solr.core.CoreContainer;
import org.apache.solr.handler.admin.MetricsHandler;
import org.apache.solr.request.SolrRequestInfo;
import org.apache.solr.util.CryptoKeys;
import org.eclipse.jetty.client.api.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/security/PKIAuthenticationPlugin.class */
public class PKIAuthenticationPlugin extends AuthenticationPlugin implements HttpClientBuilderPlugin {
    private final PublicKeyHandler publicKeyHandler;
    private final CoreContainer cores;
    private final String myNodeName;
    public static final String HEADER = "SolrAuth";
    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
    public static final String NODE_IS_USER = "$";
    private static final Principal SU = new BasicUserPrincipal(NODE_IS_USER);
    private final Map<String, PublicKey> keyCache = new ConcurrentHashMap();
    private final int MAX_VALIDITY = Integer.parseInt(System.getProperty("pkiauth.ttl", "15000"));
    private final HttpHeaderClientInterceptor interceptor = new HttpHeaderClientInterceptor();
    private boolean interceptorRegistered = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/solr/security/PKIAuthenticationPlugin$HttpHeaderClientInterceptor.class */
    public class HttpHeaderClientInterceptor implements HttpRequestInterceptor {
        public HttpHeaderClientInterceptor() {
        }

        @Override // org.apache.http.HttpRequestInterceptor
        public void process(HttpRequest httpRequest, HttpContext httpContext) throws HttpException, IOException {
            if (PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin() == null) {
                return;
            }
            if (PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin().interceptInternodeRequest(httpRequest, httpContext)) {
                if (PKIAuthenticationPlugin.log.isDebugEnabled()) {
                    PKIAuthenticationPlugin.log.debug("{} secures this internode request", PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin().getClass().getSimpleName());
                }
            } else {
                if (PKIAuthenticationPlugin.log.isDebugEnabled()) {
                    PKIAuthenticationPlugin.log.debug("{} secures this internode request", getClass().getSimpleName());
                }
                PKIAuthenticationPlugin.this.setHeader(httpRequest);
            }
        }
    }

    /* loaded from: input_file:org/apache/solr/security/PKIAuthenticationPlugin$PKIHeaderData.class */
    public static class PKIHeaderData {
        String userName;
        long timestamp;
    }

    public boolean isInterceptorRegistered() {
        return this.interceptorRegistered;
    }

    public PKIAuthenticationPlugin(CoreContainer coreContainer, String str, PublicKeyHandler publicKeyHandler) {
        this.publicKeyHandler = publicKeyHandler;
        this.cores = coreContainer;
        this.myNodeName = str;
    }

    @Override // org.apache.solr.security.AuthenticationPlugin
    public void init(Map<String, Object> map) {
    }

    @Override // org.apache.solr.security.AuthenticationPlugin
    @SuppressForbidden(reason = "Needs currentTimeMillis to compare against time in header")
    public boolean doAuthenticate(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws Exception {
        if (((HttpServletRequest) servletRequest).getRequestURI().endsWith(PublicKeyHandler.PATH)) {
            this.numPassThrough.inc();
            filterChain.doFilter(servletRequest, servletResponse);
            return true;
        }
        long currentTimeMillis = System.currentTimeMillis();
        String header = ((HttpServletRequest) servletRequest).getHeader(HEADER);
        if (header == null) {
            log.error("No SolrAuth header present");
            this.numMissingCredentials.inc();
            filterChain.doFilter(servletRequest, servletResponse);
            return true;
        }
        List splitWS = StrUtils.splitWS(header, false);
        if (splitWS.size() < 2) {
            log.error("Invalid SolrAuth Header {}", header);
            this.numErrors.mark();
            filterChain.doFilter(servletRequest, servletResponse);
            return true;
        }
        PKIHeaderData decipherHeader = decipherHeader((String) splitWS.get(0), (String) splitWS.get(1));
        if (decipherHeader == null) {
            log.error("Could not decipher a header {} . No principal set", header);
            this.numMissingCredentials.inc();
            filterChain.doFilter(servletRequest, servletResponse);
            return true;
        }
        if (currentTimeMillis - decipherHeader.timestamp > this.MAX_VALIDITY) {
            log.error("Invalid key request timestamp: {} , received timestamp: {} , TTL: {}", new Object[]{Long.valueOf(decipherHeader.timestamp), Long.valueOf(currentTimeMillis), Integer.valueOf(this.MAX_VALIDITY)});
            this.numErrors.mark();
            filterChain.doFilter(servletRequest, servletResponse);
            return true;
        }
        Principal basicUserPrincipal = NODE_IS_USER.equals(decipherHeader.userName) ? SU : new BasicUserPrincipal(decipherHeader.userName);
        this.numAuthenticated.inc();
        filterChain.doFilter(getWrapper((HttpServletRequest) servletRequest, basicUserPrincipal), servletResponse);
        return true;
    }

    private static HttpServletRequestWrapper getWrapper(HttpServletRequest httpServletRequest, final Principal principal) {
        return new HttpServletRequestWrapper(httpServletRequest) { // from class: org.apache.solr.security.PKIAuthenticationPlugin.1
            public Principal getUserPrincipal() {
                return principal;
            }
        };
    }

    private PKIHeaderData decipherHeader(String str, String str2) {
        PublicKey publicKey = this.keyCache.get(str);
        if (publicKey == null) {
            log.debug("No key available for node : {} fetching now ", str);
            publicKey = getRemotePublicKey(str);
            log.debug("public key obtained {} ", publicKey);
        }
        PKIHeaderData parseCipher = parseCipher(str2, publicKey);
        if (parseCipher != null) {
            return parseCipher;
        }
        log.warn("Failed to decrypt header, trying after refreshing the key ");
        return parseCipher(str2, getRemotePublicKey(str));
    }

    private static PKIHeaderData parseCipher(String str, PublicKey publicKey) {
        try {
            String trim = new String(CryptoKeys.decryptRSA(Base64.base64ToByteArray(str), publicKey), StandardCharsets.UTF_8).trim();
            String[] split = trim.split(" ");
            if (split.length < 2) {
                log.warn("Invalid cipher {} deciphered data {}", str, trim);
                return null;
            }
            PKIHeaderData pKIHeaderData = new PKIHeaderData();
            try {
                pKIHeaderData.timestamp = Long.parseLong(split[1]);
                pKIHeaderData.userName = split[0];
                log.debug("Successfully decrypted header {} {}", pKIHeaderData.userName, Long.valueOf(pKIHeaderData.timestamp));
                return pKIHeaderData;
            } catch (NumberFormatException e) {
                log.warn("Invalid cipher {}", str);
                return null;
            }
        } catch (Exception e2) {
            log.error("Decryption failed , key must be wrong", e2);
            return null;
        }
    }

    PublicKey getRemotePublicKey(String str) {
        if (!this.cores.getZkController().getZkStateReader().getClusterState().getLiveNodes().contains(str)) {
            return null;
        }
        String baseUrlForNodeName = this.cores.getZkController().getZkStateReader().getBaseUrlForNodeName(str);
        try {
            try {
                String str2 = baseUrlForNodeName + PublicKeyHandler.PATH + "?wt=json&omitHeader=true";
                log.debug("Fetching fresh public key from : {}", str2);
                HttpEntity entity = this.cores.getUpdateShardHandler().getDefaultHttpClient().execute((HttpUriRequest) new HttpGet(str2), (HttpContext) HttpClientUtil.createNewHttpClientRequestContext()).getEntity();
                String str3 = (String) ((Map) Utils.fromJSON(EntityUtils.toByteArray(entity))).get(MetricsHandler.KEY_PARAM);
                if (str3 == null) {
                    log.error("No key available from {} {}", baseUrlForNodeName, PublicKeyHandler.PATH);
                    Utils.consumeFully(entity);
                    return null;
                }
                log.info("New Key obtained from  node: {} / {}", str, str3);
                PublicKey deserializeX509PublicKey = CryptoKeys.deserializeX509PublicKey(str3);
                this.keyCache.put(str, deserializeX509PublicKey);
                Utils.consumeFully(entity);
                return deserializeX509PublicKey;
            } catch (Exception e) {
                log.error("Exception trying to get public key from : {}", baseUrlForNodeName, e);
                Utils.consumeFully((HttpEntity) null);
                return null;
            }
        } catch (Throwable th) {
            Utils.consumeFully((HttpEntity) null);
            throw th;
        }
    }

    @Override // org.apache.solr.security.HttpClientBuilderPlugin
    public void setup(Http2SolrClient http2SolrClient) {
        HttpListenerFactory.RequestResponseListener requestResponseListener = new HttpListenerFactory.RequestResponseListener() { // from class: org.apache.solr.security.PKIAuthenticationPlugin.2
            public void onQueued(Request request) {
                PKIAuthenticationPlugin.log.trace("onQueued: {}", request);
                if (PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin() == null) {
                    PKIAuthenticationPlugin.log.trace("no authentication plugin, skipping");
                    return;
                }
                if (PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin().interceptInternodeRequest(request)) {
                    if (PKIAuthenticationPlugin.log.isDebugEnabled()) {
                        PKIAuthenticationPlugin.log.debug("{} secures this internode request", PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin().getClass().getSimpleName());
                    }
                } else {
                    if (PKIAuthenticationPlugin.log.isDebugEnabled()) {
                        PKIAuthenticationPlugin.log.debug("{} secures this internode request", getClass().getSimpleName());
                    }
                    PKIAuthenticationPlugin.this.generateToken().ifPresent(str -> {
                        request.header(PKIAuthenticationPlugin.HEADER, PKIAuthenticationPlugin.this.myNodeName + " " + str);
                    });
                }
            }
        };
        http2SolrClient.addListenerFactory(() -> {
            return requestResponseListener;
        });
    }

    @Override // org.apache.solr.security.HttpClientBuilderPlugin
    public SolrHttpClientBuilder getHttpClientBuilder(SolrHttpClientBuilder solrHttpClientBuilder) {
        HttpClientUtil.addRequestInterceptor(this.interceptor);
        this.interceptorRegistered = true;
        return solrHttpClientBuilder;
    }

    public boolean needsAuthorization(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getUserPrincipal() != SU;
    }

    /* JADX INFO: Access modifiers changed from: private */
    @SuppressForbidden(reason = "Needs currentTimeMillis to set current time in header")
    public Optional<String> generateToken() {
        String str;
        SolrRequestInfo requestInfo = getRequestInfo();
        if (requestInfo != null) {
            Principal userPrincipal = requestInfo.getUserPrincipal();
            if (userPrincipal == null) {
                log.debug("generateToken: principal is null");
                return Optional.empty();
            }
            str = userPrincipal.getName();
        } else {
            if (!isSolrThread()) {
                log.debug("generateToken: not a solr (server) thread");
                return Optional.empty();
            }
            str = NODE_IS_USER;
        }
        String byteArrayToBase64 = Base64.byteArrayToBase64(this.publicKeyHandler.keyPair.encrypt(ByteBuffer.wrap((str + " " + System.currentTimeMillis()).getBytes(StandardCharsets.UTF_8))));
        log.trace("generateToken: usr={} token={}", str, byteArrayToBase64);
        return Optional.of(byteArrayToBase64);
    }

    void setHeader(HttpRequest httpRequest) {
        generateToken().ifPresent(str -> {
            httpRequest.setHeader(HEADER, this.myNodeName + " " + str);
        });
    }

    boolean isSolrThread() {
        return ExecutorUtil.isSolrServerThread();
    }

    SolrRequestInfo getRequestInfo() {
        return SolrRequestInfo.getRequestInfo();
    }

    @Override // org.apache.solr.metrics.SolrMetricProducer, java.lang.AutoCloseable, java.io.Closeable
    public void close() throws IOException {
        HttpClientUtil.removeRequestInterceptor(this.interceptor);
        this.interceptorRegistered = false;
    }

    public String getPublicKey() {
        return this.publicKeyHandler.getPublicKey();
    }
}
