package org.apache.doris.httpv2.controller;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.base64.Base64;
import io.netty.util.CharsetUtil;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.doris.analysis.CompoundPredicate;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.Resource;
import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AuthenticationException;
import org.apache.doris.common.Config;
import org.apache.doris.common.util.NetUtils;
import org.apache.doris.common.util.S3URI;
import org.apache.doris.httpv2.HttpAuthManager;
import org.apache.doris.httpv2.exception.UnauthorizedException;
import org.apache.doris.httpv2.rest.manager.NodeAction;
import org.apache.doris.mysql.privilege.PrivBitSet;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.mysql.privilege.Privilege;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.service.FrontendOptions;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:org/apache/doris/httpv2/controller/BaseController.class */
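/**
 * Shared authentication and authorization helpers for the HTTP v2 controllers.
 *
 * <p>A request is authenticated either from its {@code Authorization} header
 * (credentials are verified and a new cookie-backed session is created) or,
 * when that header is absent, from an existing {@link #PALO_SESSION_ID} cookie.
 * On success a {@link ConnectContext} is bound to the handling thread.
 */
public class BaseController {
    private static final Logger LOG = LogManager.getLogger(BaseController.class);
    /** Name of the cookie that carries the HTTP session identifier. */
    public static final String PALO_SESSION_ID = "PALO_SESSION_ID";
    /** Session cookie lifetime passed to {@link Cookie#setMaxAge(int)}, in seconds (24 hours). */
    private static final int PALO_SESSION_EXPIRED_TIME = 86400;
    /** Cluster name applied to every context and to user names that carry no cluster part. */
    private static final String DEFAULT_CLUSTER = "default_cluster";

    /**
     * Credentials and origin of one HTTP request.
     *
     * <p>{@link #password} holds the plain-text password taken from the request (or
     * from the session), so instances must not be serialized or logged field by field;
     * {@link #toString()} masks it.
     */
    public static class ActionAuthorizationInfo {
        public String fullUserName;
        public String remoteIp;
        public String password;
        public String cluster;

        /** Returns a log-safe description; the password is always rendered as asterisks. */
        @Override
        public String toString() {
            return "user: " + this.fullUserName
                    + ", remote ip: " + this.remoteIp
                    + ", password: " + "********"
                    + ", cluster: " + this.cluster;
        }
    }

    /**
     * Authenticates the request and additionally requires the ADMIN or NODE global privilege.
     *
     * @throws UnauthorizedException if authentication or the privilege check fails
     */
    public void checkAuthWithCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        checkWithCookie(httpServletRequest, httpServletResponse, true);
    }

    /**
     * Authenticates the request from its Authorization header, or from the session
     * cookie when the header is absent.
     *
     * @param z when {@code true}, the authenticated user must also hold the ADMIN or
     *          NODE global privilege
     * @return the authorization info of the authenticated caller
     * @throws UnauthorizedException if the cookie is missing/unknown, the header cannot
     *         be parsed, the password check fails, or the privilege check fails
     */
    public ActionAuthorizationInfo checkWithCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) {
        if (httpServletRequest.getHeader(NodeAction.AUTHORIZATION) == null) {
            ActionAuthorizationInfo fromCookie = checkCookie(httpServletRequest, httpServletResponse, z);
            if (fromCookie == null) {
                throw new UnauthorizedException("Cookie is invalid");
            }
            return fromCookie;
        }
        ActionAuthorizationInfo authorizationInfo = getAuthorizationInfo(httpServletRequest);
        UserIdentity currentUser = checkPassword(authorizationInfo);
        if (z) {
            checkGlobalAuth(currentUser, adminOrNodePrivilege());
        }
        HttpAuthManager.SessionValue sessionValue = new HttpAuthManager.SessionValue();
        sessionValue.currentUser = currentUser;
        // NOTE(review): the plain-text password is kept in the session store for the
        // session's lifetime and handed back by checkCookie(). Readers of
        // SessionValue.password are outside this file, so it is preserved here; confirm
        // whether any of them still need it before removing it.
        sessionValue.password = authorizationInfo.password;
        // NOTE(review): every header-authenticated request registers a new session;
        // eviction of old entries is HttpAuthManager's job and is not visible here.
        addSession(httpServletRequest, httpServletResponse, sessionValue);
        bindConnectContext(authorizationInfo.fullUserName, authorizationInfo.remoteIp, currentUser);
        LOG.debug("check auth without cookie success for user: {}, thread: {}", currentUser, Thread.currentThread().getId());
        return authorizationInfo;
    }

    /**
     * Creates a new session: issues a random session id as the {@link #PALO_SESSION_ID}
     * cookie and registers {@code sessionValue} under that id.
     */
    protected void addSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpAuthManager.SessionValue sessionValue) {
        String sessionId = UUID.randomUUID().toString();
        Cookie cookie = new Cookie(PALO_SESSION_ID, sessionId);
        // Mark the cookie Secure whenever the request itself arrived over TLS, so the
        // session id is not later sent in clear text. Plain-HTTP requests keep the
        // previous behaviour (no Secure flag). Behind a TLS-terminating proxy
        // isSecure() may report false; then the flag stays off as before.
        cookie.setSecure(httpServletRequest.isSecure());
        cookie.setMaxAge(PALO_SESSION_EXPIRED_TIME);
        cookie.setPath(S3URI.PATH_DELIM);
        cookie.setHttpOnly(true);
        httpServletResponse.addCookie(cookie);
        // The session id is a bearer credential: log that a cookie was issued, never its value.
        LOG.debug("add session cookie: {}", PALO_SESSION_ID);
        HttpAuthManager.getInstance().addSessionValue(sessionId, sessionValue);
    }

    /**
     * Resolves the caller from the session cookie.
     *
     * @param z when {@code true}, the session user must hold the ADMIN or NODE global privilege
     * @return the caller's authorization info, or {@code null} when no session cookie is
     *         present, no session matches, or the privilege check fails
     */
    private ActionAuthorizationInfo checkCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) {
        List<String> sessionIds = getCookieValues(httpServletRequest, PALO_SESSION_ID, httpServletResponse);
        if (sessionIds.isEmpty()) {
            return null;
        }
        HttpAuthManager.SessionValue sessionValue = HttpAuthManager.getInstance().getSessionValue(sessionIds);
        if (sessionValue == null) {
            return null;
        }
        if (z && !Env.getCurrentEnv().getAccessManager().checkGlobalPriv(sessionValue.currentUser, adminOrNodePrivilege())) {
            return null;
        }
        updateCookieAge(httpServletRequest, PALO_SESSION_ID, PALO_SESSION_EXPIRED_TIME, httpServletResponse);
        // NOTE(review): the header path records getRemoteAddr() while this path records
        // getRemoteHost(), which may be a resolved host name depending on container
        // configuration. Kept as-is; confirm which form downstream checks expect.
        String remoteHost = httpServletRequest.getRemoteHost();
        String qualifiedUser = sessionValue.currentUser.getQualifiedUser();
        bindConnectContext(qualifiedUser, remoteHost, sessionValue.currentUser);
        LOG.debug("check cookie success for user: {}, thread: {}", sessionValue.currentUser, Thread.currentThread().getId());
        ActionAuthorizationInfo authorizationInfo = new ActionAuthorizationInfo();
        authorizationInfo.fullUserName = qualifiedUser;
        authorizationInfo.remoteIp = remoteHost;
        authorizationInfo.password = sessionValue.password;
        authorizationInfo.cluster = DEFAULT_CLUSTER;
        return authorizationInfo;
    }

    /**
     * Collects the values of all request cookies named {@code str}.
     *
     * @param str cookie name to look for
     * @param httpServletResponse unused
     * @return the matching values in request order; empty when the request has no such cookie
     */
    public List<String> getCookieValues(HttpServletRequest httpServletRequest, String str, HttpServletResponse httpServletResponse) {
        List<String> values = Lists.newArrayList();
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return values;
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName() != null && cookie.getName().equals(str)) {
                values.add(cookie.getValue());
            }
        }
        return values;
    }

    /**
     * Re-issues every request cookie named {@code str} with a new max age.
     *
     * <p>A cookie parsed from a request carries only its name and value, so the
     * protective attributes are re-applied here; otherwise the refreshed
     * {@code Set-Cookie} would drop the HttpOnly flag set when the session was created.
     *
     * @param str cookie name to refresh
     * @param i new max age in seconds
     */
    public void updateCookieAge(HttpServletRequest httpServletRequest, String str, int i, HttpServletResponse httpServletResponse) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            // getCookies() returns null when the request carries no cookies.
            return;
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName() != null && cookie.getName().equals(str)) {
                cookie.setMaxAge(i);
                cookie.setPath(S3URI.PATH_DELIM);
                cookie.setHttpOnly(true);
                cookie.setSecure(httpServletRequest.isSecure());
                httpServletResponse.addCookie(cookie);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Requires {@code userIdentity} to satisfy {@code privPredicate} at global level.
     *
     * @throws UnauthorizedException if the access manager rejects the check
     */
    public void checkGlobalAuth(UserIdentity userIdentity, PrivPredicate privPredicate) throws UnauthorizedException {
        if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(userIdentity, privPredicate)) {
            throw accessDenied(privPredicate);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Requires {@code userIdentity} to satisfy {@code privPredicate} on database {@code str}.
     *
     * @throws UnauthorizedException if the access manager rejects the check
     */
    public void checkDbAuth(UserIdentity userIdentity, String str, PrivPredicate privPredicate) throws UnauthorizedException {
        if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(userIdentity, str, privPredicate)) {
            throw accessDenied(privPredicate);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Requires {@code userIdentity} to satisfy {@code privPredicate} on table {@code str2}
     * of database {@code str}.
     *
     * @throws UnauthorizedException if the access manager rejects the check
     */
    public void checkTblAuth(UserIdentity userIdentity, String str, String str2, PrivPredicate privPredicate) throws UnauthorizedException {
        if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(userIdentity, str, str2, privPredicate)) {
            throw accessDenied(privPredicate);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Verifies the plain-text password in {@code actionAuthorizationInfo}.
     *
     * @return the single user identity the credentials resolved to
     * @throws UnauthorizedException if the password check raises an {@link AuthenticationException}
     * @throws IllegalStateException if the check does not yield exactly one identity
     */
    public UserIdentity checkPassword(ActionAuthorizationInfo actionAuthorizationInfo) throws UnauthorizedException {
        List<UserIdentity> matched = Lists.newArrayList();
        try {
            Env.getCurrentEnv().getAuth().checkPlainPassword(actionAuthorizationInfo.fullUserName, actionAuthorizationInfo.remoteIp, actionAuthorizationInfo.password, matched);
            Preconditions.checkState(matched.size() == 1);
            return matched.get(0);
        } catch (AuthenticationException e) {
            throw new UnauthorizedException(e.formatErrMsg());
        }
    }

    /**
     * Extracts user, password, cluster and remote address from the Authorization header.
     *
     * @throws UnauthorizedException if the header is missing or cannot be parsed
     */
    public ActionAuthorizationInfo getAuthorizationInfo(HttpServletRequest httpServletRequest) throws UnauthorizedException {
        ActionAuthorizationInfo authorizationInfo = new ActionAuthorizationInfo();
        if (parseAuthInfo(httpServletRequest, authorizationInfo)) {
            LOG.debug("get auth info: {}", authorizationInfo);
            return authorizationInfo;
        }
        // The header value is the (merely base64-encoded) user name and password, so it
        // must never reach the log; record only whether a header was sent.
        boolean headerPresent = httpServletRequest.getHeader(NodeAction.AUTHORIZATION) != null;
        LOG.info("parse auth info failed, Authorization header present: {}, url {}", headerPresent, httpServletRequest.getRequestURI());
        throw new UnauthorizedException("Need auth information.");
    }

    /**
     * Fills {@code actionAuthorizationInfo} from the Authorization header.
     *
     * <p>The header must consist of exactly two whitespace-separated tokens; the second
     * is base64-decoded and split at the first {@link ClusterNamespace#CLUSTER_DELIMITER}
     * into user name and password (the password may itself contain the delimiter).
     *
     * @return {@code false} when the header is absent, has the wrong shape, is not valid
     *         base64, or contains no delimiter; {@code true} once the info is populated
     */
    private boolean parseAuthInfo(HttpServletRequest httpServletRequest, ActionAuthorizationInfo actionAuthorizationInfo) {
        String header = httpServletRequest.getHeader(NodeAction.AUTHORIZATION);
        if (Strings.isNullOrEmpty(header)) {
            return false;
        }
        // NOTE(review): the first token (the auth scheme) is not inspected, so any
        // scheme name is treated as carrying base64 "user<delimiter>password".
        String[] split = header.split("\\s+");
        if (split.length != 2) {
            return false;
        }
        String credentials = decodeBase64(split[1]);
        if (credentials == null) {
            return false;
        }
        int delimiterIndex = credentials.indexOf(ClusterNamespace.CLUSTER_DELIMITER);
        if (delimiterIndex < 0) {
            // Without this guard substring(0, -1) throws and a malformed header turns
            // into an unhandled server error instead of a clean 401.
            return false;
        }
        String userName = credentials.substring(0, delimiterIndex);
        String[] userParts = userName.split(Resource.REFERENCE_SPLIT);
        if (userParts.length < 2) {
            actionAuthorizationInfo.fullUserName = ClusterNamespace.getFullName(DEFAULT_CLUSTER, userName);
            actionAuthorizationInfo.cluster = DEFAULT_CLUSTER;
        } else if (userParts.length == 2) {
            actionAuthorizationInfo.fullUserName = ClusterNamespace.getFullName(userParts[1], userParts[0]);
            actionAuthorizationInfo.cluster = userParts[1];
        } else {
            // More than two parts: the name is passed through unqualified and the
            // cluster is left unset, as before.
            actionAuthorizationInfo.fullUserName = userName;
        }
        actionAuthorizationInfo.password = credentials.substring(delimiterIndex + 1);
        actionAuthorizationInfo.remoteIp = httpServletRequest.getRemoteAddr();
        return true;
    }

    /**
     * Base64-decodes {@code encoded} to a UTF-8 string, releasing both Netty buffers.
     *
     * @return the decoded text, or {@code null} when the input is not valid base64
     */
    private static String decodeBase64(String encoded) {
        ByteBuf encodedBuf = null;
        ByteBuf decodedBuf = null;
        try {
            encodedBuf = Unpooled.copiedBuffer(ByteBuffer.wrap(encoded.getBytes(CharsetUtil.UTF_8)));
            decodedBuf = Base64.decode(encodedBuf);
            return decodedBuf.toString(CharsetUtil.UTF_8);
        } catch (IllegalArgumentException e) {
            // Netty's decoder reports invalid input characters this way; treat it as
            // "no usable credentials" rather than letting it escape as a server error.
            return null;
        } finally {
            if (encodedBuf != null) {
                encodedBuf.release();
            }
            if (decodedBuf != null) {
                decodedBuf.release();
            }
        }
    }

    /** Builds the "ADMIN or NODE" global privilege predicate used for privileged endpoints. */
    private static PrivPredicate adminOrNodePrivilege() {
        return PrivPredicate.of(PrivBitSet.of(Privilege.ADMIN_PRIV, Privilege.NODE_PRIV), CompoundPredicate.Operator.OR);
    }

    /** Builds the exception thrown by the check*Auth methods for a failed predicate. */
    private static UnauthorizedException accessDenied(PrivPredicate privPredicate) {
        return new UnauthorizedException("Access denied; you need (at least one of) the " + privPredicate.getPrivs().toString() + " privilege(s) for this operation");
    }

    /** Creates a {@link ConnectContext} for the authenticated user and binds it to the current thread. */
    private static void bindConnectContext(String qualifiedUser, String remoteIp, UserIdentity currentUser) {
        ConnectContext connectContext = new ConnectContext();
        connectContext.setQualifiedUser(qualifiedUser);
        connectContext.setRemoteIP(remoteIp);
        connectContext.setCurrentUserIdentity(currentUser);
        connectContext.setEnv(Env.getCurrentEnv());
        connectContext.setCluster(DEFAULT_CLUSTER);
        connectContext.setThreadLocalInfo();
    }

    /**
     * Parses a request parameter as an {@code int}.
     *
     * @throws NumberFormatException if {@code str} is null or not a valid integer
     */
    protected int checkIntParam(String str) {
        return Integer.parseInt(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Parses a request parameter as a {@code long}.
     *
     * @throws NumberFormatException if {@code str} is null or not a valid long
     */
    public long checkLongParam(String str) {
        return Long.parseLong(str);
    }

    /**
     * Returns the base URL of this frontend: {@code https} with the HTTPS port when
     * {@code Config.enable_https} is set, otherwise {@code http} with the HTTP port.
     */
    protected String getCurrentFrontendURL() {
        String localHost = FrontendOptions.getLocalHostAddress();
        if (Config.enable_https) {
            return "https://" + NetUtils.getHostPortInAccessibleFormat(localHost, Config.https_port);
        }
        return "http://" + NetUtils.getHostPortInAccessibleFormat(localHost, Config.http_port);
    }
}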
