package org.apache.solr.security;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.time.Instant;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpEntity;
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.auth.BasicUserPrincipal;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;
import org.apache.solr.client.solrj.impl.Http2SolrClient;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.HttpListenerFactory;
import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
import org.apache.solr.common.util.ExecutorUtil;
import org.apache.solr.common.util.StrUtils;
import org.apache.solr.common.util.SuppressForbidden;
import org.apache.solr.common.util.Utils;
import org.apache.solr.core.CoreContainer;
import org.apache.solr.handler.admin.MetricsHandler;
import org.apache.solr.request.SolrRequestInfo;
import org.apache.solr.util.CryptoKeys;
import org.eclipse.jetty.client.api.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/security/PKIAuthenticationPlugin.class */
public class PKIAuthenticationPlugin extends AuthenticationPlugin implements HttpClientBuilderPlugin {
    public static final String ACCEPT_VERSIONS = "solr.pki.acceptVersions";
    public static final String SEND_VERSION = "solr.pki.sendVersion";
    private static final Logger log;
    private static final int MIN_TIMESTAMP_DIGITS = 10;
    private static final int MAX_TIMESTAMP_DIGITS = 13;
    private final PublicKeyHandler publicKeyHandler;
    private final CoreContainer cores;
    private static final int MAX_VALIDITY;
    private final String myNodeName;
    private boolean acceptPkiV1;
    public static final String HEADER = "SolrAuth";
    public static final String HEADER_V2 = "SolrAuthV2";
    public static final String NODE_IS_USER = "$";
    private static final Principal SU;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final Map<String, PublicKey> keyCache = new ConcurrentHashMap();
    private final HttpHeaderClientInterceptor interceptor = new HttpHeaderClientInterceptor();
    private boolean interceptorRegistered = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/solr/security/PKIAuthenticationPlugin$HttpHeaderClientInterceptor.class */
    public class HttpHeaderClientInterceptor implements HttpRequestInterceptor {
        public HttpHeaderClientInterceptor() {
        }

        @Override // org.apache.http.HttpRequestInterceptor
        public void process(HttpRequest httpRequest, HttpContext httpContext) throws HttpException, IOException {
            if (PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin() == null) {
                return;
            }
            if (PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin().interceptInternodeRequest(httpRequest, httpContext)) {
                if (PKIAuthenticationPlugin.log.isDebugEnabled()) {
                    PKIAuthenticationPlugin.log.debug("{} secures this internode request", PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin().getClass().getSimpleName());
                }
            } else {
                if (PKIAuthenticationPlugin.log.isDebugEnabled()) {
                    PKIAuthenticationPlugin.log.debug("{} secures this internode request", getClass().getSimpleName());
                }
                PKIAuthenticationPlugin.this.setHeader(httpRequest);
            }
        }
    }

    /* loaded from: input_file:org/apache/solr/security/PKIAuthenticationPlugin$PKIHeaderData.class */
    public static class PKIHeaderData {
        String userName;
        long timestamp;

        public String toString() {
            return "PKIHeaderData{userName='" + this.userName + "', timestamp=" + this.timestamp + "}";
        }
    }

    public static void withServerIdentity(boolean z) {
        SolrRequestInfo requestInfo = SolrRequestInfo.getRequestInfo();
        if (requestInfo != null) {
            requestInfo.setUseServerToken(z);
        }
        ExecutorUtil.setServerThreadFlag(z ? Boolean.valueOf(z) : null);
    }

    public boolean isInterceptorRegistered() {
        return this.interceptorRegistered;
    }

    public PKIAuthenticationPlugin(CoreContainer coreContainer, String str, PublicKeyHandler publicKeyHandler) {
        this.acceptPkiV1 = false;
        this.publicKeyHandler = publicKeyHandler;
        this.cores = coreContainer;
        this.myNodeName = str;
        Set of = Set.of("v1", "v2");
        for (String str2 : System.getProperty(ACCEPT_VERSIONS, "v2").split(",")) {
            if (!of.contains(str2)) {
                log.warn("Unknown protocol version [{}] specified in {}", str2, ACCEPT_VERSIONS);
            }
            if ("v1".equals(str2)) {
                log.warn("System setting {} includes the deprecated v1, which should only be used for compatibility during rolling upgrades. After all servers have been upgraded, consider disabling this compatability layer.", ACCEPT_VERSIONS);
                this.acceptPkiV1 = true;
            }
        }
    }

    @Override // org.apache.solr.security.AuthenticationPlugin
    public void init(Map<String, Object> map) {
    }

    @Override // org.apache.solr.security.AuthenticationPlugin
    @SuppressForbidden(reason = "Needs currentTimeMillis to compare against time in header")
    public boolean doAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws Exception {
        long currentTimeMillis = System.currentTimeMillis();
        if (httpServletRequest.getRequestURI().endsWith(PublicKeyHandler.PATH)) {
            if (!$assertionsDisabled) {
                throw new AssertionError("Should already be handled by SolrDispatchFilter.authenticateRequest");
            }
            this.numPassThrough.inc();
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return true;
        }
        PKIHeaderData pKIHeaderData = null;
        String header = httpServletRequest.getHeader(HEADER_V2);
        String header2 = httpServletRequest.getHeader(HEADER);
        if (header != null) {
            int indexOf = header.indexOf(32);
            if (indexOf <= 0) {
                return sendError(httpServletResponse, true, "Could not parse node name from SolrAuthV2 header.");
            }
            pKIHeaderData = decipherHeaderV2(header, header.substring(0, indexOf));
        } else if (header2 != null && this.acceptPkiV1) {
            List splitWS = StrUtils.splitWS(header2, false);
            if (splitWS.size() != 2) {
                return sendError(httpServletResponse, false, "Invalid SolrAuth header: " + header2);
            }
            pKIHeaderData = decipherHeader((String) splitWS.get(0), (String) splitWS.get(1));
        }
        if (pKIHeaderData == null) {
            return sendError(httpServletResponse, true, "Could not load principal from SolrAuthV2 header.");
        }
        long j = currentTimeMillis - pKIHeaderData.timestamp;
        if (j > MAX_VALIDITY) {
            return sendError(httpServletResponse, true, "Expired key request timestamp, elapsed=" + j);
        }
        Principal basicUserPrincipal = NODE_IS_USER.equals(pKIHeaderData.userName) ? SU : new BasicUserPrincipal(pKIHeaderData.userName);
        this.numAuthenticated.inc();
        filterChain.doFilter(wrapWithPrincipal(httpServletRequest, basicUserPrincipal), httpServletResponse);
        return true;
    }

    private boolean sendError(HttpServletResponse httpServletResponse, boolean z, String str) throws IOException {
        this.numErrors.mark();
        log.error(str);
        httpServletResponse.setHeader("WWW-Authenticate", z ? HEADER_V2 : HEADER);
        httpServletResponse.sendError(401, str);
        return false;
    }

    private PKIHeaderData decipherHeaderV2(String str, String str2) {
        PublicKey publicKey = this.keyCache.get(str2);
        if (publicKey == null) {
            log.debug("No key available for node: {} fetching now ", str2);
            publicKey = getRemotePublicKey(str2);
            log.debug("public key obtained {} ", publicKey);
        }
        int lastIndexOf = str.lastIndexOf(32);
        String substring = str.substring(0, lastIndexOf);
        byte[] decode = Base64.getDecoder().decode(str.substring(lastIndexOf + 1));
        PKIHeaderData validateSignature = validateSignature(substring, decode, publicKey, false);
        if (validateSignature == null) {
            log.warn("Failed to verify signature, trying after refreshing the key ");
            validateSignature = validateSignature(substring, decode, getRemotePublicKey(str2), true);
        }
        return validateSignature;
    }

    private PKIHeaderData validateSignature(String str, byte[] bArr, PublicKey publicKey, boolean z) {
        try {
            if (!CryptoKeys.verifySha256(str.getBytes(StandardCharsets.UTF_8), bArr, publicKey)) {
                log.warn("Signature verification failed, signature or checksum does not match");
                return null;
            }
            int lastIndexOf = str.lastIndexOf(32);
            PKIHeaderData pKIHeaderData = new PKIHeaderData();
            String substring = str.substring(lastIndexOf + 1);
            try {
                pKIHeaderData.timestamp = Long.parseLong(substring);
                pKIHeaderData.userName = str.substring(str.indexOf(32) + 1, lastIndexOf);
                return pKIHeaderData;
            } catch (NumberFormatException e) {
                log.error("SolrAuthV2 header error, cannot parse {} as timestamp", substring);
                return null;
            }
        } catch (InvalidKeyException | SignatureException e2) {
            if (z) {
                log.error("Signature validation on retry failed, likely key error");
                return null;
            }
            log.info("Signature validation failed first attempt, likely key error");
            return null;
        }
    }

    private PKIHeaderData decipherHeader(String str, String str2) {
        PublicKey publicKey = this.keyCache.get(str);
        if (publicKey == null) {
            log.debug("No key available for node: {} fetching now ", str);
            publicKey = getRemotePublicKey(str);
            log.debug("public key obtained {} ", publicKey);
        }
        PKIHeaderData parseCipher = parseCipher(str2, publicKey, false);
        if (parseCipher != null) {
            return parseCipher;
        }
        log.warn("Failed to decrypt header, trying after refreshing the key ");
        return parseCipher(str2, getRemotePublicKey(str), true);
    }

    @VisibleForTesting
    static PKIHeaderData parseCipher(String str, PublicKey publicKey, boolean z) {
        try {
            String trim = new String(CryptoKeys.decryptRSA(Base64.getDecoder().decode(str), publicKey), StandardCharsets.UTF_8).trim();
            int lastIndexOf = trim.lastIndexOf(32);
            int length = (trim.length() - 1) - lastIndexOf;
            if (lastIndexOf == -1 || length < 10 || length > 13) {
                log.warn("Invalid cipher {} deciphered data {}", str, trim);
                return null;
            }
            PKIHeaderData pKIHeaderData = new PKIHeaderData();
            try {
                pKIHeaderData.timestamp = Long.parseLong(trim.substring(lastIndexOf + 1));
                pKIHeaderData.userName = trim.substring(0, lastIndexOf);
                log.debug("Successfully decrypted header {} {}", pKIHeaderData.userName, Long.valueOf(pKIHeaderData.timestamp));
                return pKIHeaderData;
            } catch (NumberFormatException e) {
                log.warn("Invalid cipher {}", str);
                return null;
            }
        } catch (Exception e2) {
            if (z) {
                log.error("Decryption failed on retry, key must be wrong", e2);
                return null;
            }
            log.info("Decryption failed on first attempt, will retry", e2);
            return null;
        }
    }

    PublicKey getRemotePublicKey(String str) {
        if (!this.cores.getZkController().getZkStateReader().getClusterState().getLiveNodes().contains(str)) {
            return null;
        }
        String baseUrlForNodeName = this.cores.getZkController().getZkStateReader().getBaseUrlForNodeName(str);
        try {
            try {
                String str2 = baseUrlForNodeName + "/admin/info/key?wt=json&omitHeader=true";
                log.debug("Fetching fresh public key from: {}", str2);
                HttpEntity entity = this.cores.getUpdateShardHandler().getDefaultHttpClient().execute((HttpUriRequest) new HttpGet(str2), (HttpContext) HttpClientUtil.createNewHttpClientRequestContext()).getEntity();
                String str3 = (String) ((Map) Utils.fromJSON(EntityUtils.toByteArray(entity))).get(MetricsHandler.KEY_PARAM);
                if (str3 == null) {
                    log.error("No key available from {}{}", baseUrlForNodeName, PublicKeyHandler.PATH);
                    Utils.consumeFully(entity);
                    return null;
                }
                log.info("New key obtained from node={}, key={}", str, str3);
                PublicKey deserializeX509PublicKey = CryptoKeys.deserializeX509PublicKey(str3);
                this.keyCache.put(str, deserializeX509PublicKey);
                Utils.consumeFully(entity);
                return deserializeX509PublicKey;
            } catch (Exception e) {
                log.error("Exception trying to get public key from: {}", baseUrlForNodeName, e);
                Utils.consumeFully((HttpEntity) null);
                return null;
            }
        } catch (Throwable th) {
            Utils.consumeFully((HttpEntity) null);
            throw th;
        }
    }

    @Override // org.apache.solr.security.HttpClientBuilderPlugin
    public void setup(Http2SolrClient http2SolrClient) {
        HttpListenerFactory.RequestResponseListener requestResponseListener = new HttpListenerFactory.RequestResponseListener() { // from class: org.apache.solr.security.PKIAuthenticationPlugin.1
            public void onQueued(Request request) {
                PKIAuthenticationPlugin.log.trace("onQueued: {}", request);
                if (PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin() == null) {
                    PKIAuthenticationPlugin.log.trace("no authentication plugin, skipping");
                    return;
                }
                if (PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin().interceptInternodeRequest(request)) {
                    if (PKIAuthenticationPlugin.log.isDebugEnabled()) {
                        PKIAuthenticationPlugin.log.debug("{} secures this internode request", PKIAuthenticationPlugin.this.cores.getAuthenticationPlugin().getClass().getSimpleName());
                    }
                } else {
                    if (PKIAuthenticationPlugin.log.isDebugEnabled()) {
                        PKIAuthenticationPlugin.log.debug("{} secures this internode request", getClass().getSimpleName());
                    }
                    if ("v1".equals(System.getProperty(PKIAuthenticationPlugin.SEND_VERSION))) {
                        PKIAuthenticationPlugin.this.generateToken().ifPresent(str -> {
                            request.header(PKIAuthenticationPlugin.HEADER, str);
                        });
                    } else {
                        PKIAuthenticationPlugin.this.generateTokenV2().ifPresent(str2 -> {
                            request.header(PKIAuthenticationPlugin.HEADER_V2, str2);
                        });
                    }
                }
            }
        };
        http2SolrClient.addListenerFactory(() -> {
            return requestResponseListener;
        });
    }

    @Override // org.apache.solr.security.HttpClientBuilderPlugin
    public SolrHttpClientBuilder getHttpClientBuilder(SolrHttpClientBuilder solrHttpClientBuilder) {
        HttpClientUtil.addRequestInterceptor(this.interceptor);
        this.interceptorRegistered = true;
        return solrHttpClientBuilder;
    }

    public boolean needsAuthorization(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getUserPrincipal() != SU;
    }

    private String getUser() {
        SolrRequestInfo requestInfo = getRequestInfo();
        if (requestInfo == null || requestInfo.useServerToken()) {
            if (isSolrThread()) {
                return NODE_IS_USER;
            }
            log.debug("generateToken: not a solr (server) thread");
            return null;
        }
        Principal userPrincipal = requestInfo.getUserPrincipal();
        if (userPrincipal == null) {
            log.debug("generateToken: principal is null");
            return null;
        }
        if ($assertionsDisabled || userPrincipal.getName() != null) {
            return userPrincipal.getName();
        }
        throw new AssertionError();
    }

    @SuppressForbidden(reason = "Needs currentTimeMillis to set current time in header")
    private Optional<String> generateToken() {
        String user = getUser();
        if (user == null) {
            return Optional.empty();
        }
        String encodeToString = Base64.getEncoder().encodeToString(this.publicKeyHandler.getKeyPair().encrypt(ByteBuffer.wrap((user + " " + System.currentTimeMillis()).getBytes(StandardCharsets.UTF_8))));
        log.trace("generateToken: usr={} token={}", user, encodeToString);
        return Optional.of(this.myNodeName + " " + encodeToString);
    }

    private Optional<String> generateTokenV2() {
        String user = getUser();
        if (user == null) {
            return Optional.empty();
        }
        String str = this.myNodeName + " " + user + " " + Instant.now().toEpochMilli();
        return Optional.of(str + " " + Base64.getEncoder().encodeToString(this.publicKeyHandler.getKeyPair().signSha256(str.getBytes(StandardCharsets.UTF_8))));
    }

    void setHeader(HttpRequest httpRequest) {
        if ("v1".equals(System.getProperty(SEND_VERSION))) {
            generateToken().ifPresent(str -> {
                httpRequest.setHeader(HEADER, str);
            });
        } else {
            generateTokenV2().ifPresent(str2 -> {
                httpRequest.setHeader(HEADER_V2, str2);
            });
        }
    }

    boolean isSolrThread() {
        return ExecutorUtil.isSolrServerThread();
    }

    SolrRequestInfo getRequestInfo() {
        return SolrRequestInfo.getRequestInfo();
    }

    @Override // org.apache.solr.metrics.SolrMetricProducer, java.lang.AutoCloseable, java.io.Closeable
    public void close() throws IOException {
        HttpClientUtil.removeRequestInterceptor(this.interceptor);
        this.interceptorRegistered = false;
    }

    @VisibleForTesting
    public String getPublicKey() {
        return this.publicKeyHandler.getKeyPair().getPublicKeyStr();
    }

    static {
        $assertionsDisabled = !PKIAuthenticationPlugin.class.desiredAssertionStatus();
        log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
        MAX_VALIDITY = Integer.getInteger("pkiauth.ttl", 5000).intValue();
        SU = new BasicUserPrincipal(NODE_IS_USER);
    }
}
