package org.apache.hive.service.auth;

import com.google.common.base.Strings;
import io.hops.security.HopsUtil;
import io.hops.security.HopsX509AuthenticationException;
import io.hops.security.HopsX509Authenticator;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.security.cert.X509Certificate;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hive.service.rpc.thrift.TCLIService;
import org.apache.hive.service.rpc.thrift.TCLIService.Iface;
import org.apache.thrift.TException;
import org.apache.thrift.protocol.TProtocol;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hive/service/auth/TSSLBasedProcessor.class */
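/**
 * Thrift processor that derives the session user name from the client's TLS certificate
 * instead of trusting a user name sent over the wire.
 *
 * <p>Two certificate shapes are accepted:
 * <ul>
 *   <li>a CN of the form {@code <project>__<user>} (see {@link #PROJECT_USER}) is taken
 *       verbatim as the user name;</li>
 *   <li>any other CN is only accepted when {@link HopsX509Authenticator} reports the
 *       connection (peer IP + CN) as trusted <em>and</em> the certificate's L component is in
 *       the {@code HIVE_SUPERUSER_ALLOWED_IMPERSONATION} allow-list, in which case the session
 *       runs as the configured {@code HIVE_SUPER_USER}.</li>
 * </ul>
 * Every other case is rejected with a {@link TException}.
 *
 * <p>The peer IP address and the resolved user name live in the {@code THREAD_LOCAL_*} holders
 * inherited from {@link TSetIpAddressProcessor}; the parent is expected to populate the IP
 * before calling {@link #setUserName(TProtocol)}.
 *
 * <p>The type parameter {@code I} is not used by this class; it is retained for source
 * compatibility with existing callers.
 */
public class TSSLBasedProcessor<I extends TCLIService.Iface> extends TSetIpAddressProcessor<TCLIService.Iface> {
    // NOTE: registered under the parent class name, not TSSLBasedProcessor. Kept as-is so existing
    // logging configuration keyed on that name keeps working.
    private static final Logger LOGGER = LoggerFactory.getLogger(TSetIpAddressProcessor.class.getName());
    /**
     * Shape of a "project user" CN: {@code <project>__<user>}. Because {@code \w*} also matches
     * the empty string, a CN consisting only of {@code __} (or with one empty side) matches too;
     * the CA issuing client certificates is relied on to never produce such a CN.
     */
    private static final Pattern PROJECT_USER = Pattern.compile("\\w*__\\w*");
    private final HopsX509Authenticator hopsX509Authenticator;
    /** Trimmed L (locality) values whose trusted connections may run as the superuser. */
    private final Set<String> usersAllowedToImpersonateSuperuser;
    private final HiveConf hiveConf;

    /**
     * Creates the processor and loads the superuser-impersonation allow-list.
     *
     * @param iface    the service implementation requests are dispatched to
     * @param hiveConf configuration; read for {@code HIVE_SUPERUSER_ALLOWED_IMPERSONATION} here and
     *                 for {@code HIVE_SUPER_USER} on each superuser authentication
     */
    public TSSLBasedProcessor(TCLIService.Iface iface, HiveConf hiveConf) {
        super(iface);
        this.hiveConf = hiveConf;
        this.hopsX509Authenticator = new HopsX509Authenticator(hiveConf);
        this.usersAllowedToImpersonateSuperuser = new HashSet<>();
        // When the property is unset, fall back to the ConfVar's built-in default, which is a
        // comma-separated list and may be empty.
        String defaultValue = HiveConf.ConfVars.HIVE_SUPERUSER_ALLOWED_IMPERSONATION.defaultStrVal;
        String[] defaults = Strings.isNullOrEmpty(defaultValue) ? new String[0] : defaultValue.split(",");
        Collections.addAll(this.usersAllowedToImpersonateSuperuser,
                hiveConf.getTrimmedStrings(HiveConf.ConfVars.HIVE_SUPERUSER_ALLOWED_IMPERSONATION.varname, defaults));
    }

    /**
     * Resolves the user name for the current request from the peer's TLS certificate and stores
     * it in {@code THREAD_LOCAL_USER_NAME}. A no-op when a user name is already set.
     *
     * @param tProtocol protocol whose transport must be backed by an {@link SSLSocket}
     * @throws TException if the transport is not TLS, the peer presented no (verified)
     *                    certificate, the CN cannot be parsed, or the superuser checks fail
     */
    @Override // org.apache.hive.service.auth.TSetIpAddressProcessor
    protected void setUserName(TProtocol tProtocol) throws TException {
        if (THREAD_LOCAL_USER_NAME.get() != null) {
            return;
        }
        // Fail with a TException rather than a ClassCastException when this processor is wired
        // onto a plaintext transport.
        Socket socket = tProtocol.getTransport().getSocket();
        if (!(socket instanceof SSLSocket)) {
            throw new TException("Cannot authenticate the user: transport is not TLS");
        }
        X509Certificate[] chain;
        try {
            // Throws SSLPeerUnverifiedException (an SSLException) when the client sent no
            // certificate or it was not verified during the handshake. Uses the deprecated
            // javax.security.cert API; the subject string format is what HopsUtil expects.
            chain = ((SSLSocket) socket).getSession().getPeerCertificateChain();
        } catch (SSLException e) {
            throw new TException(e);
        }
        if (chain == null || chain.length == 0) {
            throw new TException("Missing certificates");
        }
        // chain[0] is the leaf (peer) certificate.
        String subject = chain[0].getSubjectDN().getName();
        String cn = HopsUtil.extractCNFromSubject(subject);
        if (cn == null) {
            throw new TException("Cannot authenticate the user: Unrecognized CN format");
        }
        if (PROJECT_USER.matcher(cn).matches()) {
            THREAD_LOCAL_USER_NAME.set(cn);
            return;
        }
        authenticateSuperuser(subject, cn);
    }

    /**
     * Maps a non-project CN to the configured superuser when the connection is trusted for
     * that CN and the certificate's L component is allow-listed; otherwise rejects the request.
     *
     * @param subject full subject DN of the peer certificate
     * @param cn      CN already extracted from {@code subject}
     * @throws TException if the peer IP is unknown or unresolvable, the connection is not
     *                    trusted, or the L component is not allow-listed
     */
    private void authenticateSuperuser(String subject, String cn) throws TException {
        String peerIp = THREAD_LOCAL_IP_ADDRESS.get();
        if (peerIp == null) {
            // InetAddress.getByName(null) returns the loopback address; a missing peer address
            // must not be evaluated as if the client were local.
            throw new TException("Cannot authenticate the user");
        }
        try {
            InetAddress peer = InetAddress.getByName(peerIp);
            if (this.hopsX509Authenticator.isTrustedConnection(peer, cn)) {
                // Null-guarded in case the subject carries no L component (extractCNFromSubject
                // signals absence with null; presumably extractLFromSubject does the same).
                String locality = HopsUtil.extractLFromSubject(subject);
                if (locality != null && this.usersAllowedToImpersonateSuperuser.contains(locality.trim())) {
                    THREAD_LOCAL_USER_NAME.set(this.hiveConf.getVar(HiveConf.ConfVars.HIVE_SUPER_USER));
                    return;
                }
            }
            throw new TException("Failed to authenticate superuser");
        } catch (UnknownHostException e) {
            LOGGER.error("Cannot resolve machine address: ", e);
            throw new TException("Cannot authenticate the user");
        } catch (HopsX509AuthenticationException e) {
            // Debug level: this is an expected outcome for untrusted peers, not a server fault.
            LOGGER.debug("Cannot authenticate super user", e);
            throw new TException("Authentication failure", e);
        }
    }
}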
