package org.apache.solr.handler.component;

import java.io.IOException;
import java.util.Iterator;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.common.util.NamedList;
import org.apache.solr.core.SolrCore;
import org.apache.solr.request.LocalSolrQueryRequest;
import org.apache.solr.request.SolrQueryRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/handler/component/QueryDocAuthorizationComponent.class */
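/**
 * Search component that enforces document-level authorization by appending a role-based filter
 * query ({@code fq}) to each request during {@link #prepare(ResponseBuilder)}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The component is disabled unless the {@value #ENABLED_PROP} init parameter is set to
 *       {@code true}; while disabled, {@code prepare} adds no filter at all.</li>
 *   <li>Requests attributed to the superuser (system property
 *       {@code solr.authorization.superuser}, default {@code "solr"}) are never filtered. Every
 *       {@link LocalSolrQueryRequest} is attributed to the superuser.</li>
 *   <li>A user with no roles is rejected with {@code UNAUTHORIZED} rather than being given an
 *       empty filter.</li>
 * </ul>
 */
public class QueryDocAuthorizationComponent extends SearchComponent {
    public static final String AUTH_FIELD_PROP = "sentryAuthField";
    public static final String DEFAULT_AUTH_FIELD = "sentry_auth";
    public static final String ALL_ROLES_TOKEN_PROP = "allRolesToken";
    public static final String ENABLED_PROP = "enabled";

    private static final Logger LOG = LoggerFactory.getLogger(QueryDocAuthorizationComponent.class);

    // Principal name that bypasses document-level filtering entirely; deployments should make
    // sure this short name cannot be obtained by an ordinary authenticated user.
    private static final String SUPER_USER = System.getProperty("solr.authorization.superuser", "solr");

    // Index field that holds the roles allowed to see a document.
    private String authField;
    // Optional token that, when non-empty, is added as one more accepted value of authField.
    private String allRolesToken;
    // When false, prepare() is a no-op and no authorization filter is applied.
    private boolean enabled;

    /**
     * Reads the component configuration.
     *
     * @param namedList init arguments; recognised keys are {@value #AUTH_FIELD_PROP} (default
     *     {@value #DEFAULT_AUTH_FIELD}), {@value #ALL_ROLES_TOKEN_PROP} (default empty) and
     *     {@value #ENABLED_PROP} (default {@code false})
     */
    @Override
    public void init(NamedList namedList) {
        SolrParams config = SolrParams.toSolrParams(namedList);
        this.authField = config.get(AUTH_FIELD_PROP, DEFAULT_AUTH_FIELD);
        LOG.info("QueryDocAuthorizationComponent authField: {}", this.authField);
        this.allRolesToken = config.get(ALL_ROLES_TOKEN_PROP, "");
        LOG.info("QueryDocAuthorizationComponent allRolesToken: {}", this.allRolesToken);
        this.enabled = config.getBool(ENABLED_PROP, false);
        LOG.info("QueryDocAuthorizationComponent enabled: {}", this.enabled);
    }

    /**
     * Appends one {@code {!raw f=<field> v=<value>}} clause to the filter being built.
     *
     * <p>NOTE(review): {@code field} and {@code value} are inserted without quoting or escaping,
     * so the resulting filter is only well-formed when both are administrator-controlled tokens
     * free of whitespace and local-params metacharacters. If role names can come from a less
     * trusted source, validate them where they are defined.
     */
    private void addRawClause(StringBuilder filter, String field, String value) {
        // The leading space is part of the emitted string and must be preserved.
        filter.append(" {!raw f=").append(field).append(" v=").append(value).append("}");
    }

    /**
     * Builds the filter query string that restricts results to documents whose auth field
     * matches one of the given roles, or the configured all-roles token when one is set.
     *
     * <p>NOTE(review): the clauses are separated only by whitespace, so how they combine depends
     * on the default operator of the parser that handles the filter; confirm it is OR in this
     * deployment.
     *
     * @param set roles of the requesting user
     * @return the filter query string, or {@code null} when {@code set} is null or empty
     */
    public String getFilterQueryStr(Set<String> set) {
        if (set == null || set.isEmpty()) {
            return null;
        }
        StringBuilder filter = new StringBuilder();
        for (String role : set) {
            addRawClause(filter, this.authField, role);
        }
        if (this.allRolesToken != null && !this.allRolesToken.isEmpty()) {
            addRawClause(filter, this.authField, this.allRolesToken);
        }
        return filter.toString();
    }

    /**
     * Adds the role filter to the request parameters before the query runs.
     *
     * @param responseBuilder carries the request whose parameters are replaced by a copy with an
     *     additional {@code fq} value
     * @throws SolrException with {@code UNAUTHORIZED} when the user cannot be identified, has no
     *     roles, or the authorization plugin is not the Sentry plugin
     */
    @Override
    public void prepare(ResponseBuilder responseBuilder) throws IOException {
        if (!this.enabled) {
            return;
        }
        String userName = getUserName(responseBuilder.req);
        if (SUPER_USER.equals(userName)) {
            // Superuser and local (in-process) requests see every document.
            return;
        }
        Set<String> roles = getRoles(responseBuilder.req, userName);
        if (roles == null || roles.isEmpty()) {
            // Fail closed: no roles means no access, never an unfiltered query.
            throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, "Request from user: " + userName + " rejected because user is not associated with any roles");
        }
        String filterQueryStr = getFilterQueryStr(roles);
        // add() keeps any fq values already on the request and appends this one.
        ModifiableSolrParams filteredParams = new ModifiableSolrParams(responseBuilder.req.getParams());
        filteredParams.add("fq", filterQueryStr);
        responseBuilder.req.setParams(filteredParams);
        LOG.debug("Adding filter query {} for user {} with roles {}", filterQueryStr, userName, roles);
    }

    /** Does nothing; all work happens in {@link #prepare(ResponseBuilder)}. */
    @Override
    public void process(ResponseBuilder responseBuilder) throws IOException {
    }

    /** Returns a short human-readable description of this component. */
    @Override
    public String getDescription() {
        return "Handle Query Document Authorization";
    }

    /** Returns whether document-level filtering was enabled at init time. */
    public boolean getEnabled() {
        return this.enabled;
    }

    /**
     * Resolves the name of the user behind a request.
     *
     * @return the superuser name for a {@link LocalSolrQueryRequest}; otherwise the servlet
     *     request's remote user, falling back to the short name of its user principal
     * @throws SolrException with {@code UNAUTHORIZED} when the servlet request is missing from
     *     the request context or carries no identity
     */
    private String getUserName(SolrQueryRequest request) {
        if (request instanceof LocalSolrQueryRequest) {
            return SUPER_USER;
        }
        SolrCore core = request.getCore();
        HttpServletRequest httpRequest = (HttpServletRequest) request.getContext().get("httpRequest");
        if (httpRequest == null) {
            StringBuilder message = new StringBuilder("Unable to locate HttpServletRequest");
            // Point the operator at the likely misconfiguration when the setting is off.
            if (core != null && !core.getSolrConfig().getBool("requestDispatcher/requestParsers/@addHttpRequestToContext", true)) {
                message.append(", ensure requestDispatcher/requestParsers/@addHttpRequestToContext is set to true in solrconfig.xml");
            }
            throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, message.toString());
        }
        String remoteUser = httpRequest.getRemoteUser();
        if (remoteUser == null) {
            remoteUser = SentrySolrPluginImpl.getShortUserName(httpRequest.getUserPrincipal());
        }
        if (remoteUser == null) {
            throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, "This request is not authenticated.");
        }
        return remoteUser;
    }

    /**
     * Looks up the roles of a user through the Sentry authorization plugin.
     *
     * @throws SolrException with {@code UNAUTHORIZED} when the core container's authorization
     *     plugin is not a {@link SentrySolrPluginImpl} (including when none is configured)
     */
    private Set<String> getRoles(SolrQueryRequest request, String userName) {
        // Held as Object so the instanceof check is a real type test; the decompiled original
        // declared the variable as SentrySolrPluginImpl, which reduced the check to a null test.
        Object plugin = request.getCore().getCoreContainer().getAuthorizationPlugin();
        if (plugin instanceof SentrySolrPluginImpl) {
            return ((SentrySolrPluginImpl) plugin).getRoles(userName);
        }
        throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, getClass().getSimpleName() + " can only be used with Sentry authorization plugin for Solr");
    }
}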
