package org.apache.hadoop.yarn.server.nodemanager.webapp;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.shaded.com.microsoft.sqlserver.jdbc.ISQLServerResultSet;
import org.apache.hadoop.shaded.org.apache.commons.lang.time.DateUtils;
import org.apache.hadoop.shaded.org.eclipse.jetty.websocket.api.Session;
import org.apache.hadoop.shaded.org.eclipse.jetty.websocket.api.annotations.OnWebSocketClose;
import org.apache.hadoop.shaded.org.eclipse.jetty.websocket.api.annotations.OnWebSocketConnect;
import org.apache.hadoop.shaded.org.eclipse.jetty.websocket.api.annotations.OnWebSocketMessage;
import org.apache.hadoop.shaded.org.eclipse.jetty.websocket.api.annotations.WebSocket;
import org.apache.hadoop.shaded.org.glassfish.grizzly.http.server.Constants;
import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.api.records.ShellContainerCommand;
import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
import org.apache.hadoop.yarn.server.nodemanager.Context;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerExecContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "YARN"})
@WebSocket
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.class */
public class ContainerShellWebSocket {
    private static final Logger LOG = LoggerFactory.getLogger(ContainerShellWebSocket.class);
    private static Context nmContext;
    private final ContainerExecutor exec = nmContext.getContainerExecutor();
    private IOStreamPair pair;

    public static void init(Context context) {
        nmContext = context;
    }

    @OnWebSocketMessage
    public void onText(Session session, String str) throws IOException {
        byte[] bytes;
        try {
            byte[] bArr = new byte[4000];
            if (session.isOpen()) {
                if (!str.equals("1{}") && (bytes = str.getBytes(StandardCharsets.UTF_8)) != null) {
                    this.pair.out.write(bytes);
                    this.pair.out.flush();
                }
                this.pair.in.read(bArr, 0, Math.min(this.pair.in.available(), bArr.length));
                session.getRemote().sendString(new String(bArr, StandardCharsets.UTF_8).replaceAll("\n", Constants.CRLF));
            }
        } catch (IOException e) {
            onClose(session, DateUtils.SEMI_MONTH, "Shutdown");
        }
    }

    @OnWebSocketConnect
    public void onConnect(Session session) {
        try {
            String str = "bash";
            String[] split = session.getUpgradeRequest().getRequestURI().getPath().split("/");
            String str2 = split[2];
            if (split.length == 4) {
                for (ShellContainerCommand shellContainerCommand : ShellContainerCommand.values()) {
                    if (shellContainerCommand.name().equalsIgnoreCase(split[3])) {
                        str = split[3].toLowerCase();
                    }
                }
            }
            Container container = nmContext.getContainers().get(ContainerId.fromString(str2));
            if (!checkAuthorization(session, container)) {
                session.close(ISQLServerResultSet.CONCUR_SS_OPTIMISTIC_CC, "Forbidden");
                return;
            }
            if (checkInsecureSetup()) {
                session.close(1003, "Nonsecure mode is unsupported.");
                return;
            }
            LOG.info(session.getRemoteAddress().getHostString() + " connected!");
            LOG.info("Making interactive connection to running docker container with ID: " + str2);
            this.pair = this.exec.execContainer(new ContainerExecContext.Builder().setContainer(container).setNMLocalPath(nmContext.getLocalDirsHandler()).setShell(str).build());
        } catch (Exception e) {
            LOG.error("Failed to establish WebSocket connection with Client", e);
        }
    }

    @OnWebSocketClose
    public void onClose(Session session, int i, String str) {
        try {
            LOG.info(session.getRemoteAddress().getHostString() + " closed!");
            this.pair.out.write("exit\r\n".getBytes(StandardCharsets.UTF_8));
            this.pair.out.flush();
            this.pair.in.close();
            this.pair.out.close();
            session.close();
        } catch (IOException e) {
            session.close();
        } catch (Throwable th) {
            session.close();
            throw th;
        }
    }

    protected boolean checkAuthorization(Session session, Container container) throws IOException {
        boolean z = true;
        String str = "";
        if (UserGroupInformation.isSecurityEnabled()) {
            str = new HadoopKerberosName(session.getUpgradeRequest().getUserPrincipal().getName()).getShortName();
        } else {
            Map parameterMap = session.getUpgradeRequest().getParameterMap();
            if (parameterMap.containsKey("user.name")) {
                str = (String) ((List) parameterMap.get("user.name")).get(0);
            }
        }
        boolean z2 = false;
        if (nmContext.getApplicationACLsManager().areACLsEnabled()) {
            z2 = nmContext.getApplicationACLsManager().isAdmin(UserGroupInformation.createRemoteUser(str));
        }
        if (!str.equals(container.getUser()) && !z2) {
            z = false;
        }
        return z;
    }

    private boolean checkInsecureSetup() {
        boolean isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
        boolean z = nmContext.getConf().getBoolean("yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users", true);
        if (isSecurityEnabled) {
            return false;
        }
        return z;
    }
}
