package co.cask.cdap.gateway.handlers;

import co.cask.cdap.common.BadRequestException;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.http.SecurityRequestContext;
import co.cask.cdap.common.logging.AuditLogEntry;
import co.cask.cdap.gateway.handlers.util.AbstractAppFabricHttpHandler;
import co.cask.cdap.proto.security.AuthorizationRequest;
import co.cask.cdap.proto.security.CheckAuthorizedRequest;
import co.cask.cdap.proto.security.CheckAuthorizedResponse;
import co.cask.cdap.proto.security.GrantRequest;
import co.cask.cdap.proto.security.RevokeRequest;
import co.cask.cdap.security.authorization.AuthorizationPlugin;
import co.cask.http.HttpResponder;
import com.google.inject.Inject;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import org.jboss.netty.handler.codec.http.HttpRequest;
import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

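/**
 * HTTP endpoints under {@code /v3/security} that delegate privilege checks, grants and revocations
 * to the injected {@link AuthorizationPlugin}.
 *
 * <p>Every endpoint answers {@code 404 Not Found} when {@code security.authorization.enabled} is
 * false. After a request has been answered with {@code 200 OK}, one {@link AuditLogEntry} is written
 * to the {@code authorization-access} logger.
 *
 * <p>NOTE(review): nothing in this class checks that the caller is itself allowed to grant or revoke
 * privileges; confirm that this is enforced before requests reach the handler.
 *
 * <p>NOTE(review): audit entries are emitted at TRACE level and only on the success path, so a
 * rejected or failing request leaves no record here. Confirm the logging configuration keeps TRACE
 * enabled for this logger and that failed attempts are recorded elsewhere.
 */
@Path("/v3/security")
public class AuthorizationHandler extends AbstractAppFabricHttpHandler {
    private static final Logger AUDIT_LOG = LoggerFactory.getLogger("authorization-access");

    /** Address recorded in the audit entry when the request context has no usable client IP. */
    private static final String UNKNOWN_CLIENT_IP = "0.0.0.0";

    private final AuthorizationPlugin auth;
    private final boolean enabled;

    /**
     * Creates the handler.
     *
     * @param authorizationPlugin plugin that evaluates and stores privileges
     * @param cConfiguration configuration read for {@code security.authorization.enabled}
     */
    @Inject
    public AuthorizationHandler(AuthorizationPlugin authorizationPlugin, CConfiguration cConfiguration) {
        this.auth = authorizationPlugin;
        this.enabled = cConfiguration.getBoolean("security.authorization.enabled");
    }

    /**
     * Writes one audit entry describing the request and the status that was returned.
     *
     * @param httpRequest request whose method, URI and protocol version are recorded
     * @param authorizationRequest parsed body whose user, entity and actions are recorded
     * @param httpResponseStatus status that was sent to the client
     * @throws UnknownHostException declared because {@link InetAddress#getByName(String)} declares it
     */
    private void createLogEntry(HttpRequest httpRequest, AuthorizationRequest authorizationRequest, HttpResponseStatus httpResponseStatus) throws UnknownHostException {
        // User, entity and actions come from the request body. Escape line breaks so that a value
        // cannot split one audit record into several lines.
        String format = String.format("[%s %s %s]", authorizationRequest.getUser(), authorizationRequest.getEntity(), authorizationRequest.getActions())
            .replace("\r", "\\r")
            .replace("\n", "\\n");
        AuditLogEntry auditLogEntry = new AuditLogEntry();
        auditLogEntry.setUserName((String) SecurityRequestContext.getUserId().or("-"));
        auditLogEntry.setClientIP(resolveClientAddress((String) SecurityRequestContext.getUserIP().or(UNKNOWN_CLIENT_IP)));
        auditLogEntry.setRequestLine(httpRequest.getMethod(), httpRequest.getUri(), httpRequest.getProtocolVersion());
        auditLogEntry.setRequestBody(format);
        auditLogEntry.setResponseCode(Integer.valueOf(httpResponseStatus.getCode()));
        AUDIT_LOG.trace(auditLogEntry.toString());
    }

    /**
     * Converts the client address from the request context into an {@link InetAddress}, falling back
     * to {@link #UNKNOWN_CLIENT_IP} when it cannot be resolved. Without the fallback an unresolvable
     * value would abort audit logging after the privilege change had already been applied.
     *
     * <p>NOTE(review): {@link InetAddress#getByName(String)} performs a name lookup when the value is
     * not an IP literal; confirm that the request context only ever carries literals.
     */
    private static InetAddress resolveClientAddress(String address) throws UnknownHostException {
        try {
            return InetAddress.getByName(address);
        } catch (UnknownHostException ignored) {
            // Keep the audit record and substitute the placeholder instead of losing the entry.
            return InetAddress.getByName(UNKNOWN_CLIENT_IP);
        }
    }

    /**
     * Answers whether a user may perform the given actions on an entity.
     *
     * @param httpRequest request carrying a {@link CheckAuthorizedRequest} body
     * @param httpResponder responder that receives a {@link CheckAuthorizedResponse} as JSON
     * @throws BadRequestException if the request body is missing
     * @throws Exception if parsing, the plugin call or audit logging fails
     */
    @POST
    @Path("/authorized")
    public void authorized(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
        if (!this.enabled) {
            httpResponder.sendStatus(HttpResponseStatus.NOT_FOUND);
            return;
        }
        CheckAuthorizedRequest checkAuthorizedRequest = (CheckAuthorizedRequest) parseBody(httpRequest, CheckAuthorizedRequest.class);
        if (checkAuthorizedRequest == null) {
            throw new BadRequestException("Missing request body");
        }
        // NOTE(review): entity, user and actions are passed on without null checks; confirm the
        // plugin rejects incomplete requests.
        CheckAuthorizedResponse response = new CheckAuthorizedResponse(
            this.auth.authorized(checkAuthorizedRequest.getEntity(), checkAuthorizedRequest.getUser(), checkAuthorizedRequest.getActions()));
        httpResponder.sendJson(HttpResponseStatus.OK, response);
        createLogEntry(httpRequest, checkAuthorizedRequest, HttpResponseStatus.OK);
    }

    /**
     * Grants a user privileges on an entity. When the body carries no actions, the two-argument
     * plugin overload is called.
     *
     * @param httpRequest request carrying a {@link GrantRequest} body
     * @param httpResponder responder that receives the status
     * @throws BadRequestException if the request body is missing
     * @throws Exception if parsing, the plugin call or audit logging fails
     */
    @POST
    @Path("/grant")
    public void grant(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
        if (!this.enabled) {
            httpResponder.sendStatus(HttpResponseStatus.NOT_FOUND);
            return;
        }
        GrantRequest grantRequest = (GrantRequest) parseBody(httpRequest, GrantRequest.class);
        if (grantRequest == null) {
            throw new BadRequestException("Missing request body");
        }
        // NOTE(review): entity and user are not checked for null before the grant is applied;
        // confirm the plugin refuses a grant with a missing user or entity.
        if (grantRequest.getActions() == null) {
            this.auth.grant(grantRequest.getEntity(), grantRequest.getUser());
        } else {
            this.auth.grant(grantRequest.getEntity(), grantRequest.getUser(), grantRequest.getActions());
        }
        httpResponder.sendStatus(HttpResponseStatus.OK);
        createLogEntry(httpRequest, grantRequest, HttpResponseStatus.OK);
    }

    /**
     * Revokes privileges on an entity. The plugin overload is chosen by which of user and actions
     * are present in the body: neither, user only, or both.
     *
     * @param httpRequest request carrying a {@link RevokeRequest} body
     * @param httpResponder responder that receives the status
     * @throws BadRequestException if the request body is missing
     * @throws Exception if parsing, the plugin call or audit logging fails
     */
    @POST
    @Path("/revoke")
    public void revoke(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
        if (!this.enabled) {
            httpResponder.sendStatus(HttpResponseStatus.NOT_FOUND);
            return;
        }
        RevokeRequest revokeRequest = (RevokeRequest) parseBody(httpRequest, RevokeRequest.class);
        if (revokeRequest == null) {
            throw new BadRequestException("Missing request body");
        }
        if (revokeRequest.getUser() == null && revokeRequest.getActions() == null) {
            this.auth.revoke(revokeRequest.getEntity());
        } else if (revokeRequest.getActions() == null) {
            this.auth.revoke(revokeRequest.getEntity(), revokeRequest.getUser());
        } else {
            // NOTE(review): a body with actions but no user reaches this call with a null user;
            // confirm the plugin defines that case or reject it as a bad request.
            this.auth.revoke(revokeRequest.getEntity(), revokeRequest.getUser(), revokeRequest.getActions());
        }
        httpResponder.sendStatus(HttpResponseStatus.OK);
        createLogEntry(httpRequest, revokeRequest, HttpResponseStatus.OK);
    }
}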
