package co.cask.cdap.gateway.handlers;

import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.security.spi.authorization.RoleAlreadyExistsException;
import co.cask.cdap.security.spi.authorization.RoleNotFoundException;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Splitter;
import com.google.common.collect.HashBasedTable;
import com.google.common.collect.Sets;
import com.google.common.collect.Table;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.annotation.concurrent.NotThreadSafe;

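/**
 * In-memory {@link AbstractAuthorizer} that keeps grants in a Guava {@link Table} keyed by
 * entity and principal, and role membership in a map from each role to its member principals.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Principals named in the {@code superusers} extension property bypass every check in
 *       {@link #enforce}. If that list contains {@code *}, all principals bypass enforcement,
 *       so that value effectively switches authorization off.</li>
 *   <li>A grant of {@code Action.ALL} satisfies a check for any action on that entity.</li>
 *   <li>All state lives in this object's fields; nothing in this class persists it.</li>
 *   <li>The class is annotated {@code @NotThreadSafe}: none of its collections are synchronized,
 *       so callers must serialize access themselves.</li>
 * </ul>
 */
@NotThreadSafe
/* loaded from: input_file:co/cask/cdap/gateway/handlers/InMemoryAuthorizer.class */
public class InMemoryAuthorizer extends AbstractAuthorizer {
    /** Granted actions, addressed by (entity, principal). Role grants use the role as the principal key. */
    private final Table<EntityId, Principal, Set<Action>> table = HashBasedTable.create();
    /** Members of each known role. A role exists if and only if it is a key of this map. */
    private final Map<Role, Set<Principal>> roleToPrincipals = new HashMap<>();
    /** Principals that skip enforcement entirely. */
    private final Set<Principal> superUsers = new HashSet<>();
    /** Wildcard entry: when present in {@link #superUsers}, every principal is treated as a superuser. */
    private final Principal allSuperUsers = new Principal("*", Principal.PrincipalType.USER);

    /**
     * Reads the comma-separated {@code superusers} extension property and registers each entry
     * as a USER principal that bypasses enforcement. Entries are trimmed and empty ones dropped.
     *
     * @param authorizationContext source of the extension properties
     * @throws Exception declared by the overridden contract; nothing here throws it explicitly
     */
    public void initialize(AuthorizationContext authorizationContext) throws Exception {
        Properties extensionProperties = authorizationContext.getExtensionProperties();
        if (!extensionProperties.containsKey("superusers")) {
            return;
        }
        String configured = extensionProperties.getProperty("superusers");
        if (configured == null) {
            // The key can be present with a non-String value, in which case getProperty returns
            // null; splitting null would fail with a NullPointerException during start-up.
            return;
        }
        for (String name : Splitter.on(",").trimResults().omitEmptyStrings().split(configured)) {
            this.superUsers.add(new Principal(name, Principal.PrincipalType.USER));
        }
    }

    /**
     * Checks that {@code principal} may perform {@code action} on {@code entityId}.
     *
     * <p>Superusers (or anyone, when the {@code *} wildcard is configured) pass without a lookup.
     * Otherwise the principal's own grants are combined with the grants of every role it belongs
     * to; a ROLE principal is checked on its own grants only.
     *
     * @throws UnauthorizedException if neither {@code Action.ALL} nor {@code action} is granted
     */
    public void enforce(EntityId entityId, Principal principal, Action action) throws UnauthorizedException {
        if (this.superUsers.contains(principal) || this.superUsers.contains(this.allSuperUsers)) {
            return;
        }
        // Read-only lookups: an authorization check must not add entries to the grant table,
        // otherwise checks for arbitrary entity/principal pairs grow the table without bound.
        Set<Action> allowed = new HashSet<>(findActions(entityId, principal));
        if (principal.getType() != Principal.PrincipalType.ROLE) {
            for (Role role : listRoles(principal)) {
                allowed.addAll(findActions(entityId, role));
            }
        }
        if (!allowed.contains(Action.ALL) && !allowed.contains(action)) {
            throw new UnauthorizedException(principal, action, entityId);
        }
    }

    /** Adds {@code set} to the actions granted to {@code principal} on {@code entityId}. */
    public void grant(EntityId entityId, Principal principal, Set<Action> set) {
        getActions(entityId, principal).addAll(set);
    }

    /** Removes {@code set} from the actions granted to {@code principal} on {@code entityId}. */
    public void revoke(EntityId entityId, Principal principal, Set<Action> set) {
        // Nothing to create when there is no grant; a lookup is enough.
        findActions(entityId, principal).removeAll(set);
    }

    /** Removes every action granted to any principal on {@code entityId}. */
    public void revoke(EntityId entityId) {
        for (Set<Action> actions : this.table.row(entityId).values()) {
            actions.clear();
        }
    }

    /**
     * Registers a new role with no members.
     *
     * @throws RoleAlreadyExistsException if the role is already registered
     */
    public void createRole(Role role) throws RoleAlreadyExistsException {
        if (this.roleToPrincipals.containsKey(role)) {
            throw new RoleAlreadyExistsException(role);
        }
        this.roleToPrincipals.put(role, new HashSet<Principal>());
    }

    /**
     * Removes a role, its memberships and the grants held by the role itself.
     *
     * @throws RoleNotFoundException if the role is not registered
     */
    public void dropRole(Role role) throws RoleNotFoundException {
        // Membership sets are never null, so a null result means the role was not registered.
        if (this.roleToPrincipals.remove(role) == null) {
            throw new RoleNotFoundException(role);
        }
        // Clear the role's own grants as well. Left in place they would stay in the table under
        // the role's key and apply again to a role created later with an equal identity
        // (presumably name and type; confirm against Principal.equals).
        for (Set<Action> actions : this.table.column(role).values()) {
            actions.clear();
        }
    }

    /**
     * Makes {@code principal} a member of {@code role}.
     *
     * @throws RoleNotFoundException if the role is not registered
     */
    public void addRoleToPrincipal(Role role, Principal principal) throws RoleNotFoundException {
        Set<Principal> members = this.roleToPrincipals.get(role);
        if (members == null) {
            throw new RoleNotFoundException(role);
        }
        members.add(principal);
    }

    /**
     * Removes {@code principal} from {@code role}.
     *
     * @throws RoleNotFoundException if the role is not registered
     */
    public void removeRoleFromPrincipal(Role role, Principal principal) throws RoleNotFoundException {
        Set<Principal> members = this.roleToPrincipals.get(role);
        if (members == null) {
            throw new RoleNotFoundException(role);
        }
        members.remove(principal);
    }

    /** Returns a fresh set of the roles that list {@code principal} as a member. */
    public Set<Role> listRoles(Principal principal) {
        Set<Role> roles = new HashSet<>();
        for (Map.Entry<Role, Set<Principal>> entry : this.roleToPrincipals.entrySet()) {
            if (entry.getValue().contains(principal)) {
                roles.add(entry.getKey());
            }
        }
        return roles;
    }

    /**
     * Returns all registered roles as a snapshot.
     *
     * <p>A copy is returned on purpose: the map's live key set would let a caller delete roles
     * (and their memberships) by mutating the result, without going through {@link #dropRole}.
     */
    public Set<Role> listAllRoles() {
        return new HashSet<>(this.roleToPrincipals.keySet());
    }

    /**
     * Returns the privileges of {@code principal}: its own grants plus, for non-ROLE principals,
     * the grants of every role it belongs to.
     */
    public Set<Privilege> listPrivileges(Principal principal) {
        Set<Privilege> privileges = new HashSet<>(getPrivileges(principal));
        if (principal.getType() != Principal.PrincipalType.ROLE) {
            for (Role role : listRoles(principal)) {
                privileges.addAll(getPrivileges(role));
            }
        }
        return privileges;
    }

    /** Expands the direct grants of {@code principal} into one {@link Privilege} per (entity, action). */
    private Set<Privilege> getPrivileges(Principal principal) {
        Set<Privilege> privileges = new HashSet<>();
        for (Map.Entry<EntityId, Set<Action>> entry : this.table.column(principal).entrySet()) {
            for (Action action : entry.getValue()) {
                privileges.add(new Privilege(entry.getKey(), action));
            }
        }
        return privileges;
    }

    /**
     * Returns the live, mutable action set for the pair, creating an empty one if none exists.
     * Only write paths should call this; read paths use {@link #findActions}.
     */
    private Set<Action> getActions(EntityId entityId, Principal principal) {
        Set<Action> actions = this.table.get(entityId, principal);
        if (actions == null) {
            actions = new HashSet<>();
            this.table.put(entityId, principal, actions);
        }
        return actions;
    }

    /**
     * Returns the action set stored for the pair, or a detached empty set when there is none.
     * Never adds an entry to the table.
     */
    private Set<Action> findActions(EntityId entityId, Principal principal) {
        Set<Action> actions = this.table.get(entityId, principal);
        if (actions == null) {
            return new HashSet<>();
        }
        return actions;
    }
}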
