package co.cask.cdap.gateway.handlers;

import co.cask.cdap.common.BadRequestException;
import co.cask.cdap.common.FeatureDisabledException;
import co.cask.cdap.common.NotFoundException;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.entity.EntityExistenceVerifier;
import co.cask.cdap.common.logging.AuditLogEntry;
import co.cask.cdap.gateway.handlers.util.AbstractAppFabricHttpHandler;
import co.cask.cdap.proto.codec.EntityIdTypeAdapter;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.AuthorizationRequest;
import co.cask.cdap.proto.security.GrantRequest;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.RevokeRequest;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.authorization.AuthorizerInstantiatorService;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.http.HttpResponder;
import com.google.common.base.Objects;
import com.google.common.reflect.TypeToken;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.inject.Inject;
import java.lang.reflect.Type;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.EnumSet;
import java.util.Set;
import javax.annotation.Nullable;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import org.jboss.netty.handler.codec.http.HttpRequest;
import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Path("/v3/security/authorization")
/* loaded from: input_file:co/cask/cdap/gateway/handlers/AuthorizationHandler.class */
public class AuthorizationHandler extends AbstractAppFabricHttpHandler {
    private final AuthorizerInstantiatorService authorizerInstantiatorService;
    private final boolean authenticationEnabled;
    private final boolean authorizationEnabled;
    private final EntityExistenceVerifier entityExistenceVerifier;
    private static final Logger AUDIT_LOG = LoggerFactory.getLogger("authorization-access");
    private static final Gson GSON = new GsonBuilder().registerTypeAdapter(EntityId.class, new EntityIdTypeAdapter()).create();
    private static final Type PRIVILEGE_SET_TYPE = new TypeToken<Set<Privilege>>() { // from class: co.cask.cdap.gateway.handlers.AuthorizationHandler.1
    }.getType();

    @Inject
    AuthorizationHandler(AuthorizerInstantiatorService authorizerInstantiatorService, CConfiguration cConfiguration, EntityExistenceVerifier entityExistenceVerifier) {
        this.authorizerInstantiatorService = authorizerInstantiatorService;
        this.authenticationEnabled = cConfiguration.getBoolean("security.enabled");
        this.authorizationEnabled = cConfiguration.getBoolean("security.authorization.enabled");
        this.entityExistenceVerifier = entityExistenceVerifier;
    }

    @POST
    @Path("/privileges/grant")
    public void grant(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
        ensureSecurityEnabled();
        GrantRequest grantRequest = (GrantRequest) parseBody(httpRequest, GrantRequest.class);
        verifyAuthRequest(grantRequest);
        Set allOf = grantRequest.getActions() == null ? EnumSet.allOf(Action.class) : grantRequest.getActions();
        this.authorizerInstantiatorService.get().enforce(grantRequest.getEntity(), SecurityRequestContext.toPrincipal(), Action.ADMIN);
        this.authorizerInstantiatorService.get().grant(grantRequest.getEntity(), grantRequest.getPrincipal(), allOf);
        httpResponder.sendStatus(HttpResponseStatus.OK);
        createLogEntry(httpRequest, grantRequest, HttpResponseStatus.OK);
    }

    @POST
    @Path("/privileges/revoke")
    public void revoke(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
        ensureSecurityEnabled();
        RevokeRequest revokeRequest = (RevokeRequest) parseBody(httpRequest, RevokeRequest.class);
        verifyAuthRequest(revokeRequest);
        this.authorizerInstantiatorService.get().enforce(revokeRequest.getEntity(), SecurityRequestContext.toPrincipal(), Action.ADMIN);
        if (revokeRequest.getPrincipal() == null && revokeRequest.getActions() == null) {
            this.authorizerInstantiatorService.get().revoke(revokeRequest.getEntity());
        } else {
            this.authorizerInstantiatorService.get().revoke(revokeRequest.getEntity(), revokeRequest.getPrincipal(), revokeRequest.getActions() == null ? EnumSet.allOf(Action.class) : revokeRequest.getActions());
        }
        httpResponder.sendStatus(HttpResponseStatus.OK);
        createLogEntry(httpRequest, revokeRequest, HttpResponseStatus.OK);
    }

    @GET
    @Path("{principal-type}/{principal-name}/privileges")
    public void listPrivileges(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("principal-type") String str, @PathParam("principal-name") String str2) throws Exception {
        ensureSecurityEnabled();
        httpResponder.sendJson(HttpResponseStatus.OK, this.authorizerInstantiatorService.get().listPrivileges(new Principal(str2, Principal.PrincipalType.valueOf(str.toUpperCase()))), PRIVILEGE_SET_TYPE, GSON);
        createLogEntry(httpRequest, null, HttpResponseStatus.OK);
    }

    @Path("/roles/{role-name}")
    @PUT
    public void createRole(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("role-name") String str) throws Exception {
        ensureSecurityEnabled();
        this.authorizerInstantiatorService.get().createRole(new Role(str));
        httpResponder.sendStatus(HttpResponseStatus.OK);
        createLogEntry(httpRequest, null, HttpResponseStatus.OK);
    }

    @Path("/roles/{role-name}")
    @DELETE
    public void dropRole(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("role-name") String str) throws Exception {
        ensureSecurityEnabled();
        this.authorizerInstantiatorService.get().dropRole(new Role(str));
        httpResponder.sendStatus(HttpResponseStatus.OK);
        createLogEntry(httpRequest, null, HttpResponseStatus.OK);
    }

    @GET
    @Path("/roles")
    public void listAllRoles(HttpRequest httpRequest, HttpResponder httpResponder) throws Exception {
        ensureSecurityEnabled();
        httpResponder.sendJson(HttpResponseStatus.OK, this.authorizerInstantiatorService.get().listAllRoles());
        createLogEntry(httpRequest, null, HttpResponseStatus.OK);
    }

    @GET
    @Path("{principal-type}/{principal-name}/roles")
    public void listRoles(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("principal-type") String str, @PathParam("principal-name") String str2) throws Exception {
        ensureSecurityEnabled();
        httpResponder.sendJson(HttpResponseStatus.OK, this.authorizerInstantiatorService.get().listRoles(new Principal(str2, Principal.PrincipalType.valueOf(str.toUpperCase()))));
        createLogEntry(httpRequest, null, HttpResponseStatus.OK);
    }

    @Path("/{principal-type}/{principal-name}/roles/{role-name}")
    @PUT
    public void addRoleToPrincipal(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("principal-type") String str, @PathParam("principal-name") String str2, @PathParam("role-name") String str3) throws Exception {
        ensureSecurityEnabled();
        this.authorizerInstantiatorService.get().addRoleToPrincipal(new Role(str3), new Principal(str2, Principal.PrincipalType.valueOf(str.toUpperCase())));
        httpResponder.sendStatus(HttpResponseStatus.OK);
        createLogEntry(httpRequest, null, HttpResponseStatus.OK);
    }

    @Path("/{principal-type}/{principal-name}/roles/{role-name}")
    @DELETE
    public void removeRoleFromPrincipal(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("principal-type") String str, @PathParam("principal-name") String str2, @PathParam("role-name") String str3) throws Exception {
        ensureSecurityEnabled();
        this.authorizerInstantiatorService.get().removeRoleFromPrincipal(new Role(str3), new Principal(str2, Principal.PrincipalType.valueOf(str.toUpperCase())));
        httpResponder.sendStatus(HttpResponseStatus.OK);
        createLogEntry(httpRequest, null, HttpResponseStatus.OK);
    }

    private void ensureSecurityEnabled() throws FeatureDisabledException {
        if (!this.authenticationEnabled) {
            throw new FeatureDisabledException(FeatureDisabledException.Feature.AUTHENTICATION, "cdap-site.xml", "security.enabled", "true");
        }
        if (!this.authorizationEnabled) {
            throw new FeatureDisabledException(FeatureDisabledException.Feature.AUTHORIZATION, "cdap-site.xml", "security.authorization.enabled", "true");
        }
    }

    private void verifyAuthRequest(AuthorizationRequest authorizationRequest) throws BadRequestException, NotFoundException {
        if (authorizationRequest == null) {
            throw new BadRequestException("Missing request body");
        }
        this.entityExistenceVerifier.ensureExists(authorizationRequest.getEntity());
    }

    private void createLogEntry(HttpRequest httpRequest, @Nullable AuthorizationRequest authorizationRequest, HttpResponseStatus httpResponseStatus) throws UnknownHostException {
        AuditLogEntry auditLogEntry = new AuditLogEntry();
        auditLogEntry.setUserName((String) Objects.firstNonNull(SecurityRequestContext.getUserId(), "-"));
        auditLogEntry.setClientIP(InetAddress.getByName((String) Objects.firstNonNull(SecurityRequestContext.getUserIP(), "0.0.0.0")));
        auditLogEntry.setRequestLine(httpRequest.getMethod(), httpRequest.getUri(), httpRequest.getProtocolVersion());
        if (authorizationRequest != null) {
            auditLogEntry.setRequestBody(String.format("[%s %s %s]", authorizationRequest.getPrincipal(), authorizationRequest.getEntity(), authorizationRequest.getActions()));
        }
        auditLogEntry.setResponseCode(Integer.valueOf(httpResponseStatus.getCode()));
        AUDIT_LOG.trace(auditLogEntry.toString());
    }
}
