package co.cask.cdap.common.security;

import co.cask.cdap.api.annotation.Name;
import co.cask.cdap.common.lang.ClassRewriter;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.security.spi.authentication.AuthenticationContext;
import co.cask.cdap.security.spi.authorization.AuthorizationEnforcer;
import com.google.common.base.Preconditions;
import com.google.common.collect.Sets;
import com.google.common.io.ByteStreams;
import com.google.inject.Inject;
import com.google.inject.internal.asm.C$Opcodes;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import org.objectweb.asm.AnnotationVisitor;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.FieldVisitor;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Type;
import org.objectweb.asm.commons.AdviceAdapter;
import org.objectweb.asm.commons.GeneratorAdapter;
import org.objectweb.asm.commons.Method;
import org.objectweb.asm.tree.AnnotationNode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/common/security/AuthEnforceRewriter.class */
public class AuthEnforceRewriter implements ClassRewriter {
    public static final String GENERATED_FIELD_PREFIX = "_";
    public static final String GENERATED_SETTER_METHOD_PREFIX = "set";
    public static final String AUTHORIZATION_ENFORCER_FIELD_NAME = AuthorizationEnforcer.class.getSimpleName();
    public static final String AUTHENTICATION_CONTEXT_FIELD_NAME = AuthenticationContext.class.getSimpleName();
    private static final Logger LOG = LoggerFactory.getLogger(AuthEnforceRewriter.class);
    private static final Type AUTHORIZATION_ENFORCER_TYPE = Type.getType(AuthorizationEnforcer.class);
    private static final Type AUTHENTICATION_CONTEXT_TYPE = Type.getType(AuthenticationContext.class);
    private static final Type ACTION_TYPE = Type.getType(Action.class);
    private static final Type NAME_TYPE = Type.getType(Name.class);
    private static final Type AUTH_ENFORCE_UTIL_TYPE = Type.getType(AuthEnforceUtil.class);
    private static final Set<String> SUPPORTED_PARAMETER_ANNOTATIONS = Sets.newHashSet(Type.getType(Name.class).getDescriptor(), Type.getType(QueryParam.class).getDescriptor(), Type.getType(PathParam.class).getDescriptor());

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:co/cask/cdap/common/security/AuthEnforceRewriter$AnnotationDetail.class */
    public static final class AnnotationDetail {
        private final List<EntityPartDetail> entityParts;
        private final Type enforceOn;
        private final Set<Action> actions;
        private final Map<String, Integer> parameterAnnotation;

        AnnotationDetail(List<EntityPartDetail> list, Type type, Set<Action> set, Map<String, Integer> map) {
            this.entityParts = list;
            this.enforceOn = type;
            this.actions = set;
            this.parameterAnnotation = map;
        }

        List<EntityPartDetail> getEntities() {
            return this.entityParts;
        }

        Type getEnforceOn() {
            return this.enforceOn;
        }

        Set<Action> getActions() {
            return this.actions;
        }

        Map<String, Integer> getParameterAnnotation() {
            return this.parameterAnnotation;
        }
    }

    /* loaded from: input_file:co/cask/cdap/common/security/AuthEnforceRewriter$AuthEnforceAnnotationNodeProcessor.class */
    private static class AuthEnforceAnnotationNodeProcessor {
        private final Set<Action> actions = new HashSet();
        private Type enforceOn;
        private List<String> entities;

        AuthEnforceAnnotationNodeProcessor(AnnotationNode annotationNode) {
            List list = annotationNode.values;
            Preconditions.checkArgument(list.size() == 6, "AuthEnforce annotation has three field and with their values total elements should be 6 but found %s", Integer.valueOf(list.size()));
            int i = 0;
            while (true) {
                int i2 = i;
                if (i2 >= 6) {
                    return;
                }
                Object obj = list.get(i2);
                if ("entities".equals(obj)) {
                    this.entities = (List) list.get(i2 + 1);
                } else if ("enforceOn".equals(obj)) {
                    this.enforceOn = (Type) list.get(i2 + 1);
                } else {
                    if (!"actions".equals(obj)) {
                        throw new RuntimeException(String.format("Found invalid entry %s while parsing AuthEnforce details %s", obj, list));
                    }
                    for (String[] strArr : (List) list.get(i2 + 1)) {
                        Preconditions.checkArgument(strArr.length == 2);
                        Preconditions.checkArgument(Type.getType(strArr[0]).equals(Type.getType(Action.class)));
                        this.actions.add(Action.valueOf(strArr[1]));
                    }
                }
                i = i2 + 2;
            }
        }

        Type getEnforceOn() {
            return this.enforceOn;
        }

        List<String> getEntities() {
            return this.entities;
        }

        Set<Action> getActions() {
            return this.actions;
        }

        public String toString() {
            return "AuthEnforceAnnotationNodeProcessor{actions=" + this.actions + ", enforceOn=" + this.enforceOn + ", entities=" + this.entities + '}';
        }
    }

    /* loaded from: input_file:co/cask/cdap/common/security/AuthEnforceRewriter$AuthEnforceAnnotationRewriter.class */
    private final class AuthEnforceAnnotationRewriter extends ClassVisitor {
        private final String className;
        private final Type classType;
        private final Map<Method, AnnotationDetail> methodAnnotations;
        private final String authenticationContextFieldName;
        private final String authorizationEnforcerFieldName;

        AuthEnforceAnnotationRewriter(String str, ClassWriter classWriter, Map<String, Type> map, Map<Method, AnnotationDetail> map2) {
            super(C$Opcodes.ASM5, classWriter);
            this.className = str;
            this.classType = Type.getObjectType(str.replace(".", "/"));
            this.methodAnnotations = map2;
            this.authenticationContextFieldName = generateUniqueFieldName(AuthEnforceRewriter.AUTHENTICATION_CONTEXT_FIELD_NAME);
            this.authorizationEnforcerFieldName = generateUniqueFieldName(AuthEnforceRewriter.AUTHORIZATION_ENFORCER_FIELD_NAME);
        }

        public MethodVisitor visitMethod(int i, final String str, String str2, String str3, String[] strArr) {
            MethodVisitor visitMethod = super.visitMethod(i, str, str2, str3, strArr);
            final AnnotationDetail annotationDetail = this.methodAnnotations.get(new Method(str, str2));
            return annotationDetail == null ? visitMethod : new AdviceAdapter(C$Opcodes.ASM5, visitMethod, i, str, str2) { // from class: co.cask.cdap.common.security.AuthEnforceRewriter.AuthEnforceAnnotationRewriter.1
                protected void onMethodEnter() {
                    AuthEnforceRewriter.LOG.trace("AuthEnforce annotation found in class {} on method {}. Authorization enforcement command will be generated for Entities: {}, enforceOn: {}, actions: {}.", AuthEnforceAnnotationRewriter.this.className, str, annotationDetail.getEntities(), annotationDetail.getEnforceOn(), annotationDetail.getActions());
                    loadThis();
                    getField(AuthEnforceAnnotationRewriter.this.classType, AuthEnforceAnnotationRewriter.this.authorizationEnforcerFieldName, AuthEnforceRewriter.AUTHORIZATION_ENFORCER_TYPE);
                    push(annotationDetail.getEntities().size());
                    newArray(Type.getType(Object.class));
                    for (int i2 = 0; i2 < annotationDetail.getEntities().size(); i2++) {
                        dup();
                        push(i2);
                        EntityPartDetail entityPartDetail = annotationDetail.getEntities().get(i2);
                        if (entityPartDetail.isField()) {
                            loadThis();
                            getField(AuthEnforceAnnotationRewriter.this.classType, entityPartDetail.getEntityName(), entityPartDetail.getType());
                        } else {
                            loadArg(annotationDetail.getParameterAnnotation().get(annotationDetail.getEntities().get(i2).getEntityName()).intValue());
                        }
                        arrayStore(Type.getType(Object.class));
                    }
                    push(annotationDetail.getEnforceOn());
                    loadThis();
                    getField(AuthEnforceAnnotationRewriter.this.classType, AuthEnforceAnnotationRewriter.this.authenticationContextFieldName, AuthEnforceRewriter.AUTHENTICATION_CONTEXT_TYPE);
                    ArrayList arrayList = new ArrayList();
                    Iterator<Action> it = annotationDetail.getActions().iterator();
                    while (it.hasNext()) {
                        getStatic(AuthEnforceRewriter.ACTION_TYPE, it.next().name().toUpperCase(), AuthEnforceRewriter.ACTION_TYPE);
                        arrayList.add(Type.getType(Enum.class));
                    }
                    invokeStatic(Type.getType(EnumSet.class), new Method("of", Type.getMethodDescriptor(Type.getType(EnumSet.class), (Type[]) arrayList.toArray(new Type[arrayList.size()]))));
                    invokeStatic(AuthEnforceRewriter.AUTH_ENFORCE_UTIL_TYPE, new Method("enforce", Type.getMethodDescriptor(Type.VOID_TYPE, new Type[]{AuthEnforceRewriter.AUTHORIZATION_ENFORCER_TYPE, Type.getType(Object[].class), Type.getType(Class.class), AuthEnforceRewriter.AUTHENTICATION_CONTEXT_TYPE, Type.getType(Set.class)})));
                }
            };
        }

        private String generateUniqueFieldName(String str) {
            return AuthEnforceRewriter.GENERATED_FIELD_PREFIX + System.currentTimeMillis() + str;
        }

        private void generateFieldAndSetter(String str, Type type) {
            String str2 = AuthEnforceRewriter.GENERATED_SETTER_METHOD_PREFIX + str;
            super.visitField(2, str, type.getDescriptor(), (String) null, (Object) null);
            Method method = new Method(str2, Type.getMethodDescriptor(Type.VOID_TYPE, new Type[]{type}));
            MethodVisitor visitMethod = super.visitMethod(2, method.getName(), method.getDescriptor(), (String) null, (String[]) null);
            visitMethod.visitAnnotation(Type.getType(Inject.class).getDescriptor(), true).visitEnd();
            GeneratorAdapter generatorAdapter = new GeneratorAdapter(2, method, visitMethod);
            generatorAdapter.loadThis();
            generatorAdapter.loadArg(0);
            generatorAdapter.putField(this.classType, str, type);
            generatorAdapter.returnValue();
            generatorAdapter.endMethod();
        }

        public void visitEnd() {
            generateFieldAndSetter(this.authorizationEnforcerFieldName, AuthEnforceRewriter.AUTHORIZATION_ENFORCER_TYPE);
            generateFieldAndSetter(this.authenticationContextFieldName, AuthEnforceRewriter.AUTHENTICATION_CONTEXT_TYPE);
            super.visitEnd();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:co/cask/cdap/common/security/AuthEnforceRewriter$AuthEnforceAnnotationVisitor.class */
    public static final class AuthEnforceAnnotationVisitor extends ClassVisitor {
        private final String className;
        private final Map<Method, AnnotationDetail> methodAnnotations;
        private final Map<String, Type> fieldDetails;
        private boolean interfaceClass;

        AuthEnforceAnnotationVisitor(String str) {
            super(C$Opcodes.ASM5);
            this.className = str;
            this.methodAnnotations = new HashMap();
            this.fieldDetails = new HashMap();
        }

        public void visit(int i, int i2, String str, String str2, String str3, String[] strArr) {
            this.interfaceClass = Modifier.isInterface(i2);
        }

        public FieldVisitor visitField(int i, String str, String str2, String str3, Object obj) {
            if (this.interfaceClass) {
                return null;
            }
            this.fieldDetails.put(str, Type.getType(str2));
            return super.visitField(i, str, str2, str3, obj);
        }

        public MethodVisitor visitMethod(int i, final String str, final String str2, String str3, String[] strArr) {
            if (this.interfaceClass || Modifier.isStatic(i)) {
                return null;
            }
            final Type[] argumentTypes = Type.getArgumentTypes(str2);
            return new MethodVisitor(C$Opcodes.ASM5) { // from class: co.cask.cdap.common.security.AuthEnforceRewriter.AuthEnforceAnnotationVisitor.1
                final Map<Integer, ParameterDetail> parameterDetails = new HashMap();
                AnnotationNode authEnforceAnnotationNode;

                public AnnotationVisitor visitAnnotation(String str4, boolean z) {
                    if (!z || !AuthEnforce.class.getName().equals(Type.getType(str4).getClassName())) {
                        return null;
                    }
                    this.authEnforceAnnotationNode = new AnnotationNode(str4);
                    return this.authEnforceAnnotationNode;
                }

                public AnnotationVisitor visitParameterAnnotation(int i2, String str4, boolean z) {
                    if (this.authEnforceAnnotationNode == null || !z || !AuthEnforceRewriter.SUPPORTED_PARAMETER_ANNOTATIONS.contains(str4)) {
                        return null;
                    }
                    ParameterDetail parameterDetail = new ParameterDetail(argumentTypes[i2], new AnnotationNode(str4));
                    if (this.parameterDetails.putIfAbsent(Integer.valueOf(i2), parameterDetail) == null) {
                        return parameterDetail.getAnnotationNode();
                    }
                    if (!Name.class.getName().equals(Type.getType(str4).getClassName())) {
                        return null;
                    }
                    AuthEnforceRewriter.LOG.debug("Updating parameter details for parameter at position '{}' for method '{}' in class '{}'. Since method annotations is preferred annotation.", Integer.valueOf(i2), str, AuthEnforceAnnotationVisitor.this.className);
                    this.parameterDetails.put(Integer.valueOf(i2), parameterDetail);
                    return parameterDetail.getAnnotationNode();
                }

                public void visitEnd() {
                    if (this.authEnforceAnnotationNode == null) {
                        return;
                    }
                    AuthEnforceAnnotationNodeProcessor authEnforceAnnotationNodeProcessor = new AuthEnforceAnnotationNodeProcessor(this.authEnforceAnnotationNode);
                    Map processParameterDetails = AuthEnforceRewriter.processParameterDetails(this.parameterDetails);
                    ArrayList arrayList = new ArrayList();
                    for (String str4 : authEnforceAnnotationNodeProcessor.getEntities()) {
                        if (processParameterDetails.containsKey(str4)) {
                            arrayList.add(new EntityPartDetail(str4, false, this.parameterDetails.get(processParameterDetails.get(str4)).getParameterType()));
                        } else {
                            String substring = str4.startsWith("this.") ? str4.substring("this.".length()) : str4;
                            if (!AuthEnforceAnnotationVisitor.this.fieldDetails.containsKey(substring)) {
                                throw new IllegalArgumentException(String.format("No named method parameter or a class field found with name '%s' in class '%s' for method '%s' whereas it was specified in '%s' annotation", substring, AuthEnforceAnnotationVisitor.this.className, str, AuthEnforce.class.getSimpleName()));
                            }
                            arrayList.add(new EntityPartDetail(substring, true, (Type) AuthEnforceAnnotationVisitor.this.fieldDetails.get(substring)));
                        }
                    }
                    verifyEntityParts(arrayList, authEnforceAnnotationNodeProcessor.getEnforceOn());
                    AuthEnforceAnnotationVisitor.this.methodAnnotations.put(new Method(str, str2), new AnnotationDetail(arrayList, authEnforceAnnotationNodeProcessor.getEnforceOn(), authEnforceAnnotationNodeProcessor.getActions(), processParameterDetails));
                }

                private void verifyEntityParts(List<EntityPartDetail> list, Type type) {
                    Preconditions.checkArgument(!list.isEmpty(), "Entity Details for the annotation cannot be empty");
                    Type type2 = list.get(0).getType();
                    if (!type2.equals(Type.getType(String.class))) {
                        Preconditions.checkArgument(type2.equals(type), "Found invalid entity type '%s' for enforceOn '%s' in annotation on '%s' method in '%s' class.", type2.getClassName(), type.getClassName(), str, AuthEnforceAnnotationVisitor.this.className);
                        AuthEnforceUtil.getEntityIdPartsCount(type);
                        return;
                    }
                    for (EntityPartDetail entityPartDetail : list) {
                        Type type3 = entityPartDetail.getType();
                        Preconditions.checkArgument(type3.equals(Type.getType(String.class)), "Found part %s of type %s in a multiple part entity specification of AuthEnforce. Only String is supported in multiple parts.", entityPartDetail.getEntityName(), type3);
                    }
                    int entityIdPartsCount = AuthEnforceUtil.getEntityIdPartsCount(type);
                    Preconditions.checkArgument(entityIdPartsCount == list.size(), "Found %s entity parts in AuthEnforce annotation on method %s in class %s to do enforcement on %s which requires %s entity parts or an %s", Integer.valueOf(list.size()), str, AuthEnforceAnnotationVisitor.this.className, type, Integer.valueOf(entityIdPartsCount), type.getClassName());
                }
            };
        }

        Map<Method, AnnotationDetail> getMethodAnnotations() {
            return this.methodAnnotations;
        }

        Map<String, Type> getFieldDetails() {
            return this.fieldDetails;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:co/cask/cdap/common/security/AuthEnforceRewriter$EntityPartDetail.class */
    public static final class EntityPartDetail {
        private final String entityName;
        private final boolean isField;
        private final Type type;

        EntityPartDetail(String str, boolean z, Type type) {
            Preconditions.checkArgument((str == null || str.isEmpty()) ? false : true, "Entity name must be specified");
            this.entityName = str;
            this.isField = z;
            this.type = type;
        }

        String getEntityName() {
            return this.entityName;
        }

        boolean isField() {
            return this.isField;
        }

        public Type getType() {
            return this.type;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:co/cask/cdap/common/security/AuthEnforceRewriter$ParameterDetail.class */
    public static final class ParameterDetail {
        private final Type parameterType;
        private final AnnotationNode annotationNode;

        ParameterDetail(Type type, AnnotationNode annotationNode) {
            this.parameterType = type;
            this.annotationNode = annotationNode;
        }

        Type getParameterType() {
            return this.parameterType;
        }

        AnnotationNode getAnnotationNode() {
            return this.annotationNode;
        }
    }

    @Override // co.cask.cdap.common.lang.ClassRewriter
    @Nullable
    public byte[] rewriteClass(String str, InputStream inputStream) throws IOException {
        byte[] byteArray = ByteStreams.toByteArray(inputStream);
        ClassReader classReader = new ClassReader(byteArray);
        AuthEnforceAnnotationVisitor authEnforceAnnotationVisitor = new AuthEnforceAnnotationVisitor(str);
        classReader.accept(authEnforceAnnotationVisitor, 7);
        Map<Method, AnnotationDetail> methodAnnotations = authEnforceAnnotationVisitor.getMethodAnnotations();
        if (methodAnnotations.isEmpty()) {
            return byteArray;
        }
        ClassWriter classWriter = new ClassWriter(2);
        classReader.accept(new AuthEnforceAnnotationRewriter(str, classWriter, authEnforceAnnotationVisitor.getFieldDetails(), methodAnnotations), 8);
        return classWriter.toByteArray();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Map<String, Integer> processParameterDetails(Map<Integer, ParameterDetail> map) {
        HashMap hashMap = new HashMap();
        for (Map.Entry<Integer, ParameterDetail> entry : map.entrySet()) {
            String str = (String) entry.getValue().getAnnotationNode().values.get(1);
            int intValue = entry.getKey().intValue();
            if (hashMap.containsKey(str)) {
                intValue = getPreferredParameter(map.get(hashMap.get(str)), ((Integer) hashMap.get(str)).intValue(), entry.getValue(), entry.getKey().intValue());
            }
            hashMap.put(str, Integer.valueOf(intValue));
        }
        return hashMap;
    }

    private static int getPreferredParameter(ParameterDetail parameterDetail, int i, ParameterDetail parameterDetail2, int i2) {
        if ((NAME_TYPE.equals(Type.getType(parameterDetail.getAnnotationNode().desc)) || NAME_TYPE.equals(Type.getType(parameterDetail2.getAnnotationNode().desc))) && !(NAME_TYPE.equals(Type.getType(parameterDetail.getAnnotationNode().desc)) && NAME_TYPE.equals(Type.getType(parameterDetail2.getAnnotationNode().desc)))) {
            return NAME_TYPE.equals(Type.getType(parameterDetail.getAnnotationNode().desc)) ? i : i2;
        }
        throw new IllegalArgumentException(String.format("Found conflicting annotation %s and %s. If possible please give preference to a parameter through %s annotation or use unique names.", parameterDetail.getAnnotationNode(), parameterDetail2.getAnnotationNode(), Name.class.getName()));
    }
}
