package co.cask.cdap.security.authorization;

import co.cask.cdap.api.Predicate;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.ParentedId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.spi.authentication.AuthenticationContext;
import co.cask.cdap.security.spi.authorization.PrivilegesFetcher;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:co/cask/cdap/security/authorization/DefaultAuthorizationEnforcementService.class */
public class DefaultAuthorizationEnforcementService extends AbstractAuthorizationService implements AuthorizationEnforcementService {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationEnforcementService.class);
    private static final Predicate<EntityId> ALLOW_ALL = new Predicate<EntityId>() { // from class: co.cask.cdap.security.authorization.DefaultAuthorizationEnforcementService.1
        public boolean apply(EntityId entityId) {
            return true;
        }
    };

    @Inject
    DefaultAuthorizationEnforcementService(PrivilegesFetcher privilegesFetcher, CConfiguration cConfiguration, AuthenticationContext authenticationContext) {
        super(cConfiguration, privilegesFetcher, authenticationContext, "enforcement");
    }

    public void enforce(EntityId entityId, Principal principal, Action action) throws Exception {
        enforce(entityId, principal, Collections.singleton(action));
    }

    public void enforce(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        if (isSecurityAuthorizationEnabled()) {
            doEnforce(entityId, principal, set, true);
        }
    }

    public Predicate<EntityId> createFilter(Principal principal) throws Exception {
        if (!isSecurityAuthorizationEnabled()) {
            return ALLOW_ALL;
        }
        Map<EntityId, Set<Action>> privileges = getPrivileges(principal);
        final Set<EntityId> keySet = privileges != null ? privileges.keySet() : Collections.emptySet();
        return new Predicate<EntityId>() { // from class: co.cask.cdap.security.authorization.DefaultAuthorizationEnforcementService.2
            public boolean apply(EntityId entityId) {
                boolean z = false;
                if (entityId instanceof ParentedId) {
                    z = apply(((ParentedId) entityId).getParent());
                }
                return z || keySet.contains(entityId);
            }
        };
    }

    protected boolean isSecurityAuthorizationEnabled() {
        return this.securityEnabled && this.authorizationEnabled;
    }

    private boolean doEnforce(EntityId entityId, Principal principal, Set<Action> set, boolean z) throws Exception {
        if ((entityId instanceof ParentedId) && doEnforce(((ParentedId) entityId).getParent(), principal, set, false)) {
            return true;
        }
        Set<Action> set2 = getPrivileges(principal).get(entityId);
        LOG.trace("Enforcing actions {} on {} for {}. Allowed actions are {}", new Object[]{set, entityId, principal, set2});
        if (set2 == null) {
            if (z) {
                throw new UnauthorizedException(principal, set, entityId);
            }
            return false;
        }
        if (set2.containsAll(set)) {
            return true;
        }
        if (z) {
            throw new UnauthorizedException(principal, Sets.difference(set, set2), entityId);
        }
        return false;
    }

    @Override // co.cask.cdap.security.authorization.AuthorizationEnforcementService
    public void invalidate(com.google.common.base.Predicate<Principal> predicate) {
        doInvalidate(predicate);
    }
}
