package co.cask.cdap.security.store;

import co.cask.cdap.api.Predicate;
import co.cask.cdap.api.security.store.SecureStore;
import co.cask.cdap.api.security.store.SecureStoreData;
import co.cask.cdap.api.security.store.SecureStoreManager;
import co.cask.cdap.common.BadRequestException;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.SecureKeyId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.spi.authentication.AuthenticationContext;
import co.cask.cdap.security.spi.authorization.AuthorizationEnforcer;
import co.cask.cdap.security.spi.authorization.PrivilegesManager;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Strings;
import com.google.inject.Inject;
import com.google.inject.name.Named;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

/* loaded from: input_file:co/cask/cdap/security/store/DefaultSecureStoreService.class */
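/**
 * Authorization-aware facade over a delegate secure store.
 *
 * <p>Each operation resolves the calling {@link Principal} from the
 * {@link AuthenticationContext} and consults the {@link AuthorizationEnforcer} before
 * forwarding to the delegate {@link SecureStore} / {@link SecureStoreManager}.
 * Per-key privileges are granted when a key is written and revoked when it is deleted,
 * both through the {@link PrivilegesManager}.
 */
public class DefaultSecureStoreService implements SecureStore, SecureStoreManager {
    private final AuthorizationEnforcer authorizationEnforcer;
    private final PrivilegesManager privilegesManager;
    private final AuthenticationContext authenticationContext;
    private final SecureStore secureStore;
    private final SecureStoreManager secureStoreManager;

    /**
     * Wires the service with its authorization collaborators and the delegate store.
     *
     * @param privilegesManager used to grant and revoke privileges on individual keys
     * @param authorizationEnforcer used to enforce actions and to build visibility filters
     * @param authenticationContext source of the calling principal
     * @param secureStore delegate used for reads (bound as {@code delegateSecureStore})
     * @param secureStoreManager delegate used for writes and deletes
     *        (bound as {@code delegateSecureStoreManager})
     */
    @Inject
    DefaultSecureStoreService(PrivilegesManager privilegesManager, AuthorizationEnforcer authorizationEnforcer, AuthenticationContext authenticationContext, @Named("delegateSecureStore") SecureStore secureStore, @Named("delegateSecureStoreManager") SecureStoreManager secureStoreManager) {
        this.privilegesManager = privilegesManager;
        this.authorizationEnforcer = authorizationEnforcer;
        this.authenticationContext = authenticationContext;
        this.secureStore = secureStore;
        this.secureStoreManager = secureStoreManager;
    }

    /**
     * Lists the entries of a namespace that pass the calling principal's authorization filter.
     *
     * @param str the namespace to list
     * @return a new map holding only the delegate's entries whose {@link SecureKeyId}
     *         the filter accepts; entries that are filtered out are dropped silently
     * @throws Exception if resolving the principal, building the filter or the delegate call fails
     */
    public final Map<String, String> listSecureData(String str) throws Exception {
        Predicate createFilter = this.authorizationEnforcer.createFilter(this.authenticationContext.getPrincipal());
        Map<String, String> allEntries = this.secureStore.listSecureData(str);
        Map<String, String> visible = new HashMap<>(allEntries.size());
        // Walk the entries directly instead of doing a second lookup per key.
        for (Map.Entry<String, String> entry : allEntries.entrySet()) {
            if (createFilter.apply(new SecureKeyId(str, entry.getKey()))) {
                visible.put(entry.getKey(), entry.getValue());
            }
        }
        return visible;
    }

    /**
     * Returns the stored data for one key if the calling principal's filter accepts it.
     *
     * @param str the namespace of the key
     * @param str2 the name of the key within the namespace
     * @return the data the delegate store holds for the key
     * @throws UnauthorizedException if the filter rejects the key for the calling principal
     * @throws Exception if resolving the principal or the delegate call fails
     */
    public final SecureStoreData getSecureData(String str, String str2) throws Exception {
        Principal principal = this.authenticationContext.getPrincipal();
        Predicate createFilter = this.authorizationEnforcer.createFilter(principal);
        SecureKeyId secureKeyId = new SecureKeyId(str, str2);
        // NOTE(review): access is decided by the enforcer's filter predicate, not by an
        // explicit enforce(..., Action.READ). Whether that predicate requires READ
        // specifically is not visible in this class; confirm against the enforcer.
        if (!createFilter.apply(secureKeyId)) {
            throw new UnauthorizedException(principal, Action.READ, secureKeyId);
        }
        return this.secureStore.getSecureData(str, str2);
    }

    /**
     * Stores a key and grants the calling principal every {@link Action} on it.
     *
     * <p>The data is written to the delegate before any privilege is granted, so a write
     * that fails leaves no grant behind on a key id that was never stored or never updated.
     *
     * @param str the namespace the key belongs to; the caller needs {@code WRITE} on it
     * @param str2 the name of the key within the namespace
     * @param str3 the data to store; must not be null or empty
     * @param str4 passed to the delegate unchanged (presumably a description; confirm against
     *        {@link SecureStoreManager})
     * @param map passed to the delegate unchanged (presumably key properties; confirm against
     *        {@link SecureStoreManager})
     * @throws BadRequestException if {@code str3} is null or empty
     * @throws Exception if authorization, the delegate write or the grant fails
     */
    public final synchronized void putSecureData(String str, String str2, String str3, String str4, Map<String, String> map) throws Exception {
        Principal principal = this.authenticationContext.getPrincipal();
        // Authorization is checked before the payload is validated.
        this.authorizationEnforcer.enforce(new NamespaceId(str), principal, Action.WRITE);
        if (Strings.isNullOrEmpty(str3)) {
            throw new BadRequestException("The data field should not be empty. This is the data that will be stored securely.");
        }
        // NOTE(review): the only check above is WRITE on the namespace. Nothing here looks at
        // privileges on an already existing key of the same name, yet the caller ends up with
        // every Action on it. If replacing another principal's key is not intended, a
        // key-level check is needed for the update case.
        // Built before the write so that a key id the constructor rejects is never stored.
        SecureKeyId secureKeyId = new SecureKeyId(str, str2);
        this.secureStoreManager.putSecureData(str, str2, str3, str4, map);
        // Grant only after the write succeeded. If the grant itself throws, the data is
        // stored but the caller receives no new privilege on it.
        this.privilegesManager.grant(secureKeyId, principal, EnumSet.allOf(Action.class));
    }

    /**
     * Deletes a key and revokes all privileges recorded for it.
     *
     * @param str the namespace of the key
     * @param str2 the name of the key within the namespace
     * @throws Exception if the caller lacks {@code ADMIN} on the key, or the delete or revoke fails
     */
    public final void deleteSecureData(String str, String str2) throws Exception {
        Principal principal = this.authenticationContext.getPrincipal();
        SecureKeyId secureKeyId = new SecureKeyId(str, str2);
        this.authorizationEnforcer.enforce(secureKeyId, principal, Action.ADMIN);
        this.secureStoreManager.deleteSecureData(str, str2);
        // NOTE(review): if this revoke throws, grants for the key id outlive the deleted key
        // and would apply to a key later created under the same name. Failures here deserve
        // an alert or a retry rather than being treated as a plain delete error.
        this.privilegesManager.revoke(secureKeyId);
    }
}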
