package co.cask.cdap.security.authorization;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.security.spi.authentication.AuthenticationContext;
import co.cask.cdap.security.spi.authorization.PrivilegesFetcher;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.Iterables;
import com.google.common.util.concurrent.AbstractScheduledService;
import com.google.common.util.concurrent.Service;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.twill.common.Threads;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/authorization/AbstractAuthorizationService.class */
public class AbstractAuthorizationService extends AbstractScheduledService {
    private static final Logger LOG = LoggerFactory.getLogger(AbstractAuthorizationService.class);
    private static final EnumSet<Service.State> SERVICE_AVAILABLE_STATES = EnumSet.of(Service.State.STARTING, Service.State.RUNNING, Service.State.STOPPING);
    protected final boolean securityEnabled;
    protected final boolean authorizationEnabled;
    protected final boolean cacheEnabled;
    private final PrivilegesFetcher privilegesFetcher;
    private final int cacheTtlSecs;
    private final int cacheRefreshIntervalSecs;
    private final LoadingCache<Principal, Map<EntityId, Set<Action>>> authPolicyCache;
    private final String serviceName;
    private final AuthenticationContext authenticationContext;
    private ScheduledExecutorService executor;

    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractAuthorizationService(CConfiguration cConfiguration, PrivilegesFetcher privilegesFetcher, AuthenticationContext authenticationContext, String str) {
        this.privilegesFetcher = privilegesFetcher;
        this.securityEnabled = cConfiguration.getBoolean("security.enabled");
        this.authorizationEnabled = cConfiguration.getBoolean("security.authorization.enabled");
        this.cacheEnabled = cConfiguration.getBoolean("security.authorization.cache.enabled");
        this.cacheTtlSecs = cConfiguration.getInt("security.authorization.cache.ttl.secs");
        this.cacheRefreshIntervalSecs = cConfiguration.getInt("security.authorization.cache.refresh.interval.secs");
        this.serviceName = str;
        this.authenticationContext = authenticationContext;
        validateCacheConfig();
        this.authPolicyCache = CacheBuilder.newBuilder().expireAfterWrite(this.cacheTtlSecs, TimeUnit.SECONDS).build(new CacheLoader<Principal, Map<EntityId, Set<Action>>>() { // from class: co.cask.cdap.security.authorization.AbstractAuthorizationService.1
            public Map<EntityId, Set<Action>> load(Principal principal) throws Exception {
                return AbstractAuthorizationService.this.fetchPrivileges(principal);
            }
        });
    }

    protected AbstractScheduledService.Scheduler scheduler() {
        return AbstractScheduledService.Scheduler.newFixedDelaySchedule(0L, this.cacheRefreshIntervalSecs, TimeUnit.SECONDS);
    }

    protected void startUp() throws Exception {
        if (isAuthCacheEnabled()) {
            updatePrivilegesOfCurrentUser();
        }
        LOG.info("Started authorization {} service...", this.serviceName);
    }

    protected void runOneIteration() {
        if (!isAuthCacheEnabled()) {
            LOG.trace("Authorization cache is disabled security: {}; authorization: {}; cache: {}", new Object[]{Boolean.valueOf(this.securityEnabled), Boolean.valueOf(this.authorizationEnabled), Boolean.valueOf(this.cacheEnabled)});
            return;
        }
        LOG.trace("Running authorization {} service iteration...", this.serviceName);
        for (Principal principal : this.authPolicyCache.asMap().keySet()) {
            try {
                updatePrivileges(principal);
            } catch (Exception e) {
                LOG.debug("Error while updating privileges for {}", principal, e);
                LOG.warn("Error while updating privileges for {}.", principal);
            }
        }
    }

    protected ScheduledExecutorService executor() {
        this.executor = Executors.newSingleThreadScheduledExecutor(Threads.createDaemonThreadFactory(String.format("authorization-%s-service", this.serviceName)));
        return this.executor;
    }

    protected void shutDown() throws Exception {
        LOG.debug("Shutting down authorization {} service...", this.serviceName);
        this.authPolicyCache.invalidateAll();
        if (this.executor != null) {
            this.executor.shutdownNow();
        }
        LOG.info("Shutdown authorization {} service successfully.", this.serviceName);
    }

    @VisibleForTesting
    Map<Principal, Map<EntityId, Set<Action>>> getCache() {
        this.authPolicyCache.cleanUp();
        return this.authPolicyCache.asMap();
    }

    protected Map<EntityId, Set<Action>> fetchPrivileges(Principal principal) throws Exception {
        Service.State state = state();
        if (!SERVICE_AVAILABLE_STATES.contains(state)) {
            throw new IllegalStateException(String.format("Cannot use authorization %s service because it has not been started. Its current state is %s.", this.serviceName, state));
        }
        HashMap hashMap = new HashMap();
        Set<Privilege> listPrivileges = this.privilegesFetcher.listPrivileges(principal);
        if (listPrivileges == null) {
            return hashMap;
        }
        for (Privilege privilege : listPrivileges) {
            Set set = (Set) hashMap.get(privilege.getEntity());
            if (set == null) {
                set = EnumSet.noneOf(Action.class);
                hashMap.put(privilege.getEntity(), set);
            }
            set.add(privilege.getAction());
        }
        return hashMap;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Map<EntityId, Set<Action>> getPrivileges(Principal principal) throws Exception {
        return this.cacheEnabled ? (Map) this.authPolicyCache.get(principal) : fetchPrivileges(principal);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void doInvalidate(Predicate<Principal> predicate) {
        this.authPolicyCache.invalidateAll(Iterables.filter(this.authPolicyCache.asMap().keySet(), predicate));
    }

    private void updatePrivilegesOfCurrentUser() {
        Principal principal = this.authenticationContext.getPrincipal();
        try {
            updatePrivileges(principal);
            LOG.debug("Updated privileges for current user {}", principal);
        } catch (Exception e) {
            LOG.warn("Error while updating privileges for {}. Authorization cache will not be pre-populated for this user.", principal, e);
        }
    }

    private void updatePrivileges(Principal principal) throws Exception {
        Map<EntityId, Set<Action>> fetchPrivileges = fetchPrivileges(principal);
        this.authPolicyCache.put(principal, fetchPrivileges);
        LOG.debug("Updated privileges for principal {} as {}", principal, fetchPrivileges);
    }

    private void validateCacheConfig() {
        if (!isAuthCacheEnabled()) {
            if (this.cacheEnabled) {
                LOG.trace("Authorization policy caching is enabled ({} is set to true), however, this setting will have no effect because authorization is disabled ({} is set to false). ", "security.authorization.cache.enabled", "security.authorization.enabled");
            }
        } else {
            Preconditions.checkArgument(this.cacheRefreshIntervalSecs > 0, "The refresh interval for authorization cache specified by the parameter '%s' must be greater than zero. It is currently set to %s.", new Object[]{"security.authorization.cache.refresh.interval.secs", Integer.valueOf(this.cacheRefreshIntervalSecs)});
            Preconditions.checkArgument(this.cacheTtlSecs > 0, "The TTL for authorization cache entries specified by the parameter '%s' must be greater than zero. It is currently set to %s.", new Object[]{"security.authorization.cache.ttl.secs", Integer.valueOf(this.cacheTtlSecs)});
            if (this.cacheTtlSecs <= this.cacheRefreshIntervalSecs) {
                LOG.warn("The refresh interval for authorization cache specified by the parameter '{}' (set to {}) is greater than the TTL for authorization cache entries specified by the parameter '{}' (set to {}). This may result in authorization errors. Please set the refresh interval to a few seconds less than the TTL to fix this.");
            }
        }
    }

    private boolean isAuthCacheEnabled() {
        return this.securityEnabled && this.authorizationEnabled && this.cacheEnabled;
    }
}
