package co.cask.cdap.security.authorization;

import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.PrivilegesManager;
import com.google.common.base.Predicate;
import com.google.inject.Inject;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/authorization/DefaultPrivilegesManager.class */
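/**
 * {@link PrivilegesManager} that forwards privilege changes to the delegate {@link Authorizer}
 * and then asks the enforcement service and the privileges-fetcher proxy to invalidate what they
 * hold for the affected principals.
 *
 * <p>Invalidation bounds how long a revoked privilege can still be honoured from cached state.
 * Any path that skips it leaves a stale-authorization window until the next cache refresh.
 */
public class DefaultPrivilegesManager implements PrivilegesManager {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultPrivilegesManager.class);
    private final Authorizer delegateAuthorizer;
    private final AuthorizationEnforcementService authorizationEnforcementService;
    private final PrivilegesFetcherProxyService privilegesFetcherProxyService;

    /**
     * Wires the manager to the delegate authorizer and to the two services that are invalidated
     * after a privilege change.
     *
     * @param authorizerInstantiator supplies the delegate {@link Authorizer}
     * @param authorizationEnforcementService invalidated after each principal-scoped change
     * @param privilegesFetcherProxyService invalidated after each principal-scoped change
     */
    @Inject
    DefaultPrivilegesManager(AuthorizerInstantiator authorizerInstantiator, AuthorizationEnforcementService authorizationEnforcementService, PrivilegesFetcherProxyService privilegesFetcherProxyService) {
        this.privilegesFetcherProxyService = privilegesFetcherProxyService;
        // NOTE(review): m17get() looks like a decompiler-renamed accessor (presumably get());
        // confirm against the original AuthorizerInstantiator before rebuilding from this source.
        this.delegateAuthorizer = authorizerInstantiator.m17get();
        this.authorizationEnforcementService = authorizationEnforcementService;
    }

    /**
     * Grants {@code set} on {@code entityId} to {@code principal} through the delegate authorizer,
     * then invalidates cached state for the affected principals.
     *
     * @throws Exception if the delegate authorizer rejects or fails the grant; in that case no
     *     invalidation is attempted
     */
    @Override
    public void grant(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        this.delegateAuthorizer.grant(entityId, principal, set);
        invalidateCachesFor(principal);
    }

    /**
     * Revokes {@code set} on {@code entityId} from {@code principal} through the delegate
     * authorizer, then invalidates cached state for the affected principals so the revoked
     * privilege is not served from a cache.
     *
     * @throws Exception if the delegate authorizer fails the revoke; in that case no invalidation
     *     is attempted
     */
    @Override
    public void revoke(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        this.delegateAuthorizer.revoke(entityId, principal, set);
        invalidateCachesFor(principal);
    }

    /**
     * Revokes every privilege on {@code entityId} through the delegate authorizer.
     *
     * @throws Exception if the delegate authorizer fails the revoke
     */
    @Override
    public void revoke(EntityId entityId) throws Exception {
        // NOTE(review): unlike the principal-scoped overloads, this path performs no invalidation,
        // so privileges on the entity that are already cached may stay visible until the caches
        // refresh. Confirm this is intentional; if not, invalidate here as well.
        this.delegateAuthorizer.revoke(entityId);
    }

    /** Invalidates both dependent services for every principal affected by a change to {@code principal}. */
    private void invalidateCachesFor(Principal principal) {
        Predicate<Principal> affected = createInvalidationPredicate(principal);
        this.authorizationEnforcementService.invalidate(affected);
        this.privilegesFetcherProxyService.invalidate(affected);
    }

    /**
     * Builds the predicate that selects which principals must be invalidated after a change to
     * {@code principal}: the principal itself, or, when it is a role, every principal that the
     * delegate authorizer reports as holding that role.
     */
    private Predicate<Principal> createInvalidationPredicate(final Principal principal) {
        return new Predicate<Principal>() {
            @Override
            public boolean apply(Principal candidate) {
                if (Principal.PrincipalType.ROLE != principal.getType()) {
                    return candidate.equals(principal);
                }
                Role role = new Role(principal.getName());
                try {
                    return DefaultPrivilegesManager.this.delegateAuthorizer.listRoles(candidate).contains(role);
                } catch (Exception e) {
                    // Fail safe: if role membership cannot be determined, invalidate the candidate
                    // anyway. Skipping it would let a privilege revoked from the role keep being
                    // honoured from cached state; an unnecessary invalidation only costs a re-fetch.
                    LOG.warn("Error while listing roles of principal {}. Invalidating its cached privileges because membership in role {} could not be determined.", candidate, role, e);
                    return true;
                }
            }
        };
    }
}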
