package co.cask.cdap.security.authorization;

import co.cask.cdap.api.Predicate;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.security.spi.authorization.RoleAlreadyExistsException;
import co.cask.cdap.security.spi.authorization.RoleNotFoundException;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Splitter;
import com.google.common.collect.Sets;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/* loaded from: input_file:co/cask/cdap/security/authorization/InMemoryAuthorizer.class */
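/**
 * Authorizer that keeps every grant, role and role membership in process memory.
 *
 * <p>Nothing in this class persists state: grants live in {@link #privileges} and roles in
 * {@link #roleToPrincipals}, both plain in-memory maps.
 *
 * <p>Security-relevant behaviour to be aware of:
 * <ul>
 *   <li>Principals named in the {@code superusers} extension property bypass every check. If the
 *       value {@code *} appears in that list, every principal is treated as a superuser and
 *       enforcement is effectively switched off.</li>
 *   <li>A principal that is not itself a role is authorized by the union of its direct grants and the
 *       grants of the roles it is a member of.</li>
 * </ul>
 */
public class InMemoryAuthorizer extends AbstractAuthorizer {
    /** Extension property holding the comma-separated list of superuser names. */
    private static final String SUPERUSERS_PROPERTY = "superusers";

    // entity -> (principal or role -> actions granted on that entity)
    private final ConcurrentMap<EntityId, ConcurrentMap<Principal, Set<Action>>> privileges =
        new ConcurrentHashMap<EntityId, ConcurrentMap<Principal, Set<Action>>>();
    // role -> principals that are members of the role
    private final ConcurrentMap<Role, Set<Principal>> roleToPrincipals = new ConcurrentHashMap<Role, Set<Principal>>();
    // Written only by initialize(); NOTE(review): this is a plain HashSet, so it assumes initialize()
    // completes before other threads call enforce()/createFilter() - confirm against the caller.
    private final Set<Principal> superUsers = new HashSet<Principal>();
    // Wildcard entry: when configured as a superuser, all principals pass enforcement.
    private final Principal allSuperUsers = new Principal("*", Principal.PrincipalType.USER);

    /**
     * Reads the {@code superusers} extension property and registers each listed name as a USER
     * superuser. Names are trimmed and empty entries are skipped.
     *
     * @param authorizationContext context supplying the extension properties
     * @throws Exception declared by the overridden contract; not thrown by this implementation directly
     */
    public void initialize(AuthorizationContext authorizationContext) throws Exception {
        Properties extensionProperties = authorizationContext.getExtensionProperties();
        // getProperty() returns null for a missing key and for a non-String value, so a single null
        // check avoids handing null to the splitter.
        String configured = extensionProperties.getProperty(SUPERUSERS_PROPERTY);
        if (configured == null) {
            return;
        }
        for (String name : Splitter.on(",").trimResults().omitEmptyStrings().split(configured)) {
            this.superUsers.add(new Principal(name, Principal.PrincipalType.USER));
        }
    }

    /**
     * Verifies that {@code principal} may perform every action in {@code set} on {@code entityId}.
     *
     * <p>Direct grants and grants inherited through roles are combined before the check, so a request
     * whose actions are split between the two sources is authorized. Role principals are checked
     * against their own grants only.
     *
     * @param entityId the entity being accessed
     * @param principal the caller
     * @param set the actions that must all be allowed
     * @throws UnauthorizedException listing the requested actions that no direct or role grant covers
     */
    public void enforce(EntityId entityId, Principal principal, Set<Action> set) throws UnauthorizedException {
        if (isSuperUser(principal)) {
            return;
        }
        // Read-only lookup: a denied check must not leave an empty entry behind in the grant table.
        Set<Action> allowed = new HashSet<Action>(findActions(entityId, principal));
        if (!allowed.containsAll(set) && principal.getType() != Principal.PrincipalType.ROLE) {
            for (Role role : getRoles(principal)) {
                allowed.addAll(findActions(entityId, role));
            }
        }
        if (!allowed.containsAll(set)) {
            // Copy the difference so the exception payload does not track later changes to the inputs.
            throw new UnauthorizedException(principal, new HashSet<Action>(Sets.difference(set, allowed)), entityId);
        }
    }

    /**
     * Returns a filter for the entities visible to {@code principal}; superusers see everything.
     *
     * @param principal the caller
     * @return {@code ALLOW_ALL} for superusers, otherwise the filter built by the superclass
     * @throws Exception if the superclass fails to build the filter
     */
    public Predicate<EntityId> createFilter(Principal principal) throws Exception {
        return isSuperUser(principal) ? ALLOW_ALL : super.createFilter(principal);
    }

    /**
     * Adds {@code set} to the actions granted to {@code principal} on {@code entityId}.
     *
     * @param entityId the entity the grant applies to
     * @param principal the principal or role receiving the grant
     * @param set the actions to grant
     */
    public void grant(EntityId entityId, Principal principal, Set<Action> set) {
        getActions(entityId, principal).addAll(set);
    }

    /**
     * Removes {@code set} from the actions granted to {@code principal} on {@code entityId}.
     * Revoking from a principal that holds no grant on the entity is a no-op.
     *
     * @param entityId the entity the grant applies to
     * @param principal the principal or role losing the grant
     * @param set the actions to revoke
     */
    public void revoke(EntityId entityId, Principal principal, Set<Action> set) {
        Set<Action> granted = findActions(entityId, principal);
        if (!granted.isEmpty()) {
            granted.removeAll(set);
        }
    }

    /**
     * Removes every grant recorded for {@code entityId}, for all principals and roles.
     *
     * @param entityId the entity whose grants are dropped
     */
    public void revoke(EntityId entityId) {
        this.privileges.remove(entityId);
    }

    /**
     * Registers a new role with no members.
     *
     * @param role the role to create
     * @throws RoleAlreadyExistsException if the role is already registered
     */
    public void createRole(Role role) throws RoleAlreadyExistsException {
        // putIfAbsent is the atomic check-and-insert; a separate containsKey test adds nothing.
        Set<Principal> members = Collections.newSetFromMap(new ConcurrentHashMap<Principal, Boolean>());
        if (this.roleToPrincipals.putIfAbsent(role, members) != null) {
            throw new RoleAlreadyExistsException(role);
        }
    }

    /**
     * Removes a role and its membership list.
     *
     * <p>NOTE(review): only the membership table is touched here. Grants recorded for the role in the
     * privilege table stay in place, so a role created later under an equal key would start with those
     * grants. Confirm whether callers are expected to revoke a role's grants before dropping it.
     *
     * @param role the role to drop
     * @throws RoleNotFoundException if the role is not registered
     */
    public void dropRole(Role role) throws RoleNotFoundException {
        if (this.roleToPrincipals.remove(role) == null) {
            throw new RoleNotFoundException(role);
        }
    }

    /**
     * Makes {@code principal} a member of {@code role}.
     *
     * @param role the role to extend
     * @param principal the new member
     * @throws RoleNotFoundException if the role is not registered
     */
    public void addRoleToPrincipal(Role role, Principal principal) throws RoleNotFoundException {
        Set<Principal> members = this.roleToPrincipals.get(role);
        if (members == null) {
            throw new RoleNotFoundException(role);
        }
        members.add(principal);
    }

    /**
     * Removes {@code principal} from the members of {@code role}.
     *
     * @param role the role to shrink
     * @param principal the member to remove
     * @throws RoleNotFoundException if the role is not registered
     */
    public void removeRoleFromPrincipal(Role role, Principal principal) throws RoleNotFoundException {
        Set<Principal> members = this.roleToPrincipals.get(role);
        if (members == null) {
            throw new RoleNotFoundException(role);
        }
        members.remove(principal);
    }

    /**
     * Lists the roles {@code principal} is a member of.
     *
     * @param principal the principal to look up
     * @return an unmodifiable snapshot of the principal's roles
     */
    public Set<Role> listRoles(Principal principal) {
        return Collections.unmodifiableSet(getRoles(principal));
    }

    /**
     * Lists every registered role.
     *
     * @return an unmodifiable view of the registered roles
     */
    public Set<Role> listAllRoles() {
        return Collections.unmodifiableSet(this.roleToPrincipals.keySet());
    }

    /**
     * Lists the privileges held by {@code principal}: its direct grants plus, when it is not itself a
     * role, the grants of the roles it is a member of.
     *
     * @param principal the principal to look up
     * @return an unmodifiable snapshot of the privileges
     */
    public Set<Privilege> listPrivileges(Principal principal) {
        Set<Privilege> result = new HashSet<Privilege>(getPrivileges(principal));
        if (principal.getType() != Principal.PrincipalType.ROLE) {
            // Only the principal's own roles: walking every registered role would report privileges
            // the principal does not hold and that enforce() would refuse.
            for (Role role : getRoles(principal)) {
                result.addAll(getPrivileges(role));
            }
        }
        return Collections.unmodifiableSet(result);
    }

    /** Returns true when the principal is a configured superuser or the wildcard superuser is set. */
    private boolean isSuperUser(Principal principal) {
        return this.superUsers.contains(principal) || this.superUsers.contains(this.allSuperUsers);
    }

    /** Collects the (entity, action) pairs granted directly to the principal, without creating entries. */
    private Set<Privilege> getPrivileges(Principal principal) {
        Set<Privilege> result = new HashSet<Privilege>();
        for (Map.Entry<EntityId, ConcurrentMap<Principal, Set<Action>>> entry : this.privileges.entrySet()) {
            Set<Action> granted = entry.getValue().get(principal);
            if (granted == null) {
                continue;
            }
            for (Action action : granted) {
                result.add(new Privilege(entry.getKey(), action));
            }
        }
        return Collections.unmodifiableSet(result);
    }

    /**
     * Read-only lookup of the actions granted to the principal on the entity.
     *
     * @return the live action set when one exists, otherwise an empty set; never null
     */
    private Set<Action> findActions(EntityId entityId, Principal principal) {
        ConcurrentMap<Principal, Set<Action>> byPrincipal = this.privileges.get(entityId);
        if (byPrincipal == null) {
            return Collections.<Action>emptySet();
        }
        Set<Action> granted = byPrincipal.get(principal);
        return granted == null ? Collections.<Action>emptySet() : granted;
    }

    /**
     * Returns the live, mutable action set for the principal on the entity, creating the entity and
     * principal entries when they are missing. Used for grants only; checks and listings go through
     * {@link #findActions} so they do not grow the table.
     */
    private Set<Action> getActions(EntityId entityId, Principal principal) {
        ConcurrentMap<Principal, Set<Action>> byPrincipal = this.privileges.get(entityId);
        if (byPrincipal == null) {
            ConcurrentMap<Principal, Set<Action>> created = new ConcurrentHashMap<Principal, Set<Action>>();
            ConcurrentMap<Principal, Set<Action>> raced = this.privileges.putIfAbsent(entityId, created);
            // Another thread may have inserted first; always use the map that actually won.
            byPrincipal = raced == null ? created : raced;
        }
        Set<Action> granted = byPrincipal.get(principal);
        if (granted != null) {
            return granted;
        }
        Set<Action> created = Collections.newSetFromMap(new ConcurrentHashMap<Action, Boolean>());
        Set<Action> raced = byPrincipal.putIfAbsent(principal, created);
        return raced == null ? created : raced;
    }

    /** Returns a fresh set of the roles whose member list contains the principal. */
    private Set<Role> getRoles(Principal principal) {
        Set<Role> roles = new HashSet<Role>();
        for (Map.Entry<Role, Set<Principal>> entry : this.roleToPrincipals.entrySet()) {
            if (entry.getValue().contains(principal)) {
                roles.add(entry.getKey());
            }
        }
        return roles;
    }
}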
