package co.cask.cdap.security.authorization;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.proto.element.EntityType;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.NamespacedEntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.impersonation.SecurityUtil;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Nullable;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

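/**
 * Authorization enforcer that delegates to the authorizer supplied by {@code AuthorizerInstantiator}.
 *
 * <p>Two classes of requests are answered locally without consulting the authorizer:
 * <ul>
 *   <li>the master user acting on an entity in the {@code system} namespace, and</li>
 *   <li>a principal acting on the {@code KERBEROSPRINCIPAL} entity whose name equals its own.</li>
 * </ul>
 * Everything else is forwarded to the configured authorizer. When security authorization is
 * disabled (see {@code isSecurityAuthorizationEnabled()}) every check passes unconditionally.
 */
@Singleton
public class DefaultAuthorizationEnforcer extends AbstractAuthorizationEnforcer {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationEnforcer.class);
    private final AuthorizerInstantiator authorizerInstantiator;

    // Short (OS-level) name of the Kerberos master principal; null when authorization is disabled.
    @Nullable
    private final Principal masterUser;

    /**
     * Creates the enforcer and, when authorization is enabled, resolves the master principal.
     *
     * @param cConfiguration CDAP configuration used to decide whether authorization is enabled and
     *                       to look up the master principal
     * @param authorizerInstantiator supplier of the authorizer that handles non-short-circuited checks
     * @throws IllegalStateException if authorization is enabled but no Kerberos master principal is
     *                               configured, or the principal cannot be translated to a short name
     */
    @Inject
    DefaultAuthorizationEnforcer(CConfiguration cConfiguration, AuthorizerInstantiator authorizerInstantiator) {
        super(cConfiguration);
        this.authorizerInstantiator = authorizerInstantiator;
        if (!isSecurityAuthorizationEnabled()) {
            // Authorization is off: no master principal is needed because every check short-circuits.
            this.masterUser = null;
            return;
        }
        String masterPrincipal = SecurityUtil.getMasterPrincipal(cConfiguration);
        if (masterPrincipal == null) {
            throw new IllegalStateException("Kerberos master principal is null. Authorization can only be used when kerberos is used");
        }
        try {
            // Principals are compared by short name, so translate the full Kerberos name once here.
            this.masterUser = new Principal(new KerberosName(masterPrincipal).getShortName(), Principal.PrincipalType.USER);
        } catch (IOException e) {
            throw new IllegalStateException(String.format("Failed to translate the principal name %s to an operating system user name.", masterPrincipal), e);
        }
    }

    /**
     * Enforces that {@code principal} may perform {@code action} on {@code entityId}.
     *
     * <p>No-op when authorization is disabled. Otherwise the single action is checked via
     * {@link #doEnforce(EntityId, Principal, Set)}.
     *
     * @throws Exception propagated from the underlying authorizer when the check fails
     */
    public void enforce(EntityId entityId, Principal principal, Action action) throws Exception {
        if (isSecurityAuthorizationEnabled()) {
            doEnforce(entityId, principal, Collections.singleton(action));
        }
    }

    /**
     * Filters {@code set} down to the entities that {@code principal} is allowed to see.
     *
     * <p>Entities covered by the local short-circuit rules are accepted immediately; only the
     * remainder is sent to the authorizer. When authorization is disabled the input set is
     * returned as-is (not copied).
     *
     * @return an unmodifiable set of the visible entities when authorization is enabled, else {@code set}
     * @throws Exception propagated from the underlying authorizer
     */
    public Set<? extends EntityId> isVisible(Set<? extends EntityId> set, Principal principal) throws Exception {
        if (!isSecurityAuthorizationEnabled()) {
            return set;
        }
        Set<EntityId> visible = new HashSet<>();
        for (EntityId entityId : set) {
            if (isAccessingSystemNSAsMasterUser(entityId, principal) || isEnforcingOnSamePrincipalId(entityId, principal)) {
                visible.add(entityId);
            }
        }
        // Lazy view over `set` minus `visible`; the authorizer only sees entities not already accepted above.
        Sets.SetView<? extends EntityId> remaining = Sets.difference(set, visible);
        LOG.debug("Checking visibility of {} for principal {}.", remaining, principal);
        visible.addAll(this.authorizerInstantiator.m16get().isVisible(remaining, principal));
        return Collections.unmodifiableSet(visible);
    }

    /**
     * Performs the actual check for {@code actions}, skipping the authorizer when a local
     * short-circuit rule applies.
     *
     * @throws Exception propagated from the underlying authorizer when the principal is not authorized
     */
    private void doEnforce(EntityId entityId, Principal principal, Set<Action> actions) throws Exception {
        if (isAccessingSystemNSAsMasterUser(entityId, principal) || isEnforcingOnSamePrincipalId(entityId, principal)) {
            return;
        }
        LOG.debug("Enforcing actions {} on {} for principal {}.", actions, entityId, principal);
        this.authorizerInstantiator.m16get().enforce(entityId, principal, actions);
    }

    /**
     * Returns {@code true} if {@code entityId} lives in the {@code system} namespace and
     * {@code principal} equals the resolved master user. Always {@code false} when
     * {@link #masterUser} is {@code null}.
     */
    private boolean isAccessingSystemNSAsMasterUser(EntityId entityId, Principal principal) {
        return (entityId instanceof NamespacedEntityId)
            && ((NamespacedEntityId) entityId).getNamespaceId().equals(NamespaceId.SYSTEM)
            && principal.equals(this.masterUser);
    }

    /**
     * Returns {@code true} if {@code entityId} is a {@code KERBEROSPRINCIPAL} entity whose name
     * equals the name of {@code principal}, i.e. a principal acting on itself.
     *
     * <p>NOTE(review): only the name is compared; the principal's type is not checked here.
     */
    private boolean isEnforcingOnSamePrincipalId(EntityId entityId, Principal principal) {
        return entityId.getEntityType().equals(EntityType.KERBEROSPRINCIPAL)
            && principal.getName().equals(entityId.getEntityName());
    }
}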
