package co.cask.cdap.security.authorization;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.proto.element.EntityType;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.NamespacedEntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Nullable;
import org.apache.commons.lang.time.StopWatch;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

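/**
 * {@link AbstractAuthorizationEnforcer} that delegates every check to the {@code Authorizer}
 * obtained from the injected {@link AuthorizerInstantiator}, except in two cases that are
 * answered locally and never reach the delegate:
 * <ul>
 *   <li>the configured master user acting on a {@link NamespacedEntityId} in the
 *       {@link NamespaceId#SYSTEM} namespace;</li>
 *   <li>a principal acting on the {@link EntityType#KERBEROSPRINCIPAL} entity whose entity name
 *       equals the principal's own name.</li>
 * </ul>
 * The same two bypasses also add entities to the result of {@link #isVisible(Set, Principal)}.
 * When authorization is disabled ({@code isSecurityAuthorizationEnabled()} on the superclass)
 * every call is a no-op / pass-through. Each delegated call is timed, and calls slower than
 * {@code security.authorization.extension.operation.time.warn.threshold.ms} are logged at WARN
 * instead of TRACE.
 */
@Singleton
/* loaded from: input_file:co/cask/cdap/security/authorization/DefaultAuthorizationEnforcer.class */
public class DefaultAuthorizationEnforcer extends AbstractAuthorizationEnforcer {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationEnforcer.class);

    // SLF4J patterns shared by the WARN and TRACE branches of the timing log.
    private static final String VISIBILITY_LOG_LINE =
        "Checked visibility of {} for principal {}. Time spent in visibility check was {} ms.";
    private static final String ENFORCE_LOG_LINE =
        "Enforced actions {} on {} for principal {}. Time spent in enforcement was {} ms.";

    private final AuthorizerInstantiator authorizerInstantiator;

    // Null when no effective master user is configured. principal.equals(null) is then always
    // false, so the system-namespace bypass can never trigger in that configuration.
    @Nullable
    private final Principal masterUser;
    // Delegate calls taking longer than this many milliseconds are logged at WARN.
    private final int logTimeTakenAsWarn;

    /**
     * @param cConfiguration CDAP configuration; supplies the effective master user and the
     *                       slow-call warning threshold
     * @param authorizerInstantiator source of the {@code Authorizer} extension that checks are
     *                               delegated to
     */
    @Inject
    DefaultAuthorizationEnforcer(CConfiguration cConfiguration, AuthorizerInstantiator authorizerInstantiator) {
        super(cConfiguration);
        this.authorizerInstantiator = authorizerInstantiator;
        String effectiveMasterUser = AuthorizationUtil.getEffectiveMasterUser(cConfiguration);
        this.masterUser = effectiveMasterUser == null
            ? null
            : new Principal(effectiveMasterUser, Principal.PrincipalType.USER);
        // No default is passed; what getInt does when the key is absent depends on CConfiguration — TODO confirm
        this.logTimeTakenAsWarn =
            cConfiguration.getInt("security.authorization.extension.operation.time.warn.threshold.ms");
    }

    /**
     * Enforces that {@code principal} is allowed to perform {@code action} on {@code entityId}.
     * Does nothing when authorization is disabled.
     *
     * @throws Exception whatever the delegate authorizer throws when the check fails or errors
     */
    public void enforce(EntityId entityId, Principal principal, Action action) throws Exception {
        if (isSecurityAuthorizationEnabled()) {
            doEnforce(entityId, principal, Collections.singleton(action));
        }
    }

    /**
     * Filters {@code set} down to the entities {@code principal} may see. Entities covered by a
     * local bypass are included without consulting the delegate; all remaining entities are
     * passed to the delegate's {@code isVisible} in a single call.
     *
     * @return {@code set} itself when authorization is disabled, otherwise an unmodifiable set
     * @throws Exception whatever the delegate authorizer throws
     */
    public Set<? extends EntityId> isVisible(Set<? extends EntityId> set, Principal principal) throws Exception {
        if (!isSecurityAuthorizationEnabled()) {
            return set;
        }
        Set<EntityId> visible = new HashSet<>();
        for (EntityId entityId : set) {
            if (isBypassed(entityId, principal)) {
                visible.add(entityId);
            }
        }
        // Only entities not already granted locally are sent to the extension. This is a live
        // view over `visible`, so it is read (delegate call, logging) before `visible` grows.
        Set<? extends EntityId> toCheck = Sets.difference(set, visible);
        LOG.trace("Checking visibility of {} for principal {}.", toCheck, principal);
        StopWatch stopWatch = new StopWatch();
        stopWatch.start();
        Set<? extends EntityId> delegateVisible;
        try {
            // m16get is presumably the decompiler's name for the instantiator's get(); kept as found.
            delegateVisible = this.authorizerInstantiator.m16get().isVisible(toCheck, principal);
        } finally {
            // One stop() on both success and failure; the duplicated try/catch timing code this
            // replaces could call stop() twice if anything after the first stop() threw.
            stopWatch.stop();
            long time = stopWatch.getTime();
            logTiming(time, VISIBILITY_LOG_LINE, toCheck, principal, time);
        }
        visible.addAll(delegateVisible);
        LOG.trace("Getting {} as visible entities", visible);
        return Collections.unmodifiableSet(visible);
    }

    /**
     * Enforces {@code set} of actions, skipping the delegate entirely when a local bypass applies.
     *
     * @throws Exception whatever the delegate authorizer throws
     */
    private void doEnforce(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        if (isBypassed(entityId, principal)) {
            return;
        }
        LOG.trace("Enforcing actions {} on {} for principal {}.", new Object[]{set, entityId, principal});
        StopWatch stopWatch = new StopWatch();
        stopWatch.start();
        try {
            this.authorizerInstantiator.m16get().enforce(entityId, principal, set);
        } finally {
            // Timing is logged whether the delegate allowed, denied (threw) or errored.
            stopWatch.stop();
            long time = stopWatch.getTime();
            logTiming(time, ENFORCE_LOG_LINE, set, entityId, principal, time);
        }
    }

    /**
     * Logs a completed delegate call at WARN when it exceeded the configured threshold, else at
     * TRACE.
     *
     * @param millis elapsed time of the delegate call
     * @param logLine SLF4J pattern whose placeholders are filled from {@code args}
     * @param args values for the pattern's placeholders, in order
     */
    private void logTiming(long millis, String logLine, Object... args) {
        if (millis > this.logTimeTakenAsWarn) {
            LOG.warn(logLine, args);
        } else {
            LOG.trace(logLine, args);
        }
    }

    /**
     * True when the check is answered locally without consulting the delegate authorizer. These
     * are the only two conditions under which access is granted without the extension's decision,
     * so any change here widens or narrows what the pluggable authorizer can control.
     */
    private boolean isBypassed(EntityId entityId, Principal principal) {
        return isAccessingSystemNSAsMasterUser(entityId, principal) || isEnforcingOnSamePrincipalId(entityId, principal);
    }

    /** The configured master user acting on a namespaced entity inside the system namespace. */
    private boolean isAccessingSystemNSAsMasterUser(EntityId entityId, Principal principal) {
        return (entityId instanceof NamespacedEntityId)
            && ((NamespacedEntityId) entityId).getNamespaceId().equals(NamespaceId.SYSTEM)
            && principal.equals(this.masterUser);
    }

    /** A principal acting on the Kerberos-principal entity whose entity name equals its own name. */
    private boolean isEnforcingOnSamePrincipalId(EntityId entityId, Principal principal) {
        return entityId.getEntityType().equals(EntityType.KERBEROSPRINCIPAL)
            && principal.getName().equals(entityId.getEntityName());
    }
}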
