package co.cask.cdap.security.authorization;

import co.cask.cdap.proto.element.EntityType;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.ArtifactId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.ProgramId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Authorizable;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.AlreadyExistsException;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.security.spi.authorization.NotFoundException;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Splitter;
import com.google.common.collect.Sets;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/* loaded from: input_file:co/cask/cdap/security/authorization/InMemoryAuthorizer.class */
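/**
 * Authorizer that keeps all grants, roles and superusers in process memory.
 *
 * <p>Privileges are stored per {@link Authorizable}, then per {@link Principal}, as a set of
 * {@link Action}s. Role membership is stored as role -> member principals. Nothing in this class
 * persists that state.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Principals named in the {@code superusers} extension property bypass every check in
 *       {@link #enforce} and {@link #isVisible}. If that list contains {@code *}, every principal
 *       is treated as a superuser.</li>
 *   <li>Read paths (enforce, visibility, listing) do not create entries in the privilege map;
 *       only {@link #grant} does.</li>
 * </ul>
 */
public class InMemoryAuthorizer extends AbstractAuthorizer {
    private final ConcurrentMap<Authorizable, ConcurrentMap<Principal, Set<Action>>> privileges = new ConcurrentHashMap<>();
    private final ConcurrentMap<Role, Set<Principal>> roleToPrincipals = new ConcurrentHashMap<>();
    // Plain HashSet: only written in initialize(); assumes initialize() completes before
    // concurrent enforcement starts -- TODO confirm against the caller.
    private final Set<Principal> superUsers = new HashSet<>();
    // Wildcard entry: when present in superUsers, every principal is a superuser.
    private final Principal allSuperUsers = new Principal("*", Principal.PrincipalType.USER);

    /**
     * Wrapper giving an {@link EntityId} equality that, for artifacts, applications and programs,
     * compares only the fields listed in {@link #equals(Object)}; other fields of those ids are
     * not compared. All other entity types fall back to the id's own equality.
     */
    public final class AuthorizableEntityId {
        private final EntityId entityId;

        AuthorizableEntityId(EntityId entityId) {
            this.entityId = entityId;
        }

        public EntityId getEntityId() {
            return this.entityId;
        }

        /**
         * Compares two wrapped ids. Entity types must match; then
         * ARTIFACT compares namespace + artifact, APPLICATION compares namespace + application,
         * PROGRAM compares namespace + application + type + program, anything else uses
         * {@code EntityId.equals}.
         */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            AuthorizableEntityId that = (AuthorizableEntityId) obj;
            EntityId other = that.getEntityId();
            EntityType type = this.entityId.getEntityType();
            if (!other.getEntityType().equals(type)) {
                return false;
            }
            // The entity types are equal at this point, so the casts below target the same
            // concrete id class on both sides.
            if (type.equals(EntityType.ARTIFACT)) {
                ArtifactId mine = (ArtifactId) this.entityId;
                ArtifactId theirs = (ArtifactId) other;
                return Objects.equals(mine.getNamespace(), theirs.getNamespace())
                    && Objects.equals(mine.getArtifact(), theirs.getArtifact());
            }
            if (type.equals(EntityType.APPLICATION)) {
                ApplicationId mine = (ApplicationId) this.entityId;
                ApplicationId theirs = (ApplicationId) other;
                return Objects.equals(mine.getNamespace(), theirs.getNamespace())
                    && Objects.equals(mine.getApplication(), theirs.getApplication());
            }
            if (type.equals(EntityType.PROGRAM)) {
                ProgramId mine = (ProgramId) this.entityId;
                ProgramId theirs = (ProgramId) other;
                return Objects.equals(mine.getNamespace(), theirs.getNamespace())
                    && Objects.equals(mine.getApplication(), theirs.getApplication())
                    && Objects.equals(mine.getType(), theirs.getType())
                    && Objects.equals(mine.getProgram(), theirs.getProgram());
            }
            return Objects.equals(this.entityId, that.entityId);
        }

        /** Hashes exactly the fields that {@link #equals(Object)} compares for each entity type. */
        @Override
        public int hashCode() {
            EntityType type = this.entityId.getEntityType();
            if (type.equals(EntityType.ARTIFACT)) {
                ArtifactId artifactId = (ArtifactId) this.entityId;
                return Objects.hash(artifactId.getEntityType(), artifactId.getNamespace(), artifactId.getArtifact());
            }
            if (type.equals(EntityType.APPLICATION)) {
                ApplicationId applicationId = (ApplicationId) this.entityId;
                return Objects.hash(applicationId.getEntityType(), applicationId.getNamespace(), applicationId.getApplication());
            }
            if (type.equals(EntityType.PROGRAM)) {
                ProgramId programId = (ProgramId) this.entityId;
                return Objects.hash(programId.getEntityType(), programId.getNamespace(), programId.getApplication(),
                    programId.getType(), programId.getProgram());
            }
            return Objects.hash(this.entityId);
        }
    }

    /**
     * Reads the comma-separated {@code superusers} extension property, if set, and registers each
     * non-empty, trimmed name as a USER superuser.
     *
     * @param authorizationContext source of the extension properties
     */
    public void initialize(AuthorizationContext authorizationContext) throws Exception {
        Properties extensionProperties = authorizationContext.getExtensionProperties();
        if (extensionProperties.containsKey("superusers")) {
            String configured = extensionProperties.getProperty("superusers");
            // getProperty returns null when the stored value is not a String; skip rather than
            // fail inside the splitter.
            if (configured != null) {
                for (String name : Splitter.on(",").trimResults().omitEmptyStrings().split(configured)) {
                    this.superUsers.add(new Principal(name, Principal.PrincipalType.USER));
                }
            }
        }
    }

    /**
     * Checks that {@code principal} may perform every action in {@code set} on {@code entityId}.
     *
     * <p>Superusers always pass. Otherwise the request passes if the principal's direct grants
     * cover all requested actions, or if the combined grants of the roles it belongs to cover
     * all requested actions. Roles are not expanded when the principal itself is a role.
     *
     * @throws UnauthorizedException if neither the direct grants nor the role grants cover the
     *     request; the reported missing actions are computed against the direct grants only
     */
    public void enforce(EntityId entityId, Principal principal, Set<Action> set) throws UnauthorizedException {
        if (isSuperUser(principal)) {
            return;
        }
        Authorizable authorizable = Authorizable.fromEntityId(entityId);
        // Read-only lookup: an enforcement check must not grow the privilege map.
        Set<Action> direct = findActions(authorizable, principal);
        if (direct.containsAll(set)) {
            return;
        }
        Set<Action> viaRoles = new HashSet<>();
        if (principal.getType() != Principal.PrincipalType.ROLE) {
            for (Role role : getRoles(principal)) {
                viaRoles.addAll(findActions(authorizable, role));
            }
        }
        // NOTE(review): direct and role grants are evaluated separately, so a request that is
        // only satisfied by their union is denied. That fails closed; confirm it is intended
        // before widening it.
        if (!viaRoles.containsAll(set)) {
            throw new UnauthorizedException(principal, Sets.difference(set, direct), entityId);
        }
    }

    /**
     * Filters {@code set} down to the entities the principal can see.
     *
     * <p>Superusers see the input unchanged. Otherwise an entity is kept when the principal has
     * at least one action granted directly on an authorizable whose entity parts contain all of
     * the entity's own parts with equal values (see {@link #isParent}).
     * NOTE(review): grants held through roles are not consulted here -- confirm that is intended.
     */
    public Set<? extends EntityId> isVisible(Set<? extends EntityId> set, Principal principal) throws Exception {
        if (isSuperUser(principal)) {
            return set;
        }
        Set<EntityId> visible = new HashSet<>();
        for (EntityId entityId : set) {
            // Iterate entries (not keys + get) so a concurrent revoke(authorizable) cannot hand
            // us a null inner map, and stop normally when no authorizable matches.
            for (Map.Entry<Authorizable, ConcurrentMap<Principal, Set<Action>>> entry : this.privileges.entrySet()) {
                if (!isParent(entityId, entry.getKey().getEntityParts())) {
                    continue;
                }
                Set<Action> granted = entry.getValue().get(principal);
                if (granted != null && !granted.isEmpty()) {
                    visible.add(entityId);
                    break;
                }
            }
        }
        return visible;
    }

    /** Adds {@code set} to the actions granted to {@code principal} on {@code authorizable}. */
    public void grant(Authorizable authorizable, Principal principal, Set<Action> set) throws Exception {
        getActions(authorizable, principal).addAll(set);
    }

    /** Removes {@code set} from the actions granted to {@code principal} on {@code authorizable}. */
    public void revoke(Authorizable authorizable, Principal principal, Set<Action> set) throws Exception {
        Set<Action> granted = findActions(authorizable, principal);
        // Nothing recorded means nothing to revoke; avoid creating an empty entry.
        if (!granted.isEmpty()) {
            granted.removeAll(set);
        }
    }

    /** Removes every grant recorded on {@code authorizable}, for all principals. */
    public void revoke(Authorizable authorizable) throws Exception {
        this.privileges.remove(authorizable);
    }

    /**
     * Registers a new role with no members.
     *
     * @throws AlreadyExistsException if the role is already registered
     */
    public void createRole(Role role) throws AlreadyExistsException {
        Set<Principal> members = Collections.newSetFromMap(new ConcurrentHashMap<Principal, Boolean>());
        // putIfAbsent is the single atomic existence check.
        if (this.roleToPrincipals.putIfAbsent(role, members) != null) {
            throw new AlreadyExistsException(role);
        }
    }

    /**
     * Removes a role and its membership list.
     *
     * @throws NotFoundException if the role is not registered
     */
    public void dropRole(Role role) throws NotFoundException {
        // NOTE(review): grants recorded for this role in the privilege map are left in place.
        // They would still satisfy enforce() called with the role itself as principal, and
        // presumably apply again if an equal role is re-created -- confirm whether dropRole
        // should also purge them.
        if (this.roleToPrincipals.remove(role) == null) {
            throw new NotFoundException(role);
        }
    }

    /**
     * Adds {@code principal} as a member of {@code role}.
     *
     * @throws NotFoundException if the role is not registered
     */
    public void addRoleToPrincipal(Role role, Principal principal) throws NotFoundException {
        Set<Principal> members = this.roleToPrincipals.get(role);
        if (members == null) {
            throw new NotFoundException(role);
        }
        members.add(principal);
    }

    /**
     * Removes {@code principal} from the members of {@code role}.
     *
     * @throws NotFoundException if the role is not registered
     */
    public void removeRoleFromPrincipal(Role role, Principal principal) throws NotFoundException {
        Set<Principal> members = this.roleToPrincipals.get(role);
        if (members == null) {
            throw new NotFoundException(role);
        }
        members.remove(principal);
    }

    /** Returns an unmodifiable snapshot of the roles that {@code principal} is a member of. */
    public Set<Role> listRoles(Principal principal) {
        return Collections.unmodifiableSet(getRoles(principal));
    }

    /** Returns an unmodifiable view of all registered roles. */
    public Set<Role> listAllRoles() {
        return Collections.unmodifiableSet(this.roleToPrincipals.keySet());
    }

    /**
     * Lists the privileges held by {@code principal}: its direct grants plus, when it is not
     * itself a role, the grants of the roles it is a member of.
     */
    public Set<Privilege> listPrivileges(Principal principal) {
        Set<Privilege> result = new HashSet<>(getPrivileges(principal));
        if (principal.getType() != Principal.PrincipalType.ROLE) {
            // Only the principal's own roles: walking every registered role would report
            // privileges the principal does not hold and disagree with enforce().
            for (Role role : getRoles(principal)) {
                result.addAll(getPrivileges(role));
            }
        }
        return Collections.unmodifiableSet(result);
    }

    /** Collects the grants recorded directly for {@code principal} across all authorizables. */
    private Set<Privilege> getPrivileges(Principal principal) {
        Set<Privilege> result = new HashSet<>();
        for (Map.Entry<Authorizable, ConcurrentMap<Principal, Set<Action>>> entry : this.privileges.entrySet()) {
            Set<Action> granted = entry.getValue().get(principal);
            if (granted == null) {
                continue;
            }
            for (Action action : granted) {
                result.add(new Privilege(entry.getKey(), action));
            }
        }
        return Collections.unmodifiableSet(result);
    }

    /** Returns true when the principal is a configured superuser or the wildcard is configured. */
    private boolean isSuperUser(Principal principal) {
        return this.superUsers.contains(principal) || this.superUsers.contains(this.allSuperUsers);
    }

    /**
     * Read-only lookup of the actions granted to {@code principal} on {@code authorizable}.
     * Returns an empty set when nothing is recorded and never inserts into the privilege map.
     */
    private Set<Action> findActions(Authorizable authorizable, Principal principal) {
        ConcurrentMap<Principal, Set<Action>> byPrincipal = this.privileges.get(authorizable);
        if (byPrincipal == null) {
            return Collections.emptySet();
        }
        Set<Action> granted = byPrincipal.get(principal);
        if (granted == null) {
            return Collections.emptySet();
        }
        return granted;
    }

    /**
     * Returns the live, mutable action set for {@code principal} on {@code authorizable},
     * creating the map entries if they do not exist yet. Intended for the write path only.
     */
    private Set<Action> getActions(Authorizable authorizable, Principal principal) {
        ConcurrentMap<Principal, Set<Action>> byPrincipal = this.privileges.get(authorizable);
        if (byPrincipal == null) {
            ConcurrentMap<Principal, Set<Action>> fresh = new ConcurrentHashMap<>();
            ConcurrentMap<Principal, Set<Action>> raced = this.privileges.putIfAbsent(authorizable, fresh);
            // Another thread may have inserted first; always use the map that is actually stored.
            byPrincipal = raced == null ? fresh : raced;
        }
        Set<Action> granted = byPrincipal.get(principal);
        if (granted != null) {
            return granted;
        }
        Set<Action> fresh = Collections.newSetFromMap(new ConcurrentHashMap<Action, Boolean>());
        Set<Action> raced = byPrincipal.putIfAbsent(principal, fresh);
        return raced == null ? fresh : raced;
    }

    /** Returns a new set holding every role whose member list contains {@code principal}. */
    private Set<Role> getRoles(Principal principal) {
        Set<Role> roles = new HashSet<>();
        for (Map.Entry<Role, Set<Principal>> entry : this.roleToPrincipals.entrySet()) {
            if (entry.getValue().contains(principal)) {
                roles.add(entry.getKey());
            }
        }
        return roles;
    }

    /**
     * Returns true when every entity part of {@code entityId} is present in {@code map} with an
     * equal value, i.e. {@code map} describes the entity itself or something beneath it.
     */
    private boolean isParent(EntityId entityId, Map<EntityType, String> map) {
        Map<EntityType, String> entityParts = Authorizable.fromEntityId(entityId).getEntityParts();
        for (Map.Entry<EntityType, String> part : entityParts.entrySet()) {
            String candidate = map.get(part.getKey());
            if (candidate == null || !candidate.equals(part.getValue())) {
                return false;
            }
        }
        return true;
    }
}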
