package co.cask.cdap.security.authorization;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.http.DefaultHttpRequestConfig;
import co.cask.cdap.common.internal.remote.RemoteClient;
import co.cask.cdap.proto.codec.EntityIdTypeAdapter;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.AuthorizationPrivilege;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.VisibilityRequest;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import co.cask.common.http.HttpMethod;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Function;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Maps;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.reflect.TypeToken;
import com.google.inject.Inject;
import java.io.IOException;
import java.lang.reflect.Type;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.annotation.ParametersAreNonnullByDefault;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/authorization/RemoteAuthorizationEnforcer.class */
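/**
 * Authorization enforcer that delegates every decision to the remote "appfabric" service
 * ({@code /v1/execute/enforce} and {@code /v1/execute/isVisible}) and memoizes the verdicts
 * in two bounded, time-limited caches.
 *
 * <p>Fail-closed by construction: {@link #enforce} grants access only on an explicit HTTP 200
 * from the remote side. An {@code UnauthorizedException} or an HTTP 403 is a definitive denial;
 * any other outcome (transport error, 5xx, 404 while appfabric is unreachable, empty response
 * body) is surfaced as an {@link IOException} instead of being recorded in a cache as either a
 * grant or a denial. Both caches expire entries a fixed time after they were written, so a
 * cached verdict is re-validated at most {@code security.authorization.cache.ttl.secs} seconds
 * after it was fetched no matter how often it is read; this bounds how long a revoked privilege
 * can still be honoured by a process holding this enforcer.
 *
 * <p>Configuration read from {@code CConfiguration}:
 * <ul>
 *   <li>{@code security.authorization.cache.ttl.secs} - lifetime of a cached verdict.</li>
 *   <li>{@code security.authorization.cache.max.entries} - total cache budget, split between the
 *       two caches; a value of 0 (or less) disables caching so every call goes remote.</li>
 * </ul>
 */
public class RemoteAuthorizationEnforcer extends AbstractAuthorizationEnforcer {
    private static final Logger LOG = LoggerFactory.getLogger(RemoteAuthorizationEnforcer.class);
    private static final Gson GSON = new GsonBuilder()
        .registerTypeAdapter(EntityId.class, new EntityIdTypeAdapter())
        .create();
    private static final Type SET_ENTITY_TYPE = new TypeToken<Set<EntityId>>() { }.getType();

    /** Discovery name of the service that owns the authorization endpoints. */
    private static final String APP_FABRIC_SERVICE = "appfabric";
    /** Base path of the remote execute API; endpoint names below are appended to it. */
    private static final String EXECUTE_BASE_PATH = "/v1/execute/";
    private static final String ENFORCE_ENDPOINT = "enforce";
    private static final String IS_VISIBLE_ENDPOINT = "isVisible";

    private static final String CACHE_TTL_SECS_KEY = "security.authorization.cache.ttl.secs";
    private static final String CACHE_MAX_ENTRIES_KEY = "security.authorization.cache.max.entries";

    /** Only an explicit 200 from the remote enforcer is treated as "allowed". */
    private static final int HTTP_OK = 200;
    /** The remote enforcer's explicit "denied" answer when it arrives as a status, not an exception. */
    private static final int HTTP_FORBIDDEN = 403;

    /** Projects a visibility cache key back to the entity it describes. */
    private static final Function<VisibilityKey, EntityId> VISIBILITY_KEY_ENTITY_ID_FUNCTION =
        new Function<VisibilityKey, EntityId>() {
            @Override
            public EntityId apply(VisibilityKey key) {
                return key.getEntityId();
            }
        };

    /** Keeps only the cache entries whose verdict is "visible". */
    private static final Predicate<Map.Entry<VisibilityKey, Boolean>> VISIBILITY_KEYS_FILTER =
        new Predicate<Map.Entry<VisibilityKey, Boolean>>() {
            @Override
            public boolean apply(Map.Entry<VisibilityKey, Boolean> entry) {
                return entry.getValue();
            }
        };

    /** Client for the remote execute API; resolves appfabric through service discovery. */
    private final RemoteClient remoteClient;
    /** False when the configured cache budget is zero or negative; then every check goes remote. */
    private final boolean cacheEnabled;
    /** (principal, entity, action) -> allowed. Loaded by {@link #doEnforce}. */
    private final LoadingCache<AuthorizationPrivilege, Boolean> authPolicyCache;
    /** (principal, entity) -> visible. Loaded in batches by {@link #loadVisibility}. */
    private final LoadingCache<VisibilityKey, Boolean> visibilityCache;

    /**
     * Immutable key of the visibility cache: one principal looking at one entity.
     * Value semantics ({@link #equals}/{@link #hashCode}) are required for correct cache lookups.
     */
    private static final class VisibilityKey {
        private final Principal principal;
        private final EntityId entityId;

        VisibilityKey(Principal principal, EntityId entityId) {
            this.principal = principal;
            this.entityId = entityId;
        }

        public Principal getPrincipal() {
            return principal;
        }

        public EntityId getEntityId() {
            return entityId;
        }

        @Override
        public boolean equals(Object other) {
            if (this == other) {
                return true;
            }
            if (other == null || getClass() != other.getClass()) {
                return false;
            }
            VisibilityKey that = (VisibilityKey) other;
            return Objects.equals(principal, that.principal) && Objects.equals(entityId, that.entityId);
        }

        @Override
        public int hashCode() {
            return Objects.hash(principal, entityId);
        }

        @Override
        public String toString() {
            return "VisibilityKey{principal=" + principal + ", entityId=" + entityId + '}';
        }
    }

    /**
     * Creates an enforcer backed by the remote appfabric service.
     *
     * @param cConfiguration source of the cache TTL and size settings
     * @param discoveryServiceClient used to locate the appfabric service
     */
    @Inject
    public RemoteAuthorizationEnforcer(CConfiguration cConfiguration, DiscoveryServiceClient discoveryServiceClient) {
        super(cConfiguration);
        this.remoteClient = new RemoteClient(discoveryServiceClient, APP_FABRIC_SERVICE,
                                             new DefaultHttpRequestConfig(false), EXECUTE_BASE_PATH);
        int cacheTtlSecs = cConfiguration.getInt(CACHE_TTL_SECS_KEY);
        int maxEntries = cConfiguration.getInt(CACHE_MAX_ENTRIES_KEY);
        this.cacheEnabled = maxEntries > 0;
        // The configured budget is shared by the two caches. The caches are still constructed when
        // caching is disabled (size 1) so the fields are never null; they are simply not consulted.
        int perCacheSize = (maxEntries / 2) + 1;

        this.authPolicyCache = CacheBuilder.newBuilder()
            .expireAfterWrite(cacheTtlSecs, TimeUnit.SECONDS)
            .maximumSize(perCacheSize)
            .build(new CacheLoader<AuthorizationPrivilege, Boolean>() {
                @Override
                public Boolean load(AuthorizationPrivilege privilege) throws Exception {
                    LOG.trace("Cache miss for {}", privilege);
                    return doEnforce(privilege);
                }
            });

        // expireAfterWrite, deliberately matching the policy cache: a cached "visible" verdict is
        // re-fetched at most cacheTtlSecs after it was obtained, however often it is read. An
        // access-based expiry would let a hot entry outlive a revocation indefinitely.
        this.visibilityCache = CacheBuilder.newBuilder()
            .expireAfterWrite(cacheTtlSecs, TimeUnit.SECONDS)
            .maximumSize(perCacheSize)
            .build(new CacheLoader<VisibilityKey, Boolean>() {
                @Override
                public Boolean load(VisibilityKey key) throws Exception {
                    LOG.trace("Cache miss for {}", key);
                    return !loadVisibility(Collections.singleton(key)).isEmpty();
                }

                @Override
                public Map<VisibilityKey, Boolean> loadAll(Iterable<? extends VisibilityKey> keys) throws Exception {
                    LOG.trace("Cache miss for {}", keys);
                    return loadVisibility(keys);
                }
            });
    }

    /**
     * Checks that {@code principal} may perform {@code action} on {@code entityId}.
     *
     * <p>A no-op when authorization is disabled. Otherwise the verdict comes from the cache (if
     * enabled) or directly from the remote service.
     *
     * @throws UnauthorizedException if the remote service denies the action
     * @throws Exception if the verdict could not be obtained; the caller must treat this as a
     *         denial as well, since the method does not return normally
     */
    @Override
    public void enforce(EntityId entityId, Principal principal, Action action) throws Exception {
        if (!isSecurityAuthorizationEnabled()) {
            return;
        }
        AuthorizationPrivilege privilege = new AuthorizationPrivilege(principal, entityId, action);
        boolean allowed = cacheEnabled ? authPolicyCache.get(privilege) : doEnforce(privilege);
        if (!allowed) {
            throw new UnauthorizedException(principal, action, entityId);
        }
    }

    /**
     * Filters {@code entityIds} down to those visible to {@code principal}.
     *
     * <p>Returns the input unchanged when authorization is disabled. With caching enabled, only the
     * (principal, entity) pairs missing from the cache are sent to the remote service, in one batch.
     *
     * @return the subset of {@code entityIds} the principal may see
     * @throws Exception if the verdict could not be obtained from the remote service
     */
    @Override
    public Set<? extends EntityId> isVisible(Set<? extends EntityId> entityIds, Principal principal) throws Exception {
        if (!isSecurityAuthorizationEnabled()) {
            return entityIds;
        }
        Preconditions.checkNotNull(entityIds, "entityIds cannot be null");
        if (entityIds.isEmpty()) {
            // Nothing to check; avoid a round trip whose answer can only be the empty set.
            return entityIds;
        }
        if (!cacheEnabled) {
            return visibilityCheckCall(new VisibilityRequest(principal, entityIds));
        }
        Map<VisibilityKey, Boolean> verdicts = visibilityCache.getAll(toVisibilityKeys(principal, entityIds));
        return toEntityIds(Maps.filterEntries(verdicts, VISIBILITY_KEYS_FILTER).keySet());
    }

    /** Drops every cached verdict so the next check goes to the remote service. Test hook. */
    @VisibleForTesting
    public void clearCache() {
        authPolicyCache.invalidateAll();
        visibilityCache.invalidateAll();
    }

    /**
     * Asks the remote service for a single allow/deny verdict.
     *
     * @return {@code true} only on HTTP 200; {@code false} on a 403 or an {@code UnauthorizedException}
     * @throws IOException on transport failure or any other status, so that a transient outage
     *         is neither cached as a denial for a full TTL nor mistaken for a policy decision
     */
    private boolean doEnforce(AuthorizationPrivilege privilege) throws IOException {
        int status;
        try {
            status = remoteClient.execute(
                remoteClient.requestBuilder(HttpMethod.POST, ENFORCE_ENDPOINT)
                    .withBody(GSON.toJson(privilege))
                    .build())
                .getResponseCode();
        } catch (UnauthorizedException e) {
            // RemoteClient raises the denial as an exception; that is a definitive "no".
            return false;
        }
        if (status == HTTP_OK) {
            return true;
        }
        if (status == HTTP_FORBIDDEN) {
            return false;
        }
        // Not an authorization verdict (5xx, 404 while appfabric is down, ...). Throwing keeps it out
        // of the cache and lets the caller tell "service unavailable" from "not authorized"; access is
        // still denied because enforce() does not complete normally.
        throw new IOException("Authorization check failed with HTTP " + status + " for " + privilege);
    }

    /**
     * Sends one batched visibility request and returns the entity ids the service reported visible.
     *
     * @throws IOException on transport failure, or if the reply carries no body - a missing body
     *         must not be read as "nothing is visible" and must never be cached as a verdict
     */
    private Set<? extends EntityId> visibilityCheckCall(VisibilityRequest request) throws IOException {
        // NOTE(review): the HTTP status is not inspected on this path; a non-200 reply is only caught
        // indirectly (JSON parse failure or the null check below). Confirm RemoteClient.execute rejects
        // error statuses, or surface the status here as doEnforce does.
        String body = remoteClient.execute(
            remoteClient.requestBuilder(HttpMethod.POST, IS_VISIBLE_ENDPOINT)
                .withBody(GSON.toJson(request))
                .build())
            .getResponseBodyAsString();
        Set<? extends EntityId> visible = GSON.fromJson(body, SET_ENTITY_TYPE);
        if (visible == null) {
            throw new IOException("Visibility check returned no response body (expected a JSON set of entity ids)");
        }
        return visible;
    }

    /**
     * Resolves visibility for a batch of keys with one remote call.
     *
     * <p>The remote request carries a single principal, so every key in the batch must belong to
     * the same one; a mixed batch is rejected rather than silently evaluated against the first
     * key's identity. Callers in this class always build batches for exactly one principal.
     *
     * @return a map with one entry per input key; {@code true} where the entity was reported visible
     * @throws IOException if the remote call fails (see {@link #visibilityCheckCall})
     * @throws IllegalArgumentException if the keys do not all share one principal
     */
    private Map<VisibilityKey, Boolean> loadVisibility(Iterable<? extends VisibilityKey> keys) throws IOException {
        if (!keys.iterator().hasNext()) {
            return Collections.emptyMap();
        }
        Principal principal = keys.iterator().next().getPrincipal();
        for (VisibilityKey key : keys) {
            Preconditions.checkArgument(Objects.equals(principal, key.getPrincipal()),
                                        "Visibility batch mixes principals: %s vs %s", principal, key.getPrincipal());
        }
        Set<? extends EntityId> visible = visibilityCheckCall(new VisibilityRequest(principal, toEntityIds(keys)));
        Map<VisibilityKey, Boolean> verdicts = new HashMap<>();
        for (VisibilityKey key : keys) {
            verdicts.put(key, visible.contains(key.getEntityId()));
        }
        return verdicts;
    }

    /** Collects the entity ids of the given keys into an immutable set. */
    private Set<? extends EntityId> toEntityIds(Iterable<? extends VisibilityKey> keys) {
        return ImmutableSet.copyOf(Iterables.transform(keys, VISIBILITY_KEY_ENTITY_ID_FUNCTION));
    }

    /** Lazily pairs each entity id with {@code principal} to form cache keys. */
    private Iterable<VisibilityKey> toVisibilityKeys(final Principal principal, Set<? extends EntityId> entityIds) {
        return Iterables.transform(entityIds, new Function<EntityId, VisibilityKey>() {
            @Override
            public VisibilityKey apply(EntityId entityId) {
                return new VisibilityKey(principal, entityId);
            }
        });
    }
}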
