package co.cask.cdap.security.authorization;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.KerberosPrincipalId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.impersonation.OwnerAdmin;
import co.cask.cdap.security.impersonation.SecurityUtil;
import co.cask.cdap.security.spi.authentication.AuthenticationContext;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.cdap.security.spi.authorization.AuthorizationEnforcer;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Function;
import com.google.common.base.Predicate;
import com.google.common.collect.Iterables;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.annotation.Nullable;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/authorization/AuthorizationUtil.class */
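/**
 * Static helpers shared by the authorization layer: privilege checks against an
 * {@link AuthorizationEnforcer}, bulk visibility filtering, scoped impersonation of the
 * request user, and resolution of the identities an operation is authorized as.
 *
 * <p>The class holds no mutable state; every method is a pure function of its arguments plus
 * the {@link SecurityRequestContext} / configuration it is handed.
 */
public final class AuthorizationUtil {
    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationUtil.class);

    /** Configuration key that switches CDAP security on as a whole. */
    private static final String SECURITY_ENABLED_KEY = "security.enabled";
    /** Configuration key that switches authorization enforcement on; only meaningful together with security. */
    private static final String AUTHORIZATION_ENABLED_KEY = "security.authorization.enabled";
    /** Configuration key holding the Kerberos principal the CDAP master runs as. */
    private static final String MASTER_KERBEROS_PRINCIPAL_KEY = "cdap.master.kerberos.principal";
    /** Number of entity ids handed to the enforcer per bulk visibility call. */
    private static final int VISIBILITY_BATCH_SIZE = 500;

    private AuthorizationUtil() {
        // static utility class, never instantiated
    }

    /**
     * Ensures that {@code principal} is granted at least one of the given actions on
     * {@code entityId}. Each action is probed in the set's iteration order and the first
     * grant ends the check; denials of individual actions are not errors here.
     *
     * @param entityId the entity the actions apply to
     * @param set the candidate actions, any one of which suffices
     * @param authorizationEnforcer the enforcer consulted for each action
     * @param principal the principal whose privileges are checked
     * @throws UnauthorizedException if none of the actions is granted; an empty {@code set}
     *         therefore always fails closed
     * @throws Exception if the enforcer fails for a reason other than a denied action
     */
    public static void ensureOnePrivilege(EntityId entityId, Set<Action> set, AuthorizationEnforcer authorizationEnforcer, Principal principal) throws Exception {
        for (Action action : set) {
            try {
                authorizationEnforcer.enforce(entityId, principal, action);
                return; // one granted action is sufficient
            } catch (UnauthorizedException ignored) {
                // A denial of this particular action is expected; keep probing the remaining ones.
                LOG.trace("{} is not granted {} on {}; trying the remaining actions", principal, action, entityId);
            }
        }
        throw new UnauthorizedException(principal, set, entityId, false);
    }

    /**
     * Filters {@code collection} down to the entries that {@code principal} is allowed to see.
     * Entries are sent to the enforcer in batches of {@link #VISIBILITY_BATCH_SIZE} ids; within
     * a batch, entries the bypass {@code predicate} accepts are kept without consulting the
     * enforcer, all others are kept only if the enforcer reports their id as visible.
     *
     * <p>Several entries may map to the same {@link EntityId}; they are all kept or dropped
     * together rather than all but the last being lost.
     *
     * @param collection the entries to filter
     * @param authorizationEnforcer the enforcer asked for the visible ids of each batch
     * @param principal the principal visibility is evaluated for
     * @param function maps an entry to the entity id the enforcer decides on
     * @param predicate optional bypass: entries it accepts are visible without an enforcer check
     * @param <EntityInfo> the entry type
     * @return an unmodifiable list of the visible entries; bypassed entries appear in input order
     *         as encountered, enforcer-approved entries of each batch follow them
     * @throws Exception if the enforcer fails
     */
    public static <EntityInfo> List<EntityInfo> isVisible(Collection<EntityInfo> collection, AuthorizationEnforcer authorizationEnforcer, Principal principal, Function<EntityInfo, EntityId> function, @Nullable Predicate<EntityInfo> predicate) throws Exception {
        List<EntityInfo> visible = new ArrayList<EntityInfo>(collection.size());
        for (List<EntityInfo> batch : Iterables.partition(collection, VISIBILITY_BATCH_SIZE)) {
            // Entries still awaiting a decision, grouped by id so one bulk enforcer call covers the batch.
            // LinkedHashMap keeps the first-seen order of ids for the result.
            Map<EntityId, List<EntityInfo>> pending = new LinkedHashMap<EntityId, List<EntityInfo>>(batch.size());
            for (EntityInfo info : batch) {
                if (predicate != null && predicate.apply(info)) {
                    // The caller vouches for this entry; no enforcer round-trip.
                    visible.add(info);
                    continue;
                }
                EntityId id = function.apply(info);
                List<EntityInfo> sameId = pending.get(id);
                if (sameId == null) {
                    sameId = new ArrayList<EntityInfo>(1);
                    pending.put(id, sameId);
                }
                sameId.add(info);
            }
            // Drop every id the enforcer did not return; only the survivors' entries are kept.
            pending.keySet().retainAll(authorizationEnforcer.isVisible(pending.keySet(), principal));
            for (List<EntityInfo> infos : pending.values()) {
                visible.addAll(infos);
            }
        }
        return Collections.unmodifiableList(visible);
    }

    /**
     * Ensures that {@code entityId} is visible to {@code principal}.
     *
     * @param entityId the entity to check
     * @param authorizationEnforcer the enforcer asked whether the entity is visible
     * @param principal the principal visibility is evaluated for
     * @throws UnauthorizedException if the enforcer does not report the entity as visible
     * @throws Exception if the enforcer fails
     */
    public static void ensureAccess(EntityId entityId, AuthorizationEnforcer authorizationEnforcer, Principal principal) throws Exception {
        Set<EntityId> requested = Collections.singleton(entityId);
        if (authorizationEnforcer.isVisible(requested, principal).isEmpty()) {
            throw new UnauthorizedException(principal, entityId);
        }
    }

    /**
     * Tells whether authorization enforcement is active: both security as a whole and the
     * authorization switch must be enabled in the configuration.
     *
     * @param cConfiguration the configuration to consult
     * @return {@code true} only if {@code security.enabled} and
     *         {@code security.authorization.enabled} are both true
     */
    public static boolean isSecurityAuthorizationEnabled(CConfiguration cConfiguration) {
        return cConfiguration.getBoolean(SECURITY_ENABLED_KEY)
            && cConfiguration.getBoolean(AUTHORIZATION_ENABLED_KEY);
    }

    /**
     * Runs {@code callable} with the request user id temporarily set to {@code str}, then
     * restores whatever user id was set before, whether the call returns or throws.
     *
     * <p>The previous id is captured from {@link SecurityRequestContext} and written back
     * unconditionally, so a null previous value is restored as null as well.
     *
     * @param str the user id the callable is authorized as
     * @param callable the work to run under that identity
     * @param <T> the callable's result type
     * @return the callable's result
     * @throws Exception whatever the callable throws
     */
    public static <T> T authorizeAs(String str, Callable<T> callable) throws Exception {
        String previousUserId = SecurityRequestContext.getUserId();
        SecurityRequestContext.setUserId(str);
        try {
            return callable.call();
        } finally {
            // Always undo the identity swap so later work on this context is not mis-attributed.
            SecurityRequestContext.setUserId(previousUserId);
        }
    }

    /**
     * Resolves the user an application operation is authorized as: the short name of the
     * effective owner principal of the application (the explicit {@code kerberosPrincipalId}
     * or, failing that, what {@link SecurityUtil#getEffectiveOwner} derives from the namespace),
     * or the authenticated principal's name when no effective owner exists.
     *
     * @param ownerAdmin looked up for owner information
     * @param authenticationContext supplies the fallback identity
     * @param applicationId the application whose namespace determines the effective owner
     * @param kerberosPrincipalId an explicitly requested owner, or {@code null}
     * @return the short user name the operation is authorized as
     * @throws IOException if the owner lookup or the Kerberos short-name translation fails
     */
    public static String getAppAuthorizingUser(OwnerAdmin ownerAdmin, AuthenticationContext authenticationContext, ApplicationId applicationId, @Nullable KerberosPrincipalId kerberosPrincipalId) throws IOException {
        String requestedPrincipal = kerberosPrincipalId == null ? null : kerberosPrincipalId.getPrincipal();
        KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, applicationId.getNamespaceId(), requestedPrincipal);
        String authorizingUser;
        if (effectiveOwner != null) {
            // Kerberos principals carry realm/instance parts; the enforcer works on the short OS-style name.
            authorizingUser = new KerberosName(effectiveOwner.getPrincipal()).getShortName();
        } else {
            authorizingUser = authenticationContext.getPrincipal().getName();
        }
        LOG.trace("Returning {} as authorizing app user for {}", authorizingUser, applicationId);
        return authorizingUser;
    }

    /**
     * Returns the short user name the CDAP master effectively runs as, or {@code null} when
     * authorization is not enabled (see {@link #isSecurityAuthorizationEnabled}).
     *
     * <p>With authorization enabled, the configured master Kerberos principal is translated to
     * its short name; when none is configured the current Hadoop login user is used instead.
     *
     * @param cConfiguration the configuration to consult
     * @return the effective master user, or {@code null} if authorization is disabled
     * @throws RuntimeException wrapping the {@link IOException} if the translation fails
     */
    @Nullable
    public static String getEffectiveMasterUser(CConfiguration cConfiguration) {
        String masterPrincipal = cConfiguration.get(MASTER_KERBEROS_PRINCIPAL_KEY);
        if (!isSecurityAuthorizationEnabled(cConfiguration)) {
            return null;
        }
        try {
            if (masterPrincipal == null) {
                // No principal configured: fall back to the OS user the process logged in as.
                return UserGroupInformation.getLoginUser().getShortUserName();
            }
            return new KerberosName(masterPrincipal).getShortName();
        } catch (IOException e) {
            throw new RuntimeException(String.format("Failed to translate the principal name %s to an operating system user name.", masterPrincipal), e);
        }
    }
}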
