package co.cask.cdap.security.authorization.sentry.binding;

import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.authorization.sentry.binding.conf.AuthConf;
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.security.spi.authorization.RoleAlreadyExistsException;
import co.cask.cdap.security.spi.authorization.RoleNotFoundException;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.base.Strings;
import com.google.common.collect.Collections2;
import com.google.common.collect.Sets;
import java.util.Iterator;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/authorization/sentry/binding/SentryAuthorizer.class */
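/**
 * CDAP {@link AbstractAuthorizer} backed by Apache Sentry through an {@link AuthBinding}.
 *
 * <p>Sentry grants privileges to roles, and roles to groups. To support grants to a USER or GROUP
 * principal, this class creates a per-entity, per-principal "entity role" (see
 * {@link #getEntityUserRole(EntityId, Principal)}), whose name starts with
 * {@link #ENTITY_ROLE_PREFIX}, attaches it to the group and grants the actions to that role.
 * Entity roles are managed here exclusively and are dropped again when they hold no privileges.
 *
 * <p>Requesting-user identity for administrative calls comes from the {@link AuthorizationContext}
 * supplied to {@link #initialize(AuthorizationContext)}.
 */
public class SentryAuthorizer extends AbstractAuthorizer {
    private static final Logger LOG = LoggerFactory.getLogger(SentryAuthorizer.class);
    // Name prefix of the internally managed entity roles; cleanUpEntityRole refuses to drop any role
    // that does not carry it, so ordinary Sentry roles are never removed by the revoke paths.
    private static final String ENTITY_ROLE_PREFIX = ".";
    private AuthBinding binding;
    private AuthorizationContext context;

    /**
     * Reads the extension properties and creates the {@link AuthBinding}.
     *
     * @param authorizationContext context providing the extension properties and the requesting principal
     * @throws IllegalArgumentException if the sentry-site.xml path is missing or more than one
     *                                  Sentry admin group is configured
     * @throws Exception propagated from the context or binding construction
     */
    public void initialize(AuthorizationContext authorizationContext) throws Exception {
        Properties extensionProperties = authorizationContext.getExtensionProperties();
        String sentrySitePath = extensionProperties.getProperty(AuthConf.SENTRY_SITE_URL);
        // Validate the configured VALUE. The previous check tested the constant property NAME
        // (AuthConf.SENTRY_SITE_URL) and therefore could never fail, so a missing path went unnoticed
        // until the binding was used.
        Preconditions.checkArgument(!Strings.isNullOrEmpty(sentrySitePath), "Path to sentry-site.xml path is not specified in cdap-site.xml. Please provide the path to sentry-site.xml in cdap-site.xml with property name %s", AuthConf.SENTRY_SITE_URL);
        String adminGroup = extensionProperties.getProperty(AuthConf.SENTRY_ADMIN_GROUP, AuthConf.AuthzConfVars.AUTHZ_SENTRY_ADMIN_GROUP.getDefault());
        // Exactly one admin group is supported; a comma would indicate a list.
        Preconditions.checkArgument(!adminGroup.contains(","), "Please provide exactly one Sentry admin group at %s in cdap-site.xml. Found '%s'.", AuthConf.SENTRY_ADMIN_GROUP, adminGroup);
        String instanceName = extensionProperties.containsKey(AuthConf.INSTANCE_NAME)
            ? extensionProperties.getProperty(AuthConf.INSTANCE_NAME)
            : AuthConf.AuthzConfVars.getDefault(AuthConf.INSTANCE_NAME);
        LOG.info("Configuring SentryAuthorizer with sentry-site.xml at {}, CDAP instance {} and Sentry Admin Group: {}", sentrySitePath, instanceName, adminGroup);
        this.binding = new AuthBinding(sentrySitePath, instanceName, adminGroup);
        this.context = authorizationContext;
    }

    /**
     * Grants {@code set} on {@code entityId} to {@code principal}.
     *
     * <p>ROLE principals are granted directly. USER principals are mapped to the group of the same
     * name (see {@link #getGroupPrincipal(Principal)}); USER and GROUP principals receive the grant
     * through an entity role.
     *
     * @throws RoleNotFoundException    if the target role does not exist in Sentry
     * @throws IllegalArgumentException for any other principal type
     */
    public void grant(EntityId entityId, Principal principal, Set<Action> set) throws RoleNotFoundException {
        switch (principal.getType()) {
            case ROLE:
                this.binding.grant(entityId, new Role(principal.getName()), set, getRequestingUser());
                break;
            case USER:
                performGroupBasedGrant(entityId, getGroupPrincipal(principal), set);
                break;
            case GROUP:
                performGroupBasedGrant(entityId, principal, set);
                break;
            default:
                throw unsupportedPrincipalType(principal);
        }
    }

    /**
     * Revokes {@code set} on {@code entityId} from {@code principal}, mirroring {@link #grant}.
     * For USER and GROUP principals the entity role is dropped afterwards if it no longer holds any
     * privilege.
     *
     * @throws RoleNotFoundException    if the target role does not exist in Sentry
     * @throws IllegalArgumentException for any other principal type
     */
    public void revoke(EntityId entityId, Principal principal, Set<Action> set) throws RoleNotFoundException {
        switch (principal.getType()) {
            case ROLE:
                this.binding.revoke(entityId, new Role(principal.getName()), set, getRequestingUser());
                break;
            case USER:
                revokeFromEntityRole(entityId, getGroupPrincipal(principal), set);
                break;
            case GROUP:
                revokeFromEntityRole(entityId, principal, set);
                break;
            default:
                throw unsupportedPrincipalType(principal);
        }
    }

    /**
     * Revokes all privileges on {@code entityId} and drops every entity role that was created for it.
     */
    public void revoke(EntityId entityId) {
        this.binding.revoke(entityId);
        for (Role entityRole : getEntityRoles(entityId)) {
            // Unconditional drop: all privileges on the entity were just revoked.
            cleanUpEntityRole(entityRole, false);
        }
    }

    /** Lists the privileges Sentry holds for {@code principal}; delegated to the binding. */
    public Set<Privilege> listPrivileges(Principal principal) {
        return this.binding.listPrivileges(principal);
    }

    /** Creates {@code role} in Sentry on behalf of the requesting user. */
    public void createRole(Role role) throws RoleAlreadyExistsException {
        this.binding.createRole(role, getRequestingUser());
    }

    /** Drops {@code role} in Sentry on behalf of the requesting user. */
    public void dropRole(Role role) throws RoleNotFoundException {
        this.binding.dropRole(role, getRequestingUser());
    }

    /** Adds {@code role} to the Sentry group named by {@code principal}. */
    public void addRoleToPrincipal(Role role, Principal principal) throws RoleNotFoundException {
        this.binding.addRoleToGroup(role, principal, getRequestingUser());
    }

    /** Removes {@code role} from the Sentry group named by {@code principal}. */
    public void removeRoleFromPrincipal(Role role, Principal principal) throws RoleNotFoundException {
        this.binding.removeRoleFromGroup(role, principal, getRequestingUser());
    }

    /**
     * Lists the roles of a USER or GROUP principal.
     *
     * @throws IllegalArgumentException if {@code principal} is a ROLE
     */
    public Set<Role> listRoles(Principal principal) {
        Preconditions.checkArgument(principal.getType() != Principal.PrincipalType.ROLE, "The given principal '%s' is of type '%s'. In Sentry revoke roles can only be listed for '%s' and '%s'", principal.getName(), principal.getType(), Principal.PrincipalType.USER, Principal.PrincipalType.GROUP);
        return this.binding.listRolesForGroup(principal, getRequestingUser());
    }

    /** Lists every role known to Sentry; delegated to the binding. */
    public Set<Role> listAllRoles() {
        return this.binding.listAllRoles();
    }

    /**
     * Checks that {@code principal} may perform {@code set} on {@code entityId}.
     *
     * <p>Fails closed: anything other than a positive answer from the binding results in
     * {@link UnauthorizedException}. Only USER principals can be checked.
     *
     * @throws IllegalArgumentException if {@code principal} is not a USER
     * @throws UnauthorizedException    if the binding does not authorize the request
     */
    public void enforce(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        Preconditions.checkArgument(Principal.PrincipalType.USER == principal.getType(), "The given principal '%s' is of type '%s'. In Sentry authorization checks can only be performed on principal type '%s'.", principal.getName(), principal.getType(), Principal.PrincipalType.USER);
        if (!this.binding.authorize(entityId, principal, set)) {
            throw new UnauthorizedException(principal, set, entityId);
        }
    }

    /**
     * Grants {@code set} on {@code entityId} to a group via its entity role: ensures the role exists,
     * attaches it to the group and grants the actions to it.
     *
     * <p>Synchronized so that concurrent grants for the same entity role do not interleave within
     * this JVM. NOTE(review): cleanUpEntityRole runs outside this lock, so a concurrent revoke can
     * still drop the role between createRole and grant; confirm whether that window matters.
     *
     * @param groupPrincipal GROUP principal (USER principals are mapped by the caller)
     * @throws RoleNotFoundException if Sentry reports the just-ensured role as missing; previously
     *                               this was logged at debug and swallowed, so grant() returned
     *                               normally although no privilege had been granted
     */
    private synchronized void performGroupBasedGrant(EntityId entityId, Principal groupPrincipal, Set<Action> set)
        throws RoleNotFoundException {
        Role entityRole = getEntityUserRole(entityId, groupPrincipal);
        try {
            this.binding.createRole(entityRole);
            LOG.debug("Created role {}", entityRole);
        } catch (RoleAlreadyExistsException e) {
            // Expected on every grant after the first one for this entity/group pair.
            LOG.debug("Dot role {} already exists.", entityRole);
        }
        try {
            this.binding.addRoleToGroup(entityRole, groupPrincipal);
            LOG.debug("Added role {} to group {}", entityRole, groupPrincipal);
            this.binding.grant(entityId, entityRole, set);
            LOG.debug("Granted actions {} to role {} on entity {}", set, entityRole, entityId);
        } catch (RoleNotFoundException e) {
            // Surface the failure instead of reporting success to the caller.
            LOG.warn("Role {} not found. This is unexpected since its existence was just ensured.", entityRole);
            throw e;
        }
    }

    /**
     * Revokes {@code set} from the entity role of {@code groupPrincipal} on {@code entityId} and
     * drops the role if it holds no privilege afterwards.
     */
    private void revokeFromEntityRole(EntityId entityId, Principal groupPrincipal, Set<Action> set)
        throws RoleNotFoundException {
        Role entityRole = getEntityUserRole(entityId, groupPrincipal);
        this.binding.revoke(entityId, entityRole, set);
        cleanUpEntityRole(entityRole, true);
    }

    /**
     * Drops an entity role.
     *
     * @param role         role to drop; must carry {@link #ENTITY_ROLE_PREFIX}
     * @param onlyIfUnused when true, the role is kept if it still holds privileges
     * @throws IllegalArgumentException if {@code role} is not an entity role
     */
    private void cleanUpEntityRole(Role role, boolean onlyIfUnused) {
        if (!role.getName().startsWith(ENTITY_ROLE_PREFIX)) {
            throw new IllegalArgumentException(String.format("The given role %s is not an entity role. Please use drop role to remove this role.", role));
        }
        if (onlyIfUnused && !listPrivileges(role).isEmpty()) {
            LOG.debug("Skipping role cleanup for role {}", role);
            return;
        }
        try {
            this.binding.dropRole(role);
            LOG.debug("Successfully dropped role {}", role);
        } catch (RoleNotFoundException e) {
            // Best effort: the role is internal, so a missing one needs no further action.
            LOG.debug("Trying to delete role {}, but it was not found. Ignoring since it's an entity role.", role);
        }
    }

    /**
     * Returns the entity roles created for {@code entityId}.
     *
     * <p>Entity roles are named {@code .<entity>.<t>.<name>} (see {@link #getEntityUserRole}), so the
     * match requires the separator after the entity string. A bare {@code .<entity>} prefix would
     * also select roles of any entity whose string extends this one, and revoke(EntityId) drops
     * every role returned here unconditionally.
     */
    private Set<Role> getEntityRoles(EntityId entityId) {
        final String entityRolePrefix = ENTITY_ROLE_PREFIX + entityId.toString() + ".";
        return Sets.newHashSet(Collections2.filter(listAllRoles(), new Predicate<Role>() {
            @Override
            public boolean apply(Role role) {
                return role.getName().startsWith(entityRolePrefix);
            }
        }));
    }

    /** Maps a principal to the GROUP principal of the same name (Sentry attaches roles to groups). */
    private Principal getGroupPrincipal(Principal principal) {
        return new Principal(principal.getName(), Principal.PrincipalType.GROUP);
    }

    /**
     * Builds the entity role for {@code principal} on {@code entityId}:
     * {@code .<entity>.<first letter of the principal type, lower case>.<principal name>}.
     */
    private Role getEntityUserRole(EntityId entityId, Principal principal) {
        // Locale.ROOT keeps the marker independent of the JVM default locale.
        char typeMarker = principal.getType().name().toLowerCase(Locale.ROOT).charAt(0);
        return new Role(Joiner.on(".").join("", entityId.toString(), Character.valueOf(typeMarker), principal.getName()));
    }

    /** Builds the exception thrown for principal types that grant/revoke do not support. */
    private static IllegalArgumentException unsupportedPrincipalType(Principal principal) {
        return new IllegalArgumentException(String.format("The given principal '%s' is of unsupported type '%s'.", principal.getName(), principal.getType()));
    }

    /** Returns the name of the principal making the current request, as reported by the context. */
    private String getRequestingUser() throws IllegalArgumentException {
        Principal principal = this.context.getPrincipal();
        LOG.trace("Got requesting principal {}", principal);
        return principal.getName();
    }
}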
