package co.cask.cdap.security.authorization.sentry.binding;

import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Authorizable;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.authorization.sentry.binding.conf.AuthConf;
import co.cask.cdap.security.authorization.sentry.model.ActionFactory;
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/authorization/sentry/binding/SentryAuthorizer.class */
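/**
 * CDAP {@code Authorizer} backed by Apache Sentry.
 *
 * <p>Grant/revoke and role management are delegated to an {@link AuthBinding}, always on behalf of the
 * principal obtained from the {@link AuthorizationContext}. Enforcement and visibility checks fetch the
 * {@link WildcardPolicy} set for the principal from the binding and evaluate the requested entity (converted
 * to Sentry authorizables) against those policies.
 *
 * <p>Sentry-imposed constraints visible in this class: privileges can only be granted to or revoked from a
 * {@code ROLE} principal, roles can only be listed for non-{@code ROLE} principals, and enforcement /
 * visibility are only supported for {@code USER} principals.
 */
public class SentryAuthorizer extends AbstractAuthorizer {
    private static final Logger LOG = LoggerFactory.getLogger(SentryAuthorizer.class);
    // Set once in initialize(); every other public method assumes it has been called.
    private AuthBinding binding;
    // Source of the requesting principal for grant/revoke/role operations.
    private AuthorizationContext context;

    /**
     * Reads the Sentry extension configuration from the context and builds the {@link AuthBinding}.
     *
     * @param authorizationContext supplies the extension properties and the requesting principal
     * @throws IllegalArgumentException if the sentry-site.xml path is missing, the admin group value
     *                                  contains a comma, or a cache setting is not an integer
     * @throws Exception if the binding cannot be created
     */
    public void initialize(AuthorizationContext authorizationContext) throws Exception {
        Properties extensionProperties = authorizationContext.getExtensionProperties();
        String sentrySiteUrl = extensionProperties.getProperty(AuthConf.SENTRY_SITE_URL);
        // Validate the configured value, not the property name: the name is a compile-time constant and is
        // never empty, so checking it would let a missing sentry-site.xml path reach AuthBinding as null.
        Preconditions.checkArgument(!Strings.isNullOrEmpty(sentrySiteUrl), "Path to sentry-site.xml path is not specified in cdap-site.xml. Please provide the path to sentry-site.xml in cdap-site.xml with property name %s", AuthConf.SENTRY_SITE_URL);
        String adminGroup = extensionProperties.getProperty(AuthConf.SENTRY_ADMIN_GROUP, AuthConf.AuthzConfVars.AUTHZ_SENTRY_ADMIN_GROUP.getDefault());
        // The binding accepts a single admin group; a comma-separated list is rejected up front.
        Preconditions.checkArgument(!adminGroup.contains(","), "Please provide exactly one Sentry admin group at %s in cdap-site.xml. Found '%s'.", AuthConf.SENTRY_ADMIN_GROUP, adminGroup);
        String instanceName = extensionProperties.containsKey(AuthConf.INSTANCE_NAME)
            ? extensionProperties.getProperty(AuthConf.INSTANCE_NAME)
            : AuthConf.AuthzConfVars.getDefault(AuthConf.INSTANCE_NAME);
        int cacheTtlSecs = parseIntProperty(extensionProperties, AuthConf.CACHE_TTL_SECS, AuthConf.CACHE_TTL_SECS_DEFAULT);
        int cacheMaxEntries = parseIntProperty(extensionProperties, AuthConf.CACHE_MAX_ENTRIES, AuthConf.CACHE_MAX_ENTRIES_DEFAULT);
        LOG.info("Configuring SentryAuthorizer with sentry-site.xml at {}, CDAP instance {} and Sentry Admin Group: {}", sentrySiteUrl, instanceName, adminGroup);
        this.binding = new AuthBinding(sentrySiteUrl, instanceName, adminGroup, cacheTtlSecs, cacheMaxEntries);
        this.context = authorizationContext;
    }

    /**
     * Grants {@code set} on {@code authorizable} to a role, acting as the requesting user.
     *
     * @throws IllegalArgumentException if {@code principal} is not of type {@code ROLE}
     */
    public void grant(Authorizable authorizable, Principal principal, Set<Action> set) throws Exception {
        LOG.trace("Granting {} on {} to {}", set, authorizable, principal);
        requireRolePrincipal(principal, "granting privileges to");
        this.binding.grant(authorizable, new Role(principal.getName()), set, getRequestingUser());
        LOG.trace("Granted {} on {} to {}", set, authorizable, principal);
    }

    /**
     * Revokes {@code set} on {@code authorizable} from a role, acting as the requesting user.
     *
     * @throws IllegalArgumentException if {@code principal} is not of type {@code ROLE}
     */
    public void revoke(Authorizable authorizable, Principal principal, Set<Action> set) throws Exception {
        LOG.trace("Revoking {} on {} to {}", set, authorizable, principal);
        requireRolePrincipal(principal, "revoking privileges from");
        this.binding.revoke(authorizable, new Role(principal.getName()), set, getRequestingUser());
        LOG.trace("Revoked {} on {} to {}", set, authorizable, principal);
    }

    /** Revokes every privilege on {@code authorizable}, for all principals. */
    public void revoke(Authorizable authorizable) throws Exception {
        LOG.debug("Revoking all privileges on {}", authorizable);
        this.binding.revoke(authorizable);
        LOG.debug("Revoked all privileges on {}", authorizable);
    }

    /** Returns the privileges the binding reports for {@code principal}. */
    public Set<Privilege> listPrivileges(Principal principal) throws Exception {
        return this.binding.listPrivileges(principal);
    }

    /** Creates {@code role} in Sentry as the requesting user. */
    public void createRole(Role role) throws Exception {
        this.binding.createRole(role, getRequestingUser());
    }

    /** Drops {@code role} in Sentry as the requesting user. */
    public void dropRole(Role role) throws Exception {
        this.binding.dropRole(role, getRequestingUser());
    }

    /** Adds {@code role} to {@code principal} (delegated to the binding's group operation). */
    public void addRoleToPrincipal(Role role, Principal principal) throws Exception {
        this.binding.addRoleToGroup(role, principal, getRequestingUser());
    }

    /** Removes {@code role} from {@code principal} (delegated to the binding's group operation). */
    public void removeRoleFromPrincipal(Role role, Principal principal) throws Exception {
        this.binding.removeRoleFromGroup(role, principal, getRequestingUser());
    }

    /**
     * Lists the roles of {@code principal}.
     *
     * @throws IllegalArgumentException if {@code principal} is itself a {@code ROLE}
     */
    public Set<Role> listRoles(Principal principal) throws Exception {
        Preconditions.checkArgument(principal.getType() != Principal.PrincipalType.ROLE, "The given principal '%s' is of type '%s'. In Sentry revoke roles can only be listed for '%s' and '%s'", principal.getName(), principal.getType(), Principal.PrincipalType.USER, Principal.PrincipalType.GROUP);
        return this.binding.listRolesForGroup(principal, getRequestingUser());
    }

    /** Returns every role known to the binding. */
    public Set<Role> listAllRoles() throws Exception {
        return this.binding.listAllRoles();
    }

    /**
     * Enforces that {@code principal} holds every action in {@code set} on {@code entityId}.
     *
     * <p>Each requested action (translated to a Sentry action) must be allowed by at least one of the
     * principal's policies; a principal with no policies, or with any action not covered, is rejected.
     *
     * @throws IllegalArgumentException if {@code principal} is not of type {@code USER}
     * @throws UnauthorizedException if any requested action is not allowed
     */
    public void enforce(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        checkUserPrincipal(principal);
        Set<WildcardPolicy> policies = this.binding.getPolicies(principal);
        LOG.debug("Got policies {} for principal {}, entity {} and actions {}", policies, principal, entityId, set);
        if (policies.isEmpty()) {
            throw new UnauthorizedException(principal, set, entityId, true);
        }
        List sentryAuthorizables = toSentryAuthorizables(entityId);
        Set<ActionFactory.Action> sentryActions = this.binding.toSentryActions(set);
        // Deny on the first action no policy allows; all actions must be covered for the check to pass.
        for (ActionFactory.Action action : sentryActions) {
            if (!isAllowedByAnyPolicy(policies, sentryAuthorizables, action)) {
                throw new UnauthorizedException(principal, set, entityId, true);
            }
        }
    }

    /**
     * Filters {@code set} down to the entities at least one of the principal's policies makes visible.
     *
     * @return the visible subset; empty when the principal has no policies
     * @throws IllegalArgumentException if {@code principal} is not of type {@code USER}
     */
    public Set<? extends EntityId> isVisible(Set<? extends EntityId> set, Principal principal) throws Exception {
        checkUserPrincipal(principal);
        Set<WildcardPolicy> policies = this.binding.getPolicies(principal);
        LOG.debug("Got policies {} for principal {}", policies, principal);
        if (policies.isEmpty()) {
            return Collections.emptySet();
        }
        Set<EntityId> visible = new HashSet<EntityId>(set.size());
        for (EntityId entityId : set) {
            if (isVisibleToAnyPolicy(policies, toSentryAuthorizables(entityId))) {
                visible.add(entityId);
            }
        }
        return visible;
    }

    /** Converts a CDAP entity into the list of Sentry authorizables the binding produces for it. */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private List toSentryAuthorizables(EntityId entityId) {
        Authorizable authorizable = Authorizable.fromEntityId(entityId);
        // Raw list: the Sentry authorizable element type is owned by AuthBinding and not visible here.
        List sentryAuthorizables = new ArrayList();
        this.binding.toSentryAuthorizables(authorizable.getEntityType(), authorizable, sentryAuthorizables);
        return sentryAuthorizables;
    }

    /** True if any policy allows {@code action} on the given Sentry authorizables. */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private static boolean isAllowedByAnyPolicy(Set<WildcardPolicy> policies, List sentryAuthorizables, ActionFactory.Action action) {
        for (WildcardPolicy policy : policies) {
            if (policy.isAllowed(sentryAuthorizables, action)) {
                return true;
            }
        }
        return false;
    }

    /** True if any policy makes the given Sentry authorizables visible. */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private static boolean isVisibleToAnyPolicy(Set<WildcardPolicy> policies, List sentryAuthorizables) {
        for (WildcardPolicy policy : policies) {
            if (policy.isVisible(sentryAuthorizables)) {
                return true;
            }
        }
        return false;
    }

    /** Rejects any principal that is not a {@code ROLE}; {@code operation} names the attempted action for the message. */
    private static void requireRolePrincipal(Principal principal, String operation) {
        if (!principal.getType().equals(Principal.PrincipalType.ROLE)) {
            throw new IllegalArgumentException(String.format("Sentry only supports %s a '%s'. The given principal '%s' is of unsupported type '%s'.", operation, Principal.PrincipalType.ROLE, principal.getName(), principal.getType()));
        }
    }

    /** Enforcement and visibility are only supported for {@code USER} principals. */
    private void checkUserPrincipal(Principal principal) {
        Preconditions.checkArgument(Principal.PrincipalType.USER == principal.getType(), "Only support principal type %s for authorization, given principal %s is of type %s", Principal.PrincipalType.USER, principal.getName(), principal.getType());
    }

    /**
     * Parses an integer extension property, falling back to {@code defaultValue} when unset.
     *
     * @throws IllegalArgumentException (with the parse failure as cause) if the value is not an integer
     */
    private static int parseIntProperty(Properties properties, String name, String defaultValue) {
        String value = properties.getProperty(name, defaultValue);
        try {
            return Integer.parseInt(value);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(String.format("Property %s in cdap-site.xml must be an integer. Found '%s'.", name, value), e);
        }
    }

    /** Name of the principal the context reports as making the current request. */
    private String getRequestingUser() throws IllegalArgumentException {
        Principal principal = this.context.getPrincipal();
        LOG.trace("Got requesting principal {}", principal);
        return principal.getName();
    }
}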
