package co.cask.cdap.security.authorization.sentry.policy;

import co.cask.cdap.security.authorization.sentry.model.ActionFactory;
import co.cask.cdap.security.authorization.sentry.model.Authorizable;
import com.google.common.collect.Lists;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.Set;
import org.apache.sentry.policy.common.PolicyConstants;
import org.apache.sentry.policy.common.PrivilegeValidatorContext;
import org.apache.shiro.config.ConfigurationException;

/* loaded from: input_file:lib/cdap-sentry-policy-0.7.0.jar:co/cask/cdap/security/authorization/sentry/policy/PrivilegeValidator.class */
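/**
 * Checks that a CDAP privilege string has a well-formed authorizable hierarchy and ends with a
 * recognised action.
 *
 * <p>The privilege is split with {@link PolicyConstants#AUTHORIZABLE_SPLITTER}. The last part must
 * be an {@code action=<name>} pair whose name is known to {@link ActionFactory}. The parts before
 * it must start at {@code INSTANCE} and follow instance -> namespace ->
 * (application | artifact | stream | dataset), with application optionally followed by program.
 *
 * <p>This validator only checks the shape of the privilege. It makes no authorization decision.
 */
public class PrivilegeValidator implements org.apache.sentry.policy.common.PrivilegeValidator {
    private final ActionFactory actionFactory = new ActionFactory();

    /**
     * Validates the privilege carried by the given context.
     *
     * @param privilegeValidatorContext context whose {@code getPrivilege()} value is validated
     * @throws ConfigurationException if the privilege has fewer than two parts, does not end with
     *     a valid action, or lists authorizables outside the permitted hierarchy
     */
    @Override // org.apache.sentry.policy.common.PrivilegeValidator
    public void validate(PrivilegeValidatorContext privilegeValidatorContext) throws ConfigurationException {
        LinkedList<String> parts = Lists.newLinkedList(
                PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeValidatorContext.getPrivilege()));
        // At least one authorizable plus the trailing action is required.
        if (parts.size() < 2) {
            throw new ConfigurationException("Invalid Privilege Exception: Privilege can be given to an instance or instance -> namespace or instance -> namespace -> (artifact|applications|stream|dataset) or instance -> namespace -> application -> program");
        }
        if (!isAction(parts.removeLast())) {
            throw new ConfigurationException("CDAP privilege must end with a valid action.\n");
        }
        // Every privilege must be rooted at an INSTANCE authorizable.
        Set<Authorizable.AuthorizableType> allowedTypes = EnumSet.of(Authorizable.AuthorizableType.INSTANCE);
        while (!parts.isEmpty()) {
            String part = parts.removeFirst();
            Authorizable authorizable = ModelAuthorizables.from(part);
            // NOTE(review): ModelAuthorizables.from is not visible here; if it can return null for
            // an unrecognised part, report it as a validation failure rather than an NPE.
            if (authorizable == null) {
                throw new ConfigurationException(String.format("Unable to parse authorizable %s", part));
            }
            // An empty allowed set means the previous authorizable was a leaf of the hierarchy.
            if (allowedTypes.isEmpty()) {
                throw new ConfigurationException(String.format("Was expecting end of Authorizables. Found unexpected authorizable %s of type %s", authorizable, authorizable.getAuthzType()));
            }
            allowedTypes = validatePrivilege(authorizable.getAuthzType(), allowedTypes);
        }
    }

    /**
     * Checks one authorizable type against the types permitted at its position and returns the
     * types permitted for the next position.
     *
     * @param authorizableType type of the authorizable being checked
     * @param set types permitted at this position
     * @return types permitted after {@code authorizableType}; empty when nothing may follow
     * @throws ConfigurationException if {@code authorizableType} is not in {@code set}
     */
    private Set<Authorizable.AuthorizableType> validatePrivilege(Authorizable.AuthorizableType authorizableType, Set<Authorizable.AuthorizableType> set) {
        if (!set.contains(authorizableType)) {
            throw new ConfigurationException(String.format("Expecting authorizable types %s but found %s", set.toString(), authorizableType));
        }
        switch (authorizableType) {
            case INSTANCE:
                return EnumSet.of(Authorizable.AuthorizableType.NAMESPACE);
            case NAMESPACE:
                return EnumSet.of(Authorizable.AuthorizableType.APPLICATION, Authorizable.AuthorizableType.ARTIFACT, Authorizable.AuthorizableType.STREAM, Authorizable.AuthorizableType.DATASET);
            case APPLICATION:
                return EnumSet.of(Authorizable.AuthorizableType.PROGRAM);
            case ARTIFACT:
            case STREAM:
            case DATASET:
            case PROGRAM:
            case PRINCIPAL:
                // Leaf types: no further authorizable may follow.
                return EnumSet.noneOf(Authorizable.AuthorizableType.class);
            default:
                // NOTE(review): a type not listed above leaves the permitted set unchanged, so the
                // same type would be accepted again at the next position. Confirm that the enum
                // has no other constants, or make this branch return an empty set.
                return set;
        }
    }

    /**
     * Tells whether the given part is an {@code action=<name>} pair naming a known action.
     *
     * @param str last part of the privilege string
     * @return {@code true} if the key is {@code action} and {@link ActionFactory} resolves the name
     */
    private boolean isAction(String str) {
        // Lower-case with Locale.ROOT so the result does not depend on the JVM default locale
        // (under a Turkish locale "ADMIN" would otherwise become "adm\u0131n" and fail the lookup).
        String[] keyValue = str.toLowerCase(java.util.Locale.ROOT).split("=");
        if (keyValue.length != 2) {
            return false;
        }
        // Exact match after normalisation: equalsIgnoreCase would also fold look-alike code
        // points such as dotless i onto "action".
        return "action".equals(keyValue[0]) && this.actionFactory.getActionByName(keyValue[1]) != null;
    }
}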
