package com.datahub.authorization;

import com.datahub.authentication.Authentication;
import com.datahub.authorization.AuthorizationResult;
import com.datahub.plugins.auth.authorization.Authorizer;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import com.linkedin.common.urn.Urn;
import com.linkedin.events.metadata.ChangeType;
import com.linkedin.metadata.Constants;
import com.linkedin.metadata.authorization.ApiGroup;
import com.linkedin.metadata.authorization.ApiOperation;
import com.linkedin.metadata.authorization.Conjunctive;
import com.linkedin.metadata.authorization.Disjunctive;
import com.linkedin.metadata.authorization.PoliciesConfig;
import com.linkedin.metadata.browse.BrowseResult;
import com.linkedin.metadata.models.registry.EntityRegistry;
import com.linkedin.metadata.query.AutoCompleteResult;
import com.linkedin.metadata.search.ScrollResult;
import com.linkedin.metadata.search.SearchResult;
import com.linkedin.metadata.utils.EntityKeyUtils;
import com.linkedin.mxe.MetadataChangeProposal;
import com.linkedin.util.Pair;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;

/* loaded from: input_file:com/datahub/authorization/AuthUtil.class */
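/**
 * Static helpers that translate API-level operations into privilege checks against an
 * {@link Authorizer}.
 *
 * <p>Two families of entry points exist and they do not enforce the same way:
 * <ul>
 *   <li>{@code isAPIAuthorized*} methods all funnel into
 *       {@link #isAPIAuthorized(Authentication, Authorizer, Disjunctive, Collection)}, which consults
 *       the authorizer only when the environment variable named by
 *       {@code Constants.REST_API_AUTHORIZATION_ENABLED_ENV} parses as {@code true}. Otherwise every
 *       such check is granted.</li>
 *   <li>{@code isAuthorized*} and {@code canViewEntity} always consult the authorizer.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. Members carrying a "was private" note had their access
 * widened by the decompiler; the widened modifiers are kept so the listing's interface is unchanged.
 */
public class AuthUtil {
    /**
     * Entity type names collected for view restriction, judging by the constant's name. Nothing in
     * this class reads it, so its consumers and exact meaning live outside this file (TODO confirm).
     */
    public static final Set<String> VIEW_RESTRICTED_ENTITY_TYPES = ImmutableSet.of("dataset", "dashboard", "chart", "mlModel", "mlFeature", Constants.ML_MODEL_GROUP_ENTITY_NAME, Constants.ML_FEATURE_TABLE_ENTITY_NAME, Constants.ML_PRIMARY_KEY_ENTITY_NAME, "dataFlow", "dataJob", "glossaryTerm", "glossaryNode", "domain", Constants.DATA_PRODUCT_ENTITY_NAME, "notebook");

    /**
     * Evaluates a batch of change proposals and pairs each one with an HTTP-style status code.
     *
     * <p>Each proposal is keyed by (change type, entity URN). When the proposal carries no URN, one
     * is derived from the proposal through the registry's key aspect spec. The status is 200 when
     * authorized, 403 when denied, 400 for an unsupported change type, and 500 if no status was
     * computed for the key.
     *
     * <p>NOTE(review): the privilege lookup uses the URN's entity type. This method does not compare
     * that type with the proposal's own {@code entityType} field, so any consistency check between
     * the two has to happen elsewhere (TODO confirm).
     *
     * @param authentication identity of the caller
     * @param authorizer authorizer consulted when REST API authorization is enabled
     * @param apiGroup API group the proposals are submitted through
     * @param entityRegistry registry used to derive a URN for proposals that lack one
     * @param collection proposals to evaluate
     * @return one (proposal, status) pair per input proposal, in encounter order
     */
    public static List<Pair<MetadataChangeProposal, Integer>> isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiGroup apiGroup, @Nonnull EntityRegistry entityRegistry, @Nonnull Collection<MetadataChangeProposal> collection) {
        List<Pair<Pair<ChangeType, Urn>, MetadataChangeProposal>> keyedProposals = collection.stream().map(proposal -> {
            Urn entityUrn = proposal.getEntityUrn();
            if (entityUrn == null) {
                entityUrn = EntityKeyUtils.getUrnFromProposal(proposal, entityRegistry.getEntitySpec(proposal.getEntityType()).getKeyAspectSpec());
            }
            return Pair.of(Pair.of(proposal.getChangeType(), entityUrn), proposal);
        }).collect(Collectors.toList());

        // Authorize each distinct (change type, URN) key once, then fan the result back out.
        Set<Pair<ChangeType, Urn>> distinctKeys = keyedProposals.stream()
                .map(keyed -> keyed.getFirst())
                .collect(Collectors.toSet());
        Map<Pair<ChangeType, Urn>, Integer> statusByKey = isAPIAuthorizedUrns(authentication, authorizer, apiGroup, distinctKeys);

        return keyedProposals.stream()
                .map(keyed -> Pair.of(keyed.getValue(), statusByKey.getOrDefault(keyed.getKey(), 500)))
                .collect(Collectors.toList());
    }

    /**
     * Computes an HTTP-style status for each distinct (change type, URN) pair.
     *
     * <p>CREATE, UPSERT, UPDATE, RESTATE and PATCH require the UPDATE privilege; CREATE_ENTITY
     * requires CREATE; DELETE requires DELETE. Any other change type yields 400 without an
     * authorization check.
     *
     * @param authentication identity of the caller
     * @param authorizer authorizer consulted when REST API authorization is enabled
     * @param apiGroup API group used for the privilege lookup
     * @param collection (change type, URN) pairs to evaluate
     * @return map from each distinct pair to 200 (authorized), 403 (denied) or 400 (unsupported)
     */
    public static Map<Pair<ChangeType, Urn>, Integer> isAPIAuthorizedUrns(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiGroup apiGroup, @Nonnull Collection<Pair<ChangeType, Urn>> collection) {
        return collection.stream().distinct().map(changeAndUrn -> {
            Urn urn = changeAndUrn.getSecond();
            ApiOperation operation = requiredOperation(changeAndUrn.getFirst());
            final int status;
            if (operation == null) {
                status = 400;
            } else if (isAPIAuthorized(authentication, authorizer, lookupAPIPrivilege(apiGroup, operation, urn.getEntityType()), new EntitySpec(urn.getEntityType(), urn.toString()))) {
                status = 200;
            } else {
                status = 403;
            }
            return Pair.of(changeAndUrn, status);
        }).collect(Collectors.toMap(Pair::getKey, Pair::getValue));
    }

    /** Maps a change type to the API operation it must be authorized for, or null if unsupported. */
    @Nullable
    private static ApiOperation requiredOperation(ChangeType changeType) {
        switch (changeType) {
            case CREATE:
            case UPSERT:
            case UPDATE:
            case RESTATE:
            case PATCH:
                return ApiOperation.UPDATE;
            case CREATE_ENTITY:
                return ApiOperation.CREATE;
            case DELETE:
                return ApiOperation.DELETE;
            default:
                return null;
        }
    }

    /**
     * Checks READ access on every entity in a search result.
     *
     * @return true only if READ is authorized for all returned entities; see
     *     {@link #isAPIAuthorizedEntityUrns} for the empty-result case
     */
    public static boolean isAPIAuthorizedResult(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull SearchResult searchResult) {
        List<Urn> urns = searchResult.getEntities().stream()
                .map(entity -> entity.getEntity())
                .collect(Collectors.toList());
        return isAPIAuthorizedEntityUrns(authentication, authorizer, ApiOperation.READ, urns);
    }

    /**
     * Checks READ access on every entity in a scroll result.
     *
     * @return true only if READ is authorized for all returned entities
     */
    public static boolean isAPIAuthorizedResult(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ScrollResult scrollResult) {
        List<Urn> urns = scrollResult.getEntities().stream()
                .map(entity -> entity.getEntity())
                .collect(Collectors.toList());
        return isAPIAuthorizedEntityUrns(authentication, authorizer, ApiOperation.READ, urns);
    }

    /**
     * Checks READ access on every entity in an auto-complete result.
     *
     * @return true only if READ is authorized for all returned entities
     */
    public static boolean isAPIAuthorizedResult(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull AutoCompleteResult autoCompleteResult) {
        List<Urn> urns = autoCompleteResult.getEntities().stream()
                .map(entity -> entity.getUrn())
                .collect(Collectors.toList());
        return isAPIAuthorizedEntityUrns(authentication, authorizer, ApiOperation.READ, urns);
    }

    /**
     * Checks READ access on every entity in a browse result.
     *
     * @return true only if READ is authorized for all returned entities
     */
    public static boolean isAPIAuthorizedResult(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull BrowseResult browseResult) {
        List<Urn> urns = browseResult.getEntities().stream()
                .map(entity -> entity.getUrn())
                .collect(Collectors.toList());
        return isAPIAuthorizedEntityUrns(authentication, authorizer, ApiOperation.READ, urns);
    }

    /**
     * Checks one operation against a set of URNs.
     *
     * <p>For the ENTITY group the privilege is looked up per entity type. For any other group a
     * single group-level privilege is checked against every URN.
     *
     * @param collection URNs the operation targets
     * @return true if the operation is authorized for all URNs
     */
    public static boolean isAPIAuthorizedUrns(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiGroup apiGroup, @Nonnull ApiOperation apiOperation, @Nonnull Collection<Urn> collection) {
        if (ApiGroup.ENTITY.equals(apiGroup)) {
            return isAPIAuthorizedEntityUrns(authentication, authorizer, apiOperation, collection);
        }
        List<EntitySpec> resources = collection.stream()
                .map(urn -> new EntitySpec(urn.getEntityType(), urn.toString()))
                .collect(Collectors.toList());
        return isAPIAuthorized(authentication, authorizer, lookupAPIPrivilege(apiGroup, apiOperation, null), resources);
    }

    /**
     * Checks an ENTITY-group operation against a set of URNs, grouped by entity type so that each
     * type is checked with its own privilege.
     *
     * <p>NOTE(review): an empty {@code collection} produces no groups, so {@code allMatch} returns
     * true without consulting the authorizer. Callers must not read that as a grant on anything
     * beyond the (empty) set they passed.
     *
     * @param collection URNs the operation targets
     * @return true if every entity-type group is authorized
     */
    public static boolean isAPIAuthorizedEntityUrns(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiOperation apiOperation, @Nonnull Collection<Urn> collection) {
        Map<String, List<EntitySpec>> resourcesByType = collection.stream()
                .map(urn -> new EntitySpec(urn.getEntityType(), urn.toString()))
                .collect(Collectors.groupingBy(EntitySpec::getType));
        return resourcesByType.entrySet().stream().allMatch(group ->
                isAPIAuthorized(authentication, authorizer, lookupAPIPrivilege(ApiGroup.ENTITY, apiOperation, group.getKey()), group.getValue()));
    }

    /** Type-level check for a single entity type in the ENTITY group. */
    public static boolean isAPIAuthorizedEntityType(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiOperation apiOperation, @Nonnull String str) {
        return isAPIAuthorizedEntityType(authentication, authorizer, ApiGroup.ENTITY, apiOperation, List.of(str));
    }

    /** Type-level check for a single entity type in the given API group. */
    public static boolean isAPIAuthorizedEntityType(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiGroup apiGroup, @Nonnull ApiOperation apiOperation, @Nonnull String str) {
        return isAPIAuthorizedEntityType(authentication, authorizer, apiGroup, apiOperation, List.of(str));
    }

    /** Type-level check for several entity types in the ENTITY group. */
    public static boolean isAPIAuthorizedEntityType(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiOperation apiOperation, @Nonnull Collection<String> collection) {
        return isAPIAuthorizedEntityType(authentication, authorizer, ApiGroup.ENTITY, apiOperation, collection);
    }

    /**
     * Type-level check: each distinct entity type is checked against a resource spec that names the
     * type and carries an empty entity string.
     *
     * <p>NOTE(review): an empty {@code collection} returns true without consulting the authorizer.
     *
     * @param collection entity type names
     * @return true if the operation is authorized for every listed type
     */
    public static boolean isAPIAuthorizedEntityType(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiGroup apiGroup, @Nonnull ApiOperation apiOperation, @Nonnull Collection<String> collection) {
        return collection.stream().distinct().allMatch(entityType ->
                isAPIAuthorized(authentication, authorizer, lookupAPIPrivilege(apiGroup, apiOperation, entityType), new EntitySpec(entityType, "")));
    }

    /**
     * Group-level check with no specific resource.
     *
     * @throws IllegalArgumentException if {@code apiGroup} is ENTITY, because the privilege lookup
     *     is made without an entity type
     */
    public static boolean isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull ApiGroup apiGroup, @Nonnull ApiOperation apiOperation) {
        return isAPIAuthorized(authentication, authorizer, lookupAPIPrivilege(apiGroup, apiOperation, null), (EntitySpec) null);
    }

    /** Checks a single privilege against an optional resource. */
    public static boolean isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull PoliciesConfig.Privilege privilege, @Nullable EntitySpec entitySpec) {
        return isAPIAuthorized(authentication, authorizer, (Disjunctive<Conjunctive<PoliciesConfig.Privilege>>) Disjunctive.disjoint(privilege), entitySpec);
    }

    /** Checks a single privilege with no specific resource. */
    public static boolean isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull PoliciesConfig.Privilege privilege) {
        // The (EntitySpec) cast selects the single-resource overload rather than the Collection one.
        return isAPIAuthorized(authentication, authorizer, (Disjunctive<Conjunctive<PoliciesConfig.Privilege>>) Disjunctive.disjoint(privilege), (EntitySpec) null);
    }

    /**
     * Checks a privilege expression against an optional resource by wrapping it in a zero- or
     * one-element list.
     *
     * <p>Decompiler note: reported as private in the compiled class.
     */
    public static boolean isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull Disjunctive<Conjunctive<PoliciesConfig.Privilege>> disjunctive, @Nullable EntitySpec entitySpec) {
        List<EntitySpec> resources = entitySpec != null ? List.of(entitySpec) : List.of();
        return isAPIAuthorized(authentication, authorizer, disjunctive, resources);
    }

    /**
     * Single enforcement point for every {@code isAPIAuthorized*} method in this class.
     *
     * <p>SECURITY: enforcement is opt-in. The environment variable named by
     * {@code Constants.REST_API_AUTHORIZATION_ENABLED_ENV} is read on each call; unless it parses
     * as {@code true} (unset, empty or any other value parse as false), this method returns true
     * without consulting the authorizer. Deployments that rely on these checks should set the
     * variable explicitly and verify it in the running process.
     *
     * <p>Decompiler note: reported as private in the compiled class.
     *
     * @param disjunctive privilege expression; any one conjunctive group suffices
     * @param collection resources to check; empty means a resource-less check
     * @return true if enforcement is disabled, or if the actor is authorized for all resources
     */
    public static boolean isAPIAuthorized(@Nonnull Authentication authentication, @Nonnull Authorizer authorizer, @Nonnull Disjunctive<Conjunctive<PoliciesConfig.Privilege>> disjunctive, @Nonnull Collection<EntitySpec> collection) {
        boolean enforcementEnabled = Boolean.parseBoolean(System.getenv(Constants.REST_API_AUTHORIZATION_ENABLED_ENV));
        if (!enforcementEnabled) {
            // Fail-open by configuration: no authorizer call is made on this path.
            return true;
        }
        return isAuthorized(authorizer, authentication.getActor().toUrnStr(), buildDisjunctivePrivilegeGroup(disjunctive), collection);
    }

    /** Checks whether the actor may READ a single entity. Always consults the authorizer. */
    public static boolean canViewEntity(@Nonnull String str, @Nonnull Authorizer authorizer, @Nonnull Urn urn) {
        return canViewEntity(str, authorizer, List.of(urn));
    }

    /**
     * Checks whether the actor may READ every listed entity. Always consults the authorizer; the
     * REST API authorization environment switch is not read on this path.
     *
     * @param str actor passed to the authorizer (other callers in this class pass an actor URN string)
     */
    public static boolean canViewEntity(@Nonnull String str, @Nonnull Authorizer authorizer, @Nonnull Collection<Urn> collection) {
        return isAuthorizedEntityUrns(authorizer, str, ApiOperation.READ, collection);
    }

    /**
     * Group-level check with no specific resource. Note the parameter order: the actor comes
     * before the authorizer here, unlike the other {@code isAuthorized} overloads.
     *
     * @throws IllegalArgumentException if {@code apiGroup} is ENTITY
     */
    public static boolean isAuthorized(@Nonnull String str, @Nonnull Authorizer authorizer, @Nonnull ApiGroup apiGroup, @Nonnull ApiOperation apiOperation) {
        return isAuthorized(authorizer, str, lookupAPIPrivilege(apiGroup, apiOperation, null), (EntitySpec) null);
    }

    /**
     * Type-level ENTITY-group check for each distinct entity type.
     *
     * <p>NOTE(review): an empty {@code collection} returns true without consulting the authorizer.
     */
    public static boolean isAuthorizedEntityType(@Nonnull String str, @Nonnull Authorizer authorizer, @Nonnull ApiOperation apiOperation, @Nonnull Collection<String> collection) {
        return collection.stream().distinct().allMatch(entityType ->
                isAuthorized(authorizer, str, lookupEntityAPIPrivilege(apiOperation, entityType), new EntitySpec(entityType, "")));
    }

    /** ENTITY-group variant of {@link #isAuthorizedUrns}. */
    public static boolean isAuthorizedEntityUrns(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull ApiOperation apiOperation, @Nonnull Collection<Urn> collection) {
        return isAuthorizedUrns(authorizer, str, ApiGroup.ENTITY, apiOperation, collection);
    }

    /**
     * Checks an operation against every URN, looking the privilege up once per entity type.
     *
     * <p>NOTE(review): an empty {@code collection} returns true without consulting the authorizer.
     *
     * @return true if the actor is authorized for every URN
     */
    public static boolean isAuthorizedUrns(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull ApiGroup apiGroup, @Nonnull ApiOperation apiOperation, @Nonnull Collection<Urn> collection) {
        Map<String, List<EntitySpec>> resourcesByType = collection.stream()
                .map(urn -> new EntitySpec(urn.getEntityType(), urn.toString()))
                .collect(Collectors.groupingBy(EntitySpec::getType));
        return resourcesByType.entrySet().stream().allMatch(group -> {
            Disjunctive<Conjunctive<PoliciesConfig.Privilege>> required = lookupAPIPrivilege(apiGroup, apiOperation, group.getKey());
            return group.getValue().stream().allMatch(resource -> isAuthorized(authorizer, str, required, resource));
        });
    }

    /** Checks a single privilege with no specific resource. */
    public static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull PoliciesConfig.Privilege privilege) {
        return isAuthorized(authorizer, str, buildDisjunctivePrivilegeGroup(Disjunctive.disjoint(privilege)), (EntitySpec) null);
    }

    /** Checks a single privilege against an optional resource. */
    public static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull PoliciesConfig.Privilege privilege, @Nullable EntitySpec entitySpec) {
        return isAuthorized(authorizer, str, buildDisjunctivePrivilegeGroup(Disjunctive.disjoint(privilege)), entitySpec);
    }

    /**
     * Checks a privilege expression against an optional resource.
     *
     * <p>Decompiler note: reported as private in the compiled class.
     */
    public static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull Disjunctive<Conjunctive<PoliciesConfig.Privilege>> disjunctive, @Nullable EntitySpec entitySpec) {
        return isAuthorized(authorizer, str, buildDisjunctivePrivilegeGroup(disjunctive), entitySpec);
    }

    /**
     * OR across privilege groups: authorized as soon as one conjunctive group passes. A group with
     * no conjunctive members is therefore never authorized.
     */
    public static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull DisjunctivePrivilegeGroup disjunctivePrivilegeGroup, @Nullable EntitySpec entitySpec) {
        for (ConjunctivePrivilegeGroup candidate : disjunctivePrivilegeGroup.getAuthorizedPrivilegeGroups()) {
            if (isAuthorized(authorizer, str, candidate, entitySpec)) {
                return true;
            }
        }
        return false;
    }

    /**
     * AND within a privilege group: every required privilege must not be denied. An empty group is
     * rejected, so "no requirements" never turns into a grant.
     */
    private static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull ConjunctivePrivilegeGroup conjunctivePrivilegeGroup, @Nullable EntitySpec entitySpec) {
        if (conjunctivePrivilegeGroup.getRequiredPrivileges().isEmpty()) {
            return false;
        }
        for (String privilegeType : conjunctivePrivilegeGroup.getRequiredPrivileges()) {
            if (isDenied(authorizer, str, privilegeType, entitySpec)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks a privilege group against every resource. An empty collection falls back to a single
     * resource-less check rather than passing vacuously.
     */
    private static boolean isAuthorized(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull DisjunctivePrivilegeGroup disjunctivePrivilegeGroup, @Nonnull Collection<EntitySpec> collection) {
        if (collection.isEmpty()) {
            return isAuthorized(authorizer, str, disjunctivePrivilegeGroup, (EntitySpec) null);
        }
        return collection.stream().allMatch(resource -> isAuthorized(authorizer, str, disjunctivePrivilegeGroup, resource));
    }

    /**
     * Resolves the privilege expression required for an operation in an API group.
     *
     * <p>Unmapped groups and operations resolve to {@code Disjunctive.DENY_ACCESS} (defined outside
     * this file). MANAGE is built by conjoining the UPDATE and DELETE expressions.
     *
     * @param str entity type; required when {@code apiGroup} is ENTITY, ignored otherwise
     * @throws IllegalArgumentException if {@code apiGroup} is ENTITY and {@code str} is null
     */
    public static Disjunctive<Conjunctive<PoliciesConfig.Privilege>> lookupAPIPrivilege(@Nonnull ApiGroup apiGroup, @Nonnull ApiOperation apiOperation, @Nullable String str) {
        if (ApiGroup.ENTITY.equals(apiGroup)) {
            if (str == null) {
                throw new IllegalArgumentException("ENTITY API Group must include an entityType");
            }
            return lookupEntityAPIPrivilege(apiOperation, Set.of(str)).get(str);
        }
        Map<ApiOperation, Disjunctive<Conjunctive<PoliciesConfig.Privilege>>> byOperation = PoliciesConfig.API_PRIVILEGE_MAP.getOrDefault(apiGroup, Map.of());
        switch (apiOperation) {
            case MANAGE:
                return Disjunctive.conjoin(byOperation.getOrDefault(ApiOperation.UPDATE, Disjunctive.DENY_ACCESS), byOperation.getOrDefault(ApiOperation.DELETE, Disjunctive.DENY_ACCESS));
            default:
                return byOperation.getOrDefault(apiOperation, Disjunctive.DENY_ACCESS);
        }
    }

    /**
     * Resolves the ENTITY-group privilege expression for each distinct entity type.
     *
     * <p>A type-specific entry in {@code PoliciesConfig.API_ENTITY_PRIVILEGE_MAP} takes precedence;
     * otherwise the generic ENTITY entry of {@code PoliciesConfig.API_PRIVILEGE_MAP} is used.
     * Operations missing from the chosen map resolve to {@code Disjunctive.DENY_ACCESS}.
     *
     * @param collection entity type names
     * @return map from entity type to its required privilege expression
     */
    @VisibleForTesting
    static Map<String, Disjunctive<Conjunctive<PoliciesConfig.Privilege>>> lookupEntityAPIPrivilege(@Nonnull ApiOperation apiOperation, @Nonnull Collection<String> collection) {
        return collection.stream().distinct().map(entityType -> {
            Map<ApiOperation, Disjunctive<Conjunctive<PoliciesConfig.Privilege>>> byOperation = PoliciesConfig.API_ENTITY_PRIVILEGE_MAP.getOrDefault(entityType, PoliciesConfig.API_PRIVILEGE_MAP.getOrDefault(ApiGroup.ENTITY, Map.of()));
            final Disjunctive<Conjunctive<PoliciesConfig.Privilege>> required;
            switch (apiOperation) {
                case MANAGE:
                    required = Disjunctive.conjoin(byOperation.getOrDefault(ApiOperation.UPDATE, Disjunctive.DENY_ACCESS), byOperation.getOrDefault(ApiOperation.DELETE, Disjunctive.DENY_ACCESS));
                    break;
                default:
                    required = byOperation.getOrDefault(apiOperation, Disjunctive.DENY_ACCESS);
                    break;
            }
            return Pair.of(entityType, required);
        }).collect(Collectors.toMap(Pair::getKey, Pair::getValue));
    }

    /** Single-type convenience form of {@link #lookupEntityAPIPrivilege(ApiOperation, Collection)}. */
    @VisibleForTesting
    static Disjunctive<Conjunctive<PoliciesConfig.Privilege>> lookupEntityAPIPrivilege(@Nonnull ApiOperation apiOperation, @Nonnull String str) {
        return lookupEntityAPIPrivilege(apiOperation, Set.of(str)).get(str);
    }

    /** Looks up the privilege expression for the operation and converts it to a privilege group. */
    public static DisjunctivePrivilegeGroup buildDisjunctivePrivilegeGroup(@Nonnull ApiGroup apiGroup, @Nonnull ApiOperation apiOperation, @Nullable String str) {
        return buildDisjunctivePrivilegeGroup(lookupAPIPrivilege(apiGroup, apiOperation, str));
    }

    /**
     * Converts a privilege expression into the group form the authorizer checks operate on, keeping
     * only each privilege's type string.
     */
    @VisibleForTesting
    static DisjunctivePrivilegeGroup buildDisjunctivePrivilegeGroup(Disjunctive<Conjunctive<PoliciesConfig.Privilege>> disjunctive) {
        List<ConjunctivePrivilegeGroup> groups = disjunctive.stream()
                .map(conjunctive -> {
                    List<String> privilegeTypes = conjunctive.stream()
                            .map(privilege -> privilege.getType())
                            .collect(Collectors.toList());
                    return new ConjunctivePrivilegeGroup(privilegeTypes);
                })
                .collect(Collectors.toList());
        return new DisjunctivePrivilegeGroup(groups);
    }

    /**
     * Asks the authorizer about one privilege and reports whether the answer is an explicit DENY.
     *
     * <p>NOTE(review): only {@code DENY} blocks. A result whose type is null, or any value other
     * than {@code DENY}, is treated as not denied. Authorizer implementations must therefore always
     * return an explicit type; comparing against the allow value instead would fail closed.
     *
     * @param str actor passed to the authorizer
     * @param str2 privilege type string
     */
    private static boolean isDenied(@Nonnull Authorizer authorizer, @Nonnull String str, @Nonnull String str2, @Nullable EntitySpec entitySpec) {
        AuthorizationRequest request = new AuthorizationRequest(str, str2, Optional.ofNullable(entitySpec));
        return AuthorizationResult.Type.DENY.equals(authorizer.authorize(request).getType());
    }

    /** Not instantiable: static helpers only. */
    private AuthUtil() {
    }
}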
