package org.apache.druid.security.basic;

import com.google.common.collect.ImmutableList;
import com.google.inject.Inject;
import com.sun.jersey.spi.container.ContainerRequest;
import java.util.List;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.server.http.security.AbstractResourceFilter;
import org.apache.druid.server.security.Access;
import org.apache.druid.server.security.AuthorizationUtils;
import org.apache.druid.server.security.AuthorizerMapper;
import org.apache.druid.server.security.Resource;
import org.apache.druid.server.security.ResourceAction;
import org.apache.druid.server.security.ResourceType;

/* loaded from: input_file:org/apache/druid/security/basic/BasicSecurityResourceFilter.class */
public class BasicSecurityResourceFilter extends AbstractResourceFilter {
    private static final List<String> APPLICABLE_PATHS = ImmutableList.of("/druid-ext/basic-security/authentication", "/druid-ext/basic-security/authorization");
    private static final String SECURITY_RESOURCE_NAME = "security";

    @Inject
    public BasicSecurityResourceFilter(AuthorizerMapper authorizerMapper) {
        super(authorizerMapper);
    }

    public ContainerRequest filter(ContainerRequest containerRequest) {
        Access authorizeResourceAction = AuthorizationUtils.authorizeResourceAction(getReq(), new ResourceAction(new Resource(SECURITY_RESOURCE_NAME, ResourceType.CONFIG), getAction(containerRequest)), getAuthorizerMapper());
        if (authorizeResourceAction.isAllowed()) {
            return containerRequest;
        }
        throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(StringUtils.format("Access-Check-Result: %s", new Object[]{authorizeResourceAction.toString()})).build());
    }

    public boolean isApplicable(String str) {
        for (String str2 : APPLICABLE_PATHS) {
            if (str.startsWith(str2) && !str.equals(str2)) {
                return true;
            }
        }
        return false;
    }
}
