package org.apache.druid.security.basic.authorization;

import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import org.apache.druid.java.util.common.IAE;
import org.apache.druid.security.basic.BasicAuthDBConfig;
import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.server.security.Access;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.AuthenticationResult;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.Resource;

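/**
 * Role-based {@link Authorizer} registered with Jackson under the type name {@code "basic"}.
 *
 * <p>A request is allowed only when at least one role resolved for the caller carries a
 * permission whose action and resource type equal the requested ones and whose resource-name
 * pattern matches the <em>entire</em> requested resource name. Every other outcome is a denial
 * or an exception, so the authorizer fails closed.
 */
@JsonTypeName("basic")
public class BasicRoleBasedAuthorizer implements Authorizer {
    private final String name;
    private final BasicAuthDBConfig dbConfig;
    private final RoleProvider roleProvider;

    /**
     * Builds the authorizer from its JSON configuration.
     *
     * @param basicAuthorizerCacheManager injected cache manager; only used to back the default
     *                                    {@link MetadataStoreRoleProvider}
     * @param str   JSON property {@code name}: this authorizer's name, passed to the role provider
     * @param str2  JSON property {@code initialAdminUser}
     * @param str3  JSON property {@code initialAdminRole}
     * @param str4  JSON property {@code initialAdminGroupMapping}
     * @param bool  JSON property {@code enableCacheNotifications}; treated as {@code true} when absent
     * @param l     JSON property {@code cacheNotificationTimeout}; falls back to
     *              {@link BasicAuthDBConfig#DEFAULT_CACHE_NOTIFY_TIMEOUT_MS} when absent
     * @param roleProvider JSON property {@code roleProvider}; when absent a
     *                     {@link MetadataStoreRoleProvider} is used
     */
    @JsonCreator
    public BasicRoleBasedAuthorizer(@JacksonInject BasicAuthorizerCacheManager basicAuthorizerCacheManager, @JsonProperty("name") String str, @JsonProperty("initialAdminUser") String str2, @JsonProperty("initialAdminRole") String str3, @JsonProperty("initialAdminGroupMapping") String str4, @JsonProperty("enableCacheNotifications") Boolean bool, @JsonProperty("cacheNotificationTimeout") Long l, @JsonProperty("roleProvider") RoleProvider roleProvider) {
        this.name = str;

        final boolean cacheNotificationsEnabled = bool == null || bool.booleanValue();
        final long cacheNotifyTimeoutMs = l == null ? BasicAuthDBConfig.DEFAULT_CACHE_NOTIFY_TIMEOUT_MS : l.longValue();
        // The first two config arguments are deliberately left null and the last one is 0,
        // exactly as the authorizer has always constructed its config.
        this.dbConfig = new BasicAuthDBConfig(null, null, str2, str3, str4, cacheNotificationsEnabled, cacheNotifyTimeoutMs, 0);

        this.roleProvider = roleProvider == null
                ? new MetadataStoreRoleProvider(basicAuthorizerCacheManager)
                : roleProvider;
    }

    /**
     * Decides whether the authenticated caller may perform {@code action} on {@code resource}.
     *
     * @param authenticationResult the caller's authentication result; must not be null
     * @param resource             the resource being accessed
     * @param action               the action requested on the resource
     * @return an allowing {@link Access} as soon as one permission of one of the caller's roles
     *         matches; a denying {@link Access} when the caller has no roles or nothing matches
     * @throws IAE if {@code authenticationResult} is null, or if the caller has roles but the
     *             role map for this authorizer could not be loaded
     */
    @Override
    public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
        if (authenticationResult == null) {
            throw new IAE("authenticationResult is null where it should never be.");
        }

        // Both provider calls are made up front, in this order, before any decision is taken.
        final HashSet<String> roleNames = new HashSet<>(this.roleProvider.getRoles(this.name, authenticationResult));
        final Map<String, BasicAuthorizerRole> roleMap = this.roleProvider.getRoleMap(this.name);

        // No roles means nothing can grant access: deny without consulting the role map.
        if (roleNames.isEmpty()) {
            return new Access(false);
        }
        // The caller has roles but their definitions are unavailable: refuse to decide rather
        // than guess, which surfaces the broken state instead of hiding it behind a denial.
        if (roleMap == null) {
            throw new IAE("Could not load roleMap for authorizer [%s]", this.name);
        }

        for (String roleName : roleNames) {
            final BasicAuthorizerRole role = roleMap.get(roleName);
            if (role == null) {
                // A role name with no definition in the map contributes no permissions.
                continue;
            }
            for (BasicAuthorizerPermission permission : role.getPermissions()) {
                if (permissionCheck(resource, action, permission)) {
                    return new Access(true);
                }
            }
        }
        // Default deny: no permission of any resolved role matched.
        return new Access(false);
    }

    /**
     * Tests a single permission against the requested resource and action.
     *
     * @return {@code true} only when the action and the resource type are equal and the
     *         permission's resource-name pattern matches the whole resource name
     */
    private boolean permissionCheck(Resource resource, Action action, BasicAuthorizerPermission basicAuthorizerPermission) {
        if (!sameValue(action, basicAuthorizerPermission.getResourceAction().getAction())) {
            return false;
        }
        final Object grantedType = basicAuthorizerPermission.getResourceAction().getResource().getType();
        final Object requestedType = resource.getType();
        if (!sameValue(grantedType, requestedType)) {
            return false;
        }
        // matches() requires the pattern to cover the full name, so a permission on a prefix
        // does not implicitly extend to longer resource names.
        return basicAuthorizerPermission.getResourceNamePattern().matcher(resource.getName()).matches();
    }

    /**
     * Null-safe value comparison. For enum constants this is the same as {@code ==}; if the
     * compared type is (or later becomes) a String, equal values still compare equal, where a
     * bare identity check would silently reject non-interned but equal strings.
     */
    private static boolean sameValue(Object left, Object right) {
        return left == right || (left != null && left.equals(right));
    }

    /**
     * Returns the configuration assembled by the constructor.
     *
     * @return the {@link BasicAuthDBConfig} held by this authorizer
     */
    public BasicAuthDBConfig getDbConfig() {
        return this.dbConfig;
    }
}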
