package org.apache.druid.security.basic.authorization.endpoint;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.ImmutableMap;
import com.google.inject.Inject;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.Response;
import org.apache.druid.guice.annotations.Smile;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityDBResourceException;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions;
import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap;
import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.AuthorizerMapper;
import org.apache.druid.server.security.ResourceAction;

/* loaded from: input_file:org/apache/druid/security/basic/authorization/endpoint/CoordinatorBasicAuthorizerResourceHandler.class */
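/**
 * Handler behind the basic-authorizer management endpoints. It reads and changes users, group
 * mappings, roles and permissions through the {@link BasicAuthorizerMetadataStorageUpdater}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>No method in this class authenticates or authorizes the caller. Every operation here
 *       either discloses or changes the access-control configuration, so the permission check has
 *       to happen before a request reaches this handler (presumably in the JAX-RS resource or a
 *       resource filter; confirm against the caller).</li>
 *   <li>Only the authorizer name is checked here: it must name a configured
 *       {@link BasicRoleBasedAuthorizer}. User, role and group-mapping names and the permission
 *       list are handed to the storage updater as received.</li>
 *   <li>Failures are reported as HTTP 400 with an {@code "error"} entity. The message contains the
 *       caller-supplied name (authorizer, user, role or group mapping) or the text of the
 *       {@link BasicSecurityDBResourceException}.</li>
 * </ul>
 */
public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorizerResourceHandler {
    private static final Logger log = new Logger(CoordinatorBasicAuthorizerResourceHandler.class);
    private final BasicAuthorizerMetadataStorageUpdater storageUpdater;
    /** Configured authorizers of type {@link BasicRoleBasedAuthorizer}, keyed by authorizer name. */
    private final Map<String, BasicRoleBasedAuthorizer> authorizerMap = new HashMap<>();
    private final ObjectMapper objectMapper;

    /**
     * Keeps the updater and mapper, and indexes every {@link BasicRoleBasedAuthorizer} found in the
     * authorizer mapper. Authorizers of any other type are ignored, so requests naming them are
     * rejected as unknown.
     *
     * @param basicAuthorizerMetadataStorageUpdater store used for all reads and writes
     * @param authorizerMapper source of the configured authorizers
     * @param objectMapper mapper used to deserialize the stored user, role and group-mapping maps
     */
    @Inject
    public CoordinatorBasicAuthorizerResourceHandler(BasicAuthorizerMetadataStorageUpdater basicAuthorizerMetadataStorageUpdater, AuthorizerMapper authorizerMapper, @Smile ObjectMapper objectMapper) {
        this.storageUpdater = basicAuthorizerMetadataStorageUpdater;
        this.objectMapper = objectMapper;
        for (Map.Entry<String, Authorizer> entry : authorizerMapper.getAuthorizerMap().entrySet()) {
            Authorizer authorizer = entry.getValue();
            if (authorizer instanceof BasicRoleBasedAuthorizer) {
                this.authorizerMap.put(entry.getKey(), (BasicRoleBasedAuthorizer) authorizer);
            }
        }
    }

    /**
     * Lists the user names stored for an authorizer.
     *
     * @param str authorizer name
     * @return 200 with the set of user names, or 400 if the authorizer is unknown
     */
    @Override
    public Response getAllUsers(String str) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return Response.ok(loadUserMap(str).keySet()).build();
    }

    /**
     * Lists the group-mapping names stored for an authorizer.
     *
     * @param str authorizer name
     * @return 200 with the set of group-mapping names, or 400 if the authorizer is unknown
     */
    @Override
    public Response getAllGroupMappings(String str) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return Response.ok(loadGroupMappingMap(str).keySet()).build();
    }

    /**
     * Returns one user.
     *
     * @param str authorizer name
     * @param str2 user name
     * @param z when true, the user's roles are resolved to role objects
     * @param z2 only read when {@code z} is true: return roles with simplified permissions
     * @return 200 with the user, or 400 if the authorizer or user is unknown
     */
    @Override
    public Response getUser(String str, String str2, boolean z, boolean z2) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return z ? getUserFull(str, str2, z2) : getUserSimple(str, str2);
    }

    /**
     * Returns one group mapping.
     *
     * @param str authorizer name
     * @param str2 group-mapping name
     * @param z when true, the mapping's roles are resolved to role objects
     * @return 200 with the group mapping, or 400 if the authorizer or mapping is unknown
     */
    @Override
    public Response getGroupMapping(String str, String str2, boolean z) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return z ? getGroupMappingFull(str, str2) : getGroupMappingSimple(str, str2);
    }

    /**
     * Creates a user.
     *
     * @param str authorizer name
     * @param str2 user name, passed to the storage updater unchanged
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response createUser(String str, String str2) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.createUser(str, str2);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Creates a group mapping.
     *
     * @param str authorizer name
     * @param basicAuthorizerGroupMapping mapping to store, passed to the storage updater unchanged
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response createGroupMapping(String str, BasicAuthorizerGroupMapping basicAuthorizerGroupMapping) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.createGroupMapping(str, basicAuthorizerGroupMapping);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Deletes a user.
     *
     * @param str authorizer name
     * @param str2 user name
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response deleteUser(String str, String str2) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.deleteUser(str, str2);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Deletes a group mapping.
     *
     * @param str authorizer name
     * @param str2 group-mapping name
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response deleteGroupMapping(String str, String str2) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.deleteGroupMapping(str, str2);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Lists the role names stored for an authorizer.
     *
     * @param str authorizer name
     * @return 200 with the set of role names, or 400 if the authorizer is unknown
     */
    @Override
    public Response getAllRoles(String str) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return Response.ok(loadRoleMap(str).keySet()).build();
    }

    /**
     * Returns one role.
     *
     * @param str authorizer name
     * @param str2 role name
     * @param z when true, the response also reports which users (and, unless simplified, which
     *     group mappings) hold the role
     * @param z2 return the role with simplified permissions
     * @return 200 with the role, or 400 if the authorizer or role is unknown
     */
    @Override
    public Response getRole(String str, String str2, boolean z, boolean z2) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return z ? getRoleFull(str, str2, z2) : getRoleSimple(str, str2, z2);
    }

    /**
     * Creates a role.
     *
     * @param str authorizer name
     * @param str2 role name, passed to the storage updater unchanged
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response createRole(String str, String str2) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.createRole(str, str2);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Deletes a role.
     *
     * @param str authorizer name
     * @param str2 role name
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response deleteRole(String str, String str2) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.deleteRole(str, str2);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Grants a role to a user. This is a privilege-changing operation; see the class notes on
     * where the caller's permission must be checked.
     *
     * @param str authorizer name
     * @param str2 user name
     * @param str3 role name
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response assignRoleToUser(String str, String str2, String str3) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.assignUserRole(str, str2, str3);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Grants a role to a group mapping. This is a privilege-changing operation; see the class notes
     * on where the caller's permission must be checked.
     *
     * @param str authorizer name
     * @param str2 group-mapping name
     * @param str3 role name
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response assignRoleToGroupMapping(String str, String str2, String str3) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.assignGroupMappingRole(str, str2, str3);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Removes a role from a user.
     *
     * @param str authorizer name
     * @param str2 user name
     * @param str3 role name
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response unassignRoleFromUser(String str, String str2, String str3) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.unassignUserRole(str, str2, str3);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Removes a role from a group mapping.
     *
     * @param str authorizer name
     * @param str2 group-mapping name
     * @param str3 role name
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response unassignRoleFromGroupMapping(String str, String str2, String str3) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.unassignGroupMappingRole(str, str2, str3);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Sets the permission list of a role. The list is handed to the storage updater as received;
     * this method does not inspect its contents.
     *
     * @param str authorizer name
     * @param str2 role name
     * @param list permissions to store for the role
     * @return 200 on success, 400 if the authorizer is unknown or the updater rejects the request
     */
    @Override
    public Response setRolePermissions(String str, String str2, List<ResourceAction> list) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        try {
            this.storageUpdater.setPermissions(str, str2, list);
            return Response.ok().build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Returns the permission list of a role.
     *
     * @param str authorizer name
     * @param str2 role name
     * @return 200 with the permissions, or 400 if the authorizer or role is unknown
     */
    @Override
    public Response getRolePermissions(String str, String str2) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return getPermissions(str, str2);
    }

    /**
     * Returns the updater's cached user map and role map for an authorizer in one entity. The
     * response carries the complete user-to-role and role-to-permission data for that authorizer.
     *
     * @param str authorizer name
     * @return 200 with a {@link UserAndRoleMap}, or 400 if the authorizer is unknown
     */
    @Override
    public Response getCachedUserMaps(String str) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return Response.ok(new UserAndRoleMap(this.storageUpdater.getCachedUserMap(str), this.storageUpdater.getCachedRoleMap(str))).build();
    }

    /**
     * Returns the updater's cached group-mapping map and role map for an authorizer in one entity.
     *
     * @param str authorizer name
     * @return 200 with a {@link GroupMappingAndRoleMap}, or 400 if the authorizer is unknown
     */
    @Override
    public Response getCachedGroupMappingMaps(String str) {
        if (isUnknownAuthorizer(str)) {
            return makeResponseForAuthorizerNotFound(str);
        }
        return Response.ok(new GroupMappingAndRoleMap(this.storageUpdater.getCachedGroupMappingMap(str), this.storageUpdater.getCachedRoleMap(str))).build();
    }

    /**
     * Asks the storage updater to send its refresh-all notification.
     *
     * @return always 200
     */
    @Override
    public Response refreshAll() {
        this.storageUpdater.refreshAllNotification();
        return Response.ok().build();
    }

    /**
     * Always answers 404: this handler does not accept pushed user-map updates, and both arguments
     * are ignored.
     */
    @Override
    public Response authorizerUserUpdateListener(String str, byte[] bArr) {
        return Response.status(Response.Status.NOT_FOUND).build();
    }

    /**
     * Always answers 404: this handler does not accept pushed group-mapping updates, and both
     * arguments are ignored.
     */
    @Override
    public Response authorizerGroupMappingUpdateListener(String str, byte[] bArr) {
        return Response.status(Response.Status.NOT_FOUND).build();
    }

    /**
     * Reports, per configured authorizer, whether the updater currently holds a cached user map,
     * group-mapping map and role map (all three must be non-null).
     *
     * @return 200 with a map of authorizer name to load status
     */
    @Override
    public Response getLoadStatus() {
        Map<String, Boolean> loadStatus = new HashMap<>();
        for (String authorizerName : this.authorizerMap.keySet()) {
            boolean loaded = this.storageUpdater.getCachedUserMap(authorizerName) != null
                && this.storageUpdater.getCachedGroupMappingMap(authorizerName) != null
                && this.storageUpdater.getCachedRoleMap(authorizerName) != null;
            loadStatus.put(authorizerName, loaded);
        }
        return Response.ok(loadStatus).build();
    }

    /** True when no {@link BasicRoleBasedAuthorizer} is configured under the given name. */
    private boolean isUnknownAuthorizer(String authorizerName) {
        // The constructor never stores a null value, so a key check matches a null-value check.
        return !this.authorizerMap.containsKey(authorizerName);
    }

    /** Deserializes the current user map of an authorizer from the storage updater. */
    private Map<String, BasicAuthorizerUser> loadUserMap(String authorizerName) {
        return BasicAuthUtils.deserializeAuthorizerUserMap(this.objectMapper, this.storageUpdater.getCurrentUserMapBytes(authorizerName));
    }

    /** Deserializes the current group-mapping map of an authorizer from the storage updater. */
    private Map<String, BasicAuthorizerGroupMapping> loadGroupMappingMap(String authorizerName) {
        return BasicAuthUtils.deserializeAuthorizerGroupMappingMap(this.objectMapper, this.storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
    }

    /** Deserializes the current role map of an authorizer from the storage updater. */
    private Map<String, BasicAuthorizerRole> loadRoleMap(String authorizerName) {
        return BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, this.storageUpdater.getCurrentRoleMapBytes(authorizerName));
    }

    /**
     * Builds the 400 response for an unknown authorizer. The message echoes the requested name
     * inside the {@code "error"} entity value.
     */
    private static Response makeResponseForAuthorizerNotFound(String authorizerName) {
        return Response.status(Response.Status.BAD_REQUEST)
            .entity(ImmutableMap.of("error", StringUtils.format("Basic authorizer with name [%s] does not exist.", authorizerName)))
            .build();
    }

    /** Builds the 400 response for a storage error, returning the exception message to the caller. */
    private static Response makeResponseForBasicSecurityDBResourceException(BasicSecurityDBResourceException exception) {
        return Response.status(Response.Status.BAD_REQUEST)
            .entity(ImmutableMap.of("error", exception.getMessage()))
            .build();
    }

    /** Returns the stored user object as is, or 400 if the user does not exist. */
    private Response getUserSimple(String authorizerName, String userName) {
        try {
            BasicAuthorizerUser user = loadUserMap(authorizerName).get(userName);
            if (user == null) {
                throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName);
            }
            return Response.ok(user).build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Returns the user with its roles resolved to role objects, optionally with simplified
     * permissions, or 400 if the user does not exist.
     */
    private Response getUserFull(String authorizerName, String userName, boolean simplifyPermissions) {
        try {
            BasicAuthorizerUser user = loadUserMap(authorizerName).get(userName);
            if (user == null) {
                throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName);
            }
            Map<String, BasicAuthorizerRole> roleMap = loadRoleMap(authorizerName);
            if (simplifyPermissions) {
                return Response.ok(new BasicAuthorizerUserFullSimplifiedPermissions(userName, getRolesForUserWithSimplifiedPermissions(user, roleMap))).build();
            }
            return Response.ok(new BasicAuthorizerUserFull(userName, getRolesForUser(user, roleMap))).build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Resolves the user's role names against the role map and converts each found role to its
     * simplified-permissions form. A role name with no role object is logged and skipped.
     */
    private Set<BasicAuthorizerRoleSimplifiedPermissions> getRolesForUserWithSimplifiedPermissions(BasicAuthorizerUser basicAuthorizerUser, Map<String, BasicAuthorizerRole> map) {
        Set<BasicAuthorizerRoleSimplifiedPermissions> roles = new HashSet<>();
        for (String roleName : basicAuthorizerUser.getRoles()) {
            BasicAuthorizerRole role = map.get(roleName);
            if (role == null) {
                // A dangling role reference is reported but does not fail the request.
                log.error("User [%s] had role [%s], but role object was not found.", basicAuthorizerUser.getName(), roleName);
            } else {
                roles.add(new BasicAuthorizerRoleSimplifiedPermissions(role.getName(), null, BasicAuthorizerRoleSimplifiedPermissions.convertPermissions(role.getPermissions())));
            }
        }
        return roles;
    }

    /**
     * Resolves the user's role names against the role map. A role name with no role object is
     * logged and skipped.
     */
    private Set<BasicAuthorizerRole> getRolesForUser(BasicAuthorizerUser basicAuthorizerUser, Map<String, BasicAuthorizerRole> map) {
        Set<BasicAuthorizerRole> roles = new HashSet<>();
        for (String roleName : basicAuthorizerUser.getRoles()) {
            BasicAuthorizerRole role = map.get(roleName);
            if (role == null) {
                // A dangling role reference is reported but does not fail the request.
                log.error("User [%s] had role [%s], but role object was not found.", basicAuthorizerUser.getName(), roleName);
            } else {
                roles.add(role);
            }
        }
        return roles;
    }

    /** Returns the stored group mapping as is, or 400 if it does not exist. */
    private Response getGroupMappingSimple(String authorizerName, String groupMappingName) {
        try {
            BasicAuthorizerGroupMapping groupMapping = loadGroupMappingMap(authorizerName).get(groupMappingName);
            if (groupMapping == null) {
                throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
            }
            return Response.ok(groupMapping).build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Returns the group mapping with its roles resolved to role objects, or 400 if the mapping does
     * not exist. A role name with no role object is logged and skipped.
     */
    private Response getGroupMappingFull(String authorizerName, String groupMappingName) {
        try {
            BasicAuthorizerGroupMapping groupMapping = loadGroupMappingMap(authorizerName).get(groupMappingName);
            if (groupMapping == null) {
                throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
            }
            Map<String, BasicAuthorizerRole> roleMap = loadRoleMap(authorizerName);
            Set<BasicAuthorizerRole> roles = new HashSet<>();
            for (String roleName : groupMapping.getRoles()) {
                BasicAuthorizerRole role = roleMap.get(roleName);
                if (role == null) {
                    log.error("Group mapping [%s] had role [%s], but role was not found.", groupMappingName, roleName);
                } else {
                    roles.add(role);
                }
            }
            return Response.ok(new BasicAuthorizerGroupMappingFull(groupMapping.getName(), groupMapping.getGroupPattern(), roles)).build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Returns the stored role, optionally in simplified-permissions form without a user list, or
     * 400 if the role does not exist.
     */
    private Response getRoleSimple(String authorizerName, String roleName, boolean simplifyPermissions) {
        try {
            BasicAuthorizerRole role = loadRoleMap(authorizerName).get(roleName);
            if (role == null) {
                throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
            }
            if (simplifyPermissions) {
                return Response.ok(new BasicAuthorizerRoleSimplifiedPermissions(role, null)).build();
            }
            return Response.ok(role).build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /**
     * Returns the role together with the names of the users and group mappings that hold it, or
     * 400 if the role does not exist.
     */
    private Response getRoleFull(String authorizerName, String roleName, boolean simplifyPermissions) {
        try {
            BasicAuthorizerRole role = loadRoleMap(authorizerName).get(roleName);
            if (role == null) {
                throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
            }
            Map<String, BasicAuthorizerUser> userMap = loadUserMap(authorizerName);
            Map<String, BasicAuthorizerGroupMapping> groupMappingMap = loadGroupMappingMap(authorizerName);

            Set<String> userNames = new HashSet<>();
            for (BasicAuthorizerUser user : userMap.values()) {
                if (user.getRoles().contains(roleName)) {
                    userNames.add(user.getName());
                }
            }
            Set<String> groupMappingNames = new HashSet<>();
            for (BasicAuthorizerGroupMapping groupMapping : groupMappingMap.values()) {
                if (groupMapping.getRoles().contains(roleName)) {
                    groupMappingNames.add(groupMapping.getName());
                }
            }

            if (simplifyPermissions) {
                // The simplified form carries the user names only; group mappings are not included.
                return Response.ok(new BasicAuthorizerRoleSimplifiedPermissions(role, userNames)).build();
            }
            return Response.ok(new BasicAuthorizerRoleFull(roleName, userNames, groupMappingNames, role.getPermissions())).build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }

    /** Returns the permission list of a role, or 400 if the role does not exist. */
    private Response getPermissions(String authorizerName, String roleName) {
        try {
            BasicAuthorizerRole role = loadRoleMap(authorizerName).get(roleName);
            if (role == null) {
                throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
            }
            return Response.ok(role.getPermissions()).build();
        } catch (BasicSecurityDBResourceException e) {
            return makeResponseForBasicSecurityDBResourceException(e);
        }
    }
}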
