package org.apache.nifi.authorization;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import org.apache.nifi.authorization.AccessPolicy;
import org.apache.nifi.authorization.Group;
import org.apache.nifi.authorization.User;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/apache/nifi/authorization/AbstractPolicyBasedAuthorizer.class */
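/**
 * Base class for authorizers that decide access from a stored set of users, groups and access
 * policies.
 *
 * <p>The class enforces two uniqueness rules before delegating to the concrete store: a user
 * identity or group name may be used by only one tenant, and a (resource, action) pair may be
 * covered by only one policy. It also serialises the whole authorization state to an XML
 * "fingerprint" ({@link #getFingerprint()}) and loads such a fingerprint back
 * ({@link #inheritFingerprint(String)}).
 *
 * <p>The fingerprint passed to {@link #inheritFingerprint(String)} is parsed as XML and is treated
 * here as untrusted input: the shared parser factory rejects DOCTYPE declarations and does not
 * expand entity references, so external-entity and entity-expansion payloads fail to parse.
 */
public abstract class AbstractPolicyBasedAuthorizer implements Authorizer {
    /** Xerces/JAXP feature that makes the parser reject any document carrying a DOCTYPE. */
    private static final String DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

    static final DocumentBuilderFactory DOCUMENT_BUILDER_FACTORY = createDocumentBuilderFactory();
    static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
    static final String USER_ELEMENT = "user";
    static final String GROUP_USER_ELEMENT = "groupUser";
    static final String GROUP_ELEMENT = "group";
    static final String POLICY_ELEMENT = "policy";
    static final String POLICY_USER_ELEMENT = "policyUser";
    static final String POLICY_GROUP_ELEMENT = "policyGroup";
    static final String IDENTIFIER_ATTR = "identifier";
    static final String IDENTITY_ATTR = "identity";
    static final String NAME_ATTR = "name";
    static final String RESOURCE_ATTR = "resource";
    static final String ACTIONS_ATTR = "actions";
    public static final String EMPTY_FINGERPRINT = "EMPTY";

    /**
     * Builds the factory used to parse fingerprints, with DTD and entity processing switched off.
     *
     * <p>Fails closed: if the XML implementation on the classpath cannot enforce these settings,
     * class initialisation fails rather than falling back to a parser that resolves external
     * entities.
     *
     * @return a factory whose builders reject DOCTYPE declarations
     * @throws IllegalStateException if the parser does not support the required features
     */
    private static DocumentBuilderFactory createDocumentBuilderFactory() {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // A fingerprint written by getFingerprint() never contains a DOCTYPE, so rejecting
            // it outright costs nothing and closes XXE and entity-expansion in one step.
            factory.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("XML parser cannot be configured to reject DOCTYPE declarations", e);
        }
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /**
     * Configures the concrete authorizer and then validates the loaded state.
     *
     * <p>Validation runs after {@link #doOnConfigured} so that it sees whatever the subclass
     * loaded; it rejects duplicate policies for one (resource, action) pair and duplicate
     * identities/names across users and groups.
     *
     * @param authorizerConfigurationContext configuration handed through to the subclass
     * @throws AuthorizerCreationException if the subclass fails or the loaded state has duplicates
     */
    @Override
    public final void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws AuthorizerCreationException {
        doOnConfigured(authorizerConfigurationContext);
        for (AccessPolicy accessPolicy : getAccessPolicies()) {
            if (policyExists(accessPolicy)) {
                throw new AuthorizerCreationException(String.format("Found multiple policies for '%s' with '%s'.", accessPolicy.getResource(), accessPolicy.getAction()));
            }
        }
        for (User user : getUsers()) {
            if (tenantExists(user.getIdentifier(), user.getIdentity())) {
                throw new AuthorizerCreationException(String.format("Found multiple users/user groups with identity '%s'.", user.getIdentity()));
            }
        }
        for (Group group : getGroups()) {
            if (tenantExists(group.getIdentifier(), group.getName())) {
                throw new AuthorizerCreationException(String.format("Found multiple users/user groups with name '%s'.", group.getName()));
            }
        }
    }

    /**
     * Subclass hook that performs the actual configuration.
     *
     * @param authorizerConfigurationContext the configuration context
     * @throws AuthorizerCreationException if configuration fails
     */
    protected abstract void doOnConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws AuthorizerCreationException;

    /**
     * Reports whether a different policy already covers the same resource and action.
     *
     * @param candidate the policy being checked
     * @return {@code true} if another policy (different identifier) has the same resource and action
     */
    private boolean policyExists(AccessPolicy candidate) {
        for (AccessPolicy existing : getAccessPolicies()) {
            final boolean sameIdentifier = existing.getIdentifier().equals(candidate.getIdentifier());
            if (!sameIdentifier
                    && existing.getResource().equals(candidate.getResource())
                    && existing.getAction().equals(candidate.getAction())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether a different tenant already uses the given identity.
     *
     * <p>Users and groups share one namespace here: a user identity is compared against group
     * names and vice versa.
     *
     * @param identifier identifier of the tenant being checked, excluded from the comparison
     * @param identity user identity or group name to look for
     * @return {@code true} if another user or group carries {@code identity}
     */
    private boolean tenantExists(String identifier, String identity) {
        for (User user : getUsers()) {
            if (!user.getIdentifier().equals(identifier) && user.getIdentity().equals(identity)) {
                return true;
            }
        }
        for (Group group : getGroups()) {
            if (!group.getIdentifier().equals(identifier) && group.getName().equals(identity)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides a request against the current users and policies.
     *
     * <p>The outcome is approved only when the policy for the requested resource and action lists
     * the user's identifier or the identifier of one of the user's groups. No policy yields
     * "resource not found"; an unknown identity or a policy that does not list the user yields a
     * denial.
     *
     * @param authorizationRequest the request to evaluate
     * @return the authorization result
     * @throws AuthorizationAccessException if the underlying store cannot be read
     */
    @Override
    public final AuthorizationResult authorize(AuthorizationRequest authorizationRequest) throws AuthorizationAccessException {
        final UsersAndAccessPolicies usersAndAccessPolicies = getUsersAndAccessPolicies();
        final AccessPolicy accessPolicy = usersAndAccessPolicies.getAccessPolicy(authorizationRequest.getResource().getIdentifier(), authorizationRequest.getAction());
        if (accessPolicy == null) {
            return AuthorizationResult.resourceNotFound();
        }
        final User user = usersAndAccessPolicies.getUser(authorizationRequest.getIdentity());
        if (user == null) {
            return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", authorizationRequest.getIdentity()));
        }
        final boolean listedDirectly = accessPolicy.getUsers().contains(user.getIdentifier());
        if (listedDirectly || containsGroup(usersAndAccessPolicies.getGroups(user.getIdentity()), accessPolicy)) {
            return AuthorizationResult.approved();
        }
        return AuthorizationResult.denied();
    }

    /**
     * Reports whether the policy lists any of the given groups.
     *
     * @param set the groups the user belongs to
     * @param accessPolicy the policy being evaluated
     * @return {@code true} if at least one group identifier appears in the policy's groups
     */
    private boolean containsGroup(Set<Group> set, AccessPolicy accessPolicy) {
        if (set.isEmpty() || accessPolicy.getGroups().isEmpty()) {
            return false;
        }
        for (Group group : set) {
            if (accessPolicy.getGroups().contains(group.getIdentifier())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adds a group after checking that its name is not already used by another tenant.
     *
     * @param group the group to add
     * @return the group as returned by the store
     * @throws AuthorizationAccessException if the store cannot be accessed
     * @throws IllegalStateException if another user or group already uses the name
     */
    public final synchronized Group addGroup(Group group) throws AuthorizationAccessException {
        if (tenantExists(group.getIdentifier(), group.getName())) {
            throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", group.getName()));
        }
        return doAddGroup(group);
    }

    /** Store-level add; called by {@link #addGroup(Group)} once the uniqueness check has passed. */
    public abstract Group doAddGroup(Group group) throws AuthorizationAccessException;

    public abstract Group getGroup(String str) throws AuthorizationAccessException;

    /**
     * Updates a group after checking that its name is not already used by another tenant.
     *
     * @param group the group to update
     * @return the group as returned by the store
     * @throws AuthorizationAccessException if the store cannot be accessed
     * @throws IllegalStateException if another user or group already uses the name
     */
    public final synchronized Group updateGroup(Group group) throws AuthorizationAccessException {
        if (tenantExists(group.getIdentifier(), group.getName())) {
            throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", group.getName()));
        }
        return doUpdateGroup(group);
    }

    /** Store-level update; called by {@link #updateGroup(Group)} once the uniqueness check has passed. */
    public abstract Group doUpdateGroup(Group group) throws AuthorizationAccessException;

    public abstract Group deleteGroup(Group group) throws AuthorizationAccessException;

    public abstract Set<Group> getGroups() throws AuthorizationAccessException;

    /**
     * Adds a user after checking that its identity is not already used by another tenant.
     *
     * @param user the user to add
     * @return the user as returned by the store
     * @throws AuthorizationAccessException if the store cannot be accessed
     * @throws IllegalStateException if another user or group already uses the identity
     */
    public final synchronized User addUser(User user) throws AuthorizationAccessException {
        if (tenantExists(user.getIdentifier(), user.getIdentity())) {
            throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", user.getIdentity()));
        }
        return doAddUser(user);
    }

    /** Store-level add; called by {@link #addUser(User)} once the uniqueness check has passed. */
    public abstract User doAddUser(User user) throws AuthorizationAccessException;

    public abstract User getUser(String str) throws AuthorizationAccessException;

    public abstract User getUserByIdentity(String str) throws AuthorizationAccessException;

    /**
     * Updates a user after checking that its identity is not already used by another tenant.
     *
     * @param user the user to update
     * @return the user as returned by the store
     * @throws AuthorizationAccessException if the store cannot be accessed
     * @throws IllegalStateException if another user or group already uses the identity
     */
    public final synchronized User updateUser(User user) throws AuthorizationAccessException {
        if (tenantExists(user.getIdentifier(), user.getIdentity())) {
            throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", user.getIdentity()));
        }
        return doUpdateUser(user);
    }

    /** Store-level update; called by {@link #updateUser(User)} once the uniqueness check has passed. */
    public abstract User doUpdateUser(User user) throws AuthorizationAccessException;

    public abstract User deleteUser(User user) throws AuthorizationAccessException;

    public abstract Set<User> getUsers() throws AuthorizationAccessException;

    /**
     * Adds a policy after checking that no other policy covers the same resource and action.
     *
     * @param accessPolicy the policy to add
     * @return the policy as returned by the store
     * @throws AuthorizationAccessException if the store cannot be accessed
     * @throws IllegalStateException if another policy has the same resource and action
     */
    public final synchronized AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
        if (policyExists(accessPolicy)) {
            throw new IllegalStateException(String.format("Found multiple policies for '%s' with '%s'.", accessPolicy.getResource(), accessPolicy.getAction()));
        }
        return doAddAccessPolicy(accessPolicy);
    }

    /** Store-level add; called by {@link #addAccessPolicy(AccessPolicy)} once the uniqueness check has passed. */
    protected abstract AccessPolicy doAddAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException;

    public abstract AccessPolicy getAccessPolicy(String str) throws AuthorizationAccessException;

    // NOTE(review): unlike the add path, this class places no duplicate (resource, action) check
    // in front of updates; implementations have to enforce it themselves if it is required.
    public abstract AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException;

    public abstract AccessPolicy deleteAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException;

    public abstract Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException;

    public abstract UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException;

    /**
     * Loads the users, groups and policies described by an XML fingerprint into this authorizer.
     *
     * <p>The whole document is parsed and converted before anything is stored, so a malformed
     * fingerprint (bad XML, a DOCTYPE, an unknown policy action) leaves the authorizer untouched.
     * The store phase is not transactional: if an add is rejected, for example as a duplicate,
     * the entries added before it remain.
     *
     * @param str the fingerprint XML; {@code null} or blank is ignored
     * @throws AuthorizationAccessException if the fingerprint cannot be parsed or the store fails
     * @throws IllegalStateException if an entry has an unknown action or duplicates an existing one
     */
    public final void inheritFingerprint(String str) throws AuthorizationAccessException {
        if (str == null || str.trim().isEmpty()) {
            return;
        }
        final List<User> users = new ArrayList<>();
        final List<Group> groups = new ArrayList<>();
        final List<AccessPolicy> policies = new ArrayList<>();
        try (ByteArrayInputStream in = new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))) {
            final Element root = DOCUMENT_BUILDER_FACTORY.newDocumentBuilder().parse(in).getDocumentElement();
            final NodeList userNodes = root.getElementsByTagName(USER_ELEMENT);
            for (int i = 0; i < userNodes.getLength(); i++) {
                users.add(parseUser((Element) userNodes.item(i)));
            }
            final NodeList groupNodes = root.getElementsByTagName(GROUP_ELEMENT);
            for (int i = 0; i < groupNodes.getLength(); i++) {
                groups.add(parseGroup((Element) groupNodes.item(i)));
            }
            final NodeList policyNodes = root.getElementsByTagName(POLICY_ELEMENT);
            for (int i = 0; i < policyNodes.getLength(); i++) {
                policies.add(parsePolicy((Element) policyNodes.item(i)));
            }
        } catch (IOException | ParserConfigurationException | SAXException e) {
            throw new AuthorizationAccessException("Unable to parse fingerprint", e);
        }
        // Same order as the document: users, then groups, then policies.
        for (User user : users) {
            addUser(user);
        }
        for (Group group : groups) {
            addGroup(group);
        }
        for (AccessPolicy policy : policies) {
            addAccessPolicy(policy);
        }
    }

    /** Builds a user from the {@code identifier} and {@code identity} attributes of a user element. */
    private User parseUser(Element element) {
        return new User.Builder()
                .identifier(element.getAttribute(IDENTIFIER_ATTR))
                .identity(element.getAttribute(IDENTITY_ATTR))
                .build();
    }

    /** Builds a group from a group element and the identifiers of its {@code groupUser} children. */
    private Group parseGroup(Element element) {
        final Group.Builder builder = new Group.Builder()
                .identifier(element.getAttribute(IDENTIFIER_ATTR))
                .name(element.getAttribute(NAME_ATTR));
        final NodeList memberNodes = element.getElementsByTagName(GROUP_USER_ELEMENT);
        for (int i = 0; i < memberNodes.getLength(); i++) {
            builder.addUser(((Element) memberNodes.item(i)).getAttribute(IDENTIFIER_ATTR));
        }
        return builder.build();
    }

    /**
     * Builds a policy from a policy element and its {@code policyUser}/{@code policyGroup} children.
     *
     * @throws IllegalStateException if the {@code actions} attribute is neither READ nor WRITE
     */
    private AccessPolicy parsePolicy(Element element) {
        final AccessPolicy.Builder builder = new AccessPolicy.Builder()
                .identifier(element.getAttribute(IDENTIFIER_ATTR))
                .resource(element.getAttribute(RESOURCE_ATTR));
        final String action = element.getAttribute(ACTIONS_ATTR);
        // Only the two known actions are accepted; anything else is rejected rather than
        // mapped to a default, so a malformed fingerprint cannot produce a policy silently.
        if (action.equals(RequestAction.READ.name())) {
            builder.action(RequestAction.READ);
        } else if (action.equals(RequestAction.WRITE.name())) {
            builder.action(RequestAction.WRITE);
        } else {
            throw new IllegalStateException("Unknown Policy Action: " + action);
        }
        final NodeList userNodes = element.getElementsByTagName(POLICY_USER_ELEMENT);
        for (int i = 0; i < userNodes.getLength(); i++) {
            builder.addUser(((Element) userNodes.item(i)).getAttribute(IDENTIFIER_ATTR));
        }
        final NodeList groupNodes = element.getElementsByTagName(POLICY_GROUP_ELEMENT);
        for (int i = 0; i < groupNodes.getLength(); i++) {
            builder.addGroup(((Element) groupNodes.item(i)).getAttribute(IDENTIFIER_ATTR));
        }
        return builder.build();
    }

    /**
     * Serialises all users, groups and policies to an XML fingerprint.
     *
     * <p>Entries are written sorted by identifier, so the output does not depend on the
     * iteration order of the underlying sets.
     *
     * @return the XML document, or {@link #EMPTY_FINGERPRINT} when there is nothing to write
     * @throws AuthorizationAccessException if the XML cannot be generated or the store fails
     */
    public final String getFingerprint() throws AuthorizationAccessException {
        final List<User> sortedUsers = getSortedUsers();
        final List<Group> sortedGroups = getSortedGroups();
        final List<AccessPolicy> sortedAccessPolicies = getSortedAccessPolicies();
        if (sortedUsers.isEmpty() && sortedGroups.isEmpty() && sortedAccessPolicies.isEmpty()) {
            return EMPTY_FINGERPRINT;
        }
        XMLStreamWriter writer = null;
        final StringWriter out = new StringWriter();
        try {
            writer = XML_OUTPUT_FACTORY.createXMLStreamWriter(out);
            writer.writeStartDocument();
            writer.writeStartElement("authorizations");
            for (User user : sortedUsers) {
                writeUser(writer, user);
            }
            for (Group group : sortedGroups) {
                writeGroup(writer, group);
            }
            for (AccessPolicy policy : sortedAccessPolicies) {
                writePolicy(writer, policy);
            }
            writer.writeEndElement();
            writer.writeEndDocument();
            writer.flush();
        } catch (XMLStreamException e) {
            throw new AuthorizationAccessException("Unable to generate fingerprint", e);
        } finally {
            if (writer != null) {
                try {
                    writer.close();
                } catch (XMLStreamException ignored) {
                    // Best effort: the document has already been flushed to the StringWriter.
                }
            }
        }
        return out.toString();
    }

    /** Writes one {@code user} element with its identifier and identity. */
    private void writeUser(XMLStreamWriter xMLStreamWriter, User user) throws XMLStreamException {
        xMLStreamWriter.writeStartElement(USER_ELEMENT);
        xMLStreamWriter.writeAttribute(IDENTIFIER_ATTR, user.getIdentifier());
        xMLStreamWriter.writeAttribute(IDENTITY_ATTR, user.getIdentity());
        xMLStreamWriter.writeEndElement();
    }

    /** Writes one {@code group} element followed by its members, sorted by identifier. */
    private void writeGroup(XMLStreamWriter xMLStreamWriter, Group group) throws XMLStreamException {
        final List<String> memberIds = new ArrayList<>(group.getUsers());
        Collections.sort(memberIds);
        xMLStreamWriter.writeStartElement(GROUP_ELEMENT);
        xMLStreamWriter.writeAttribute(IDENTIFIER_ATTR, group.getIdentifier());
        xMLStreamWriter.writeAttribute(NAME_ATTR, group.getName());
        for (String memberId : memberIds) {
            xMLStreamWriter.writeStartElement(GROUP_USER_ELEMENT);
            xMLStreamWriter.writeAttribute(IDENTIFIER_ATTR, memberId);
            xMLStreamWriter.writeEndElement();
        }
        xMLStreamWriter.writeEndElement();
    }

    /** Writes one {@code policy} element followed by its users and groups, each sorted by identifier. */
    private void writePolicy(XMLStreamWriter xMLStreamWriter, AccessPolicy accessPolicy) throws XMLStreamException {
        final List<String> userIds = new ArrayList<>(accessPolicy.getUsers());
        Collections.sort(userIds);
        final List<String> groupIds = new ArrayList<>(accessPolicy.getGroups());
        Collections.sort(groupIds);
        xMLStreamWriter.writeStartElement(POLICY_ELEMENT);
        xMLStreamWriter.writeAttribute(IDENTIFIER_ATTR, accessPolicy.getIdentifier());
        xMLStreamWriter.writeAttribute(RESOURCE_ATTR, accessPolicy.getResource());
        xMLStreamWriter.writeAttribute(ACTIONS_ATTR, accessPolicy.getAction().name());
        for (String userId : userIds) {
            xMLStreamWriter.writeStartElement(POLICY_USER_ELEMENT);
            xMLStreamWriter.writeAttribute(IDENTIFIER_ATTR, userId);
            xMLStreamWriter.writeEndElement();
        }
        for (String groupId : groupIds) {
            xMLStreamWriter.writeStartElement(POLICY_GROUP_ELEMENT);
            xMLStreamWriter.writeAttribute(IDENTIFIER_ATTR, groupId);
            xMLStreamWriter.writeEndElement();
        }
        xMLStreamWriter.writeEndElement();
    }

    /** Returns a copy of the access policies ordered by identifier. */
    private List<AccessPolicy> getSortedAccessPolicies() {
        final List<AccessPolicy> sorted = new ArrayList<>(getAccessPolicies());
        Collections.sort(sorted, new Comparator<AccessPolicy>() {
            @Override
            public int compare(AccessPolicy left, AccessPolicy right) {
                return left.getIdentifier().compareTo(right.getIdentifier());
            }
        });
        return sorted;
    }

    /** Returns a copy of the groups ordered by identifier. */
    private List<Group> getSortedGroups() {
        final List<Group> sorted = new ArrayList<>(getGroups());
        Collections.sort(sorted, new Comparator<Group>() {
            @Override
            public int compare(Group left, Group right) {
                return left.getIdentifier().compareTo(right.getIdentifier());
            }
        });
        return sorted;
    }

    /** Returns a copy of the users ordered by identifier. */
    private List<User> getSortedUsers() {
        final List<User> sorted = new ArrayList<>(getUsers());
        Collections.sort(sorted, new Comparator<User>() {
            @Override
            public int compare(User left, User right) {
                return left.getIdentifier().compareTo(right.getIdentifier());
            }
        });
        return sorted;
    }
}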
