package org.apache.nifi.registry.web.api;

import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import javassist.compiler.TokenId;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.nifi.registry.authorization.AccessPolicy;
import org.apache.nifi.registry.authorization.AccessPolicySummary;
import org.apache.nifi.registry.authorization.Resource;
import org.apache.nifi.registry.exception.ResourceNotFoundException;
import org.apache.nifi.registry.security.authorization.Authorizer;
import org.apache.nifi.registry.security.authorization.AuthorizerCapabilityDetection;
import org.apache.nifi.registry.security.authorization.RequestAction;
import org.apache.nifi.registry.security.authorization.user.NiFiUserUtils;
import org.apache.nifi.registry.service.AuthorizationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

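/**
 * JAX-RS resource exposing CRUD operations on access policies under {@code /policies}.
 *
 * <p>Every endpoint authorizes the caller through {@link #authorizeAccess(RequestAction)}, which
 * checks the requested action against the single "policies" authorizable. It does not check the
 * resource that an individual policy governs, so WRITE or DELETE on policies is enough to change
 * any access policy served here and should be granted as sparingly as an administrator role.
 *
 * <p>NOTE(review): the read and mutate endpoints run the authorizer-capability check before the
 * authorization check. If the two failures are mapped to different responses (the Swagger
 * annotations suggest 409 versus 403), a caller without any permission can tell whether the
 * authorizer is managed/configurable. Confirm this ordering is intended.
 *
 * <p>The 401 and 403 response codes are written as literals; they are documentation-only values
 * for Swagger and were previously expressed through unrelated {@code javassist} constants that
 * happen to have the same numeric values.
 */
@Api(value = "/policies", description = "Endpoint for managing access policies.")
@Path("/policies")
@Component
public class AccessPolicyResource extends AuthorizableApplicationResource {
    private static final Logger logger = LoggerFactory.getLogger(AccessPolicyResource.class);

    /**
     * Creates the resource with the authorizer and authorization service supplied by Spring.
     *
     * @param authorizer the authorizer used for capability detection and access decisions
     * @param authorizationService the service that stores and retrieves access policies
     */
    @Autowired
    public AccessPolicyResource(Authorizer authorizer, AuthorizationService authorizationService) {
        super(authorizer, authorizationService);
    }

    /**
     * Creates a new access policy.
     *
     * <p>The caller must hold WRITE on the policies authorizable. The request body must be present,
     * must not carry an identifier (the service assigns one), and must name a resource.
     *
     * @param httpServletRequest the current request (unused by this method)
     * @param accessPolicy the policy to create
     * @return a "created" response whose location is the new policy's URI
     * @throws IllegalStateException if the authorizer does not support configurable policies
     * @throws IllegalArgumentException if the body is missing, has an identifier, or has no resource
     */
    @ApiResponses({
            @ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."),
            @ApiResponse(code = 401, message = "Client could not be authenticated."),
            @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
            @ApiResponse(code = 409, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry might not be configured to use a ConfigurableAccessPolicyProvider.")})
    @Consumes({"application/json"})
    @ApiOperation(value = "Creates an access policy", response = AccessPolicy.class)
    @POST
    @Produces({"application/json"})
    public Response createAccessPolicy(@Context HttpServletRequest httpServletRequest, @ApiParam(value = "The access policy configuration details.", required = true) AccessPolicy accessPolicy) {
        verifyAuthorizerSupportsConfigurablePolicies();
        // Authorization happens before any inspection of the request body.
        authorizeAccess(RequestAction.WRITE);
        if (accessPolicy == null) {
            throw new IllegalArgumentException("Access policy details must be specified when creating a new policy.");
        }
        if (accessPolicy.getIdentifier() != null) {
            throw new IllegalArgumentException("Access policy ID cannot be specified when creating a new policy.");
        }
        if (accessPolicy.getResource() == null) {
            throw new IllegalArgumentException("Resource must be specified when creating a new access policy.");
        }
        // The parsed value is discarded; the call is kept for validation only.
        // Presumably it throws on an unknown action string -- confirm against RequestAction.
        RequestAction.valueOfValue(accessPolicy.getAction());
        AccessPolicy createdPolicy = this.authorizationService.createAccessPolicy(accessPolicy);
        return generateCreatedResponse(URI.create(generateAccessPolicyUri(createdPolicy)), createdPolicy).build();
    }

    /**
     * Returns all access policies.
     *
     * <p>The caller must hold READ on the policies authorizable.
     *
     * @return an OK response containing the policies, or an empty list if the service returns null
     * @throws IllegalStateException if the authorizer is not a managed authorizer
     */
    @GET
    @ApiResponses({
            @ApiResponse(code = 401, message = "Client could not be authenticated."),
            @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
            @ApiResponse(code = 409, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Consumes({"*/*"})
    @ApiOperation(value = "Gets all access policies", response = AccessPolicy.class, responseContainer = "List")
    @Produces({"application/json"})
    public Response getAccessPolicies() {
        verifyAuthorizerIsManaged();
        authorizeAccess(RequestAction.READ);
        List<AccessPolicy> accessPolicies = this.authorizationService.getAccessPolicies();
        if (accessPolicies == null) {
            accessPolicies = Collections.emptyList();
        }
        return generateOkResponse(accessPolicies).build();
    }

    /**
     * Returns the access policy with the given identifier.
     *
     * <p>The caller must hold READ on the policies authorizable.
     *
     * @param identifier the access policy id taken from the request path
     * @return an OK response containing the policy
     * @throws IllegalStateException if the authorizer is not a managed authorizer
     * @throws ResourceNotFoundException if no policy has that identifier
     */
    @GET
    @ApiResponses({
            @ApiResponse(code = 401, message = "Client could not be authenticated."),
            @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
            @ApiResponse(code = 404, message = "The specified resource could not be found."),
            @ApiResponse(code = 409, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("{id}")
    @Consumes({"*/*"})
    @ApiOperation(value = "Gets an access policy", response = AccessPolicy.class)
    @Produces({"application/json"})
    public Response getAccessPolicy(@PathParam("id") @ApiParam(value = "The access policy id.", required = true) String identifier) {
        verifyAuthorizerIsManaged();
        authorizeAccess(RequestAction.READ);
        AccessPolicy accessPolicy = this.authorizationService.getAccessPolicy(identifier);
        if (accessPolicy == null) {
            // The message echoes the caller-supplied id.
            throw new ResourceNotFoundException("No access policy found with ID " + identifier);
        }
        return generateOkResponse(accessPolicy).build();
    }

    /**
     * Returns the access policy for an action and resource pair.
     *
     * <p>The resource path parameter matches the remainder of the URL ({@code .+}) and is prefixed
     * with {@code "/"} before the lookup.
     *
     * <p>NOTE(review): the Swagger notes describe a permission check on the specific policy being
     * requested; the only check visible in this method is READ on the policies authorizable.
     * Confirm whether the service enforces the per-policy check.
     *
     * @param action the request action string, parsed with {@code RequestAction.valueOfValue}
     * @param resource the resource path without its leading slash
     * @return an OK response containing the policy
     * @throws IllegalStateException if the authorizer is not a managed authorizer
     * @throws ResourceNotFoundException if the service returns no policy for the pair
     */
    @GET
    @ApiResponses({
            @ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."),
            @ApiResponse(code = 401, message = "Client could not be authenticated."),
            @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
            @ApiResponse(code = 404, message = "The specified resource could not be found."),
            @ApiResponse(code = 409, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("{action}/{resource: .+}")
    @Consumes({"*/*"})
    @ApiOperation(value = "Gets an access policy for the specified action and resource", notes = "Will return the effective policy if no specific policy exists for the specified action and resource. Must have Read permissions to the policy with the desired action and resource. Permissions for the policy that is returned will be indicated in the response. If the client does not have permissions to that policy, the response will not include the policy and the permissions in the response will be marked accordingly. If the client does not have permissions to the policy of the desired action and resource a 403 response will be returned.", response = AccessPolicy.class)
    @Produces({"application/json"})
    public Response getAccessPolicyForResource(@PathParam("action") @ApiParam(value = "The request action.", allowableValues = "read, write, delete", required = true) String action, @PathParam("resource") @ApiParam(value = "The resource of the policy.", required = true) String resource) {
        verifyAuthorizerIsManaged();
        authorizeAccess(RequestAction.READ);
        String resourcePath = "/" + resource;
        AccessPolicy accessPolicy = this.authorizationService.getAccessPolicy(resourcePath, RequestAction.valueOfValue(action));
        if (accessPolicy == null) {
            throw new ResourceNotFoundException("No policy found for action='" + action + "', resource='" + resourcePath + "'");
        }
        return generateOkResponse(accessPolicy).build();
    }

    /**
     * Updates an existing access policy.
     *
     * <p>The caller must hold WRITE on the policies authorizable. The identifier in the body must
     * equal the identifier in the path, so a request cannot address one policy and modify another.
     *
     * @param httpServletRequest the current request (unused by this method)
     * @param identifier the access policy id taken from the request path
     * @param accessPolicy the new policy state
     * @return an OK response containing the updated policy
     * @throws IllegalStateException if the authorizer does not support configurable policies
     * @throws IllegalArgumentException if the body is missing or its id differs from the path id
     * @throws ResourceNotFoundException if the service returns no policy for the update
     */
    @ApiResponses({
            @ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."),
            @ApiResponse(code = 401, message = "Client could not be authenticated."),
            @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
            @ApiResponse(code = 404, message = "The specified resource could not be found."),
            @ApiResponse(code = 409, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry might not be configured to use a ConfigurableAccessPolicyProvider.")})
    @Path("{id}")
    @Consumes({"application/json"})
    @ApiOperation(value = "Updates a access policy", response = AccessPolicy.class)
    @Produces({"application/json"})
    @PUT
    public Response updateAccessPolicy(@Context HttpServletRequest httpServletRequest, @PathParam("id") @ApiParam(value = "The access policy id.", required = true) String identifier, @ApiParam(value = "The access policy configuration details.", required = true) AccessPolicy accessPolicy) {
        verifyAuthorizerSupportsConfigurablePolicies();
        authorizeAccess(RequestAction.WRITE);
        if (accessPolicy == null) {
            throw new IllegalArgumentException("Access policy details must be specified when updating a policy.");
        }
        if (!identifier.equals(accessPolicy.getIdentifier())) {
            throw new IllegalArgumentException(String.format("The policy id in the request body (%s) does not equal the policy id of the requested resource (%s).", accessPolicy.getIdentifier(), identifier));
        }
        AccessPolicy updatedPolicy = this.authorizationService.updateAccessPolicy(accessPolicy);
        if (updatedPolicy == null) {
            // Matches the get and delete endpoints and the documented 404. The previous code
            // dereferenced the result in a discarded URI computation, so a null result surfaced
            // as a NullPointerException instead.
            throw new ResourceNotFoundException("No access policy found with ID " + identifier);
        }
        return generateOkResponse(updatedPolicy).build();
    }

    /**
     * Deletes the access policy with the given identifier.
     *
     * <p>The caller must hold DELETE on the policies authorizable.
     *
     * @param httpServletRequest the current request (unused by this method)
     * @param identifier the access policy id taken from the request path
     * @return an OK response containing the policy that was deleted
     * @throws IllegalStateException if the authorizer does not support configurable policies
     * @throws ResourceNotFoundException if the service returns no policy for the deletion
     */
    @ApiResponses({
            @ApiResponse(code = 401, message = "Client could not be authenticated."),
            @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
            @ApiResponse(code = 404, message = "The specified resource could not be found."),
            @ApiResponse(code = 409, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry might not be configured to use a ConfigurableAccessPolicyProvider.")})
    @Path("{id}")
    @Consumes({"*/*"})
    @DELETE
    @ApiOperation(value = "Deletes an access policy", response = AccessPolicy.class)
    @Produces({"application/json"})
    public Response removeAccessPolicy(@Context HttpServletRequest httpServletRequest, @PathParam("id") @ApiParam(value = "The access policy id.", required = true) String identifier) {
        verifyAuthorizerSupportsConfigurablePolicies();
        authorizeAccess(RequestAction.DELETE);
        AccessPolicy deletedPolicy = this.authorizationService.deleteAccessPolicy(identifier);
        if (deletedPolicy == null) {
            throw new ResourceNotFoundException("No access policy found with ID " + identifier);
        }
        return generateOkResponse(deletedPolicy).build();
    }

    /**
     * Returns the resources that can have access policies attached.
     *
     * <p>The caller must hold READ on the policies authorizable. Unlike the other read endpoints,
     * this one performs no authorizer-capability check.
     *
     * @return an OK response containing whatever the service reports as available resources
     */
    @GET
    @ApiResponses({
            @ApiResponse(code = 401, message = "Client could not be authenticated."),
            @ApiResponse(code = 403, message = "Client is not authorized to make this request.")})
    @Path("/resources")
    @Consumes({"*/*"})
    @ApiOperation(value = "Gets the available resources that support access/authorization policies", response = Resource.class, responseContainer = "List")
    @Produces({"application/json"})
    public Response getResources() {
        authorizeAccess(RequestAction.READ);
        return generateOkResponse(this.authorizationService.getResources()).build();
    }

    /**
     * Rejects the request unless the configured authorizer is a managed authorizer.
     *
     * @throws IllegalStateException if the authorizer is not managed
     */
    private void verifyAuthorizerIsManaged() {
        if (!AuthorizerCapabilityDetection.isManagedAuthorizer(this.authorizer)) {
            throw new IllegalStateException(AuthorizationService.MSG_NON_MANAGED_AUTHORIZER);
        }
    }

    /**
     * Rejects the request unless the configured authorizer supports configurable access policies.
     *
     * @throws IllegalStateException with the non-managed message if the authorizer is not managed,
     *     otherwise with the non-configurable-policies message
     */
    private void verifyAuthorizerSupportsConfigurablePolicies() {
        if (AuthorizerCapabilityDetection.isConfigurableAccessPolicyProvider(this.authorizer)) {
            return;
        }
        // Run the managed check first so an unmanaged authorizer fails with its own message.
        verifyAuthorizerIsManaged();
        throw new IllegalStateException(AuthorizationService.MSG_NON_CONFIGURABLE_POLICIES);
    }

    /**
     * Authorizes the current user for the given action on the policies authorizable.
     *
     * <p>The user is read from {@code NiFiUserUtils.getNiFiUser()}. The decision is delegated to
     * the authorizable's {@code authorize} call; how a denial is reported is not visible here.
     *
     * @param requestAction the action the caller is attempting
     */
    private void authorizeAccess(RequestAction requestAction) {
        this.authorizationService.authorizeAccess(authorizableLookup -> {
            authorizableLookup.getPoliciesAuthorizable().authorize(this.authorizer, requestAction, NiFiUserUtils.getNiFiUser());
        });
    }

    /**
     * Builds the resource URI for a policy under the {@code policies} path.
     *
     * @param accessPolicySummary the policy whose identifier is used; must not be null
     * @return the URI string produced by {@code generateResourceUri}
     */
    private String generateAccessPolicyUri(AccessPolicySummary accessPolicySummary) {
        return generateResourceUri("policies", accessPolicySummary.getIdentifier());
    }
}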
