package org.apache.nifi.registry.security.authorization;

import java.util.List;
import java.util.Objects;
import org.apache.nifi.registry.exception.ResourceNotFoundException;
import org.apache.nifi.registry.security.authorization.exception.AccessDeniedException;
import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.registry.security.authorization.resource.Authorizable;
import org.apache.nifi.registry.security.authorization.resource.ResourceFactory;
import org.apache.nifi.registry.security.authorization.resource.ResourceType;
import org.apache.nifi.registry.security.authorization.user.NiFiUser;
import org.apache.nifi.registry.security.authorization.user.StandardNiFiUser;
import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
import org.apache.nifi.registry.service.RegistryService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-0.5.0.jar:org/apache/nifi/registry/security/authorization/FrameworkAuthorizer.class */
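/**
 * Authorizer decorator that applies framework-level rules before delegating to the
 * configured (wrapped) {@link Authorizer}.
 *
 * <p>Evaluation order in {@link #authorize(AuthorizationRequest)}:
 * <ol>
 *   <li>READ requests on a bucket resource whose bucket has public read enabled are approved
 *       immediately, before any identity is examined;</li>
 *   <li>anonymous requests are denied;</li>
 *   <li>every identity in the request's proxy chain must be authorized for the requested
 *       action on the proxy resource;</li>
 *   <li>the wrapped authorizer makes the final decision.</li>
 * </ol>
 */
public class FrameworkAuthorizer implements Authorizer {
    // NOTE(review): this field is public and non-final, so any code on the classpath can replace
    // the logger used for authorization decisions. Left unchanged here to keep the class's
    // visible interface intact; consider making it private static final.
    public static Logger LOGGER = LoggerFactory.getLogger(FrameworkAuthorizer.class);

    /** Root-level authorizable standing for the proxy resource; it has no parent to inherit from. */
    private static final Authorizable PROXY_AUTHORIZABLE = new Authorizable() {
        @Override
        public Authorizable getParentAuthorizable() {
            return null;
        }

        @Override
        public Resource getResource() {
            return ResourceFactory.getProxyResource();
        }
    };

    private final Authorizer wrappedAuthorizer;
    private final RegistryService registryService;

    /**
     * @param authorizer the authorizer that makes the final decision; must not be null
     * @param registryService used to look up a bucket's public-read flag; must not be null
     * @throws NullPointerException if either argument is null
     */
    public FrameworkAuthorizer(Authorizer authorizer, RegistryService registryService) {
        this.wrappedAuthorizer = Objects.requireNonNull(authorizer, "authorizer");
        this.registryService = Objects.requireNonNull(registryService, "registryService");
    }

    /** Passes initialization through to the wrapped authorizer. */
    public void initialize(AuthorizerInitializationContext authorizerInitializationContext) throws SecurityProviderCreationException {
        this.wrappedAuthorizer.initialize(authorizerInitializationContext);
    }

    /** Passes configuration through to the wrapped authorizer. */
    public void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws SecurityProviderCreationException {
        this.wrappedAuthorizer.onConfigured(authorizerConfigurationContext);
    }

    /**
     * Decides whether the request is allowed.
     *
     * <p>The public-read shortcut runs first, so a READ on a public bucket is approved without
     * evaluating the end user or any proxy identity. Every other request needs a non-anonymous
     * user, a proxy chain in which each identity is authorized on the proxy resource, and an
     * approval from the wrapped authorizer.
     *
     * @param authorizationRequest the request to evaluate
     * @return an approved result, a denied result carrying an explanation, or whatever the
     *         wrapped authorizer returns
     * @throws AuthorizationAccessException declared for failures while reaching the policy store
     */
    public AuthorizationResult authorize(AuthorizationRequest authorizationRequest) throws AuthorizationAccessException {
        final Resource resource = authorizationRequest.getResource();
        final RequestAction action = authorizationRequest.getAction();

        if (isPublicAccessAllowed(resource, action)) {
            LOGGER.debug("Authorizing access to public resource '{}'", resource.getIdentifier());
            return AuthorizationResult.approved();
        }

        if (authorizationRequest.isAnonymous()) {
            return AuthorizationResult.denied("Anonymous access is not authorized");
        }

        // NOTE(review): assumes getProxyIdentities() never returns null - confirm against
        // AuthorizationRequest; a null here surfaces as a NullPointerException rather than a denial.
        final List<String> proxyIdentities = authorizationRequest.getProxyIdentities();
        LOGGER.debug("Found {} proxy identities", proxyIdentities.size());

        for (final String proxyIdentity : proxyIdentities) {
            final NiFiUser proxyUser = createProxyNiFiUser(proxyIdentity);
            LOGGER.debug("Authorizing proxy [{}] for {}", proxyIdentity, action);
            try {
                PROXY_AUTHORIZABLE.authorize(this.wrappedAuthorizer, action, proxyUser);
            } catch (AccessDeniedException e) {
                // One untrusted hop is enough to reject the whole chain.
                return AuthorizationResult.denied(
                        String.format("Untrusted proxy [%s] for %s operation.", proxyIdentity, action));
            }
        }

        return this.wrappedAuthorizer.authorize(authorizationRequest);
    }

    /**
     * Reports whether the request is a READ on a bucket resource whose bucket allows public read.
     *
     * <p>Fails closed: a missing resource or action, an identifier that is not under the bucket
     * prefix, an unknown bucket, an unset flag, or any error during the lookup yields
     * {@code false}.
     *
     * @param resource the requested resource, may be null
     * @param requestAction the requested action, may be null
     * @return {@code true} only for READ on a bucket flagged for public read
     */
    private boolean isPublicAccessAllowed(Resource resource, RequestAction requestAction) {
        // Only READ can ever be public, so reject everything else before touching the registry
        // service; this keeps non-READ requests from triggering a bucket lookup.
        if (resource == null || requestAction != RequestAction.READ) {
            return false;
        }

        final String identifier = resource.getIdentifier();
        if (identifier == null || !identifier.startsWith(ResourceType.Bucket.getValue() + "/")) {
            return false;
        }

        // The prefix check guarantees at least one '/', so only a trailing slash (empty id) is rejected.
        // NOTE(review): the bucket id is taken from the LAST path segment, not the segment directly
        // after the bucket prefix. Confirm that identifiers under this prefix never carry further
        // segments; otherwise the flag of one bucket could govern a differently scoped resource.
        final int lastSlash = identifier.lastIndexOf('/');
        if (lastSlash >= identifier.length() - 1) {
            return false;
        }
        final String bucketId = identifier.substring(lastSlash + 1);

        try {
            // Boolean.TRUE.equals treats an unset (null) flag as "not public" instead of raising a
            // NullPointerException that would be reported as a lookup error.
            return Boolean.TRUE.equals(this.registryService.getBucket(bucketId).isAllowPublicRead());
        } catch (ResourceNotFoundException e) {
            LOGGER.debug("Cannot determine public access, bucket not found with id [{}]", bucketId);
            return false;
        } catch (Exception e) {
            // Deliberately broad: any failure while checking the flag must deny public access.
            // The id is passed as a plain argument so it is not rendered as a nested array, and
            // the exception stays last so the logger records its stack trace.
            LOGGER.error("Error checking public access to bucket with id [{}]", bucketId, e);
            return false;
        }
    }

    /** Builds a user object carrying only the given proxy identity. */
    private NiFiUser createProxyNiFiUser(String str) {
        return new StandardNiFiUser.Builder().identity(str).build();
    }

    /** Passes the shutdown hook through to the wrapped authorizer. */
    public void preDestruction() throws SecurityProviderDestructionException {
        this.wrappedAuthorizer.preDestruction();
    }
}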
