package org.apache.nifi.registry.security.authorization.database;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.sql.DataSource;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.apache.nifi.registry.security.authorization.AbstractConfigurableAccessPolicyProvider;
import org.apache.nifi.registry.security.authorization.AccessPolicy;
import org.apache.nifi.registry.security.authorization.AccessPolicyProviderInitializationContext;
import org.apache.nifi.registry.security.authorization.AuthorizerConfigurationContext;
import org.apache.nifi.registry.security.authorization.Group;
import org.apache.nifi.registry.security.authorization.RequestAction;
import org.apache.nifi.registry.security.authorization.User;
import org.apache.nifi.registry.security.authorization.annotation.AuthorizerContext;
import org.apache.nifi.registry.security.authorization.database.entity.DatabaseAccessPolicy;
import org.apache.nifi.registry.security.authorization.database.mapper.DatabaseAccessPolicyRowMapper;
import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.registry.security.authorization.exception.UninheritableAuthorizationsException;
import org.apache.nifi.registry.security.authorization.util.AccessPolicyProviderUtils;
import org.apache.nifi.registry.security.authorization.util.InitialPolicies;
import org.apache.nifi.registry.security.authorization.util.ResourceAndAction;
import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
import org.apache.nifi.registry.security.identity.IdentityMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-1.14.0.jar:org/apache/nifi/registry/security/authorization/database/DatabaseAccessPolicyProvider.class */
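/**
 * Access policy provider that keeps authorization policies in a relational database, accessed through a
 * Spring {@link JdbcTemplate}.
 *
 * <p>Three tables are used: {@code APP_POLICY} (identifier, resource, action), {@code APP_POLICY_USER} and
 * {@code APP_POLICY_GROUP} (policy identifier to user/group identifier). Every statement in this class passes
 * caller-supplied values as bind parameters ({@code ?}); no SQL text is assembled from input.
 *
 * <p>On configuration the provider seeds policies for the configured initial admin identity, NiFi identities
 * and NiFi group. Seeding is written to be repeatable: a principal that is already a member of a policy is
 * left alone rather than inserted a second time.
 *
 * <p>Fingerprinting is not supported; the three fingerprint methods always throw
 * {@link UnsupportedOperationException}.
 */
public class DatabaseAccessPolicyProvider extends AbstractConfigurableAccessPolicyProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(DatabaseAccessPolicyProvider.class);
    private DataSource dataSource;
    private IdentityMapper identityMapper;
    private JdbcTemplate jdbcTemplate;

    /**
     * Receives the data source that backs the policy tables.
     *
     * @param dataSource data source used to build the {@link JdbcTemplate} in {@link #doInitialize}
     */
    @AuthorizerContext
    public void setDataSource(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /**
     * Receives the identity mapper handed to {@link AccessPolicyProviderUtils} when the configured seed
     * identities are read.
     *
     * @param identityMapper mapper passed through to the configuration helpers
     */
    @AuthorizerContext
    public void setIdentityMapper(IdentityMapper identityMapper) {
        this.identityMapper = identityMapper;
    }

    /**
     * Runs the parent initialization and then creates the {@link JdbcTemplate} from the injected data source.
     *
     * @param accessPolicyProviderInitializationContext context forwarded to the parent class
     * @throws SecurityProviderCreationException declared by the parent contract
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.nifi.registry.security.authorization.AbstractConfigurableAccessPolicyProvider
    public void doInitialize(AccessPolicyProviderInitializationContext accessPolicyProviderInitializationContext) throws SecurityProviderCreationException {
        super.doInitialize(accessPolicyProviderInitializationContext);
        this.jdbcTemplate = new JdbcTemplate(this.dataSource);
    }

    /**
     * Seeds policies for the initial admin, the NiFi identities and the NiFi group named in the configuration.
     * Each of the three is skipped when its configuration value is blank or empty.
     *
     * @param authorizerConfigurationContext configuration the seed identities are read from
     * @throws SecurityProviderCreationException if a configured user identity cannot be found in the user group provider
     */
    @Override // org.apache.nifi.registry.security.authorization.AbstractConfigurableAccessPolicyProvider
    public void doOnConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws SecurityProviderCreationException {
        final String initialAdminIdentity = AccessPolicyProviderUtils.getInitialAdminIdentity(authorizerConfigurationContext, this.identityMapper);
        final Set<String> niFiIdentities = AccessPolicyProviderUtils.getNiFiIdentities(authorizerConfigurationContext, this.identityMapper);
        final String niFiGroupName = AccessPolicyProviderUtils.getNiFiGroupName(authorizerConfigurationContext, this.identityMapper);

        // Parameterized logging, matching the style the NiFi identities message already uses.
        if (!StringUtils.isBlank(initialAdminIdentity)) {
            LOGGER.info("Populating authorizations for Initial Admin: '{}'", initialAdminIdentity);
            populateInitialAdmin(initialAdminIdentity);
        }
        if (!CollectionUtils.isEmpty(niFiIdentities)) {
            LOGGER.info("Populating authorizations for NiFi identities: [{}]", StringUtils.join(niFiIdentities, ";"));
            populateNiFiIdentities(niFiIdentities);
        }
        if (!StringUtils.isBlank(niFiGroupName)) {
            LOGGER.info("Populating authorizations for NiFi Group: '{}'", niFiGroupName);
            populateNiFiGroup(niFiGroupName);
        }
    }

    /**
     * Grants every entry of {@link InitialPolicies#ADMIN_POLICIES} to the user with the given identity.
     *
     * @param str identity of the initial admin
     * @throws SecurityProviderCreationException if the user group provider does not know the identity
     */
    private void populateInitialAdmin(String str) {
        final User initialAdmin = getUserGroupProvider().getUserByIdentity(str);
        if (initialAdmin == null) {
            // Fail startup rather than come up with no administrator able to manage policies.
            throw new SecurityProviderCreationException("Unable to locate initial admin '" + str + "' to seed policies");
        }
        for (final ResourceAndAction resourceAndAction : InitialPolicies.ADMIN_POLICIES) {
            populateInitialPolicy(initialAdmin, resourceAndAction);
        }
    }

    /**
     * Grants every entry of {@link InitialPolicies#NIFI_POLICIES} to each of the given identities.
     *
     * @param set identities of the NiFi instances to seed
     * @throws SecurityProviderCreationException if the user group provider does not know one of the identities
     */
    private void populateNiFiIdentities(Set<String> set) {
        for (final String nifiIdentity : set) {
            final User nifiUser = getUserGroupProvider().getUserByIdentity(nifiIdentity);
            if (nifiUser == null) {
                throw new SecurityProviderCreationException("Unable to locate NiFi identity '" + nifiIdentity + "' to seed policies.");
            }
            for (final ResourceAndAction resourceAndAction : InitialPolicies.NIFI_POLICIES) {
                populateInitialPolicy(nifiUser, resourceAndAction);
            }
        }
    }

    /**
     * Grants every entry of {@link InitialPolicies#NIFI_POLICIES} to the named group.
     *
     * @param str name of the group, resolved through {@link AccessPolicyProviderUtils#getGroup}
     */
    private void populateNiFiGroup(String str) {
        // NOTE(review): unlike the user paths there is no null check here; presumably getGroup
        // throws when the group is unknown - confirm against AccessPolicyProviderUtils.
        final Group nifiGroup = AccessPolicyProviderUtils.getGroup(str, getUserGroupProvider());
        for (final ResourceAndAction resourceAndAction : InitialPolicies.NIFI_POLICIES) {
            populateInitialPolicy(nifiGroup, resourceAndAction);
        }
    }

    /** No-op: this class releases nothing on shutdown. */
    public void preDestruction() throws SecurityProviderDestructionException {
    }

    /**
     * Not supported by this provider.
     *
     * @throws UnsupportedOperationException always
     */
    public String getFingerprint() throws AuthorizationAccessException {
        throw new UnsupportedOperationException("Fingerprinting is not supported by this provider");
    }

    /**
     * Not supported by this provider.
     *
     * @param str ignored
     * @throws UnsupportedOperationException always
     */
    public void inheritFingerprint(String str) throws AuthorizationAccessException {
        throw new UnsupportedOperationException("Fingerprinting is not supported by this provider");
    }

    /**
     * Not supported by this provider.
     *
     * @param str ignored
     * @throws UnsupportedOperationException always
     */
    public void checkInheritability(String str) throws AuthorizationAccessException, UninheritableAuthorizationsException {
        throw new UnsupportedOperationException("Fingerprinting is not supported by this provider");
    }

    /**
     * Inserts the policy row and then one membership row per user and group of the policy.
     *
     * @param accessPolicy policy to store; must not be null
     * @return the same policy instance
     */
    public AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
        Validate.notNull(accessPolicy);
        this.jdbcTemplate.update("INSERT INTO APP_POLICY(IDENTIFIER, RESOURCE, ACTION) VALUES (?, ?, ?)",
                accessPolicy.getIdentifier(), accessPolicy.getResource(), accessPolicy.getAction().toString());
        createPolicyUserAndGroups(accessPolicy);
        return accessPolicy;
    }

    /**
     * Replaces the user and group membership of an existing policy. Resource and action of the stored row
     * are not touched.
     *
     * @param accessPolicy policy carrying the new membership; must not be null
     * @return the same policy instance, or {@code null} when no policy with that identifier is stored
     */
    public AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
        Validate.notNull(accessPolicy);
        if (getDatabaseAcessPolicy(accessPolicy.getIdentifier()) == null) {
            return null;
        }
        // NOTE(review): membership is cleared and re-inserted in separate statements and no transaction
        // boundary is visible in this class. If none is applied by the caller, a failure between the
        // deletes and the inserts leaves the policy with no members (access denied until repaired) - confirm.
        this.jdbcTemplate.update("DELETE FROM APP_POLICY_USER WHERE POLICY_IDENTIFIER = ?", accessPolicy.getIdentifier());
        this.jdbcTemplate.update("DELETE FROM APP_POLICY_GROUP WHERE POLICY_IDENTIFIER = ?", accessPolicy.getIdentifier());
        createPolicyUserAndGroups(accessPolicy);
        return accessPolicy;
    }

    /**
     * Loads all policies with their members using three table scans, joined in memory by policy identifier.
     *
     * @return every stored policy; empty when the policy table is empty
     */
    public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
        final List<DatabaseAccessPolicy> storedPolicies = this.jdbcTemplate.query("SELECT * FROM APP_POLICY", new DatabaseAccessPolicyRowMapper());

        // The row callbacks keep a block body on purpose: an expression lambda would also match
        // JdbcTemplate's ResultSetExtractor overload and make the call ambiguous.
        final HashMap<String, Set<String>> usersByPolicy = new HashMap<>();
        this.jdbcTemplate.query("SELECT * FROM APP_POLICY_USER", rs -> {
            final String policyIdentifier = rs.getString("POLICY_IDENTIFIER");
            usersByPolicy.computeIfAbsent(policyIdentifier, key -> new HashSet<>()).add(rs.getString("USER_IDENTIFIER"));
        });

        final HashMap<String, Set<String>> groupsByPolicy = new HashMap<>();
        this.jdbcTemplate.query("SELECT * FROM APP_POLICY_GROUP", rs -> {
            final String policyIdentifier = rs.getString("POLICY_IDENTIFIER");
            groupsByPolicy.computeIfAbsent(policyIdentifier, key -> new HashSet<>()).add(rs.getString("GROUP_IDENTIFIER"));
        });

        final Set<AccessPolicy> result = new HashSet<>();
        for (final DatabaseAccessPolicy storedPolicy : storedPolicies) {
            final String policyIdentifier = storedPolicy.getIdentifier();
            // A policy without members has no map entry, so null is handed on as before.
            // NOTE(review): presumably the builder's addUsers/addGroups tolerate null - confirm.
            result.add(mapTopAccessPolicy(storedPolicy, usersByPolicy.get(policyIdentifier), groupsByPolicy.get(policyIdentifier)));
        }
        return result;
    }

    /**
     * Looks a policy up by its identifier.
     *
     * @param str policy identifier; must not be blank
     * @return the policy with its members, or {@code null} when it does not exist
     */
    public AccessPolicy getAccessPolicy(String str) throws AuthorizationAccessException {
        Validate.notBlank(str);
        final DatabaseAccessPolicy storedPolicy = getDatabaseAcessPolicy(str);
        if (storedPolicy == null) {
            return null;
        }
        return mapTopAccessPolicy(storedPolicy, getPolicyUsers(str), getPolicyGroups(str));
    }

    /**
     * Looks a policy up by resource and action.
     *
     * @param str resource identifier; must not be blank
     * @param requestAction action of the policy; must not be null
     * @return the policy with its members, or {@code null} when no row matches
     */
    public AccessPolicy getAccessPolicy(String str, RequestAction requestAction) throws AuthorizationAccessException {
        Validate.notBlank(str);
        Validate.notNull(requestAction);
        final DatabaseAccessPolicy storedPolicy = queryForObject(
                "SELECT * FROM APP_POLICY WHERE RESOURCE = ? AND ACTION = ?",
                new Object[]{str, requestAction.toString()},
                new DatabaseAccessPolicyRowMapper());
        if (storedPolicy == null) {
            return null;
        }
        final String policyIdentifier = storedPolicy.getIdentifier();
        return mapTopAccessPolicy(storedPolicy, getPolicyUsers(policyIdentifier), getPolicyGroups(policyIdentifier));
    }

    /**
     * Deletes the policy row with the identifier of the given policy.
     *
     * @param accessPolicy policy to delete; must not be null
     * @return the same policy instance, or {@code null} when no row was deleted
     */
    public AccessPolicy deleteAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
        Validate.notNull(accessPolicy);
        // NOTE(review): only APP_POLICY is deleted here; presumably the membership tables are cleaned up
        // by a cascading foreign key - verify against the schema, otherwise stale grants remain stored.
        final int deletedRows = this.jdbcTemplate.update("DELETE FROM APP_POLICY WHERE IDENTIFIER = ?", accessPolicy.getIdentifier());
        return deletedRows > 0 ? accessPolicy : null;
    }

    /**
     * Inserts one membership row for each user and each group of the policy. A null user or group
     * collection is skipped.
     *
     * @param accessPolicy policy whose members are written
     */
    protected void createPolicyUserAndGroups(AccessPolicy accessPolicy) {
        if (accessPolicy.getUsers() != null) {
            for (final String userIdentifier : accessPolicy.getUsers()) {
                insertPolicyUser(accessPolicy.getIdentifier(), userIdentifier);
            }
        }
        if (accessPolicy.getGroups() != null) {
            for (final String groupIdentifier : accessPolicy.getGroups()) {
                insertPolicyGroup(accessPolicy.getIdentifier(), groupIdentifier);
            }
        }
    }

    /**
     * Adds a group to a policy.
     *
     * @param str policy identifier
     * @param str2 group identifier
     */
    protected void insertPolicyGroup(String str, String str2) {
        this.jdbcTemplate.update("INSERT INTO APP_POLICY_GROUP(POLICY_IDENTIFIER, GROUP_IDENTIFIER) VALUES (?, ?)", str, str2);
    }

    /**
     * Adds a user to a policy.
     *
     * @param str policy identifier
     * @param str2 user identifier
     */
    protected void insertPolicyUser(String str, String str2) {
        this.jdbcTemplate.update("INSERT INTO APP_POLICY_USER(POLICY_IDENTIFIER, USER_IDENTIFIER) VALUES (?, ?)", str, str2);
    }

    /**
     * Reads the bare policy row (no members) for an identifier.
     *
     * @param str policy identifier
     * @return the stored row, or {@code null} when it does not exist
     */
    protected DatabaseAccessPolicy getDatabaseAcessPolicy(String str) {
        return queryForObject("SELECT * FROM APP_POLICY WHERE IDENTIFIER = ?", new Object[]{str}, new DatabaseAccessPolicyRowMapper());
    }

    /**
     * Reads the user identifiers attached to a policy.
     *
     * @param str policy identifier
     * @return the user identifiers; empty when the policy has no users
     */
    protected Set<String> getPolicyUsers(String str) {
        final Set<String> userIdentifiers = new HashSet<>();
        this.jdbcTemplate.query("SELECT * FROM APP_POLICY_USER WHERE POLICY_IDENTIFIER = ?", new Object[]{str}, rs -> {
            userIdentifiers.add(rs.getString("USER_IDENTIFIER"));
        });
        return userIdentifiers;
    }

    /**
     * Reads the group identifiers attached to a policy.
     *
     * @param str policy identifier
     * @return the group identifiers; empty when the policy has no groups
     */
    protected Set<String> getPolicyGroups(String str) {
        final Set<String> groupIdentifiers = new HashSet<>();
        this.jdbcTemplate.query("SELECT * FROM APP_POLICY_GROUP WHERE POLICY_IDENTIFIER = ?", new Object[]{str}, rs -> {
            groupIdentifiers.add(rs.getString("GROUP_IDENTIFIER"));
        });
        return groupIdentifiers;
    }

    /**
     * Builds the API-level policy from a stored row and its members.
     *
     * @param databaseAccessPolicy stored policy row
     * @param set user identifiers of the policy
     * @param set2 group identifiers of the policy
     * @return the assembled policy
     */
    protected AccessPolicy mapTopAccessPolicy(DatabaseAccessPolicy databaseAccessPolicy, Set<String> set, Set<String> set2) {
        return new AccessPolicy.Builder()
                .identifier(databaseAccessPolicy.getIdentifier())
                .resource(databaseAccessPolicy.getResource())
                .action(RequestAction.valueOfValue(databaseAccessPolicy.getAction()))
                .addUsers(set)
                .addGroups(set2)
                .build();
    }

    /**
     * Makes sure the user is a member of the policy for the given resource and action, creating the policy
     * with a random identifier when none exists yet. A user that is already a member is left unchanged.
     *
     * @param user user to grant the policy to
     * @param resourceAndAction resource and action identifying the policy
     */
    protected void populateInitialPolicy(User user, ResourceAndAction resourceAndAction) {
        final String userIdentifier = user.getIdentifier();
        final String resourceIdentifier = resourceAndAction.getResource().getIdentifier();
        final RequestAction action = resourceAndAction.getAction();

        final AccessPolicy existingPolicy = getAccessPolicy(resourceIdentifier, action);
        if (existingPolicy == null) {
            addAccessPolicy(new AccessPolicy.Builder()
                    .identifierGenerateRandom()
                    .resource(resourceIdentifier)
                    .action(action)
                    .addUser(userIdentifier)
                    .build());
        } else if (existingPolicy.getUsers().contains(userIdentifier)) {
            LOGGER.debug("'{}' is already part of the policy for {} {}", user.getIdentity(), action, resourceIdentifier);
        } else {
            LOGGER.debug("Adding '{}' to the policy for {} {}", user.getIdentity(), action, resourceIdentifier);
            insertPolicyUser(existingPolicy.getIdentifier(), userIdentifier);
        }
    }

    /**
     * Makes sure the group is a member of the policy for the given resource and action, creating the policy
     * with a random identifier when none exists yet. A group that is already a member is left unchanged.
     *
     * @param group group to grant the policy to
     * @param resourceAndAction resource and action identifying the policy
     */
    protected void populateInitialPolicy(Group group, ResourceAndAction resourceAndAction) {
        final String groupIdentifier = group.getIdentifier();
        final String resourceIdentifier = resourceAndAction.getResource().getIdentifier();
        final RequestAction action = resourceAndAction.getAction();

        final AccessPolicy existingPolicy = getAccessPolicy(resourceIdentifier, action);
        if (existingPolicy == null) {
            addAccessPolicy(new AccessPolicy.Builder()
                    .identifierGenerateRandom()
                    .resource(resourceIdentifier)
                    .action(action)
                    .addGroup(groupIdentifier)
                    .build());
        } else if (existingPolicy.getGroups().contains(groupIdentifier)) {
            // Seeding runs on every configuration. Without this check a second run would insert the same
            // membership row again: a duplicate grant, or a failed startup if the table enforces uniqueness.
            LOGGER.debug("Group '{}' is already part of the policy for {} {}", groupIdentifier, action, resourceIdentifier);
        } else {
            LOGGER.debug("Adding group '{}' to the policy for {} {}", groupIdentifier, action, resourceIdentifier);
            insertPolicyGroup(existingPolicy.getIdentifier(), groupIdentifier);
        }
    }

    /**
     * Runs a single-row query and maps an empty result to {@code null} instead of an exception.
     *
     * @param str SQL text with {@code ?} placeholders
     * @param objArr values bound to the placeholders
     * @param rowMapper mapper for the result row
     * @param <T> mapped row type
     * @return the mapped row, or {@code null} when the query returned no row
     */
    protected <T> T queryForObject(String str, Object[] objArr, RowMapper<T> rowMapper) {
        try {
            return this.jdbcTemplate.queryForObject(str, objArr, rowMapper);
        } catch (EmptyResultDataAccessException ignored) {
            // "No row" is an expected outcome for lookups; callers test for null.
            return null;
        }
    }
}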
