package org.apache.nifi.registry.security.authorization;

import java.util.Objects;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.registry.exception.ResourceNotFoundException;
import org.apache.nifi.registry.security.authorization.resource.Authorizable;
import org.apache.nifi.registry.security.authorization.resource.InheritingAuthorizable;
import org.apache.nifi.registry.security.authorization.resource.ProxyChainAuthorizable;
import org.apache.nifi.registry.security.authorization.resource.PublicCheckingAuthorizable;
import org.apache.nifi.registry.security.authorization.resource.ResourceFactory;
import org.apache.nifi.registry.security.authorization.resource.ResourceType;
import org.apache.nifi.registry.service.RegistryService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-1.15.2.jar:org/apache/nifi/registry/security/authorization/StandardAuthorizableLookup.class */
public class StandardAuthorizableLookup implements AuthorizableLookup {
    private static final Logger logger = LoggerFactory.getLogger(StandardAuthorizableLookup.class);
    private static final Authorizable TENANTS_AUTHORIZABLE = new Authorizable() { // from class: org.apache.nifi.registry.security.authorization.StandardAuthorizableLookup.1
        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Authorizable getParentAuthorizable() {
            return null;
        }

        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Resource getResource() {
            return ResourceFactory.getTenantsResource();
        }
    };
    private static final Authorizable POLICIES_AUTHORIZABLE = new Authorizable() { // from class: org.apache.nifi.registry.security.authorization.StandardAuthorizableLookup.2
        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Authorizable getParentAuthorizable() {
            return null;
        }

        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Resource getResource() {
            return ResourceFactory.getPoliciesResource();
        }
    };
    private static final Authorizable BUCKETS_AUTHORIZABLE = new Authorizable() { // from class: org.apache.nifi.registry.security.authorization.StandardAuthorizableLookup.3
        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Authorizable getParentAuthorizable() {
            return null;
        }

        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Resource getResource() {
            return ResourceFactory.getBucketsResource();
        }
    };
    private static final Authorizable PROXY_AUTHORIZABLE = new Authorizable() { // from class: org.apache.nifi.registry.security.authorization.StandardAuthorizableLookup.4
        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Authorizable getParentAuthorizable() {
            return null;
        }

        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Resource getResource() {
            return ResourceFactory.getProxyResource();
        }
    };
    private static final Authorizable ACTUATOR_AUTHORIZABLE = new Authorizable() { // from class: org.apache.nifi.registry.security.authorization.StandardAuthorizableLookup.5
        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Authorizable getParentAuthorizable() {
            return null;
        }

        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Resource getResource() {
            return ResourceFactory.getActuatorResource();
        }
    };
    private static final Authorizable SWAGGER_AUTHORIZABLE = new Authorizable() { // from class: org.apache.nifi.registry.security.authorization.StandardAuthorizableLookup.6
        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Authorizable getParentAuthorizable() {
            return null;
        }

        @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
        public Resource getResource() {
            return ResourceFactory.getSwaggerResource();
        }
    };
    private final RegistryService registryService;

    @Autowired
    public StandardAuthorizableLookup(RegistryService registryService) {
        this.registryService = (RegistryService) Objects.requireNonNull(registryService);
    }

    @Override // org.apache.nifi.registry.security.authorization.AuthorizableLookup
    public Authorizable getActuatorAuthorizable() {
        return new ProxyChainAuthorizable(ACTUATOR_AUTHORIZABLE, PROXY_AUTHORIZABLE, this::isPublicAccessAllowed);
    }

    @Override // org.apache.nifi.registry.security.authorization.AuthorizableLookup
    public Authorizable getSwaggerAuthorizable() {
        return new ProxyChainAuthorizable(SWAGGER_AUTHORIZABLE, PROXY_AUTHORIZABLE, this::isPublicAccessAllowed);
    }

    @Override // org.apache.nifi.registry.security.authorization.AuthorizableLookup
    public Authorizable getProxyAuthorizable() {
        return PROXY_AUTHORIZABLE;
    }

    @Override // org.apache.nifi.registry.security.authorization.AuthorizableLookup
    public Authorizable getTenantsAuthorizable() {
        return new ProxyChainAuthorizable(TENANTS_AUTHORIZABLE, PROXY_AUTHORIZABLE, this::isPublicAccessAllowed);
    }

    @Override // org.apache.nifi.registry.security.authorization.AuthorizableLookup
    public Authorizable getPoliciesAuthorizable() {
        return new ProxyChainAuthorizable(POLICIES_AUTHORIZABLE, PROXY_AUTHORIZABLE, this::isPublicAccessAllowed);
    }

    @Override // org.apache.nifi.registry.security.authorization.AuthorizableLookup
    public Authorizable getBucketsAuthorizable() {
        return new ProxyChainAuthorizable(BUCKETS_AUTHORIZABLE, PROXY_AUTHORIZABLE, this::isPublicAccessAllowed);
    }

    @Override // org.apache.nifi.registry.security.authorization.AuthorizableLookup
    public Authorizable getBucketAuthorizable(final String str) {
        return new ProxyChainAuthorizable(new PublicCheckingAuthorizable(new InheritingAuthorizable() { // from class: org.apache.nifi.registry.security.authorization.StandardAuthorizableLookup.7
            @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
            public Authorizable getParentAuthorizable() {
                return StandardAuthorizableLookup.BUCKETS_AUTHORIZABLE;
            }

            @Override // org.apache.nifi.registry.security.authorization.resource.Authorizable
            public Resource getResource() {
                return ResourceFactory.getBucketResource(str, "Bucket with ID " + str);
            }
        }, this::isPublicAccessAllowed), PROXY_AUTHORIZABLE, this::isPublicAccessAllowed);
    }

    @Override // org.apache.nifi.registry.security.authorization.AuthorizableLookup
    public Authorizable getAuthorizableByResource(String str) {
        ResourceType mapFullResourcePathToResourceType = ResourceType.mapFullResourcePathToResourceType(str);
        if (mapFullResourcePathToResourceType == null) {
            throw new ResourceNotFoundException("Unrecognized resource: " + str);
        }
        return getAuthorizableByResource(mapFullResourcePathToResourceType, str);
    }

    private Authorizable getAuthorizableByResource(ResourceType resourceType, String str) {
        Authorizable authorizable = null;
        switch (resourceType) {
            case Policy:
                authorizable = getPoliciesAuthorizable();
                break;
            case Tenant:
                authorizable = getTenantsAuthorizable();
                break;
            case Proxy:
                authorizable = getProxyAuthorizable();
                break;
            case Actuator:
                authorizable = getActuatorAuthorizable();
                break;
            case Swagger:
                authorizable = getSwaggerAuthorizable();
                break;
            case Bucket:
                String substringAfter = StringUtils.substringAfter(str, resourceType.getValue());
                if (!substringAfter.startsWith("/")) {
                    authorizable = getBucketsAuthorizable();
                    break;
                } else {
                    authorizable = getAuthorizableByChildResource(resourceType, substringAfter);
                    break;
                }
        }
        if (authorizable != null) {
            return authorizable;
        }
        logger.debug("Could not determine the Authorizable for resource type='{}', path='{}', ", resourceType.getValue(), str);
        throw new IllegalArgumentException("This an unexpected type of authorizable resource: " + resourceType.getValue());
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:2:0x0008. Please report as an issue. */
    private Authorizable getAuthorizableByChildResource(ResourceType resourceType, String str) {
        switch (resourceType) {
            case Bucket:
                String[] split = str.split("/");
                if (split.length >= 1) {
                    return getBucketAuthorizable(split[1]);
                }
            default:
                throw new IllegalArgumentException("Unexpected lookup for child resource authorizable for base resource type " + resourceType.getValue());
        }
    }

    private boolean isPublicAccessAllowed(Resource resource, RequestAction requestAction) {
        String identifier;
        int lastIndexOf;
        if (resource == null || requestAction == null || requestAction != RequestAction.READ || (identifier = resource.getIdentifier()) == null || !identifier.startsWith(ResourceType.Bucket.getValue() + "/") || (lastIndexOf = identifier.lastIndexOf("/")) < 0 || lastIndexOf >= identifier.length() - 1) {
            return false;
        }
        String substring = identifier.substring(lastIndexOf + 1);
        try {
            return this.registryService.getBucket(substring).isAllowPublicRead().booleanValue();
        } catch (ResourceNotFoundException e) {
            logger.debug("Cannot determine public access, bucket not found with id [{}]", new Object[]{substring});
            return false;
        } catch (Exception e2) {
            logger.error("Error checking public access to bucket with id [{}]", new Object[]{substring}, e2);
            return false;
        }
    }
}
