package org.apache.hadoop.ozone.om.request.s3.security;

import com.google.common.base.Optional;
import java.io.IOException;
import org.apache.hadoop.ipc.ProtobufRpcEngine;
import org.apache.hadoop.ozone.om.OMMultiTenantManager;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.logging.log4j.util.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/ozone/om/request/s3/security/S3SecretRequestHelper.class */
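/**
 * Static helpers shared by the S3 secret requests: resolving the identity of the caller and
 * deciding whether that caller may operate on the secret of a given access ID.
 *
 * <p>Security note: these methods are the authorization gate for S3 secret operations in this
 * file. {@link #checkAccessIdSecretOpPermission} only throws on denial, so a caller that skips
 * it, or ignores its exception, performs the operation unchecked.
 */
public final class S3SecretRequestHelper {
    private static final Logger LOG = LoggerFactory.getLogger(S3SecretRequestHelper.class);

    /** Not instantiable: the class only holds static helpers. */
    private S3SecretRequestHelper() {
    }

    /**
     * Returns the user of the current RPC call, or builds one from {@code str} when no RPC user
     * is available.
     *
     * <p>The fallback identity is created directly from {@code str} and labelled with the
     * KERBEROS authentication method; no verification of that name happens in this method.
     * NOTE(review): callers should pass only a name that was authenticated earlier in the
     * request path, never a value taken unchecked from the request body. Confirm at call sites.
     *
     * @param str user name used for the fallback identity; may be null or empty
     * @return the RPC remote user if present; otherwise a remote user built from {@code str};
     *     {@code null} when there is no RPC user and {@code str} is null or empty
     */
    public static UserGroupInformation getOrCreateUgi(String str) {
        final UserGroupInformation rpcCaller = ProtobufRpcEngine.Server.getRemoteUser();
        if (rpcCaller != null) {
            return rpcCaller;
        }
        if (Strings.isNotEmpty(str)) {
            return UserGroupInformation.createRemoteUser(str, SaslRpcServer.AuthMethod.KERBEROS);
        }
        return null;
    }

    /**
     * Verifies that the caller may operate on the secret of the access ID {@code str}.
     *
     * <p>Rules, as implemented below:
     * <ol>
     *   <li>If S3 multi-tenancy is enabled and the access ID is assigned to a tenant, the
     *       caller's short user name must equal the user mapped to the access ID, or
     *       {@code isTenantAdmin} must accept the caller for that tenant.</li>
     *   <li>Otherwise (multi-tenancy disabled, or access ID not assigned to a tenant), the
     *       caller's full user name must equal the access ID, or the caller must be an S3
     *       admin.</li>
     * </ol>
     *
     * <p>Rule 1 compares the short user name while rule 2 compares the full user name; keep
     * that difference in mind when reasoning about Kerberos principals with a realm or host
     * part.
     *
     * @param ozoneManager the OM instance used for configuration and admin lookups
     * @param userGroupInformation the caller; {@link #getOrCreateUgi} can return {@code null},
     *     which is rejected here
     * @param str the access ID whose secret is being operated on
     * @throws OMException with {@code PERMISSION_DENIED} if the caller identity is unknown, or
     *     with {@code USER_MISMATCH} if the caller is neither the owner nor an administrator
     * @throws IOException declared by this method's signature
     */
    public static void checkAccessIdSecretOpPermission(OzoneManager ozoneManager, UserGroupInformation userGroupInformation, String str) throws IOException {
        final String accessId = str;

        // Fail closed: without a caller identity there is nothing to authorize. Previously this
        // case surfaced as a NullPointerException further down instead of a clean denial.
        if (userGroupInformation == null) {
            throw new OMException("Unable to determine the caller identity for the operation on accessId '" + accessId + "'", OMException.ResultCodes.PERMISSION_DENIED);
        }

        // True once the access ID is found to belong to a tenant; the legacy check is then skipped.
        boolean assignedToTenant = false;
        if (ozoneManager.isS3MultiTenancyEnabled()) {
            final OMMultiTenantManager tenantManager = ozoneManager.getMultiTenantManager();
            final Optional<String> tenant = tenantManager.getTenantForAccessID(accessId);
            assignedToTenant = tenant.isPresent();
            if (assignedToTenant) {
                final String accessIdOwner = tenantManager.getUserNameGivenAccessId(accessId);
                final String tenantId = tenant.get();
                final String callerShortName = userGroupInformation.getShortUserName();
                final boolean callerOwnsAccessId = callerShortName.equals(accessIdOwner);
                // NOTE(review): the meaning of the trailing 'false' argument is not visible in
                // this file. The error text below suggests isTenantAdmin also accepts Ozone
                // administrators; confirm against OMMultiTenantManager.
                if (!callerOwnsAccessId && !tenantManager.isTenantAdmin(userGroupInformation, tenantId, false)) {
                    throw new OMException("Requested accessId '" + accessId + "' doesn't belong to current user '" + callerShortName + "', nor does current user have Ozone or tenant administrator privilege", OMException.ResultCodes.USER_MISMATCH);
                }
            } else {
                LOG.debug("S3 Multi-Tenancy is enabled, but the requested accessId '{}' is not assigned to a tenant. Falling back to the old permission check", accessId);
            }
        }

        // Legacy check: the access ID itself must be the caller's user name, unless the caller
        // is an S3 admin.
        final String callerName = userGroupInformation.getUserName();
        if (!assignedToTenant && !callerName.equals(accessId) && !ozoneManager.isS3Admin(userGroupInformation)) {
            throw new OMException("Requested accessId '" + accessId + "' doesn't match current user '" + callerName + "', nor does current user has administrator privilege.", OMException.ResultCodes.USER_MISMATCH);
        }
    }
}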
