package org.apache.hadoop.ozone.s3.endpoint;

import java.util.ArrayList;
import java.util.BitSet;
import java.util.List;
import org.apache.hadoop.ozone.OzoneAcl;
import org.apache.hadoop.ozone.s3.endpoint.S3BucketAcl;
import org.apache.hadoop.ozone.s3.exception.OS3Exception;
import org.apache.hadoop.ozone.s3.exception.S3ErrorTable;
import org.apache.hadoop.ozone.s3.util.S3Consts;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/ozone/s3/endpoint/S3Acl.class */
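/**
 * Translates between S3-style ACL grants and Ozone native ACLs.
 *
 * <p>The mapping is lossy in both directions, which matters when the S3 view is
 * used to reason about who can do what:
 * <ul>
 *   <li>Only Ozone ACLs of identity type USER are rendered as S3 grants; every
 *       other identity type yields an empty list and is invisible through the
 *       S3 ACL view.</li>
 *   <li>An Ozone ACL is rendered as at most one S3 permission (the first match
 *       in a fixed precedence order), so the S3 view can under-report the
 *       rights an entry actually carries.</li>
 *   <li>Only grantees of type "CanonicalUser" are accepted when converting S3
 *       grants to Ozone ACLs; all other grantee types are rejected.</li>
 * </ul>
 */
public final class S3Acl {
    private static final Logger LOG = LoggerFactory.getLogger(S3Acl.class);

    // Request header names that carry explicit grants or a canned ACL.
    public static final String GRANT_READ = "x-amz-grant-read";
    public static final String GRANT_WRITE = "x-amz-grant-write";
    public static final String GRANT_READ_CAP = "x-amz-grant-read-acp";
    public static final String GRANT_WRITE_CAP = "x-amz-grant-write-acp";
    public static final String GRANT_FULL_CONTROL = "x-amz-grant-full-control";
    public static final String CANNED_ACL_HEADER = "x-amz-acl";

    /**
     * Kinds of S3 grantee, with the name used in the ACL document
     * ({@code granteeType}), the key used in grant headers
     * ({@code granteeInHeader}) and whether this gateway accepts it.
     * Only {@link #USER} is marked as supported.
     */
    enum ACLIdentityType {
        USER("CanonicalUser", true, "id"),
        // NOTE(review): the header key for groups is expressed through
        // S3Consts.ENCODING_TYPE. This looks like a decompiler artefact (an
        // inlined string literal matched to an unrelated constant of equal
        // value) - confirm against the upstream source before relying on it.
        GROUP("Group", false, S3Consts.ENCODING_TYPE),
        USER_BY_EMAIL("AmazonCustomerByEmail", false, "emailAddress");

        private final String granteeType;
        private final boolean supported;
        private final String granteeInHeader;

        ACLIdentityType(String granteeType, boolean supported, String granteeInHeader) {
            this.granteeType = granteeType;
            this.supported = supported;
            this.granteeInHeader = granteeInHeader;
        }

        /** @return the grantee type name as it appears in an ACL document. */
        public String getGranteeType() {
            return this.granteeType;
        }

        /** @return the key that identifies this grantee kind in a grant header. */
        public String getHeaderType() {
            return this.granteeInHeader;
        }

        /**
         * @return {@code true} if grants for this grantee kind are accepted.
         */
        // The decompiler reports that this method was package-private in the
        // original class and widened it to public.
        public boolean isSupported() {
            return this.supported;
        }

        /**
         * Looks up a grantee kind by its ACL-document type name.
         *
         * @param str type name to look up; {@code null} matches nothing
         * @return the matching constant, or {@code null} if none matches
         */
        public static ACLIdentityType getTypeFromGranteeType(String str) {
            for (ACLIdentityType candidate : values()) {
                if (candidate.getGranteeType().equals(str)) {
                    return candidate;
                }
            }
            return null;
        }

        /**
         * Looks up a grantee kind by its grant-header key.
         *
         * @param str header key to look up; {@code null} matches nothing
         * @return the matching constant, or {@code null} if none matches
         */
        public static ACLIdentityType getTypeFromHeaderType(String str) {
            for (ACLIdentityType candidate : values()) {
                if (candidate.getHeaderType().equals(str)) {
                    return candidate;
                }
            }
            return null;
        }
    }

    /**
     * S3 permission names. Each constant's value equals its name.
     */
    // The decompiler reports that this enum was package-private in the
    // original class and widened it to public.
    public enum ACLType {
        READ("READ"),
        WRITE("WRITE"),
        READ_ACP("READ_ACP"),
        WRITE_ACP("WRITE_ACP"),
        FULL_CONTROL("FULL_CONTROL");

        private final String value;

        ACLType(String value) {
            this.value = value;
        }

        /** @return the permission name as written in S3 requests and responses. */
        public String getValue() {
            return this.value;
        }

        /**
         * Looks up a permission by its exact (case-sensitive) S3 name.
         *
         * @param str permission name; {@code null} matches nothing
         * @return the matching constant, or {@code null} if none matches
         */
        public static ACLType getType(String str) {
            for (ACLType candidate : values()) {
                if (candidate.getValue().equals(str)) {
                    return candidate;
                }
            }
            return null;
        }
    }

    private S3Acl() {
    }

    /**
     * @param str grantee type name from an ACL document
     * @return {@code true} only if the name is known and marked supported
     */
    public static boolean isGranteeTypeSupported(String str) {
        ACLIdentityType identityType = ACLIdentityType.getTypeFromGranteeType(str);
        return identityType != null && identityType.isSupported();
    }

    /**
     * @param str grantee key from a grant header
     * @return {@code true} only if the key is known and marked supported
     */
    public static boolean isHeaderTypeSupported(String str) {
        ACLIdentityType identityType = ACLIdentityType.getTypeFromHeaderType(str);
        return identityType != null && identityType.isSupported();
    }

    /**
     * Renders one Ozone ACL as S3 grants.
     *
     * <p>The result holds at most one grant. ACLs whose identity type is not
     * USER produce an empty list, as do USER ACLs whose rights match none of
     * the S3 permissions (the latter case is logged). Because only the first
     * matching permission is reported, the result is a summary and not a
     * complete statement of the entry's rights.
     *
     * @param ozoneAcl the Ozone ACL to render; must not be {@code null}
     * @return a new mutable list with zero or one grant
     */
    public static List<S3BucketAcl.Grant> ozoneNativeAclToS3Acl(OzoneAcl ozoneAcl) {
        List<S3BucketAcl.Grant> grants = new ArrayList<>();
        if (ozoneAcl.getType() != IAccessAuthorizer.ACLIdentityType.USER) {
            // Non-user entries have no S3 representation here and are omitted.
            return grants;
        }
        S3BucketAcl.Grantee grantee = new S3BucketAcl.Grantee();
        grantee.setDisplayName(ozoneAcl.getName());
        grantee.setId(ozoneAcl.getName());

        ACLType permission = toS3Permission(ozoneAcl.getAclList());
        if (permission == null) {
            LOG.error("Cannot find a good mapping for Ozone ACL {} to S3", ozoneAcl.toString());
            return grants;
        }
        S3BucketAcl.Grant grant = new S3BucketAcl.Grant();
        grant.setGrantee(grantee);
        grant.setPermission(permission.toString());
        grants.add(grant);
        return grants;
    }

    /**
     * Picks the single S3 permission that represents a set of Ozone rights.
     * Precedence is ALL, WRITE_ACL, READ_ACL, then WRITE+DELETE+CREATE, then
     * READ+LIST; the first match wins and any further rights are not reported.
     *
     * @return the chosen permission, or {@code null} if nothing matches
     */
    private static ACLType toS3Permission(List<IAccessAuthorizer.ACLType> rights) {
        if (rights.contains(IAccessAuthorizer.ACLType.ALL)) {
            return ACLType.FULL_CONTROL;
        }
        if (rights.contains(IAccessAuthorizer.ACLType.WRITE_ACL)) {
            return ACLType.WRITE_ACP;
        }
        if (rights.contains(IAccessAuthorizer.ACLType.READ_ACL)) {
            return ACLType.READ_ACP;
        }
        if (rights.contains(IAccessAuthorizer.ACLType.WRITE)
                && rights.contains(IAccessAuthorizer.ACLType.DELETE)
                && rights.contains(IAccessAuthorizer.ACLType.CREATE)) {
            return ACLType.WRITE;
        }
        if (rights.contains(IAccessAuthorizer.ACLType.READ)
                && rights.contains(IAccessAuthorizer.ACLType.LIST)) {
            return ACLType.READ;
        }
        return null;
    }

    /**
     * Returns the grantee of a grant after checking that it is present and of
     * a supported type.
     *
     * @throws OS3Exception INVALID_ARGUMENT if the grant has no grantee,
     *         NOT_IMPLEMENTED if the grantee type is unknown or unsupported
     */
    private static S3BucketAcl.Grantee requireSupportedGrantee(S3BucketAcl.Grant grant) throws OS3Exception {
        S3BucketAcl.Grantee grantee = grant.getGrantee();
        if (grantee == null) {
            // Presumably reachable when a request body omits the grantee
            // element; reject it as a client error instead of failing with a
            // NullPointerException further down.
            LOG.error("Grant does not carry a grantee");
            throw S3ErrorTable.newError(S3ErrorTable.INVALID_ARGUMENT, "Grantee");
        }
        // xsiType comes from the request and is logged and echoed as received.
        String xsiType = grantee.getXsiType();
        ACLIdentityType identityType = ACLIdentityType.getTypeFromGranteeType(xsiType);
        if (identityType == null || !identityType.isSupported()) {
            LOG.error("Grantee type {} is not supported", xsiType);
            throw S3ErrorTable.newError(S3ErrorTable.NOT_IMPLEMENTED, xsiType);
        }
        return grantee;
    }

    /**
     * Converts the grants of an S3 ACL into Ozone ACLs for a bucket.
     *
     * <p>Every grant produces two USER entries with the same rights, one in
     * DEFAULT scope followed by one in ACCESS scope. The whole conversion
     * fails on the first invalid grant; no partial result is returned.
     *
     * @param s3BucketAcl the S3 ACL to convert
     * @return a new mutable list with two entries per grant
     * @throws OS3Exception INVALID_ARGUMENT for a missing grantee or an unknown
     *         permission, NOT_IMPLEMENTED for an unsupported grantee type
     */
    public static List<OzoneAcl> s3AclToOzoneNativeAclOnBucket(S3BucketAcl s3BucketAcl) throws OS3Exception {
        List<OzoneAcl> ozoneAcls = new ArrayList<>();
        for (S3BucketAcl.Grant grant : s3BucketAcl.getAclList().getGrantList()) {
            S3BucketAcl.Grantee grantee = requireSupportedGrantee(grant);
            BitSet rights = getOzoneAclOnBucketFromS3Permission(grant.getPermission());
            // NOTE(review): the grantee id is passed through without any
            // validation here; confirm that OzoneAcl rejects null or empty names.
            String granteeId = grantee.getId();
            ozoneAcls.add(new OzoneAcl(IAccessAuthorizer.ACLIdentityType.USER, granteeId, rights,
                    OzoneAcl.AclScope.DEFAULT));
            // Each entry gets its own BitSet so the two scopes never share one
            // mutable permission set, whether or not OzoneAcl copies its argument.
            ozoneAcls.add(new OzoneAcl(IAccessAuthorizer.ACLIdentityType.USER, granteeId, (BitSet) rights.clone(),
                    OzoneAcl.AclScope.ACCESS));
        }
        return ozoneAcls;
    }

    /**
     * Maps an S3 permission name to the Ozone rights granted on a bucket.
     *
     * <p>FULL_CONTROL maps to ALL, WRITE_ACP to WRITE_ACL, READ_ACP to
     * READ_ACL, WRITE to WRITE+DELETE+CREATE and READ to READ+LIST.
     *
     * @param str S3 permission name (exact, case-sensitive)
     * @return a new BitSet indexed by {@code IAccessAuthorizer.ACLType} ordinal
     * @throws OS3Exception INVALID_ARGUMENT if the name is not a known permission
     */
    public static BitSet getOzoneAclOnBucketFromS3Permission(String str) throws OS3Exception {
        ACLType type = ACLType.getType(str);
        if (type == null) {
            throw S3ErrorTable.newError(S3ErrorTable.INVALID_ARGUMENT, str);
        }
        BitSet rights = new BitSet(IAccessAuthorizer.ACLType.getNoOfAcls());
        switch (type) {
            case FULL_CONTROL:
                rights.set(IAccessAuthorizer.ACLType.ALL.ordinal());
                break;
            case WRITE_ACP:
                rights.set(IAccessAuthorizer.ACLType.WRITE_ACL.ordinal());
                break;
            case READ_ACP:
                rights.set(IAccessAuthorizer.ACLType.READ_ACL.ordinal());
                break;
            case WRITE:
                rights.set(IAccessAuthorizer.ACLType.WRITE.ordinal());
                rights.set(IAccessAuthorizer.ACLType.DELETE.ordinal());
                rights.set(IAccessAuthorizer.ACLType.CREATE.ordinal());
                break;
            case READ:
                rights.set(IAccessAuthorizer.ACLType.READ.ordinal());
                rights.set(IAccessAuthorizer.ACLType.LIST.ordinal());
                break;
            default:
                // Fail closed: a permission added to ACLType without a mapping
                // here must not silently translate to an empty or partial grant.
                LOG.error("Failed to recognize S3 permission {}", str);
                throw S3ErrorTable.newError(S3ErrorTable.INVALID_ARGUMENT, str);
        }
        return rights;
    }

    /**
     * Converts the grants of an S3 ACL into Ozone ACLs for a volume.
     *
     * <p>Every grant produces one USER entry in ACCESS scope. The whole
     * conversion fails on the first invalid grant; no partial result is
     * returned.
     *
     * @param s3BucketAcl the S3 ACL to convert
     * @return a new mutable list with one entry per grant
     * @throws OS3Exception INVALID_ARGUMENT for a missing grantee or an unknown
     *         permission, NOT_IMPLEMENTED for an unsupported grantee type
     */
    public static List<OzoneAcl> s3AclToOzoneNativeAclOnVolume(S3BucketAcl s3BucketAcl) throws OS3Exception {
        List<OzoneAcl> ozoneAcls = new ArrayList<>();
        for (S3BucketAcl.Grant grant : s3BucketAcl.getAclList().getGrantList()) {
            S3BucketAcl.Grantee grantee = requireSupportedGrantee(grant);
            // NOTE(review): the grantee id is passed through without any
            // validation here; confirm that OzoneAcl rejects null or empty names.
            ozoneAcls.add(new OzoneAcl(IAccessAuthorizer.ACLIdentityType.USER, grantee.getId(),
                    getOzoneAclOnVolumeFromS3Permission(grant.getPermission()), OzoneAcl.AclScope.ACCESS));
        }
        return ozoneAcls;
    }

    /**
     * Maps an S3 permission name to the Ozone rights granted on a volume.
     *
     * <p>The volume mapping is deliberately narrower than the bucket mapping:
     * FULL_CONTROL yields READ, WRITE, READ_ACL and WRITE_ACL (not ALL), and
     * every permission includes READ. WRITE_ACP yields READ, READ_ACL and
     * WRITE_ACL; READ_ACP yields READ and READ_ACL; WRITE yields READ and
     * WRITE; READ yields READ only.
     *
     * @param str S3 permission name (exact, case-sensitive)
     * @return a new BitSet indexed by {@code IAccessAuthorizer.ACLType} ordinal
     * @throws OS3Exception INVALID_ARGUMENT if the name is not a known permission
     */
    public static BitSet getOzoneAclOnVolumeFromS3Permission(String str) throws OS3Exception {
        ACLType type = ACLType.getType(str);
        if (type == null) {
            throw S3ErrorTable.newError(S3ErrorTable.INVALID_ARGUMENT, str);
        }
        BitSet rights = new BitSet(IAccessAuthorizer.ACLType.getNoOfAcls());
        switch (type) {
            case FULL_CONTROL:
                rights.set(IAccessAuthorizer.ACLType.READ.ordinal());
                rights.set(IAccessAuthorizer.ACLType.WRITE.ordinal());
                rights.set(IAccessAuthorizer.ACLType.READ_ACL.ordinal());
                rights.set(IAccessAuthorizer.ACLType.WRITE_ACL.ordinal());
                break;
            case WRITE_ACP:
                rights.set(IAccessAuthorizer.ACLType.READ.ordinal());
                rights.set(IAccessAuthorizer.ACLType.READ_ACL.ordinal());
                rights.set(IAccessAuthorizer.ACLType.WRITE_ACL.ordinal());
                break;
            case READ_ACP:
                rights.set(IAccessAuthorizer.ACLType.READ.ordinal());
                rights.set(IAccessAuthorizer.ACLType.READ_ACL.ordinal());
                break;
            case WRITE:
                rights.set(IAccessAuthorizer.ACLType.READ.ordinal());
                rights.set(IAccessAuthorizer.ACLType.WRITE.ordinal());
                break;
            case READ:
                rights.set(IAccessAuthorizer.ACLType.READ.ordinal());
                break;
            default:
                // Fail closed: a permission added to ACLType without a mapping
                // here must not silently translate to an empty or partial grant.
                LOG.error("Failed to recognize S3 permission {}", str);
                throw S3ErrorTable.newError(S3ErrorTable.INVALID_ARGUMENT, str);
        }
        return rights;
    }
}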
