package org.apache.pulsar.broker.authorization;

import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.cache.ConfigurationCacheService;
import org.apache.pulsar.common.naming.DestinationName;
import org.apache.pulsar.common.policies.data.AuthAction;
import org.apache.pulsar.common.policies.data.Policies;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/broker/authorization/AuthorizationManager.class */
public class AuthorizationManager {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationManager.class);
    public final ServiceConfiguration conf;
    public final ConfigurationCacheService configCache;
    private static final String POLICY_ROOT = "/admin/policies/";

    public AuthorizationManager(ServiceConfiguration serviceConfiguration, ConfigurationCacheService configurationCacheService) {
        this.conf = serviceConfiguration;
        this.configCache = configurationCacheService;
    }

    public CompletableFuture<Boolean> canProduceAsync(DestinationName destinationName, String str) {
        return checkAuthorization(destinationName, str, AuthAction.produce);
    }

    public boolean canProduce(DestinationName destinationName, String str) throws Exception {
        try {
            return canProduceAsync(destinationName, str).get(30L, TimeUnit.SECONDS).booleanValue();
        } catch (InterruptedException e) {
            log.warn("Time-out {} sec while checking authorization on {} ", 30, destinationName);
            throw e;
        } catch (Exception e2) {
            log.warn("Producer-client  with Role - {} failed to get permissions for destination - {}", new Object[]{str, destinationName, e2});
            throw e2;
        }
    }

    public CompletableFuture<Boolean> canConsumeAsync(DestinationName destinationName, String str) {
        return checkAuthorization(destinationName, str, AuthAction.consume);
    }

    public boolean canConsume(DestinationName destinationName, String str) throws Exception {
        try {
            return canConsumeAsync(destinationName, str).get(30L, TimeUnit.SECONDS).booleanValue();
        } catch (InterruptedException e) {
            log.warn("Time-out {} sec while checking authorization on {} ", 30, destinationName);
            throw e;
        } catch (Exception e2) {
            log.warn("Consumer-client  with Role - {} failed to get permissions for destination - {}", new Object[]{str, destinationName, e2});
            throw e2;
        }
    }

    public boolean canLookup(DestinationName destinationName, String str) throws Exception {
        return canProduce(destinationName, str) || canConsume(destinationName, str);
    }

    private CompletableFuture<Boolean> checkAuthorization(DestinationName destinationName, String str, AuthAction authAction) {
        return isSuperUser(str) ? CompletableFuture.completedFuture(true) : checkPermission(destinationName, str, authAction).thenApply(bool -> {
            return Boolean.valueOf(bool.booleanValue() && checkCluster(destinationName));
        });
    }

    private boolean checkCluster(DestinationName destinationName) {
        if (destinationName.isGlobal() || this.conf.getClusterName().equals(destinationName.getCluster())) {
            return true;
        }
        if (!log.isDebugEnabled()) {
            return false;
        }
        log.debug("Destination [{}] does not belong to local cluster [{}]", destinationName.toString(), this.conf.getClusterName());
        return false;
    }

    public CompletableFuture<Boolean> checkPermission(DestinationName destinationName, String str, AuthAction authAction) {
        CompletableFuture<Boolean> completableFuture = new CompletableFuture<>();
        try {
            this.configCache.policiesCache().getAsync(POLICY_ROOT + destinationName.getNamespace()).thenAccept(optional -> {
                Set<AuthAction> set;
                if (optional.isPresent()) {
                    Map<String, Set<AuthAction>> map = ((Policies) optional.get()).auth_policies.namespace_auth;
                    Set<AuthAction> set2 = map.get(str);
                    if (set2 != null && set2.contains(authAction)) {
                        completableFuture.complete(true);
                        return;
                    }
                    Map<String, Set<AuthAction>> map2 = (Map) ((Policies) optional.get()).auth_policies.destination_auth.get(destinationName.toString());
                    if (map2 != null && (set = map2.get(str)) != null && set.contains(authAction)) {
                        completableFuture.complete(true);
                        return;
                    }
                    if (this.conf.getAuthorizationAllowWildcardsMatching()) {
                        if (checkWildcardPermission(str, authAction, map)) {
                            completableFuture.complete(true);
                            return;
                        } else if (map2 != null && checkWildcardPermission(str, authAction, map2)) {
                            completableFuture.complete(true);
                            return;
                        }
                    }
                } else if (log.isDebugEnabled()) {
                    log.debug("Policies node couldn't be found for destination : {}", destinationName);
                }
                completableFuture.complete(false);
            }).exceptionally(th -> {
                log.warn("Client  with Role - {} failed to get permissions for destination - {}", new Object[]{str, destinationName, th});
                completableFuture.completeExceptionally(th);
                return null;
            });
        } catch (Exception e) {
            log.warn("Client  with Role - {} failed to get permissions for destination - {}", new Object[]{str, destinationName, e});
            completableFuture.completeExceptionally(e);
        }
        return completableFuture;
    }

    private boolean checkWildcardPermission(String str, AuthAction authAction, Map<String, Set<AuthAction>> map) {
        for (Map.Entry<String, Set<AuthAction>> entry : map.entrySet()) {
            String key = entry.getKey();
            Set<AuthAction> value = entry.getValue();
            if (key.charAt(key.length() - 1) == '*' && str.startsWith(key.substring(0, key.length() - 1)) && value.contains(authAction)) {
                return true;
            }
            if (key.charAt(0) == '*' && str.endsWith(key.substring(1)) && value.contains(authAction)) {
                return true;
            }
        }
        return false;
    }

    public boolean isSuperUser(String str) {
        return str != null && this.conf.getSuperUserRoles().contains(str);
    }
}
