package org.apache.storm.blobstore;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.storm.Config;
import org.apache.storm.generated.AccessControl;
import org.apache.storm.generated.AccessControlType;
import org.apache.storm.generated.AuthorizationException;
import org.apache.storm.generated.SettableBlobMeta;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.IGroupMappingServiceProvider;
import org.apache.storm.security.auth.IPrincipalToLocal;
import org.apache.storm.security.auth.NimbusPrincipal;
import org.apache.storm.shade.org.apache.commons.lang.StringUtils;
import org.apache.storm.utils.WrappedAuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/blobstore/BlobStoreAclHandler.class */
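/**
 * Parses, normalizes and enforces blob store ACLs.
 *
 * <p>An {@link AccessControl} entry is either an {@code OTHER} ("world") entry or a
 * {@code USER} entry naming a local user; its access is a bit mask of {@link #READ},
 * {@link #WRITE} and {@link #ADMIN}. The textual form is {@code [type:][name:]access}, e.g.
 * {@code u:alice:rwa} or {@code o::r--}.
 *
 * <p>Enforcement ({@link #hasPermissions} / {@link #hasAnyPermissions}) only happens when
 * {@code Config.STORM_BLOBSTORE_ACL_VALIDATION_ENABLED} is {@code true} in the supplied
 * configuration; otherwise both methods return without checking anything. Nimbus, the
 * configured admins / admin groups, and (for reads only) the configured supervisor users
 * bypass the per-blob ACL entirely.
 *
 * <p>Instances are immutable after construction apart from the mutable {@link #DEFAULT}
 * list, which callers share; this class never modifies it.
 */
public class BlobStoreAclHandler {
    public static final int READ = 1;
    public static final int WRITE = 2;
    public static final int ADMIN = 4;
    // Every permission bit; used when "any" access is sufficient (e.g. reading metadata).
    private static final int ALL = READ | WRITE | ADMIN;

    private final IPrincipalToLocal ptol;
    // May be null: group-based admin checks are skipped when no provider is configured.
    private final IGroupMappingServiceProvider groupMappingServiceProvider;
    private final Set<String> supervisors;
    private final Set<String> admins;
    private final Set<String> adminsGroups;
    // False unless explicitly enabled in the config; when false no ACL is enforced.
    private final boolean doAclValidation;

    public static final Logger LOG = LoggerFactory.getLogger(BlobStoreAclHandler.class);
    public static final List<AccessControl> WORLD_EVERYTHING =
        Arrays.asList(new AccessControl(AccessControlType.OTHER, ALL));
    public static final List<AccessControl> DEFAULT = new ArrayList<>();

    /**
     * Builds a handler from the daemon configuration.
     *
     * @param conf the Storm configuration; reads the principal-to-local plugin, the optional
     *             group mapping plugin, {@code Config.NIMBUS_SUPERVISOR_USERS},
     *             {@code Config.NIMBUS_ADMINS}, {@code Config.NIMBUS_ADMINS_GROUPS} and
     *             {@code Config.STORM_BLOBSTORE_ACL_VALIDATION_ENABLED}
     */
    public BlobStoreAclHandler(Map<String, Object> conf) {
        this.ptol = ClientAuthUtils.getPrincipalToLocalPlugin(conf);
        if (conf.get(Config.STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN) != null) {
            this.groupMappingServiceProvider = ClientAuthUtils.getGroupMappingServiceProviderPlugin(conf);
        } else {
            this.groupMappingServiceProvider = null;
        }
        this.supervisors = new HashSet<>(stringsAt(conf, Config.NIMBUS_SUPERVISOR_USERS));
        this.admins = new HashSet<>(stringsAt(conf, Config.NIMBUS_ADMINS));
        this.adminsGroups = new HashSet<>(stringsAt(conf, Config.NIMBUS_ADMINS_GROUPS));
        // Absent key means validation stays off; only an explicit true turns it on.
        Object validation = conf.get(Config.STORM_BLOBSTORE_ACL_VALIDATION_ENABLED);
        this.doAclValidation = validation != null && ((Boolean) validation).booleanValue();
    }

    /**
     * Returns the list of strings stored under {@code key}, or an empty list when the key is
     * absent or its value is null.
     */
    @SuppressWarnings("unchecked") // config lists are untyped; the cast mirrors the old raw-List cast
    private static List<String> stringsAt(Map<String, Object> conf, String key) {
        Object value = conf.get(key);
        if (value == null) {
            return new ArrayList<>();
        }
        return (List<String>) value;
    }

    /**
     * Maps the textual ACL type ({@code other}/{@code o} or {@code user}/{@code u},
     * case-insensitive) to its enum value.
     *
     * @throws IllegalArgumentException for any other string
     */
    private static AccessControlType parseAclType(String type) {
        if ("other".equalsIgnoreCase(type) || "o".equalsIgnoreCase(type)) {
            return AccessControlType.OTHER;
        }
        if ("user".equalsIgnoreCase(type) || "u".equalsIgnoreCase(type)) {
            return AccessControlType.USER;
        }
        throw new IllegalArgumentException(type + " is not a valid access control type");
    }

    /**
     * Converts an access string such as {@code rw-} or {@code r} into a permission mask.
     * Characters {@code r}, {@code w} and {@code a} set {@link #READ}, {@link #WRITE} and
     * {@link #ADMIN}; {@code -} is ignored; order and repetition do not matter.
     *
     * @throws IllegalArgumentException if any other character is present
     */
    private static int parseAccess(String access) {
        int mask = 0;
        for (char c : access.toCharArray()) {
            switch (c) {
                case 'r':
                    mask |= READ;
                    break;
                case 'w':
                    mask |= WRITE;
                    break;
                case 'a':
                    mask |= ADMIN;
                    break;
                case '-':
                    break;
                default:
                    // The previous message was empty, which made malformed ACLs hard to diagnose.
                    throw new IllegalArgumentException(
                        "'" + c + "' in \"" + access + "\" is not a valid access character (expected r, w, a or -)");
            }
        }
        return mask;
    }

    /**
     * Parses one ACL entry of the form {@code access}, {@code name:access} or
     * {@code type:name:access}. A single component is a world ({@code other}) entry; two
     * components are a {@code user} entry.
     *
     * <p>Note: {@link String#split(String)} drops trailing empty components, so
     * {@code "u:alice:"} is parsed as two components, not three.
     *
     * @throws IllegalArgumentException if the string has no components or more than three,
     *                                  or if the type or access part is malformed
     */
    public static AccessControl parseAccessControl(String str) {
        String[] parts = str.split(":");
        if (parts.length == 0 || parts.length > 3) {
            // length 0 happens for ":"; previously it silently produced an empty world entry.
            throw new IllegalArgumentException("Don't know how to parse " + str + " into an ACL value");
        }
        String type;
        String name;
        String access;
        switch (parts.length) {
            case 1:
                type = "other";
                name = "";
                access = parts[0];
                break;
            case 2:
                type = "user";
                name = parts[0];
                access = parts[1];
                break;
            default:
                type = parts[0];
                name = parts[1];
                access = parts[2];
                break;
        }
        AccessControl acl = new AccessControl();
        acl.set_type(parseAclType(type));
        acl.set_name(name);
        acl.set_access(parseAccess(access));
        return acl;
    }

    /** Renders a permission mask as the three-character {@code rwa} form, with {@code -} for unset bits. */
    private static String accessToString(int access) {
        StringBuilder sb = new StringBuilder(3);
        sb.append((access & READ) != 0 ? "r" : "-");
        sb.append((access & WRITE) != 0 ? "w" : "-");
        sb.append((access & ADMIN) != 0 ? "a" : "-");
        return sb.toString();
    }

    /**
     * Renders an ACL entry as {@code type:name:access}, the inverse of {@link #parseAccessControl}.
     *
     * @throws IllegalArgumentException if the entry's type is neither {@code OTHER} nor {@code USER}
     */
    public static String accessControlToString(AccessControl acl) {
        StringBuilder sb = new StringBuilder();
        switch (acl.get_type()) {
            case OTHER:
                sb.append("o");
                break;
            case USER:
                sb.append("u");
                break;
            default:
                throw new IllegalArgumentException("Don't know what a type of " + acl.get_type() + " means ");
        }
        sb.append(":");
        if (acl.is_set_name()) {
            sb.append(acl.get_name());
        }
        sb.append(":");
        sb.append(accessToString(acl.get_access()));
        return sb.toString();
    }

    /**
     * Rejects ACL lists in which a non-empty user name appears more than once.
     *
     * @param key  the blob key, used only in the error message
     * @param acls the ACL entries to validate
     * @throws AuthorizationException if any user name is duplicated
     */
    public static void validateSettableACLs(String key, List<AccessControl> acls) throws AuthorizationException {
        Set<String> seen = new HashSet<>();
        List<String> duplicates = new ArrayList<>();
        for (AccessControl acl : acls) {
            String name = acl.get_name();
            if (!StringUtils.isEmpty(name) && !seen.add(name)) {
                LOG.error("'{}' user can't appear more than once in the ACLs", name);
                duplicates.add(name);
            }
        }
        if (!duplicates.isEmpty()) {
            throw new WrappedAuthorizationException("user " + Arrays.toString(duplicates.toArray())
                + " can't appear more than once in the ACLs for key [" + key + "].");
        }
    }

    /**
     * Maps every principal of {@code who} to a local user name via the configured
     * principal-to-local plugin. Returns an empty set for a null subject.
     */
    private Set<String> constructUserFromPrincipals(Subject who) {
        Set<String> users = new HashSet<>();
        if (who != null) {
            for (Principal principal : who.getPrincipals()) {
                users.add(ptol.toLocal(principal));
            }
        }
        return users;
    }

    /**
     * Returns true if any local user of {@code who} is a configured admin, or belongs to a
     * configured admin group. A failed group lookup is logged and treated as "no groups"
     * (fail closed: it never grants admin).
     */
    private boolean isAdmin(Subject who) {
        for (String user : constructUserFromPrincipals(who)) {
            if (admins.contains(user)) {
                return true;
            }
            if (!adminsGroups.isEmpty() && groupMappingServiceProvider != null) {
                Set<String> groups = null;
                try {
                    groups = groupMappingServiceProvider.getGroups(user);
                } catch (IOException e) {
                    LOG.warn("Error while trying to fetch user groups", e);
                }
                if (groups != null) {
                    for (String group : groups) {
                        if (adminsGroups.contains(group)) {
                            return true;
                        }
                    }
                }
            }
        }
        return false;
    }

    /** True only for a pure {@link #READ} mask; any write/admin bit makes it a non-read operation. */
    private boolean isReadOperation(int mask) {
        return mask == READ;
    }

    /**
     * Returns true if the operation is a pure read and any local user of {@code who} is a
     * configured supervisor user. Supervisors never bypass ACLs for writes or admin operations.
     */
    private boolean isSupervisor(Subject who, int mask) {
        if (!isReadOperation(mask)) {
            return false;
        }
        for (String user : constructUserFromPrincipals(who)) {
            if (supervisors.contains(user)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns true if {@code who} carries a {@link NimbusPrincipal}. This checks the principal
     * type directly; the principal-to-local mapping is not consulted.
     */
    private boolean isNimbus(Subject who) {
        if (who == null) {
            return false;
        }
        for (Principal principal : who.getPrincipals()) {
            if (principal instanceof NimbusPrincipal) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns true if {@code who} may bypass the per-blob ACL: Nimbus itself, a configured
     * admin, or (read-only) a configured supervisor user.
     *
     * @param who  the requesting subject, may be null
     * @param mask the requested permission mask
     */
    public boolean checkForValidUsers(Subject who, int mask) {
        return isNimbus(who) || isAdmin(who) || isSupervisor(who, mask);
    }

    /**
     * Checks that {@code who} has at least one of read, write or admin on the blob; any bit
     * is enough to read its metadata.
     *
     * @throws AuthorizationException if validation is enabled and no permission is granted
     */
    public void validateUserCanReadMeta(List<AccessControl> acls, Subject who, String key)
        throws AuthorizationException {
        hasAnyPermissions(acls, ALL, who, key);
    }

    /**
     * Checks that {@code who} holds at least one of the bits in {@code mask} on the blob.
     * Does nothing when ACL validation is disabled.
     *
     * @param acls the blob's ACL entries
     * @param mask the permission bits, any one of which is sufficient
     * @param who  the requesting subject, may be null
     * @param key  the blob key, used for logging and the error message
     * @throws AuthorizationException if validation is enabled and no entry grants any bit of {@code mask}
     */
    public void hasAnyPermissions(List<AccessControl> acls, int mask, Subject who, String key)
        throws AuthorizationException {
        if (!doAclValidation) {
            return;
        }
        Set<String> users = constructUserFromPrincipals(who);
        LOG.debug("user {}", users);
        if (checkForValidUsers(who, mask)) {
            return;
        }
        for (AccessControl acl : acls) {
            int allowed = getAllowed(acl, users);
            LOG.debug(" user: {} allowed: {} key: {}", users, allowed, key);
            if ((allowed & mask) != 0) {
                return;
            }
        }
        throw new WrappedAuthorizationException(users + " does not have access to " + key);
    }

    /**
     * Checks that {@code who} holds every bit in {@code mask} on the blob, accumulated across
     * all matching entries. Does nothing when ACL validation is disabled.
     *
     * @param acls the blob's ACL entries
     * @param mask the permission bits that must all be granted
     * @param who  the requesting subject, may be null
     * @param key  the blob key, used for logging and the error message
     * @throws AuthorizationException if validation is enabled and some bit of {@code mask} is not granted
     */
    public void hasPermissions(List<AccessControl> acls, int mask, Subject who, String key)
        throws AuthorizationException {
        if (!doAclValidation) {
            return;
        }
        Set<String> users = constructUserFromPrincipals(who);
        LOG.debug("user {}", users);
        if (checkForValidUsers(who, mask)) {
            return;
        }
        // Bits still missing after the entries seen so far; zero means fully granted.
        int missing = mask;
        for (AccessControl acl : acls) {
            int allowed = getAllowed(acl, users);
            missing &= ~allowed;
            LOG.debug(" user: {} allowed: {} disallowed: {} key: {}", users, allowed, missing, key);
        }
        if (missing != 0) {
            throw new WrappedAuthorizationException(
                users + " does not have " + namedPerms(missing) + " access to " + key);
        }
    }

    /**
     * Replaces the ACL list in {@code meta} with its normalized form; see
     * {@link #normalizeSettableAcls}.
     *
     * @param key  the blob key, used for logging
     * @param meta the metadata to update in place
     * @param who  the subject setting the metadata, may be null
     * @param mask the permissions the caller must retain on the blob
     */
    public void normalizeSettableBlobMeta(String key, SettableBlobMeta meta, Subject who, int mask) {
        meta.set_acl(normalizeSettableAcls(key, meta.get_acl(), who, mask));
    }

    /** Renders a mask as e.g. {@code [READ WRITE ]} for error messages. */
    private String namedPerms(int mask) {
        StringBuilder sb = new StringBuilder("[");
        if ((mask & READ) != 0) {
            sb.append("READ ");
        }
        if ((mask & WRITE) != 0) {
            sb.append("WRITE ");
        }
        if ((mask & ADMIN) != 0) {
            sb.append("ADMIN ");
        }
        sb.append("]");
        return sb.toString();
    }

    /**
     * Returns the permission bits {@code acl} grants to the given local users: a world entry
     * grants its access to everyone; a user entry only if its name is one of {@code users}.
     * A user entry whose name is not one of {@code users} (including an unset name, unless
     * {@code users} itself contains null) grants nothing.
     */
    private int getAllowed(AccessControl acl, Set<String> users) {
        switch (acl.get_type()) {
            case OTHER:
                return acl.get_access();
            case USER:
                return users.contains(acl.get_name()) ? acl.get_access() : 0;
            default:
                return 0;
        }
    }

    /** Returns a copy of {@code acls} without world entries that grant no permissions. */
    private List<AccessControl> removeBadAcls(List<AccessControl> acls) {
        List<AccessControl> kept = new ArrayList<>();
        for (AccessControl acl : acls) {
            if (acl.get_type().equals(AccessControlType.OTHER) && acl.get_access() == 0) {
                LOG.debug("Removing invalid blobstore world ACL {}", accessControlToString(acl));
            } else {
                kept.add(acl);
            }
        }
        return kept;
    }

    /**
     * Produces the ACL list that will actually be stored: empty world entries are dropped,
     * every local user of {@code who} is guaranteed at least {@code mask}, and nameless user
     * entries are expanded to those users.
     *
     * <p>If the subject is null or maps to no local users, and the original list has no
     * world-everything entry, {@link #WORLD_EVERYTHING} is appended so the blob stays
     * accessible; this widens access and is logged at WARN when the caller supplied a
     * non-empty ACL. The world-everything check is made on the original list, not the cleaned one.
     */
    private List<AccessControl> normalizeSettableAcls(String key, List<AccessControl> acls, Subject who, int mask) {
        List<AccessControl> cleaned = removeBadAcls(acls);
        Set<String> users = getUserNamesFromSubject(who);
        for (String user : users) {
            fixAclsForUser(cleaned, user, mask);
        }
        fixEmptyNameACLForUsers(cleaned, users, mask);
        if ((who == null || users.isEmpty()) && !worldEverything(acls)) {
            cleaned.addAll(WORLD_EVERYTHING);
            LOG.debug("Access Control for key {} is normalized to world everything {}", key, cleaned);
            if (!acls.isEmpty()) {
                LOG.warn("Access control for blob with key {} is normalized to WORLD_EVERYTHING", key);
            }
        }
        return cleaned;
    }

    /** True if any entry is a world entry granting all of read, write and admin. */
    private boolean worldEverything(List<AccessControl> acls) {
        for (AccessControl acl : acls) {
            if (acl.get_type() == AccessControlType.OTHER && acl.get_access() == ALL) {
                return true;
            }
        }
        return false;
    }

    /**
     * Ensures {@code user} holds at least {@code mask} in {@code acls} (mutated in place).
     * A matching named entry is widened; if one exists, nameless user entries are removed
     * (they are placeholders that a concrete entry supersedes). If there is neither a matching
     * entry nor a nameless one, a new entry for {@code user} with {@code mask} is appended.
     * Nameless entries without a matching named entry are left for
     * {@link #fixEmptyNameACLForUsers} to expand.
     */
    private void fixAclsForUser(List<AccessControl> acls, String user, int mask) {
        boolean foundNamedEntry = false;
        List<AccessControl> namelessEntries = new ArrayList<>();
        for (AccessControl acl : acls) {
            if (acl.get_type() != AccessControlType.USER) {
                continue;
            }
            if (!acl.is_set_name()) {
                namelessEntries.add(acl);
            } else if (acl.get_name().equals(user)) {
                int access = acl.get_access();
                if ((access & mask) != mask) {
                    acl.set_access(access | mask);
                }
                foundNamedEntry = true;
            }
        }
        if (!namelessEntries.isEmpty() && foundNamedEntry) {
            acls.removeAll(namelessEntries);
        }
        if (namelessEntries.isEmpty() && !foundNamedEntry) {
            AccessControl acl = new AccessControl();
            acl.set_type(AccessControlType.USER);
            acl.set_name(user);
            acl.set_access(mask);
            acls.add(acl);
        }
    }

    /**
     * Replaces every nameless user entry in {@code acls} (mutated in place) with one copy per
     * name in {@code users}, each widened to include {@code mask}. With an empty {@code users}
     * set the nameless entries are simply dropped.
     */
    private void fixEmptyNameACLForUsers(List<AccessControl> acls, Set<String> users, int mask) {
        List<AccessControl> expanded = new ArrayList<>();
        List<AccessControl> nameless = new ArrayList<>();
        for (AccessControl acl : acls) {
            if (acl.get_type() == AccessControlType.USER && !acl.is_set_name()) {
                nameless.add(acl);
                int access = acl.get_access();
                if ((access & mask) != mask) {
                    acl.set_access(access | mask);
                }
                for (String user : users) {
                    AccessControl copy = new AccessControl(acl);
                    copy.set_name(user);
                    expanded.add(copy);
                }
            }
        }
        acls.removeAll(nameless);
        acls.addAll(expanded);
    }

    /** Same mapping as {@link #constructUserFromPrincipals}; kept under its historical name. */
    private Set<String> getUserNamesFromSubject(Subject who) {
        return constructUserFromPrincipals(who);
    }
}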
