package org.apache.druid.server.security;

import com.google.common.base.Function;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.druid.java.util.common.ISE;

/* loaded from: input_file:org/apache/druid/server/security/AuthorizationUtils.class */
public class AuthorizationUtils {
    public static Function<String, ResourceAction> DATASOURCE_READ_RA_GENERATOR = new Function<String, ResourceAction>() { // from class: org.apache.druid.server.security.AuthorizationUtils.1
        public ResourceAction apply(String str) {
            return new ResourceAction(new Resource(str, ResourceType.DATASOURCE), Action.READ);
        }
    };
    public static Function<String, ResourceAction> DATASOURCE_WRITE_RA_GENERATOR = new Function<String, ResourceAction>() { // from class: org.apache.druid.server.security.AuthorizationUtils.2
        public ResourceAction apply(String str) {
            return new ResourceAction(new Resource(str, ResourceType.DATASOURCE), Action.WRITE);
        }
    };

    public static Access authorizeResourceAction(HttpServletRequest httpServletRequest, ResourceAction resourceAction, AuthorizerMapper authorizerMapper) {
        return authorizeAllResourceActions(httpServletRequest, Collections.singletonList(resourceAction), authorizerMapper);
    }

    public static AuthenticationResult authenticationResultFromRequest(HttpServletRequest httpServletRequest) {
        AuthenticationResult authenticationResult = (AuthenticationResult) httpServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT);
        if (authenticationResult == null) {
            throw new ISE("Null authentication result", new Object[0]);
        }
        return authenticationResult;
    }

    public static Access authorizeAllResourceActions(AuthenticationResult authenticationResult, Iterable<ResourceAction> iterable, AuthorizerMapper authorizerMapper) {
        Authorizer authorizer = authorizerMapper.getAuthorizer(authenticationResult.getAuthorizerName());
        if (authorizer == null) {
            throw new ISE("No authorizer found with name: [%s].", new Object[]{authenticationResult.getAuthorizerName()});
        }
        HashSet newHashSet = Sets.newHashSet();
        for (ResourceAction resourceAction : iterable) {
            if (!newHashSet.contains(resourceAction)) {
                Access authorize = authorizer.authorize(authenticationResult, resourceAction.getResource(), resourceAction.getAction());
                if (!authorize.isAllowed()) {
                    return authorize;
                }
                newHashSet.add(resourceAction);
            }
        }
        return Access.OK;
    }

    public static Access authorizeAllResourceActions(HttpServletRequest httpServletRequest, Iterable<ResourceAction> iterable, AuthorizerMapper authorizerMapper) {
        if (httpServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH) != null) {
            return Access.OK;
        }
        if (httpServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
            throw new ISE("Request already had authorization check.", new Object[0]);
        }
        Access authorizeAllResourceActions = authorizeAllResourceActions(authenticationResultFromRequest(httpServletRequest), iterable, authorizerMapper);
        httpServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, Boolean.valueOf(authorizeAllResourceActions.isAllowed()));
        return authorizeAllResourceActions;
    }

    public static <ResType> Iterable<ResType> filterAuthorizedResources(HttpServletRequest httpServletRequest, Iterable<ResType> iterable, Function<? super ResType, Iterable<ResourceAction>> function, AuthorizerMapper authorizerMapper) {
        if (httpServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH) != null) {
            return iterable;
        }
        if (httpServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
            throw new ISE("Request already had authorization check.", new Object[0]);
        }
        Iterable<ResType> filterAuthorizedResources = filterAuthorizedResources(authenticationResultFromRequest(httpServletRequest), iterable, function, authorizerMapper);
        httpServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
        return filterAuthorizedResources;
    }

    public static <ResType> Iterable<ResType> filterAuthorizedResources(AuthenticationResult authenticationResult, Iterable<ResType> iterable, Function<? super ResType, Iterable<ResourceAction>> function, AuthorizerMapper authorizerMapper) {
        Authorizer authorizer = authorizerMapper.getAuthorizer(authenticationResult.getAuthorizerName());
        if (authorizer == null) {
            throw new ISE("No authorizer found with name: [%s].", new Object[]{authenticationResult.getAuthorizerName()});
        }
        HashMap newHashMap = Maps.newHashMap();
        return Iterables.filter(iterable, obj -> {
            Iterable iterable2 = (Iterable) function.apply(obj);
            if (iterable2 == null) {
                return false;
            }
            Iterator it = iterable2.iterator();
            while (it.hasNext()) {
                if (!((Access) newHashMap.computeIfAbsent((ResourceAction) it.next(), resourceAction -> {
                    return authorizer.authorize(authenticationResult, resourceAction.getResource(), resourceAction.getAction());
                })).isAllowed()) {
                    return false;
                }
            }
            return true;
        });
    }

    public static <KeyType, ResType> Map<KeyType, List<ResType>> filterAuthorizedResources(HttpServletRequest httpServletRequest, Map<KeyType, List<ResType>> map, Function<? super ResType, Iterable<ResourceAction>> function, AuthorizerMapper authorizerMapper) {
        if (httpServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH) != null) {
            return map;
        }
        if (httpServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
            throw new ISE("Request already had authorization check.", new Object[0]);
        }
        AuthenticationResult authenticationResultFromRequest = authenticationResultFromRequest(httpServletRequest);
        HashMap newHashMap = Maps.newHashMap();
        for (Map.Entry<KeyType, List<ResType>> entry : map.entrySet()) {
            if (entry.getValue() != null) {
                ArrayList newArrayList = Lists.newArrayList(filterAuthorizedResources(authenticationResultFromRequest, entry.getValue(), function, authorizerMapper));
                if (newArrayList.size() > 0) {
                    newHashMap.put(entry.getKey(), newArrayList);
                }
            }
        }
        httpServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
        return newHashMap;
    }
}
