package io.ballerina.messaging.broker.auth.authorization.authorizer.rdbms;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import io.ballerina.messaging.broker.auth.AuthException;
import io.ballerina.messaging.broker.auth.AuthNotFoundException;
import io.ballerina.messaging.broker.auth.AuthServerException;
import io.ballerina.messaging.broker.auth.BrokerAuthConfiguration;
import io.ballerina.messaging.broker.auth.authorization.Authorizer;
import io.ballerina.messaging.broker.auth.authorization.DiscretionaryAccessController;
import io.ballerina.messaging.broker.auth.authorization.MandatoryAccessController;
import io.ballerina.messaging.broker.auth.authorization.UserStore;
import io.ballerina.messaging.broker.auth.authorization.authorizer.rdbms.resource.AuthResource;
import io.ballerina.messaging.broker.auth.authorization.authorizer.rdbms.resource.ResourceCacheKey;
import io.ballerina.messaging.broker.auth.authorization.provider.MemoryDacHandler;
import io.ballerina.messaging.broker.common.StartupContext;
import io.ballerina.messaging.broker.common.config.BrokerConfigProvider;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/ballerina/messaging/broker/auth/authorization/authorizer/rdbms/DefaultAuthorizer.class */
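/**
 * Default {@link Authorizer} that layers a per-user decision cache over a mandatory
 * access controller (scope checks) and two discretionary access controllers
 * (per-resource action checks): an in-memory handler and an external one.
 *
 * <p>Caching model: the cache is keyed by user id and an entry is loaded with the
 * user's group list. A successful scope or resource-action check is recorded in the
 * entry and short-circuits later identical checks; a denied check is never recorded
 * and is re-evaluated on every call. An entry lives until it is evicted by size or
 * expires ({@code expireAfterWrite}, configured in minutes), so a granted decision and
 * the group list captured at load time remain in effect until then. Nothing in this
 * class invalidates an entry earlier; whether another component does is not visible here.
 *
 * <p>Discretionary checks and resource mutations consult the in-memory handler first
 * and fall back to the external handler only when the in-memory one returns
 * {@code false}.
 *
 * <p>{@link #initialize(StartupContext)} must run before any {@code authorize} call,
 * because the cache is created there.
 */
public class DefaultAuthorizer implements Authorizer {
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultAuthorizer.class);

    /** DAC handler for resources kept in memory; always consulted before the external one. */
    private final MemoryDacHandler memoryDacHandler = new MemoryDacHandler();
    private final UserStore userStore;
    /** Per-user cache of group membership and already granted decisions; built in {@link #initialize}. */
    private LoadingCache<String, UserCacheEntry> userCache;
    private final DiscretionaryAccessController externalDacHandler;
    private final MandatoryAccessController macHandler;

    /**
     * Loads a new cache entry for a user id. Non-static on purpose: it reads the
     * enclosing authorizer's {@link #userStore}.
     */
    private class UserCacheLoader extends CacheLoader<String, UserCacheEntry> {
        private UserCacheLoader() {
        }

        /**
         * @param userId the cache key (user id)
         * @return an entry holding the user's group list as of now
         * @throws AuthException propagated from the user store
         */
        @Override
        public UserCacheEntry load(@Nonnull String userId) throws AuthException {
            UserCacheEntry entry = new UserCacheEntry();
            // Group membership is read once here and reused for every decision made
            // from this entry until the entry expires or is evicted.
            entry.setUserGroups(DefaultAuthorizer.this.userStore.getUserGroupsList(userId));
            return entry;
        }
    }

    /**
     * @param discretionaryAccessController the external DAC handler (fallback after the in-memory one)
     * @param mandatoryAccessController     the MAC handler used for scope checks
     * @param userStore                     source of user group lists and user existence checks
     */
    public DefaultAuthorizer(DiscretionaryAccessController discretionaryAccessController,
                             MandatoryAccessController mandatoryAccessController,
                             UserStore userStore) {
        this.externalDacHandler = discretionaryAccessController;
        this.macHandler = mandatoryAccessController;
        this.userStore = userStore;
    }

    /**
     * Builds the user cache from the broker's authorization cache configuration
     * (maximum size and write-expiry timeout in minutes).
     *
     * @param startupContext provides the {@link BrokerConfigProvider}
     * @throws Exception propagated from configuration lookup
     */
    @Override
    public void initialize(StartupContext startupContext) throws Exception {
        BrokerConfigProvider configProvider =
                (BrokerConfigProvider) startupContext.getService(BrokerConfigProvider.class);
        BrokerAuthConfiguration authConfiguration = (BrokerAuthConfiguration) configProvider
                .getConfigurationObject(BrokerAuthConfiguration.NAMESPACE, BrokerAuthConfiguration.class);
        this.userCache = CacheBuilder.newBuilder()
                .maximumSize(authConfiguration.getAuthorization().getCache().getSize())
                // The write-expiry bounds how long a cached grant and group list can outlive a change.
                .expireAfterWrite(authConfiguration.getAuthorization().getCache().getTimeout(), TimeUnit.MINUTES)
                .build(new UserCacheLoader());
    }

    /**
     * Checks whether a user holds a scope (mandatory access control).
     *
     * <p>Scope names are compared by exact string equality. A grant is remembered in the
     * user's cache entry; a denial is not.
     *
     * @param scopeName the scope to check
     * @param userId    the user; must not be {@code null}
     * @return {@code true} if the scope was granted (from cache or by the MAC handler)
     * @throws AuthException         if {@code userId} is {@code null}
     * @throws AuthServerException   if loading the user's cache entry failed
     * @throws AuthNotFoundException propagated from the MAC handler
     */
    @Override
    public boolean authorize(String scopeName, String userId)
            throws AuthException, AuthServerException, AuthNotFoundException {
        if (userId == null) {
            throw new AuthException("user id cannot be null.");
        }
        try {
            UserCacheEntry entry = this.userCache.get(userId);
            if (entry.getAuthorizedScopes().stream().anyMatch(cached -> cached.equals(scopeName))) {
                LOGGER.debug("Scopes are loaded from cache for auth scope key : {} ", scopeName);
                return true;
            }
            if (!this.macHandler.authorize(scopeName, entry.getUserGroups())) {
                // Denials are not cached; the next call re-asks the MAC handler.
                return false;
            }
            // NOTE(review): the entry is mutated after retrieval without visible synchronization;
            // whether UserCacheEntry uses a thread-safe collection is not visible here.
            entry.getAuthorizedScopes().add(scopeName);
            return true;
        } catch (ExecutionException e) {
            throw new AuthServerException(
                    "Error occurred while retrieving authorizations from cache for scope name : " + scopeName, e);
        }
    }

    /**
     * Checks whether a user may perform an action on a resource (discretionary access control).
     *
     * <p>A grant is remembered per {@link ResourceCacheKey} in the user's cache entry;
     * a denial is not.
     *
     * @param resourceType the resource type
     * @param resourceName the resource name
     * @param action       the action to check, compared by exact string equality
     * @param userId       the user; must not be {@code null}
     * @return {@code true} if the action was granted (from cache or by a DAC handler)
     * @throws AuthException         if {@code userId} is {@code null}, or if loading the user's
     *                               cache entry failed (note: the scope variant wraps the same
     *                               failure as {@link AuthServerException}; kept as is for compatibility)
     * @throws AuthServerException   propagated from the DAC handlers
     * @throws AuthNotFoundException propagated from the DAC handlers
     */
    @Override
    public boolean authorize(String resourceType, String resourceName, String action, String userId)
            throws AuthException, AuthServerException, AuthNotFoundException {
        ResourceCacheKey cacheKey = new ResourceCacheKey(resourceType, resourceName);
        if (userId == null) {
            throw new AuthException("user id cannot be null.");
        }
        try {
            UserCacheEntry entry = this.userCache.get(userId);
            Set<String> grantedActions = entry.getAuthorizedResourceActions().get(cacheKey);
            if (Objects.nonNull(grantedActions)
                    && grantedActions.stream().anyMatch(cached -> cached.equals(action))) {
                LOGGER.debug("resourceName authorizations are loaded from cache for resourceType : {} resourceName: {}",
                        resourceType, resourceName);
                return true;
            }
            if (!authorizeInDac(resourceType, resourceName, action, userId, entry)) {
                // Denials are not cached; the next call re-asks the DAC handlers.
                return false;
            }
            if (grantedActions == null) {
                // NOTE(review): a concurrent caller may create and put its own set for the same
                // key; the later put wins and the other grant is simply re-evaluated next time.
                grantedActions = new HashSet<>();
                entry.getAuthorizedResourceActions().put(cacheKey, grantedActions);
            }
            grantedActions.add(action);
            return true;
        } catch (ExecutionException e) {
            throw new AuthException("Error occurred while retrieving authorizations from cache for resourceType : "
                    + resourceType + " resourceName: " + resourceName, e);
        }
    }

    /**
     * Asks the in-memory DAC handler first and, only if it denies, the external one.
     *
     * @return {@code true} if either handler grants the action
     */
    private boolean authorizeInDac(String resourceType, String resourceName, String action, String userId,
                                   UserCacheEntry entry) throws AuthServerException, AuthNotFoundException {
        return this.memoryDacHandler.authorize(resourceType, resourceName, action, userId, entry.getUserGroups())
                || this.externalDacHandler.authorize(resourceType, resourceName, action, userId,
                                                     entry.getUserGroups());
    }

    /**
     * Looks a resource up in the in-memory handler first, then in the external one.
     *
     * @return the resource from the first handler that returns a non-null value, else the
     *         external handler's result
     */
    @Override
    public AuthResource getAuthResource(String resourceType, String resourceName)
            throws AuthServerException, AuthNotFoundException {
        AuthResource inMemory = this.memoryDacHandler.getAuthResource(resourceType, resourceName);
        if (Objects.nonNull(inMemory)) {
            return inMemory;
        }
        return this.externalDacHandler.getAuthResource(resourceType, resourceName);
    }

    /**
     * Registers a resource with the DAC handler selected by {@code durable}.
     *
     * @param durable when {@code true} the external handler is used, otherwise the in-memory one
     *                (the "durable" reading of the flag is inferred from that routing)
     * @param owner   the owner recorded for the resource
     */
    @Override
    public void addProtectedResource(String resourceType, String resourceName, boolean durable, String owner)
            throws AuthServerException {
        getDacHandler(durable).addResource(resourceType, resourceName, owner);
    }

    /**
     * Deletes a resource from the in-memory handler, falling back to the external handler
     * when the in-memory handler reports nothing was deleted.
     */
    @Override
    public void deleteProtectedResource(String resourceType, String resourceName)
            throws AuthServerException, AuthNotFoundException {
        if (!this.memoryDacHandler.deleteResource(resourceType, resourceName)) {
            this.externalDacHandler.deleteResource(resourceType, resourceName);
        }
    }

    /**
     * Adds groups to a resource action mapping; the external handler is only tried when the
     * in-memory handler returns {@code false}.
     *
     * @return {@code true} if either handler reported success
     */
    @Override
    public boolean addGroupsToResource(String resourceType, String resourceName, String action,
                                       List<String> groups) throws AuthServerException {
        return this.memoryDacHandler.addGroupsToResource(resourceType, resourceName, action, groups)
                || this.externalDacHandler.addGroupsToResource(resourceType, resourceName, action, groups);
    }

    /**
     * Removes a group from a resource action mapping; the external handler is only tried
     * when the in-memory handler returns {@code false}.
     *
     * @return {@code true} if either handler reported success
     */
    @Override
    public boolean removeGroupFromResource(String resourceType, String resourceName, String action, String group)
            throws AuthServerException, AuthNotFoundException {
        return this.memoryDacHandler.removeGroupFromResource(resourceType, resourceName, action, group)
                || this.externalDacHandler.removeGroupFromResource(resourceType, resourceName, action, group);
    }

    /**
     * Transfers ownership of a resource, rejecting owners unknown to the user store so that a
     * resource cannot be handed to a non-existent principal.
     *
     * @return {@code true} if either handler reported success
     * @throws AuthException if {@code newOwner} does not exist in the user store
     */
    @Override
    public boolean changeResourceOwner(String resourceType, String resourceName, String newOwner)
            throws AuthServerException, AuthNotFoundException, AuthException {
        if (!this.userStore.isUserExists(newOwner)) {
            throw new AuthException("Invalid username for the owner.");
        }
        return this.memoryDacHandler.changeResourceOwner(resourceType, resourceName, newOwner)
                || this.externalDacHandler.changeResourceOwner(resourceType, resourceName, newOwner);
    }

    /** @return the external handler when {@code external} is {@code true}, else the in-memory one */
    private DiscretionaryAccessController getDacHandler(boolean external) {
        return external ? this.externalDacHandler : this.memoryDacHandler;
    }
}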
