package io.cdap.cdap.data2.dataset2;

import com.google.common.collect.ImmutableMap;
import io.cdap.cdap.api.annotation.ReadOnly;
import io.cdap.cdap.api.annotation.ReadWrite;
import io.cdap.cdap.api.annotation.WriteOnly;
import io.cdap.cdap.api.dataset.DataSetException;
import io.cdap.cdap.data2.metadata.lineage.AccessType;
import io.cdap.cdap.internal.dataset.DatasetRuntimeContext;
import io.cdap.cdap.proto.id.DatasetId;
import io.cdap.cdap.proto.security.Action;
import io.cdap.cdap.proto.security.Principal;
import io.cdap.cdap.security.spi.authorization.AuthorizationEnforcer;
import java.lang.annotation.Annotation;
import java.util.ArrayDeque;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.annotation.Nullable;
import org.apache.twill.common.Cancellable;

/* loaded from: input_file:io/cdap/cdap/data2/dataset2/DefaultDatasetRuntimeContext.class */
public class DefaultDatasetRuntimeContext extends DatasetRuntimeContext {
    private static final Map<Class<? extends Annotation>, AccessInfo> ANNOTATION_TO_ACCESS_INFO = ImmutableMap.of(ReadOnly.class, new AccessInfo(EnumSet.of(Action.READ), AccessType.READ), WriteOnly.class, new AccessInfo(EnumSet.of(Action.WRITE), AccessType.WRITE), ReadWrite.class, new AccessInfo(EnumSet.of(Action.READ, Action.WRITE), AccessType.READ_WRITE));
    private static final AccessInfo UNKNOWN_ACCESS_INFO = new AccessInfo(EnumSet.noneOf(Action.class), AccessType.UNKNOWN);
    private final AuthorizationEnforcer enforcer;
    private final DatasetAccessRecorder accessRecorder;
    private final Principal principal;
    private final DatasetId datasetId;

    @Nullable
    private final Class<? extends Annotation> constructorDefaultAnnotation;
    private final ThreadLocal<CallStack> callStack = new InheritableThreadLocal<CallStack>() { // from class: io.cdap.cdap.data2.dataset2.DefaultDatasetRuntimeContext.1
        /* JADX INFO: Access modifiers changed from: protected */
        @Override // java.lang.ThreadLocal
        public CallStack initialValue() {
            return new CallStack();
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // java.lang.InheritableThreadLocal
        public CallStack childValue(CallStack callStack) {
            return new CallStack(callStack);
        }
    };
    private final boolean[] lineageRecorded = new boolean[AccessType.values().length];
    private final boolean[] auditRecorded = new boolean[AccessType.values().length];

    /* loaded from: input_file:io/cdap/cdap/data2/dataset2/DefaultDatasetRuntimeContext$AccessInfo.class */
    private static final class AccessInfo {
        private final Set<Action> actions;
        private final AccessType accessType;

        private AccessInfo(Set<Action> set, AccessType accessType) {
            this.actions = set;
            this.accessType = accessType;
        }

        Set<Action> getActions() {
            return this.actions;
        }

        AccessType getAccessType() {
            return this.accessType;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/cdap/cdap/data2/dataset2/DefaultDatasetRuntimeContext$CallStack.class */
    public final class CallStack {
        private final ArrayDeque<AccessType> stack;
        private final int minSize;

        CallStack() {
            this.stack = new ArrayDeque<>(10);
            this.minSize = 0;
        }

        CallStack(CallStack callStack) {
            this.stack = new ArrayDeque<>(callStack.stack);
            this.minSize = this.stack.size();
        }

        AccessType enter(AccessType accessType) {
            AccessType peekLast = this.stack.peekLast();
            if (peekLast != null && peekLast != AccessType.UNKNOWN) {
                accessType = peekLast;
            }
            this.stack.addLast(accessType);
            return accessType;
        }

        void exit() {
            if (this.stack.size() <= this.minSize) {
                throw new DataSetException("Invalid dataset call stack for dataset " + DefaultDatasetRuntimeContext.this.datasetId + ". Potentially caused by illegal manipulation of callstack");
            }
            this.stack.removeLast();
        }
    }

    /* loaded from: input_file:io/cdap/cdap/data2/dataset2/DefaultDatasetRuntimeContext$DatasetAccessRecorder.class */
    public interface DatasetAccessRecorder {
        void recordLineage(AccessType accessType);

        void emitAudit(AccessType accessType);
    }

    public static <T> T execute(AuthorizationEnforcer authorizationEnforcer, DatasetAccessRecorder datasetAccessRecorder, Principal principal, DatasetId datasetId, @Nullable Class<? extends Annotation> cls, Callable<T> callable) throws Exception {
        Cancellable context = setContext(new DefaultDatasetRuntimeContext(authorizationEnforcer, datasetAccessRecorder, principal, datasetId, cls));
        try {
            T call = callable.call();
            context.cancel();
            return call;
        } catch (Throwable th) {
            context.cancel();
            throw th;
        }
    }

    private DefaultDatasetRuntimeContext(AuthorizationEnforcer authorizationEnforcer, DatasetAccessRecorder datasetAccessRecorder, Principal principal, DatasetId datasetId, @Nullable Class<? extends Annotation> cls) {
        this.enforcer = authorizationEnforcer;
        this.accessRecorder = datasetAccessRecorder;
        this.principal = principal;
        this.datasetId = datasetId;
        this.constructorDefaultAnnotation = cls;
    }

    public void onMethodEntry(boolean z, @Nullable Class<? extends Annotation> cls) {
        CallStack callStack = this.callStack.get();
        AccessInfo accessInfo = UNKNOWN_ACCESS_INFO;
        if (cls == null && z) {
            cls = this.constructorDefaultAnnotation;
        }
        if (cls != null) {
            accessInfo = ANNOTATION_TO_ACCESS_INFO.get(cls);
            if (accessInfo == null) {
                throw new DataSetException("Unsupported annotation " + cls + " on dataset " + this.datasetId);
            }
        }
        try {
            this.enforcer.enforce(this.datasetId, this.principal, accessInfo.getActions());
            recordAccess(callStack.enter(accessInfo.getAccessType()), accessInfo.getAccessType());
        } catch (Exception e) {
            throw new DataSetException("The principal " + this.principal + " is not authorized to access " + this.datasetId + " for operation types " + accessInfo.getActions(), e);
        }
    }

    public void onMethodExit() {
        this.callStack.get().exit();
    }

    public void close() {
        this.callStack.remove();
    }

    private void recordAccess(AccessType accessType, AccessType accessType2) {
        if (!this.lineageRecorded[accessType.ordinal()]) {
            this.accessRecorder.recordLineage(accessType);
            this.lineageRecorded[accessType.ordinal()] = true;
        }
        if (this.auditRecorded[accessType2.ordinal()]) {
            return;
        }
        this.accessRecorder.emitAudit(accessType2);
        this.auditRecorded[accessType2.ordinal()] = true;
    }
}
