package alluxio.security.authentication;

import alluxio.RuntimeConstants;
import alluxio.conf.AlluxioConfiguration;
import alluxio.conf.PropertyKey;
import alluxio.util.CommonUtils;
import com.google.common.base.Splitter;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import javax.annotation.concurrent.ThreadSafe;
import javax.security.sasl.AuthenticationException;

@ThreadSafe
/* loaded from: input_file:alluxio/security/authentication/ImpersonationAuthenticator.class */
public final class ImpersonationAuthenticator {
    public static final String WILDCARD = "*";
    private static final Splitter SPLITTER = Splitter.on(',').trimResults().omitEmptyStrings();
    private final Map<String, Set<String>> mImpersonationGroups = new HashMap();
    private final Map<String, Set<String>> mImpersonationUsers = new HashMap();
    private AlluxioConfiguration mConfiguration;

    public ImpersonationAuthenticator(AlluxioConfiguration alluxioConfiguration) {
        this.mConfiguration = alluxioConfiguration;
        for (PropertyKey propertyKey : alluxioConfiguration.keySet()) {
            Matcher match = PropertyKey.Template.MASTER_IMPERSONATION_GROUPS_OPTION.match(propertyKey.getName());
            if (match.matches()) {
                String group = match.group(1);
                String str = (String) alluxioConfiguration.getOrDefault(propertyKey, null);
                if (group != null) {
                    this.mImpersonationGroups.put(group, Sets.newHashSet(SPLITTER.split(str)));
                }
            }
            Matcher match2 = PropertyKey.Template.MASTER_IMPERSONATION_USERS_OPTION.match(propertyKey.getName());
            if (match2.matches()) {
                String group2 = match2.group(1);
                String str2 = (String) alluxioConfiguration.getOrDefault(propertyKey, null);
                if (group2 != null) {
                    this.mImpersonationUsers.put(group2, Sets.newHashSet(SPLITTER.split(str2)));
                }
            }
        }
    }

    public void authenticate(String str, String str2) throws AuthenticationException {
        if (str2 == null || str.equals(str2)) {
            return;
        }
        Set<String> set = this.mImpersonationUsers.get(str);
        Set<String> set2 = this.mImpersonationGroups.get(str);
        if (set == null && set2 == null) {
            throw new AuthenticationException(String.format("Failed to authenticate client user=\"%s\" connecting to Alluxio server and impersonating as impersonationUser=\"%s\" to access Alluxio file system. User \"%s\" is not configured to allow any impersonation. Please read the guide to configure impersonation at %s", str, str2, str, RuntimeConstants.ALLUXIO_SECURITY_DOCS_URL));
        }
        if (set == null || !(set.contains("*") || set.contains(str2))) {
            if (set2 != null) {
                if (set2.contains("*")) {
                    return;
                }
                try {
                    Iterator<String> it = CommonUtils.getGroups(str2, this.mConfiguration).iterator();
                    while (it.hasNext()) {
                        if (set2.contains(it.next())) {
                            return;
                        }
                    }
                } catch (IOException e) {
                    throw new AuthenticationException(String.format("Failed to authenticate client user=\"%s\" connecting to Alluxio master and impersonating as impersonationUser=\"%s\" to access Alluxio file system: Failed to get groups that impersonationUser=\"%s\" belongs to.", str, str2, str2), e);
                }
            }
            throw new AuthenticationException(String.format("Failed to authenticate client user=\"%s\" connecting to Alluxio master and impersonating as impersonationUser=\"%s\" to access Alluxio file system. user=\"%s\" is not configured to impersonate as impersonationUser=\"%s\".Please read the guide to configure impersonation at %s", str, str2, str, str2, RuntimeConstants.ALLUXIO_SECURITY_DOCS_URL));
        }
    }
}
