package org.openmetadata.service.security;

import java.util.List;
import javax.ws.rs.core.SecurityContext;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.schema.type.EntityReference;
import org.openmetadata.schema.type.Permission;
import org.openmetadata.schema.type.ResourcePermission;
import org.openmetadata.service.OpenMetadataApplicationConfig;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.security.policyevaluator.OperationContext;
import org.openmetadata.service.security.policyevaluator.PolicyEvaluator;
import org.openmetadata.service.security.policyevaluator.ResourceContextInterface;
import org.openmetadata.service.security.policyevaluator.SubjectContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/security/DefaultAuthorizer.class */
public class DefaultAuthorizer implements Authorizer {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizer.class);

    @Override // org.openmetadata.service.security.Authorizer
    public void init(OpenMetadataApplicationConfig openMetadataApplicationConfig) {
        LOG.info("Initializing DefaultAuthorizer with config {}", openMetadataApplicationConfig.getAuthorizerConfiguration());
    }

    @Override // org.openmetadata.service.security.Authorizer
    public List<ResourcePermission> listPermissions(SecurityContext securityContext, String str) {
        SubjectContext changeSubjectContext = changeSubjectContext(str, getSubjectContext(securityContext));
        return changeSubjectContext.isAdmin() ? PolicyEvaluator.getResourcePermissions(Permission.Access.ALLOW) : PolicyEvaluator.listPermission(changeSubjectContext);
    }

    @Override // org.openmetadata.service.security.Authorizer
    public ResourcePermission getPermission(SecurityContext securityContext, String str, String str2) {
        SubjectContext changeSubjectContext = changeSubjectContext(str, getSubjectContext(securityContext));
        return changeSubjectContext.isAdmin() ? PolicyEvaluator.getResourcePermission(str2, Permission.Access.ALLOW) : PolicyEvaluator.getPermission(changeSubjectContext, str2);
    }

    @Override // org.openmetadata.service.security.Authorizer
    public ResourcePermission getPermission(SecurityContext securityContext, String str, ResourceContextInterface resourceContextInterface) {
        SubjectContext changeSubjectContext = changeSubjectContext(str, getSubjectContext(securityContext));
        return changeSubjectContext.isAdmin() ? PolicyEvaluator.getResourcePermission(resourceContextInterface.getResource(), Permission.Access.ALLOW) : PolicyEvaluator.getPermission(changeSubjectContext, resourceContextInterface);
    }

    @Override // org.openmetadata.service.security.Authorizer
    public void authorize(SecurityContext securityContext, OperationContext operationContext, ResourceContextInterface resourceContextInterface) {
        SubjectContext subjectContext = getSubjectContext(securityContext);
        if (subjectContext.isAdmin() || isReviewer(resourceContextInterface, subjectContext)) {
            return;
        }
        PolicyEvaluator.hasPermission(subjectContext, resourceContextInterface, operationContext);
    }

    @Override // org.openmetadata.service.security.Authorizer
    public void authorizeAdmin(SecurityContext securityContext) {
        if (!getSubjectContext(securityContext).isAdmin()) {
            throw new AuthorizationException(CatalogExceptionMessage.notAdmin(securityContext.getUserPrincipal().getName()));
        }
    }

    @Override // org.openmetadata.service.security.Authorizer
    public void authorizeAdminOrBot(SecurityContext securityContext) {
        SubjectContext subjectContext = getSubjectContext(securityContext);
        if (!subjectContext.isAdmin() && !subjectContext.isBot()) {
            throw new AuthorizationException(CatalogExceptionMessage.notAdmin(securityContext.getUserPrincipal().getName()));
        }
    }

    @Override // org.openmetadata.service.security.Authorizer
    public boolean shouldMaskPasswords(SecurityContext securityContext) {
        return !getSubjectContext(securityContext).isBot();
    }

    @Override // org.openmetadata.service.security.Authorizer
    public boolean authorizePII(SecurityContext securityContext, EntityReference entityReference) {
        SubjectContext subjectContext = getSubjectContext(securityContext);
        return subjectContext.isAdmin() || subjectContext.isBot() || subjectContext.isOwner(entityReference);
    }

    public static SubjectContext getSubjectContext(SecurityContext securityContext) {
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            throw new AuthenticationException("No principal in security context");
        }
        return SubjectContext.getSubjectContext(SecurityUtil.getUserName(securityContext));
    }

    private SubjectContext changeSubjectContext(String str, SubjectContext subjectContext) {
        if (str == null || subjectContext.user().getName().equals(str)) {
            return subjectContext;
        }
        if (!subjectContext.isAdmin()) {
            throw new AuthorizationException(CatalogExceptionMessage.notAdmin(subjectContext.user().getName()));
        }
        LOG.debug("Changing subject context from logged-in user to {}", str);
        return SubjectContext.getSubjectContext(str);
    }

    private boolean isReviewer(ResourceContextInterface resourceContextInterface, SubjectContext subjectContext) {
        if (resourceContextInterface.getEntity() == null) {
            return false;
        }
        String name = subjectContext.user().getName();
        List reviewers = resourceContextInterface.getEntity().getReviewers();
        return !CommonUtil.nullOrEmpty(reviewers) && reviewers.stream().anyMatch(entityReference -> {
            return name.equals(entityReference.getName()) || name.equals(entityReference.getFullyQualifiedName());
        });
    }
}
