package com.linkedin.venice.acl.handler;

import com.linkedin.venice.acl.AclCreationDeletionListener;
import com.linkedin.venice.acl.AclException;
import com.linkedin.venice.acl.DynamicAccessController;
import com.linkedin.venice.exceptions.VeniceNoStoreException;
import com.linkedin.venice.meta.QueryAction;
import com.linkedin.venice.meta.ReadOnlyStoreRepository;
import com.linkedin.venice.utils.NettyUtils;
import com.linkedin.venice.utils.SslUtils;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.ReferenceCountUtil;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.util.Supplier;

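/**
 * Netty inbound handler that enforces per-store ACLs on HTTP requests.
 *
 * <p>Every request is expected to carry a client X.509 certificate on the TLS session (see
 * {@link #extractClientCert}); the certificate is passed to the {@link DynamicAccessController}
 * together with the store name taken from the request path and the HTTP method. Requests are
 * either forwarded down the pipeline or answered directly with an error status.
 *
 * <p>Path handling: the request path is split on {@code /}; segment 1 is the action and segment 2
 * the store name. Requests whose action is {@code metadata} bypass the ACL check, as do requests
 * for stores flagged as system stores.
 *
 * <p>The handler is {@link ChannelHandler.Sharable}: it holds only the two injected collaborators
 * and no per-channel state.
 */
@ChannelHandler.Sharable
public class StoreAclHandler extends SimpleChannelInboundHandler<HttpRequest> {
    private static final Logger LOGGER = LogManager.getLogger(StoreAclHandler.class);

    /** Path segment that marks a metadata request, which is exempt from ACL enforcement. */
    private static final String METADATA_PATH_SEGMENT = QueryAction.METADATA.toString().toLowerCase(Locale.ROOT);

    private static final String ACCESS_DENIED_MESSAGE =
        "Access denied!\nIf you are the store owner, add this application (or your own username for Venice shell client) to the store ACL.\nOtherwise, ask the store owner for read permission.";

    private final ReadOnlyStoreRepository metadataRepository;
    private final DynamicAccessController accessController;

    /**
     * Creates the handler, initialises the access controller with the names of all stores currently
     * known to the repository, and registers a listener so that ACLs follow store creation/deletion.
     *
     * @param dynamicAccessController the access controller; {@code init(...)} returns the instance this
     *                                handler consults afterwards
     * @param readOnlyStoreRepository source of store metadata (store existence, system-store flag)
     */
    public StoreAclHandler(DynamicAccessController dynamicAccessController, ReadOnlyStoreRepository readOnlyStoreRepository) {
        this.metadataRepository = readOnlyStoreRepository;
        List<String> storeNames = readOnlyStoreRepository.getAllStores().stream()
            .map(store -> store.getName())
            .collect(Collectors.toList());
        this.accessController = dynamicAccessController.init(storeNames);
        this.metadataRepository.registerStoreDataChangedListener(new AclCreationDeletionListener(dynamicAccessController));
    }

    /**
     * Maps the raw path segment to the store name used for metadata lookup and ACL checks.
     * The default is the identity; subclasses may override (e.g. to strip a prefix).
     *
     * @param str the second path segment of the request URI
     * @return the store name to authorise against
     */
    protected String extractStoreName(String str) {
        return str;
    }

    /**
     * Returns the client certificate of the TLS session for this channel.
     *
     * <p>The {@link SslHandler} is looked up on the channel's own pipeline first and, if absent, on the
     * parent channel's pipeline.
     *
     * @param channelHandlerContext context of the channel that received the request
     * @return the peer's leaf certificate as an {@link X509Certificate}
     * @throws SSLPeerUnverifiedException if the peer did not present a certificate, or if no SSL handler
     *                                    is installed on either pipeline (previously a NullPointerException)
     */
    protected X509Certificate extractClientCert(ChannelHandlerContext channelHandlerContext) throws SSLPeerUnverifiedException {
        SslHandler sslHandler = channelHandlerContext.pipeline().get(SslHandler.class);
        if (sslHandler == null && channelHandlerContext.channel().parent() != null) {
            sslHandler = channelHandlerContext.channel().parent().pipeline().get(SslHandler.class);
        }
        if (sslHandler == null) {
            // Fail closed with the declared exception type rather than an NPE from sslHandler.engine().
            throw new SSLPeerUnverifiedException("No SslHandler found on channel or parent channel; client certificate unavailable");
        }
        return SslUtils.getX509Certificate(sslHandler.engine().getSession().getPeerCertificates()[0]);
    }

    /**
     * Authorises one request and either forwards it or writes an error response.
     *
     * <ul>
     *   <li>Malformed URI or fewer than three path segments: {@code 400 Bad Request}.</li>
     *   <li>Metadata action or system store: forwarded without an ACL check.</li>
     *   <li>Unknown store: {@code 400 Bad Request}.</li>
     *   <li>Otherwise the access controller decides; see {@link #enforceAcl}.</li>
     * </ul>
     *
     * @param channelHandlerContext the channel context
     * @param httpRequest           the decoded request (retained before being forwarded)
     * @throws SSLPeerUnverifiedException if no client certificate is available
     */
    @Override
    public void channelRead0(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws SSLPeerUnverifiedException {
        X509Certificate clientCert = extractClientCert(channelHandlerContext);
        String uri = httpRequest.uri();
        String[] segments = pathSegments(uri);
        if (segments.length < 3) {
            sendResponse(channelHandlerContext, HttpResponseStatus.BAD_REQUEST, "Invalid request  uri: " + uri);
            return;
        }
        if (METADATA_PATH_SEGMENT.equals(segments[1])) {
            forward(channelHandlerContext, httpRequest);
            return;
        }
        String storeName = extractStoreName(segments[2]);
        String method = httpRequest.method().name();
        try {
            if (this.metadataRepository.getStoreOrThrow(storeName).isSystemStore()) {
                forward(channelHandlerContext, httpRequest);
            } else {
                enforceAcl(channelHandlerContext, httpRequest, clientCert, storeName, method);
            }
        } catch (VeniceNoStoreException e) {
            LOGGER.debug("Requested store does not exist: {} requested {} {}", channelHandlerContext.channel().remoteAddress(), method, httpRequest.uri());
            sendResponse(channelHandlerContext, HttpResponseStatus.BAD_REQUEST, "Invalid Venice store name: " + storeName);
        }
    }

    /**
     * Consults the access controller for a non-system store and responds accordingly.
     *
     * <p>Denied requests get {@code 403} when the controller is fail-open or an ACL exists for the
     * store, and {@code 401} with an "ACL not found" body otherwise. An {@link AclException} is
     * resolved by the controller's fail-open flag: forward when fail-open, {@code 403} with an empty
     * body when fail-closed.
     */
    private void enforceAcl(ChannelHandlerContext ctx, HttpRequest request, X509Certificate clientCert, String storeName, String method) {
        try {
            if (this.accessController.hasAccess(clientCert, storeName, method)) {
                forward(ctx, request);
                return;
            }
            String requestDescription = describeRequest(ctx, request, method);
            if (this.accessController.isFailOpen() || this.accessController.hasAcl(storeName)) {
                LOGGER.debug("Unauthorized access rejected: {}", requestDescription);
                sendResponse(ctx, HttpResponseStatus.FORBIDDEN, ACCESS_DENIED_MESSAGE);
            } else {
                LOGGER.warn("Requested store does not have ACL: {}", requestDescription);
                // Suppliers keep the (potentially large) store listings lazy unless DEBUG is enabled.
                LOGGER.debug("Existing stores: {}", new Supplier<?>[] { () -> this.metadataRepository.getAllStores().stream()
                    .map(store -> store.getName())
                    .sorted()
                    .collect(Collectors.toList()) });
                LOGGER.debug("Access-controlled stores: {}", new Supplier<?>[] { () -> this.accessController.getAccessControlledResources().stream()
                    .sorted()
                    .collect(Collectors.toList()) });
                sendResponse(ctx, HttpResponseStatus.UNAUTHORIZED,
                    "ACL not found!\nEither it has not been created, or can not be loaded.\nPlease create the ACL, or report the error if you know for sure that ACL exists for this store: " + storeName);
            }
        } catch (AclException e) {
            String requestDescription = describeRequest(ctx, request, method);
            if (this.accessController.isFailOpen()) {
                LOGGER.warn("Exception occurred! Access granted: {} {}", requestDescription, e);
                forward(ctx, request);
            } else {
                LOGGER.warn("Exception occurred! Access rejected: {} {}", requestDescription, e);
                sendResponse(ctx, HttpResponseStatus.FORBIDDEN, "");
            }
        }
    }

    /**
     * Splits the request URI's path on {@code /}. A URI that cannot be parsed, or that has no path
     * component, yields an empty array so the caller treats it as a bad request instead of letting
     * {@link IllegalArgumentException} or a {@link NullPointerException} escape the handler.
     */
    private static String[] pathSegments(String uri) {
        String path;
        try {
            path = URI.create(uri).getPath();
        } catch (IllegalArgumentException e) {
            return new String[0];
        }
        return path == null ? new String[0] : path.split("/");
    }

    /** Retains the request (the base class releases it after {@code channelRead0}) and passes it on. */
    private static void forward(ChannelHandlerContext ctx, HttpRequest request) {
        ReferenceCountUtil.retain(request);
        ctx.fireChannelRead(request);
    }

    /** Writes {@code body} as a UTF-8 response with the given status and flushes it. */
    private static void sendResponse(ChannelHandlerContext ctx, HttpResponseStatus status, String body) {
        NettyUtils.setupResponseAndFlush(status, body.getBytes(StandardCharsets.UTF_8), false, ctx);
    }

    /** One-line description of who requested what, for log messages. */
    private static String describeRequest(ChannelHandlerContext ctx, HttpRequest request, String method) {
        return String.format("%s requested %s %s", ctx.channel().remoteAddress(), method, request.uri());
    }
}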
