package com.linkedin.venice.controller.server;

import com.linkedin.venice.acl.AclException;
import com.linkedin.venice.acl.DynamicAccessController;
import com.linkedin.venice.exceptions.VeniceException;
import java.security.cert.X509Certificate;
import java.util.Optional;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import spark.Request;

/* loaded from: input_file:com/linkedin/venice/controller/server/AbstractRoute.class */
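/**
 * Base class for controller routes that need to identify the caller from its TLS client
 * certificate and, when an access controller is configured, authorize the request against it.
 *
 * <p>Security-relevant behavior visible in this class:
 * <ul>
 *   <li>When no {@link DynamicAccessController} is configured, every authorization helper
 *       returns {@code true}; the checks are only enforced when ACLs are enabled.</li>
 *   <li>When ACLs are enabled, a request without a client certificate is rejected with a
 *       {@link VeniceException} raised by {@link #getCertificate(Request)}.</li>
 *   <li>An {@link AclException} raised during a check is treated as "access denied".</li>
 * </ul>
 */
public class AbstractRoute {
    /** Sentinel principal returned when the caller's identity cannot be established. */
    private static final String USER_UNKNOWN = "USER_UNKNOWN";
    /** Placeholder resource name used when the request carries no {@code store_name} parameter. */
    private static final String STORE_UNKNOWN = "STORE_UNKNOWN";
    private final boolean sslEnabled;
    private final Optional<DynamicAccessController> accessController;
    private static final Logger LOGGER = LogManager.getLogger(AbstractRoute.class);
    /** Checks the "GET" method on the store resource. */
    private static final ResourceAclCheck GET_ACCESS_TO_STORE =
            (cert, resource, controller) -> controller.hasAccess(cert, resource, "GET");
    /** Checks "Write" access on the topic resource. */
    private static final ResourceAclCheck WRITE_ACCESS_TO_TOPIC =
            (cert, resource, controller) -> controller.hasAccessToTopic(cert, resource, "Write");
    /** Checks "Read" access on the topic resource. */
    private static final ResourceAclCheck READ_ACCESS_TO_TOPIC =
            (cert, resource, controller) -> controller.hasAccessToTopic(cert, resource, "Read");

    /**
     * A single authorization question asked of the access controller for a given client
     * certificate and resource name.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @FunctionalInterface
    /* loaded from: input_file:com/linkedin/venice/controller/server/AbstractRoute$ResourceAclCheck.class */
    public interface ResourceAclCheck {
        boolean apply(X509Certificate x509Certificate, String str, DynamicAccessController dynamicAccessController) throws AclException;
    }

    /**
     * @param z whether SSL is enabled for this route
     * @param optional the access controller to consult; an empty value disables ACL enforcement
     */
    public AbstractRoute(boolean z, Optional<DynamicAccessController> optional) {
        this.sslEnabled = z;
        this.accessController = optional;
    }

    /**
     * Runs {@code resourceAclCheck} for the caller's certificate against the resource named by
     * the {@code store_name} query parameter.
     *
     * @return {@code true} when ACLs are disabled or the check passes; {@code false} when the
     *     check fails or throws {@link AclException}
     * @throws VeniceException if ACLs are enabled and the request has no usable client certificate
     */
    private boolean hasAccess(Request request, ResourceAclCheck resourceAclCheck) {
        if (!isAclEnabled()) {
            // No access controller configured: authorization is not enforced at all.
            return true;
        }
        X509Certificate certificate = getCertificate(request);
        // NOTE(review): this is null when the parameter is absent and is handed to the access
        // controller as-is; confirm every controller implementation denies a null resource.
        String storeName = request.queryParams("store_name");
        try {
            if (resourceAclCheck.apply(certificate, storeName, this.accessController.get())) {
                return true;
            }
            // The store name is request-controlled and is logged unmodified.
            // NOTE(review): confirm the log layout neutralizes line breaks in parameters.
            LOGGER.warn("Client {} [host:{} IP:{}] doesn't have access to store {}", certificate.getSubjectX500Principal().toString(), request.host(), request.ip(), storeName);
            return false;
        } catch (AclException e) {
            // Fail closed: an error while evaluating the ACL never grants access.
            LOGGER.error("Error while parsing certificate from client {} [host:{} IP:{}]", certificate.getSubjectX500Principal().toString(), request.host(), request.ip(), e);
            return false;
        }
    }

    /** Returns whether the caller may write to the topic named by {@code store_name}. */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean hasWriteAccessToTopic(Request request) {
        return hasAccess(request, WRITE_ACCESS_TO_TOPIC);
    }

    /** Returns whether the caller may read from the topic named by {@code store_name}. */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean hasReadAccessToTopic(Request request) {
        return hasAccess(request, READ_ACCESS_TO_TOPIC);
    }

    /**
     * Resolves an identifier for the caller.
     *
     * <p>Returns {@code USER_UNKNOWN} when SSL is disabled or when the access controller fails to
     * map the certificate. The sentinel is a plain string, so callers should treat it as "not
     * identified" rather than as an identity to authorize.
     *
     * @return the certificate's subject name when ACLs are disabled, otherwise the principal id
     *     computed by the access controller, or {@code USER_UNKNOWN}
     * @throws VeniceException if SSL is enabled and the request has no usable client certificate
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getPrincipalId(Request request) {
        if (!isSslEnabled()) {
            LOGGER.warn("SSL is not enabled. No certificate could be extracted from request.");
            return USER_UNKNOWN;
        }
        X509Certificate certificate = getCertificate(request);
        if (!isAclEnabled()) {
            return certificate.getSubjectX500Principal().getName();
        }
        try {
            return this.accessController.get().getPrincipalId(certificate);
        } catch (Exception e) {
            LOGGER.error("Error when retrieving principal Id from request", e);
            return USER_UNKNOWN;
        }
    }

    /** Returns whether the caller has "GET" access to the store named by {@code store_name}. */
    protected boolean hasAccessToStore(Request request) {
        return hasAccess(request, GET_ACCESS_TO_STORE);
    }

    /**
     * Returns whether the caller is on the access controller's allow list.
     *
     * <p>When ACLs are disabled this returns {@code true} for every caller. A missing
     * {@code store_name} parameter is replaced by {@code STORE_UNKNOWN}.
     *
     * @throws VeniceException if ACLs are enabled and the request has no usable client certificate
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAllowListUser(Request request) {
        if (!isAclEnabled()) {
            return true;
        }
        X509Certificate certificate = getCertificate(request);
        String storeName = request.queryParamOrDefault("store_name", STORE_UNKNOWN);
        return this.accessController.get().isAllowlistUsers(certificate, storeName, "GET");
    }

    /** Returns the SSL flag given at construction. */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isSslEnabled() {
        return this.sslEnabled;
    }

    /** Returns whether an access controller is configured, i.e. whether ACLs are enforced. */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAclEnabled() {
        return this.accessController.isPresent();
    }

    /**
     * Extracts the client certificate the servlet container attached to the request.
     *
     * <p>The first element of the {@code javax.servlet.request.X509Certificate} attribute is
     * returned; per the Servlet specification that is the client's own certificate. This method
     * does not validate the certificate itself.
     *
     * @throws VeniceException if the attribute is missing, is not a certificate array, or is empty
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static X509Certificate getCertificate(Request request) {
        Object attribute = request.raw().getAttribute("javax.servlet.request.X509Certificate");
        if (attribute == null) {
            throw new VeniceException("Client request doesn't contain certificate for store: " + request.queryParams("store_name"));
        }
        // Reject an unexpected attribute type or an empty chain with the same exception type as a
        // missing certificate, instead of surfacing ClassCastException or
        // ArrayIndexOutOfBoundsException from the cast and index below.
        if (!(attribute instanceof X509Certificate[]) || ((X509Certificate[]) attribute).length == 0) {
            throw new VeniceException("Client request contains a malformed or empty certificate chain for store: " + request.queryParams("store_name"));
        }
        return ((X509Certificate[]) attribute)[0];
    }
}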
