package org.apache.pulsar.broker.authorization;

import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.pulsar.broker.PulsarServerException;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.resources.PulsarResources;
import org.apache.pulsar.shade.javax.ws.rs.core.Response;
import org.apache.pulsar.shade.org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.shade.org.apache.pulsar.common.naming.NamespaceName;
import org.apache.pulsar.shade.org.apache.pulsar.common.naming.TopicName;
import org.apache.pulsar.shade.org.apache.pulsar.common.policies.data.AuthAction;
import org.apache.pulsar.shade.org.apache.pulsar.common.policies.data.NamespaceOperation;
import org.apache.pulsar.shade.org.apache.pulsar.common.policies.data.PolicyName;
import org.apache.pulsar.shade.org.apache.pulsar.common.policies.data.PolicyOperation;
import org.apache.pulsar.shade.org.apache.pulsar.common.policies.data.TenantInfo;
import org.apache.pulsar.shade.org.apache.pulsar.common.policies.data.TenantOperation;
import org.apache.pulsar.shade.org.apache.pulsar.common.policies.data.TopicOperation;
import org.apache.pulsar.shade.org.apache.pulsar.common.util.FutureUtil;
import org.apache.pulsar.shade.org.apache.pulsar.common.util.RestException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/broker/authorization/AuthorizationService.class */
public class AuthorizationService {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationService.class);
    private final AuthorizationProvider provider;
    private final ServiceConfiguration conf;

    public AuthorizationService(ServiceConfiguration serviceConfiguration, PulsarResources pulsarResources) throws PulsarServerException {
        this.conf = serviceConfiguration;
        try {
            String authorizationProvider = serviceConfiguration.getAuthorizationProvider();
            if (!StringUtils.isNotBlank(authorizationProvider)) {
                throw new PulsarServerException("No authorization providers are present.");
            }
            this.provider = (AuthorizationProvider) Class.forName(authorizationProvider).getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
            this.provider.initialize(serviceConfiguration, pulsarResources);
            log.info("{} has been loaded.", authorizationProvider);
        } catch (PulsarServerException e) {
            throw e;
        } catch (Throwable th) {
            throw new PulsarServerException("Failed to load an authorization provider.", th);
        }
    }

    public CompletableFuture<Boolean> isSuperUser(String str, AuthenticationDataSource authenticationDataSource) {
        return this.provider.isSuperUser(str, authenticationDataSource, this.conf);
    }

    public CompletableFuture<Boolean> isTenantAdmin(String str, String str2, TenantInfo tenantInfo, AuthenticationDataSource authenticationDataSource) {
        return this.provider.isTenantAdmin(str, str2, tenantInfo, authenticationDataSource);
    }

    public CompletableFuture<Void> grantPermissionAsync(NamespaceName namespaceName, Set<AuthAction> set, String str, String str2) {
        return this.provider.grantPermissionAsync(namespaceName, set, str, str2);
    }

    public CompletableFuture<Void> grantSubscriptionPermissionAsync(NamespaceName namespaceName, String str, Set<String> set, String str2) {
        return this.provider.grantSubscriptionPermissionAsync(namespaceName, str, set, str2);
    }

    public CompletableFuture<Void> revokeSubscriptionPermissionAsync(NamespaceName namespaceName, String str, String str2, String str3) {
        return this.provider.revokeSubscriptionPermissionAsync(namespaceName, str, str2, str3);
    }

    public CompletableFuture<Void> grantPermissionAsync(TopicName topicName, Set<AuthAction> set, String str, String str2) {
        return this.provider.grantPermissionAsync(topicName, set, str, str2);
    }

    public CompletableFuture<Boolean> canProduceAsync(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource) {
        return !this.conf.isAuthorizationEnabled() ? CompletableFuture.completedFuture(true) : this.provider.isSuperUser(str, authenticationDataSource, this.conf).thenComposeAsync(bool -> {
            return bool.booleanValue() ? CompletableFuture.completedFuture(true) : this.provider.canProduceAsync(topicName, str, authenticationDataSource);
        });
    }

    public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource, String str2) {
        return !this.conf.isAuthorizationEnabled() ? CompletableFuture.completedFuture(true) : this.provider.isSuperUser(str, authenticationDataSource, this.conf).thenComposeAsync(bool -> {
            return bool.booleanValue() ? CompletableFuture.completedFuture(true) : this.provider.canConsumeAsync(topicName, str, authenticationDataSource, str2);
        });
    }

    public boolean canProduce(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource) throws Exception {
        try {
            return canProduceAsync(topicName, str, authenticationDataSource).get(this.conf.getMetadataStoreOperationTimeoutSeconds(), TimeUnit.SECONDS).booleanValue();
        } catch (InterruptedException e) {
            log.warn("Time-out {} sec while checking authorization on {} ", Integer.valueOf(this.conf.getMetadataStoreOperationTimeoutSeconds()), topicName);
            throw e;
        } catch (Exception e2) {
            log.warn("Producer-client  with Role - {} failed to get permissions for topic - {}. {}", new Object[]{str, topicName, e2.getMessage()});
            throw e2;
        }
    }

    public boolean canConsume(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource, String str2) throws Exception {
        try {
            return canConsumeAsync(topicName, str, authenticationDataSource, str2).get(this.conf.getMetadataStoreOperationTimeoutSeconds(), TimeUnit.SECONDS).booleanValue();
        } catch (InterruptedException e) {
            log.warn("Time-out {} sec while checking authorization on {} ", Integer.valueOf(this.conf.getMetadataStoreOperationTimeoutSeconds()), topicName);
            throw e;
        } catch (Exception e2) {
            log.warn("Consumer-client  with Role - {} failed to get permissions for topic - {}. {}", new Object[]{str, topicName, e2.getMessage()});
            throw e2;
        }
    }

    public boolean canLookup(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource) throws Exception {
        try {
            return canLookupAsync(topicName, str, authenticationDataSource).get(this.conf.getMetadataStoreOperationTimeoutSeconds(), TimeUnit.SECONDS).booleanValue();
        } catch (InterruptedException e) {
            log.warn("Time-out {} sec while checking authorization on {} ", Integer.valueOf(this.conf.getMetadataStoreOperationTimeoutSeconds()), topicName);
            throw e;
        } catch (Exception e2) {
            log.warn("Role - {} failed to get lookup permissions for topic - {}. {}", new Object[]{str, topicName, e2.getMessage()});
            throw e2;
        }
    }

    public CompletableFuture<Boolean> canLookupAsync(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource) {
        return !this.conf.isAuthorizationEnabled() ? CompletableFuture.completedFuture(true) : this.provider.isSuperUser(str, authenticationDataSource, this.conf).thenComposeAsync(bool -> {
            return bool.booleanValue() ? CompletableFuture.completedFuture(true) : this.provider.canLookupAsync(topicName, str, authenticationDataSource);
        });
    }

    public CompletableFuture<Boolean> allowFunctionOpsAsync(NamespaceName namespaceName, String str, AuthenticationDataSource authenticationDataSource) {
        return this.provider.allowFunctionOpsAsync(namespaceName, str, authenticationDataSource);
    }

    public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName namespaceName, String str, AuthenticationDataSource authenticationDataSource) {
        return this.provider.allowSourceOpsAsync(namespaceName, str, authenticationDataSource);
    }

    public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName namespaceName, String str, AuthenticationDataSource authenticationDataSource) {
        return this.provider.allowSinkOpsAsync(namespaceName, str, authenticationDataSource);
    }

    private static void validateOriginalPrincipal(Set<String> set, String str, String str2) {
        if (set.contains(str)) {
            if (StringUtils.isBlank(str2)) {
                log.warn("Original principal empty in request authenticated as {}", str);
                throw new RestException(Response.Status.UNAUTHORIZED, "Original principal cannot be empty if the request is via proxy.");
            }
            if (set.contains(str2)) {
                log.warn("Original principal {} cannot be a proxy role ({})", str2, set);
                throw new RestException(Response.Status.UNAUTHORIZED, "Original principal cannot be a proxy role");
            }
        }
    }

    private boolean isProxyRole(String str) {
        return str != null && this.conf.getProxyRoles().contains(str);
    }

    public CompletableFuture<Boolean> allowTenantOperationAsync(String str, TenantOperation tenantOperation, String str2, AuthenticationDataSource authenticationDataSource) {
        return !this.conf.isAuthorizationEnabled() ? CompletableFuture.completedFuture(true) : this.provider.allowTenantOperationAsync(str, str2, tenantOperation, authenticationDataSource);
    }

    public CompletableFuture<Boolean> allowTenantOperationAsync(String str, TenantOperation tenantOperation, String str2, String str3, AuthenticationDataSource authenticationDataSource) {
        validateOriginalPrincipal(this.conf.getProxyRoles(), str3, str2);
        return isProxyRole(str3) ? allowTenantOperationAsync(str, tenantOperation, str3, authenticationDataSource).thenCombine((CompletionStage) allowTenantOperationAsync(str, tenantOperation, str2, authenticationDataSource), (bool, bool2) -> {
            return Boolean.valueOf(bool.booleanValue() && bool2.booleanValue());
        }) : allowTenantOperationAsync(str, tenantOperation, str3, authenticationDataSource);
    }

    public boolean allowTenantOperation(String str, TenantOperation tenantOperation, String str2, String str3, AuthenticationDataSource authenticationDataSource) {
        try {
            return allowTenantOperationAsync(str, tenantOperation, str2, str3, authenticationDataSource).get().booleanValue();
        } catch (InterruptedException e) {
            throw new RestException(e);
        } catch (ExecutionException e2) {
            throw new RestException(e2.getCause());
        }
    }

    public CompletableFuture<Boolean> allowNamespaceOperationAsync(NamespaceName namespaceName, NamespaceOperation namespaceOperation, String str, AuthenticationDataSource authenticationDataSource) {
        return !this.conf.isAuthorizationEnabled() ? CompletableFuture.completedFuture(true) : this.provider.allowNamespaceOperationAsync(namespaceName, str, namespaceOperation, authenticationDataSource);
    }

    public CompletableFuture<Boolean> allowNamespaceOperationAsync(NamespaceName namespaceName, NamespaceOperation namespaceOperation, String str, String str2, AuthenticationDataSource authenticationDataSource) {
        validateOriginalPrincipal(this.conf.getProxyRoles(), str2, str);
        return isProxyRole(str2) ? allowNamespaceOperationAsync(namespaceName, namespaceOperation, str2, authenticationDataSource).thenCombine((CompletionStage) allowNamespaceOperationAsync(namespaceName, namespaceOperation, str, authenticationDataSource), (bool, bool2) -> {
            return Boolean.valueOf(bool.booleanValue() && bool2.booleanValue());
        }) : allowNamespaceOperationAsync(namespaceName, namespaceOperation, str2, authenticationDataSource);
    }

    public CompletableFuture<Boolean> allowNamespacePolicyOperationAsync(NamespaceName namespaceName, PolicyName policyName, PolicyOperation policyOperation, String str, AuthenticationDataSource authenticationDataSource) {
        return !this.conf.isAuthorizationEnabled() ? CompletableFuture.completedFuture(true) : this.provider.allowNamespacePolicyOperationAsync(namespaceName, policyName, policyOperation, str, authenticationDataSource);
    }

    public CompletableFuture<Boolean> allowNamespacePolicyOperationAsync(NamespaceName namespaceName, PolicyName policyName, PolicyOperation policyOperation, String str, String str2, AuthenticationDataSource authenticationDataSource) {
        validateOriginalPrincipal(this.conf.getProxyRoles(), str2, str);
        return isProxyRole(str2) ? allowNamespacePolicyOperationAsync(namespaceName, policyName, policyOperation, str2, authenticationDataSource).thenCombine((CompletionStage) allowNamespacePolicyOperationAsync(namespaceName, policyName, policyOperation, str, authenticationDataSource), (bool, bool2) -> {
            return Boolean.valueOf(bool.booleanValue() && bool2.booleanValue());
        }) : allowNamespacePolicyOperationAsync(namespaceName, policyName, policyOperation, str2, authenticationDataSource);
    }

    public boolean allowNamespacePolicyOperation(NamespaceName namespaceName, PolicyName policyName, PolicyOperation policyOperation, String str, String str2, AuthenticationDataSource authenticationDataSource) {
        try {
            return allowNamespacePolicyOperationAsync(namespaceName, policyName, policyOperation, str, str2, authenticationDataSource).get().booleanValue();
        } catch (InterruptedException e) {
            throw new RestException(e);
        } catch (ExecutionException e2) {
            throw new RestException(e2.getCause());
        }
    }

    public CompletableFuture<Boolean> allowTopicPolicyOperationAsync(TopicName topicName, PolicyName policyName, PolicyOperation policyOperation, String str, AuthenticationDataSource authenticationDataSource) {
        return !this.conf.isAuthorizationEnabled() ? CompletableFuture.completedFuture(true) : this.provider.allowTopicPolicyOperationAsync(topicName, str, policyName, policyOperation, authenticationDataSource);
    }

    public CompletableFuture<Boolean> allowTopicPolicyOperationAsync(TopicName topicName, PolicyName policyName, PolicyOperation policyOperation, String str, String str2, AuthenticationDataSource authenticationDataSource) {
        try {
            validateOriginalPrincipal(this.conf.getProxyRoles(), str2, str);
            return isProxyRole(str2) ? allowTopicPolicyOperationAsync(topicName, policyName, policyOperation, str2, authenticationDataSource).thenCombine((CompletionStage) allowTopicPolicyOperationAsync(topicName, policyName, policyOperation, str, authenticationDataSource), (bool, bool2) -> {
                return Boolean.valueOf(bool.booleanValue() && bool2.booleanValue());
            }) : allowTopicPolicyOperationAsync(topicName, policyName, policyOperation, str2, authenticationDataSource);
        } catch (RestException e) {
            return FutureUtil.failedFuture(e);
        }
    }

    public Boolean allowTopicPolicyOperation(TopicName topicName, PolicyName policyName, PolicyOperation policyOperation, String str, String str2, AuthenticationDataSource authenticationDataSource) {
        try {
            return allowTopicPolicyOperationAsync(topicName, policyName, policyOperation, str, str2, authenticationDataSource).get();
        } catch (InterruptedException e) {
            throw new RestException(e);
        } catch (ExecutionException e2) {
            throw new RestException(e2.getCause());
        }
    }

    public CompletableFuture<Boolean> allowTopicOperationAsync(TopicName topicName, TopicOperation topicOperation, String str, AuthenticationDataSource authenticationDataSource) {
        if (log.isDebugEnabled()) {
            log.debug("Check if role {} is allowed to execute topic operation {} on topic {}", new Object[]{str, topicOperation, topicName});
        }
        if (!this.conf.isAuthorizationEnabled()) {
            return CompletableFuture.completedFuture(true);
        }
        CompletableFuture<Boolean> allowTopicOperationAsync = this.provider.allowTopicOperationAsync(topicName, str, topicOperation, authenticationDataSource);
        return log.isDebugEnabled() ? allowTopicOperationAsync.whenComplete((bool, th) -> {
            if (th != null) {
                log.debug("Failed to check if topic operation {} on topic {} is allowed: role = {}", new Object[]{topicOperation, topicName, str, th});
            } else if (bool.booleanValue()) {
                log.debug("Topic operation {} on topic {} is allowed: role = {}", new Object[]{topicOperation, topicName, str});
            } else {
                log.debug("Topic operation {} on topic {} is NOT allowed: role = {}", new Object[]{topicOperation, topicName, str});
            }
        }) : allowTopicOperationAsync;
    }

    public CompletableFuture<Boolean> allowTopicOperationAsync(TopicName topicName, TopicOperation topicOperation, String str, String str2, AuthenticationDataSource authenticationDataSource) {
        validateOriginalPrincipal(this.conf.getProxyRoles(), str2, str);
        return isProxyRole(str2) ? allowTopicOperationAsync(topicName, topicOperation, str2, authenticationDataSource).thenCombine((CompletionStage) allowTopicOperationAsync(topicName, topicOperation, str, authenticationDataSource), (bool, bool2) -> {
            return Boolean.valueOf(bool.booleanValue() && bool2.booleanValue());
        }) : allowTopicOperationAsync(topicName, topicOperation, str2, authenticationDataSource);
    }

    public Boolean allowTopicOperation(TopicName topicName, TopicOperation topicOperation, String str, String str2, AuthenticationDataSource authenticationDataSource) {
        try {
            return allowTopicOperationAsync(topicName, topicOperation, str, str2, authenticationDataSource).get();
        } catch (InterruptedException e) {
            throw new RestException(e);
        } catch (ExecutionException e2) {
            throw new RestException(e2.getCause());
        }
    }
}
