package co.cask.cdap.client;

import co.cask.cdap.api.Predicate;
import co.cask.cdap.api.annotation.Beta;
import co.cask.cdap.client.config.ClientConfig;
import co.cask.cdap.client.util.RESTClient;
import co.cask.cdap.common.FeatureDisabledException;
import co.cask.cdap.common.NotFoundException;
import co.cask.cdap.common.UnauthenticatedException;
import co.cask.cdap.common.conf.Constants;
import co.cask.cdap.proto.codec.EntityIdTypeAdapter;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.GrantRequest;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.RevokeRequest;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.RoleAlreadyExistsException;
import co.cask.cdap.security.spi.authorization.RoleNotFoundException;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import co.cask.common.http.HttpRequest;
import co.cask.common.http.HttpResponse;
import co.cask.common.http.ObjectResponse;
import com.google.common.reflect.TypeToken;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import java.io.IOException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.servlet.http.HttpServletResponse;

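/**
 * REST client for the authorization-management endpoints under {@link #AUTHORIZATION_BASE}:
 * granting and revoking privileges, listing privileges, and managing roles.
 *
 * <p>This class is <em>not</em> an enforcement point. Both {@code enforce} overloads and
 * {@link #createFilter(Principal)} throw {@link UnsupportedOperationException}, so code that
 * needs an access decision must not route it through this client; {@link #listPrivileges}
 * only reports what the server returns.
 *
 * <p>Every request carries the access token from the supplied {@link ClientConfig} and is sent
 * to the URL that config resolves.
 *
 * <p>NOTE(review): role names, principal types and principal names are interpolated into the
 * request path with {@code String.format} and no percent-encoding. A value containing
 * {@code '/'}, {@code '?'}, {@code '#'} or {@code '%'} changes which endpoint the request
 * addresses. Callers should validate these values before passing them in; confirm how the
 * server decodes path segments before adding encoding here.
 */
@Beta
public class AuthorizationClient extends AbstractAuthorizer {
    public static final String AUTHORIZATION_BASE = "security/authorization/";

    /** Gson instance that can (de)serialize {@link EntityId} values inside request/response bodies. */
    private static final Gson GSON =
        new GsonBuilder().registerTypeAdapter(EntityId.class, new EntityIdTypeAdapter()).create();
    private static final TypeToken<Set<Privilege>> TYPE_OF_PRIVILEGE_SET = new TypeToken<Set<Privilege>>() {
    };
    private static final TypeToken<Set<Role>> TYPE_OF_ROLE_SET = new TypeToken<Set<Role>>() {
    };

    private final RESTClient restClient;
    private final ClientConfig config;

    /**
     * Creates a client that sends requests through the given {@link RESTClient}.
     *
     * @param clientConfig supplies URL resolution and the access token attached to each request
     * @param rESTClient executes the HTTP requests
     */
    @Inject
    public AuthorizationClient(ClientConfig clientConfig, RESTClient rESTClient) {
        this.config = clientConfig;
        this.restClient = rESTClient;
    }

    /**
     * Creates a client with a new {@link RESTClient} built from the same config.
     *
     * @param clientConfig supplies URL resolution and the access token attached to each request
     */
    public AuthorizationClient(ClientConfig clientConfig) {
        this(clientConfig, new RESTClient(clientConfig));
    }

    /**
     * Not supported; delegates to the set-based overload, which always throws.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void enforce(EntityId entityId, Principal principal, Action action) throws Exception {
        enforce(entityId, principal, Collections.singleton(action));
    }

    /**
     * Not supported: this client performs no authorization checks.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void enforce(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        throw new UnsupportedOperationException("Enforcement is not supported via Java Client. Please instead use the listPrivileges method to view the privileges for a principal.");
    }

    /**
     * Not supported: this client cannot build an entity filter.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public Predicate<EntityId> createFilter(Principal principal) throws Exception {
        throw new UnsupportedOperationException("Filtering is not supported via Java Client.");
    }

    /**
     * Posts a {@link GrantRequest} for the given entity, principal and actions.
     *
     * @throws NotFoundException if the server answers 404; the message is the response body
     * @throws FeatureDisabledException if the server answers 501
     */
    @Override
    public void grant(EntityId entityId, Principal principal, Set<Action> set) throws IOException, UnauthenticatedException, FeatureDisabledException, UnauthorizedException, NotFoundException {
        // NOTE(review): AUTHORIZATION_BASE already ends in '/', so this path contains "//".
        // Kept as-is because the path the server expects cannot be verified from this file.
        String body = GSON.toJson(new GrantRequest(entityId, principal, set));
        HttpRequest request = HttpRequest.post(this.config.resolveURLV3(AUTHORIZATION_BASE + "/privileges/grant"))
            .withBody(body)
            .build();
        executePrivilegeRequest(request);
    }

    /**
     * Posts a {@link RevokeRequest} for the entity with a {@code null} principal and a
     * {@code null} action set.
     *
     * <p>NOTE(review): this is presumably the broadest form of revoke (every principal, every
     * action on the entity); confirm against the server's handling of null fields.
     */
    @Override
    public void revoke(EntityId entityId) throws IOException, UnauthenticatedException, FeatureDisabledException, UnauthorizedException, NotFoundException {
        revoke(entityId, null, null);
    }

    /**
     * Posts a {@link RevokeRequest} built from the given entity, principal and actions.
     *
     * @param principal may be {@code null}
     * @param set may be {@code null}
     * @throws NotFoundException if the server answers 404; the message is the response body
     */
    @Override
    public void revoke(EntityId entityId, @Nullable Principal principal, @Nullable Set<Action> set) throws IOException, UnauthenticatedException, FeatureDisabledException, UnauthorizedException, NotFoundException {
        revoke(new RevokeRequest(entityId, principal, set));
    }

    /**
     * Fetches the privileges the server reports for a principal.
     *
     * @return the privilege set parsed from the JSON response body
     * @throws IOException if the response code is not 200; the message embeds the raw response
     *     body, so avoid logging it where server output is sensitive
     */
    @Override
    public Set<Privilege> listPrivileges(Principal principal) throws IOException, FeatureDisabledException, UnauthenticatedException, UnauthorizedException, NotFoundException {
        String path = String.format(AUTHORIZATION_BASE + "%s/%s/privileges", principal.getType(), principal.getName());
        HttpResponse response = doExecuteRequest(HttpRequest.get(this.config.resolveURLV3(path)).build());
        if (response.getResponseCode() != HttpServletResponse.SC_OK) {
            throw new IOException(String.format("Cannot list privileges. Reason: %s", response.getResponseBodyAsString()));
        }
        return ObjectResponse.fromJsonBody(response, TYPE_OF_PRIVILEGE_SET, GSON).getResponseObject();
    }

    /**
     * Creates a role with a PUT on {@code roles/<name>}.
     *
     * @throws RoleAlreadyExistsException if the server answers 409
     */
    @Override
    public void createRole(Role role) throws IOException, FeatureDisabledException, UnauthenticatedException, UnauthorizedException, RoleAlreadyExistsException, NotFoundException {
        String path = String.format(AUTHORIZATION_BASE + "roles/%s", role.getName());
        HttpRequest request = HttpRequest.put(this.config.resolveURLV3(path)).build();
        HttpResponse response = doExecuteRequest(request, HttpServletResponse.SC_CONFLICT);
        if (response.getResponseCode() == HttpServletResponse.SC_CONFLICT) {
            throw new RoleAlreadyExistsException(role);
        }
    }

    /**
     * Deletes a role with a DELETE on {@code roles/<name>}.
     *
     * @throws RoleNotFoundException if the server answers 404
     */
    @Override
    public void dropRole(Role role) throws IOException, FeatureDisabledException, UnauthenticatedException, UnauthorizedException, RoleNotFoundException, NotFoundException {
        String path = String.format(AUTHORIZATION_BASE + "roles/%s", role.getName());
        executeExistingRolesRequest(role, HttpRequest.delete(this.config.resolveURLV3(path)).build());
    }

    /** Lists every role the server returns from the {@code roles} endpoint. */
    @Override
    public Set<Role> listAllRoles() throws FeatureDisabledException, UnauthenticatedException, UnauthorizedException, IOException, NotFoundException {
        return listRolesHelper(null);
    }

    /** Lists the roles the server returns for the given principal. */
    @Override
    public Set<Role> listRoles(Principal principal) throws FeatureDisabledException, UnauthenticatedException, UnauthorizedException, IOException, NotFoundException {
        return listRolesHelper(principal);
    }

    /**
     * Assigns a role to a principal with a PUT on {@code <type>/<name>/roles/<role>}.
     *
     * @throws RoleNotFoundException if the server answers 404
     */
    @Override
    public void addRoleToPrincipal(Role role, Principal principal) throws IOException, FeatureDisabledException, UnauthenticatedException, UnauthorizedException, RoleNotFoundException, NotFoundException {
        String path = String.format(AUTHORIZATION_BASE + "%s/%s/roles/%s", principal.getType(), principal.getName(), role.getName());
        executeExistingRolesRequest(role, HttpRequest.put(this.config.resolveURLV3(path)).build());
    }

    /**
     * Removes a role from a principal with a DELETE on {@code <type>/<name>/roles/<role>}.
     *
     * @throws RoleNotFoundException if the server answers 404
     */
    @Override
    public void removeRoleFromPrincipal(Role role, Principal principal) throws IOException, FeatureDisabledException, UnauthenticatedException, UnauthorizedException, RoleNotFoundException, NotFoundException {
        String path = String.format(AUTHORIZATION_BASE + "%s/%s/roles/%s", principal.getType(), principal.getName(), role.getName());
        executeExistingRolesRequest(role, HttpRequest.delete(this.config.resolveURLV3(path)).build());
    }

    /** Serializes the revoke request to JSON and posts it to the revoke endpoint. */
    private void revoke(RevokeRequest revokeRequest) throws IOException, UnauthenticatedException, FeatureDisabledException, UnauthorizedException, NotFoundException {
        // Same "//" as in grant(); preserved for the same reason.
        HttpRequest request = HttpRequest.post(this.config.resolveURLV3(AUTHORIZATION_BASE + "/privileges/revoke"))
            .withBody(GSON.toJson(revokeRequest))
            .build();
        executePrivilegeRequest(request);
    }

    /**
     * Lists roles for one principal, or all roles when {@code principal} is {@code null}.
     *
     * @throws IOException if the response code is not 200; the message embeds the raw response body
     */
    private Set<Role> listRolesHelper(@Nullable Principal principal) throws IOException, FeatureDisabledException, UnauthenticatedException, UnauthorizedException, NotFoundException {
        String path = principal == null
            ? AUTHORIZATION_BASE + "roles"
            : String.format(AUTHORIZATION_BASE + "%s/%s/roles", principal.getType(), principal.getName());
        HttpResponse response = doExecuteRequest(HttpRequest.get(this.config.resolveURLV3(path)).build());
        if (response.getResponseCode() != HttpServletResponse.SC_OK) {
            throw new IOException(String.format("Cannot list roles. Reason: %s", response.getResponseBodyAsString()));
        }
        // Unlike listPrivileges, this parse does not pass GSON (no EntityId adapter).
        return ObjectResponse.fromJsonBody(response, TYPE_OF_ROLE_SET).getResponseObject();
    }

    /** Executes a request that targets an existing role, mapping a 404 to {@link RoleNotFoundException}. */
    private void executeExistingRolesRequest(Role role, HttpRequest httpRequest) throws IOException, UnauthenticatedException, FeatureDisabledException, UnauthorizedException, RoleNotFoundException, NotFoundException {
        HttpResponse response = doExecuteRequest(httpRequest, HttpServletResponse.SC_NOT_FOUND);
        if (response.getResponseCode() == HttpServletResponse.SC_NOT_FOUND) {
            throw new RoleNotFoundException(role);
        }
    }

    /**
     * Executes a grant/revoke request, mapping a 404 to {@link NotFoundException} whose message
     * is the response body.
     *
     * @return the response for any other status that {@link #doExecuteRequest} lets through
     */
    private HttpResponse executePrivilegeRequest(HttpRequest httpRequest) throws FeatureDisabledException, UnauthenticatedException, IOException, NotFoundException, UnauthorizedException {
        HttpResponse response = doExecuteRequest(httpRequest, HttpServletResponse.SC_NOT_FOUND);
        if (response.getResponseCode() == HttpServletResponse.SC_NOT_FOUND) {
            throw new NotFoundException(response.getResponseBodyAsString());
        }
        return response;
    }

    /**
     * Sends the request with the configured access token, tolerating the caller's extra status
     * codes plus 501.
     *
     * <p>A 501 is translated into a {@link FeatureDisabledException}. The feature named in the
     * exception is chosen by a substring match on the response body: "authentication" selects
     * the authentication feature, anything else the authorization feature.
     *
     * <p>NOTE(review): {@link UnauthenticatedException} and {@link UnauthorizedException} are
     * not raised in this method; presumably {@code RESTClient.execute} throws them — confirm.
     *
     * @param additionalAllowedCodes status codes the caller wants returned instead of rejected
     * @return the response when its status is not 501
     * @throws FeatureDisabledException if the server answers 501
     */
    private HttpResponse doExecuteRequest(HttpRequest httpRequest, int... additionalAllowedCodes) throws IOException, UnauthenticatedException, FeatureDisabledException, UnauthorizedException {
        // Exactly one extra slot: the original allocated two and left a stray 0 in the allow-list.
        int[] allowedCodes = new int[additionalAllowedCodes.length + 1];
        System.arraycopy(additionalAllowedCodes, 0, allowedCodes, 0, additionalAllowedCodes.length);
        allowedCodes[additionalAllowedCodes.length] = HttpServletResponse.SC_NOT_IMPLEMENTED;

        HttpResponse response = this.restClient.execute(httpRequest, this.config.getAccessToken(), allowedCodes);
        if (response.getResponseCode() != HttpServletResponse.SC_NOT_IMPLEMENTED) {
            return response;
        }

        // Locale.ROOT keeps the match stable: under e.g. a Turkish default locale an upper-case
        // 'I' lower-cases to a dotless i, and a disabled-authentication response would be
        // reported as disabled authorization.
        String body = response.getResponseBodyAsString().toLowerCase(Locale.ROOT);
        boolean authenticationDisabled = body.contains("authentication");
        FeatureDisabledException.Feature feature = authenticationDisabled
            ? FeatureDisabledException.Feature.AUTHENTICATION
            : FeatureDisabledException.Feature.AUTHORIZATION;
        String enableKey = authenticationDisabled
            ? Constants.Security.ENABLED
            : Constants.Security.Authorization.ENABLED;
        throw new FeatureDisabledException(feature, FeatureDisabledException.CDAP_SITE, enableKey, "true");
    }
}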
