package org.apache.storm.security.auth.authorizer;

import java.io.IOException;
import java.net.InetAddress;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.storm.Config;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.IAuthorizer;
import org.apache.storm.security.auth.IGroupMappingServiceProvider;
import org.apache.storm.security.auth.IPrincipalToLocal;
import org.apache.storm.security.auth.ReqContext;
import org.apache.storm.shade.com.google.common.collect.ImmutableSet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/authorizer/ImpersonationAuthorizer.class */
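/**
 * Authorizer that decides whether a (real) principal may act on behalf of another user.
 *
 * <p>Non-impersonating requests are always permitted here; this class only gates the
 * impersonation relationship and relies on other authorizers for the operation itself.
 * The ACL is read from {@link Config#NIMBUS_IMPERSONATION_ACL}, keyed by the impersonating
 * principal name or its local user name, and each entry lists the {@code hosts} the request
 * may originate from and the {@code groups} whose members may be impersonated. Both lists
 * accept {@link #WILD_CARD}.
 *
 * <p>Security note: host matching compares the ACL entries against the remote IP literal and
 * also against {@link InetAddress#getHostName()} / {@link InetAddress#getCanonicalHostName()},
 * which perform reverse DNS lookups. A reverse-zone owner controls those names, so hostname
 * entries are only as trustworthy as the resolver path; IP literals are the safer choice.
 */
public class ImpersonationAuthorizer implements IAuthorizer {
    /** ACL value matching any host (in {@code hosts}) or any group (in {@code groups}). */
    protected static final String WILD_CARD = "*";
    private static final Logger LOG = LoggerFactory.getLogger(ImpersonationAuthorizer.class);
    /** Impersonating principal or local user name -> its ACL; populated by {@link #prepare(Map)}. */
    protected Map<String, ImpersonationACL> userImpersonationACL;
    /** Maps Kerberos-style principals to local user names. */
    protected IPrincipalToLocal ptol;
    /** Resolves the group membership of the user being impersonated. */
    protected IGroupMappingServiceProvider groupMappingProvider;

    /** One parsed ACL entry: who may impersonate, from where, and which groups' members. */
    protected static class ImpersonationACL {
        public String impersonatingUser;
        public Set<String> authorizedGroups;
        public Set<String> authorizedHosts;

        private ImpersonationACL(String impersonatingUser, Set<String> authorizedGroups, Set<String> authorizedHosts) {
            this.impersonatingUser = impersonatingUser;
            this.authorizedGroups = authorizedGroups;
            this.authorizedHosts = authorizedHosts;
        }

        @Override
        public String toString() {
            return "ImpersonationACL{impersonatingUser='" + this.impersonatingUser
                + "', authorizedGroups=" + this.authorizedGroups
                + ", authorizedHosts=" + this.authorizedHosts + '}';
        }
    }

    /**
     * Parses {@link Config#NIMBUS_IMPERSONATION_ACL} and loads the principal-to-local and
     * group-mapping plugins.
     *
     * @param map the Storm configuration
     * @throws IllegalArgumentException if an ACL entry lacks its {@code groups} or {@code hosts}
     *         list, so a misconfiguration is reported at startup with the offending user named
     *         instead of surfacing as a bare NullPointerException
     */
    @Override
    @SuppressWarnings("unchecked")
    public void prepare(Map<String, Object> map) {
        this.userImpersonationACL = new HashMap<>();
        Map<?, ?> aclConf = (Map<?, ?>) map.get(Config.NIMBUS_IMPERSONATION_ACL);
        if (aclConf != null) {
            for (Map.Entry<?, ?> entry : aclConf.entrySet()) {
                String user = (String) entry.getKey();
                Map<?, ?> rules = (Map<?, ?>) entry.getValue();
                if (rules == null) {
                    throw new IllegalArgumentException(Config.NIMBUS_IMPERSONATION_ACL
                        + " entry for '" + user + "' must be a map with 'groups' and 'hosts'");
                }
                Collection<String> groups = (Collection<String>) rules.get("groups");
                Collection<String> hosts = (Collection<String>) rules.get("hosts");
                if (groups == null || hosts == null) {
                    throw new IllegalArgumentException(Config.NIMBUS_IMPERSONATION_ACL
                        + " entry for '" + user + "' must define both 'groups' and 'hosts'");
                }
                this.userImpersonationACL.put(user,
                    new ImpersonationACL(user, ImmutableSet.copyOf(groups), ImmutableSet.copyOf(hosts)));
            }
        }
        this.ptol = ClientAuthUtils.getPrincipalToLocalPlugin(map);
        this.groupMappingProvider = ClientAuthUtils.getGroupMappingServiceProviderPlugin(map);
    }

    /**
     * Permits the request unless it is an impersonation attempt that the ACL does not cover.
     *
     * <p>For an impersonating request the ACLs of the real principal and of its local user name
     * are unioned, the remote host is checked first, then the impersonated user's groups.
     *
     * @param reqContext request context; {@code realPrincipal()} is the actor, {@code principal()}
     *                   the user being impersonated
     * @param str        the operation name (used only for logging)
     * @param map        topology configuration (unused by this authorizer)
     * @return {@code true} if the request is not an impersonation or the ACL allows it
     * @throws RuntimeException if the group mapping provider fails to resolve groups
     */
    @Override
    public boolean permit(ReqContext reqContext, String str, Map<String, Object> map) {
        if (!reqContext.isImpersonating()) {
            LOG.debug("Not an impersonation attempt.");
            return true;
        }
        String impersonatingPrincipal = reqContext.realPrincipal().getName();
        String impersonatingUser = this.ptol.toLocal(reqContext.realPrincipal());
        String impersonatedUser = this.ptol.toLocal(reqContext.principal());
        InetAddress remoteAddress = reqContext.remoteAddress();
        LOG.info("user = {}, principal = {} is attempting to impersonate user = {} for operation = {} from host = {}",
            impersonatingUser, impersonatingPrincipal, impersonatedUser, str, remoteAddress);

        ImpersonationACL principalAcl = this.userImpersonationACL.get(impersonatingPrincipal);
        ImpersonationACL userAcl = this.userImpersonationACL.get(impersonatingUser);
        // No entry for either the principal or its local user: deny (fail closed).
        if (principalAcl == null && userAcl == null) {
            LOG.info("user = {}, principal = {} is trying to impersonate user {}, but config {} does not have entry for impersonating user or principal.Please see SECURITY.MD to learn how to configure users for impersonation.",
                impersonatingUser, impersonatingPrincipal, impersonatedUser, Config.NIMBUS_IMPERSONATION_ACL);
            return false;
        }

        // Entries keyed by principal and by local user are merged; either can grant.
        Set<String> authorizedHosts = new HashSet<>();
        Set<String> authorizedGroups = new HashSet<>();
        for (ImpersonationACL acl : new ImpersonationACL[] {principalAcl, userAcl}) {
            if (acl != null) {
                authorizedHosts.addAll(acl.authorizedHosts);
                authorizedGroups.addAll(acl.authorizedGroups);
            }
        }
        LOG.debug("user = {}, principal = {} is allowed to impersonate groups = {} from hosts = {} ",
            impersonatingUser, impersonatingPrincipal, authorizedGroups, authorizedHosts);

        if (!isAllowedToImpersonateFromHost(authorizedHosts, remoteAddress)) {
            LOG.info("user = {}, principal = {} is not allowed to impersonate from host {} ",
                impersonatingUser, impersonatingPrincipal, remoteAddress);
            return false;
        }
        if (isAllowedToImpersonateUser(authorizedGroups, impersonatedUser)) {
            LOG.info("Allowing impersonation of user {} by user {}", impersonatedUser, impersonatingUser);
            return true;
        }
        LOG.info("user = {}, principal = {} is not allowed to impersonate any group that user {} is part of.",
            impersonatingUser, impersonatingPrincipal, impersonatedUser);
        return false;
    }

    /**
     * Host check: wildcard, or the remote address matches an entry by reverse-resolved
     * canonical name, reverse-resolved host name, or IP literal.
     *
     * <p>The two name lookups are reverse DNS and therefore depend on data the remote side's
     * network owner may control; configure IP literals where that is a concern. A missing remote
     * address (other than with the wildcard) is denied rather than dereferenced.
     *
     * @param authorizedHosts union of the applicable {@code hosts} entries
     * @param remoteAddress   origin of the request, possibly {@code null}
     * @return whether the origin is acceptable
     */
    private boolean isAllowedToImpersonateFromHost(Set<String> authorizedHosts, InetAddress remoteAddress) {
        if (authorizedHosts.contains(WILD_CARD)) {
            return true;
        }
        if (remoteAddress == null) {
            LOG.warn("Impersonation request has no remote address; denying because only '{}' would match.", WILD_CARD);
            return false;
        }
        return authorizedHosts.contains(remoteAddress.getCanonicalHostName())
            || authorizedHosts.contains(remoteAddress.getHostName())
            || authorizedHosts.contains(remoteAddress.getHostAddress());
    }

    /**
     * Group check: wildcard, or the impersonated user belongs to at least one authorized group.
     * A user with no resolvable groups cannot be impersonated except via the wildcard.
     *
     * @param authorizedGroups union of the applicable {@code groups} entries
     * @param impersonatedUser local user name being impersonated
     * @return whether the impersonation target is acceptable
     * @throws RuntimeException wrapping the provider's {@link IOException}; the cause is preserved
     *         so the underlying lookup failure is diagnosable
     */
    private boolean isAllowedToImpersonateUser(Set<String> authorizedGroups, String impersonatedUser) {
        if (authorizedGroups.contains(WILD_CARD)) {
            return true;
        }
        Set<String> groups;
        try {
            groups = this.groupMappingProvider.getGroups(impersonatedUser);
        } catch (IOException e) {
            throw new RuntimeException("failed to get groups for user " + impersonatedUser, e);
        }
        if (groups == null || groups.isEmpty()) {
            return false;
        }
        for (String group : groups) {
            if (authorizedGroups.contains(group)) {
                return true;
            }
        }
        return false;
    }
}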
