package org.apache.storm.security.auth.authorizer;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.storm.Config;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.IAuthorizer;
import org.apache.storm.security.auth.IGroupMappingServiceProvider;
import org.apache.storm.security.auth.IPrincipalToLocal;
import org.apache.storm.security.auth.ReqContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/authorizer/SimpleACLAuthorizer.class */
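/**
 * Authorizer that decides each request from static access-control lists read
 * from the cluster configuration and from the topology configuration.
 *
 * <p>{@link #permit} evaluates its rules in this order and stops at the first match:
 * <ol>
 *   <li>admins (by principal name, local name, or admin group): every operation is allowed;</li>
 *   <li>supervisors (by principal name or local name): only {@link #supervisorCommands};</li>
 *   <li>{@link #userCommands}: gated by the nimbus users/groups lists;</li>
 *   <li>{@link #topoCommands}: gated by the per-topology users/groups lists, with
 *       {@link #topoReadOnlyCommands} additionally open to the read-only lists;</li>
 *   <li>anything else is denied.</li>
 * </ol>
 */
public class SimpleACLAuthorizer implements IAuthorizer {
    private static final Logger LOG = LoggerFactory.getLogger(SimpleACLAuthorizer.class);

    /** Operations gated by the nimbus users/groups lists rather than by a topology ACL. */
    protected Set<String> userCommands = new HashSet<>(Arrays.asList(
            "submitTopology", "fileUpload", "getNimbusConf", "getClusterInfo",
            "getSupervisorPageInfo", "getOwnerResourceSummaries"));

    /** The only operations a caller listed as a supervisor may perform. */
    protected Set<String> supervisorCommands = new HashSet<>(Arrays.asList(
            "fileDownload", "processWorkerMetrics", "getSupervisorAssignments",
            "sendSupervisorWorkerHeartbeats"));

    /** Topology operations that the read-only topology lists are also allowed to perform. */
    protected Set<String> topoReadOnlyCommands = new HashSet<>(Arrays.asList(
            "getTopologyConf", "getTopology", "getUserTopology", "getTopologyInfo",
            "getTopologyPageInfo", "getComponentPageInfo", "getWorkerProfileActionExpiry",
            "getComponentPendingProfileActions", "getLogConfig"));

    /** Topology operations; the constructor also merges the read-only operations into this set. */
    protected Set<String> topoCommands = new HashSet<>(Arrays.asList(
            "killTopology", "rebalance", "activate", "deactivate", "uploadNewCredentials",
            "setLogConfig", "setWorkerProfiler", "startProfiling", "stopProfiling",
            "dumpProfile", "dumpJstack", "dumpHeap", "debug", "sendSupervisorWorkerHeartbeat"));

    protected Set<String> admins;
    protected Set<String> adminsGroups;
    protected Set<String> supervisors;
    protected Set<String> nimbusUsers;
    protected Set<String> nimbusGroups;
    protected IPrincipalToLocal ptol;
    protected IGroupMappingServiceProvider groupMappingServiceProvider;

    /**
     * Creates the authorizer and folds the read-only topology operations into
     * {@link #topoCommands}, so that a single membership test in {@link #permit}
     * recognises every topology operation.
     */
    public SimpleACLAuthorizer() {
        this.topoCommands.addAll(this.topoReadOnlyCommands);
    }

    /**
     * Loads the admin, supervisor and nimbus user/group lists and the
     * principal-to-local and group-mapping plugins from the configuration.
     *
     * <p>A list key that is absent or explicitly set to {@code null} yields an empty
     * list instead of a {@link NullPointerException}.
     *
     * @param conf the configuration map to read the access-control lists from
     * @throws ClassCastException if a configured list value is not a {@link Collection}
     */
    @Override
    public void prepare(Map<String, Object> conf) {
        this.admins = aclEntries(conf, Config.NIMBUS_ADMINS);
        this.adminsGroups = aclEntries(conf, Config.NIMBUS_ADMINS_GROUPS);
        this.supervisors = aclEntries(conf, Config.NIMBUS_SUPERVISOR_USERS);
        this.nimbusUsers = aclEntries(conf, Config.NIMBUS_USERS);
        this.nimbusGroups = aclEntries(conf, Config.NIMBUS_GROUPS);
        this.ptol = ClientAuthUtils.getPrincipalToLocalPlugin(conf);
        this.groupMappingServiceProvider = ClientAuthUtils.getGroupMappingServiceProviderPlugin(conf);
    }

    /**
     * Decides whether the caller in {@code context} may perform {@code operation}.
     *
     * @param context   request context supplying the caller's principal
     * @param operation name of the requested operation, matched against the command sets
     * @param topoConf  topology configuration holding the per-topology lists; it is only
     *                  read when {@code operation} is a topology operation
     * @return {@code true} if the request is allowed, {@code false} otherwise
     */
    @Override
    public boolean permit(ReqContext context, String operation, Map<String, Object> topoConf) {
        String principal = context.principal().getName();
        String user = this.ptol.toLocal(context.principal());

        Set<String> userGroups = new HashSet<>();
        if (this.groupMappingServiceProvider != null) {
            try {
                userGroups = this.groupMappingServiceProvider.getGroups(user);
            } catch (IOException e) {
                // Fail closed: when the lookup fails the caller keeps an empty group set,
                // so no group-based rule below can grant access. User-list rules still apply.
                LOG.warn("Error while trying to fetch user groups", e);
            }
        }

        // Admins are matched first and are allowed every operation, including names
        // that appear in none of the command sets.
        if (this.admins.contains(principal) || this.admins.contains(user)
                || checkUserGroupAllowed(userGroups, this.adminsGroups)) {
            return true;
        }

        // A supervisor identity is confined to the supervisor operations, even if the
        // same name also appears in the nimbus or topology lists checked further down.
        if (this.supervisors.contains(principal) || this.supervisors.contains(user)) {
            return this.supervisorCommands.contains(operation);
        }

        if (this.userCommands.contains(operation)) {
            // NOTE(security): an empty nimbusUsers list admits every caller that reaches
            // this point, even when nimbusGroups is populated. Deployments that rely on
            // Config.NIMBUS_GROUPS alone should also populate Config.NIMBUS_USERS.
            // Only the local name is matched here, not the full principal name.
            return this.nimbusUsers.isEmpty()
                    || this.nimbusUsers.contains(user)
                    || checkUserGroupAllowed(userGroups, this.nimbusGroups);
        }

        // Default deny: an operation outside every known command set is refused.
        if (!this.topoCommands.contains(operation)) {
            return false;
        }

        if (checkTopoPermission(principal, user, userGroups, topoConf,
                Config.TOPOLOGY_USERS, Config.TOPOLOGY_GROUPS)) {
            return true;
        }

        // The read-only lists can grant access to the read-only operations only.
        return this.topoReadOnlyCommands.contains(operation)
                && checkTopoPermission(principal, user, userGroups, topoConf,
                        Config.TOPOLOGY_READONLY_USERS, Config.TOPOLOGY_READONLY_GROUPS);
    }

    /**
     * Checks the caller against one users list and one groups list of a topology configuration.
     *
     * @param principal  the caller's principal name
     * @param user       the caller's local name
     * @param userGroups the groups resolved for the caller
     * @param topoConf   the topology configuration to read the lists from
     * @param userKey    key of the users list in {@code topoConf}
     * @param groupKey   key of the groups list in {@code topoConf}
     * @return {@code true} if the principal name or local name is in the users list, or if
     *         the caller belongs to at least one group in the groups list
     */
    private boolean checkTopoPermission(String principal, String user, Set<String> userGroups,
                                        Map<String, Object> topoConf, String userKey, String groupKey) {
        // The users list is now read with the same null tolerance the groups list already
        // had; a null-valued users entry previously raised a NullPointerException here.
        Set<String> allowedUsers = aclEntries(topoConf, userKey);
        if (allowedUsers.contains(principal) || allowedUsers.contains(user)) {
            return true;
        }
        return checkUserGroupAllowed(userGroups, aclEntries(topoConf, groupKey));
    }

    /**
     * Tells whether the caller belongs to at least one of the allowed groups.
     *
     * @param userGroups    the groups resolved for the caller
     * @param allowedGroups the groups granted access
     * @return {@code true} if the two sets share an element; {@code false} if either is empty
     */
    private static boolean checkUserGroupAllowed(Set<String> userGroups, Set<String> allowedGroups) {
        if (userGroups.isEmpty() || allowedGroups.isEmpty()) {
            return false;
        }
        for (String group : allowedGroups) {
            if (userGroups.contains(group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Copies the list stored under {@code key} into a fresh mutable set.
     *
     * @param conf the configuration map to read
     * @param key  the configuration key of the list
     * @return the configured entries, or an empty set when the key is absent or maps to {@code null}
     * @throws ClassCastException if the configured value is not a {@link Collection}
     */
    private static Set<String> aclEntries(Map<String, Object> conf, String key) {
        Set<String> entries = new HashSet<>();
        Object configured = conf.get(key);
        if (configured != null) {
            // Configuration values are untyped; the element type is assumed to be String.
            @SuppressWarnings("unchecked")
            Collection<String> values = (Collection<String>) configured;
            entries.addAll(values);
        }
        return entries;
    }
}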
