package org.apache.solr.handler.component;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.util.Iterator;
import java.util.Set;
import org.apache.lucene.index.Term;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.TermQuery;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.common.util.NamedList;
import org.apache.solr.sentry.SentryIndexAuthorizationSingleton;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/handler/component/QueryDocAuthorizationComponent.class */
public class QueryDocAuthorizationComponent extends SearchComponent {
    private static Logger log = LoggerFactory.getLogger(QueryDocAuthorizationComponent.class);
    public static String AUTH_FIELD_PROP = "sentryAuthField";
    public static String DEFAULT_AUTH_FIELD = "sentry_auth";
    public static String ALL_ROLES_TOKEN_PROP = "allRolesToken";
    public static String ENABLED_PROP = "enabled";
    private SentryIndexAuthorizationSingleton sentryInstance;
    private String authField;
    private String allRolesToken;
    private boolean enabled;

    public QueryDocAuthorizationComponent() {
        this(SentryIndexAuthorizationSingleton.getInstance());
    }

    @VisibleForTesting
    public QueryDocAuthorizationComponent(SentryIndexAuthorizationSingleton sentryIndexAuthorizationSingleton) {
        this.sentryInstance = sentryIndexAuthorizationSingleton;
    }

    public void init(NamedList namedList) {
        SolrParams solrParams = SolrParams.toSolrParams(namedList);
        this.authField = solrParams.get(AUTH_FIELD_PROP, DEFAULT_AUTH_FIELD);
        log.info("QueryDocAuthorizationComponent authField: " + this.authField);
        this.allRolesToken = solrParams.get(ALL_ROLES_TOKEN_PROP, "");
        log.info("QueryDocAuthorizationComponent allRolesToken: " + this.allRolesToken);
        this.enabled = solrParams.getBool(ENABLED_PROP, false);
        log.info("QueryDocAuthorizationComponent enabled: " + this.enabled);
    }

    private void addRawClause(StringBuilder sb, String str, String str2) {
        sb.append(" {!raw f=").append(str).append(" v=").append(str2).append("}");
    }

    public String getFilterQueryStr(Set<String> set) {
        if (set == null || set.size() <= 0) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            addRawClause(sb, this.authField, it.next());
        }
        if (this.allRolesToken != null && !this.allRolesToken.isEmpty()) {
            addRawClause(sb, this.authField, this.allRolesToken);
        }
        return sb.toString();
    }

    private BooleanClause getBooleanClause(String str, String str2) {
        return new BooleanClause(new TermQuery(new Term(str, str2)), BooleanClause.Occur.SHOULD);
    }

    public Query getFilterQuery(Set<String> set) {
        if (set == null || set.size() <= 0) {
            return null;
        }
        BooleanQuery booleanQuery = new BooleanQuery();
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            booleanQuery.add(getBooleanClause(this.authField, it.next()));
        }
        if (this.allRolesToken != null && !this.allRolesToken.isEmpty()) {
            booleanQuery.add(getBooleanClause(this.authField, this.allRolesToken));
        }
        return booleanQuery;
    }

    public void prepare(ResponseBuilder responseBuilder) throws IOException {
        if (this.enabled) {
            String userName = this.sentryInstance.getUserName(responseBuilder.req);
            if (System.getProperty("solr.authorization.superuser", "solr").equals(userName)) {
                return;
            }
            Set<String> roles = this.sentryInstance.getRoles(userName);
            if (roles == null || roles.size() <= 0) {
                throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, "Request from user: " + userName + " rejected because user is not associated with any roles");
            }
            String filterQueryStr = getFilterQueryStr(roles);
            ModifiableSolrParams modifiableSolrParams = new ModifiableSolrParams(responseBuilder.req.getParams());
            modifiableSolrParams.add("fq", new String[]{filterQueryStr});
            responseBuilder.req.setParams(modifiableSolrParams);
        }
    }

    public void process(ResponseBuilder responseBuilder) throws IOException {
    }

    public String getDescription() {
        return "Handle Query Document Authorization";
    }

    public String getSource() {
        return "$URL$";
    }

    public boolean getEnabled() {
        return this.enabled;
    }
}
