package org.apache.hive.druid.io.druid.server.http.security;

import com.google.inject.Inject;
import com.sun.jersey.spi.container.ContainerRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.hive.druid.com.google.common.base.Preconditions;
import org.apache.hive.druid.io.druid.server.security.Access;
import org.apache.hive.druid.io.druid.server.security.AuthConfig;
import org.apache.hive.druid.io.druid.server.security.AuthorizationInfo;
import org.apache.hive.druid.io.druid.server.security.Resource;
import org.apache.hive.druid.io.druid.server.security.ResourceType;

/* loaded from: input_file:org/apache/hive/druid/io/druid/server/http/security/ConfigResourceFilter.class */
/**
 * Resource filter that authorizes requests against the single {@code CONFIG} resource.
 *
 * <p>The check only runs when {@link AuthConfig#isEnabled()} returns {@code true}; with
 * authorization disabled, every request is passed through unchanged.
 */
public class ConfigResourceFilter extends AbstractResourceFilter {
    /**
     * Path prefixes this filter applies to. They are compared with {@link String#startsWith},
     * so any path that merely begins with one of these strings is covered as well.
     */
    private static final String[] GUARDED_PREFIXES = {
        "druid/worker/v1",
        "druid/indexer/v1",
        "druid/coordinator/v1/config"
    };

    /**
     * Creates the filter.
     *
     * @param authConfig authorization settings handed to the parent filter
     */
    @Inject
    public ConfigResourceFilter(AuthConfig authConfig) {
        super(authConfig);
    }

    /**
     * Checks that the caller may perform the request's action on the {@code CONFIG} resource.
     *
     * @param containerRequest the incoming request
     * @return the same request, unmodified, when authorization is disabled or access is allowed
     * @throws WebApplicationException with status 403 when the access check denies the request
     * @throws NullPointerException when authorization is enabled but the request carries no
     *     {@link AuthorizationInfo} under {@link AuthConfig#DRUID_AUTH_TOKEN}
     */
    public ContainerRequest filter(ContainerRequest containerRequest) {
        if (!getAuthConfig().isEnabled()) {
            // Authorization is switched off: nothing is checked for this request.
            return containerRequest;
        }

        // The attribute is read, not set, here; presumably an earlier authentication step
        // populates it - verify against the deployment's filter chain.
        AuthorizationInfo authInfo = (AuthorizationInfo) getReq().getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
        // Fails closed: a request without authorization info is never let through.
        Preconditions.checkNotNull(authInfo, "Security is enabled but no authorization info found in the request");

        Resource configResource = new Resource("CONFIG", ResourceType.CONFIG);
        Access decision = authInfo.isAuthorized(configResource, getAction(containerRequest));
        if (decision.isAllowed()) {
            return containerRequest;
        }

        // NOTE(review): the response body echoes Access.toString() to the caller; confirm that
        // it does not reveal more about the authorization decision than intended.
        Response forbidden = Response.status(Response.Status.FORBIDDEN)
            .entity(String.format("Access-Check-Result: %s", decision.toString()))
            .build();
        throw new WebApplicationException(forbidden);
    }

    /**
     * Tells whether this filter should guard the given request path.
     *
     * @param str request path; the prefixes carry no leading slash, so the path is expected
     *     in the same form
     * @return {@code true} when the path starts with one of the guarded prefixes
     */
    @Override
    public boolean isApplicable(String str) {
        for (String prefix : GUARDED_PREFIXES) {
            if (str.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}
