package backtype.storm.security.auth.authorizer;

import backtype.storm.Config;
import backtype.storm.security.auth.AuthUtils;
import backtype.storm.security.auth.IPrincipalToLocal;
import backtype.storm.security.auth.ReqContext;
import backtype.storm.utils.Utils;
import java.security.Principal;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:backtype/storm/security/auth/authorizer/DRPCSimpleACLAuthorizer.class */
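/**
 * DRPC authorizer that decides client and invocation requests from a
 * per-function ACL loaded through {@code Utils.findAndReadConfigFile}.
 *
 * <p>Each function entry carries a set of permitted client users and a single
 * permitted invocation user. A caller matches when either its principal name or
 * its local name (as mapped by the configured {@link IPrincipalToLocal}) is listed.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>When strict mode is disabled, a function with no ACL entry is permitted
 *       before any identity is looked at, so unauthenticated callers are allowed
 *       too. Strict mode is the default when the setting is absent.</li>
 *   <li>The parsed ACL is cached for {@link #ACL_RELOAD_INTERVAL_MS} milliseconds,
 *       so a revocation in the file takes up to that long to apply.</li>
 *   <li>A request with no resolvable identity never matches an ACL, even if the
 *       configured user list contains a null element.</li>
 * </ul>
 */
public class DRPCSimpleACLAuthorizer extends DRPCAuthorizerBase {
    // Left non-final to keep the field's existing public contract unchanged.
    public static Logger LOG = LoggerFactory.getLogger(DRPCSimpleACLAuthorizer.class);
    public static final String CLIENT_USERS_KEY = "client.users";
    public static final String INVOCATION_USER_KEY = "invocation.user";
    public static final String FUNCTION_KEY = "function.name";

    /** Maximum age of the cached ACL before the config file is read again. */
    private static final long ACL_RELOAD_INTERVAL_MS = 5000L;
    /** Selector values accepted by {@link #permitClientOrInvocationRequest}. */
    private static final String CLIENT_USERS_FIELD = "clientUsers";
    private static final String INVOCATION_USER_FIELD = "invocationUser";

    protected IPrincipalToLocal _ptol;
    protected String _aclFileName = "";
    protected boolean _permitWhenMissingFunctionEntry = false;
    // Both fields are volatile and updated without a lock: concurrent callers may
    // each reload the file, and the last writer wins.
    private volatile Map<String, AclFunctionEntry> _acl = null;
    private volatile long _lastUpdate = 0;

    /**
     * ACL for one DRPC function: who may submit client requests and which single
     * user may fetch and answer invocations.
     *
     * <p>Decompiler note: this class was originally declared {@code protected}.
     */
    public class AclFunctionEntry {
        /** Never null; empty when the config gave no client users. */
        public final Set<String> clientUsers;
        /** May be null when the config gave no invocation user. */
        public final String invocationUser;

        /**
         * @param collection permitted client users, or null for none
         * @param str permitted invocation user, or null when not configured
         */
        public AclFunctionEntry(Collection<String> collection, String str) {
            this.clientUsers = collection != null ? new HashSet<String>(collection) : new HashSet<String>();
            this.invocationUser = str;
        }
    }

    /**
     * Returns the ACL keyed by function name, re-reading the config file when the
     * cached copy is missing or older than {@link #ACL_RELOAD_INTERVAL_MS}.
     *
     * <p>A function entry that is not a map, or whose user fields have the wrong
     * type, is logged and stored as an entry that matches nobody. That keeps one
     * malformed entry from making every authorization call throw, while the
     * affected function stays denied in both strict and non-strict mode.
     *
     * @return the current ACL; never null after a successful load
     */
    protected Map<String, AclFunctionEntry> readAclFromConfig() {
        Map<String, AclFunctionEntry> cached = this._acl;
        if (cached != null && System.currentTimeMillis() - ACL_RELOAD_INTERVAL_MS <= this._lastUpdate) {
            return cached;
        }

        Map<String, AclFunctionEntry> acl = new HashMap<String, AclFunctionEntry>();
        Map<?, ?> conf = Utils.findAndReadConfigFile(this._aclFileName);
        if (conf.containsKey(Config.DRPC_AUTHORIZER_ACL)) {
            // A malformed ACL section still fails with an exception, as before:
            // treating it as empty would permit everything in non-strict mode.
            Map<?, ?> aclSection = (Map<?, ?>) conf.get(Config.DRPC_AUTHORIZER_ACL);
            for (Map.Entry<?, ?> functionAcl : aclSection.entrySet()) {
                String function = (String) functionAcl.getKey();
                acl.put(function, parseFunctionEntry(function, functionAcl.getValue()));
            }
        } else if (!this._permitWhenMissingFunctionEntry) {
            LOG.warn("Requiring explicit ACL entries, but none given. Therefore, all operiations will be denied.");
        }
        this._acl = acl;
        this._lastUpdate = System.currentTimeMillis();
        return acl;
    }

    /** Builds one ACL entry, dropping wrongly typed fields so the entry fails closed. */
    private AclFunctionEntry parseFunctionEntry(String function, Object rawEntry) {
        Collection<String> clientUsers = null;
        String invocationUser = null;
        if (rawEntry instanceof Map) {
            Map<?, ?> entry = (Map<?, ?>) rawEntry;
            Object users = entry.get(CLIENT_USERS_KEY);
            if (users instanceof Collection) {
                // Element types are not checked here; a non-String element simply
                // never equals a caller name.
                @SuppressWarnings("unchecked")
                Collection<String> typedUsers = (Collection<String>) users;
                clientUsers = typedUsers;
            } else if (users != null) {
                LOG.warn("ACL for function '{}': '{}' is not a list; no client users will match.",
                        function, CLIENT_USERS_KEY);
            }
            Object invoker = entry.get(INVOCATION_USER_KEY);
            if (invoker instanceof String) {
                invocationUser = (String) invoker;
            } else if (invoker != null) {
                LOG.warn("ACL for function '{}': '{}' is not a string; no invocation user will match.",
                        function, INVOCATION_USER_KEY);
            }
        } else {
            LOG.warn("ACL for function '{}' is not a map; all requests for it will be denied.", function);
        }
        return new AclFunctionEntry(clientUsers, invocationUser);
    }

    /**
     * Reads the strict-mode flag, the ACL file name and the principal-to-local
     * plugin from the configuration.
     *
     * <p>Missing-entry requests are permitted only when the strict flag is present
     * and false; an absent flag is treated as strict.
     *
     * @param map the configuration map
     */
    @Override // backtype.storm.security.auth.authorizer.DRPCAuthorizerBase, backtype.storm.security.auth.IAuthorizer
    public void prepare(Map map) {
        Boolean strict = (Boolean) map.get(Config.DRPC_AUTHORIZER_ACL_STRICT);
        this._permitWhenMissingFunctionEntry = strict != null && !strict.booleanValue();
        this._aclFileName = (String) map.get(Config.DRPC_AUTHORIZER_ACL_FILENAME);
        this._ptol = AuthUtils.GetPrincipalToLocalPlugin(map);
    }

    /** Returns the principal name of the request, or null when there is no context or principal. */
    private String getUserFromContext(ReqContext reqContext) {
        if (reqContext == null) {
            return null;
        }
        Principal principal = reqContext.principal();
        return principal == null ? null : principal.getName();
    }

    /** Returns the local name the plugin maps the request principal to, or null without a context. */
    private String getLocalUserFromContext(ReqContext reqContext) {
        if (reqContext == null) {
            return null;
        }
        // The principal may be null here; what toLocal returns for that is up to the plugin.
        return this._ptol.toLocal(reqContext.principal());
    }

    /**
     * Decides a request against the ACL entry of the function named in {@code map}.
     *
     * @param reqContext the request context carrying the caller's principal; may be null
     * @param map request parameters; must carry the function name under {@link #FUNCTION_KEY}
     * @param str which part of the entry to check: {@code "clientUsers"} or {@code "invocationUser"}
     * @return true when the request is permitted
     */
    protected boolean permitClientOrInvocationRequest(ReqContext reqContext, Map map, String str) {
        Map<String, AclFunctionEntry> acl = readAclFromConfig();
        String function = (String) map.get(FUNCTION_KEY);
        if (function == null || function.isEmpty()) {
            return false;
        }
        AclFunctionEntry entry = acl.get(function);
        if (entry == null) {
            // Non-strict mode permits here without consulting the caller's identity.
            return this._permitWhenMissingFunctionEntry;
        }
        try {
            // Explicit dispatch instead of a reflective field lookup: an unknown
            // selector is denied rather than resolved against whatever field it names.
            Object allowed;
            if (CLIENT_USERS_FIELD.equals(str)) {
                allowed = entry.clientUsers;
            } else if (INVOCATION_USER_FIELD.equals(str)) {
                allowed = entry.invocationUser;
            } else {
                LOG.warn("Unknown ACL selector '{}'; denying request.", str);
                return false;
            }
            String principalName = getUserFromContext(reqContext);
            String localName = getLocalUserFromContext(reqContext);
            if (allowed == null) {
                LOG.warn("Configuration for function '" + function + "' is invalid: it should have both an invocation user and a list of client users defined.");
                return false;
            }
            if (allowed instanceof Set) {
                Set<?> users = (Set<?>) allowed;
                // A HashSet may hold null (for example from an empty list item in the
                // config); a caller with no identity must not match on that.
                return (principalName != null && users.contains(principalName))
                        || (localName != null && users.contains(localName));
            }
            return allowed.equals(principalName) || allowed.equals(localName);
        } catch (RuntimeException e) {
            // Fail closed on any error while resolving the caller's identity.
            LOG.warn("Caught Exception while accessing ACL", e);
            return false;
        }
    }

    /** Permits a client request when the caller is one of the function's client users. */
    @Override // backtype.storm.security.auth.authorizer.DRPCAuthorizerBase
    protected boolean permitClientRequest(ReqContext reqContext, String str, Map map) {
        return permitClientOrInvocationRequest(reqContext, map, CLIENT_USERS_FIELD);
    }

    /** Permits an invocation request when the caller is the function's invocation user. */
    @Override // backtype.storm.security.auth.authorizer.DRPCAuthorizerBase
    protected boolean permitInvocationRequest(ReqContext reqContext, String str, Map map) {
        return permitClientOrInvocationRequest(reqContext, map, INVOCATION_USER_FIELD);
    }
}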
