package org.gridgain.internal.rbac.authorization;

import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.ignite3.internal.eventlog.api.Event;
import org.apache.ignite3.internal.eventlog.api.EventLog;
import org.apache.ignite3.internal.eventlog.event.EventUser;
import org.apache.ignite3.internal.security.authentication.configuration.AuthenticationProviderConfigurationSchema;
import org.apache.ignite3.internal.util.CompletableFutures;
import org.gridgain.internal.eventlog.api.GridGainEvents;
import org.gridgain.internal.rbac.privileges.Privilege;
import org.gridgain.internal.rbac.privileges.PrivilegeChecker;
import org.gridgain.internal.rbac.privileges.exception.AuthorizationException;
import org.gridgain.internal.security.context.Authentication;
import org.gridgain.internal.security.context.GridGainSecurity;
import org.gridgain.internal.security.context.SecurityContext;
import org.gridgain.internal.security.context.SecurityContextHolder;

/* loaded from: input_file:org/gridgain/internal/rbac/authorization/AuthorizerImpl.class */
public class AuthorizerImpl implements Authorizer {
    private PrivilegeChecker privilegeChecker;
    private final EventLog eventLog;
    private final AtomicBoolean isEnabled;

    public AuthorizerImpl(EventLog eventLog) {
        this.isEnabled = new AtomicBoolean();
        this.eventLog = eventLog;
    }

    public AuthorizerImpl() {
        this(supplier -> {
        });
    }

    public void init(PrivilegeChecker privilegeChecker) {
        this.privilegeChecker = privilegeChecker;
    }

    @Override // org.gridgain.internal.rbac.authorization.Authorizer
    public CompletableFuture<Void> authorizeAsync(SecurityContext securityContext, Privilege privilege) {
        if (!this.isEnabled.get()) {
            return CompletableFutures.nullCompletedFuture();
        }
        if (privilege.action().allowSelfAction() && securityContext.authentication().username() != null && securityContext.authentication().username().equals(privilege.selector().objectName())) {
            logAuthorizationSuccess(securityContext, privilege);
            return CompletableFutures.nullCompletedFuture();
        }
        Set<String> roles = securityContext.authentication().roles();
        if (!roles.contains(Authentication.SYSTEM_BYPASS_ROLE)) {
            return ((CompletableFuture) GridGainSecurity.bypass(() -> {
                return this.privilegeChecker.checkAnyAsync(privilege, roles);
            })).thenApply(bool -> {
                if (bool.booleanValue()) {
                    logAuthorizationSuccess(securityContext, privilege);
                    return null;
                }
                logAuthorizationFailure(securityContext, privilege);
                throw new AuthorizationException(Set.of(privilege), roles);
            });
        }
        logAuthorizationSuccess(securityContext, privilege);
        return CompletableFutures.nullCompletedFuture();
    }

    @Override // org.gridgain.internal.rbac.authorization.Authorizer
    public CompletableFuture<Void> authorizeAsync(Privilege privilege) {
        return !this.isEnabled.get() ? CompletableFutures.nullCompletedFuture() : authorizeAsync(SecurityContextHolder.getOrThrow(), privilege);
    }

    @Override // org.gridgain.internal.rbac.authorization.Authorizer
    public CompletableFuture<Void> authorizeAsync(SecurityContext securityContext, Set<Privilege> set) {
        if (!this.isEnabled.get()) {
            return CompletableFutures.nullCompletedFuture();
        }
        Set<String> roles = securityContext.authentication().roles();
        if (!roles.contains(Authentication.SYSTEM_BYPASS_ROLE)) {
            return ((CompletableFuture) GridGainSecurity.bypass(() -> {
                return this.privilegeChecker.checkAllAsync((Set<Privilege>) set, (Set<String>) roles);
            })).thenApply(privilegeCheckResult -> {
                if (privilegeCheckResult.isAllowed()) {
                    logAuthorizationSuccess(securityContext, (Set<Privilege>) set);
                    return null;
                }
                logAuthorizationFailure(securityContext, (Set<Privilege>) set);
                throw new AuthorizationException(privilegeCheckResult.missedPrivileges(), roles);
            });
        }
        logAuthorizationSuccess(securityContext, set);
        return CompletableFutures.nullCompletedFuture();
    }

    @Override // org.gridgain.internal.rbac.authorization.Authorizer
    public CompletableFuture<Void> authorizeAsync(Set<Privilege> set) {
        return !this.isEnabled.get() ? CompletableFutures.nullCompletedFuture() : authorizeAsync(SecurityContextHolder.getOrThrow(), set);
    }

    @Override // org.gridgain.internal.rbac.authorization.Authorizer
    public void enable(boolean z) {
        this.isEnabled.set(z);
    }

    private void logAuthorizationSuccess(SecurityContext securityContext, Set<Privilege> set) {
        logAuthorizationEvent(securityContext, set, GridGainEvents.USER_AUTHORIZATION_SUCCESS);
    }

    private void logAuthorizationSuccess(SecurityContext securityContext, Privilege privilege) {
        logAuthorizationSuccess(securityContext, Set.of(privilege));
    }

    private void logAuthorizationFailure(SecurityContext securityContext, Set<Privilege> set) {
        logAuthorizationEvent(securityContext, set, GridGainEvents.USER_AUTHORIZATION_FAILURE);
    }

    private void logAuthorizationFailure(SecurityContext securityContext, Privilege privilege) {
        logAuthorizationFailure(securityContext, Set.of(privilege));
    }

    private void logAuthorizationEvent(SecurityContext securityContext, Set<Privilege> set, GridGainEvents gridGainEvents) {
        Event build = gridGainEvents.builder().user(EventUser.of(securityContext.authentication().username(), AuthenticationProviderConfigurationSchema.TYPE_BASIC)).timestamp(System.currentTimeMillis()).fields(Map.of("privileges", set, "roles", securityContext.authentication().roles())).build();
        this.eventLog.log(() -> {
            return build;
        });
    }
}
