package org.apache.knox.gateway.service.idbroker;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.io.StringWriter;
import java.security.AccessController;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.security.GroupPrincipal;
import org.apache.knox.gateway.security.SubjectUtils;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.CryptoService;
import org.apache.knox.gateway.services.security.EncryptionResult;

/* loaded from: input_file:org/apache/knox/gateway/service/idbroker/AbstractKnoxCloudCredentialsClient.class */
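/**
 * Base class for the ID Broker cloud-credential clients.
 *
 * <p>It owns the role-resolution logic shared by all providers: given a role type
 * ({@link #ROLE_TYPE_USER}, {@link #ROLE_TYPE_GROUP}, {@link #ROLE_TYPE_EXPLICIT} or anything
 * else for the default lookup order) and an optional role/group specifier, it decides which
 * cloud role the authenticated subject may assume, or fails closed with an HTTP 403 carrying a
 * small JSON error body. Provider-specific credential acquisition is left to subclasses via
 * {@code getCredentialsForRole(String)} from the {@link KnoxCloudCredentialsClient} contract.
 *
 * <p>Service collaborators ({@code aliasService}, {@code cryptoService}, the configuration
 * provider) are injected through setters after construction and are not guarded here; callers
 * are expected to finish wiring before any request is served.
 */
public abstract class AbstractKnoxCloudCredentialsClient implements KnoxCloudCredentialsClient {
    protected static final String ROLE_TYPE_USER = "USER_ROLE";
    protected static final String ROLE_TYPE_GROUP = "GROUP_ROLE";
    protected static final String ROLE_TYPE_EXPLICIT = "EXPLICIT_ROLE";
    protected static final String CREDENTIAL_CACHE_TTL = "credential.cache.ttl";

    /** Upper bound on cached credential entries (evicted by size as well as by TTL). */
    private static final long CREDENTIAL_CACHE_MAX_SIZE = 1000L;
    /** TTL applied when {@link #CREDENTIAL_CACHE_TTL} is absent or not a valid integer. */
    private static final int DEFAULT_CREDENTIAL_CACHE_TTL_SECS = 1200;

    private static final IdBrokerServiceMessages log =
            (IdBrokerServiceMessages) MessagesFactory.get(IdBrokerServiceMessages.class);

    private CloudClientConfigurationProvider cloudConfigProvider;
    protected AliasService aliasService;
    protected CryptoService cryptoService;
    protected String topologyName;

    // Error texts returned to clients in the JSON body of a 403 response.
    static final String ERR_NO_ROLE_DEFINED = "No suitable role is defined for the authenticated user.";
    static final String ERR_USER_NOT_IN_REQUESTED_GROUP = "The authenticated user is not a member of the requested group.";
    static final String ERR_NO_ROLE_FOR_REQUESTED_GROUP = "There is no role mapped to the requested group.";
    static final String ERR_USER_NOT_IN_DEFAULT_GROUP = "The authenticated user is not a member of the configured default group.";
    static final String ERR_NO_ROLE_FOR_DEFAULT_GROUP = "There is no role mapped to the configured default group for the authenticated user.";
    static final String ERR_AMBIGUOUS_GROUP_MAPPINGS = "Ambiguous group role mappings for the authenticated user.";
    static final String ERR_NO_MATCHING_GROUP_MAPPINGS = "There is no mapped role for the group(s) associated with the authenticated user.";

    /** Cache of already-encrypted credentials, keyed by a subclass-defined string. */
    protected Cache<String, EncryptionResult> credentialCache;

    /**
     * Reads {@code topology.name} and builds the credential cache.
     *
     * @param properties service properties; {@link #CREDENTIAL_CACHE_TTL} is read as seconds
     */
    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public void init(Properties properties) {
        this.topologyName = properties.getProperty("topology.name");
        int ttlSeconds = NumberUtils.toInt(properties.getProperty(CREDENTIAL_CACHE_TTL), DEFAULT_CREDENTIAL_CACHE_TTL_SECS);
        this.credentialCache = CacheBuilder.newBuilder()
                .maximumSize(CREDENTIAL_CACHE_MAX_SIZE)
                .expireAfterWrite(ttlSeconds, TimeUnit.SECONDS)
                .recordStats()
                .build();
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public CloudClientConfigurationProvider getConfigProvider() {
        return this.cloudConfigProvider;
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public void setConfigProvider(CloudClientConfigurationProvider cloudClientConfigurationProvider) {
        this.cloudConfigProvider = cloudClientConfigurationProvider;
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public void setAliasService(AliasService aliasService) {
        this.aliasService = aliasService;
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public void setCryptoService(CryptoService cryptoService) {
        this.cryptoService = cryptoService;
    }

    /**
     * Resolves the role for the current subject and delegates to the provider-specific
     * {@code getCredentialsForRole(String)}.
     *
     * @param roleType one of the {@code ROLE_TYPE_*} constants, or any other value for the default order
     * @param roleSpec the requested group (for {@link #ROLE_TYPE_GROUP}) or role (for
     *                 {@link #ROLE_TYPE_EXPLICIT}); may be {@code null}
     * @return provider-specific credentials object
     * @throws WebApplicationException with status 403 when no role can be granted
     */
    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public Object getCredentialsForRole(String roleType, String roleSpec) {
        return getCredentialsForRole(getRole(roleType, roleSpec));
    }

    /**
     * Resolves the role using the default order (user mapping first, then group mapping).
     * Kept {@code public} because existing callers rely on that visibility.
     *
     * @return the resolved role, never {@code null}
     * @throws WebApplicationException with status 403 when no role can be granted
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getRole() {
        return getRole("", null);
    }

    /**
     * Decides which role the authenticated subject may assume.
     *
     * <p>This is the authorization decision of the service: an explicitly requested role is
     * only granted when {@link #isUserMappedToRole(String)} confirms it is mapped to the user or
     * to one of the user's groups; otherwise the request is refused with 403.
     *
     * @param roleType {@link #ROLE_TYPE_USER}, {@link #ROLE_TYPE_GROUP}, {@link #ROLE_TYPE_EXPLICIT};
     *                 any other value (including {@code null}) selects the default order
     * @param roleSpec group name or explicit role, depending on {@code roleType}; may be {@code null}
     * @return the resolved role, never {@code null}
     * @throws WebApplicationException with status 403 and a JSON body when no role can be granted
     */
    protected String getRole(String roleType, String roleSpec) {
        String role;
        switch (roleType == null ? "" : roleType) {
            case ROLE_TYPE_USER:
                role = getUserRole(true);
                break;
            case ROLE_TYPE_GROUP:
                role = getGroupRole(roleSpec);
                break;
            case ROLE_TYPE_EXPLICIT:
                // Fail closed: an explicit role must be provably mapped to this subject.
                role = (roleSpec != null && isUserMappedToRole(roleSpec)) ? roleSpec : null;
                break;
            default:
                // Default order: the user's own mapping wins, group mapping is the fallback.
                role = getUserRole(false);
                if (role == null) {
                    role = getGroupRole(roleSpec);
                }
                break;
        }
        if (role != null) {
            return role;
        }
        Subject subject = Subject.getSubject(AccessController.getContext());
        String authId = subject != null ? getEffectiveUserName(subject) : null;
        throw forbidden(ERR_NO_ROLE_DEFINED, generateJSONResponse(ERR_NO_ROLE_DEFINED, authId, null));
    }

    /**
     * Looks up the role mapped directly to the effective user of the current subject.
     *
     * @param logMissing whether to log when no user mapping exists
     * @return the mapped role, or {@code null} when there is no subject or no mapping
     */
    protected String getUserRole(boolean logMissing) {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return null;
        }
        String userName = getEffectiveUserName(subject);
        String role = getConfigProvider().getConfig().getUserRole(userName);
        if (role == null && logMissing) {
            log.noRoleForUser(userName);
        }
        return role;
    }

    /**
     * Same as {@link #getGroupRole(String, boolean)} with failure logging enabled.
     *
     * @param groupName requested group, or {@code null} for the default/unique group mapping
     * @return the mapped role, or {@code null}
     */
    protected String getGroupRole(String groupName) {
        return getGroupRole(groupName, true);
    }

    /**
     * Resolves the role mapped to a group of the current subject.
     *
     * <p>With a {@code groupName}, the subject must be a member of that group. Without one, the
     * user's configured default group is used, or — if none is configured — the single role that
     * the subject's groups map to (more than one candidate is treated as ambiguous).
     *
     * @param groupName   requested group, or {@code null} for the default lookup
     * @param logFailures when {@code true}, failures are logged and a missing mapping for a
     *                    group the user belongs to is reported as 403 instead of {@code null}
     * @return the mapped role, or {@code null} when there is no subject or no mapping
     * @throws WebApplicationException with status 403 and a JSON body on membership or mapping failure
     */
    protected String getGroupRole(String groupName, boolean logFailures) {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return null;
        }
        Set<String> groupNames = getGroupNames(subject);
        CloudClientConfiguration config = getConfigProvider().getConfig();
        if (groupName == null) {
            return resolveDefaultGroupRole(subject, groupNames, config, logFailures);
        }
        return resolveRequestedGroupRole(subject, groupNames, config, groupName, logFailures);
    }

    /** Resolves the role for an explicitly requested group the subject must belong to. */
    private String resolveRequestedGroupRole(Subject subject, Set<String> groupNames,
                                             CloudClientConfiguration config, String groupName,
                                             boolean logFailures) {
        if (!groupNames.contains(groupName)) {
            if (logFailures) {
                log.userNotInGroup(groupName);
            }
            String body = generateJSONResponse(ERR_USER_NOT_IN_REQUESTED_GROUP, getEffectiveUserName(subject), groupName);
            throw forbidden(body, body);
        }
        String role = config.getGroupRole(groupName);
        if (role == null && logFailures) {
            log.noRoleForGroup(groupName);
            String body = generateJSONResponse(ERR_NO_ROLE_FOR_REQUESTED_GROUP, null, groupName);
            throw forbidden(body, body);
        }
        return role;
    }

    /** Resolves the role via the user's default group, or the unique role among the user's groups. */
    private String resolveDefaultGroupRole(Subject subject, Set<String> groupNames,
                                           CloudClientConfiguration config, boolean logFailures) {
        String userName = getEffectiveUserName(subject);
        String defaultGroup = config.getDefaultGroupForUser(userName);
        if (defaultGroup == null) {
            // No default group: the subject's groups must map to exactly one role.
            Set<String> candidateRoles = new HashSet<>();
            for (String group : groupNames) {
                String groupRole = config.getGroupRole(group);
                if (groupRole != null) {
                    candidateRoles.add(groupRole);
                }
            }
            if (candidateRoles.size() == 1) {
                return candidateRoles.iterator().next();
            }
            if (candidateRoles.isEmpty()) {
                if (logFailures) {
                    log.noRoleForGroups(userName);
                }
                String body = generateJSONResponse(ERR_NO_MATCHING_GROUP_MAPPINGS, userName, null);
                throw forbidden(body, body);
            }
            if (logFailures) {
                log.multipleMatchingGroupRoles(userName);
            }
            String body = generateJSONResponse(ERR_AMBIGUOUS_GROUP_MAPPINGS, userName, null);
            throw forbidden(body, body);
        }
        if (!groupNames.contains(defaultGroup)) {
            if (logFailures) {
                log.userNotInGroup(defaultGroup);
            }
            String body = generateJSONResponse(ERR_USER_NOT_IN_DEFAULT_GROUP, userName, defaultGroup);
            throw forbidden(body, body);
        }
        String role = config.getGroupRole(defaultGroup);
        if (role == null && logFailures) {
            log.noRoleForGroup(defaultGroup);
            String body = generateJSONResponse(ERR_NO_ROLE_FOR_DEFAULT_GROUP, userName, defaultGroup);
            throw forbidden(body, body);
        }
        return role;
    }

    /**
     * Builds the 403 response used for every refused request.
     *
     * @param message  exception message (historically either the error text or the JSON body itself)
     * @param jsonBody entity of the response, as produced by {@link #generateJSONResponse}
     */
    private static WebApplicationException forbidden(String message, String jsonBody) {
        return new WebApplicationException(message,
                Response.status(Response.Status.FORBIDDEN).entity(jsonBody).build());
    }

    /**
     * Renders the JSON error body. {@code authId} and {@code groupId} may echo request-supplied
     * values (e.g. the requested group name), so they are escaped to keep the body well-formed
     * JSON regardless of their content.
     *
     * @param error   one of the {@code ERR_*} texts
     * @param authId  effective user name, omitted when {@code null}
     * @param groupId group name, omitted when {@code null}
     */
    private String generateJSONResponse(String error, String authId, String groupId) {
        StringBuilder json = new StringBuilder("{\n");
        json.append("\"error\" : \"").append(escapeJson(error)).append('"');
        if (authId != null) {
            json.append(",\n\"auth_id\" : \"").append(escapeJson(authId)).append('"');
        }
        if (groupId != null) {
            json.append(",\n\"group_id\" : \"").append(escapeJson(groupId)).append('"');
        }
        return json.append("\n}\n").toString();
    }

    /** Escapes quotes, backslashes and control characters for use inside a JSON string literal. */
    private static String escapeJson(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    out.append("\\\"");
                    break;
                case '\\':
                    out.append("\\\\");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\r':
                    out.append("\\r");
                    break;
                case '\t':
                    out.append("\\t");
                    break;
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Checks whether {@code role} is the user's own mapped role or the role mapped to one of the
     * user's groups. Without an authenticated subject nothing is mapped, so the answer is
     * {@code false} rather than an error.
     *
     * @param role the explicitly requested role
     * @return {@code true} when the subject is entitled to {@code role}
     */
    protected boolean isUserMappedToRole(String role) {
        if (role.equals(getUserRole(false))) {
            return true;
        }
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return false;
        }
        for (String group : getGroupNames(subject)) {
            // Logging is disabled here: a group without a mapping is simply not a match.
            if (role.equals(getGroupRole(group, false))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collects the names of the {@link GroupPrincipal}s carried by the subject.
     *
     * @param subject authenticated subject, must not be {@code null}
     * @return a mutable set of group names (possibly empty)
     */
    protected Set<String> getGroupNames(Subject subject) {
        Set<String> groupNames = new HashSet<>();
        for (Principal group : subject.getPrincipals(GroupPrincipal.class)) {
            groupNames.add(group.getName());
        }
        log.userGroups(getEffectiveUserName(subject), groupNames);
        return groupNames;
    }

    /**
     * Returns the effective principal name (honouring impersonation as resolved by
     * {@link SubjectUtils}) of the subject.
     */
    protected String getEffectiveUserName(Subject subject) {
        return SubjectUtils.getEffectivePrincipalName(subject);
    }
}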
