package org.apache.rocketmq.auth.authorization.manager;

import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.rocketmq.auth.authentication.enums.SubjectType;
import org.apache.rocketmq.auth.authentication.factory.AuthenticationFactory;
import org.apache.rocketmq.auth.authentication.model.Subject;
import org.apache.rocketmq.auth.authentication.model.User;
import org.apache.rocketmq.auth.authentication.provider.AuthenticationMetadataProvider;
import org.apache.rocketmq.auth.authorization.enums.PolicyType;
import org.apache.rocketmq.auth.authorization.exception.AuthorizationException;
import org.apache.rocketmq.auth.authorization.factory.AuthorizationFactory;
import org.apache.rocketmq.auth.authorization.model.Acl;
import org.apache.rocketmq.auth.authorization.model.Environment;
import org.apache.rocketmq.auth.authorization.model.Policy;
import org.apache.rocketmq.auth.authorization.model.PolicyEntry;
import org.apache.rocketmq.auth.authorization.model.Resource;
import org.apache.rocketmq.auth.authorization.provider.AuthorizationMetadataProvider;
import org.apache.rocketmq.auth.config.AuthConfig;
import org.apache.rocketmq.common.action.Action;
import org.apache.rocketmq.common.utils.ExceptionUtils;
import org.apache.rocketmq.common.utils.IPAddressUtils;

/* loaded from: input_file:org/apache/rocketmq/auth/authorization/manager/AuthorizationMetadataManagerImpl.class */
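/**
 * Default {@link AuthorizationMetadataManager}: validates incoming ACLs and delegates storage to
 * the {@link AuthorizationMetadataProvider} built for the given {@link AuthConfig}.
 *
 * <p>Before an ACL is created, updated, read or deleted for a {@link SubjectType#USER} subject, the
 * user is looked up through the {@link AuthenticationMetadataProvider}; a username that does not
 * exist is rejected, so ACLs are never attached to unknown users. Non-user subjects pass through
 * without such a lookup.
 *
 * <p>All asynchronous methods report failures through the returned future (see
 * {@link #handleException(Exception)}) rather than by throwing synchronously.
 *
 * <p>NOTE(review): create/update/delete are read-modify-write sequences (get ACL, mutate, store)
 * with no locking here; whether concurrent changes to the same subject are serialized depends on
 * the provider — confirm before relying on it.
 */
public class AuthorizationMetadataManagerImpl implements AuthorizationMetadataManager {
    private final AuthorizationMetadataProvider authorizationMetadataProvider;
    private final AuthenticationMetadataProvider authenticationMetadataProvider;

    /**
     * Builds the manager from the providers the two factories derive from {@code authConfig}.
     * The null checks in {@link #shutdown()} suggest a factory may yield {@code null}; the private
     * accessors below turn use of a missing provider into an {@link IllegalStateException}.
     *
     * @param authConfig configuration handed to the provider factories
     */
    public AuthorizationMetadataManagerImpl(AuthConfig authConfig) {
        this.authorizationMetadataProvider = AuthorizationFactory.getMetadataProvider(authConfig);
        this.authenticationMetadataProvider = AuthenticationFactory.getMetadataProvider(authConfig);
    }

    /** Shuts down both providers, skipping any that was not configured. */
    @Override
    public void shutdown() {
        if (this.authenticationMetadataProvider != null) {
            this.authenticationMetadataProvider.shutdown();
        }
        if (this.authorizationMetadataProvider != null) {
            this.authorizationMetadataProvider.shutdown();
        }
    }

    /**
     * Creates the ACL for {@code acl}'s subject, or — when one already exists — merges
     * {@code acl}'s policies into it via {@link Acl#updatePolicy}. In this implementation the
     * behavior is identical to {@link #updateAcl(Acl)}; both share {@link #upsertAcl(Acl)}.
     *
     * @param acl the ACL to store; must have a typed subject and at least one policy with entries
     * @return a future completed when the ACL is stored, or failed with the validation or
     *     provider error
     */
    @Override
    public CompletableFuture<Void> createAcl(Acl acl) {
        return upsertAcl(acl);
    }

    /**
     * Merges {@code acl}'s policies into the stored ACL for its subject, creating the ACL when
     * none exists. Identical to {@link #createAcl(Acl)} in this implementation.
     *
     * @param acl the ACL to store; must have a typed subject and at least one policy with entries
     * @return a future completed when the ACL is stored, or failed with the validation or
     *     provider error
     */
    @Override
    public CompletableFuture<Void> updateAcl(Acl acl) {
        return upsertAcl(acl);
    }

    /**
     * Removes the subject's whole ACL. Equivalent to {@code deleteAcl(subject, null, null)}.
     *
     * @param subject owner of the ACL to remove
     * @return a future completed when the ACL is removed, or failed with the error
     */
    @Override
    public CompletableFuture<Void> deleteAcl(Subject subject) {
        return deleteAcl(subject, null, null);
    }

    /**
     * Removes either one resource policy or the whole ACL of {@code subject}.
     *
     * <ul>
     *   <li>{@code resource == null}: the entire ACL is deleted, whatever {@code policyType} is.</li>
     *   <li>otherwise the policy for ({@code policyType}, {@code resource}) is removed; if that
     *       leaves the ACL without policies the ACL itself is deleted, else it is stored back.</li>
     * </ul>
     *
     * @param subject owner of the ACL; must not be {@code null}
     * @param policyType policy to address; {@code null} means {@link PolicyType#CUSTOM}, the same
     *     default {@link #initAcl(Acl)} applies on write
     * @param resource resource whose policy is removed, or {@code null} for the whole ACL
     * @return a future completed when the change is stored; failed when the subject or its ACL
     *     does not exist or the provider fails
     */
    @Override
    public CompletableFuture<Void> deleteAcl(Subject subject, PolicyType policyType, Resource resource) {
        try {
            if (subject == null) {
                throw new AuthorizationException("The subject is null.");
            }
            // Must be effectively final for the lambda below.
            PolicyType effectiveType = policyType == null ? PolicyType.CUSTOM : policyType;
            CompletableFuture<Acl> aclFuture = getAuthorizationMetadataProvider().getAcl(subject);
            return resolveSubject(subject)
                .thenCombine(aclFuture, (resolved, acl) -> {
                    if (resolved == null) {
                        throw new AuthorizationException("The subject is not exist.");
                    }
                    if (acl == null) {
                        throw new AuthorizationException("The acl is not exist.");
                    }
                    return acl;
                })
                .thenCompose(acl -> {
                    if (resource == null) {
                        return getAuthorizationMetadataProvider().deleteAcl(subject);
                    }
                    acl.deletePolicy(effectiveType, resource);
                    // An ACL with no policies left is dropped rather than stored empty.
                    if (CollectionUtils.isEmpty(acl.getPolicies())) {
                        return getAuthorizationMetadataProvider().deleteAcl(subject);
                    }
                    return getAuthorizationMetadataProvider().updateAcl(acl);
                });
        } catch (Exception e) {
            return handleException(e);
        }
    }

    /**
     * Reads the stored ACL of {@code subject}. A user subject is first resolved through the
     * authentication provider and rejected if unknown.
     *
     * @param subject owner of the ACL; must not be {@code null}
     * @return a future holding the ACL as returned by the provider (may complete with
     *     {@code null} if the provider has none), or failed with the error
     */
    @Override
    public CompletableFuture<Acl> getAcl(Subject subject) {
        try {
            if (subject == null) {
                throw new AuthorizationException("The subject is null.");
            }
            return resolveSubject(subject).thenCompose(resolved -> {
                if (resolved == null) {
                    throw new AuthorizationException("The subject is not exist.");
                }
                return getAuthorizationMetadataProvider().getAcl(subject);
            });
        } catch (Exception e) {
            return handleException(e);
        }
    }

    /**
     * Lists ACLs through the provider. Both filter strings are passed through untouched; their
     * meaning is defined by {@link AuthorizationMetadataProvider#listAcl} (the decompiled
     * parameter names carry no information).
     *
     * @param str first filter, forwarded as-is
     * @param str2 second filter, forwarded as-is
     * @return the provider's result future
     */
    @Override
    public CompletableFuture<List<Acl>> listAcl(String str, String str2) {
        return getAuthorizationMetadataProvider().listAcl(str, str2);
    }

    /**
     * Shared body of {@link #createAcl(Acl)} and {@link #updateAcl(Acl)}: validate, default the
     * policy types, verify the subject exists, then create or merge-and-update.
     *
     * @param acl the ACL to store
     * @return a future completed when stored, or failed with the validation or provider error
     */
    private CompletableFuture<Void> upsertAcl(Acl acl) {
        try {
            validate(acl);
            initAcl(acl);
            Subject subject = acl.getSubject();
            return resolveSubject(subject)
                .thenCompose(resolved -> {
                    if (resolved == null) {
                        throw new AuthorizationException("The subject of {} is not exist.", subject.getSubjectKey());
                    }
                    return getAuthorizationMetadataProvider().getAcl(subject);
                })
                .thenCompose(existing -> {
                    if (existing == null) {
                        return getAuthorizationMetadataProvider().createAcl(acl);
                    }
                    // Merge into the stored ACL instead of replacing it wholesale.
                    existing.updatePolicy(acl.getPolicies());
                    return getAuthorizationMetadataProvider().updateAcl(existing);
                });
        } catch (Exception e) {
            return handleException(e);
        }
    }

    /**
     * Resolves a subject for an existence check: a {@link SubjectType#USER} subject is looked up
     * by username through the authentication provider (completing with {@code null} when the user
     * is unknown); any other subject is returned as-is.
     *
     * @param subject non-null subject
     * @return future with the resolved subject, or {@code null} for an unknown user
     * @throws IllegalStateException if the authentication provider is not configured
     */
    private CompletableFuture<? extends Subject> resolveSubject(Subject subject) {
        if (subject.isSubject(SubjectType.USER)) {
            return getAuthenticationMetadataProvider().getUser(((User) subject).getUsername());
        }
        return CompletableFuture.completedFuture(subject);
    }

    /**
     * Defaults every policy without a type to {@link PolicyType#CUSTOM} so later lookups by
     * (type, resource) — e.g. {@link #deleteAcl(Subject, PolicyType, Resource)} — find it.
     * Call after {@link #validate(Acl)}, which guarantees the policy list is non-empty.
     */
    private static void initAcl(Acl acl) {
        for (Policy policy : acl.getPolicies()) {
            if (policy.getPolicyType() == null) {
                policy.setPolicyType(PolicyType.CUSTOM);
            }
        }
    }

    /**
     * Validates an ACL: non-null ACL and subject, typed subject, and at least one valid policy.
     *
     * @throws AuthorizationException describing the first problem found
     */
    private void validate(Acl acl) {
        if (acl == null) {
            throw new AuthorizationException("The acl is null.");
        }
        if (acl.getSubject() == null) {
            throw new AuthorizationException("The subject is null.");
        }
        if (acl.getSubject().getSubjectType() == null) {
            throw new AuthorizationException("The subject type is null.");
        }
        List<Policy> policies = acl.getPolicies();
        if (CollectionUtils.isEmpty(policies)) {
            throw new AuthorizationException("The policies is empty.");
        }
        for (Policy policy : policies) {
            validate(policy);
        }
    }

    /**
     * Validates a policy: non-null with at least one valid entry.
     *
     * @throws AuthorizationException describing the first problem found
     */
    private void validate(Policy policy) {
        if (policy == null) {
            throw new AuthorizationException("The policy is null.");
        }
        List<PolicyEntry> entries = policy.getEntries();
        if (CollectionUtils.isEmpty(entries)) {
            throw new AuthorizationException("The policy entries is empty.");
        }
        for (PolicyEntry entry : entries) {
            validate(entry);
        }
    }

    /**
     * Validates one policy entry: a fully specified resource (type and pattern), a non-empty
     * action set that does not contain the wildcard {@link Action#ANY}, well-formed source IPs
     * or CIDR ranges when an environment restriction is given, and a decision.
     *
     * @throws AuthorizationException describing the first problem found
     */
    private void validate(PolicyEntry policyEntry) {
        if (policyEntry == null) {
            throw new AuthorizationException("The policy entry is null.");
        }
        Resource resource = policyEntry.getResource();
        if (resource == null) {
            throw new AuthorizationException("The resource is null.");
        }
        if (resource.getResourceType() == null) {
            throw new AuthorizationException("The resource type is null.");
        }
        if (resource.getResourcePattern() == null) {
            throw new AuthorizationException("The resource pattern is null.");
        }
        if (CollectionUtils.isEmpty(policyEntry.getActions())) {
            throw new AuthorizationException("The actions is empty.");
        }
        // A stored policy must name its actions explicitly; the wildcard is not persisted.
        if (policyEntry.getActions().contains(Action.ANY)) {
            throw new AuthorizationException("The actions can not be Any.");
        }
        Environment environment = policyEntry.getEnvironment();
        if (environment != null && CollectionUtils.isNotEmpty(environment.getSourceIps())) {
            for (String sourceIp : environment.getSourceIps()) {
                if (StringUtils.isBlank(sourceIp)) {
                    throw new AuthorizationException("The source ip is empty.");
                }
                if (!IPAddressUtils.isValidIPOrCidr(sourceIp)) {
                    throw new AuthorizationException("The source ip is invalid.");
                }
            }
        }
        if (policyEntry.getDecision() == null) {
            throw new AuthorizationException("The decision is null or illegal.");
        }
    }

    /**
     * Converts a synchronously thrown exception into a failed future so every public method
     * reports errors the same way. {@link ExceptionUtils#getRealException} unwraps the cause.
     */
    private <T> CompletableFuture<T> handleException(Exception exc) {
        CompletableFuture<T> failed = new CompletableFuture<>();
        failed.completeExceptionally(ExceptionUtils.getRealException(exc));
        return failed;
    }

    /**
     * @return the authentication provider
     * @throws IllegalStateException if it was not configured (the check previously tested the
     *     wrong field, which would have produced a {@code NullPointerException} instead)
     */
    private AuthenticationMetadataProvider getAuthenticationMetadataProvider() {
        if (this.authenticationMetadataProvider == null) {
            throw new IllegalStateException("The authenticationMetadataProvider is not configured.");
        }
        return this.authenticationMetadataProvider;
    }

    /**
     * @return the authorization provider
     * @throws IllegalStateException if it was not configured (the check previously tested the
     *     wrong field and named the wrong provider in its message)
     */
    private AuthorizationMetadataProvider getAuthorizationMetadataProvider() {
        if (this.authorizationMetadataProvider == null) {
            throw new IllegalStateException("The authorizationMetadataProvider is not configured.");
        }
        return this.authorizationMetadataProvider;
    }
}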
