package io.confluent.catalog.web.filters;

import io.confluent.catalog.client.autthorizer.CatalogAuthorizerClient;
import io.confluent.catalog.model.ModelConstants;
import io.confluent.catalog.util.CatalogTenantUtils;
import io.confluent.catalog.util.QualifiedNameGenerator;
import io.confluent.catalog.util.RbacConstants;
import io.confluent.catalog.util.RbacException;
import io.confluent.catalog.util.RbacUtils;
import io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry;
import io.confluent.kafka.schemaregistry.utils.QualifiedSubject;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Set;
import org.apache.atlas.authorize.AtlasAdminAccessRequest;
import org.apache.atlas.authorize.AtlasAuthorizationException;
import org.apache.atlas.authorize.AtlasAuthorizer;
import org.apache.atlas.authorize.AtlasEntityAccessRequest;
import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
import org.apache.atlas.authorize.AtlasTypeAccessRequest;
import org.apache.atlas.authorize.AtlasTypesDefFilterRequest;
import org.apache.atlas.model.discovery.AtlasSearchResult;
import org.apache.atlas.model.instance.AtlasEntity;
import org.apache.atlas.model.instance.AtlasEntityHeader;
import org.apache.atlas.model.instance.AtlasRelatedObjectId;
import org.apache.atlas.repository.store.graph.AtlasEntityStore;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/catalog/web/filters/CatalogRbacAuthorizationFilter.class */
public class CatalogRbacAuthorizationFilter implements AtlasAuthorizer {
    private boolean isRbacEnabled;
    private Map<String, Object> authorizationConfig;
    private CatalogAuthorizerClient authorizerRestClient;
    private KafkaSchemaRegistry schemaRegistry;
    private AtlasEntityStore entityStore;
    private static ThreadLocal<Integer> preRbacResultSize = new ThreadLocal<>();
    private static final Logger LOG = LoggerFactory.getLogger(CatalogRbacAuthorizationFilter.class);

    public void init() {
        this.isRbacEnabled = false;
        LOG.debug("Initialized CatalogRbacAuthorizationFilter. RBAC not enabled yet");
    }

    public void cleanUp() {
    }

    public boolean isAccessAllowed(AtlasAdminAccessRequest atlasAdminAccessRequest) throws AtlasAuthorizationException {
        return false;
    }

    public boolean isAccessAllowed(AtlasEntityAccessRequest atlasEntityAccessRequest) throws AtlasAuthorizationException {
        return true;
    }

    public boolean isAccessAllowed(AtlasTypeAccessRequest atlasTypeAccessRequest) throws AtlasAuthorizationException {
        return true;
    }

    public boolean isAccessAllowed(AtlasRelationshipAccessRequest atlasRelationshipAccessRequest) throws AtlasAuthorizationException {
        return true;
    }

    public void scrubSearchResults(AtlasSearchResultScrubRequest atlasSearchResultScrubRequest) throws AtlasAuthorizationException {
        AtlasSearchResult searchResult = atlasSearchResultScrubRequest.getSearchResult();
        if (searchResult.getEntities() != null) {
            preRbacResultSize.set(Integer.valueOf(searchResult.getEntities().size()));
        } else {
            preRbacResultSize.set(0);
        }
        LOG.info("search params in filter " + searchResult.getSearchParameters().toString());
        if (this.isRbacEnabled) {
            if (CollectionUtils.isNotEmpty(searchResult.getEntities())) {
                scrubEntities(atlasSearchResultScrubRequest.getUser(), searchResult.getEntities());
                ListIterator listIterator = searchResult.getEntities().listIterator();
                while (listIterator.hasNext()) {
                    if (((AtlasEntityHeader) listIterator.next()).getGuid().equals("-1")) {
                        listIterator.remove();
                    }
                }
            }
            if (CollectionUtils.isNotEmpty(searchResult.getFullTextResult())) {
                LinkedList linkedList = new LinkedList();
                for (AtlasSearchResult.AtlasFullTextResult atlasFullTextResult : searchResult.getFullTextResult()) {
                    if (atlasFullTextResult != null) {
                        linkedList.add(atlasFullTextResult.getEntity());
                    }
                }
                scrubEntities(atlasSearchResultScrubRequest.getUser(), linkedList);
                ListIterator listIterator2 = searchResult.getFullTextResult().listIterator();
                while (listIterator2.hasNext()) {
                    AtlasSearchResult.AtlasFullTextResult atlasFullTextResult2 = (AtlasSearchResult.AtlasFullTextResult) listIterator2.next();
                    if (atlasFullTextResult2 != null && atlasFullTextResult2.getEntity().getGuid().equals("-1")) {
                        listIterator2.remove();
                    }
                }
            }
            if (MapUtils.isNotEmpty(searchResult.getReferredEntities())) {
                LinkedList linkedList2 = new LinkedList();
                Iterator it = searchResult.getReferredEntities().values().iterator();
                while (it.hasNext()) {
                    linkedList2.add((AtlasEntityHeader) it.next());
                }
                scrubEntities(atlasSearchResultScrubRequest.getUser(), linkedList2);
                Iterator it2 = searchResult.getReferredEntities().values().iterator();
                while (it2.hasNext()) {
                    AtlasEntityHeader atlasEntityHeader = (AtlasEntityHeader) it2.next();
                    if (atlasEntityHeader != null && atlasEntityHeader.getGuid().equals("-1")) {
                        it2.remove();
                    }
                }
            }
        }
    }

    public static Integer getPreRbacResultSize() {
        return preRbacResultSize.get();
    }

    public static void removePreRbacResultSize() {
        preRbacResultSize.remove();
    }

    public void scrubEntityHeader(AtlasEntityHeader atlasEntityHeader) {
        super.scrubEntityHeader(atlasEntityHeader);
        atlasEntityHeader.setDisplayText("Not Authorized");
    }

    public void filterTypesDef(AtlasTypesDefFilterRequest atlasTypesDefFilterRequest) throws AtlasAuthorizationException {
    }

    public void setRbacEnabled(boolean z) {
        this.isRbacEnabled = z;
        LOG.debug("RBAC Enabled = {}", Boolean.valueOf(z));
    }

    public void setSchemaRegistry(KafkaSchemaRegistry kafkaSchemaRegistry) {
        this.schemaRegistry = kafkaSchemaRegistry;
    }

    public void setAuthorizerRestClient(CatalogAuthorizerClient catalogAuthorizerClient) {
        this.authorizerRestClient = catalogAuthorizerClient;
        LOG.debug("Set Authorizer rest client");
    }

    public void setEntityStore(AtlasEntityStore atlasEntityStore) {
        this.entityStore = atlasEntityStore;
    }

    public void scrubEntities(String str, Collection<AtlasEntityHeader> collection) {
        for (AtlasEntityHeader atlasEntityHeader : collection) {
            try {
                checkEntityAuthorization(str, atlasEntityHeader);
            } catch (Exception e) {
                LOG.error("RBAC Auth Error. Entity:{} EntityType:{},Exception:{}", new Object[]{atlasEntityHeader.getAttribute(ModelConstants.ATTR_QUALIFIED_NAME), atlasEntityHeader.getTypeName(), e.getMessage()});
                scrubEntityHeader(atlasEntityHeader);
            }
        }
    }

    private void checkEntityAuthorization(String str, AtlasEntityHeader atlasEntityHeader) throws Exception {
        List<CatalogAuthorizerClient.CatalogAuthorizerAction> convertToActions = convertToActions(atlasEntityHeader);
        if (convertToActions.size() == 0) {
            LOG.debug("Actions empty for resource {}. No authorization check is performed", atlasEntityHeader.getAttribute(ModelConstants.ATTR_QUALIFIED_NAME));
            return;
        }
        boolean z = false;
        Iterator<CatalogAuthorizerClient.CatalogAuthorizerResponse> it = this.authorizerRestClient.authorize(CatalogRequestContextHolder.getRequestContext(), str, new CatalogAuthorizerClient.CatalogAuthorizerRequest("", convertToActions)).iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            } else if (it.next().getResult() == CatalogAuthorizerClient.CatalogAuthorizeResult.ALLOWED) {
                z = true;
                break;
            }
        }
        if (z) {
            return;
        }
        LOG.debug("Read Authorization not allowed for resource {}. Entity will be scrubbed", atlasEntityHeader.getAttribute(ModelConstants.ATTR_QUALIFIED_NAME));
        scrubEntityHeader(atlasEntityHeader);
    }

    private List<CatalogAuthorizerClient.CatalogAuthorizerAction> convertToActions(AtlasEntityHeader atlasEntityHeader) throws Exception {
        Set listSubjectsForId;
        String str = (String) atlasEntityHeader.getAttribute(ModelConstants.ATTR_QUALIFIED_NAME);
        String[] parseQualifiedName = QualifiedNameGenerator.parseQualifiedName(str);
        String str2 = parseQualifiedName[0];
        String stripEntityTenantPrefix = QualifiedNameGenerator.stripEntityTenantPrefix(str2, atlasEntityHeader.getTypeName(), str);
        LinkedList linkedList = new LinkedList();
        RbacConstants.RbacResourceTypes rbacResourceType = RbacUtils.toRbacResourceType(atlasEntityHeader.getTypeName());
        if (rbacResourceType == null) {
            LOG.error("Null entity type: {}", atlasEntityHeader.getTypeName());
            throw new RbacException("Unknown entity type");
        }
        switch (rbacResourceType) {
            case CatalogSubject:
                String str3 = parseQualifiedName[1];
                if (atlasEntityHeader.getTypeName().equals("sr_subject_version")) {
                    listSubjectsForId = Collections.singleton(new QualifiedSubject(str2, str3, parseQualifiedName[2]).toQualifiedSubject());
                } else {
                    listSubjectsForId = this.schemaRegistry.listSubjectsForId(Integer.parseInt(parseQualifiedName[2]), str3, atlasEntityHeader.getStatus() == AtlasEntity.Status.DELETED);
                }
                if (listSubjectsForId == null) {
                    LOG.error("CatalogRbacAuthorizationFilter:scrubEntities Empty subject list for tenant {}", str2);
                    break;
                } else {
                    Iterator it = listSubjectsForId.iterator();
                    while (it.hasNext()) {
                        linkedList.add(RbacUtils.getUrlEncodedAuthorizerAction(RbacConstants.RbacResourceTypes.CatalogSubject.getLabel(), CatalogTenantUtils.subjectFor(str2, (String) it.next()), RbacConstants.RbacOperations.ReadCatalog.name()));
                    }
                    break;
                }
            case CatalogTopic:
                String str4 = parseQualifiedName[parseQualifiedName.length - 1];
                if (str4 == null) {
                    str4 = stripEntityTenantPrefix;
                }
                linkedList.add(RbacUtils.getUrlEncodedAuthorizerAction(RbacConstants.RbacResourceTypes.CatalogTopic.getLabel(), str4, RbacConstants.RbacOperations.ReadCatalog.name()));
                break;
            case CatalogConnector:
                linkedList.add(RbacUtils.getUrlEncodedAuthorizerAction(RbacConstants.RbacResourceTypes.CatalogConnector.getLabel(), (String) atlasEntityHeader.getAttribute(ModelConstants.ATTR_NAME), RbacConstants.RbacOperations.ReadCatalog.name()));
                break;
            case CatalogPipeline:
            case CatalogKafkaCluster:
            case CatalogEnvironment:
                linkedList.add(RbacUtils.getUrlEncodedAuthorizerAction(rbacResourceType.getLabel(), stripEntityTenantPrefix, RbacConstants.RbacOperations.ReadCatalog.name()));
                break;
            case CatalogKafkaClusterLink:
                AtlasRelatedObjectId atlasRelatedObjectId = (AtlasRelatedObjectId) this.entityStore.getById(atlasEntityHeader.getGuid()).getEntity().getRelationshipAttribute(ModelConstants.RELN_DESTINATION_CLUSTER);
                if (atlasRelatedObjectId != null && AtlasEntity.Status.ACTIVE == atlasRelatedObjectId.getEntityStatus()) {
                    AtlasEntity.AtlasEntityWithExtInfo byId = this.entityStore.getById(atlasRelatedObjectId.getGuid(), true, true);
                    if (byId != null && byId.getEntity() != null) {
                        linkedList.add(RbacUtils.getUrlEncodedAuthorizerAction(rbacResourceType.getLabel(), (String) byId.getEntity().getAttribute(ModelConstants.ATTR_ID), RbacConstants.RbacOperations.ReadCatalog.name()));
                        break;
                    } else {
                        LOG.error("Invalid destination lkc for: {} for {}", "kafka_cluster_link", str);
                        throw new RbacException("No destination cluster entity");
                    }
                } else {
                    LOG.error("No active destination cluster for: {} for {}", "kafka_cluster_link", str);
                    throw new RbacException("No active destination cluster");
                }
                break;
            default:
                LOG.error("Unknown entity type: {} for {}", rbacResourceType, str);
                throw new RbacException("Unknown entity type");
        }
        return linkedList;
    }
}
