package org.apache.rocketmq.auth.authorization.chain;

import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.rocketmq.auth.authorization.context.DefaultAuthorizationContext;
import org.apache.rocketmq.auth.authorization.enums.Decision;
import org.apache.rocketmq.auth.authorization.enums.PolicyType;
import org.apache.rocketmq.auth.authorization.exception.AuthorizationException;
import org.apache.rocketmq.auth.authorization.factory.AuthorizationFactory;
import org.apache.rocketmq.auth.authorization.model.Acl;
import org.apache.rocketmq.auth.authorization.model.Environment;
import org.apache.rocketmq.auth.authorization.model.Policy;
import org.apache.rocketmq.auth.authorization.model.PolicyEntry;
import org.apache.rocketmq.auth.authorization.model.Resource;
import org.apache.rocketmq.auth.authorization.provider.AuthorizationMetadataProvider;
import org.apache.rocketmq.auth.config.AuthConfig;
import org.apache.rocketmq.common.chain.Handler;
import org.apache.rocketmq.common.chain.HandlerChain;
import org.apache.rocketmq.common.resource.ResourcePattern;
import org.apache.rocketmq.common.resource.ResourceType;

/* loaded from: input_file:org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.class */
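/**
 * Authorization handler that decides a request from the ACL stored for its subject.
 *
 * <p>The ACL is fetched from the configured {@link AuthorizationMetadataProvider}. Entries of the
 * {@code CUSTOM} policy are matched first; the {@code DEFAULT} policy is consulted only when no
 * custom entry matches. Among the matching entries a single one is selected by
 * {@link #comparePolicyEntries(PolicyEntry, PolicyEntry)} and its decision is enforced.
 *
 * <p>The handler fails closed: a missing ACL, no matching entry, or a {@code DENY} decision all
 * raise {@link AuthorizationException}. It never invokes the rest of the handler chain.
 */
public class AclAuthorizationHandler implements Handler<DefaultAuthorizationContext, CompletableFuture<Void>> {
    private final AuthorizationMetadataProvider authorizationMetadataProvider;

    /**
     * Creates a handler whose metadata provider is resolved from {@code authConfig}.
     *
     * @param authConfig configuration passed to {@link AuthorizationFactory#getMetadataProvider}
     */
    public AclAuthorizationHandler(AuthConfig authConfig) {
        this.authorizationMetadataProvider = AuthorizationFactory.getMetadataProvider(authConfig);
    }

    /**
     * Creates a handler whose metadata provider is resolved from {@code authConfig} and
     * {@code supplier}.
     *
     * @param authConfig configuration passed to {@link AuthorizationFactory#getMetadataProvider}
     * @param supplier   forwarded unchanged to the factory
     */
    public AclAuthorizationHandler(AuthConfig authConfig, Supplier<?> supplier) {
        this.authorizationMetadataProvider = AuthorizationFactory.getMetadataProvider(authConfig, supplier);
    }

    /**
     * Authorizes the request described by {@code defaultAuthorizationContext}.
     *
     * @param defaultAuthorizationContext subject, resource, actions and source IP of the request
     * @param handlerChain                not used; this handler does not delegate further
     * @return a future that completes normally when access is allowed and completes exceptionally
     *         with the {@link AuthorizationException} raised inside the callback otherwise
     * @throws AuthorizationException synchronously, when no metadata provider is configured
     */
    @Override
    public CompletableFuture<Void> handle(DefaultAuthorizationContext defaultAuthorizationContext, HandlerChain<DefaultAuthorizationContext, CompletableFuture<Void>> handlerChain) {
        if (this.authorizationMetadataProvider == null) {
            throw new AuthorizationException("The authorizationMetadataProvider is not configured");
        }
        return this.authorizationMetadataProvider.getAcl(defaultAuthorizationContext.getSubject()).thenAccept(acl -> {
            // throwException(...) always throws, so every branch below ends the callback.
            if (acl == null) {
                throwException(defaultAuthorizationContext, "no matched policies.");
            }
            PolicyEntry selected = matchPolicyEntries(defaultAuthorizationContext, acl);
            if (selected == null) {
                throwException(defaultAuthorizationContext, "no matched policies.");
            }
            // NOTE(review): only an explicit DENY rejects here; any other decision value
            // (including null, if an entry can carry one) is treated as allowed. Confirm that
            // entries are validated where they are stored.
            if (selected.getDecision() == Decision.DENY) {
                throwException(defaultAuthorizationContext, "the decision is deny.");
            }
        });
    }

    /**
     * Selects the single policy entry that decides the request.
     *
     * @return the first entry after sorting the matches with {@link #comparePolicyEntries}, or
     *         {@code null} when neither the custom nor the default policy has a matching entry
     */
    private PolicyEntry matchPolicyEntries(DefaultAuthorizationContext context, Acl acl) {
        List<PolicyEntry> candidates = new ArrayList<>();
        Policy customPolicy = acl.getPolicy(PolicyType.CUSTOM);
        if (customPolicy != null) {
            candidates.addAll(matchPolicyEntries(context, customPolicy.getEntries()));
        }
        // The default policy is a fallback only: it is ignored as soon as one custom entry matches.
        if (candidates.isEmpty()) {
            Policy defaultPolicy = acl.getPolicy(PolicyType.DEFAULT);
            if (defaultPolicy != null) {
                candidates.addAll(matchPolicyEntries(context, defaultPolicy.getEntries()));
            }
        }
        if (candidates.isEmpty()) {
            return null;
        }
        candidates.sort(this::comparePolicyEntries);
        return candidates.get(0);
    }

    /**
     * Filters {@code entries} down to those matching the request's resource, actions and source IP.
     *
     * @return the matching entries in their original order; empty (never {@code null}) when
     *         {@code entries} is null or empty or nothing matches
     */
    private List<PolicyEntry> matchPolicyEntries(DefaultAuthorizationContext context, List<PolicyEntry> entries) {
        if (CollectionUtils.isEmpty(entries)) {
            return new ArrayList<>();
        }
        // && short-circuits in the same order as the original chain of three filters.
        return entries.stream()
            .filter(entry -> entry.isMatchResource(context.getResource())
                && entry.isMatchAction(context.getActions())
                && entry.isMatchEnvironment(Environment.of(context.getSourceIp())))
            .collect(Collectors.toList());
    }

    /**
     * Orders matching entries; the entry that sorts first is the one enforced.
     *
     * <p>Order applied:
     * <ol>
     *   <li>different resource types: an entry of type {@code ANY} sorts after the other one;</li>
     *   <li>same type, different patterns: {@code LITERAL} before {@code PREFIXED} before any
     *       other pattern;</li>
     *   <li>same type, both {@code PREFIXED}: shorter resource name first;</li>
     *   <li>otherwise: a {@code DENY} entry sorts after a non-{@code DENY} entry.</li>
     * </ol>
     *
     * <p>Rules 2 and 4 previously broke the comparator contract: the pattern branch tested only
     * the first entry, so {@code compare(a, b)} and {@code compare(b, a)} could both be negative,
     * and two {@code DENY} entries compared as {@code 1} in both directions. The selected entry
     * then depended on the order in which entries were stored. Both rules are now symmetric.
     */
    private int comparePolicyEntries(PolicyEntry policyEntry, PolicyEntry policyEntry2) {
        Resource left = policyEntry.getResource();
        Resource right = policyEntry2.getResource();
        int order = 0;
        if (left.getResourceType() != right.getResourceType()) {
            if (left.getResourceType() == ResourceType.ANY) {
                order = 1;
            }
            if (right.getResourceType() == ResourceType.ANY) {
                order = -1;
            }
        } else if (left.getResourcePattern() != right.getResourcePattern()) {
            // NOTE(review): LITERAL-before-PREFIXED is chosen as "exact match is more specific";
            // the previous code gave no consistent answer for this pair. Confirm against the
            // documented precedence.
            order = Integer.compare(patternRank(left.getResourcePattern()), patternRank(right.getResourcePattern()));
        } else if (left.getResourcePattern() == ResourcePattern.PREFIXED) {
            // NOTE(review): ascending length means the shorter (broader) prefix is selected.
            // Kept as found; longest-prefix-wins would need the operands swapped. Confirm.
            order = Integer.compare(left.getResourceName().length(), right.getResourceName().length());
        }
        if (order != 0) {
            return order;
        }
        Decision leftDecision = policyEntry.getDecision();
        Decision rightDecision = policyEntry2.getDecision();
        if (leftDecision == rightDecision) {
            return 0;
        }
        // NOTE(review): DENY sorts last, so at equal specificity a non-DENY entry is the one
        // enforced. Kept as found; confirm this allow-over-deny tie-break is the intended policy.
        if (leftDecision == Decision.DENY) {
            return 1;
        }
        return rightDecision == Decision.DENY ? -1 : 0;
    }

    /** Ranks a resource pattern for sorting: lower rank sorts first. */
    private static int patternRank(ResourcePattern pattern) {
        if (pattern == ResourcePattern.LITERAL) {
            return 0;
        }
        if (pattern == ResourcePattern.PREFIXED) {
            return 1;
        }
        return 2;
    }

    /**
     * Always throws an {@link AuthorizationException} naming the subject, resource and source IP
     * of the rejected request, followed by {@code str} as the reason.
     */
    private static void throwException(DefaultAuthorizationContext context, String str) {
        throw new AuthorizationException("{} has no permission to access {} from {}, " + str, context.getSubject().getSubjectKey(), context.getResource().getResourceKey(), context.getSourceIp());
    }

    // The decompiler-emitted synthetic bridge handle(Object, HandlerChain) is not declared by hand:
    // javac generates it for the generic Handler interface.
}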
