package org.apache.rocketmq.auth.authorization.provider;

import com.google.protobuf.GeneratedMessageV3;
import io.grpc.Metadata;
import io.netty.channel.ChannelHandlerContext;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.rocketmq.auth.authorization.builder.AuthorizationContextBuilder;
import org.apache.rocketmq.auth.authorization.builder.DefaultAuthorizationContextBuilder;
import org.apache.rocketmq.auth.authorization.chain.AclAuthorizationHandler;
import org.apache.rocketmq.auth.authorization.chain.UserAuthorizationHandler;
import org.apache.rocketmq.auth.authorization.context.DefaultAuthorizationContext;
import org.apache.rocketmq.auth.authorization.enums.Decision;
import org.apache.rocketmq.auth.config.AuthConfig;
import org.apache.rocketmq.common.chain.HandlerChain;
import org.apache.rocketmq.remoting.protocol.RemotingCommand;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/rocketmq/auth/authorization/provider/DefaultAuthorizationProvider.class */
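/**
 * Default {@link AuthorizationProvider}: builds authorization contexts from incoming requests,
 * runs them through a user handler followed by an ACL handler, and writes one audit line per
 * evaluated context to the {@code RocketmqAuthAudit} logger.
 */
public class DefaultAuthorizationProvider implements AuthorizationProvider<DefaultAuthorizationContext> {
    /** Single audit line layout shared by the ALLOW and DENY paths so the two cannot drift apart. */
    private static final String AUDIT_LOG_FORMAT =
        "[AUTHORIZATION] Subject = {} is {} Action = {} from sourceIp = {} on resource = {} for request = {}.";

    // Dedicated audit logger name; routing and retention are decided by the logging configuration.
    protected final Logger log = LoggerFactory.getLogger("RocketmqAuthAudit");
    protected AuthConfig authConfig;
    // May be null: the single-argument initialize() passes no supplier.
    protected Supplier<?> metadataService;
    protected AuthorizationContextBuilder authorizationContextBuilder;

    /**
     * Initializes the provider without a metadata service supplier.
     *
     * @param authConfig authorization configuration handed to the context builder and the handlers
     */
    @Override
    public void initialize(AuthConfig authConfig) {
        initialize(authConfig, null);
    }

    /**
     * Stores the configuration and supplier and creates the context builder.
     *
     * @param authConfig authorization configuration
     * @param supplier   metadata service supplier passed on to the handlers; stored as given, may be null
     */
    @Override
    public void initialize(AuthConfig authConfig, Supplier<?> supplier) {
        this.authConfig = authConfig;
        this.metadataService = supplier;
        this.authorizationContextBuilder = new DefaultAuthorizationContextBuilder(authConfig);
    }

    /**
     * Evaluates one context against a freshly built handler chain and audits the outcome.
     *
     * <p>The returned future fails when the chain fails. The audit callback runs inside
     * {@code whenComplete}: if it throws after a successful evaluation the returned future fails
     * with that exception, and if it throws after a failed evaluation the original failure is
     * kept and the audit exception is not surfaced.
     *
     * @param defaultAuthorizationContext the context to evaluate
     * @return a future that completes normally when the chain completes normally
     */
    @Override
    public CompletableFuture<Void> authorize(DefaultAuthorizationContext defaultAuthorizationContext) {
        // No raw CompletableFuture cast: the chain is already typed to return CompletableFuture<Void>.
        return newHandlerChain()
            .handle(defaultAuthorizationContext)
            .whenComplete((ignored, th) -> doAuditLog(defaultAuthorizationContext, th));
    }

    /**
     * Builds authorization contexts for a gRPC request.
     *
     * @param metadata           gRPC request metadata
     * @param generatedMessageV3 the protobuf request message
     * @return the contexts produced by the configured context builder
     */
    @Override
    public List<DefaultAuthorizationContext> newContexts(Metadata metadata, GeneratedMessageV3 generatedMessageV3) {
        return this.authorizationContextBuilder.build(metadata, generatedMessageV3);
    }

    /**
     * Builds authorization contexts for a remoting-protocol request.
     *
     * @param channelHandlerContext the Netty channel context of the request
     * @param remotingCommand       the remoting command
     * @return the contexts produced by the configured context builder
     */
    @Override
    public List<DefaultAuthorizationContext> newContexts(ChannelHandlerContext channelHandlerContext, RemotingCommand remotingCommand) {
        return this.authorizationContextBuilder.build(channelHandlerContext, remotingCommand);
    }

    /**
     * Creates the evaluation chain: {@link UserAuthorizationHandler} first, then
     * {@link AclAuthorizationHandler}. A new chain is built on every call.
     *
     * @return the handler chain used by {@link #authorize}
     */
    protected HandlerChain<DefaultAuthorizationContext, CompletableFuture<Void>> newHandlerChain() {
        // Explicit type witness: without it create() has no target type in a chained call.
        return HandlerChain.<DefaultAuthorizationContext, CompletableFuture<Void>>create()
            .addNext(new UserAuthorizationHandler(this.authConfig, this.metadataService))
            .addNext(new AclAuthorizationHandler(this.authConfig, this.metadataService));
    }

    /**
     * Writes the audit line for one evaluated context: DENY at INFO when {@code th} is non-null,
     * ALLOW at DEBUG otherwise. Contexts without a subject are not logged.
     *
     * @param defaultAuthorizationContext the evaluated context
     * @param th                          the failure of the handler chain, or null on success
     */
    protected void doAuditLog(DefaultAuthorizationContext defaultAuthorizationContext, Throwable th) {
        // NOTE(review): a context with no subject leaves no audit record for either outcome,
        // so a denial of such a request is invisible in this log - confirm that is intended.
        if (defaultAuthorizationContext.getSubject() == null) {
            return;
        }
        // Any failure counts as DENY. NOTE(review): the throwable itself is not logged, so a
        // policy refusal and an unexpected handler error look the same in the audit trail.
        Decision decision = th == null ? Decision.ALLOW : Decision.DENY;

        String subjectKey = defaultAuthorizationContext.getSubject().getSubjectKey();
        String actionNames = defaultAuthorizationContext.getActions().stream()
            .map(action -> action.getName())
            .collect(Collectors.joining(","));
        String sourceIp = defaultAuthorizationContext.getSourceIp();
        // NOTE(review): getResource() and getActions() are dereferenced without a null check;
        // verify the context builder always populates them when a subject is present.
        String resourceKey = defaultAuthorizationContext.getResource().getResourceKey();
        String rpcCode = defaultAuthorizationContext.getRpcCode();

        // NOTE(review): the values are written as received. If subject or resource keys can carry
        // request-supplied text, line-break neutralisation has to come from the logging layout.
        if (decision == Decision.ALLOW) {
            // ALLOW is DEBUG-only: granted accesses are recorded only when this logger runs at DEBUG.
            this.log.debug(AUDIT_LOG_FORMAT, subjectKey, decision.getName(), actionNames, sourceIp, resourceKey, rpcCode);
        } else {
            this.log.info(AUDIT_LOG_FORMAT, subjectKey, decision.getName(), actionNames, sourceIp, resourceKey, rpcCode);
        }
    }
}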
