package org.apache.pinot.broker.broker;

import com.google.common.base.Preconditions;
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.NotAuthorizedException;
import org.apache.pinot.broker.api.AccessControl;
import org.apache.pinot.broker.api.HttpRequesterIdentity;
import org.apache.pinot.broker.api.RequesterIdentity;
import org.apache.pinot.common.auth.BasicAuthUtils;
import org.apache.pinot.common.request.BrokerRequest;
import org.apache.pinot.core.auth.BasicAuthPrincipal;
import org.apache.pinot.spi.auth.AuthorizationResult;
import org.apache.pinot.spi.auth.TableAuthorizationResult;
import org.apache.pinot.spi.env.PinotConfiguration;

/* loaded from: input_file:org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.class */
public class BasicAuthAccessControlFactory extends AccessControlFactory {
    private static final String PREFIX = "principals";
    private static final String HEADER_AUTHORIZATION = "authorization";
    private AccessControl _accessControl;

    /* loaded from: input_file:org/apache/pinot/broker/broker/BasicAuthAccessControlFactory$BasicAuthAccessControl.class */
    private static class BasicAuthAccessControl implements AccessControl {
        private final Map<String, BasicAuthPrincipal> _token2principal;

        public BasicAuthAccessControl(Collection<BasicAuthPrincipal> collection) {
            this._token2principal = (Map) collection.stream().collect(Collectors.toMap((v0) -> {
                return v0.getToken();
            }, basicAuthPrincipal -> {
                return basicAuthPrincipal;
            }));
        }

        @Override // org.apache.pinot.broker.api.AccessControl
        public AuthorizationResult authorize(RequesterIdentity requesterIdentity) {
            return authorize(requesterIdentity, (BrokerRequest) null);
        }

        @Override // org.apache.pinot.broker.api.AccessControl
        public AuthorizationResult authorize(RequesterIdentity requesterIdentity, BrokerRequest brokerRequest) {
            Optional<BasicAuthPrincipal> principalOpt = getPrincipalOpt(requesterIdentity);
            if (!principalOpt.isPresent()) {
                throw new NotAuthorizedException("Basic", new Object[0]);
            }
            BasicAuthPrincipal basicAuthPrincipal = principalOpt.get();
            if (brokerRequest == null || !brokerRequest.isSetQuerySource() || !brokerRequest.getQuerySource().isSetTableName()) {
                return TableAuthorizationResult.success();
            }
            HashSet hashSet = new HashSet();
            if (!basicAuthPrincipal.hasTable(brokerRequest.getQuerySource().getTableName())) {
                hashSet.add(brokerRequest.getQuerySource().getTableName());
            }
            return hashSet.isEmpty() ? TableAuthorizationResult.success() : new TableAuthorizationResult(hashSet);
        }

        @Override // org.apache.pinot.broker.api.AccessControl
        public TableAuthorizationResult authorize(RequesterIdentity requesterIdentity, Set<String> set) {
            Optional<BasicAuthPrincipal> principalOpt = getPrincipalOpt(requesterIdentity);
            if (!principalOpt.isPresent()) {
                throw new NotAuthorizedException("Basic", new Object[0]);
            }
            if (set == null || set.isEmpty()) {
                return TableAuthorizationResult.success();
            }
            BasicAuthPrincipal basicAuthPrincipal = principalOpt.get();
            HashSet hashSet = new HashSet();
            for (String str : set) {
                if (!basicAuthPrincipal.hasTable(str)) {
                    hashSet.add(str);
                }
            }
            return hashSet.isEmpty() ? TableAuthorizationResult.success() : new TableAuthorizationResult(hashSet);
        }

        private Optional<BasicAuthPrincipal> getPrincipalOpt(RequesterIdentity requesterIdentity) {
            Preconditions.checkArgument(requesterIdentity instanceof HttpRequesterIdentity, "HttpRequesterIdentity required");
            Stream map = ((HttpRequesterIdentity) requesterIdentity).getHttpHeaders().get(BasicAuthAccessControlFactory.HEADER_AUTHORIZATION).stream().map(BasicAuthUtils::normalizeBase64Token);
            Map<String, BasicAuthPrincipal> map2 = this._token2principal;
            Objects.requireNonNull(map2);
            return map.map((v1) -> {
                return r1.get(v1);
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).findFirst();
        }
    }

    @Override // org.apache.pinot.broker.broker.AccessControlFactory
    public void init(PinotConfiguration pinotConfiguration) {
        this._accessControl = new BasicAuthAccessControl(org.apache.pinot.core.auth.BasicAuthUtils.extractBasicAuthPrincipals(pinotConfiguration, PREFIX));
    }

    @Override // org.apache.pinot.broker.broker.AccessControlFactory
    public AccessControl create() {
        return this._accessControl;
    }
}
