package org.apache.pinot.server.access;

import java.util.Collection;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang.StringUtils;
import org.apache.helix.HelixManager;
import org.apache.pinot.common.config.provider.AccessControlUserCache;
import org.apache.pinot.common.utils.BcryptUtils;
import org.apache.pinot.core.auth.BasicAuthUtils;
import org.apache.pinot.core.auth.ZkBasicAuthPrincipal;
import org.apache.pinot.shaded.io.netty.channel.ChannelHandlerContext;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.apache.pinot.spi.utils.builder.TableNameBuilder;

/* loaded from: input_file:org/apache/pinot/server/access/ZkBasicAuthAccessFactory.class */
public class ZkBasicAuthAccessFactory implements AccessControlFactory {
    private static final String AUTHORIZATION_KEY = "authorization";
    private HelixManager _helixManager;
    private AccessControl _accessControl;

    /* loaded from: input_file:org/apache/pinot/server/access/ZkBasicAuthAccessFactory$BasicAuthAccessControl.class */
    private static class BasicAuthAccessControl implements AccessControl {
        private Map<String, ZkBasicAuthPrincipal> _name2principal;
        private AccessControlUserCache _userCache;
        private HelixManager _innerHelixManager;

        public BasicAuthAccessControl(HelixManager helixManager) {
            this._innerHelixManager = helixManager;
        }

        public void initUserCache() {
            if (this._userCache == null) {
                this._userCache = new AccessControlUserCache(this._innerHelixManager.getHelixPropertyStore());
            }
        }

        @Override // org.apache.pinot.server.access.AccessControl
        public boolean isAuthorizedChannel(ChannelHandlerContext channelHandlerContext) {
            return true;
        }

        @Override // org.apache.pinot.server.access.AccessControl
        public boolean hasDataAccess(RequesterIdentity requesterIdentity, String str) {
            if (this._userCache == null) {
                initUserCache();
            }
            Collection<String> tokens = getTokens(requesterIdentity);
            this._name2principal = (Map) BasicAuthUtils.extractBasicAuthPrincipals(this._userCache.getAllServerUserConfig()).stream().collect(Collectors.toMap((v0) -> {
                return v0.getName();
            }, zkBasicAuthPrincipal -> {
                return zkBasicAuthPrincipal;
            }));
            Map map = (Map) tokens.stream().collect(Collectors.toMap(BasicAuthUtils::extractUsername, BasicAuthUtils::extractPassword));
            Stream stream = map.keySet().stream();
            Objects.requireNonNull(map);
            Function function = (v1) -> {
                return r1.get(v1);
            };
            Map<String, ZkBasicAuthPrincipal> map2 = this._name2principal;
            Objects.requireNonNull(map2);
            return ((Boolean) ((Map) stream.collect(Collectors.toMap(function, (v1) -> {
                return r2.get(v1);
            }))).entrySet().stream().filter(entry -> {
                return BcryptUtils.checkpw((String) entry.getKey(), ((ZkBasicAuthPrincipal) entry.getValue()).getPassword());
            }).map(entry2 -> {
                return (ZkBasicAuthPrincipal) entry2.getValue();
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).findFirst().map(zkBasicAuthPrincipal2 -> {
                return Boolean.valueOf(StringUtils.isEmpty(str) || zkBasicAuthPrincipal2.hasTable(TableNameBuilder.extractRawTableName(str)));
            }).orElse(false)).booleanValue();
        }

        private Collection<String> getTokens(RequesterIdentity requesterIdentity) {
            if (requesterIdentity instanceof GrpcRequesterIdentity) {
                return ((GrpcRequesterIdentity) requesterIdentity).getGrpcMetadata().get("authorization");
            }
            if (requesterIdentity instanceof HttpRequesterIdentity) {
                return ((HttpRequesterIdentity) requesterIdentity).getHttpHeaders().get("authorization");
            }
            throw new UnsupportedOperationException("GrpcRequesterIdentity or HttpRequesterIdentity is required");
        }
    }

    @Override // org.apache.pinot.server.access.AccessControlFactory
    public void init(PinotConfiguration pinotConfiguration, HelixManager helixManager) {
        this._helixManager = helixManager;
    }

    @Override // org.apache.pinot.server.access.AccessControlFactory
    public AccessControl create() {
        if (this._accessControl == null) {
            this._accessControl = new BasicAuthAccessControl(this._helixManager);
        }
        return this._accessControl;
    }
}
