package org.apache.pulsar.broker.authorization;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.RequiredTypeException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.function.Function;
import java.util.stream.Stream;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.resources.PulsarResources;
import org.apache.pulsar.common.naming.NamespaceName;
import org.apache.pulsar.common.naming.TopicName;
import org.apache.pulsar.common.policies.data.NamespaceOperation;
import org.apache.pulsar.common.policies.data.PolicyName;
import org.apache.pulsar.common.policies.data.PolicyOperation;
import org.apache.pulsar.common.policies.data.TenantInfo;
import org.apache.pulsar.common.policies.data.TenantOperation;
import org.apache.pulsar.common.policies.data.TopicOperation;
import org.apache.pulsar.common.util.FutureUtil;
import org.apache.pulsar.common.util.RestException;
import org.apache.pulsar.metadata.api.MetadataStoreException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.class */
public class MultiRolesTokenAuthorizationProvider extends PulsarAuthorizationProvider {
    private static final Logger log = LoggerFactory.getLogger(MultiRolesTokenAuthorizationProvider.class);
    static final String HTTP_HEADER_NAME = "Authorization";
    static final String HTTP_HEADER_VALUE_PREFIX = "Bearer ";
    static final String CONF_TOKEN_SETTING_PREFIX = "tokenSettingPrefix";
    static final String CONF_TOKEN_AUTH_CLAIM = "tokenAuthClaim";
    private String roleClaim = "sub";
    private final JwtParser parser = Jwts.parserBuilder().build();

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public void initialize(ServiceConfiguration serviceConfiguration, PulsarResources pulsarResources) throws IOException {
        String str = (String) serviceConfiguration.getProperty(CONF_TOKEN_SETTING_PREFIX);
        if (null == str) {
            str = "";
        }
        Object property = serviceConfiguration.getProperty(str + "tokenAuthClaim");
        if (property != null && StringUtils.isNotBlank((String) property)) {
            this.roleClaim = (String) property;
        }
        super.initialize(serviceConfiguration, pulsarResources);
    }

    @Override // org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> isSuperUser(String str, AuthenticationDataSource authenticationDataSource, ServiceConfiguration serviceConfiguration) {
        Set<String> superUserRoles = serviceConfiguration.getSuperUserRoles();
        if (superUserRoles.isEmpty()) {
            return CompletableFuture.completedFuture(false);
        }
        if (str != null && superUserRoles.contains(str)) {
            return CompletableFuture.completedFuture(true);
        }
        Set<String> roles = getRoles(authenticationDataSource);
        if (roles.isEmpty()) {
            return CompletableFuture.completedFuture(false);
        }
        Stream<String> stream = roles.stream();
        Objects.requireNonNull(superUserRoles);
        return CompletableFuture.completedFuture(Boolean.valueOf(stream.anyMatch((v1) -> {
            return r1.contains(v1);
        })));
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
    public CompletableFuture<Boolean> validateTenantAdminAccess(String str, String str2, AuthenticationDataSource authenticationDataSource) {
        return isSuperUser(str2, authenticationDataSource, this.conf).thenCompose(bool -> {
            if (bool.booleanValue()) {
                return CompletableFuture.completedFuture(true);
            }
            Set<String> roles = getRoles(authenticationDataSource);
            return roles.isEmpty() ? CompletableFuture.completedFuture(false) : this.pulsarResources.getTenantResources().getTenantAsync(str).thenCompose(optional -> {
                if (!optional.isPresent()) {
                    throw new RestException(Response.Status.NOT_FOUND, "Tenant does not exist");
                }
                TenantInfo tenantInfo = (TenantInfo) optional.get();
                return (tenantInfo.getAdminRoles() == null || tenantInfo.getAdminRoles().isEmpty()) ? CompletableFuture.completedFuture(false) : CompletableFuture.completedFuture(Boolean.valueOf(roles.stream().anyMatch(str3 -> {
                    return tenantInfo.getAdminRoles().contains(str3);
                })));
            }).exceptionally((Function<Throwable, ? extends U>) th -> {
                Throwable cause = th.getCause();
                if (cause instanceof MetadataStoreException.NotFoundException) {
                    log.warn("Failed to get tenant info data for non existing tenant {}", str);
                    throw new RestException(Response.Status.NOT_FOUND, "Tenant does not exist");
                }
                log.error("Failed to get tenant {}", str, cause);
                throw new RestException(cause);
            });
        });
    }

    private Set<String> getRoles(AuthenticationDataSource authenticationDataSource) {
        String str = null;
        if (authenticationDataSource.hasDataFromCommand()) {
            str = authenticationDataSource.getCommandData();
            if (StringUtils.isBlank(str)) {
                return Collections.emptySet();
            }
        } else if (authenticationDataSource.hasDataFromHttp()) {
            String httpHeader = authenticationDataSource.getHttpHeader(HTTP_HEADER_NAME);
            if (httpHeader == null || !httpHeader.startsWith(HTTP_HEADER_VALUE_PREFIX)) {
                return Collections.emptySet();
            }
            str = httpHeader.substring(HTTP_HEADER_VALUE_PREFIX.length());
        }
        if (str == null) {
            return Collections.emptySet();
        }
        String[] split = str.split("\\.");
        if (split.length < 2) {
            log.warn("Unable to extract additional roles from JWT token");
            return Collections.emptySet();
        }
        Jwt parseClaimsJwt = this.parser.parseClaimsJwt(split[0] + "." + split[1] + ".");
        try {
            return new HashSet(Collections.singletonList((String) ((Claims) parseClaimsJwt.getBody()).get(this.roleClaim, String.class)));
        } catch (RequiredTypeException e) {
            try {
                List list = (List) ((Claims) parseClaimsJwt.getBody()).get(this.roleClaim, List.class);
                return list != null ? new HashSet(list) : Collections.emptySet();
            } catch (RequiredTypeException e2) {
                return Collections.emptySet();
            }
        }
    }

    public CompletableFuture<Boolean> authorize(AuthenticationDataSource authenticationDataSource, Function<String, CompletableFuture<Boolean>> function) {
        Set<String> roles = getRoles(authenticationDataSource);
        if (roles.isEmpty()) {
            return CompletableFuture.completedFuture(false);
        }
        ArrayList arrayList = new ArrayList(roles.size());
        roles.forEach(str -> {
            arrayList.add((CompletableFuture) function.apply(str));
        });
        return FutureUtil.waitForAny(arrayList, obj -> {
            return ((Boolean) obj).booleanValue();
        }).thenApply(optional -> {
            return Boolean.valueOf(optional.isPresent());
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> canProduceAsync(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.canProduceAsync(topicName, str2, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource, String str2) {
        return authorize(authenticationDataSource, str3 -> {
            return super.canConsumeAsync(topicName, str3, authenticationDataSource, str2);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> canLookupAsync(TopicName topicName, String str, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.canLookupAsync(topicName, str2, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> allowFunctionOpsAsync(NamespaceName namespaceName, String str, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.allowFunctionOpsAsync(namespaceName, str2, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName namespaceName, String str, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.allowSourceOpsAsync(namespaceName, str2, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName namespaceName, String str, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.allowSinkOpsAsync(namespaceName, str2, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> allowTenantOperationAsync(String str, String str2, TenantOperation tenantOperation, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str3 -> {
            return super.allowTenantOperationAsync(str, str3, tenantOperation, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> allowNamespaceOperationAsync(NamespaceName namespaceName, String str, NamespaceOperation namespaceOperation, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.allowNamespaceOperationAsync(namespaceName, str2, namespaceOperation, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> allowNamespacePolicyOperationAsync(NamespaceName namespaceName, PolicyName policyName, PolicyOperation policyOperation, String str, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.allowNamespacePolicyOperationAsync(namespaceName, policyName, policyOperation, str2, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> allowTopicOperationAsync(TopicName topicName, String str, TopicOperation topicOperation, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.allowTopicOperationAsync(topicName, str2, topicOperation, authenticationDataSource);
        });
    }

    @Override // org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, org.apache.pulsar.broker.authorization.AuthorizationProvider
    public CompletableFuture<Boolean> allowTopicPolicyOperationAsync(TopicName topicName, String str, PolicyName policyName, PolicyOperation policyOperation, AuthenticationDataSource authenticationDataSource) {
        return authorize(authenticationDataSource, str2 -> {
            return super.allowTopicPolicyOperationAsync(topicName, str2, policyName, policyOperation, authenticationDataSource);
        });
    }
}
