package org.apache.pulsar.broker.web;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import com.google.common.collect.BoundType;
import com.google.common.collect.Lists;
import com.google.common.collect.Range;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.function.Function;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.pulsar.broker.PulsarService;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataHttps;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authorization.AuthorizationService;
import org.apache.pulsar.broker.namespace.LookupOptions;
import org.apache.pulsar.broker.namespace.NamespaceService;
import org.apache.pulsar.broker.resources.BookieResources;
import org.apache.pulsar.broker.resources.ClusterResources;
import org.apache.pulsar.broker.resources.DynamicConfigurationResources;
import org.apache.pulsar.broker.resources.LocalPoliciesResources;
import org.apache.pulsar.broker.resources.NamespaceResources;
import org.apache.pulsar.broker.resources.PulsarResources;
import org.apache.pulsar.broker.resources.ResourceGroupResources;
import org.apache.pulsar.broker.resources.TenantResources;
import org.apache.pulsar.broker.resources.TopicResources;
import org.apache.pulsar.broker.stats.ClusterReplicationMetrics;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.impl.PulsarServiceNameResolver;
import org.apache.pulsar.common.naming.NamespaceBundle;
import org.apache.pulsar.common.naming.NamespaceBundles;
import org.apache.pulsar.common.naming.NamespaceName;
import org.apache.pulsar.common.naming.TopicName;
import org.apache.pulsar.common.policies.data.BundlesData;
import org.apache.pulsar.common.policies.data.ClusterData;
import org.apache.pulsar.common.policies.data.ClusterDataImpl;
import org.apache.pulsar.common.policies.data.NamespaceOperation;
import org.apache.pulsar.common.policies.data.Policies;
import org.apache.pulsar.common.policies.data.PolicyName;
import org.apache.pulsar.common.policies.data.PolicyOperation;
import org.apache.pulsar.common.policies.data.TenantInfo;
import org.apache.pulsar.common.policies.data.TenantOperation;
import org.apache.pulsar.common.policies.data.TopicOperation;
import org.apache.pulsar.common.policies.path.PolicyPath;
import org.apache.pulsar.common.util.FutureUtil;
import org.apache.pulsar.common.util.ObjectMapperFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/broker/web/PulsarWebResource.class */
public abstract class PulsarWebResource {
    private static final Logger log = LoggerFactory.getLogger(PulsarWebResource.class);
    static final String ORIGINAL_PRINCIPAL_HEADER = "X-Original-Principal";

    @Context
    protected ServletContext servletContext;

    @Context
    protected HttpServletRequest httpRequest;

    @Context
    protected UriInfo uri;
    private PulsarService pulsar;
    protected static final int NOT_IMPLEMENTED = 501;

    /* JADX INFO: Access modifiers changed from: protected */
    public PulsarService pulsar() {
        if (this.pulsar == null) {
            this.pulsar = (PulsarService) this.servletContext.getAttribute("pulsar");
        }
        return this.pulsar;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public ServiceConfiguration config() {
        return pulsar().getConfiguration();
    }

    public static String splitPath(String str, int i) {
        return PolicyPath.splitPath(str, i);
    }

    public String clientAppId() {
        return (String) this.httpRequest.getAttribute(AuthenticationFilter.AuthenticatedRoleAttributeName);
    }

    public String originalPrincipal() {
        return this.httpRequest.getHeader(ORIGINAL_PRINCIPAL_HEADER);
    }

    public AuthenticationDataHttps clientAuthData() {
        return (AuthenticationDataHttps) this.httpRequest.getAttribute(AuthenticationFilter.AuthenticatedDataAttributeName);
    }

    public boolean isRequestHttps() {
        return "https".equalsIgnoreCase(this.httpRequest.getScheme());
    }

    public static boolean isClientAuthenticated(String str) {
        return str != null;
    }

    private static void validateOriginalPrincipal(Set<String> set, String str, String str2) {
        if (set.contains(str)) {
            if (StringUtils.isBlank(str2)) {
                log.warn("Original principal empty in request authenticated as {}", str);
                throw new RestException(Response.Status.UNAUTHORIZED, "Original principal cannot be empty if the request is via proxy.");
            }
            if (set.contains(str2)) {
                log.warn("Original principal {} cannot be a proxy role ({})", str2, set);
                throw new RestException(Response.Status.UNAUTHORIZED, "Original principal cannot be a proxy role");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean hasSuperUserAccess() {
        try {
            validateSuperUserAccess();
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public void validateSuperUserAccess() {
        if (config().isAuthenticationEnabled()) {
            String clientAppId = clientAppId();
            if (log.isDebugEnabled()) {
                log.debug("[{}] Check super user access: Authenticated: {} -- Role: {}", new Object[]{this.uri.getRequestUri(), Boolean.valueOf(isClientAuthenticated(clientAppId)), clientAppId});
            }
            String originalPrincipal = originalPrincipal();
            validateOriginalPrincipal(this.pulsar.getConfiguration().getProxyRoles(), clientAppId, originalPrincipal);
            if (!this.pulsar.getConfiguration().getProxyRoles().contains(clientAppId)) {
                if (config().isAuthorizationEnabled() && !((Boolean) this.pulsar.getBrokerService().getAuthorizationService().isSuperUser(clientAppId, clientAuthData()).join()).booleanValue()) {
                    throw new RestException(Response.Status.UNAUTHORIZED, "This operation requires super-user access");
                }
                log.debug("Successfully authorized {} as super-user", clientAppId);
                return;
            }
            try {
                CompletableFuture isSuperUser = this.pulsar.getBrokerService().getAuthorizationService().isSuperUser(clientAppId, clientAuthData());
                CompletableFuture isSuperUser2 = this.pulsar.getBrokerService().getAuthorizationService().isSuperUser(originalPrincipal, clientAuthData());
                if (!((Boolean) isSuperUser.get()).booleanValue() || !((Boolean) isSuperUser2.get()).booleanValue()) {
                    throw new RestException(Response.Status.UNAUTHORIZED, String.format("Proxy not authorized for super-user operation (proxy:%s,original:%s)", clientAppId, originalPrincipal));
                }
                log.debug("Successfully authorized {} (proxied by {}) as super-user", originalPrincipal, clientAppId);
            } catch (InterruptedException | ExecutionException e) {
                log.error("Error validating super-user access : " + e.getMessage(), e);
                throw new RestException(Response.Status.INTERNAL_SERVER_ERROR, e.getMessage());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateAdminAccessForTenant(String str) {
        try {
            validateAdminAccessForTenant(pulsar(), clientAppId(), originalPrincipal(), str, clientAuthData());
        } catch (Exception e) {
            log.error("Failed to get tenant admin data for tenant {}", str);
            throw new RestException(e);
        } catch (RestException e2) {
            throw e2;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static void validateAdminAccessForTenant(PulsarService pulsarService, String str, String str2, String str3, AuthenticationDataSource authenticationDataSource) throws Exception {
        if (log.isDebugEnabled()) {
            log.debug("check admin access on tenant: {} - Authenticated: {} -- role: {}", new Object[]{str3, Boolean.valueOf(isClientAuthenticated(str)), str});
        }
        TenantInfo tenantInfo = (TenantInfo) pulsarService.getPulsarResources().getTenantResources().getTenant(str3).orElseThrow(() -> {
            return new RestException(Response.Status.NOT_FOUND, "Tenant does not exist");
        });
        if (pulsarService.getConfiguration().isAuthenticationEnabled() && pulsarService.getConfiguration().isAuthorizationEnabled()) {
            if (!isClientAuthenticated(str)) {
                throw new RestException(Response.Status.FORBIDDEN, "Need to authenticate to perform the request");
            }
            validateOriginalPrincipal(pulsarService.getConfiguration().getProxyRoles(), str, str2);
            if (!pulsarService.getConfiguration().getProxyRoles().contains(str)) {
                if (!((Boolean) pulsarService.getBrokerService().getAuthorizationService().isSuperUser(str, authenticationDataSource).join()).booleanValue() && !((Boolean) pulsarService.getBrokerService().getAuthorizationService().isTenantAdmin(str3, str, tenantInfo, authenticationDataSource).get()).booleanValue()) {
                    throw new RestException(Response.Status.UNAUTHORIZED, "Don't have permission to administrate resources on this tenant");
                }
                log.debug("Successfully authorized {} on tenant {}", str, str3);
                return;
            }
            try {
                AuthorizationService authorizationService = pulsarService.getBrokerService().getAuthorizationService();
                CompletableFuture isSuperUser = authorizationService.isSuperUser(str, authenticationDataSource);
                CompletableFuture isSuperUser2 = authorizationService.isSuperUser(str2, authenticationDataSource);
                boolean z = ((Boolean) isSuperUser.get()).booleanValue() || ((Boolean) authorizationService.isTenantAdmin(str3, str, tenantInfo, authenticationDataSource).get()).booleanValue();
                boolean z2 = ((Boolean) isSuperUser2.get()).booleanValue() || ((Boolean) authorizationService.isTenantAdmin(str3, str2, tenantInfo, authenticationDataSource).get()).booleanValue();
                if (!z || !z2) {
                    throw new RestException(Response.Status.UNAUTHORIZED, String.format("Proxy not authorized to access resource (proxy:%s,original:%s)", str, str2));
                }
                log.debug("Successfully authorized {} (proxied by {}) on tenant {}", new Object[]{str2, str, str3});
            } catch (InterruptedException | ExecutionException e) {
                throw new RestException(Response.Status.INTERNAL_SERVER_ERROR, e.getMessage());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateClusterForTenant(String str, String str2) {
        try {
            if (((TenantInfo) pulsar().getPulsarResources().getTenantResources().getTenant(str).orElseThrow(() -> {
                return new RestException(Response.Status.NOT_FOUND, "Tenant does not exist");
            })).getAllowedClusters().contains(str2)) {
                log.info("Successfully validated clusters on tenant [{}]", str);
            } else {
                String format = String.format("Cluster [%s] is not in the list of allowed clusters list for tenant [%s]", str2, str);
                log.info(format);
                throw new RestException(Response.Status.FORBIDDEN, format);
            }
        } catch (Exception e) {
            log.error("Failed to get tenant admin data for tenant {}", str, e);
            throw new RestException(e);
        } catch (RestException e2) {
            log.warn("Failed to get tenant admin data for tenant {}", str);
            throw e2;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateClusterOwnership(String str) throws WebApplicationException {
        try {
            ClusterData clusterData = getClusterDataIfDifferentCluster(pulsar(), str, clientAppId()).get();
            if (clusterData != null) {
                URI redirectionUrl = getRedirectionUrl(clusterData);
                if (log.isDebugEnabled()) {
                    log.debug("[{}] Redirecting the rest call to {}: cluster={}", new Object[]{clientAppId(), redirectionUrl, str});
                }
                throw new WebApplicationException(Response.temporaryRedirect(redirectionUrl).build());
            }
        } catch (Exception e) {
            if (!(e.getCause() instanceof WebApplicationException)) {
                throw new RestException(Response.Status.SERVICE_UNAVAILABLE, String.format("Failed to validate Cluster configuration : cluster=%s  emsg=%s", str, e.getMessage()));
            }
            throw e.getCause();
        } catch (WebApplicationException e2) {
            throw e2;
        }
    }

    private URI getRedirectionUrl(ClusterData clusterData) throws MalformedURLException {
        try {
            PulsarServiceNameResolver pulsarServiceNameResolver = new PulsarServiceNameResolver();
            if (isRequestHttps() && this.pulsar.getConfiguration().getWebServicePortTls().isPresent() && StringUtils.isNotBlank(clusterData.getServiceUrlTls())) {
                pulsarServiceNameResolver.updateServiceUrl(clusterData.getServiceUrlTls());
            } else {
                pulsarServiceNameResolver.updateServiceUrl(clusterData.getServiceUrl());
            }
            URL url = new URL(pulsarServiceNameResolver.resolveHostUri().toString());
            return UriBuilder.fromUri(this.uri.getRequestUri()).host(url.getHost()).port(url.getPort()).build(new Object[0]);
        } catch (PulsarClientException.InvalidServiceURL e) {
            throw new MalformedURLException(e.getMessage());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static CompletableFuture<ClusterData> getClusterDataIfDifferentCluster(PulsarService pulsarService, String str, String str2) {
        CompletableFuture<ClusterData> completableFuture = new CompletableFuture<>();
        if (isValidCluster(pulsarService, str)) {
            completableFuture.complete(null);
        } else {
            try {
                if (pulsarService.getConfiguration().getClusterName().equals(str)) {
                    completableFuture.complete(null);
                } else {
                    pulsarService.getPulsarResources().getClusterResources().getClusterAsync(str).thenAccept(optional -> {
                        if (optional.isPresent()) {
                            completableFuture.complete(optional.get());
                        } else {
                            log.warn("[{}] Cluster does not exist: requested={}", str2, str);
                            completableFuture.completeExceptionally(new RestException(Response.Status.NOT_FOUND, "Cluster does not exist: cluster=" + str));
                        }
                    }).exceptionally(th -> {
                        completableFuture.completeExceptionally(th);
                        return null;
                    });
                }
            } catch (Exception e) {
                completableFuture.completeExceptionally(e);
            }
        }
        return completableFuture;
    }

    static boolean isValidCluster(PulsarService pulsarService, String str) {
        return str == null || "global".equals(str) || !pulsarService.getConfiguration().isAuthorizationEnabled();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateBundleOwnership(String str, String str2, String str3, boolean z, boolean z2, NamespaceBundle namespaceBundle) {
        NamespaceName namespaceName = NamespaceName.get(str, str2, str3);
        try {
            validateBundleOwnership(namespaceBundle, z, z2);
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e2) {
            log.debug("Failed to find owner for namespace {}", namespaceName, e2);
            throw new RestException(e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public NamespaceBundle validateNamespaceBundleRange(NamespaceName namespaceName, BundlesData bundlesData, String str) {
        try {
            Preconditions.checkArgument(str.contains(ClusterReplicationMetrics.SEPARATOR), "Invalid bundle range: " + str);
            String[] split = str.split(ClusterReplicationMetrics.SEPARATOR);
            Long decode = Long.decode(split[0]);
            Long decode2 = Long.decode(split[1]);
            NamespaceBundle bundle = pulsar().getNamespaceService().getNamespaceBundleFactory().getBundle(namespaceName, Range.range(decode, BoundType.CLOSED, decode2, decode2.equals(NamespaceBundles.FULL_UPPER_BOUND) ? BoundType.CLOSED : BoundType.OPEN));
            pulsar().getNamespaceService().getNamespaceBundleFactory().getBundles(namespaceName, bundlesData).validateBundle(bundle);
            return bundle;
        } catch (IllegalArgumentException e) {
            log.error("[{}] Invalid bundle range {}/{}, {}", new Object[]{clientAppId(), namespaceName.toString(), str, e.getMessage()});
            throw new RestException(Response.Status.PRECONDITION_FAILED, e.getMessage());
        } catch (Exception e2) {
            log.error("[{}] Failed to validate namespace bundle {}/{}", new Object[]{clientAppId(), namespaceName.toString(), str, e2});
            throw new RestException(e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CompletableFuture<Boolean> isBundleOwnedByAnyBroker(NamespaceName namespaceName, BundlesData bundlesData, String str) {
        try {
            return pulsar().getNamespaceService().getWebServiceUrlAsync(validateNamespaceBundleRange(namespaceName, bundlesData, str), LookupOptions.builder().authoritative(false).requestHttps(isRequestHttps()).readOnly(true).loadTopicsInBundle(false).build()).thenApply(optional -> {
                return Boolean.valueOf(optional.isPresent());
            });
        } catch (Exception e) {
            log.error("Failed to check whether namespace bundle is owned {}/{}", new Object[]{namespaceName.toString(), str, e});
            throw new RestException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public NamespaceBundle validateNamespaceBundleOwnership(NamespaceName namespaceName, BundlesData bundlesData, String str, boolean z, boolean z2) {
        try {
            NamespaceBundle validateNamespaceBundleRange = validateNamespaceBundleRange(namespaceName, bundlesData, str);
            validateBundleOwnership(validateNamespaceBundleRange, z, z2);
            return validateNamespaceBundleRange;
        } catch (Exception e) {
            log.error("[{}] Failed to validate namespace bundle {}/{}", new Object[]{clientAppId(), namespaceName.toString(), str, e});
            throw new RestException(e);
        } catch (WebApplicationException e2) {
            throw e2;
        }
    }

    public void validateBundleOwnership(NamespaceBundle namespaceBundle, boolean z, boolean z2) throws Exception {
        NamespaceService namespaceService = pulsar().getNamespaceService();
        try {
            Optional<URL> webServiceUrl = namespaceService.getWebServiceUrl(namespaceBundle, LookupOptions.builder().authoritative(z).requestHttps(isRequestHttps()).readOnly(z2).loadTopicsInBundle(false).build());
            if (webServiceUrl == null || !webServiceUrl.isPresent()) {
                log.warn("Unable to get web service url");
                throw new RestException(Response.Status.PRECONDITION_FAILED, "Failed to find ownership for ServiceUnit:" + namespaceBundle.toString());
            }
            if (namespaceService.isServiceUnitOwned(namespaceBundle)) {
                return;
            }
            URI build = UriBuilder.fromUri(this.uri.getRequestUri()).host(webServiceUrl.get().getHost()).port(webServiceUrl.get().getPort()).replaceQueryParam("authoritative", new Object[]{Boolean.valueOf(isLeaderBroker())}).build(new Object[0]);
            log.debug("{} is not a service unit owned", namespaceBundle);
            log.debug("Redirecting the rest call to {}", build);
            throw new WebApplicationException(Response.temporaryRedirect(build).build());
        } catch (IllegalArgumentException e) {
            log.debug("Failed to find owner for ServiceUnit {}", namespaceBundle, e);
            throw new RestException(Response.Status.PRECONDITION_FAILED, "ServiceUnit format is not expected. ServiceUnit " + namespaceBundle);
        } catch (IllegalStateException e2) {
            log.debug("Failed to find owner for ServiceUnit {}", namespaceBundle, e2);
            throw new RestException(Response.Status.PRECONDITION_FAILED, "ServiceUnit bundle is actived. ServiceUnit " + namespaceBundle);
        } catch (NullPointerException e3) {
            log.warn("Unable to get web service url");
            throw new RestException(Response.Status.PRECONDITION_FAILED, "Failed to find ownership for ServiceUnit:" + namespaceBundle);
        } catch (TimeoutException e4) {
            String format = String.format("Finding owner for ServiceUnit %s timed out", namespaceBundle);
            log.error(format, e4);
            throw new RestException(Response.Status.INTERNAL_SERVER_ERROR, format);
        } catch (WebApplicationException e5) {
            throw e5;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateTopicOwnership(TopicName topicName, boolean z) {
        try {
            validateTopicOwnershipAsync(topicName, z).join();
        } catch (CompletionException e) {
            if (!(e.getCause() instanceof WebApplicationException)) {
                throw new RestException(e.getCause());
            }
            throw e.getCause();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CompletableFuture<Void> validateTopicOwnershipAsync(TopicName topicName, boolean z) {
        NamespaceService namespaceService = pulsar().getNamespaceService();
        return namespaceService.getWebServiceUrlAsync(topicName, LookupOptions.builder().authoritative(z).requestHttps(isRequestHttps()).readOnly(false).loadTopicsInBundle(false).build()).thenApply(optional -> {
            if (optional != null && optional.isPresent()) {
                return (URL) optional.get();
            }
            log.info("Unable to get web service url");
            throw new RestException(Response.Status.PRECONDITION_FAILED, "Failed to find ownership for topic:" + topicName);
        }).thenCompose((Function<? super U, ? extends CompletionStage<U>>) url -> {
            return namespaceService.isServiceUnitOwnedAsync(topicName).thenApply(bool -> {
                return Pair.of(url, bool);
            });
        }).thenAccept(pair -> {
            URL url2 = (URL) pair.getLeft();
            if (((Boolean) pair.getRight()).booleanValue()) {
                return;
            }
            URI build = UriBuilder.fromUri(this.uri.getRequestUri()).host(url2.getHost()).port(url2.getPort()).replaceQueryParam("authoritative", new Object[]{Boolean.valueOf(isLeaderBroker(pulsar()))}).build(new Object[0]);
            if (log.isDebugEnabled()) {
                log.debug("Redirecting the rest call to {}", build);
            }
            throw new WebApplicationException(Response.temporaryRedirect(build).build());
        }).exceptionally(th -> {
            if ((th.getCause() instanceof IllegalArgumentException) || (th.getCause() instanceof IllegalStateException)) {
                if (log.isDebugEnabled()) {
                    log.debug("Failed to find owner for topic: {}", topicName, th);
                }
                throw new RestException(Response.Status.PRECONDITION_FAILED, "Can't find owner for topic " + topicName);
            }
            if (th.getCause() instanceof WebApplicationException) {
                throw th.getCause();
            }
            throw new RestException(th.getCause());
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateGlobalNamespaceOwnership(NamespaceName namespaceName) {
        int zooKeeperOperationTimeoutSeconds = pulsar().getConfiguration().getZooKeeperOperationTimeoutSeconds();
        try {
            ClusterDataImpl clusterDataImpl = checkLocalOrGetPeerReplicationCluster(pulsar(), namespaceName).get(zooKeeperOperationTimeoutSeconds, TimeUnit.SECONDS);
            if (clusterDataImpl != null) {
                URI redirectionUrl = getRedirectionUrl(clusterDataImpl);
                if (log.isDebugEnabled()) {
                    log.debug("[{}] Redirecting the rest call to {}: cluster={}", new Object[]{clientAppId(), redirectionUrl, clusterDataImpl});
                }
                throw new WebApplicationException(Response.temporaryRedirect(redirectionUrl).build());
            }
        } catch (InterruptedException e) {
            log.warn("Time-out {} sec while validating policy on {} ", Integer.valueOf(zooKeeperOperationTimeoutSeconds), namespaceName);
            throw new RestException(Response.Status.SERVICE_UNAVAILABLE, String.format("Failed to validate global cluster configuration : ns=%s  emsg=%s", namespaceName, e.getMessage()));
        } catch (Exception e2) {
            if (!(e2.getCause() instanceof WebApplicationException)) {
                throw new RestException(Response.Status.SERVICE_UNAVAILABLE, String.format("Failed to validate global cluster configuration : ns=%s  emsg=%s", namespaceName, e2.getMessage()));
            }
            throw e2.getCause();
        } catch (WebApplicationException e3) {
            throw e3;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CompletableFuture<Void> validateGlobalNamespaceOwnershipAsync(NamespaceName namespaceName) {
        return checkLocalOrGetPeerReplicationCluster(pulsar(), namespaceName).thenAccept(clusterDataImpl -> {
            if (clusterDataImpl != null) {
                try {
                    URI redirectionUrl = getRedirectionUrl(clusterDataImpl);
                    if (log.isDebugEnabled()) {
                        log.debug("[{}] Redirecting the rest call to {}: cluster={}", new Object[]{clientAppId(), redirectionUrl, clusterDataImpl});
                    }
                    throw new WebApplicationException(Response.temporaryRedirect(redirectionUrl).build());
                } catch (MalformedURLException e) {
                    throw new RestException(Response.Status.SERVICE_UNAVAILABLE, String.format("Failed to validate global cluster configuration : ns=%s  emsg=%s", namespaceName, e.getMessage()));
                }
            }
        });
    }

    public static CompletableFuture<ClusterDataImpl> checkLocalOrGetPeerReplicationCluster(PulsarService pulsarService, NamespaceName namespaceName) {
        if (!namespaceName.isGlobal()) {
            return CompletableFuture.completedFuture(null);
        }
        CompletableFuture<ClusterDataImpl> completableFuture = new CompletableFuture<>();
        String clusterName = pulsarService.getConfiguration().getClusterName();
        pulsarService.getPulsarResources().getNamespaceResources().getPoliciesAsync(namespaceName).thenAccept(optional -> {
            if (!optional.isPresent()) {
                String format = String.format("Policies not found for %s namespace", namespaceName.toString());
                log.warn(format);
                completableFuture.completeExceptionally(new RestException(Response.Status.NOT_FOUND, format));
                return;
            }
            Policies policies = (Policies) optional.get();
            if (policies.replication_clusters.isEmpty()) {
                String format2 = String.format("Namespace does not have any clusters configured : local_cluster=%s ns=%s", clusterName, namespaceName.toString());
                log.warn(format2);
                completableFuture.completeExceptionally(new RestException(Response.Status.PRECONDITION_FAILED, format2));
            } else {
                if (policies.replication_clusters.contains(clusterName)) {
                    completableFuture.complete(null);
                    return;
                }
                ClusterDataImpl ownerFromPeerClusterList = getOwnerFromPeerClusterList(pulsarService, policies.replication_clusters);
                if (ownerFromPeerClusterList != null) {
                    completableFuture.complete(ownerFromPeerClusterList);
                    return;
                }
                String format3 = String.format("Namespace missing local cluster name in clusters list: local_cluster=%s ns=%s clusters=%s", clusterName, namespaceName.toString(), policies.replication_clusters);
                log.warn(format3);
                completableFuture.completeExceptionally(new RestException(Response.Status.PRECONDITION_FAILED, format3));
            }
        }).exceptionally(th -> {
            log.error(String.format("Failed to validate global cluster configuration : cluster=%s ns=%s  emsg=%s", clusterName, namespaceName, th.getMessage()));
            completableFuture.completeExceptionally(new RestException(th));
            return null;
        });
        return completableFuture;
    }

    private static ClusterDataImpl getOwnerFromPeerClusterList(PulsarService pulsarService, Set<String> set) {
        String clusterName = pulsarService.getConfiguration().getClusterName();
        if (set == null || set.isEmpty() || StringUtils.isBlank(clusterName)) {
            return null;
        }
        try {
            Optional cluster = pulsarService.getPulsarResources().getClusterResources().getCluster(clusterName);
            if (!cluster.isPresent() || ((ClusterData) cluster.get()).getPeerClusterNames() == null) {
                return null;
            }
            Iterator it = ((ClusterData) cluster.get()).getPeerClusterNames().iterator();
            while (it.hasNext()) {
                String str = (String) it.next();
                if (set.contains(str)) {
                    return (ClusterDataImpl) pulsarService.getPulsarResources().getClusterResources().getCluster(str).orElseThrow(() -> {
                        return new RestException(Response.Status.NOT_FOUND, "Peer cluster " + str + " data not found");
                    });
                }
            }
            return null;
        } catch (Exception e) {
            log.error("Failed to get peer-cluster {}-{}", clusterName, e.getMessage());
            if (e instanceof RestException) {
                throw ((RestException) e);
            }
            throw new RestException((Throwable) e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static void checkAuthorization(PulsarService pulsarService, TopicName topicName, String str, AuthenticationDataSource authenticationDataSource) throws Exception {
        if (pulsarService.getConfiguration().isAuthorizationEnabled() && !pulsarService.getBrokerService().getAuthorizationService().allowTopicOperation(topicName, TopicOperation.LOOKUP, (String) null, str, authenticationDataSource).booleanValue()) {
            log.warn("[{}] Role {} is not allowed to lookup topic", topicName, str);
            throw new RestException(Response.Status.UNAUTHORIZED, "Don't have permission to connect to this namespace");
        }
    }

    public void setPulsar(PulsarService pulsarService) {
        this.pulsar = pulsarService;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isLeaderBroker() {
        return isLeaderBroker(pulsar());
    }

    protected static boolean isLeaderBroker(PulsarService pulsarService) {
        return pulsarService.getLeaderElectionService().isLeader();
    }

    public void validateTenantOperation(String str, TenantOperation tenantOperation) {
        if (pulsar().getConfiguration().isAuthenticationEnabled() && pulsar().getBrokerService().isAuthorizationEnabled()) {
            if (!isClientAuthenticated(clientAppId())) {
                throw new RestException(Response.Status.UNAUTHORIZED, "Need to authenticate to perform the request");
            }
            if (!pulsar().getBrokerService().getAuthorizationService().allowTenantOperation(str, tenantOperation, originalPrincipal(), clientAppId(), clientAuthData())) {
                throw new RestException(Response.Status.UNAUTHORIZED, String.format("Unauthorized to validateTenantOperation for originalPrincipal [%s] and clientAppId [%s] about operation [%s] on tenant [%s]", originalPrincipal(), clientAppId(), tenantOperation.toString(), str));
            }
        }
    }

    public void validateNamespaceOperation(NamespaceName namespaceName, NamespaceOperation namespaceOperation) {
        if (pulsar().getConfiguration().isAuthenticationEnabled() && pulsar().getBrokerService().isAuthorizationEnabled()) {
            if (!isClientAuthenticated(clientAppId())) {
                throw new RestException(Response.Status.FORBIDDEN, "Need to authenticate to perform the request");
            }
            if (!pulsar().getBrokerService().getAuthorizationService().allowNamespaceOperation(namespaceName, namespaceOperation, originalPrincipal(), clientAppId(), clientAuthData())) {
                throw new RestException(Response.Status.FORBIDDEN, String.format("Unauthorized to validateNamespaceOperation for operation [%s] on namespace [%s]", namespaceOperation.toString(), namespaceName));
            }
        }
    }

    public void validateNamespacePolicyOperation(NamespaceName namespaceName, PolicyName policyName, PolicyOperation policyOperation) {
        if (pulsar().getConfiguration().isAuthenticationEnabled() && pulsar().getBrokerService().isAuthorizationEnabled()) {
            if (!isClientAuthenticated(clientAppId())) {
                throw new RestException(Response.Status.FORBIDDEN, "Need to authenticate to perform the request");
            }
            if (!pulsar().getBrokerService().getAuthorizationService().allowNamespacePolicyOperation(namespaceName, policyName, policyOperation, originalPrincipal(), clientAppId(), clientAuthData())) {
                throw new RestException(Response.Status.FORBIDDEN, String.format("Unauthorized to validateNamespacePolicyOperation for operation [%s] on namespace [%s] on policy [%s]", policyOperation.toString(), namespaceName, policyName.toString()));
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public PulsarResources getPulsarResources() {
        return pulsar().getPulsarResources();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public TenantResources tenantResources() {
        return pulsar().getPulsarResources().getTenantResources();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public ClusterResources clusterResources() {
        return pulsar().getPulsarResources().getClusterResources();
    }

    protected BookieResources bookieResources() {
        return pulsar().getPulsarResources().getBookieResources();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public TopicResources topicResources() {
        return pulsar().getPulsarResources().getTopicResources();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public NamespaceResources namespaceResources() {
        return pulsar().getPulsarResources().getNamespaceResources();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public ResourceGroupResources resourceGroupResources() {
        return pulsar().getPulsarResources().getResourcegroupResources();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public LocalPoliciesResources getLocalPolicies() {
        return pulsar().getPulsarResources().getLocalPolicies();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public NamespaceResources.IsolationPolicyResources namespaceIsolationPolicies() {
        return namespaceResources().getIsolationPolicies();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public DynamicConfigurationResources dynamicConfigurationResources() {
        return pulsar().getPulsarResources().getDynamicConfigResources();
    }

    public static ObjectMapper jsonMapper() {
        return ObjectMapperFactory.getThreadLocal();
    }

    public void validatePoliciesReadOnlyAccess() {
        try {
            if (namespaceResources().getPoliciesReadOnly()) {
                log.debug("Policies are read-only. Broker cannot do read-write operations");
                throw new RestException(Response.Status.FORBIDDEN, "Broker is forbidden to do read-write operations");
            }
        } catch (Exception e) {
            log.warn("Unable to fetch read-only policy config ", e);
            throw new RestException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CompletableFuture<Void> hasActiveNamespace(String str) {
        return tenantResources().hasActiveNamespace(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateClusterExists(String str) {
        try {
            if (clusterResources().clusterExists(str)) {
            } else {
                throw new RestException(Response.Status.PRECONDITION_FAILED, "Cluster " + str + " does not exist.");
            }
        } catch (Exception e) {
            throw new RestException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CompletableFuture<Void> canUpdateCluster(String str, Set<String> set, Set<String> set2) {
        ArrayList newArrayList = Lists.newArrayList();
        for (String str2 : set) {
            if (!"global".equals(str2) && !set2.contains(str2)) {
                CompletableFuture completableFuture = new CompletableFuture();
                newArrayList.add(completableFuture);
                tenantResources().getActiveNamespaces(str, str2).whenComplete((list, th) -> {
                    if (th != null) {
                        log.warn("Failed to get namespaces under {}-{}, {}", new Object[]{str, str2, th.getCause().getMessage()});
                        completableFuture.completeExceptionally(th.getCause());
                    } else if (list.size() <= 0) {
                        completableFuture.complete(null);
                    } else {
                        log.warn("{}/{} Active-namespaces {}", new Object[]{str, str2, list});
                        completableFuture.completeExceptionally(new RestException(Response.Status.PRECONDITION_FAILED, "Active namespaces"));
                    }
                });
            }
        }
        return FutureUtil.waitForAll(newArrayList);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void validateBrokerName(String str) {
        String format = String.format("http://%s", str);
        String format2 = String.format("https://%s", str);
        if (format.equals(pulsar().getSafeWebServiceAddress()) || format2.equals(pulsar().getWebServiceAddressTls())) {
            return;
        }
        String[] split = str.split(":");
        Preconditions.checkArgument(split.length == 2, String.format("Invalid broker url %s", str));
        URI build = UriBuilder.fromUri(this.uri.getRequestUri()).host(split[0]).port(Integer.parseInt(split[1])).build(new Object[0]);
        log.debug("[{}] Redirecting the rest call to {}: broker={}", new Object[]{clientAppId(), build, str});
        throw new WebApplicationException(Response.temporaryRedirect(build).build());
    }

    public void validateTopicPolicyOperation(TopicName topicName, PolicyName policyName, PolicyOperation policyOperation) {
        if (pulsar().getConfiguration().isAuthenticationEnabled() && pulsar().getBrokerService().isAuthorizationEnabled()) {
            if (!isClientAuthenticated(clientAppId())) {
                throw new RestException(Response.Status.FORBIDDEN, "Need to authenticate to perform the request");
            }
            if (!pulsar().getBrokerService().getAuthorizationService().allowTopicPolicyOperation(topicName, policyName, policyOperation, originalPrincipal(), clientAppId(), clientAuthData()).booleanValue()) {
                throw new RestException(Response.Status.FORBIDDEN, String.format("Unauthorized to validateTopicPolicyOperation for operation [%s] on topic [%s] on policy [%s]", policyOperation.toString(), topicName, policyName.toString()));
            }
        }
    }

    public void validateTopicOperation(TopicName topicName, TopicOperation topicOperation) {
        validateTopicOperation(topicName, topicOperation, null);
    }

    public void validateTopicOperation(TopicName topicName, TopicOperation topicOperation, String str) {
        if (pulsar().getConfiguration().isAuthenticationEnabled() && pulsar().getBrokerService().isAuthorizationEnabled()) {
            if (!isClientAuthenticated(clientAppId())) {
                throw new RestException(Response.Status.UNAUTHORIZED, "Need to authenticate to perform the request");
            }
            AuthenticationDataHttps clientAuthData = clientAuthData();
            clientAuthData.setSubscription(str);
            if (!pulsar().getBrokerService().getAuthorizationService().allowTopicOperation(topicName, topicOperation, originalPrincipal(), clientAppId(), clientAuthData).booleanValue()) {
                throw new RestException(Response.Status.UNAUTHORIZED, String.format("Unauthorized to validateTopicOperation for operation [%s] on topic [%s]", topicOperation.toString(), topicName));
            }
        }
    }
}
