package org.apache.atlas.web.filters;

import com.google.common.base.Strings;
import java.io.IOException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.atlas.authorize.AtlasAccessRequest;
import org.apache.atlas.authorize.AtlasAuthorizationException;
import org.apache.atlas.authorize.AtlasAuthorizer;
import org.apache.atlas.authorize.AtlasAuthorizerFactory;
import org.apache.atlas.authorize.AtlasResourceTypes;
import org.json.simple.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.GenericFilterBean;

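/**
 * Servlet filter that gates Atlas REST API requests behind the configured {@link AtlasAuthorizer}.
 *
 * <p>Requests whose servlet path is outside {@code /api/atlas/} are passed down the chain
 * untouched. For API requests the caller's name and granted authorities are read from the
 * Spring Security context, wrapped in an {@link AtlasAccessRequest}, and submitted to the
 * authorizer. The filter fails closed: a missing authorizer or an
 * {@link AtlasAuthorizationException} during evaluation both result in HTTP 403.
 *
 * <p>The one path that is forwarded without an authorizer decision is a request whose resource
 * types resolve to exactly {@code AtlasResourceTypes.UNKNOWN}; see the note in
 * {@link #doFilter}.
 */
@Component
/* loaded from: input_file:org/apache/atlas/web/filters/AtlasAuthorizationFilter.class */
public class AtlasAuthorizationFilter extends GenericFilterBean {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasAuthorizationFilter.class);

    /** Servlet-path prefix that identifies a REST API request subject to authorization. */
    private static final String BASE_URL = "/api/atlas/";

    /** Authorizer obtained at construction time; stays {@code null} if it could not be obtained. */
    private AtlasAuthorizer authorizer;

    /**
     * Obtains and initialises the authorizer.
     *
     * <p>Failure to obtain it is logged, not thrown, so the filter still loads; every protected
     * API request is then denied by {@link #doFilter} because no authorizer is available.
     */
    public AtlasAuthorizationFilter() {
        this.authorizer = null;
        LOG.debug("==> AtlasAuthorizationFilter() -- Now initializing the Apache Atlas Authorizer!!!");
        try {
            this.authorizer = AtlasAuthorizerFactory.getAtlasAuthorizer();
            if (this.authorizer != null) {
                this.authorizer.init();
            } else {
                LOG.warn("AtlasAuthorizer not initialized properly, please check the application logs and add proper configurations.");
            }
        } catch (AtlasAuthorizationException e) {
            LOG.error("Unable to obtain AtlasAuthorizer. ", e);
        }
    }

    /** Releases the authorizer's resources (if one was obtained) before the filter is destroyed. */
    @Override
    public void destroy() {
        LOG.debug("==> AtlasAuthorizationFilter destroy");
        if (this.authorizer != null) {
            this.authorizer.cleanUp();
        }
        super.destroy();
    }

    /**
     * Authorizes a request against the Atlas authorizer and either forwards it or answers 403.
     *
     * @param servletRequest  incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain     remainder of the chain, invoked only when the request is ignored
     *                        (non-API path) or allowed
     * @throws IOException      propagated from the chain or from sending the error response
     * @throws ServletException if no {@link Authentication} is present in the security context
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOG.debug("==> AuthorizationFilter.doFilter");
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;

        // Anti-clickjacking header, set before the path check so it applies to every request.
        // NOTE(review): the wrapper instance is discarded; this presumably relies on
        // AtlasResponseRequestWrapper delegating setHeader to the wrapped response - confirm.
        new AtlasResponseRequestWrapper(httpServletResponse).setHeader("X-Frame-Options", "DENY");

        String servletPath = httpServletRequest.getServletPath();
        // The second clause also treats any prefix of BASE_URL (e.g. "/api/atlas") as an API request.
        boolean isApiRequest = !Strings.isNullOrEmpty(servletPath)
                && (servletPath.startsWith(BASE_URL) || BASE_URL.startsWith(servletPath));
        if (!isApiRequest) {
            LOG.debug("Ignoring request {}", servletPath);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        LOG.debug("{} is a valid REST API request!!!", servletPath);

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            LOG.error("Cannot obtain Security Context");
            throw new ServletException("Cannot obtain Security Context");
        }

        String userName = authentication.getName();
        Set<String> userGroups = new HashSet<>();
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            userGroups.add(authority.getAuthority());
        }

        AtlasAccessRequest atlasAccessRequest = new AtlasAccessRequest(httpServletRequest, userName, userGroups);
        if (LOG.isDebugEnabled()) {
            // User name and URL are request-derived and written verbatim to the debug log.
            LOG.debug("============================\nUserName :: {}\nGroups :: {}\nURL :: {}\nAction :: {}\nrequest.getServletPath() :: {}\n============================\n", new Object[] {atlasAccessRequest.getUser(), atlasAccessRequest.getUserGroups(), httpServletRequest.getRequestURL(), atlasAccessRequest.getAction(), servletPath});
        }

        // Deny by default; only an explicit allow below flips this.
        boolean accessAllowed = false;
        Set<AtlasResourceTypes> resourceTypes = atlasAccessRequest.getResourceTypes();
        if (resourceTypes.size() == 1 && resourceTypes.contains(AtlasResourceTypes.UNKNOWN)) {
            // Forwarded WITHOUT consulting the authorizer.
            // NOTE(review): how AtlasAccessRequest maps a URL to resource types is not visible
            // here. Any API path it classifies only as UNKNOWN is not protected by this filter,
            // so confirm that mapping covers every endpoint that needs an access decision.
            LOG.debug("Allowing access to unprotected resource types {}", resourceTypes);
            accessAllowed = true;
        } else {
            try {
                // A null authorizer (failed initialisation) leaves accessAllowed false: fail closed.
                if (this.authorizer != null) {
                    accessAllowed = this.authorizer.isAccessAllowed(atlasAccessRequest);
                }
            } catch (AtlasAuthorizationException e) {
                // An evaluation error is treated as a denial. The throwable is passed as the
                // last argument so SLF4J logs the stack trace instead of an unfilled "{}".
                LOG.error("Access Restricted. Could not process the request", e);
            }
            LOG.debug("Authorizer result :: {}", accessAllowed);
        }

        if (accessAllowed) {
            LOG.debug("Access is allowed so forwarding the request!!!");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        JSONObject errorBody = new JSONObject();
        errorBody.put("AuthorizationError", "You are not authorized for " + atlasAccessRequest.getAction().name() + " on " + resourceTypes + " : " + atlasAccessRequest.getResource());
        httpServletResponse.setContentType("application/json");
        // sendError sets the status itself, so no separate setStatus call is needed.
        // NOTE(review): the message embeds the requested resource and is handed to the
        // container's error-page mechanism, which decides the final body and content type.
        // Confirm the configured error page escapes the message and that echoing the
        // resource back to an unauthorized caller is acceptable.
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, errorBody.toString());
        if (LOG.isDebugEnabled()) {
            LOG.debug("You are not authorized for {} on {} : {}\nReturning 403 since the access is blocked update!!!!", new Object[] {atlasAccessRequest.getAction().name(), resourceTypes, atlasAccessRequest.getResource()});
        }
    }
}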
