package io.pravega.controller.server.rpc.auth;

import com.google.common.annotations.VisibleForTesting;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.pravega.auth.AuthHandler;
import io.pravega.auth.AuthenticationException;
import io.pravega.auth.AuthorizationException;
import io.pravega.shared.security.token.JsonWebToken;
import java.beans.ConstructorProperties;
import java.util.HashMap;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/pravega/controller/server/rpc/auth/GrpcAuthHelper.class */
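/**
 * Authorization helper: checks a caller's permissions on a resource through the
 * {@link AuthHandler} carried by an {@link AuthContext}, and issues signed
 * {@link JsonWebToken} strings scoped to that resource.
 *
 * <p>When auth is disabled, every check succeeds and every token is the empty string.
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@code tokenSigningKey} is a secret; this class never logs it and callers should not either.</li>
 *   <li>The signing key is converted with {@link String#getBytes()}, i.e. the platform default
 *       charset. NOTE(review): whatever verifies these tokens must derive the key bytes the same
 *       way; pinning both sides to UTF-8 would remove the platform dependency. Confirm against
 *       the verifying component before changing it here.</li>
 * </ul>
 */
public class GrpcAuthHelper {

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    private static final Logger log = LoggerFactory.getLogger(GrpcAuthHelper.class);

    /** Master switch: when {@code false} all checks pass and no tokens are produced. */
    private final boolean isAuthEnabled;

    /** Secret used to sign tokens. Must never be written to logs or error messages. */
    private final String tokenSigningKey;

    /** Time-to-live handed to {@link JsonWebToken} for delegation tokens. */
    private final Integer accessTokenTTLInSeconds;

    /**
     * Creates a helper with auth switched off (empty signing key, TTL of -1).
     * Neither value is read while auth is disabled.
     *
     * @return a helper for which every authorization check succeeds
     */
    @VisibleForTesting
    public static GrpcAuthHelper getDisabledAuthHelper() {
        return new GrpcAuthHelper(false, "", -1);
    }

    /**
     * Reports whether the principal in {@code authContext} holds at least {@code permissions}
     * on the resource {@code str}.
     *
     * <p>Fails closed: a missing context, a missing handler, or a handler that returns
     * {@code null} is treated as {@link AuthHandler.Permissions#NONE}.
     *
     * @param str         the resource being accessed
     * @param permissions the minimum permission level required
     * @param authContext the caller's auth context; may be {@code null}
     * @return {@code true} if auth is disabled or the granted level is sufficient
     */
    public boolean isAuthorized(String str, AuthHandler.Permissions permissions, AuthContext authContext) {
        if (!this.isAuthEnabled) {
            log.debug("Since auth is disabled, returning [true]");
            return true;
        }

        AuthHandler.Permissions granted;
        if (authContext == null || authContext.getAuthHandler() == null) {
            // Also reached when the context exists but carries no handler.
            log.warn("Auth is enabled but 'authContext'  is null. Defaulting to no permissions.");
            granted = AuthHandler.Permissions.NONE;
        } else {
            granted = authContext.getAuthHandler().authorize(str, authContext.getPrincipal());
            if (granted == null) {
                // A handler that returns null must deny access explicitly rather than surface
                // as a NullPointerException from the comparison below.
                log.warn("Auth handler returned no permissions for resource [{}]. Defaulting to no permissions.", str);
                granted = AuthHandler.Permissions.NONE;
            }
        }

        // Relies on the declaration order of AuthHandler.Permissions.
        // NOTE(review): presumably declared from least to most privileged; confirm, and keep
        // that order if constants are ever added.
        return granted.ordinal() >= permissions.ordinal();
    }

    /**
     * Enforces that the principal in {@code authContext} holds {@code permissions} on {@code str}.
     *
     * @param str         the resource being accessed
     * @param permissions the minimum permission level required
     * @param authContext the caller's auth context; may be {@code null}
     * @return the empty string when access is allowed
     * @throws AuthenticationException if access is denied and no principal is available
     * @throws AuthorizationException  if access is denied for an identified principal
     */
    public String checkAuthorization(String str, AuthHandler.Permissions permissions, AuthContext authContext) {
        if (isAuthorized(str, permissions, authContext)) {
            return "";
        }
        // Without a principal the failure is one of authentication, not authorization.
        if (authContext == null || authContext.getPrincipal() == null) {
            throw new AuthenticationException("Could't extract Principal");
        }
        throw new AuthorizationException(String.format("Principal [%s] not allowed [%s] access for resource [%s]", authContext.getPrincipal(), permissions, str));
    }

    /**
     * Same as {@link #checkAuthorization(String, AuthHandler.Permissions, AuthContext)} using
     * {@link AuthContext#current()}.
     *
     * @param str         the resource being accessed
     * @param permissions the minimum permission level required
     * @return the empty string when access is allowed
     */
    public String checkAuthorization(String str, AuthHandler.Permissions permissions) {
        return checkAuthorization(str, permissions, AuthContext.current());
    }

    /**
     * Authorizes the current caller and, on success, issues a token scoped to {@code str}.
     *
     * <p>Failures are logged at WARN with the exception (whose message may contain the principal
     * and resource name) and then rethrown unchanged.
     *
     * @param str         the resource being accessed
     * @param permissions the permission level required and recorded in the token
     * @return the compact token, or the empty string when auth is disabled
     */
    public String checkAuthorizationAndCreateToken(String str, AuthHandler.Permissions permissions) {
        if (!this.isAuthEnabled) {
            return "";
        }
        try {
            checkAuthorization(str, permissions);
            return createDelegationToken(str, permissions, this.tokenSigningKey);
        } catch (RuntimeException e) {
            log.warn("Authorization failed", e);
            throw e;
        }
    }

    /**
     * Builds a signed token whose only claim maps {@code resource} to {@code level}.
     * Performs no authorization itself; callers must have checked access first.
     */
    private String createDelegationToken(String resource, AuthHandler.Permissions level, String signingKey) {
        if (!this.isAuthEnabled) {
            return "";
        }
        // Raw type kept: the generic signature expected by JsonWebToken is not visible here.
        HashMap claims = new HashMap();
        claims.put(resource, String.valueOf(level));
        // NOTE(review): the first two arguments are presumably the token subject and audience.
        return new JsonWebToken("segmentstoreresource", "segmentstore", signingKey.getBytes(), claims, this.accessTokenTTLInSeconds).toCompactString();
    }

    /**
     * Returns a master token signed with this helper's key.
     *
     * @return the compact token, or the empty string when auth is disabled
     */
    public String retrieveMasterToken() {
        return this.isAuthEnabled ? retrieveMasterToken(this.tokenSigningKey) : "";
    }

    /**
     * Builds a token granting {@code READ_UPDATE} on the wildcard resource {@code "*"}.
     *
     * <p>No authorization check is performed and the time-to-live passed to
     * {@link JsonWebToken} is {@code null}. NOTE(review): a null TTL presumably means the token
     * does not expire; confirm against JsonWebToken. Treat the result as a long-lived
     * credential: do not log it, and rotate the signing key if it is ever exposed.
     *
     * @param str the signing key
     * @return the compact token
     */
    public static String retrieveMasterToken(String str) {
        HashMap claims = new HashMap();
        claims.put("*", String.valueOf(AuthHandler.Permissions.READ_UPDATE));
        return new JsonWebToken("segmentstoreresource", "segmentstore", str.getBytes(), claims, (Integer) null).toCompactString();
    }

    /**
     * @param z   whether auth is enabled
     * @param str the token signing key
     * @param num the delegation-token time-to-live, in seconds
     */
    @SuppressFBWarnings(justification = "generated code")
    @Generated
    @ConstructorProperties({"isAuthEnabled", "tokenSigningKey", "accessTokenTTLInSeconds"})
    public GrpcAuthHelper(boolean z, String str, Integer num) {
        this.isAuthEnabled = z;
        this.tokenSigningKey = str;
        this.accessTokenTTLInSeconds = num;
    }

    /** @return whether auth is enabled for this helper */
    @SuppressFBWarnings(justification = "generated code")
    @Generated
    public boolean isAuthEnabled() {
        return this.isAuthEnabled;
    }
}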
