package com.huawei.iotdb.db.auth.authorizer;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.huawei.iotdb.db.entity.AdminPrivilegeType;
import com.huawei.iotdb.db.util.LinuxCmdUtils;
import com.huawei.iotdb.db.util.Shell;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.authorizer.BasicAuthorizer;
import org.apache.iotdb.commons.auth.authorizer.KerberosAuthenticatorFilter;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.Role;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.auth.role.LocalFileRoleManager;
import org.apache.iotdb.commons.conf.CommonConfig;
import org.apache.iotdb.commons.conf.CommonDescriptor;
import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.rpc.TSStatusCode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/huawei/iotdb/db/auth/authorizer/IoTDBOSAuthorizer.class */
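/**
 * Authorizer that maps a user's operating-system group membership onto IoTDB roles.
 *
 * <p>Users are not stored by IoTDB at all: the user name is validated against an allow-list
 * pattern, the OS is asked (via a shell command) which groups the user belongs to, and every
 * group whose name equals an existing IoTDB role contributes that role's privileges.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The user name is the only input that reaches the OS command in {@link #userGroupCache};
 *       {@link #isValid(String)} is the gate and must be called before every cache lookup.</li>
 *   <li>OS group lookups are cached for {@link #TTL} seconds, so a group change on the host
 *       (including a revocation) can take up to that long to be reflected here.</li>
 *   <li>The OS {@code root} account is always rejected and can never be mapped to roles.</li>
 * </ul>
 */
public class IoTDBOSAuthorizer extends KerberosAuthenticatorFilter {
    /**
     * Allow-list for user names: 3 to 64 characters, first one alphanumeric / '_' / '/' / whitespace,
     * the rest may additionally contain '-'.
     *
     * NOTE(review): this pattern admits whitespace and '/' in a name that is later passed to
     * {@code LinuxCmdUtils.getGroupsForUserCommand}; confirm that the command is built as an
     * argument vector (not a single shell string) so such names cannot be split into extra
     * arguments.
     */
    private static final String USER_MATCHER = "(^[a-zA-Z0-9_/\\s/][a-zA-Z0-9_/\\s/-]{2,63})";
    /** Compiled once; the original recompiled the pattern on every validation call. */
    private static final Pattern USER_PATTERN = Pattern.compile(USER_MATCHER);
    /** Upper bound on cached user → OS-groups entries. */
    private static final int MAX_SIZE = 1000;
    /** Seconds an OS-group lookup stays cached after it was written. */
    private static final long TTL = 10;
    /** The OS superuser; never accepted as an IoTDB user. */
    private static final String LINUX_ROOT_USER = "root";
    // NOTE(review): the logger is bound to BasicAuthorizer.class in the original; kept as-is so
    // existing log categories/filters keep working.
    private static final Logger LOGGER = LoggerFactory.getLogger(BasicAuthorizer.class);
    private static final CommonConfig config = CommonDescriptor.getInstance().getConfig();
    /** Name of the built-in administrator role; suffixed by the multi-server rank. */
    private static final String IOTDB_GROUP = "iotdbgroup" + config.getMRSMultiServerRank();

    private final LocalFileRoleManager roleManager = new LocalFileRoleManager(config.getRoleFolder());

    /**
     * user name → raw output of the OS "groups for user" command (whitespace-separated group names).
     * Only valid (see {@link #isValid(String)}) user names may be used as keys, because the key
     * is what ends up in the command line.
     */
    private final LoadingCache<String, String> userGroupCache = CacheBuilder.newBuilder()
            .maximumSize(MAX_SIZE)
            .expireAfterWrite(TTL, TimeUnit.SECONDS)
            .build(new CacheLoader<String, String>() {
                @Override
                public String load(String userName) throws Exception {
                    return Shell.execCommand(LinuxCmdUtils.getGroupsForUserCommand(userName));
                }
            });

    /**
     * Creates the authorizer and makes sure the built-in administrator role exists.
     *
     * @throws AuthException if the role cannot be created or granted its privileges
     */
    public IoTDBOSAuthorizer() throws AuthException {
        initIoTDBGroup();
    }

    /**
     * Creates {@link #IOTDB_GROUP} and grants it every administrator privilege on the root path.
     * Privileges are granted only when the role was created by this call, so an existing role
     * is left untouched.
     *
     * NOTE(review): called from the constructor and delegates to the overridable
     * {@link #grantPrivilegeToRole}; a subclass override would run on a partially constructed
     * instance.
     *
     * @throws AuthException propagated from role creation / privilege grant
     */
    private void initIoTDBGroup() throws AuthException {
        // createRole returns false when the role already exists.
        if (!roleManager.createRole(IOTDB_GROUP)) {
            return;
        }
        Iterator<Integer> adminPrivileges = AdminPrivilegeType.getAdminPrivileges().iterator();
        while (adminPrivileges.hasNext()) {
            grantPrivilegeToRole(IOTDB_GROUP, AuthUtils.ROOT_PATH_PRIVILEGE, adminPrivileges.next());
        }
    }

    /**
     * Checks whether any IoTDB role that shares its name with one of the user's OS groups grants
     * the given privilege on the given path.
     *
     * @param userName    user to check; rejected (returns {@code false}) if it fails {@link #isValid(String)}
     * @param path        path the privilege is requested on
     * @param privilegeId ordinal of the {@link PrivilegeType} being requested
     * @return {@code true} if at least one matching role grants the privilege
     * @throws AuthException if the OS group lookup fails (wrapped as {@code AUTH_IO_EXCEPTION})
     */
    @Override
    public boolean checkUserPrivileges(String userName, String path, int privilegeId) throws AuthException {
        // Validation must happen before the cache lookup: the key is used to build an OS command.
        if (!isValid(userName)) {
            LOGGER.error("The user name:{} is invalid.", userName);
            return false;
        }
        try {
            String osGroups = userGroupCache.get(userName);
            LOGGER.debug("The System group is {}", osGroups);
            List<String> allRoles = roleManager.listAllRoles();
            // Set lookup instead of the original identity HashMap (role → role).
            Set<String> knownRoles = new HashSet<>(allRoles);
            StringTokenizer tokens = new StringTokenizer(osGroups);
            while (tokens.hasMoreTokens()) {
                String group = tokens.nextToken();
                if (knownRoles.contains(group) && roleManager.getRole(group).checkPrivilege(path, privilegeId)) {
                    return true;
                }
            }
            LOGGER.debug("rolenames list is:{}", allRoles);
            LOGGER.warn("User {} do not has {} on {}", userName, PrivilegeType.values()[privilegeId], path);
            return false;
        } catch (ExecutionException e) {
            LOGGER.error("Failed to get userGroup from cache, username is {}", userName, e);
            throw new AuthException(TSStatusCode.AUTH_IO_EXCEPTION, e);
        }
    }

    /**
     * Allow-list check for a user name: non-null, not the OS root account, and fully matching
     * {@link #USER_MATCHER}.
     *
     * @param userName name to validate; {@code null} is reported as invalid rather than throwing
     * @return {@code true} if the name may be used for an OS group lookup
     */
    public static boolean isValid(String userName) {
        return userName != null
                && !LINUX_ROOT_USER.equals(userName)
                && USER_PATTERN.matcher(userName).matches();
    }

    /**
     * Creates a new role.
     *
     * @param roleName name of the role
     * @throws AuthException with {@code ROLE_ALREADY_EXIST} if the role is already present
     */
    @Override
    public void createRole(String roleName) throws AuthException {
        if (!roleManager.createRole(roleName)) {
            throw new AuthException(TSStatusCode.ROLE_ALREADY_EXIST, String.format("Role %s already exists", roleName));
        }
    }

    /**
     * Deletes a role.
     *
     * @param roleName name of the role
     * @throws AuthException with {@code ROLE_NOT_EXIST} if no such role exists
     */
    @Override
    public void deleteRole(String roleName) throws AuthException {
        if (!roleManager.deleteRole(roleName)) {
            throw new AuthException(TSStatusCode.ROLE_NOT_EXIST, String.format("Role %s does not exist", roleName));
        }
    }

    /**
     * Path a privilege is actually stored on: path-irrelevant privileges are always recorded on
     * the root path regardless of what the caller passed.
     */
    private static String effectivePath(String path, int privilegeId) {
        return PrivilegeType.isPathRelevant(privilegeId) ? path : AuthUtils.ROOT_PATH_PRIVILEGE;
    }

    /**
     * Grants a privilege on a path to a role.
     *
     * @param roleName    role receiving the privilege
     * @param path        requested path; ignored (root path used) for path-irrelevant privileges
     * @param privilegeId ordinal of the {@link PrivilegeType}
     * @throws AuthException with {@code ALREADY_HAS_PRIVILEGE} if the role already holds it
     */
    @Override
    public void grantPrivilegeToRole(String roleName, String path, int privilegeId) throws AuthException {
        if (!roleManager.grantPrivilegeToRole(roleName, effectivePath(path, privilegeId), privilegeId)) {
            throw new AuthException(TSStatusCode.ALREADY_HAS_PRIVILEGE,
                    String.format("Role %s already has %s on %s", roleName, PrivilegeType.values()[privilegeId], path));
        }
    }

    /**
     * Revokes a privilege on a path from a role.
     *
     * @param roleName    role losing the privilege
     * @param path        requested path; ignored (root path used) for path-irrelevant privileges
     * @param privilegeId ordinal of the {@link PrivilegeType}
     * @throws AuthException with {@code NOT_HAS_PRIVILEGE} if the role does not hold it
     */
    @Override
    public void revokePrivilegeFromRole(String roleName, String path, int privilegeId) throws AuthException {
        if (!roleManager.revokePrivilegeFromRole(roleName, effectivePath(path, privilegeId), privilegeId)) {
            throw new AuthException(TSStatusCode.NOT_HAS_PRIVILEGE,
                    String.format("Role %s does not have %s on %s", roleName, PrivilegeType.values()[privilegeId], path));
        }
    }

    /** @return names of all roles known to the role manager */
    @Override
    public List<String> listAllRoles() {
        return roleManager.listAllRoles();
    }

    /**
     * @param roleName name of the role
     * @return the role as stored by the role manager
     * @throws AuthException propagated from the role manager
     */
    @Override
    public Role getRole(String roleName) throws AuthException {
        return roleManager.getRole(roleName);
    }

    /**
     * Replaces the whole role set.
     *
     * @param roles role name → role
     * @throws AuthException propagated from the role manager
     */
    @Override
    public void replaceAllRoles(Map<String, Role> roles) throws AuthException {
        roleManager.replaceAllRoles(roles);
    }

    /**
     * Builds a {@link User} whose role list is the ordered, de-duplicated set of the user's OS
     * groups that are also IoTDB roles. The password field is always empty since the OS owns
     * authentication.
     *
     * @param userName user to look up; must pass {@link #isValid(String)}
     * @return the user, or {@code null} if the name is invalid or the OS group lookup failed
     * @throws AuthException propagated from the role manager
     */
    @Override
    public User getUser(String userName) throws AuthException {
        if (!isValid(userName)) {
            LOGGER.error("The user name:{} is invalid.", userName);
            return null;
        }
        try {
            String osGroups = userGroupCache.get(userName);
            LOGGER.debug("The System group is {}", osGroups);
            Set<String> knownRoles = new HashSet<>(roleManager.listAllRoles());
            // LinkedHashSet keeps first-seen order while de-duplicating, as the original list did.
            Set<String> matchedRoles = new LinkedHashSet<>();
            StringTokenizer tokens = new StringTokenizer(osGroups);
            while (tokens.hasMoreTokens()) {
                String group = tokens.nextToken();
                if (knownRoles.contains(group)) {
                    matchedRoles.add(group);
                }
            }
            List<String> roleList = new ArrayList<>(matchedRoles);
            User user = new User(userName, "");
            user.setRoleList(roleList);
            LOGGER.debug("User is {}, and role is {}", userName, roleList);
            return user;
        } catch (ExecutionException e) {
            LOGGER.error("Failed to get userGroup from cache, username is {}, maybe user is invalid", userName, e);
            return null;
        }
    }
}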
