package org.apache.pinot.broker.broker;

import com.google.common.base.Preconditions;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.helix.store.zk.ZkHelixPropertyStore;
import org.apache.helix.zookeeper.datamodel.ZNRecord;
import org.apache.pinot.broker.api.AccessControl;
import org.apache.pinot.broker.api.HttpRequesterIdentity;
import org.apache.pinot.broker.api.RequesterIdentity;
import org.apache.pinot.common.config.provider.AccessControlUserCache;
import org.apache.pinot.common.request.BrokerRequest;
import org.apache.pinot.common.utils.BcryptUtils;
import org.apache.pinot.core.auth.BasicAuthUtils;
import org.apache.pinot.core.auth.ZkBasicAuthPrincipal;
import org.apache.pinot.spi.env.PinotConfiguration;

/* loaded from: input_file:org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.class */
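/**
 * Broker {@link AccessControlFactory} that checks HTTP Basic credentials against the broker user
 * configs exposed by an {@link AccessControlUserCache}.
 *
 * <p>{@link #init} builds one {@link AccessControl} instance; {@link #create} hands out that same
 * instance on every call.
 */
public class ZkBasicAuthAccessControlFactory extends AccessControlFactory {
    private static final String HEADER_AUTHORIZATION = "authorization";
    private AccessControl _accessControl;

    /**
     * Access control that authenticates the {@code authorization} header values of an
     * {@link HttpRequesterIdentity} and then checks table access on the matched principal.
     */
    private static class BasicAuthAccessControl implements AccessControl {
        private final AccessControlUserCache _userCache;

        public BasicAuthAccessControl(AccessControlUserCache accessControlUserCache) {
            this._userCache = accessControlUserCache;
        }

        /**
         * Checks access for a request that is not tied to any table.
         *
         * @param requesterIdentity identity carrying the HTTP headers of the caller
         * @return {@code true} only when the caller presents valid credentials
         */
        @Override
        public boolean hasAccess(RequesterIdentity requesterIdentity) {
            return hasAccess(requesterIdentity, (BrokerRequest) null);
        }

        /**
         * Checks access for a broker request.
         *
         * <p>The caller is always authenticated, including when the request is {@code null} or names no
         * table. Returning {@code true} for such requests without looking at the credentials would let an
         * unauthenticated caller through, and would disagree with the {@code Set} overload, which requires
         * a valid principal even for an empty table set.
         *
         * @param requesterIdentity identity carrying the HTTP headers of the caller
         * @param brokerRequest request whose query source may name a table; may be {@code null}
         * @return {@code true} when the caller is authenticated and, if a table is named, the matched
         *     principal reports access to it
         */
        @Override
        public boolean hasAccess(RequesterIdentity requesterIdentity, BrokerRequest brokerRequest) {
            boolean namesTable = brokerRequest != null
                && brokerRequest.isSetQuerySource()
                && brokerRequest.getQuerySource().isSetTableName();
            Set<String> tables = namesTable
                ? Collections.singleton(brokerRequest.getQuerySource().getTableName())
                : Collections.<String>emptySet();
            return hasAccess(requesterIdentity, tables);
        }

        /**
         * Checks access to a set of tables.
         *
         * @param requesterIdentity identity carrying the HTTP headers of the caller
         * @param set table names to check; {@code null} or empty means "authentication only"
         * @return {@code false} when no credential matches a configured user or when the matched
         *     principal's {@code hasTable} rejects any of the names; {@code true} otherwise
         */
        @Override
        public boolean hasAccess(RequesterIdentity requesterIdentity, Set<String> set) {
            Optional<ZkBasicAuthPrincipal> principalAuth = getPrincipalAuth(requesterIdentity);
            if (!principalAuth.isPresent()) {
                return false;
            }
            if (set == null || set.isEmpty()) {
                return true;
            }
            ZkBasicAuthPrincipal principal = principalAuth.get();
            return set.stream().allMatch(principal::hasTable);
        }

        /**
         * Resolves the first {@code authorization} header value whose username is a configured broker
         * user and whose password passes {@link BcryptUtils#checkpw} against that user's stored password.
         *
         * <p>The user list is read from the cache on every call and kept in a local map. Credentials are
         * evaluated one header value at a time, so a missing header, an unknown username, a repeated
         * username or two users sharing a password all end in a plain "no match" or a normal match rather
         * than an exception out of {@code Collectors.toMap}.
         *
         * @param requesterIdentity must be an {@link HttpRequesterIdentity}
         * @return the authenticated principal, or empty when no presented credential is valid
         * @throws IllegalArgumentException if {@code requesterIdentity} is not an
         *     {@link HttpRequesterIdentity}
         */
        private Optional<ZkBasicAuthPrincipal> getPrincipalAuth(RequesterIdentity requesterIdentity) {
            Preconditions.checkArgument(requesterIdentity instanceof HttpRequesterIdentity, "HttpRequesterIdentity required");
            Collection<String> tokens =
                ((HttpRequesterIdentity) requesterIdentity).getHttpHeaders().get(HEADER_AUTHORIZATION);
            if (tokens == null || tokens.isEmpty()) {
                // No credentials presented: deny instead of dereferencing a missing header.
                return Optional.empty();
            }

            Map<String, ZkBasicAuthPrincipal> principalsByName =
                BasicAuthUtils.extractBasicAuthPrincipals(_userCache.getAllBrokerUserConfig()).stream()
                    .collect(Collectors.toMap(ZkBasicAuthPrincipal::getName, Function.identity()));

            for (String token : tokens) {
                // NOTE(review): behaviour of extractUsername/extractPassword on a malformed or non-Basic
                // header value is not visible here - confirm they cannot leak an unexpected exception.
                String username = BasicAuthUtils.extractUsername(token);
                String password = BasicAuthUtils.extractPassword(token);
                if (username == null || password == null) {
                    continue;
                }
                ZkBasicAuthPrincipal principal = principalsByName.get(username);
                // NOTE(review): an unknown username is rejected without a bcrypt comparison, so the
                // response time can differ from a wrong-password attempt - confirm this is acceptable.
                if (principal != null && BcryptUtils.checkpw(password, principal.getPassword())) {
                    return Optional.of(principal);
                }
            }
            return Optional.empty();
        }
    }

    /**
     * Creates the access control backed by a user cache over the given property store.
     *
     * @param pinotConfiguration not read by this implementation
     * @param zkHelixPropertyStore property store handed to the {@link AccessControlUserCache}
     */
    @Override
    public void init(PinotConfiguration pinotConfiguration, ZkHelixPropertyStore<ZNRecord> zkHelixPropertyStore) {
        this._accessControl = new BasicAuthAccessControl(new AccessControlUserCache(zkHelixPropertyStore));
    }

    /**
     * Returns the access control built by {@link #init}.
     *
     * @return the shared instance, or {@code null} if {@link #init} has not been called
     */
    @Override
    public AccessControl create() {
        return this._accessControl;
    }
}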
