package org.apache.sentry.binding.hbaseindexer.rest;

import com.ngdata.hbaseindexer.compatrest.CliCompatibleIndexResource;
import com.ngdata.hbaseindexer.model.api.IndexerDefinition;
import com.ngdata.hbaseindexer.model.impl.IndexerDefinitionJsonSerDeser;
import com.ngdata.hbaseindexer.servlet.IndexerServerException;
import java.io.IOException;
import java.util.Collection;
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import org.apache.sentry.binding.hbaseindexer.authz.HBaseIndexerAuthzBinding;
import org.apache.sentry.binding.hbaseindexer.authz.SentryHBaseIndexerAuthorizationException;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.indexer.Indexer;
import org.apache.sentry.core.model.indexer.IndexerModelAction;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.server.auth.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Path("indexer")
/* loaded from: input_file:org/apache/sentry/binding/hbaseindexer/rest/SentryIndexResource.class */
public class SentryIndexResource extends CliCompatibleIndexResource {
    private static Logger log = LoggerFactory.getLogger(SentryIndexResource.class);
    public static final String SENTRY_SITE = "sentry.hbaseindexer.sentry.site";
    public static final String SENTRY_BINDING = "sentry.hbaseindexer.binding";
    protected HBaseIndexerAuthzBinding authzBinding;

    public SentryIndexResource(@Context ServletContext servletContext) {
        if (servletContext.getAttribute(SENTRY_BINDING) != null) {
            this.authzBinding = (HBaseIndexerAuthzBinding) servletContext.getAttribute(SENTRY_BINDING);
        }
    }

    @Override // com.ngdata.hbaseindexer.compatrest.CliCompatibleIndexResource
    @GET
    @Produces({"application/json"})
    public Collection<IndexerDefinition> get(@Context UriInfo uriInfo, @Context SecurityContext securityContext) throws IndexerServerException {
        if (this.authzBinding == null) {
            throwNullBindingException();
        }
        try {
            return this.authzBinding.filterIndexers(getSubject(securityContext), super.get(uriInfo, securityContext));
        } catch (SentryHBaseIndexerAuthorizationException e) {
            throw new IndexerServerException(401, e);
        }
    }

    @Override // com.ngdata.hbaseindexer.compatrest.CliCompatibleIndexResource
    @Produces({"application/json"})
    @Path("{name}")
    @DELETE
    public byte[] delete(@Context SecurityContext securityContext, @PathParam("name") String str) throws IndexerServerException, InterruptedException, KeeperException {
        if (this.authzBinding == null) {
            throwNullBindingException();
        }
        try {
            this.authzBinding.authorizeIndexerAction(getSubject(securityContext), new Indexer(str), EnumSet.of(IndexerModelAction.WRITE));
            return super.delete(securityContext, str);
        } catch (SentryHBaseIndexerAuthorizationException e) {
            throw new IndexerServerException(401, e);
        }
    }

    @Override // com.ngdata.hbaseindexer.compatrest.CliCompatibleIndexResource
    @Path("{name}")
    @Consumes({"application/json"})
    @Produces({"application/json"})
    @PUT
    public byte[] put(@Context SecurityContext securityContext, @PathParam("name") String str, byte[] bArr) throws IndexerServerException {
        if (this.authzBinding == null) {
            throwNullBindingException();
        }
        try {
            this.authzBinding.authorizeIndexerAction(getSubject(securityContext), new Indexer(str), EnumSet.of(IndexerModelAction.WRITE));
            return super.put(securityContext, str, bArr);
        } catch (SentryHBaseIndexerAuthorizationException e) {
            throw new IndexerServerException(401, e);
        }
    }

    @Override // com.ngdata.hbaseindexer.compatrest.CliCompatibleIndexResource
    @POST
    @Produces({"application/json"})
    @Consumes({"application/json"})
    public byte[] post(@Context SecurityContext securityContext, byte[] bArr) throws IndexerServerException {
        if (this.authzBinding == null) {
            throwNullBindingException();
        }
        try {
            this.authzBinding.authorizeIndexerAction(getSubject(securityContext), new Indexer(getIndexerFromJson(bArr).getName()), EnumSet.of(IndexerModelAction.WRITE));
            return super.post(securityContext, bArr);
        } catch (SentryHBaseIndexerAuthorizationException e) {
            throw new IndexerServerException(401, e);
        }
    }

    private Subject getSubject(SecurityContext securityContext) throws SentryHBaseIndexerAuthorizationException {
        try {
            return new Subject(new KerberosName(securityContext.getUserPrincipal() != null ? securityContext.getUserPrincipal().getName() : null).getShortName());
        } catch (IOException e) {
            throw new SentryHBaseIndexerAuthorizationException("Unable to get subject", e);
        }
    }

    private IndexerDefinition getIndexerFromJson(byte[] bArr) throws IndexerServerException {
        try {
            return IndexerDefinitionJsonSerDeser.INSTANCE.fromJsonBytes(bArr).build();
        } catch (Exception e) {
            throw new IndexerServerException(401, new SentryHBaseIndexerAuthorizationException("Unable to test permissions, " + e.getMessage(), e));
        }
    }

    private void throwNullBindingException() throws IndexerServerException {
        throw new IndexerServerException(401, new SentryHBaseIndexerAuthorizationException("HBaseIndexer-Sentry binding was not created successfully. Defaulting to no access"));
    }
}
