package com.facebook.airlift.jaxrs;

import com.facebook.airlift.http.server.AuthorizationResult;
import com.facebook.airlift.http.server.Authorizer;
import com.facebook.airlift.http.server.HttpServerConfig;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Inject;
import java.security.Principal;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

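/**
 * JAX-RS request filter that enforces role-based access on matched resources.
 *
 * <p>Decision order, as implemented in {@link #filter}:
 * <ol>
 *   <li>A request without a user principal is rejected with 403.</li>
 *   <li>If the matched method, or failing that its class, carries {@link RolesAllowed}, those roles
 *       (after the optional per-class role mapping) are handed to the {@link Authorizer}.</li>
 *   <li>Otherwise the configured default policy applies: {@code ALLOW} lets the request through
 *       without consulting the authorizer, {@code DENY} rejects it, and {@code DEFAULT_ROLES}
 *       authorizes against the configured default role set.</li>
 * </ol>
 *
 * <p>Only {@link RolesAllowed} is consulted. Other {@code javax.annotation.security} annotations
 * such as {@code @PermitAll} or {@code @DenyAll} are not read by this class, so a resource that
 * uses them is treated as unannotated and falls under the default policy.
 */
@Provider
public class AuthorizationFilter implements ContainerRequestFilter {
    private final Authorizer authorizer;
    private final HttpServerConfig.AuthorizationPolicy authorizationPolicy;
    private final Set<String> defaultAllowedRoles;
    // Per resource class: logical role name (as written in @RolesAllowed) -> role name to check.
    private final Map<Class<?>, Map<String, String>> roleMaps;

    // Injected by the JAX-RS runtime; describes the resource class/method matched for the request.
    @Context
    private ResourceInfo resourceInfo;

    /**
     * Creates the filter from server configuration.
     *
     * @param authorizer component that makes the final allow/deny decision
     * @param httpServerConfig supplies the default authorization policy and default allowed roles
     * @param map per-resource-class role name mapping (bound with {@link RoleMapping})
     */
    @Inject
    public AuthorizationFilter(Authorizer authorizer, HttpServerConfig httpServerConfig, @RoleMapping Map<Class<?>, Map<String, String>> map) {
        this(authorizer, httpServerConfig.getDefaultAuthorizationPolicy(), httpServerConfig.getDefaultAllowedRoles(), map);
    }

    /**
     * Creates the filter from explicit settings.
     *
     * @param authorizer component that makes the final allow/deny decision
     * @param authorizationPolicy policy applied to resources without {@link RolesAllowed}
     * @param set roles used when the policy is {@code DEFAULT_ROLES}
     * @param map per-resource-class role name mapping
     * @throws NullPointerException if any argument is null
     */
    @VisibleForTesting
    public AuthorizationFilter(Authorizer authorizer, HttpServerConfig.AuthorizationPolicy authorizationPolicy, Set<String> set, Map<Class<?>, Map<String, String>> map) {
        // requireNonNull is generic, so no (raw) casts are needed on its result.
        this.authorizer = Objects.requireNonNull(authorizer, "authorizer is null");
        this.authorizationPolicy = Objects.requireNonNull(authorizationPolicy, "authorizationPolicy is null");
        this.defaultAllowedRoles = Objects.requireNonNull(set, "defaultAllowedRoles is null");
        this.roleMaps = Objects.requireNonNull(map, "roleMaps is null");
    }

    /**
     * Authorizes the request, aborting it with 403 Forbidden when access is not granted.
     *
     * <p>The 403 body echoes the principal name and, for authorizer denials, the authorizer's
     * reason string back to the caller, so an {@link Authorizer} should keep its reason free of
     * policy details that clients must not learn.
     *
     * @param containerRequestContext the request being filtered
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        if (userPrincipal == null) {
            containerRequestContext.abortWith(forbidden("Request principal is missing."));
            return;
        }

        Set<String> rolesToCheck;
        Optional<Set<String>> declaredRoles = getAllowedRoles();
        if (declaredRoles.isPresent()) {
            rolesToCheck = mapRoles(declaredRoles.get());
        } else {
            switch (this.authorizationPolicy) {
                case ALLOW:
                    // Unannotated resource under ALLOW: any request with a principal passes,
                    // and the authorizer is never consulted.
                    return;
                case DEFAULT_ROLES:
                    // The default roles are used as configured; the role mapping is not applied.
                    rolesToCheck = this.defaultAllowedRoles;
                    break;
                case DENY:
                default:
                    // Fail closed: a policy value not handled above is treated like DENY instead
                    // of reaching the authorizer call with no role set.
                    containerRequestContext.abortWith(forbidden(String.format("Principal %s is not allowed to access the resource. Reason: denied by default policy", userPrincipal.getName())));
                    return;
            }
        }

        // The full request URI string (as returned by getRequestUri()) is passed to the authorizer.
        AuthorizationResult authorize = this.authorizer.authorize(userPrincipal, rolesToCheck, containerRequestContext.getUriInfo().getRequestUri().toString());
        if (!authorize.isAllowed()) {
            containerRequestContext.abortWith(forbidden(String.format("Principal %s is not allowed to access the resource. Reason: %s", userPrincipal.getName(), authorize.getReason())));
        }
    }

    /**
     * Translates declared role names through the mapping registered for the matched resource
     * class. Roles without a mapping entry, and all roles of a class without a mapping, are
     * returned unchanged.
     */
    private Set<String> mapRoles(Set<String> declaredRoles) {
        Class<?> resourceClass = this.resourceInfo.getResourceClass();
        if (!this.roleMaps.containsKey(resourceClass)) {
            return declaredRoles;
        }
        // Looked up once rather than once per role.
        Map<String, String> mapping = this.roleMaps.get(resourceClass);
        return declaredRoles.stream()
                .map(role -> mapping.getOrDefault(role, role))
                .collect(ImmutableSet.toImmutableSet());
    }

    /**
     * Returns the roles declared through {@link RolesAllowed} for the matched resource.
     * A method-level annotation takes precedence over a class-level one.
     *
     * @return the declared roles, or empty when neither the method nor the class is annotated
     */
    private Optional<Set<String>> getAllowedRoles() {
        RolesAllowed onMethod = this.resourceInfo.getResourceMethod().getAnnotation(RolesAllowed.class);
        if (onMethod != null) {
            return Optional.of(ImmutableSet.copyOf(onMethod.value()));
        }
        RolesAllowed onClass = this.resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class);
        if (onClass != null) {
            return Optional.of(ImmutableSet.copyOf(onClass.value()));
        }
        return Optional.empty();
    }

    /** Builds the 403 Forbidden response carrying the given message as its entity. */
    private static Response forbidden(String message) {
        return Response.status(Response.Status.FORBIDDEN).entity(message).build();
    }
}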
