package org.apache.hadoop.fs.azure;

import com.facebook.presto.hadoop.$internal.com.fasterxml.jackson.core.JsonParseException;
import com.facebook.presto.hadoop.$internal.com.fasterxml.jackson.databind.JsonMappingException;
import com.facebook.presto.hadoop.$internal.com.fasterxml.jackson.databind.ObjectMapper;
import com.facebook.presto.hadoop.$internal.com.fasterxml.jackson.databind.ObjectReader;
import com.facebook.presto.hadoop.$internal.com.google.common.annotations.VisibleForTesting;
import com.facebook.presto.hadoop.$internal.org.apache.commons.lang3.StringUtils;
import com.facebook.presto.hadoop.$internal.org.apache.http.client.utils.URIBuilder;
import com.facebook.presto.hadoop.$internal.org.slf4j.Logger;
import com.facebook.presto.hadoop.$internal.org.slf4j.LoggerFactory;
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.azure.NativeAzureFileSystem;
import org.apache.hadoop.fs.azure.security.Constants;
import org.apache.hadoop.io.retry.RetryPolicy;
import org.apache.hadoop.io.retry.RetryUtils;
import org.apache.hadoop.security.UserGroupInformation;

/* loaded from: input_file:org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.class */
public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
    public static final Logger LOG = LoggerFactory.getLogger((Class<?>) RemoteWasbAuthorizerImpl.class);
    private static final ObjectReader RESPONSE_READER = new ObjectMapper().readerFor(RemoteWasbAuthorizerResponse.class);
    public static final String KEY_REMOTE_AUTH_SERVICE_URLS = "fs.azure.authorization.remote.service.urls";
    private static final String CHECK_AUTHORIZATION_OP = "CHECK_AUTHORIZATION";
    private static final String ACCESS_OPERATION_QUERY_PARAM_NAME = "operation_type";
    private static final String WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME = "wasb_absolute_path";
    private static final String WASB_RESOURCE_OWNER_QUERY_PARAM_NAME = "wasb_resource_owner";
    private static final String AUTHORIZER_HTTP_CLIENT_RETRY_POLICY_ENABLED_KEY = "fs.azure.authorizer.http.retry.policy.enabled";
    private static final String AUTHORIZER_HTTP_CLIENT_RETRY_POLICY_SPEC_SPEC = "fs.azure.authorizer.http.retry.policy.spec";
    private static final String AUTHORIZER_HTTP_CLIENT_RETRY_POLICY_SPEC_DEFAULT = "10,3,100,2";
    private static final String AUTHORIZATION_CACHEENTRY_EXPIRY_PERIOD = "fs.azure.authorization.cacheentry.expiry.period";
    private boolean isKerberosSupportEnabled;
    private boolean isSpnegoTokenCacheEnabled;
    private RetryPolicy retryPolicy;
    private CachingAuthorizer<CachedAuthorizerEntry, Boolean> cache;
    private WasbRemoteCallHelper remoteCallHelper = null;
    private String[] commaSeparatedUrls = null;

    @VisibleForTesting
    public void updateWasbRemoteCallHelper(WasbRemoteCallHelper wasbRemoteCallHelper) {
        this.remoteCallHelper = wasbRemoteCallHelper;
    }

    @Override // org.apache.hadoop.fs.azure.WasbAuthorizerInterface
    public void init(Configuration configuration) throws IOException {
        LOG.debug("Initializing RemoteWasbAuthorizerImpl instance");
        this.isKerberosSupportEnabled = configuration.getBoolean(Constants.AZURE_KERBEROS_SUPPORT_PROPERTY_NAME, false);
        this.isSpnegoTokenCacheEnabled = configuration.getBoolean(Constants.AZURE_ENABLE_SPNEGO_TOKEN_CACHE, true);
        this.commaSeparatedUrls = configuration.getTrimmedStrings(KEY_REMOTE_AUTH_SERVICE_URLS);
        if (this.commaSeparatedUrls == null || this.commaSeparatedUrls.length <= 0) {
            throw new IOException("fs.azure.authorization.remote.service.urls config not set in configuration.");
        }
        this.retryPolicy = RetryUtils.getMultipleLinearRandomRetry(configuration, AUTHORIZER_HTTP_CLIENT_RETRY_POLICY_ENABLED_KEY, true, AUTHORIZER_HTTP_CLIENT_RETRY_POLICY_SPEC_SPEC, AUTHORIZER_HTTP_CLIENT_RETRY_POLICY_SPEC_DEFAULT);
        if (this.isKerberosSupportEnabled && UserGroupInformation.isSecurityEnabled()) {
            this.remoteCallHelper = new SecureWasbRemoteCallHelper(this.retryPolicy, false, this.isSpnegoTokenCacheEnabled);
        } else {
            this.remoteCallHelper = new WasbRemoteCallHelper(this.retryPolicy);
        }
        this.cache = new CachingAuthorizer<>(configuration.getTimeDuration(AUTHORIZATION_CACHEENTRY_EXPIRY_PERIOD, 5L, TimeUnit.MINUTES), "AUTHORIZATION");
        this.cache.init(configuration);
    }

    @Override // org.apache.hadoop.fs.azure.WasbAuthorizerInterface
    public boolean authorize(String str, String str2, String str3) throws IOException {
        if (str.endsWith(NativeAzureFileSystem.FolderRenamePending.SUFFIX)) {
            return true;
        }
        CachedAuthorizerEntry cachedAuthorizerEntry = new CachedAuthorizerEntry(str, str2, str3);
        Boolean bool = this.cache.get(cachedAuthorizerEntry);
        if (bool != null) {
            return bool.booleanValue();
        }
        boolean authorizeInternal = authorizeInternal(str, str2, str3);
        this.cache.put(cachedAuthorizerEntry, Boolean.valueOf(authorizeInternal));
        return authorizeInternal;
    }

    private boolean authorizeInternal(String str, String str2, String str3) throws IOException {
        try {
            URIBuilder uRIBuilder = new URIBuilder();
            uRIBuilder.setPath("/CHECK_AUTHORIZATION");
            uRIBuilder.addParameter(WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME, str);
            uRIBuilder.addParameter(ACCESS_OPERATION_QUERY_PARAM_NAME, str2);
            if (str3 != null && StringUtils.isNotEmpty(str3)) {
                uRIBuilder.addParameter(WASB_RESOURCE_OWNER_QUERY_PARAM_NAME, str3);
            }
            RemoteWasbAuthorizerResponse remoteWasbAuthorizerResponse = (RemoteWasbAuthorizerResponse) RESPONSE_READER.readValue(this.remoteCallHelper.makeRemoteRequest(this.commaSeparatedUrls, uRIBuilder.getPath(), uRIBuilder.getQueryParams(), "GET"));
            if (remoteWasbAuthorizerResponse == null) {
                throw new WasbAuthorizationException("RemoteWasbAuthorizerResponse object null from remote call");
            }
            if (remoteWasbAuthorizerResponse.getResponseCode() == 0) {
                return remoteWasbAuthorizerResponse.getAuthorizationResult();
            }
            throw new WasbAuthorizationException("Remote authorization service encountered an error " + remoteWasbAuthorizerResponse.getResponseMessage());
        } catch (JsonParseException | JsonMappingException | WasbRemoteCallException e) {
            throw new WasbAuthorizationException(e);
        }
    }
}
