package com.hortonworks.smm.kafka.services.security.impl;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.hortonworks.smm.kafka.services.security.AuthenticationContext;
import com.hortonworks.smm.kafka.services.security.AuthorizerConfiguration;
import com.hortonworks.smm.kafka.services.security.KafkaAuthorizerConfiguration;
import com.hortonworks.smm.kafka.services.security.Permission;
import com.hortonworks.smm.kafka.services.security.ResourceType;
import com.hortonworks.smm.kafka.services.security.SMMAuthorizer;
import com.hortonworks.smm.kafka.services.security.SecurityUtil;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.network.ClientInformation;
import org.apache.kafka.common.network.ListenerName;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.kafka.common.requests.RequestContext;
import org.apache.kafka.common.requests.RequestHeader;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/hortonworks/smm/kafka/services/security/impl/DefaultSMMAuthorizer.class */
public class DefaultSMMAuthorizer implements SMMAuthorizer {
    static final String CACHE_EXPIRATION_MILLIS = "auth.cache.expiration.ms";
    static final String CACHE_MAXIMUM_SIZE = "auth.cache.maximum.size";
    static final String CACHE_CONCURRENCY_LEVEL = "auth.cache.concurrency.level";
    private static final Logger LOG = LoggerFactory.getLogger(DefaultSMMAuthorizer.class);
    private Authorizer kafkaAuthorizer;
    private LoadingCache<AuthKey, Boolean> authCache;
    private final InetAddress clientAddress = getLocalInetAddress();
    private final AtomicInteger correlationId = new AtomicInteger();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/hortonworks/smm/kafka/services/security/impl/DefaultSMMAuthorizer$AuthKey.class */
    public static class AuthKey {
        final String userName;
        final ResourceType resourceType;
        final String resourceName;
        final Permission permission;

        public AuthKey(String str, ResourceType resourceType, String str2, Permission permission) {
            this.userName = str;
            this.resourceType = resourceType;
            this.resourceName = str2;
            this.permission = permission;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            AuthKey authKey = (AuthKey) obj;
            return this.userName.equals(authKey.userName) && this.resourceType == authKey.resourceType && this.resourceName.equals(authKey.resourceName) && this.permission == authKey.permission;
        }

        public int hashCode() {
            return Objects.hash(this.userName, this.resourceType, this.resourceName, this.permission);
        }
    }

    @Override // com.hortonworks.smm.kafka.services.security.SMMAuthorizer
    public void init(AuthorizerConfiguration authorizerConfiguration) {
        initKafkaAuthorizer(authorizerConfiguration);
        initCache(authorizerConfiguration);
    }

    private void initCache(AuthorizerConfiguration authorizerConfiguration) {
        Integer valueOf = Integer.valueOf(authorizerConfiguration.getProperties().getOrDefault(CACHE_EXPIRATION_MILLIS, "30000").toString());
        Integer valueOf2 = Integer.valueOf(authorizerConfiguration.getProperties().getOrDefault(CACHE_MAXIMUM_SIZE, "10000").toString());
        Integer valueOf3 = Integer.valueOf(authorizerConfiguration.getProperties().getOrDefault(CACHE_CONCURRENCY_LEVEL, "4").toString());
        LOG.info("Initializing auth cache with expiration: {} ms, max. entries: {}, concurrency level: {}", new Object[]{valueOf, valueOf2, valueOf3});
        this.authCache = CacheBuilder.newBuilder().expireAfterWrite(Duration.ofMillis(valueOf.intValue())).maximumSize(valueOf2.intValue()).concurrencyLevel(valueOf3.intValue()).build(new CacheLoader<AuthKey, Boolean>() { // from class: com.hortonworks.smm.kafka.services.security.impl.DefaultSMMAuthorizer.1
            public Boolean load(AuthKey authKey) throws Exception {
                return Boolean.valueOf(DefaultSMMAuthorizer.this.authorize(authKey.userName, authKey.resourceType, authKey.resourceName, authKey.permission));
            }
        });
    }

    private void initKafkaAuthorizer(AuthorizerConfiguration authorizerConfiguration) {
        try {
            LOG.info("AuthorizerConfiguration : {}", authorizerConfiguration);
            KafkaAuthorizerConfiguration kafkaAuthorizerConfiguration = authorizerConfiguration.getKafkaAuthorizerConfiguration();
            String className = kafkaAuthorizerConfiguration == null ? "" : kafkaAuthorizerConfiguration.getClassName();
            if (!StringUtils.isNotEmpty(className)) {
                throw new IllegalArgumentException("kafkaAuthorizerClass cannot be empty");
            }
            Object newInstance = Class.forName(className).getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
            if (!(newInstance instanceof Authorizer)) {
                throw new IllegalArgumentException("kafkaAuthorizerClass is not implementing the required Authorizer interface");
            }
            this.kafkaAuthorizer = (Authorizer) newInstance;
            Map<String, Object> properties = kafkaAuthorizerConfiguration != null ? kafkaAuthorizerConfiguration.getProperties() : null;
            if (properties == null) {
                properties = new HashMap();
            }
            prepareKafkaConfigs(properties);
            this.kafkaAuthorizer.configure(properties);
        } catch (Exception e) {
            LOG.error("Error while instantiating DefaultSMMAuthorizer", e);
            throw new IllegalStateException("Error while instantiating DefaultSMMAuthorizer");
        }
    }

    private void prepareKafkaConfigs(Map<String, Object> map) {
        map.putIfAbsent("sasl.kerberos.ticket.renew.window.factor", Double.valueOf(0.8d));
        map.putIfAbsent("sasl.kerberos.ticket.renew.jitter", Double.valueOf(0.05d));
        map.putIfAbsent("sasl.kerberos.min.time.before.relogin", 60000L);
        map.putIfAbsent("sasl.kerberos.kinit.cmd", "/usr/bin/kinit");
    }

    private InetAddress getLocalInetAddress() {
        try {
            return InetAddress.getLocalHost();
        } catch (UnknownHostException e) {
            LOG.error("Error while getting LocalIpAddress", e);
            return null;
        }
    }

    @Override // com.hortonworks.smm.kafka.services.security.SMMAuthorizer
    public boolean authorize(AuthenticationContext authenticationContext, ResourceType resourceType, String str, Permission permission) {
        long nanoTime = System.nanoTime();
        boolean z = false;
        try {
            z = ((Boolean) this.authCache.get(new AuthKey(SecurityUtil.getUserName(authenticationContext), resourceType, str, permission))).booleanValue();
        } catch (ExecutionException e) {
            LOG.error("Error while authorizing request for : ctx {}, resourceType {}, resourceName {}, permission {}", new Object[]{authenticationContext, resourceType, str, permission, e});
        }
        if (LOG.isDebugEnabled()) {
            long nanoTime2 = System.nanoTime() - nanoTime;
            LOG.debug("Authorization took {} ns ~= {} millis", Long.valueOf(nanoTime2), Long.valueOf(nanoTime2 / 1000000));
        }
        return z;
    }

    boolean authorize(String str, ResourceType resourceType, String str2, Permission permission) {
        LOG.debug("Received authorize request for : ctx {}, resourceType {}, resourceName {}, permission {}", new Object[]{str, resourceType, str2, permission});
        ApiKeys apiKeys = ApiKeys.FETCH;
        RequestHeader requestHeader = new RequestHeader(apiKeys, apiKeys.latestVersion(), "smm-authorizer", this.correlationId.getAndIncrement());
        SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
        List authorize = this.kafkaAuthorizer.authorize(new RequestContext(requestHeader, "smm-authorizer-connection", this.clientAddress, new KafkaPrincipal("User", str), ListenerName.forSecurityProtocol(securityProtocol), securityProtocol, ClientInformation.EMPTY, false), Collections.singletonList(new Action(AclOperation.fromString(permission.name()), new ResourcePattern(org.apache.kafka.common.resource.ResourceType.fromString(resourceType.name()), str2, PatternType.LITERAL), 1, true, true)));
        return !authorize.isEmpty() && AuthorizationResult.ALLOWED.equals(authorize.get(0));
    }

    @VisibleForTesting
    Authorizer getKafkaAuthorizer() {
        return this.kafkaAuthorizer;
    }

    @VisibleForTesting
    LoadingCache<AuthKey, Boolean> getAuthCache() {
        return this.authCache;
    }
}
