package org.apache.ranger.security.context;

import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.biz.SessionMgr;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component("rangerPreAuthSecurityHandler")
/* loaded from: input_file:WEB-INF/classes/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.class */
public class RangerPreAuthSecurityHandler {
    Logger logger = Logger.getLogger(RangerPreAuthSecurityHandler.class);

    @Autowired
    RangerDaoManager daoManager;

    @Autowired
    RESTErrorUtil restErrorUtil;

    @Autowired
    RangerAPIMapping rangerAPIMapping;

    @Autowired
    SessionMgr sessionMgr;

    public boolean isAPIAccessible(String str) throws Exception {
        if (str == null) {
            return false;
        }
        UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
        if (currentUserSession == null) {
            this.logger.warn("WARNING: UserSession found null. Some non-authorized user might be trying to access the API.");
            return false;
        }
        if (currentUserSession.isUserAdmin()) {
            if (!this.logger.isDebugEnabled()) {
                return true;
            }
            this.logger.debug("WARNING: Logged in user is System Admin, System Admin is allowed to access all the tabs except Key Manager.Reason for returning true is, In few cases system admin needs to have access on Key Manager tabs as well.");
            return true;
        }
        Set<String> associatedTabsWithAPI = this.rangerAPIMapping.getAssociatedTabsWithAPI(str);
        if (CollectionUtils.isEmpty(associatedTabsWithAPI)) {
            return true;
        }
        if (associatedTabsWithAPI.contains("Permissions") && currentUserSession.isAuditUserAdmin()) {
            return true;
        }
        return isAPIAccessible(associatedTabsWithAPI);
    }

    public boolean isAPIAccessible(Set<String> set) throws Exception {
        UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
        if (currentUserSession != null) {
            this.sessionMgr.refreshPermissionsIfNeeded(currentUserSession);
            if (currentUserSession.getRangerUserPermission() != null && CollectionUtils.containsAny(currentUserSession.getRangerUserPermission().getUserPermissions(), set)) {
                return true;
            }
        }
        throw this.restErrorUtil.createRESTException(403, "User is not allowed to access the API", true);
    }

    public boolean isAPISpnegoAccessible() {
        UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
        if (currentUserSession != null && (currentUserSession.isSpnegoEnabled().booleanValue() || currentUserSession.isUserAdmin())) {
            return true;
        }
        if (currentUserSession == null || !(currentUserSession.isUserAdmin() || currentUserSession.isKeyAdmin())) {
            throw this.restErrorUtil.createRESTException(403, "User is not allowed to access the API", true);
        }
        return true;
    }

    public boolean isAdminOrKeyAdminRole() {
        UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
        if (currentUserSession == null || !(currentUserSession.isKeyAdmin() || currentUserSession.isUserAdmin())) {
            throw this.restErrorUtil.createRESTException(401, "User is not allowed to access the API", true);
        }
        return true;
    }
}
