package org.apache.rocketmq.acl.plain;

import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.rocketmq.acl.common.AclException;
import org.apache.rocketmq.acl.common.AclUtils;
import org.apache.rocketmq.acl.common.Permission;
import org.apache.rocketmq.logging.InternalLogger;
import org.apache.rocketmq.logging.InternalLoggerFactory;
import org.apache.rocketmq.srvutil.FileWatchService;

/* loaded from: input_file:org/apache/rocketmq/acl/plain/PlainPermissionLoader.class */
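/**
 * Loads the broker's plain-text ACL file and checks incoming requests against it.
 *
 * <p>The file is read from {@code <home>/<file>}, where {@code <home>} is the
 * {@code rocketmq.home.dir} system property (falling back to the {@code ROCKETMQ_HOME}
 * environment variable) and {@code <file>} is the {@code rocketmq.acl.plain.file} system
 * property (default {@code /conf/plain_acl.yml}). The file holds account secret keys, so its
 * parsed content must never be written to logs or exception messages.
 */
public class PlainPermissionLoader {
    private static final InternalLogger log = InternalLoggerFactory.getLogger("RocketmqCommon");
    private static final String DEFAULT_PLAIN_ACL_FILE = "/conf/plain_acl.yml";
    // Not used by any method in this class.
    private final ReadWriteLock lock = new ReentrantReadWriteLock();
    private String fileHome = System.getProperty("rocketmq.home.dir", System.getenv("ROCKETMQ_HOME"));
    private String fileName = System.getProperty("rocketmq.acl.plain.file", DEFAULT_PLAIN_ACL_FILE);
    // Both tables are replaced wholesale by load(), which the file-watch listener also calls
    // (presumably on the watcher's own thread); volatile lets validate() see the swap.
    private volatile Map<String, PlainAccessResource> plainAccessResourceMap = new HashMap<>();
    private volatile List<RemoteAddressStrategy> globalWhiteRemoteAddressStrategy = new ArrayList<>();
    private RemoteAddressStrategyFactory remoteAddressStrategyFactory = new RemoteAddressStrategyFactory();
    private boolean isWatchStart;

    /**
     * One entry of the {@code accounts} list in the ACL file, as mapped from the parsed YAML.
     * Plain mutable bean; {@link #buildPlainAccessResource} turns it into the runtime form.
     */
    public static class PlainAccessConfig {
        private String accessKey;
        // Shared secret used to verify request signatures; never log or echo it.
        private String secretKey;
        private String whiteRemoteAddress;
        private boolean admin;
        private String defaultTopicPerm;
        private String defaultGroupPerm;
        private List<String> topicPerms;
        private List<String> groupPerms;

        PlainAccessConfig() {
        }

        public String getAccessKey() {
            return this.accessKey;
        }

        public void setAccessKey(String str) {
            this.accessKey = str;
        }

        public String getSecretKey() {
            return this.secretKey;
        }

        public void setSecretKey(String str) {
            this.secretKey = str;
        }

        public String getWhiteRemoteAddress() {
            return this.whiteRemoteAddress;
        }

        public void setWhiteRemoteAddress(String str) {
            this.whiteRemoteAddress = str;
        }

        public boolean isAdmin() {
            return this.admin;
        }

        public void setAdmin(boolean z) {
            this.admin = z;
        }

        public String getDefaultTopicPerm() {
            return this.defaultTopicPerm;
        }

        public void setDefaultTopicPerm(String str) {
            this.defaultTopicPerm = str;
        }

        public String getDefaultGroupPerm() {
            return this.defaultGroupPerm;
        }

        public void setDefaultGroupPerm(String str) {
            this.defaultGroupPerm = str;
        }

        public List<String> getTopicPerms() {
            return this.topicPerms;
        }

        public void setTopicPerms(List<String> list) {
            this.topicPerms = list;
        }

        public List<String> getGroupPerms() {
            return this.groupPerms;
        }

        public void setGroupPerms(List<String> list) {
            this.groupPerms = list;
        }
    }

    /**
     * Loads the ACL file once and then starts watching it for changes.
     *
     * @throws AclException if the initial load finds no data or an invalid account
     */
    public PlainPermissionLoader() {
        load();
        watch();
    }

    /** Returns the ACL file path; shared so that load() and watch() always agree on it. */
    private String aclFilePath() {
        return this.fileHome + File.separator + this.fileName;
    }

    /**
     * Parses the ACL file and replaces the in-memory whitelist and account table.
     *
     * <p>The new tables are built in locals and assigned only at the end, so a load that
     * throws leaves the previously loaded tables in place.
     *
     * @throws AclException if the file yields no data or an account entry is invalid
     */
    public void load() {
        String path = aclFilePath();
        Map<String, PlainAccessResource> accounts = new HashMap<>();
        List<RemoteAddressStrategy> globalWhitelist = new ArrayList<>();

        JSONObject aclConf = (JSONObject) AclUtils.getYamlDataObject(path, JSONObject.class);
        if (aclConf == null || aclConf.isEmpty()) {
            throw new AclException(String.format("%s file  is not data", path));
        }

        JSONArray whitelistEntries = aclConf.getJSONArray("globalWhiteRemoteAddresses");
        if (whitelistEntries != null && !whitelistEntries.isEmpty()) {
            for (int i = 0; i < whitelistEntries.size(); i++) {
                globalWhitelist.add(this.remoteAddressStrategyFactory.getRemoteAddressStrategy(whitelistEntries.getString(i)));
            }
        }

        JSONArray accountEntries = aclConf.getJSONArray("accounts");
        if (accountEntries != null && !accountEntries.isEmpty()) {
            for (PlainAccessConfig config : accountEntries.toJavaList(PlainAccessConfig.class)) {
                PlainAccessResource resource = buildPlainAccessResource(config);
                accounts.put(resource.getAccessKey(), resource);
            }
        }

        // Log sizes only. The earlier log call passed the whole parsed document, secret keys
        // included, as its argument; that content does not belong in a log sink.
        log.info("Broker plain acl conf loaded: {} account(s), {} global white remote address(es)",
            accounts.size(), globalWhitelist.size());

        this.globalWhiteRemoteAddressStrategy = globalWhitelist;
        this.plainAccessResourceMap = accounts;
    }

    /**
     * Starts a {@link FileWatchService} that reloads the ACL file when it changes.
     * A failure to start is logged and leaves {@link #isWatchStart()} false; in that state
     * edits to the file (for example a revoked key) take effect only on an explicit load().
     */
    private void watch() {
        try {
            // Watch exactly the path load() reads. Concatenating home and file name without a
            // separator would watch a different path whenever the file name is relative.
            String watchFilePath = aclFilePath();
            FileWatchService watcher = new FileWatchService(new String[]{watchFilePath}, new FileWatchService.Listener() {
                @Override
                public void onChanged(String str) {
                    log.info("The plain acl yml changed, reload the context");
                    PlainPermissionLoader.this.load();
                }
            });
            watcher.start();
            log.info("Succeed to start AclWatcherService");
            this.isWatchStart = true;
        } catch (Exception e) {
            log.error("Failed to start AclWatcherService", e);
        }
    }

    /**
     * Checks that the permissions a request needs are covered by what the account owns.
     *
     * @param plainAccessResource  the request: its request code and needed resource permissions
     * @param plainAccessResource2 the account configuration the request is checked against
     * @throws AclException if admin rights are needed but missing, or a needed resource
     *                      permission is not granted explicitly or by the matching default
     */
    void checkPerm(PlainAccessResource plainAccessResource, PlainAccessResource plainAccessResource2) {
        PlainAccessResource needed = plainAccessResource;
        PlainAccessResource owned = plainAccessResource2;

        if (Permission.needAdminPerm(Integer.valueOf(needed.getRequestCode())) && !owned.isAdmin()) {
            throw new AclException(String.format("Need admin permission for request code=%d, but accessKey=%s is not", Integer.valueOf(needed.getRequestCode()), owned.getAccessKey()));
        }

        Map<String, Byte> neededPerms = needed.getResourcePermMap();
        Map<String, Byte> ownedPerms = owned.getResourcePermMap();
        if (neededPerms == null) {
            // The request touches no resources, so there is nothing further to check.
            return;
        }
        if (ownedPerms == null && owned.isAdmin()) {
            // An admin account with no per-resource entries is allowed everything.
            return;
        }

        for (Map.Entry<String, Byte> entry : neededPerms.entrySet()) {
            String resource = entry.getKey();
            Byte neededPerm = entry.getValue();
            boolean isRetryTopic = PlainAccessResource.isRetryTopic(resource);
            boolean hasExplicitEntry = ownedPerms != null && ownedPerms.containsKey(resource);
            if (!hasExplicitEntry) {
                // No explicit entry: fall back to the account default, using the group
                // default for retry topics and the topic default otherwise.
                if (!Permission.checkPermission(neededPerm.byteValue(), isRetryTopic ? owned.getDefaultGroupPerm() : owned.getDefaultTopicPerm())) {
                    throw new AclException(String.format("No default permission for %s", PlainAccessResource.printStr(resource, isRetryTopic)));
                }
            } else if (!Permission.checkPermission(neededPerm.byteValue(), ownedPerms.get(resource).byteValue())) {
                throw new AclException(String.format("No default permission for %s", PlainAccessResource.printStr(resource, isRetryTopic)));
            }
        }
    }

    /** Empties the currently loaded account table and global whitelist in place. */
    void clearPermissionInfo() {
        this.plainAccessResourceMap.clear();
        this.globalWhiteRemoteAddressStrategy.clear();
    }

    /**
     * Converts one parsed account entry into its runtime {@link PlainAccessResource}.
     *
     * @param plainAccessConfig the account entry from the ACL file
     * @return the resource with parsed permissions and its remote-address strategy set
     * @throws AclException if either key is null or not longer than 6 characters
     */
    public PlainAccessResource buildPlainAccessResource(PlainAccessConfig plainAccessConfig) throws AclException {
        String accessKey = plainAccessConfig.getAccessKey();
        String secretKey = plainAccessConfig.getSecretKey();
        if (accessKey == null || secretKey == null || accessKey.length() <= 6 || secretKey.length() <= 6) {
            // The secret key is deliberately left out of the message: exception text ends up
            // in logs and error responses.
            throw new AclException(String.format("The accessKey=%s and secretKey cannot be null and length should longer than 6", accessKey));
        }

        PlainAccessResource resource = new PlainAccessResource();
        resource.setAccessKey(accessKey);
        resource.setSecretKey(secretKey);
        resource.setWhiteRemoteAddress(plainAccessConfig.getWhiteRemoteAddress());
        resource.setAdmin(plainAccessConfig.isAdmin());
        resource.setDefaultGroupPerm(Permission.parsePermFromString(plainAccessConfig.getDefaultGroupPerm()));
        resource.setDefaultTopicPerm(Permission.parsePermFromString(plainAccessConfig.getDefaultTopicPerm()));
        Permission.parseResourcePerms(resource, false, plainAccessConfig.getGroupPerms());
        Permission.parseResourcePerms(resource, true, plainAccessConfig.getTopicPerms());
        resource.setRemoteAddressStrategy(this.remoteAddressStrategyFactory.getRemoteAddressStrategy(resource.getWhiteRemoteAddress()));
        return resource;
    }

    /**
     * Authenticates and authorises a request against the loaded ACL.
     *
     * <p>Order of checks: global whitelist, account lookup, per-account whitelist, signature,
     * then {@link #checkPerm}. A whitelist match (global or per-account) returns at once, so
     * for such requests neither the signature nor the resource permissions are checked. The
     * strategies presumably match on the request's remote address; keep whitelist entries
     * narrow, since they stand in for every other control here.
     *
     * @param plainAccessResource the request to validate
     * @throws AclException if the access key is missing or unknown, the signature does not
     *                      verify, or a needed permission is not granted
     */
    public void validate(PlainAccessResource plainAccessResource) {
        // Take one snapshot of each table so a concurrent reload cannot swap them mid-check.
        List<RemoteAddressStrategy> globalWhitelist = this.globalWhiteRemoteAddressStrategy;
        Map<String, PlainAccessResource> accounts = this.plainAccessResourceMap;

        for (RemoteAddressStrategy strategy : globalWhitelist) {
            if (strategy.match(plainAccessResource)) {
                return;
            }
        }

        String accessKey = plainAccessResource.getAccessKey();
        if (accessKey == null) {
            throw new AclException("No accessKey is configured");
        }

        // Single lookup: a containsKey() followed by get() on the field could see two
        // different maps across a reload and dereference null.
        PlainAccessResource owned = accounts.get(accessKey);
        if (owned == null) {
            throw new AclException(String.format("No acl config for %s", accessKey));
        }
        if (owned.getRemoteAddressStrategy().match(plainAccessResource)) {
            return;
        }

        String expected = AclUtils.calSignature(plainAccessResource.getContent(), owned.getSecretKey());
        String presented = plainAccessResource.getSignature();
        // Compare in constant time; String.equals stops at the first differing character,
        // which leaks how much of a guessed signature was correct. A missing signature on
        // either side is a failed check.
        boolean signatureOk = expected != null
            && presented != null
            && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
        if (!signatureOk) {
            throw new AclException(String.format("Check signature failed for accessKey=%s", accessKey));
        }

        checkPerm(plainAccessResource, owned);
    }

    /** Returns whether the ACL file watcher was started successfully by the constructor. */
    public boolean isWatchStart() {
        return this.isWatchStart;
    }
}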
