package org.apache.hadoop.hdfs.nodelabel;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.UserGroupInformation;

/* loaded from: input_file:org/apache/hadoop/hdfs/nodelabel/NodeLabelAclChecker.class */
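/**
 * Enforces per-label access control lists for HDFS node labels.
 *
 * <p>The policy implemented here is default-allow: when no ACL is configured at all, or when a
 * particular label has no ACL entry, the label is accessible to every user. Because an empty ACL
 * map switches enforcement off entirely, the map must never be emptied as a side effect of a
 * failed reload (see {@link #loadLabelsAclFromFile(Configuration, Set)}).
 *
 * <p>NOTE(review): nothing in this class synchronizes access to the ACL map. If reloads can run
 * on a different thread from the checks, the field probably needs to be {@code volatile};
 * confirm against the callers.
 */
public class NodeLabelAclChecker {
    // NOTE(review): the logger is registered under NodeLabelManager rather than this class, so
    // ACL messages are attributed to the manager's log category. Kept as-is because log
    // configuration may depend on it; confirm whether that is intentional.
    private static final Log LOG = LogFactory.getLog(NodeLabelManager.class);

    /** Label name to its ACL. Replaced wholesale on reload, never mutated in place. */
    private Map<String, LabelAcl> labelToLabelAcl = new HashMap<String, LabelAcl>();
    private final Groups groupService;
    /** Short user name of the process owner; treated as the file-system superuser. */
    private final String fsOwner;
    /** Name of the configured superuser group. */
    private final String supergroup;
    /** When {@code true}, superusers are subject to label ACLs like everyone else. */
    private final boolean superUserAclCheckEnable;

    /**
     * Loads the label ACLs and captures the superuser identity used for the ACL bypass.
     *
     * @param configuration source of the ACL definitions, the superuser group name and the
     *        superuser-check switch
     * @param set labels known to the cluster; used only to warn about ACL entries that refer to
     *        other labels
     * @throws IOException if the ACLs cannot be parsed or the current user cannot be determined
     */
    public NodeLabelAclChecker(Configuration configuration, Set<String> set) throws IOException {
        loadLabelsAclFromFile(configuration, set);
        this.groupService = Groups.getUserToGroupsMappingService(configuration);
        this.supergroup = configuration.get(
                DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY,
                DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT);
        this.fsOwner = UserGroupInformation.getCurrentUser().getShortUserName();
        // Superusers bypass label ACLs unless this switch is turned on (default: off).
        this.superUserAclCheckEnable = configuration.getBoolean(
                DFSConfigKeys.DFS_NODELABEL_ACL_CHECK_SUPERUSER_ENABLE, false);
    }

    /**
     * Verifies that the caller may use every label named in a label expression.
     *
     * <p>The check passes without inspecting the expression when no ACL is configured, or when
     * the caller is the file-system owner or a member of the superuser group and the superuser
     * check is disabled. Labels without an ACL entry are accessible to everyone.
     *
     * @param str the label expression to check
     * @param userGroupInformation identity of the caller; both its short user name and its group
     *        names are consulted
     * @throws InvalidLabelExpressionException declared for the expression parsing done here
     * @throws AccessControlException if the expression names a label whose ACL admits neither
     *         the user nor any of the user's groups
     */
    public void checkLabelAcl(String str, UserGroupInformation userGroupInformation) throws InvalidLabelExpressionException, AccessControlException {
        // Work on one snapshot so a concurrent reload cannot change the map between the
        // emptiness test and the per-label lookups.
        final Map<String, LabelAcl> acls = this.labelToLabelAcl;
        if (acls.isEmpty()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No label ACL configured. All labels are accessible.");
            }
            return;
        }
        final String shortUserName = userGroupInformation.getShortUserName();
        final List<String> groups = Arrays.asList(userGroupInformation.getGroupNames());
        // Superuser bypass: the owner and supergroup members skip the ACLs unless the
        // superuser check has been enabled explicitly.
        if (!this.superUserAclCheckEnable
                && (this.fsOwner.equals(shortUserName) || groups.contains(this.supergroup))) {
            return;
        }
        for (ReplicaPolicy policy : new LabelExpression(str).getReplicaPolicies()) {
            for (LabelExpressionElem elem : policy.getOpElemList()) {
                if (!(elem instanceof Label)) {
                    continue;
                }
                final String label = ((Label) elem).getLabel();
                final LabelAcl labelAcl = acls.get(label);
                if (labelAcl == null) {
                    // Default-allow: a label that has no ACL entry is open to every user.
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("ACL is not configured for label " + label + ", any user can access it.");
                    }
                } else if (!labelAcl.checkUserAcl(shortUserName) && !labelAcl.checkGroupAcl(groups)) {
                    throw new AccessControlException("Access is denied for label " + label + ". Please check the list of accessbile label before setting in expression.");
                }
            }
        }
    }

    /**
     * Re-reads the label ACLs and replaces the active set.
     *
     * <p>The new ACLs are parsed and checked before the active map is touched. Clearing the
     * active map first would leave it empty if parsing failed, and an empty map means every
     * label is accessible, so a broken ACL file would silently disable enforcement. With this
     * ordering a failed reload keeps the previously loaded ACLs in force.
     *
     * <p>NOTE(review): the decompiler reports that this method was package-private in the
     * original class; the {@code public} modifier is kept to match the listing.
     *
     * @param configuration source of the ACL definitions
     * @param set labels known to the cluster; ACL entries for other labels only produce a warning
     * @throws IOException if the ACL definitions cannot be parsed
     */
    public void loadLabelsAclFromFile(Configuration configuration, Set<String> set) throws IOException {
        final Map<String, LabelAcl> parsed = NodeLabelAclParser.parse(configuration);
        // Evaluated before publishing, so an unusable parse result fails here and leaves the
        // current ACLs untouched.
        final boolean allLabelsKnown = set.containsAll(parsed.keySet());
        this.labelToLabelAcl = parsed;
        if (!allLabelsKnown) {
            LOG.warn("Some configured labels in ACL file is not belong to any Datanodes");
        }
    }

    /**
     * Lists the ACL-protected labels that the given user may not access.
     *
     * <p>Group membership is resolved through the group mapping service. If that lookup fails,
     * the caller-supplied group is used as the user's only group.
     *
     * <p>NOTE(review): in that fallback the supplied group also takes part in the superuser
     * group test below, so callers should pass a value derived on the server side rather than
     * one taken from the request; confirm against the callers.
     *
     * @param str short user name to evaluate, may be {@code null}
     * @param str2 fallback group name used when the group lookup fails, may be {@code null}
     * @return a new mutable list of restricted label names; empty when no ACL is configured,
     *         when both arguments are {@code null}, or when the superuser bypass applies
     */
    public List<String> getRestrictedLabels(String str, String str2) {
        final Map<String, LabelAcl> acls = this.labelToLabelAcl;
        if (acls.isEmpty()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No label ACL configured. All labels are accessible.");
            }
            return new ArrayList<String>(0);
        }
        if (str == null && str2 == null) {
            return new ArrayList<String>(0);
        }
        List<String> groups;
        try {
            groups = this.groupService.getGroups(str);
        } catch (IOException e) {
            // Keep the cause in the log so a broken group mapping can be diagnosed.
            LOG.warn("Failed to get group list for user " + str + " from group service", e);
            groups = new ArrayList<String>();
            if (str2 != null) {
                groups.add(str2);
            }
        }
        if (!this.superUserAclCheckEnable
                && (this.fsOwner.equals(str) || groups.contains(this.supergroup))) {
            return new ArrayList<String>(0);
        }
        final List<String> restricted = new ArrayList<String>();
        for (Map.Entry<String, LabelAcl> entry : acls.entrySet()) {
            final LabelAcl acl = entry.getValue();
            if (!acl.checkUserAcl(str) && !acl.checkGroupAcl(groups)) {
                restricted.add(entry.getKey());
            }
        }
        return restricted;
    }

    /**
     * Reports whether label ACL enforcement is active.
     *
     * @return {@code true} if at least one label has an ACL configured
     */
    public boolean isAclsEnable() {
        return !this.labelToLabelAcl.isEmpty();
    }
}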
