package org.apache.hudi.org.apache.hadoop.hbase.security.access;

import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.hadoop.conf.Configuration;
import org.apache.hudi.org.apache.hadoop.hbase.AuthUtil;
import org.apache.hudi.org.apache.hadoop.hbase.Cell;
import org.apache.hudi.org.apache.hadoop.hbase.TableName;
import org.apache.hudi.org.apache.hadoop.hbase.exceptions.DeserializationException;
import org.apache.hudi.org.apache.hadoop.hbase.security.Superusers;
import org.apache.hudi.org.apache.hadoop.hbase.security.User;
import org.apache.hudi.org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hudi.org.apache.hadoop.hbase.util.Bytes;
import org.apache.hudi.org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

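/**
 * In-memory cache of ACL grants used to answer authorization questions for a {@link User}.
 *
 * <p>Three caches are kept: global grants keyed by user/group entry, namespace grants keyed by
 * namespace name, and table grants keyed by {@link TableName}. The caches are replaced by the
 * {@code refresh*FromWritable} methods and queried by the {@code authorize*} / {@code access*}
 * methods.
 *
 * <p>Scope of each check, as implemented here:
 * <ul>
 *   <li>{@link #authorizeUserGlobal} accepts superusers, then the user's own global grant, then the
 *       global grant of any of the user's groups.</li>
 *   <li>{@link #authorizeUserNamespace} falls back to the global check first.</li>
 *   <li>{@link #authorizeUserTable} and {@link #accessUserTable} fall back to the namespace (and
 *       therefore global) check first.</li>
 *   <li>{@link #authorizeUserFamily} and {@link #authorizeCell} consult ONLY the table cache /
 *       the cell's own ACL data. They do not look at superuser, global or namespace grants, so a
 *       {@code false} from them is not a complete deny decision on its own.</li>
 * </ul>
 *
 * <p>All checks return {@code false} for a {@code null} user.
 */
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hudi/org/apache/hadoop/hbase/security/access/AuthManager.class */
public final class AuthManager {
    private static final Logger LOG = LoggerFactory.getLogger(AuthManager.class);
    private final Configuration conf;
    // Shared empty caches returned when a namespace/table has no entry. Nothing in this class
    // writes to them; NOTE(review): they are package-visible and non-final, and any put() on them
    // would grant the permission to every namespace/table without an entry.
    PermissionCache<NamespacePermission> NS_NO_PERMISSION = new PermissionCache<>();
    PermissionCache<TablePermission> TBL_NO_PERMISSION = new PermissionCache<>();
    // Key is the user short name or the group entry produced by AuthUtil.toGroupEntry.
    private final Map<String, GlobalPermission> globalCache = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<String, PermissionCache<NamespacePermission>> namespaceCache = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<TableName, PermissionCache<TablePermission>> tableCache = new ConcurrentHashMap<>();
    // Incremented after every cache refresh (not by removeNamespace/removeTable).
    private final AtomicLong mtime = new AtomicLong(0);

    /**
     * Grants of one scope (a namespace or a table), keyed by user short name or group entry.
     *
     * <p>Map mutations are guarded by {@link #lock}. The per-key sets are concurrent sets and are
     * handed out by {@link #get} as live references, so readers iterate them outside the lock.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hudi/org/apache/hadoop/hbase/security/access/AuthManager$PermissionCache.class */
    public static class PermissionCache<T extends Permission> {
        ReentrantReadWriteLock lock;
        private final Map<String, Set<T>> cache;

        private PermissionCache() {
            this.lock = new ReentrantReadWriteLock();
            this.cache = new HashMap<>();
        }

        /**
         * Adds {@code t} to the set of grants stored under {@code str}, creating the set if needed.
         */
        void put(String str, T t) {
            this.lock.writeLock().lock();
            try {
                this.cache.computeIfAbsent(str, key -> ConcurrentHashMap.newKeySet()).add(t);
            } finally {
                this.lock.writeLock().unlock();
            }
        }

        /**
         * Returns the live set of grants stored under {@code str}, or {@code null} if there is none.
         */
        Set<T> get(String str) {
            this.lock.readLock().lock();
            try {
                return this.cache.get(str);
            } finally {
                this.lock.readLock().unlock();
            }
        }

        /**
         * Removes every grant. Each set is emptied before the map is cleared because get() hands out
         * the sets themselves: a reader still holding one then sees it empty rather than keeping a
         * private copy of revoked grants.
         */
        void clear() {
            this.lock.writeLock().lock();
            try {
                for (Set<T> grants : this.cache.values()) {
                    grants.clear();
                }
                this.cache.clear();
            } finally {
                this.lock.writeLock().unlock();
            }
        }
    }

    /**
     * @param configuration passed to {@code PermissionStorage.readPermissions} when refreshing
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthManager(Configuration configuration) {
        this.conf = configuration;
    }

    /**
     * Replaces the cached grants of one table (or the global grants, when {@code tableName} is the
     * ACL global name) with the permissions deserialized from {@code bArr}.
     *
     * <p>A {@code null} or empty {@code bArr} is skipped: the cache is NOT cleared in that case, so
     * previously cached grants stay in effect until a non-empty refresh or {@link #removeTable}.
     *
     * @param tableName table whose grants are refreshed
     * @param bArr serialized permission data
     * @throws IOException wrapping the {@link DeserializationException} if {@code bArr} is malformed
     */
    public void refreshTableCacheFromWritable(TableName tableName, byte[] bArr) throws IOException {
        if (bArr == null || bArr.length <= 0) {
            LOG.info("Skipping permission cache refresh because writable data is empty");
            return;
        }
        try {
            ListMultimap<String, Permission> parsed = PermissionStorage.readPermissions(bArr, this.conf);
            if (parsed == null) {
                return;
            }
            if (Bytes.equals(tableName.getName(), PermissionStorage.ACL_GLOBAL_NAME)) {
                updateGlobalCache(parsed);
            } else {
                updateTableCache(tableName, parsed);
            }
        } catch (DeserializationException e) {
            throw new IOException(e);
        }
    }

    /**
     * Replaces the cached grants of namespace {@code str} with the permissions deserialized from
     * {@code bArr}.
     *
     * <p>A {@code null} or empty {@code bArr} is skipped without clearing the existing entry, so
     * previously cached grants stay in effect until a non-empty refresh or
     * {@link #removeNamespace}.
     *
     * @param str namespace name
     * @param bArr serialized permission data
     * @throws IOException wrapping the {@link DeserializationException} if {@code bArr} is malformed
     */
    public void refreshNamespaceCacheFromWritable(String str, byte[] bArr) throws IOException {
        if (bArr == null || bArr.length <= 0) {
            LOG.debug("Skipping permission cache refresh because writable data is empty");
            return;
        }
        try {
            ListMultimap<String, Permission> parsed = PermissionStorage.readPermissions(bArr, this.conf);
            if (parsed != null) {
                updateNamespaceCache(str, parsed);
            }
        } catch (DeserializationException e) {
            throw new IOException(e);
        }
    }

    /**
     * Rebuilds the global cache from {@code listMultimap}.
     *
     * <p>The cache is cleared and then refilled entry by entry, so a concurrent check can observe a
     * missing grant during the rebuild (it is denied, never wrongly allowed). The cache holds one
     * permission per key: when a key has several permissions the last one put wins.
     */
    private void updateGlobalCache(ListMultimap<String, Permission> listMultimap) {
        this.globalCache.clear();
        for (String entry : listMultimap.keySet()) {
            for (Permission permission : listMultimap.get(entry)) {
                if (permission instanceof TablePermission) {
                    // A table-typed permission is stored as a global permission with the same actions.
                    this.globalCache.put(entry, new GlobalPermission(permission.getActions()));
                } else {
                    // NOTE(review): any other Permission subtype fails this cast after the cache has
                    // already been cleared, leaving it partially filled; confirm the input is
                    // always Global/Table typed.
                    this.globalCache.put(entry, (GlobalPermission) permission);
                }
            }
        }
        this.mtime.incrementAndGet();
    }

    /**
     * Replaces the cached grants of {@code tableName} with {@code listMultimap}.
     *
     * <p>The existing cache object is cleared and refilled in place; the lookup, refill and publish
     * are separate steps. NOTE(review): assumes refreshes of one table are serialized by the
     * caller; confirm.
     */
    private void updateTableCache(TableName tableName, ListMultimap<String, Permission> listMultimap) {
        PermissionCache<TablePermission> target = this.tableCache.getOrDefault(tableName, new PermissionCache<>());
        clearCache(target);
        updateCache(listMultimap, target);
        this.tableCache.put(tableName, target);
        this.mtime.incrementAndGet();
    }

    /**
     * Replaces the cached grants of namespace {@code str} with {@code listMultimap}; same
     * clear-then-refill sequence as {@link #updateTableCache}.
     */
    private void updateNamespaceCache(String str, ListMultimap<String, Permission> listMultimap) {
        PermissionCache<NamespacePermission> target = this.namespaceCache.getOrDefault(str, new PermissionCache<>());
        clearCache(target);
        updateCache(listMultimap, target);
        this.namespaceCache.put(str, target);
        this.mtime.incrementAndGet();
    }

    private void clearCache(PermissionCache<?> permissionCache) {
        permissionCache.clear();
    }

    /**
     * Copies every (key, permission) pair of {@code listMultimap} into {@code permissionCache}.
     *
     * <p>The cache is taken as a raw type, so the element type is not checked here: a permission
     * of the wrong subtype is stored as-is and would only fail when a later check iterates the
     * set with the expected type.
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private void updateCache(ListMultimap<String, ? extends Permission> listMultimap, PermissionCache permissionCache) {
        for (String entry : listMultimap.keySet()) {
            for (Permission permission : listMultimap.get(entry)) {
                permissionCache.put(entry, permission);
            }
        }
    }

    /**
     * Checks whether {@code user} may perform {@code action} globally: superusers are accepted,
     * then the user's own global grant, then the global grant of each of the user's groups.
     *
     * @return {@code false} for a {@code null} user or when no grant implies the action
     */
    public boolean authorizeUserGlobal(User user, Permission.Action action) {
        if (user == null) {
            return false;
        }
        if (Superusers.isSuperUser(user)) {
            return true;
        }
        if (authorizeGlobal(this.globalCache.get(user.getShortName()), action)) {
            return true;
        }
        for (String group : user.getGroupNames()) {
            if (authorizeGlobal(this.globalCache.get(AuthUtil.toGroupEntry(group)), action)) {
                return true;
            }
        }
        return false;
    }

    private boolean authorizeGlobal(GlobalPermission globalPermission, Permission.Action action) {
        return globalPermission != null && globalPermission.implies(action);
    }

    /**
     * Checks whether {@code user} may perform {@code action} on namespace {@code str}, either
     * through a global grant or through a user/group grant cached for that namespace.
     *
     * @return {@code false} for a {@code null} user or when no grant implies the action
     */
    public boolean authorizeUserNamespace(User user, String str, Permission.Action action) {
        if (user == null) {
            return false;
        }
        if (authorizeUserGlobal(user, action)) {
            return true;
        }
        PermissionCache<NamespacePermission> nsGrants = this.namespaceCache.getOrDefault(str, this.NS_NO_PERMISSION);
        if (authorizeNamespace(nsGrants.get(user.getShortName()), str, action)) {
            return true;
        }
        for (String group : user.getGroupNames()) {
            if (authorizeNamespace(nsGrants.get(AuthUtil.toGroupEntry(group)), str, action)) {
                return true;
            }
        }
        return false;
    }

    private boolean authorizeNamespace(Set<NamespacePermission> set, String str, Permission.Action action) {
        if (set == null) {
            return false;
        }
        for (NamespacePermission grant : set) {
            if (grant.implies(str, action)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether {@code user} holds any table-level grant implying {@code action} on
     * {@code tableName}, after the namespace (and global) checks. A {@code null} table name is
     * treated as the ACL table.
     *
     * @return {@code false} for a {@code null} user or when no grant implies the action
     */
    public boolean accessUserTable(User user, TableName tableName, Permission.Action action) {
        if (user == null) {
            return false;
        }
        if (tableName == null) {
            tableName = PermissionStorage.ACL_TABLE_NAME;
        }
        if (authorizeUserNamespace(user, tableName.getNamespaceAsString(), action)) {
            return true;
        }
        PermissionCache<TablePermission> tableGrants = this.tableCache.getOrDefault(tableName, this.TBL_NO_PERMISSION);
        if (hasAccessTable(tableGrants.get(user.getShortName()), action)) {
            return true;
        }
        for (String group : user.getGroupNames()) {
            if (hasAccessTable(tableGrants.get(AuthUtil.toGroupEntry(group)), action)) {
                return true;
            }
        }
        return false;
    }

    private boolean hasAccessTable(Set<TablePermission> set, Permission.Action action) {
        if (set == null) {
            return false;
        }
        for (TablePermission grant : set) {
            if (grant.implies(action)) {
                return true;
            }
        }
        return false;
    }

    /** Same as the five-argument overload with both byte-array arguments {@code null}. */
    public boolean authorizeUserTable(User user, TableName tableName, Permission.Action action) {
        return authorizeUserTable(user, tableName, null, null, action);
    }

    /** Same as the five-argument overload with the second byte-array argument {@code null}. */
    public boolean authorizeUserTable(User user, TableName tableName, byte[] bArr, Permission.Action action) {
        return authorizeUserTable(user, tableName, bArr, null, action);
    }

    /**
     * Checks whether {@code user} may perform {@code action} on {@code tableName}, narrowed by
     * {@code bArr} and {@code bArr2}, which are passed unchanged to
     * {@code TablePermission.implies(tableName, bArr, bArr2, action)} (presumably column family
     * and qualifier; confirm against TablePermission). Namespace and global grants are checked
     * first. A {@code null} table name is treated as the ACL table.
     *
     * @return {@code false} for a {@code null} user or when no grant implies the action
     */
    public boolean authorizeUserTable(User user, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action action) {
        if (user == null) {
            return false;
        }
        if (tableName == null) {
            tableName = PermissionStorage.ACL_TABLE_NAME;
        }
        if (authorizeUserNamespace(user, tableName.getNamespaceAsString(), action)) {
            return true;
        }
        PermissionCache<TablePermission> tableGrants = this.tableCache.getOrDefault(tableName, this.TBL_NO_PERMISSION);
        if (authorizeTable(tableGrants.get(user.getShortName()), tableName, bArr, bArr2, action)) {
            return true;
        }
        for (String group : user.getGroupNames()) {
            if (authorizeTable(tableGrants.get(AuthUtil.toGroupEntry(group)), tableName, bArr, bArr2, action)) {
                return true;
            }
        }
        return false;
    }

    private boolean authorizeTable(Set<TablePermission> set, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action action) {
        if (set == null) {
            return false;
        }
        for (TablePermission grant : set) {
            if (grant.implies(tableName, bArr, bArr2, action)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the table cache only: whether a user/group grant on {@code tableName} implies
     * {@code action} for {@code bArr} (passed to {@code TablePermission.implies(tableName, bArr,
     * action)}; presumably the column family).
     *
     * <p>Unlike {@link #authorizeUserTable}, this method does not consult superuser, global or
     * namespace grants and does not default a {@code null} table name (the concurrent map rejects
     * a {@code null} key).
     *
     * @return {@code false} for a {@code null} user or when no table grant implies the action
     */
    public boolean authorizeUserFamily(User user, TableName tableName, byte[] bArr, Permission.Action action) {
        // Deny instead of throwing on user.getShortName(), matching the other authorize* methods.
        if (user == null) {
            return false;
        }
        PermissionCache<TablePermission> tableGrants = this.tableCache.getOrDefault(tableName, this.TBL_NO_PERMISSION);
        if (authorizeFamily(tableGrants.get(user.getShortName()), tableName, bArr, action)) {
            return true;
        }
        for (String group : user.getGroupNames()) {
            if (authorizeFamily(tableGrants.get(AuthUtil.toGroupEntry(group)), tableName, bArr, action)) {
                return true;
            }
        }
        return false;
    }

    private boolean authorizeFamily(Set<TablePermission> set, TableName tableName, byte[] bArr, Permission.Action action) {
        if (set == null) {
            return false;
        }
        for (TablePermission grant : set) {
            if (grant.implies(tableName, bArr, action)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether the permissions that {@code PermissionStorage.getCellPermissionsForUser}
     * extracts from {@code cell} for {@code user} imply {@code action}. The caches of this class
     * are not consulted; {@code tableName} is used for trace logging only.
     *
     * @return {@code false} for a {@code null} user, when no cell permission implies the action,
     *     or when the cell's ACL data cannot be read (the failure is logged and treated as a deny)
     */
    public boolean authorizeCell(User user, TableName tableName, Cell cell, Permission.Action action) {
        // Deny instead of throwing on user.getShortName(), matching the other authorize* methods.
        if (user == null) {
            return false;
        }
        try {
            List<Permission> cellPerms = PermissionStorage.getCellPermissionsForUser(user, cell);
            if (LOG.isTraceEnabled()) {
                LOG.trace("Perms for user {} in table {} in cell {}: {}",
                    user.getShortName(), tableName, cell, cellPerms != null ? cellPerms : "");
            }
            if (cellPerms != null) {
                for (Permission grant : cellPerms) {
                    if (grant.implies(action)) {
                        return true;
                    }
                }
            }
            return false;
        } catch (IOException e) {
            // Fail closed, but keep the cause so an unreadable ACL tag can be investigated.
            LOG.error("Failed parse of ACL tag in cell " + cell, e);
            return false;
        }
    }

    /**
     * Drops the cached grants of the namespace named by {@code bArr}. Does not change
     * {@link #getMTime()}.
     */
    public void removeNamespace(byte[] bArr) {
        this.namespaceCache.remove(Bytes.toString(bArr));
    }

    /**
     * Drops the cached grants of {@code tableName}. Does not change {@link #getMTime()}.
     */
    public void removeTable(TableName tableName) {
        this.tableCache.remove(tableName);
    }

    /**
     * Returns the number of cache refreshes applied so far (global, namespace and table refreshes
     * each add one).
     */
    public long getMTime() {
        return this.mtime.get();
    }
}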
