package org.apache.hadoop.hbase.security.access;

import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.DoNotRetryIOException;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.RegionInfo;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.LogUtil;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.visibility.VisibilityConstants;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.zookeeper.ZKWatcher;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hbase.thirdparty.com.google.common.collect.ImmutableSet;
import org.apache.yetus.audience.InterfaceAudience;
import org.apache.yetus.audience.InterfaceStability;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

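/**
 * Authorization checks shared by the access-control coprocessors.
 *
 * <p>Every {@code require*} method evaluates the request against the {@link AuthManager},
 * writes the decision to the audit logger and throws {@link AccessDeniedException} when the
 * caller lacks the permission. When authorization is disabled in the configuration
 * ({@link #isAuthorizationSupported}) the checks are no-ops and {@link #hasUserPermission}
 * answers {@code true}.
 *
 * <p>Checks that take a list of actions succeed as soon as one action is granted; a call with
 * no actions at all is treated as a denial (fail closed) rather than silently passing.
 */
@InterfaceAudience.LimitedPrivate({HBaseInterfaceAudience.COPROC})
@InterfaceStability.Evolving
/* loaded from: input_file:org/apache/hadoop/hbase/security/access/AccessChecker.class */
public class AccessChecker {
    private static final Logger LOG = LoggerFactory.getLogger(AccessChecker.class);
    /** Audit trail of allow/deny decisions, written to a dedicated "SecurityLogger" logger. */
    private static final Logger AUDITLOG = LoggerFactory.getLogger("SecurityLogger." + AccessChecker.class.getName());
    /** Extra audit parameter naming the user a permission query was filtered on. */
    private static final String FILTER_USER_PARAM = "filterUser";
    private final AuthManager authManager;
    // Shared across instances; assigned once by the first constructor that runs (see initGroupService).
    private static Groups groupService;
    private final boolean authorizationEnabled;

    /**
     * A {@link User} built from a principal name and an explicit group list, used when a
     * permission query is evaluated on behalf of a user other than the RPC caller.
     * Only name/group accessors are implemented; {@code runAs} is unsupported.
     */
    /* loaded from: input_file:org/apache/hadoop/hbase/security/access/AccessChecker$InputUser.class */
    public static class InputUser extends User {
        private final String name;
        private final String[] groups;
        // Lazily derived from name; computed at most once per instance (not synchronized).
        private String shortName;

        /**
         * @param name full principal name
         * @param groups group names to report from {@link #getGroupNames()}; stored as given
         */
        public InputUser(String name, String[] groups) {
            this.name = name;
            this.groups = groups;
        }

        /**
         * Returns the Kerberos short name derived from the principal.
         *
         * @throws IllegalArgumentException if the principal cannot be parsed
         */
        @Override // org.apache.hadoop.hbase.security.User
        public String getShortName() {
            if (shortName == null) {
                try {
                    shortName = new HadoopKerberosName(name).getShortName();
                } catch (IOException e) {
                    throw new IllegalArgumentException("Illegal principal name " + name + ": " + e.toString(), e);
                }
            }
            return shortName;
        }

        @Override // org.apache.hadoop.hbase.security.User
        public String getName() {
            return name;
        }

        @Override // org.apache.hadoop.hbase.security.User
        public String[] getGroupNames() {
            return groups;
        }

        /** Unsupported: this user carries no credentials to run as. */
        @Override // org.apache.hadoop.hbase.security.User
        public <T> T runAs(PrivilegedAction<T> action) {
            throw new UnsupportedOperationException("Method not supported, this class has limited implementation");
        }

        /** Unsupported: this user carries no credentials to run as. */
        @Override // org.apache.hadoop.hbase.security.User
        public <T> T runAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException {
            throw new UnsupportedOperationException("Method not supported, this class has limited implementation");
        }

        @Override // org.apache.hadoop.hbase.security.User
        public String toString() {
            return name;
        }
    }

    /**
     * @return whether authorization is switched on in {@code configuration}
     *         (key {@link User#HBASE_SECURITY_AUTHORIZATION_CONF_KEY}, default {@code false})
     */
    public static boolean isAuthorizationSupported(Configuration configuration) {
        return configuration.getBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, false);
    }

    /**
     * Creates a checker backed by the shared {@link AuthManager} for {@code zKWatcher}.
     *
     * @throws NullPointerException if {@code zKWatcher} is null
     * @throws RuntimeException wrapping any {@link IOException} from AuthManager initialization
     */
    public AccessChecker(Configuration configuration, ZKWatcher zKWatcher) throws RuntimeException {
        if (zKWatcher == null) {
            throw new NullPointerException("Error obtaining AccessChecker, zk found null.");
        }
        try {
            this.authManager = AuthManager.getOrCreate(zKWatcher, configuration);
            this.authorizationEnabled = isAuthorizationSupported(configuration);
            initGroupService(configuration);
        } catch (IOException e) {
            throw new RuntimeException("Error obtaining AccessChecker", e);
        }
    }

    /** Releases this checker's reference to the shared {@link AuthManager}. */
    public void stop() {
        AuthManager.release(authManager);
    }

    public AuthManager getAuthManager() {
        return authManager;
    }

    /**
     * Audits {@code result} and throws if it is a denial.
     *
     * @throws AccessDeniedException when {@code result} is not allowed
     */
    private static void logAndEnforce(AuthResult result) throws AccessDeniedException {
        logResult(result);
        if (!result.isAllowed()) {
            throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
        }
    }

    /** Message used by the global-permission checks; tolerates a null user. */
    private static String globalDeniedMessage(User user, Permission.Action action) {
        return "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null")
            + "' (global, action=" + action.toString() + VisibilityConstants.CLOSED_PARAN;
    }

    /**
     * Requires that {@code user} can access {@code tableName} with at least one of
     * {@code permissions} (table-level access check, no family/qualifier scope).
     *
     * @param request request name recorded in the audit log
     * @throws AccessDeniedException if no listed action is granted, or none was requested
     */
    public void requireAccess(User user, String request, TableName tableName, Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : permissions) {
            if (authManager.accessUserTable(user, tableName, permission)) {
                result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, null, null);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, null, null);
        }
        if (result == null) {
            // Fail closed: nothing was requested, so nothing can have been granted.
            result = AuthResult.deny(request, "No action requested", user, (Permission.Action) null, tableName, null, null);
        }
        logAndEnforce(result);
    }

    /**
     * Requires a global permission; shorthand for
     * {@link #requireGlobalPermission(User, String, Permission.Action, TableName, Map, String)}
     * with no table scope.
     */
    public void requirePermission(User user, String request, String filterUser, Permission.Action action) throws IOException {
        requireGlobalPermission(user, request, action, null, null, filterUser);
    }

    /**
     * Requires that {@code user} holds {@code perm} globally; the table and family map are only
     * recorded in the audit context, they do not narrow the check.
     *
     * @param filterUser recorded as the {@code filterUser} audit parameter
     * @throws AccessDeniedException if the global check fails
     */
    public void requireGlobalPermission(User user, String request, Permission.Action perm, TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, String filterUser) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result;
        if (authManager.authorizeUserGlobal(user, perm)) {
            result = AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap);
        } else {
            result = AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap);
        }
        result.getParams().setTableName(tableName).setFamilies(familyMap);
        result.getParams().addExtraParam(FILTER_USER_PARAM, filterUser);
        logResult(result);
        if (!result.isAllowed()) {
            throw new AccessDeniedException(globalDeniedMessage(user, perm));
        }
    }

    /**
     * Requires that {@code user} holds {@code perm} globally; {@code namespace} is only
     * recorded in the audit context.
     *
     * @throws AccessDeniedException if the global check fails
     */
    public void requireGlobalPermission(User user, String request, Permission.Action perm, String namespace) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result;
        if (authManager.authorizeUserGlobal(user, perm)) {
            result = AuthResult.allow(request, "Global check allowed", user, perm, null);
        } else {
            result = AuthResult.deny(request, "Global check failed", user, perm, null);
        }
        result.getParams().setNamespace(namespace);
        logResult(result);
        if (!result.isAllowed()) {
            throw new AccessDeniedException(globalDeniedMessage(user, perm));
        }
    }

    /**
     * Requires that {@code user} holds {@code perm} globally and records one extra
     * {@code paramKey=paramValue} pair in the audit context.
     *
     * @throws AccessDeniedException if the global check fails
     */
    public void requireGlobalPermission(User user, String request, Permission.Action perm, String paramKey, String paramValue) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result;
        if (authManager.authorizeUserGlobal(user, perm)) {
            result = AuthResult.allow(request, "Global check allowed", user, perm, null, null);
        } else {
            result = AuthResult.deny(request, "Global check failed", user, perm, null, null);
        }
        result.getParams().addExtraParam(paramKey, paramValue);
        logResult(result);
        if (!result.isAllowed()) {
            throw new AccessDeniedException(globalDeniedMessage(user, perm));
        }
    }

    /**
     * Requires that {@code user} holds at least one of {@code permissions} on {@code namespace}.
     *
     * @param filterUser recorded as the {@code filterUser} audit parameter
     * @throws AccessDeniedException if no listed action is granted, or none was requested
     */
    public void requireNamespacePermission(User user, String request, String namespace, String filterUser, Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : permissions) {
            if (authManager.authorizeUserNamespace(user, namespace, permission)) {
                result = AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
        }
        if (result == null) {
            // Fail closed: nothing was requested, so nothing can have been granted.
            result = AuthResult.deny(request, "No action requested", user, (Permission.Action) null, namespace);
        }
        result.getParams().addExtraParam(FILTER_USER_PARAM, filterUser);
        logAndEnforce(result);
    }

    /**
     * Requires that {@code user} holds at least one of {@code permissions} on {@code namespace};
     * the table and family map are recorded in the audit context only.
     *
     * @throws AccessDeniedException if no listed action is granted, or none was requested
     */
    public void requireNamespacePermission(User user, String request, String namespace, TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap, Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : permissions) {
            if (authManager.authorizeUserNamespace(user, namespace, permission)) {
                result = AuthResult.allow(request, "Namespace permission granted", user, permission, namespace);
                result.getParams().setTableName(tableName).setFamilies(familyMap);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
            result.getParams().setTableName(tableName).setFamilies(familyMap);
        }
        if (result == null) {
            // Fail closed: nothing was requested, so nothing can have been granted.
            result = AuthResult.deny(request, "No action requested", user, (Permission.Action) null, namespace);
            result.getParams().setTableName(tableName).setFamilies(familyMap);
        }
        logAndEnforce(result);
    }

    /**
     * Requires that {@code user} holds at least one of {@code permissions} on the given
     * table/family/qualifier scope (family and qualifier may be null for a wider scope).
     *
     * @param filterUser recorded as the {@code filterUser} audit parameter
     * @throws AccessDeniedException if no listed action is granted, or none was requested
     */
    public void requirePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, String filterUser, Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : permissions) {
            if (authManager.authorizeUserTable(user, tableName, family, qualifier, permission)) {
                result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, family, qualifier);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, family, qualifier);
        }
        if (result == null) {
            // Fail closed: nothing was requested, so nothing can have been granted.
            result = AuthResult.deny(request, "No action requested", user, (Permission.Action) null, tableName, family, qualifier);
        }
        result.getParams().addExtraParam(FILTER_USER_PARAM, filterUser);
        logAndEnforce(result);
    }

    /**
     * Requires that {@code user} holds at least one of {@code permissions} at table level;
     * family and qualifier are recorded in the audit context but do not narrow the check.
     *
     * @throws AccessDeniedException if no listed action is granted, or none was requested
     */
    public void requireTablePermission(User user, String request, TableName tableName, byte[] family, byte[] qualifier, Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : permissions) {
            if (authManager.authorizeUserTable(user, tableName, permission)) {
                result = AuthResult.allow(request, "Table permission granted", user, permission, tableName, null, null);
                result.getParams().setFamily(family).setQualifier(qualifier);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, tableName, family, qualifier);
            result.getParams().setFamily(family).setQualifier(qualifier);
        }
        if (result == null) {
            // Fail closed: nothing was requested, so nothing can have been granted.
            result = AuthResult.deny(request, "No action requested", user, (Permission.Action) null, tableName, family, qualifier);
            result.getParams().setFamily(family).setQualifier(qualifier);
        }
        logAndEnforce(result);
    }

    /**
     * Rejects grant/revoke operations that target a superuser or a supergroup.
     *
     * <p>{@code userToBeChecked} is tested directly and, when it is a user rather than a group
     * principal, each of its groups is tested too.
     *
     * @param request request name recorded in the audit log
     * @param caller the user performing the operation (audited on denial)
     * @param userToBeChecked the user or group principal whose permissions would change
     * @throws AccessDeniedException if any tested principal is a superuser/supergroup
     */
    public void performOnSuperuser(String request, User caller, String userToBeChecked) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        List<String> principals = new ArrayList<>();
        principals.add(userToBeChecked);
        if (!AuthUtil.isGroupPrincipal(userToBeChecked)) {
            // NOTE(review): getUserGroups returns an empty list when the lookup fails, so a
            // group-lookup error means supergroup membership is not checked here — confirm
            // that this best-effort behaviour is acceptable for grant/revoke.
            for (String group : getUserGroups(userToBeChecked)) {
                principals.add(AuthUtil.toGroupEntry(group));
            }
        }
        for (String principal : principals) {
            if (Superusers.isSuperUser(principal)) {
                AuthResult result = AuthResult.deny(request, "Granting or revoking superusers's or supergroups's permissions is not allowed", caller, Permission.Action.ADMIN, NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR);
                logResult(result);
                throw new AccessDeniedException(result.getReason());
            }
        }
    }

    /**
     * Requires ADMIN or CREATE on the lock target: the namespace when one is given, otherwise
     * the table, otherwise the table of the first region.
     *
     * @throws DoNotRetryIOException if neither namespace, table nor regions identify a target
     * @throws AccessDeniedException if the permission check fails
     */
    public void checkLockPermissions(User user, String namespace, TableName tableName, RegionInfo[] regionInfos, String reason) throws IOException {
        if (namespace != null && !namespace.isEmpty()) {
            requireNamespacePermission(user, reason, namespace, null, Permission.Action.ADMIN, Permission.Action.CREATE);
            return;
        }
        boolean hasRegions = regionInfos != null && regionInfos.length > 0;
        if (tableName == null && !hasRegions) {
            throw new DoNotRetryIOException("Invalid lock level when requesting permissions.");
        }
        TableName target = tableName != null ? tableName : regionInfos[0].getTable();
        requireTablePermission(user, reason, target, null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    /**
     * Writes {@code result} to the audit logger at the level chosen by
     * {@link LogUtil#getRequestLogLevel}, if that level is enabled.
     */
    public static void logResult(AuthResult result) {
        LogUtil.LogLevel level = LogUtil.getRequestLogLevel(result);
        if (!LogUtil.isLogLevelEnabled(AUDITLOG, level)) {
            return;
        }
        String remoteAddress = RpcServer.getRemoteAddress().map(Object::toString).orElse("");
        String shortName = result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN";
        String message = new StringBuilder()
            .append("Access ")
            .append(result.isAllowed() ? "allowed" : "denied")
            .append(" for user ")
            .append(shortName)
            .append("; reason: ").append(result.getReason())
            .append("; remote address: ").append(remoteAddress)
            .append("; request: ").append(result.getRequest())
            .append("; context: ").append(result.toContextString())
            .toString();
        switch (level) {
            case trace:
                AUDITLOG.trace(message);
                break;
            case debug:
                AUDITLOG.debug(message);
                break;
            case info:
                AUDITLOG.info(message);
                break;
            case warn:
                AUDITLOG.warn(message);
                break;
            case error:
                AUDITLOG.error(message);
                break;
            default:
                break;
        }
    }

    /**
     * Resolves the user a {@code hasPermission} query is evaluated for.
     *
     * <p>A caller asking about itself is returned as-is. Asking about another user requires
     * ADMIN on the permission's table scope; the target is then materialised as an
     * {@link InputUser} with its groups resolved through {@link #getUserGroups}.
     *
     * @throws AccessDeniedException if the caller lacks ADMIN on the queried scope
     */
    public User validateCallerWithFilterUser(User caller, TablePermission tPerm, String inputUserName) throws IOException {
        if (caller.getShortName().equals(inputUserName)) {
            logResult(AuthResult.allow("hasPermission", "Self user validation allowed", caller, null, tPerm.getTableName(), tPerm.getFamily(), tPerm.getQualifier()));
            return caller;
        }
        requirePermission(caller, "hasPermission", tPerm.getTableName(), tPerm.getFamily(), tPerm.getQualifier(), inputUserName, Permission.Action.ADMIN);
        List<String> groups = getUserGroups(inputUserName);
        return new InputUser(inputUserName, groups.toArray(new String[0]));
    }

    /**
     * Initialises the process-wide group lookup service on first use; under
     * {@link User.TestingGroups#TEST_CONF} a testing group provider is installed instead.
     */
    private void initGroupService(Configuration configuration) {
        if (groupService != null) {
            return;
        }
        if (configuration.getBoolean(User.TestingGroups.TEST_CONF, false)) {
            UserProvider.setGroups(new User.TestingGroups(UserProvider.getGroups()));
            groupService = UserProvider.getGroups();
        } else {
            groupService = Groups.getUserToGroupsMappingService(configuration);
        }
    }

    /**
     * Resolves the groups of {@code user} through the shared group service.
     *
     * <p>Best effort: a lookup failure is logged and an empty, mutable list is returned, so
     * callers see "no groups" rather than an error. Requires that an {@link AccessChecker}
     * has been constructed, which initialises the service.
     */
    public static List<String> getUserGroups(String user) {
        try {
            return groupService.getGroups(user);
        } catch (IOException e) {
            LOG.error("Error occurred while retrieving group for " + user, e);
            return new ArrayList<>();
        }
    }

    /**
     * Tells whether {@code user} holds every action of {@code permission}, auditing each
     * action individually. Table permissions are checked at table/family/qualifier scope,
     * namespace permissions at namespace scope, anything else globally.
     *
     * @return {@code true} if all actions are granted, or authorization is disabled
     */
    public boolean hasUserPermission(User user, String request, Permission permission) {
        if (!authorizationEnabled) {
            return true;
        }
        if (permission instanceof TablePermission) {
            TablePermission tPerm = (TablePermission) permission;
            for (Permission.Action action : permission.getActions()) {
                AuthResult result = permissionGranted(request, user, action, tPerm.getTableName(), tPerm.getFamily(), tPerm.getQualifier());
                logResult(result);
                if (!result.isAllowed()) {
                    return false;
                }
            }
            return true;
        }
        if (permission instanceof NamespacePermission) {
            NamespacePermission nsPerm = (NamespacePermission) permission;
            for (Permission.Action action : nsPerm.getActions()) {
                AuthResult result = getAuthManager().authorizeUserNamespace(user, nsPerm.getNamespace(), action)
                    ? AuthResult.allow(request, "Namespace action allowed", user, action, null, null)
                    : AuthResult.deny(request, "Namespace action denied", user, action, null, null);
                logResult(result);
                if (!result.isAllowed()) {
                    return false;
                }
            }
            return true;
        }
        for (Permission.Action action : permission.getActions()) {
            AuthResult result = getAuthManager().authorizeUserGlobal(user, action)
                ? AuthResult.allow(request, "Global action allowed", user, action, null, null)
                : AuthResult.deny(request, "Global action denied", user, action, null, null);
            logResult(result);
            if (!result.isAllowed()) {
                return false;
            }
        }
        return true;
    }

    /** Single family/qualifier form of {@link #permissionGranted(String, User, Permission.Action, TableName, Map)}. */
    private AuthResult permissionGranted(String request, User user, Permission.Action action, TableName tableName, byte[] family, byte[] qualifier) {
        return permissionGranted(request, user, action, tableName, makeFamilyMap(family, qualifier));
    }

    /**
     * Evaluates {@code action} for {@code user} on {@code tableName} and the given families.
     *
     * <p>Order of evaluation: authorization disabled → allow; READ on the meta table → allow;
     * no user → deny; table-level grant → allow; otherwise every family must be granted at
     * family level or at every listed qualifier. Qualifiers are given as a {@code Set} of
     * qualifier bytes or a {@code List} of {@link Cell}s; any other collection type is denied,
     * since its qualifiers cannot be checked.
     *
     * @param families map of family to qualifiers; may be null or empty
     * @return the audit-ready decision; never null
     */
    @SuppressWarnings("unchecked")
    public AuthResult permissionGranted(String request, User user, Permission.Action action, TableName tableName, Map<byte[], ? extends Collection<?>> families) {
        if (!authorizationEnabled) {
            return AuthResult.allow(request, "All users allowed because authorization is disabled", user, action, tableName, families);
        }
        if (TableName.META_TABLE_NAME.equals(tableName) && action == Permission.Action.READ) {
            return AuthResult.allow(request, "All users allowed", user, action, tableName, families);
        }
        if (user == null) {
            return AuthResult.deny(request, "No user associated with request!", null, action, tableName, families);
        }
        if (getAuthManager().authorizeUserTable(user, tableName, action)) {
            return AuthResult.allow(request, "Table permission granted", user, action, tableName, families);
        }
        if (families == null || families.isEmpty()) {
            return AuthResult.deny(request, "No families to check and table permission failed", user, action, tableName, families);
        }
        for (Map.Entry<byte[], ? extends Collection<?>> entry : families.entrySet()) {
            byte[] family = entry.getKey();
            if (getAuthManager().authorizeUserTable(user, tableName, family, action)) {
                continue;
            }
            Collection<?> qualifiers = entry.getValue();
            if (qualifiers == null || qualifiers.isEmpty()) {
                return AuthResult.deny(request, "Failed family check", user, action, tableName, makeFamilyMap(family, null));
            }
            if (qualifiers instanceof Set) {
                for (byte[] qualifier : (Set<byte[]>) qualifiers) {
                    if (!getAuthManager().authorizeUserTable(user, tableName, family, qualifier, action)) {
                        return AuthResult.deny(request, "Failed qualifier check", user, action, tableName, makeFamilyMap(family, qualifier));
                    }
                }
            } else if (qualifiers instanceof List) {
                for (Cell cell : (List<Cell>) qualifiers) {
                    byte[] qualifier = CellUtil.cloneQualifier(cell);
                    if (!getAuthManager().authorizeUserTable(user, tableName, family, qualifier, action)) {
                        return AuthResult.deny(request, "Failed qualifier check", user, action, tableName, makeFamilyMap(family, qualifier));
                    }
                }
            } else {
                // Fail closed: the family itself was not granted and the qualifier
                // collection is of a type we cannot inspect.
                return AuthResult.deny(request, "Failed family check; unrecognized qualifier collection type", user, action, tableName, makeFamilyMap(family, null));
            }
        }
        return AuthResult.allow(request, "All family checks passed", user, action, tableName, families);
    }

    /**
     * @return a single-entry family map ({@code family} → {@code {qualifier}}, or → null when
     *         no qualifier is given), or null when {@code family} is null
     */
    private Map<byte[], ? extends Collection<byte[]>> makeFamilyMap(byte[] family, byte[] qualifier) {
        if (family == null) {
            return null;
        }
        Map<byte[], Collection<byte[]>> familyMap = new TreeMap<>(Bytes.BYTES_COMPARATOR);
        familyMap.put(family, qualifier != null ? ImmutableSet.of(qualifier) : null);
        return familyMap;
    }
}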
