package org.apache.ranger.plugin.policyevaluator;

import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.conditionevaluator.RangerAbstractConditionEvaluator;
import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;

/* loaded from: input_file:org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.class */
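/**
 * Decides whether a single policy item applies to an access request.
 *
 * <p>A request matches when (1) the requesting user, one of its groups, one of its roles or
 * resource ownership matches the item, (2) the requested access type is allowed by the item,
 * and (3) every custom condition attached to the item evaluates to {@code true}.
 *
 * <p>The fields {@code policy}, {@code policyItem}, {@code policyId}, {@code serviceDef},
 * {@code options}, {@code policyItemIndex} and {@code conditionEvaluators} are not declared in
 * this class; presumably they are inherited from {@link RangerAbstractPolicyItemEvaluator}
 * (verify against the superclass).
 *
 * <p>Thread-safety: {@link #init()} writes plain (non-volatile) fields that the match methods
 * read. NOTE(review): this looks safe only if {@code init()} completes before the evaluator is
 * shared with other threads. Confirm how the policy engine publishes evaluators.
 */
public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEvaluator {
    private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyItemEvaluator.class);
    private static final Log PERF_POLICYITEM_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policyitem.request");
    private static final Log PERF_POLICYCONDITION_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policycondition.request");

    // True when the item's user list contains RangerPolicyEngine.USER_CURRENT. In that case
    // matchUserGroupAndOwner accepts ANY non-null requesting user. Set by init().
    private boolean hasCurrentUser;

    // True when the item's user list contains RangerPolicyEngine.RESOURCE_OWNER. In that case the
    // requesting user matches if it equals the resource's owner. Set by init().
    private boolean hasResourceOwner;

    /**
     * Creates the evaluator; all arguments are passed unchanged to the superclass.
     *
     * @param rangerServiceDef service definition the policy belongs to
     * @param rangerPolicy policy that contains the item
     * @param rangerPolicyItem policy item to evaluate
     * @param i presumably the policy item type (see {@code getPolicyItemType()}); parameter name
     *     lost in this listing, confirm against the superclass constructor
     * @param i2 presumably the index of the item within the policy (see
     *     {@code getPolicyItemIndex()}); confirm against the superclass constructor
     * @param rangerPolicyEngineOptions policy engine options
     */
    public RangerDefaultPolicyItemEvaluator(RangerServiceDef rangerServiceDef, RangerPolicy rangerPolicy, RangerPolicy.RangerPolicyItem rangerPolicyItem, int i, int i2, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
        super(rangerServiceDef, rangerPolicy, rangerPolicyItem, i, i2, rangerPolicyEngineOptions);
    }

    /**
     * Builds the custom condition evaluators for this item and caches whether the item's user list
     * contains the {@code USER_CURRENT} or {@code RESOURCE_OWNER} entries.
     *
     * <p>NOTE(review): {@code this.policyItem} is dereferenced here without a null check, while the
     * match methods treat a null item as "no match". Confirm that callers never initialise an
     * evaluator with a null item.
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator
    public void init() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyItemEvaluator(policyId=" + this.policyId + ", policyItem=" + this.policyItem + ", serviceType=" + getServiceType() + ", conditionsDisabled=" + getConditionsDisabledOption() + ")");
        }
        this.conditionEvaluators = new RangerCustomConditionEvaluator().getPolicyItemConditionEvaluator(this.policy, this.policyItem, this.serviceDef, this.options, this.policyItemIndex);
        List<String> users = this.policyItem.getUsers();
        this.hasCurrentUser = CollectionUtils.isNotEmpty(users) && users.contains(RangerPolicyEngine.USER_CURRENT);
        this.hasResourceOwner = CollectionUtils.isNotEmpty(users) && users.contains(RangerPolicyEngine.RESOURCE_OWNER);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyItemEvaluator(policyId=" + this.policyId + ", conditionsCount=" + getConditionEvaluators().size() + ")");
        }
    }

    /**
     * Returns whether this policy item applies to the given request.
     *
     * <p>The principal check (user / group / role / owner) always runs first. After that:
     * <ul>
     *   <li>for a delegated-admin request, the result is the item's {@code delegateAdmin} flag;</li>
     *   <li>otherwise the item must contain an allowed access whose type equals the requested
     *       access type (case-insensitive) and all custom conditions must match.</li>
     * </ul>
     *
     * @param rangerAccessRequest the access request; must not be null
     * @return {@code true} if the item matches the request, {@code false} otherwise (including
     *     when the item is null)
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator
    public boolean isMatch(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyItemEvaluator.isMatch(" + rangerAccessRequest + ")");
        }
        boolean matched = false;
        RangerPerfTracer perfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_REQUEST_LOG)) {
            // matchUserGroupAndOwner(RangerAccessRequest) tolerates a request without a resource;
            // do the same here so that enabling perf tracing cannot turn such a request into a
            // NullPointerException.
            RangerAccessResource resource = rangerAccessRequest.getResource();
            perfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_REQUEST_LOG, "RangerPolicyItemEvaluator.isMatch(resource=" + (resource != null ? resource.getAsString() : null) + ")");
        }
        if (this.policyItem != null && matchUserGroupAndOwner(rangerAccessRequest)) {
            if (rangerAccessRequest.isAccessTypeDelegatedAdmin()) {
                // NOTE(review): custom conditions are NOT evaluated on the delegated-admin path.
                // Confirm this is intended for grant/revoke style requests.
                // A null flag is treated as "not granted" instead of failing on unboxing.
                matched = Boolean.TRUE.equals(this.policyItem.getDelegateAdmin());
            } else if (CollectionUtils.isNotEmpty(this.policyItem.getAccesses())) {
                boolean accessTypeAllowed = false;
                for (RangerPolicy.RangerPolicyItemAccess access : this.policyItem.getAccesses()) {
                    // A null isAllowed is treated as "not allowed" instead of failing on unboxing.
                    if (Boolean.TRUE.equals(access.getIsAllowed()) && StringUtils.equalsIgnoreCase(access.getType(), rangerAccessRequest.getAccessType())) {
                        accessTypeAllowed = true;
                        break;
                    }
                }
                // Conditions are only evaluated once principal and access type have matched.
                matched = accessTypeAllowed && matchCustomConditions(rangerAccessRequest);
            }
        }
        RangerPerfTracer.log(perfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyItemEvaluator.isMatch(" + rangerAccessRequest + "): " + matched);
        }
        return matched;
    }

    /**
     * Returns whether the given principal matches this item's users, groups, roles or owner entry.
     * The checks run in that order and stop at the first match.
     *
     * <ul>
     *   <li>User: matches if {@code str} is non-null and either the item lists it by name or the
     *       item contains {@code USER_CURRENT} (which accepts any non-null user).</li>
     *   <li>Groups: matches if {@code set} is non-null and either the item contains
     *       {@code GROUP_PUBLIC} or shares at least one group with {@code set}. Note that
     *       {@code GROUP_PUBLIC} matches an empty (but non-null) group set and does not match a
     *       null one.</li>
     *   <li>Roles: matches if the item and {@code set2} share at least one role.</li>
     *   <li>Owner: matches if the item contains {@code RESOURCE_OWNER} and {@code str} equals
     *       {@code str2} (case-sensitive).</li>
     * </ul>
     *
     * @param str requesting user name; may be null
     * @param set groups of the requesting user; may be null
     * @param set2 roles of the requesting user; may be null or empty
     * @param str2 owner of the accessed resource; may be null
     * @return {@code true} if any of the checks above matches; {@code false} otherwise or when the
     *     item is null
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator
    public boolean matchUserGroupAndOwner(String str, Set<String> set, Set<String> set2, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchUserGroup(" + this.policyItem + ", " + str + ", " + set + ", " + set2 + ", " + str2 + ")");
        }
        boolean matched = false;
        if (this.policyItem != null) {
            if (str != null && this.policyItem.getUsers() != null) {
                matched = this.hasCurrentUser || this.policyItem.getUsers().contains(str);
            }
            if (!matched && set != null && this.policyItem.getGroups() != null) {
                matched = this.policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC) || !Collections.disjoint(this.policyItem.getGroups(), set);
            }
            if (!matched && CollectionUtils.isNotEmpty(set2) && CollectionUtils.isNotEmpty(this.policyItem.getRoles())) {
                matched = !Collections.disjoint(this.policyItem.getRoles(), set2);
            }
            if (!matched && this.hasResourceOwner) {
                matched = str != null && str.equals(str2);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchUserGroup(" + this.policyItem + ", " + str + ", " + set + ", " + set2 + ", " + str2 + "): " + matched);
        }
        return matched;
    }

    /**
     * Extracts user, groups, roles and resource owner from the request and delegates to
     * {@link #matchUserGroupAndOwner(String, Set, Set, String)}.
     *
     * <p>Roles are looked up in the request context only when the item lists at least one role.
     * The caller ({@link #isMatch}) has already checked that {@code policyItem} is not null.
     */
    private boolean matchUserGroupAndOwner(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(" + rangerAccessRequest + ")");
        }
        String user = rangerAccessRequest.getUser();
        Set<String> userGroups = rangerAccessRequest.getUserGroups();
        RangerAccessResource resource = rangerAccessRequest.getResource();
        String ownerUser = resource != null ? resource.getOwnerUser() : null;
        Set<String> roles = null;
        if (CollectionUtils.isNotEmpty(this.policyItem.getRoles())) {
            roles = RangerAccessRequestUtil.getCurrentUserRolesFromContext(rangerAccessRequest.getContext());
        }
        boolean matched = matchUserGroupAndOwner(user, userGroups, roles, ownerUser);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(" + rangerAccessRequest + "): " + matched);
        }
        return matched;
    }

    /**
     * Returns whether this item allows the given access type, without checking the principal or
     * custom conditions.
     *
     * <ul>
     *   <li>{@code ADMIN_ACCESS}: result is the item's {@code delegateAdmin} flag.</li>
     *   <li>{@code ANY_ACCESS}: {@code true} if the item has at least one allowed access.</li>
     *   <li>otherwise: {@code true} if the item has an allowed access of that type
     *       (case-insensitive).</li>
     * </ul>
     *
     * <p>NOTE(review): {@code ADMIN_ACCESS} and {@code ANY_ACCESS} are compared case-sensitively,
     * while ordinary access types are compared case-insensitively. Confirm that callers always
     * pass the engine constants for these two values.
     *
     * @param str access type to test; may be null
     * @return {@code true} if the access type is allowed by this item
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator
    public boolean matchAccessType(String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchAccessType(" + str + ")");
        }
        boolean matched = false;
        if (this.policyItem != null) {
            if (StringUtils.equals(str, RangerPolicyEngine.ADMIN_ACCESS)) {
                // A null flag is treated as "not granted" instead of failing on unboxing.
                matched = Boolean.TRUE.equals(this.policyItem.getDelegateAdmin());
            } else if (CollectionUtils.isNotEmpty(this.policyItem.getAccesses())) {
                boolean anyAccess = StringUtils.equals(str, RangerPolicyEngine.ANY_ACCESS);
                for (RangerPolicy.RangerPolicyItemAccess access : this.policyItem.getAccesses()) {
                    // A null isAllowed is treated as "not allowed" instead of failing on unboxing.
                    if (Boolean.TRUE.equals(access.getIsAllowed()) && (anyAccess || StringUtils.equalsIgnoreCase(access.getType(), str))) {
                        matched = true;
                        break;
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchAccessType(" + str + "): " + matched);
        }
        return matched;
    }

    /**
     * Evaluates all custom conditions of this item against the request. The conditions are
     * combined with AND: the result is {@code true} only if every evaluator matches. An item
     * without condition evaluators always returns {@code true}.
     *
     * <p>NOTE(review): the loop does not stop at the first failing condition; the remaining
     * evaluators are still invoked although the result is already {@code false}. The result is
     * correct either way. An early exit was not added here because it would change which
     * evaluators run; consider it if evaluators are known to be free of side effects.
     *
     * <p>NOTE(review): evaluators come from {@code init()}. If an evaluator for a configured
     * condition could not be created and is simply missing from the list, that condition is not
     * enforced. Confirm how the code that builds the list handles creation failures.
     *
     * @param rangerAccessRequest the access request passed to each evaluator
     * @return {@code true} if there are no conditions or all conditions match
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator
    public boolean matchCustomConditions(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchCustomConditions(" + rangerAccessRequest + ")");
        }
        boolean matched = true;
        if (CollectionUtils.isNotEmpty(this.conditionEvaluators)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerDefaultPolicyItemEvaluator.matchCustomConditions(): conditionCount=" + this.conditionEvaluators.size());
            }
            for (RangerConditionEvaluator evaluator : this.conditionEvaluators) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("evaluating condition: " + evaluator);
                }
                RangerPerfTracer perfTracer = null;
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_REQUEST_LOG)) {
                    String conditionType = null;
                    if (evaluator instanceof RangerAbstractConditionEvaluator) {
                        conditionType = ((RangerAbstractConditionEvaluator) evaluator).getPolicyItemCondition().getType();
                    }
                    perfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchCondition(policyId=" + this.policyId + ",policyItemIndex=" + getPolicyItemIndex() + ",policyConditionType=" + conditionType + ")");
                }
                boolean isMatched = evaluator.isMatched(rangerAccessRequest);
                RangerPerfTracer.log(perfTracer);
                if (!isMatched) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug(evaluator + " returned false");
                    }
                    matched = false;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchCustomConditions(" + rangerAccessRequest + "): " + matched);
        }
        return matched;
    }

    /**
     * Forwards the decision of this item to the owning policy evaluator.
     *
     * <p>The third argument is {@code true} for every item type except {@code 1}.
     * NOTE(review): {@code 1} is presumably the "deny" item type, making the flag mean "access
     * allowed". Confirm against the item type constants of {@code RangerPolicyItemEvaluator} and
     * check how the other non-allow item types are expected to be reported.
     *
     * @param rangerPolicyEvaluator policy evaluator that records the result
     * @param rangerAccessResult result object to update
     * @param matchType how the policy's resource matched the request
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator
    public void updateAccessResult(RangerPolicyEvaluator rangerPolicyEvaluator, RangerAccessResult rangerAccessResult, RangerPolicyResourceMatcher.MatchType matchType) {
        rangerPolicyEvaluator.updateAccessResult(rangerAccessResult, matchType, getPolicyItemType() != 1, getComments());
    }

    /**
     * Looks up a policy condition definition by name in the service definition.
     *
     * @param str condition name (compared case-sensitively)
     * @return the matching definition, or {@code null} if the service definition is null, has no
     *     conditions, or has no condition with that name
     */
    RangerServiceDef.RangerPolicyConditionDef getConditionDef(String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyItemEvaluator.getConditionDef(" + str + ")");
        }
        RangerServiceDef.RangerPolicyConditionDef conditionDef = null;
        if (this.serviceDef != null && CollectionUtils.isNotEmpty(this.serviceDef.getPolicyConditions())) {
            for (RangerServiceDef.RangerPolicyConditionDef candidate : this.serviceDef.getPolicyConditions()) {
                if (StringUtils.equals(str, candidate.getName())) {
                    conditionDef = candidate;
                    break;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyItemEvaluator.getConditionDef(" + str + "): " + conditionDef);
        }
        return conditionDef;
    }

    /**
     * Creates a condition evaluator from a class name using its no-argument constructor.
     *
     * <p>Security: the class name is configuration data. The class is loaded without being
     * initialised and checked to be a {@link RangerConditionEvaluator} BEFORE any of its code
     * runs. Static initialisers and the constructor therefore execute only for classes of the
     * expected type. The class loader is the one that loaded this class, which is the loader
     * {@code Class.forName(String)} would use when called from here.
     *
     * <p>NOTE(review): {@code str} is presumably the evaluator class name from the service
     * definition. Confirm who can write service definitions, and consider restricting the name
     * to an approved list or package if that group is wider than trusted administrators.
     *
     * <p>NOTE(review): all failures are logged and reported as {@code null}. Callers must not
     * treat a {@code null} evaluator as "condition satisfied"; verify the call sites.
     *
     * @param str fully qualified class name of the evaluator
     * @return a new evaluator instance, or {@code null} if the class cannot be loaded, is not a
     *     {@code RangerConditionEvaluator}, or cannot be instantiated
     */
    RangerConditionEvaluator newConditionEvaluator(String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + str + ")");
        }
        RangerConditionEvaluator evaluator = null;
        try {
            Class<?> loadedClass = Class.forName(str, false, RangerDefaultPolicyItemEvaluator.class.getClassLoader());
            // Throws ClassCastException for any class that is not a RangerConditionEvaluator.
            Class<? extends RangerConditionEvaluator> evaluatorClass = loadedClass.asSubclass(RangerConditionEvaluator.class);
            evaluator = evaluatorClass.getDeclaredConstructor().newInstance();
        } catch (Throwable th) {
            // Kept as Throwable so that callers continue to receive null for every failure,
            // including linkage errors raised while loading or initialising the class.
            LOG.error("RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + str + "): error instantiating evaluator", th);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyItemEvaluator.newConditionEvaluator(" + str + "): " + evaluator);
        }
        return evaluator;
    }
}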
