package org.apache.ranger.biz;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.policyengine.PolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestProcessor;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyRepository;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.ServicePolicies;

/* loaded from: input_file:org/apache/ranger/biz/RangerPolicyAdminImpl.class */
public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
    private static final Log LOG = LogFactory.getLog(RangerPolicyAdminImpl.class);
    private static final Log PERF_POLICYENGINE_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policyengine.request");
    private final PolicyEngine policyEngine;
    private final RangerAccessRequestProcessor requestProcessor;

    public static RangerPolicyAdmin getPolicyAdmin(RangerPolicyAdminImpl rangerPolicyAdminImpl, ServicePolicies servicePolicies) {
        PolicyEngine cloneWithDelta;
        RangerPolicyAdminImpl rangerPolicyAdminImpl2 = null;
        if (rangerPolicyAdminImpl != null && servicePolicies != null && (cloneWithDelta = rangerPolicyAdminImpl.policyEngine.cloneWithDelta(servicePolicies)) != null) {
            rangerPolicyAdminImpl2 = new RangerPolicyAdminImpl(cloneWithDelta);
        }
        return rangerPolicyAdminImpl2;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public RangerPolicyAdminImpl(ServicePolicies servicePolicies, RangerPluginContext rangerPluginContext, RangerRoles rangerRoles) {
        this.policyEngine = new PolicyEngine(servicePolicies, rangerPluginContext, rangerRoles);
        this.requestProcessor = new RangerDefaultRequestProcessor(this.policyEngine);
    }

    private RangerPolicyAdminImpl(PolicyEngine policyEngine) {
        this.policyEngine = policyEngine;
        this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine);
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public boolean isAccessAllowed(RangerAccessResource rangerAccessResource, String str, String str2, Set<String> set, String str3) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.isAccessAllowed(" + rangerAccessResource + ", " + str + ", " + str2 + ", " + set + ", " + str3 + ")");
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyAdminImpl.isAccessAllowed(user=" + str2 + ",accessType=" + str3 + "resource=" + rangerAccessResource.getAsString() + ")");
        }
        RangerPolicyRepository repositoryForZone = this.policyEngine.getRepositoryForZone(str);
        if (repositoryForZone != null) {
            Set<String> rolesFromUserAndGroups = getRolesFromUserAndGroups(str2, set);
            Iterator it = repositoryForZone.getLikelyMatchPolicyEvaluators(rangerAccessResource, 0).iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                RangerPolicyEvaluator rangerPolicyEvaluator = (RangerPolicyEvaluator) it.next();
                z = rangerPolicyEvaluator.isAccessAllowed(rangerAccessResource, str2, set, rolesFromUserAndGroups, str3);
                if (z) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Access granted by policy:[" + rangerPolicyEvaluator.getPolicy() + "]");
                    }
                }
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyAdminImpl.isAccessAllowed(" + rangerAccessResource + ", " + str + ", " + str2 + ", " + set + ", " + str3 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public boolean isAccessAllowed(RangerPolicy rangerPolicy, String str, Set<String> set, Set<String> set2, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.isAccessAllowed(" + rangerPolicy.getId() + ", " + str + ", " + set + ", " + set2 + ", " + str2 + ")");
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + str + "," + set + ", roles=" + set2 + ",accessType=" + str2 + ")");
        }
        RangerPolicyRepository repositoryForMatchedZone = this.policyEngine.getRepositoryForMatchedZone(rangerPolicy);
        if (repositoryForMatchedZone != null) {
            Iterator it = repositoryForMatchedZone.getPolicyEvaluators().iterator();
            while (it.hasNext()) {
                z = ((RangerPolicyEvaluator) it.next()).isAccessAllowed(rangerPolicy, str, set, set2, str2);
                if (z) {
                    break;
                }
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyAdminImpl.isAccessAllowed(" + rangerPolicy.getId() + ", " + str + ", " + set + ", " + set2 + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public List<RangerPolicy> getExactMatchPolicies(RangerAccessResource rangerAccessResource, String str, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.getExactMatchPolicies(" + rangerAccessResource + ", " + str + ", " + map + ")");
        }
        ArrayList arrayList = null;
        RangerPolicyRepository repositoryForZone = this.policyEngine.getRepositoryForZone(str);
        if (repositoryForZone != null) {
            for (RangerPolicyEvaluator rangerPolicyEvaluator : repositoryForZone.getPolicyEvaluators()) {
                if (rangerPolicyEvaluator.isCompleteMatch(rangerAccessResource, map)) {
                    if (arrayList == null) {
                        arrayList = new ArrayList();
                    }
                    arrayList.add(rangerPolicyEvaluator.getPolicy());
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<==> RangerPolicyAdminImpl.getExactMatchPolicies(" + rangerAccessResource + ", " + str + ", " + map + "): " + arrayList);
        }
        return arrayList;
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public List<RangerPolicy> getExactMatchPolicies(RangerPolicy rangerPolicy, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.getExactMatchPolicies(" + rangerPolicy + ", " + map + ")");
        }
        ArrayList arrayList = null;
        RangerPolicyRepository repositoryForMatchedZone = this.policyEngine.getRepositoryForMatchedZone(rangerPolicy);
        if (repositoryForMatchedZone != null) {
            Map resources = rangerPolicy.getResources();
            for (RangerPolicyEvaluator rangerPolicyEvaluator : repositoryForMatchedZone.getPolicyEvaluators()) {
                if (rangerPolicyEvaluator.isCompleteMatch(resources, map)) {
                    if (arrayList == null) {
                        arrayList = new ArrayList();
                    }
                    arrayList.add(rangerPolicyEvaluator.getPolicy());
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyAdminImpl.getExactMatchPolicies(" + rangerPolicy + ", " + map + "): " + arrayList);
        }
        return arrayList;
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public List<RangerPolicy> getMatchingPolicies(RangerAccessResource rangerAccessResource) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.getMatchingPolicies(" + rangerAccessResource + ")");
        }
        List<RangerPolicy> matchingPolicies = getMatchingPolicies(rangerAccessResource, "_any");
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyAdminImpl.getMatchingPolicies(" + rangerAccessResource + ") : " + matchingPolicies.size());
        }
        return matchingPolicies;
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public long getPolicyVersion() {
        return this.policyEngine.getPolicyVersion();
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public long getRoleVersion() {
        return this.policyEngine.getRoleVersion();
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public String getServiceName() {
        return this.policyEngine.getServiceName();
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public void setRoles(RangerRoles rangerRoles) {
        this.policyEngine.setRoles(rangerRoles);
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public Set<String> getRolesFromUserAndGroups(String str, Set<String> set) {
        return this.policyEngine.getPluginContext().getAuthContext().getRolesForUserAndGroups(str, set);
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public String getUniquelyMatchedZoneName(GrantRevokeRequest grantRevokeRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.getUniquelyMatchedZoneName(" + grantRevokeRequest + ")");
        }
        String uniquelyMatchedZoneName = this.policyEngine.getUniquelyMatchedZoneName(grantRevokeRequest.getResource());
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyAdminImpl.getUniquelyMatchedZoneName(" + grantRevokeRequest + ") : " + uniquelyMatchedZoneName);
        }
        return uniquelyMatchedZoneName;
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public boolean isAccessAllowedByUnzonedPolicies(Map<String, RangerPolicy.RangerPolicyResource> map, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.isAccessAllowedByUnzonedPolicies(" + map + ", " + str + ", " + set + ", " + str2 + ")");
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + str + "," + set + ",accessType=" + str2 + ")");
        }
        Iterator it = this.policyEngine.getPolicyRepository().getPolicyEvaluators().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            RangerPolicyEvaluator rangerPolicyEvaluator = (RangerPolicyEvaluator) it.next();
            z = rangerPolicyEvaluator.isAccessAllowed(map, str, set, str2);
            if (z) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Access granted by policy:[" + rangerPolicyEvaluator.getPolicy() + "]");
                }
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyAdminImpl.isAccessAllowedByUnzonedPolicies(" + map + ", " + str + ", " + set + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.biz.RangerPolicyAdmin
    public List<RangerPolicy> getAllowedUnzonedPolicies(String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.getAllowedByUnzonedPolicies(" + str + ", " + set + ", " + str2 + ")");
        }
        ArrayList arrayList = new ArrayList();
        Iterator it = this.policyEngine.getPolicyRepository().getPolicyEvaluators().iterator();
        while (it.hasNext()) {
            RangerPolicy policy = ((RangerPolicyEvaluator) it.next()).getPolicy();
            if (isAccessAllowedByUnzonedPolicies(policy.getResources(), str, set, str2)) {
                arrayList.add(policy);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyAdminImpl.getAllowedByUnzonedPolicies(" + str + ", " + set + ", " + str2 + "): policyCount=" + arrayList.size());
        }
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void releaseResources(boolean z) {
        if (this.policyEngine != null) {
            this.policyEngine.preCleanup(z);
        }
    }

    private List<RangerPolicy> getMatchingPolicies(RangerAccessResource rangerAccessResource, String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyAdminImpl.getMatchingPolicies(" + rangerAccessResource + ", " + str + ")");
        }
        ArrayList arrayList = new ArrayList();
        RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl(rangerAccessResource, str, (String) null, (Set) null, (Set) null);
        this.requestProcessor.preProcess(rangerAccessRequestImpl);
        Set matchedZonesForResourceAndChildren = this.policyEngine.getMatchedZonesForResourceAndChildren(rangerAccessResource);
        if (CollectionUtils.isEmpty(matchedZonesForResourceAndChildren)) {
            getMatchingPoliciesForZone(rangerAccessRequestImpl, null, arrayList);
        } else {
            Iterator it = matchedZonesForResourceAndChildren.iterator();
            while (it.hasNext()) {
                getMatchingPoliciesForZone(rangerAccessRequestImpl, (String) it.next(), arrayList);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyAdminImpl.getMatchingPolicies(" + rangerAccessResource + ", " + str + ") : " + arrayList.size());
        }
        return arrayList;
    }

    /* JADX WARN: Removed duplicated region for block: B:32:0x015e A[SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:47:0x0093 A[SYNTHETIC] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private void getMatchingPoliciesForZone(org.apache.ranger.plugin.policyengine.RangerAccessRequest r6, java.lang.String r7, java.util.List<org.apache.ranger.plugin.model.RangerPolicy> r8) {
        /*
            Method dump skipped, instructions count: 548
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.apache.ranger.biz.RangerPolicyAdminImpl.getMatchingPoliciesForZone(org.apache.ranger.plugin.policyengine.RangerAccessRequest, java.lang.String, java.util.List):void");
    }
}
