package org.apache.ranger.rest;

import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.SecurityZoneDBStore;
import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.biz.ServiceMgr;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXService;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.validation.RangerValidator;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.service.RangerSecurityZoneServiceService;
import org.apache.ranger.view.RangerSecurityZoneList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

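/**
 * REST resource for Ranger security zones (create, update, delete, read, list).
 *
 * <p>Authorization model as implemented in this class:
 * <ul>
 *   <li>create and delete require a Ranger admin ({@link #ensureAdminAccess()} /
 *       {@link #ensureAdminAccess(RangerSecurityZone)});</li>
 *   <li>update is allowed for a non-admin only for the parts of the zone that user
 *       administers ({@link #ensureUserAllowOperationOnServiceForZone(RangerSecurityZone)});</li>
 *   <li>the read endpoints perform no explicit authorization check in this class.</li>
 * </ul>
 *
 * <p>Every endpoint re-throws {@link WebApplicationException} untouched and wraps any other
 * failure into a REST exception via {@link RESTErrorUtil}, so authorization failures keep
 * their status code and unexpected errors do not leak a stack trace to the client.
 */
@Path("zones")
@Scope("request")
@Transactional(propagation = Propagation.REQUIRES_NEW)
@Component
public class SecurityZoneREST {
    private static final Log LOG = LogFactory.getLog(SecurityZoneREST.class);

    /** Id of the implicit "unzoned" zone; it can be neither updated, deleted nor fetched by id here. */
    private static final Long UNZONED_ZONE_ID = 1L;

    /** Implementation class of the KMS service type; KMS services may not be placed in zones. */
    private static final String KMS_SERVICE_IMPL_CLASS = "org.apache.ranger.services.kms.RangerServiceKMS";

    @Autowired
    RESTErrorUtil restErrorUtil;

    @Autowired
    SecurityZoneDBStore securityZoneStore;

    @Autowired
    RangerSecurityZoneServiceService securityZoneService;

    @Autowired
    ServiceDBStore svcStore;

    @Autowired
    RangerSearchUtil searchUtil;

    @Autowired
    RangerValidatorFactory validatorFactory;

    @Autowired
    RangerBizUtil bizUtil;

    @Autowired
    ServiceREST serviceRest;

    @Autowired
    RangerDaoManager daoManager;

    @Autowired
    ServiceMgr serviceMgr;

    /**
     * Creates a security zone. Admin only; zones referencing a KMS service are rejected.
     *
     * @param rangerSecurityZone the zone to create, as sent by the client
     * @return the persisted zone
     * @throws WebApplicationException on authorization or validation failure, or wrapping
     *         any other failure
     */
    @POST
    @Path("/zones")
    public RangerSecurityZone createSecurityZone(RangerSecurityZone rangerSecurityZone) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> createSecurityZone(" + rangerSecurityZone + ")");
        }
        try {
            ensureAdminAccess(rangerSecurityZone);
            removeEmptyEntries(rangerSecurityZone);
            this.validatorFactory.getSecurityZoneValidator(this.svcStore, this.securityZoneStore).validate(rangerSecurityZone, RangerValidator.Action.CREATE);
            RangerSecurityZone created = this.securityZoneStore.createSecurityZone(rangerSecurityZone);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== createSecurityZone(" + rangerSecurityZone + "):" + created);
            }
            return created;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            // Boundary catch: log the full cause server-side, return only the message.
            LOG.error("createSecurityZone(" + rangerSecurityZone + ") failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Updates the zone identified by the path id.
     *
     * <p>The path id is bound to the body <em>before</em> the permission check runs, so a
     * non-admin's allowed-changes check always inspects the zone that is actually being
     * modified, independent of whether the request body carried an id.
     *
     * @param l path id of the zone to update
     * @param rangerSecurityZone the requested zone state
     * @return the persisted zone
     * @throws WebApplicationException if the id is missing, refers to the unzoned zone,
     *         mismatches the body id, the caller may not make the change, or validation fails
     */
    @Path("/zones/{id}")
    @PUT
    public RangerSecurityZone updateSecurityZone(@PathParam("id") Long l, RangerSecurityZone rangerSecurityZone) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> updateSecurityZone(id=" + l + ", " + rangerSecurityZone + ")");
        }
        if (l == null || rangerSecurityZone == null) {
            throw this.restErrorUtil.createRESTException("zone id and zone body are required");
        }
        if (l.equals(UNZONED_ZONE_ID)) {
            throw this.restErrorUtil.createRESTException("Cannot update unzoned zone");
        }
        if (rangerSecurityZone.getId() != null && !l.equals(rangerSecurityZone.getId())) {
            throw this.restErrorUtil.createRESTException("zoneId mismatch!!");
        }
        rangerSecurityZone.setId(l);
        ensureUserAllowOperationOnServiceForZone(rangerSecurityZone);
        removeEmptyEntries(rangerSecurityZone);
        try {
            this.validatorFactory.getSecurityZoneValidator(this.svcStore, this.securityZoneStore).validate(rangerSecurityZone, RangerValidator.Action.UPDATE);
            RangerSecurityZone updated = this.securityZoneStore.updateSecurityZoneById(rangerSecurityZone);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== updateSecurityZone(id=" + l + ", " + rangerSecurityZone + "):" + updated);
            }
            return updated;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("updateSecurityZone(" + rangerSecurityZone + ") failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Deletes a zone by name. Admin only.
     *
     * @param str zone name
     * @throws WebApplicationException on authorization or validation failure, or wrapping
     *         any other failure
     */
    @Path("/zones/name/{name}")
    @DELETE
    public void deleteSecurityZone(@PathParam("name") String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> deleteSecurityZone(name=" + str + ")");
        }
        try {
            ensureAdminAccess();
            this.validatorFactory.getSecurityZoneValidator(this.svcStore, this.securityZoneStore).validate(str, RangerValidator.Action.DELETE);
            this.securityZoneStore.deleteSecurityZoneByName(str);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== deleteSecurityZone(name=" + str + ")");
            }
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("deleteSecurityZone(" + str + ") failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Deletes a zone by id. Admin only; the unzoned zone cannot be deleted.
     *
     * @param l zone id
     * @throws WebApplicationException on authorization or validation failure, or wrapping
     *         any other failure
     */
    @Path("/zones/{id}")
    @DELETE
    public void deleteSecurityZone(@PathParam("id") Long l) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> deleteSecurityZone(id=" + l + ")");
        }
        if (UNZONED_ZONE_ID.equals(l)) {
            throw this.restErrorUtil.createRESTException("Cannot delete unzoned zone");
        }
        try {
            ensureAdminAccess();
            this.validatorFactory.getSecurityZoneValidator(this.svcStore, this.securityZoneStore).validate(l, RangerValidator.Action.DELETE);
            this.securityZoneStore.deleteSecurityZoneById(l);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== deleteSecurityZone(id=" + l + ")");
            }
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("deleteSecurityZone(" + l + ") failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Returns a zone by name.
     *
     * <p>NOTE(review): no authorization check is performed in this method; read access is
     * presumably enforced elsewhere in the request pipeline — confirm.
     *
     * @param str zone name
     * @return the zone as returned by the store
     */
    @GET
    @Path("/zones/name/{name}")
    public RangerSecurityZone getSecurityZone(@PathParam("name") String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getSecurityZone(name=" + str + ")");
        }
        try {
            RangerSecurityZone zone = this.securityZoneStore.getSecurityZoneByName(str);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== getSecurityZone(name=" + str + "):" + zone);
            }
            return zone;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("getSecurityZone(" + str + ") failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Returns a zone by id; the unzoned zone is not served by this endpoint.
     *
     * <p>NOTE(review): no authorization check is performed in this method; read access is
     * presumably enforced elsewhere in the request pipeline — confirm.
     *
     * @param l zone id
     * @return the zone as returned by the store
     */
    @GET
    @Path("/zones/{id}")
    public RangerSecurityZone getSecurityZone(@PathParam("id") Long l) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getSecurityZone(id=" + l + ")");
        }
        if (UNZONED_ZONE_ID.equals(l)) {
            // Message previously read "Cannot delete unzoned zone" (copied from the DELETE path).
            throw this.restErrorUtil.createRESTException("Cannot get unzoned zone");
        }
        try {
            RangerSecurityZone zone = this.securityZoneStore.getSecurityZone(l);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== getSecurityZone(id=" + l + "):" + zone);
            }
            return zone;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("getSecurityZone(" + l + ") failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Lists zones matching the search filter built from the request's query parameters.
     *
     * @param httpServletRequest the incoming request (source of the search/sort parameters)
     * @return the list wrapper; counts and sort fields are filled only when the store returned a list
     */
    @GET
    @Path("/zones")
    public RangerSecurityZoneList getAllZones(@Context HttpServletRequest httpServletRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getAllZones()");
        }
        RangerSecurityZoneList result = new RangerSecurityZoneList();
        SearchFilter searchFilter = this.searchUtil.getSearchFilter(httpServletRequest, this.securityZoneService.sortFields);
        try {
            List<RangerSecurityZone> zones = this.securityZoneStore.getSecurityZones(searchFilter);
            result.setSecurityZoneList(zones);
            if (zones != null) {
                result.setTotalCount(zones.size());
                result.setSortBy(searchFilter.getSortBy());
                result.setSortType(searchFilter.getSortType());
                result.setResultSize(zones.size());
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== getAllZones():" + result);
            }
            return result;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("getSecurityZones() failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Requires the current user to be a Ranger admin.
     *
     * @throws WebApplicationException with status 403 otherwise
     */
    private void ensureAdminAccess() {
        if (!this.bizUtil.isAdmin()) {
            throw this.restErrorUtil.createRESTException(403, "Ranger Security Zone is not accessible for user '" + this.bizUtil.getCurrentUserLoginId() + "'.", true);
        }
    }

    /**
     * For a non-admin caller, verifies that the requested zone state differs from the stored
     * zone only in ways that user may make:
     * <ul>
     *   <li>name and description may not change;</li>
     *   <li>admin/audit user and group lists may change only for a zone admin;</li>
     *   <li>tag services and services may be added/removed only by a service admin of each
     *       affected service; a service's resources may be edited only by its service admin.</li>
     * </ul>
     * Admins pass unconditionally. If the stored zone cannot be found the method returns
     * without checks (the validator is expected to reject the update later).
     *
     * @param rangerSecurityZone requested zone state; its id must already be set
     * @throws WebApplicationException with status 403 for a disallowed change; any failure
     *         while loading the stored zone is wrapped into a REST exception
     */
    private void ensureUserAllowOperationOnServiceForZone(RangerSecurityZone rangerSecurityZone) {
        if (this.bizUtil.isAdmin()) {
            return;
        }
        String currentUserLoginId = this.bizUtil.getCurrentUserLoginId();
        RangerSecurityZone existing;
        try {
            existing = this.svcStore.getSecurityZone(rangerSecurityZone.getId());
        } catch (WebApplicationException e) {
            // Keep the original status/message; do not re-wrap as a generic error.
            throw e;
        } catch (Exception e) {
            LOG.error("Unable to get Security Zone with id : " + rangerSecurityZone.getId(), e);
            throw this.restErrorUtil.createRESTException(e.getMessage());
        }
        if (existing == null) {
            return;
        }
        ensureZoneMetadataUnchanged(rangerSecurityZone, existing, currentUserLoginId);
        ensureTagServiceChangesAllowed(rangerSecurityZone, existing, currentUserLoginId);
        ensureServiceChangesAllowed(rangerSecurityZone, existing, currentUserLoginId);
    }

    /** Rejects changes to name/description, and (unless the user is a zone admin) to the admin/audit lists. */
    private void ensureZoneMetadataUnchanged(RangerSecurityZone requested, RangerSecurityZone existing, String userName) {
        String zoneName = existing.getName();
        if (!Objects.equals(requested.getName(), zoneName)) {
            throwRestError("User : " + userName + " is not allowed to edit zone name of zone : " + zoneName);
        }
        if (!Objects.equals(requested.getDescription(), existing.getDescription())) {
            throwRestError("User : " + userName + " is not allowed to edit zone description of zone : " + zoneName);
        }
        if (this.serviceMgr.isZoneAdmin(zoneName)) {
            return;
        }
        if (!Objects.equals(requested.getAdminUserGroups(), existing.getAdminUserGroups())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Admin User Group of zone : " + zoneName);
        }
        if (!Objects.equals(requested.getAdminUsers(), existing.getAdminUsers())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Admin User of zone : " + zoneName);
        }
        if (!Objects.equals(requested.getAuditUsers(), existing.getAuditUsers())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Audit User of zone : " + zoneName);
        }
        if (!Objects.equals(requested.getAuditUserGroups(), existing.getAuditUserGroups())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Audit User Group of zone : " + zoneName);
        }
    }

    /** Every tag service added to or removed from the zone must be administered by the user. */
    private void ensureTagServiceChangesAllowed(RangerSecurityZone requested, RangerSecurityZone existing, String userName) {
        Collection<String> existingTagServices = orEmpty(existing.getTagServices());
        Collection<String> requestedTagServices = orEmpty(requested.getTagServices());
        for (String tagService : symmetricDifference(existingTagServices, requestedTagServices)) {
            if (!this.svcStore.isServiceAdminUser(tagService, userName)) {
                throwRestError("User : " + userName + " is not allowed to add/remove tag service : " + tagService + " in Ranger Security zone : " + existing.getName());
            }
        }
    }

    /**
     * Every service added to or removed from the zone, and every service whose resources are
     * edited, must be administered by the user. A missing services map is treated as empty.
     */
    private void ensureServiceChangesAllowed(RangerSecurityZone requested, RangerSecurityZone existing, String userName) {
        Map<String, RangerSecurityZone.RangerSecurityZoneService> existingServices = orEmpty(existing.getServices());
        Map<String, RangerSecurityZone.RangerSecurityZoneService> requestedServices = orEmpty(requested.getServices());
        for (String serviceName : symmetricDifference(existingServices.keySet(), requestedServices.keySet())) {
            if (!this.svcStore.isServiceAdminUser(serviceName, userName)) {
                throwRestError("User : " + userName + " is not allowed to add/remove service : " + serviceName + " in Ranger Security zone : " + existing.getName());
            }
        }
        for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : existingServices.entrySet()) {
            String serviceName = entry.getKey();
            RangerSecurityZone.RangerSecurityZoneService requestedService = requestedServices.get(serviceName);
            if (requestedService == null) {
                continue; // removal was already authorized above
            }
            Object existingResources = entry.getValue() == null ? null : entry.getValue().getResources();
            if (!Objects.equals(existingResources, requestedService.getResources()) && !this.svcStore.isServiceAdminUser(serviceName, userName)) {
                throwRestError("User : " + userName + " is not allowed to edit resource in service : " + serviceName + " in Ranger Security zone : " + existing.getName());
            }
        }
    }

    /** Elements present in exactly one of the two collections. */
    private static Set<String> symmetricDifference(Collection<String> left, Collection<String> right) {
        Set<String> onlyLeft = new HashSet<>(left);
        onlyLeft.removeAll(right);
        Set<String> onlyRight = new HashSet<>(right);
        onlyRight.removeAll(left);
        onlyLeft.addAll(onlyRight);
        return onlyLeft;
    }

    private static <T> Collection<T> orEmpty(Collection<T> values) {
        return values == null ? Collections.<T>emptyList() : values;
    }

    private static <K, V> Map<K, V> orEmpty(Map<K, V> values) {
        return values == null ? Collections.<K, V>emptyMap() : values;
    }

    /** Throws a 403 REST exception carrying the given message. */
    private void throwRestError(String str) {
        throw this.restErrorUtil.createRESTException(403, str, true);
    }

    /**
     * Admin-only gate for zone creation; additionally refuses zones that reference a KMS service.
     *
     * @param rangerSecurityZone zone being created (may be null; then only the admin check applies)
     * @throws WebApplicationException if the user is not an admin or the zone references a KMS service
     */
    private void ensureAdminAccess(RangerSecurityZone rangerSecurityZone) {
        if (!this.bizUtil.isAdmin()) {
            throw this.restErrorUtil.createRESTException("Ranger Securtiy Zone is not accessible for user '" + this.bizUtil.getCurrentUserLoginId() + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
        blockAdminFromKMSService(rangerSecurityZone);
    }

    /**
     * Rejects the zone if any of its services is backed by the KMS service type.
     * Services that do not exist in the DB are skipped (the validator deals with those).
     */
    private void blockAdminFromKMSService(RangerSecurityZone rangerSecurityZone) {
        if (rangerSecurityZone == null || rangerSecurityZone.getServices() == null) {
            return;
        }
        Map<String, RangerSecurityZone.RangerSecurityZoneService> services = rangerSecurityZone.getServices();
        for (String serviceName : services.keySet()) {
            XXService service = this.daoManager.getXXService().findByName(serviceName);
            if (service == null) {
                continue;
            }
            String implClassName = this.daoManager.getXXServiceDef().getById(service.getType()).getImplclassname();
            if (KMS_SERVICE_IMPL_CLASS.equals(implClassName)) {
                throw this.restErrorUtil.createRESTException("KMS Services/Service-Defs are not accessible for Zone operations", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
            }
        }
    }

    /**
     * Strips empty strings from every list the client may have sent: tag services, admin/audit
     * users and groups, and each resource value list of every service. A null zone is a no-op.
     */
    private void removeEmptyEntries(RangerSecurityZone rangerSecurityZone) {
        if (rangerSecurityZone == null) {
            return;
        }
        this.bizUtil.removeEmptyStrings(rangerSecurityZone.getTagServices());
        this.bizUtil.removeEmptyStrings(rangerSecurityZone.getAdminUsers());
        this.bizUtil.removeEmptyStrings(rangerSecurityZone.getAdminUserGroups());
        this.bizUtil.removeEmptyStrings(rangerSecurityZone.getAuditUsers());
        this.bizUtil.removeEmptyStrings(rangerSecurityZone.getAuditUserGroups());
        Map<String, RangerSecurityZone.RangerSecurityZoneService> services = rangerSecurityZone.getServices();
        if (services == null) {
            return;
        }
        for (RangerSecurityZone.RangerSecurityZoneService service : services.values()) {
            if (service == null || service.getResources() == null) {
                continue;
            }
            List<? extends Map<?, ?>> resources = service.getResources();
            for (Map<?, ?> resource : resources) {
                if (resource == null) {
                    continue;
                }
                for (Object values : resource.values()) {
                    // Resource values are lists of strings on the wire; the raw cast matches the original.
                    this.bizUtil.removeEmptyStrings((List) values);
                }
            }
        }
    }
}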
