package org.apache.ranger.rest;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import org.apache.commons.codec.binary.StringUtils;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.biz.AssetMgr;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.RoleDBStore;
import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.biz.XUserMgr;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXService;
import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.validation.RangerValidator;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.service.RangerRoleService;
import org.apache.ranger.service.XUserService;
import org.apache.ranger.view.RangerRoleList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

@Path("roles")
@Scope("request")
@Transactional(propagation = Propagation.REQUIRES_NEW)
@Component
/* loaded from: input_file:org/apache/ranger/rest/RoleREST.class */
public class RoleREST {
    private static final Log LOG = LogFactory.getLog(RoleREST.class);
    // Member names that createRole/updateRole/addUsersAndGroups refuse (see containsInvalidMember /
    // containsInvalidUser). Nothing visible in this file ever adds to it, so as written those checks
    // never reject anyone -- TODO confirm whether some other code populates it (it is mutable, non-final).
    private static List<String> INVALID_USERS = new ArrayList();
    // Service-config property listing the extra users allowed to download policies/roles for a
    // service; consulted by getSecureRangerRolesIfUpdated via RangerBizUtil.isUserAllowed().
    public static final String POLICY_DOWNLOAD_USERS = "policy.download.auth.users";

    // Converts failures into JAX-RS WebApplicationExceptions with a status/message.
    @Autowired
    RESTErrorUtil restErrorUtil;

    // Records plugin download activity (createPluginInfo) for the download endpoints.
    @Autowired
    AssetMgr assetMgr;

    // Direct DAO access; used to resolve XXService / XXServiceDef for the secure download.
    @Autowired
    RangerDaoManager daoManager;

    // Persistence for roles: create/update/delete/get and versioned bulk fetch for plugins.
    @Autowired
    RoleDBStore roleStore;

    // Supplies the sortable fields accepted by the search-filter based listing endpoints.
    @Autowired
    RangerRoleService roleService;

    @Autowired
    XUserService xUserService;

    // Service lookups used by the authorization helpers (service admin / service user checks).
    @Autowired
    ServiceDBStore svcStore;

    // Builds a SearchFilter from the HttpServletRequest query parameters.
    @Autowired
    RangerSearchUtil searchUtil;

    // isValidService(): validates the requested service for the plugin download endpoints.
    @Autowired
    ServiceUtil serviceUtil;

    // Role validators for CREATE / UPDATE / DELETE.
    @Autowired
    RangerValidatorFactory validatorFactory;

    // Session/authorization predicates: isUserRangerAdmin, isAdmin, isKeyAdmin, isUserAllowed, ...
    @Autowired
    RangerBizUtil bizUtil;

    // getGroupsForUser(): group membership used for the role-admin checks.
    @Autowired
    XUserMgr userMgr;

    @POST
    @Path("/roles")
    public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role, @QueryParam("createNonExistUserGroup") @DefaultValue("false") Boolean createNonExistUserGroup) {
        /*
         * Creates a new role.
         *
         * Authorization goes through ensureAdminAccess() with the role's createdByUser (taken from
         * the request body) as the "exec user": the logged-in user must either be that user, or be a
         * Ranger admin / service admin / the plugin service user acting on their behalf, and the
         * effective user must itself be a Ranger admin. Users named in INVALID_USERS are rejected.
         * Every failure is surfaced as a REST error carrying the underlying message.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> createRole(" + role + ")");
        }
        RangerRole created;
        try {
            this.validatorFactory.getRangerRoleValidator(this.roleStore).validate(role, RangerValidator.Action.CREATE);
            ensureAdminAccess(serviceName, role.getCreatedByUser());
            if (containsInvalidMember(role.getUsers())) {
                throw new Exception("Invalid role user(s)");
            }
            created = this.roleStore.createRole(role, createNonExistUserGroup);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("createRole(" + role + ") failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== createRole(" + role + "):" + created);
        }
        return created;
    }

    @Path("/roles/{id}")
    @PUT
    public RangerRole updateRole(@PathParam("id") Long id, RangerRole role, @QueryParam("createNonExistUserGroup") @DefaultValue("false") Boolean createNonExistUserGroup) {
        /*
         * Replaces role {id} with the supplied definition.
         *
         * The path id wins over a body id (a conflicting body id is rejected before any work is
         * done). Authorization is ensureAdminAccess(null, null), i.e. the logged-in user must be a
         * Ranger admin -- no service-level or role-admin delegation applies here. Users named in
         * INVALID_USERS are rejected.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> updateRole(id=" + id + ", " + role + ")");
        }
        Long bodyId = role.getId();
        if (bodyId != null && !id.equals(bodyId)) {
            throw this.restErrorUtil.createRESTException("roleId mismatch!!");
        }
        role.setId(id);
        RangerRole updated;
        try {
            this.validatorFactory.getRangerRoleValidator(this.roleStore).validate(role, RangerValidator.Action.UPDATE);
            ensureAdminAccess(null, null);
            if (containsInvalidMember(role.getUsers())) {
                throw new Exception("Invalid role user(s)");
            }
            updated = this.roleStore.updateRole(role, createNonExistUserGroup);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("updateRole(" + role + ") failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== updateRole(id=" + id + ", " + role + "):" + updated);
        }
        return updated;
    }

    @Path("/roles/name/{name}")
    @DELETE
    public void deleteRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String execUser, @PathParam("name") String roleName) {
        /*
         * Deletes the role called {name}.
         *
         * serviceName/execUser are client-supplied query parameters fed to ensureAdminAccess():
         * a Ranger admin, a service admin of serviceName, or the plugin service user for that
         * service type may perform the delete on behalf of execUser, who must be a Ranger admin.
         * The role name is validated for DELETE before any authorization check runs.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> deleteRole(user=" + execUser + " name=" + roleName + ")");
        }
        try {
            this.validatorFactory.getRangerRoleValidator(this.roleStore).validate(roleName, RangerValidator.Action.DELETE);
            ensureAdminAccess(serviceName, execUser);
            this.roleStore.deleteRole(roleName);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("deleteRole(" + roleName + ") failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== deleteRole(name=" + roleName + ")");
        }
    }

    @Path("/roles/{id}")
    @DELETE
    public void deleteRole(@PathParam("id") Long id) {
        /*
         * Deletes role {id}. Only a logged-in Ranger admin may call this
         * (ensureAdminAccess(null, null) allows no delegation); the id is validated for DELETE
         * before the authorization check.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> deleteRole(id=" + id + ")");
        }
        try {
            this.validatorFactory.getRangerRoleValidator(this.roleStore).validate(id, RangerValidator.Action.DELETE);
            ensureAdminAccess(null, null);
            this.roleStore.deleteRole(id);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("deleteRole(" + id + ") failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== deleteRole(id=" + id + ")");
        }
    }

    @GET
    @Path("/roles/name/{name}")
    public RangerRole getRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String execUser, @PathParam("name") String roleName) {
        /*
         * Returns the role called {name}, subject to getRoleIfAccessible(): the caller (or the
         * execUser they are allowed to act for) must be a Ranger admin or an admin member of the
         * role. A null result is reported as a permission error; an admin asking for a missing role
         * gets a "does not exist" error (getRoleIfAccessible hands back an empty RangerRole then).
         *
         * NOTE(review): the group set used for the role-admin check is looked up for execUser, which
         * may be null when the caller does not pass it -- confirm getGroupsForUser tolerates that.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getRole(name=" + roleName + ")");
        }
        RangerRole role;
        try {
            role = getRoleIfAccessible(roleName, serviceName, execUser, this.userMgr.getGroupsForUser(execUser));
            if (role == null) {
                throw this.restErrorUtil.createRESTException("User doesn't have permissions to get details for " + roleName);
            }
            if (role.getName() == null) {
                throw this.restErrorUtil.createRESTException("Role with name: " + roleName + " does not exist");
            }
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("getRole(" + roleName + ") failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getRole(name=" + roleName + "):" + role);
        }
        return role;
    }

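    @GET
    @Path("/roles/{id}")
    public RangerRole getRole(@PathParam("id") Long id) {
        /*
         * Returns role {id}.
         *
         * The original returned whatever roleStore.getRole(id) produced with no authorization check
         * at all, unlike the name-based getRole(), so any authenticated caller could read any
         * role's membership by id. This version applies the same rule getRoleIfAccessible() applies
         * to the logged-in user: Ranger admins may read any role, anyone else must be an admin
         * member of the role (directly, or through one of their groups). The internal callers in
         * this class (addUsersAndGroups & co.) have already passed ensureAdminAccess(null, null),
         * i.e. are Ranger admins, so they are unaffected.
         *
         * A null result from the store is passed through unchanged (the original did the same).
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getRole(id=" + id + ")");
        }
        RangerRole role;
        try {
            role = this.roleStore.getRole(id);
            if (role != null) {
                UserSessionBase session = ContextUtil.getCurrentUserSession();
                String loginId = session != null ? session.getLoginId() : null;
                boolean allowed = this.bizUtil.isUserRangerAdmin(loginId);
                if (!allowed && loginId != null) {
                    // Group membership is only needed for the non-admin path.
                    allowed = ensureRoleAccess(loginId, this.userMgr.getGroupsForUser(loginId), role);
                }
                if (!allowed) {
                    throw this.restErrorUtil.createRESTException("User doesn't have permissions to get details for role id " + id);
                }
            }
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("getRole(" + id + ") failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getRole(id=" + id + "):" + role);
        }
        return role;
    }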

    @GET
    @Path("/roles")
    public RangerRoleList getAllRoles(@Context HttpServletRequest request) {
        /*
         * Lists roles matching the search filter built from the request's query parameters
         * (sortable fields come from roleService.sortFields).
         *
         * NOTE(review): no authorization check is performed in this method; whether the result is
         * restricted to the caller depends entirely on roleStore.getRoles(), which is not visible
         * here -- verify before exposing this to non-admin users.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getAllRoles()");
        }
        RangerRoleList result = new RangerRoleList();
        try {
            SearchFilter filter = this.searchUtil.getSearchFilter(request, this.roleService.sortFields);
            this.roleStore.getRoles(filter, result);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("getRoles() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getAllRoles():" + result);
        }
        return result;
    }

    @GET
    @Path("/lookup/roles")
    public RangerRoleList getAllRolesForUser(@Context HttpServletRequest request) {
        /*
         * Lookup variant of getAllRoles(): same search filter, but delegates to
         * roleStore.getRolesForUser(), which presumably scopes the result to the current user
         * (not visible here). The log lines still say "getAllRoles"/"getRoles" -- kept as-is.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getAllRolesForUser()");
        }
        RangerRoleList result = new RangerRoleList();
        try {
            SearchFilter filter = this.searchUtil.getSearchFilter(request, this.roleService.sortFields);
            this.roleStore.getRolesForUser(filter, result);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("getRoles() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getAllRoles():" + result);
        }
        return result;
    }

    @GET
    @Path("/roles/names")
    public List<String> getAllRoleNames(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String execUser, @Context HttpServletRequest request) {
        /*
         * Returns the names of the roles matching the request's search filter. Guarded by
         * ensureAdminAccess(serviceName, execUser): the caller must be a Ranger admin, or a service
         * admin / plugin service user of serviceName acting for execUser, who must be a Ranger admin.
         * The filter is built before the try block, so a bad filter surfaces as an unwrapped error.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getAllRoleNames()");
        }
        SearchFilter filter = this.searchUtil.getSearchFilter(request, this.roleService.sortFields);
        List<String> names;
        try {
            ensureAdminAccess(serviceName, execUser);
            names = this.roleStore.getRoleNames(filter);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("getAllRoleNames() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getAllRoleNames():" + names);
        }
        return names;
    }

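    @Path("/roles/{id}/addUsersAndGroups")
    @PUT
    public RangerRole addUsersAndGroups(Long roleId, List<String> users, List<String> groups, Boolean isAdmin) {
        /*
         * Adds the named users and groups to role {roleId}, each with the given admin flag, and
         * persists the result. Only a logged-in Ranger admin may call this.
         *
         * Fix: the original rebuilt the member lists from scratch and only carried over existing
         * users that were both named in the request AND isAdmin == TRUE, and existing groups whose
         * admin flag happened to equal isAdmin -- every other existing member was silently dropped
         * from the role. An "add" must keep what is already there; this version keeps all existing
         * members, upgrades a named existing member to admin when isAdmin is true (it never
         * downgrades, matching the original's one-way setIsAdmin), and appends the new names.
         *
         * Null lists are treated as empty and a null isAdmin as false (the original threw NPE,
         * which surfaced as an opaque 400). Boolean.TRUE.equals() replaces the original
         * reference comparison (bool == Boolean.TRUE), which silently fails for a non-interned Boolean.
         *
         * NOTE(review): as in the original, the parameters carry no JAX-RS binding annotations, so
         * how this is reachable over HTTP is not visible here; it is also called internally.
         */
        List<String> userNames = users != null ? users : new ArrayList<String>();
        List<String> groupNames = groups != null ? groups : new ArrayList<String>();
        boolean grantAdmin = Boolean.TRUE.equals(isAdmin);
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> addUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(userNames.toArray()) + ", groups=" + Arrays.toString(groupNames.toArray()) + ", isAdmin=" + grantAdmin + ")");
        }
        RangerRole updated;
        try {
            ensureAdminAccess(null, null);
            if (containsInvalidUser(userNames)) {
                throw new Exception("Invalid role user(s)");
            }
            RangerRole role = getRole(roleId);
            role.setUsers(mergeMembers(role.getUsers(), userNames, grantAdmin));
            role.setGroups(mergeMembers(role.getGroups(), groupNames, grantAdmin));
            updated = this.roleStore.updateRole(role, false);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("addUsersAndGroups() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== addUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(userNames.toArray()) + ", groups=" + Arrays.toString(groupNames.toArray()) + ", isAdmin=" + grantAdmin + "):" + updated);
        }
        return updated;
    }

    /**
     * Returns a new member list containing every existing member plus one new member per name
     * not already present. Existing members named in {@code names} are promoted to admin when
     * {@code grantAdmin} is true; nothing is ever demoted or removed. Duplicate names are added once.
     */
    private static List<RangerRole.RoleMember> mergeMembers(List<RangerRole.RoleMember> existing, List<String> names, boolean grantAdmin) {
        List<RangerRole.RoleMember> merged = new ArrayList<RangerRole.RoleMember>();
        Set<String> seen = new HashSet<String>();
        if (existing != null) {
            for (RangerRole.RoleMember member : existing) {
                if (grantAdmin && names.contains(member.getName())) {
                    member.setIsAdmin(true);
                }
                merged.add(member);
                seen.add(member.getName());
            }
        }
        for (String name : names) {
            if (seen.add(name)) {
                merged.add(new RangerRole.RoleMember(name, grantAdmin));
            }
        }
        return merged;
    }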

    @Path("/roles/{id}/removeUsersAndGroups")
    @PUT
    public RangerRole removeUsersAndGroups(Long roleId, List<String> users, List<String> groups) {
        /*
         * Removes the named users and groups from role {roleId} and persists it. Only a logged-in
         * Ranger admin may call this. For each name, only the first matching member is removed
         * (the original broke out of its scan after one hit); names that are not members are
         * ignored. Null lists are not handled and fail inside the debug log / loop as before.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> removeUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ")");
        }
        RangerRole updated;
        try {
            ensureAdminAccess(null, null);
            RangerRole role = getRole(roleId);
            for (String userName : users) {
                dropFirstMemberNamed(role.getUsers(), userName);
            }
            for (String groupName : groups) {
                dropFirstMemberNamed(role.getGroups(), groupName);
            }
            updated = this.roleStore.updateRole(role, false);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("removeUsersAndGroups() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== removeUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ")");
        }
        return updated;
    }

    /** Removes the first member whose name equals {@code name} (null-safe compare), if any. */
    private static void dropFirstMemberNamed(List<RangerRole.RoleMember> members, String name) {
        Iterator<RangerRole.RoleMember> it = members.iterator();
        while (it.hasNext()) {
            if (StringUtils.equals(it.next().getName(), name)) {
                it.remove();
                return;
            }
        }
    }

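    @Path("/roles/{id}/removeAdminFromUsersAndGroups")
    @PUT
    public RangerRole removeAdminFromUsersAndGroups(Long roleId, List<String> users, List<String> groups) {
        /*
         * Clears the admin flag of the named user and group members of role {roleId} (every
         * matching member, not just the first) and persists it. Membership itself is untouched;
         * unknown names are ignored. Only a logged-in Ranger admin may call this.
         *
         * Fixes over the original: null lists are treated as empty instead of throwing NPE, and
         * the exit trace was logged with the entry marker "==>" -- it now uses "<==".
         */
        List<String> userNames = users != null ? users : new ArrayList<String>();
        List<String> groupNames = groups != null ? groups : new ArrayList<String>();
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> removeAdminFromUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(userNames.toArray()) + ", groups=" + Arrays.toString(groupNames.toArray()) + ")");
        }
        RangerRole updated;
        try {
            ensureAdminAccess(null, null);
            RangerRole role = getRole(roleId);
            clearAdminFlag(role.getUsers(), userNames);
            clearAdminFlag(role.getGroups(), groupNames);
            updated = this.roleStore.updateRole(role, false);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("removeAdminFromUsersAndGroups() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== removeAdminFromUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(userNames.toArray()) + ", groups=" + Arrays.toString(groupNames.toArray()) + "):" + updated);
        }
        return updated;
    }

    /** Sets isAdmin=false on every member of {@code members} whose name is in {@code names}. */
    private static void clearAdminFlag(List<RangerRole.RoleMember> members, List<String> names) {
        if (members == null) {
            return;
        }
        for (RangerRole.RoleMember member : members) {
            if (member.getIsAdmin() && names.contains(member.getName())) {
                member.setIsAdmin(false);
            }
        }
    }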

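    @Path("/roles/grant/{serviceName}")
    @Consumes({"application/json", "application/xml"})
    @Produces({"application/json", "application/xml"})
    @PUT
    public RESTResponse grantRole(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest grantRequest, @Context HttpServletRequest request) {
        /*
         * Plugin-facing GRANT ROLE: adds the request's users/groups/roles to each target role,
         * with the request's grantOption as the admin flag, and returns status 0 on success.
         *
         * Authorization is per target role via getRoleIfAccessible(): the logged-in user must be
         * the grantor, or a Ranger admin / service admin / plugin service user of serviceName
         * acting for the grantor; the grantor must then be a Ranger admin or an admin member of the
         * target role. NOTE(review): grantorGroups come from the request body and, when non-empty,
         * are trusted for that role-admin check in place of a server-side lookup -- only the first
         * gate (who may act for the grantor) stops an ordinary user from asserting arbitrary groups.
         *
         * Fixes over the original: the grantor's group set is resolved once rather than once per
         * target role, and the exit trace used the entry marker "==>" and labelled the roles list
         * as "groups="; it now says "<==" and "roles=" like revokeRole().
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RoleREST.grantRole(" + serviceName + ", " + grantRequest + ")");
        }
        RESTResponse ret = new RESTResponse();
        try {
            validateUsersGroupsAndRoles(grantRequest);
            String grantor = grantRequest.getGrantor();
            Set<String> grantorGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups())
                    ? grantRequest.getGrantorGroups()
                    : this.userMgr.getGroupsForUser(grantor);
            for (String targetRole : grantRequest.getTargetRoles()) {
                RangerRole role = getRoleIfAccessible(targetRole, serviceName, grantor, grantorGroups);
                if (role == null) {
                    throw this.restErrorUtil.createRESTException("User doesn't have permissions to grant role " + targetRole);
                }
                // For an admin grantor and a missing role this is an empty RangerRole (name null);
                // the helper below decides what happens then -- not visible here.
                role.setUpdatedBy(grantor);
                addUsersGroupsAndRoles(role, grantRequest.getUsers(), grantRequest.getGroups(), grantRequest.getRoles(), grantRequest.getGrantOption());
            }
            ret.setStatusCode(0);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("grantRole() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== grantRole(serviceName=" + serviceName + ", users=" + Arrays.toString(grantRequest.getUsers().toArray()) + ", roles=" + Arrays.toString(grantRequest.getRoles().toArray()) + ", isAdmin=" + grantRequest.getGrantOption() + ")");
        }
        return ret;
    }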

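    @Path("/roles/revoke/{serviceName}")
    @Consumes({"application/json", "application/xml"})
    @Produces({"application/json", "application/xml"})
    @PUT
    public RESTResponse revokeRole(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest revokeRequest, @Context HttpServletRequest request) {
        /*
         * Plugin-facing REVOKE ROLE. With grantOption true only the admin flag is removed from the
         * named users/groups/roles of each target role; otherwise the members themselves are
         * removed. Returns status 0 on success.
         *
         * Authorization mirrors grantRole(): getRoleIfAccessible() per target role, with the
         * request-supplied grantorGroups trusted for the role-admin check when non-empty.
         *
         * Fixes over the original: a null grantOption is treated as false (plain revoke) rather
         * than throwing NPE into an opaque 400, the grantor's groups are resolved once, and the
         * exit trace now uses the "<==" marker.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RoleREST.revokeRole(" + serviceName + ", " + revokeRequest + ")");
        }
        RESTResponse ret = new RESTResponse();
        try {
            validateUsersGroupsAndRoles(revokeRequest);
            String grantor = revokeRequest.getGrantor();
            boolean adminOnly = Boolean.TRUE.equals(revokeRequest.getGrantOption());
            Set<String> grantorGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups())
                    ? revokeRequest.getGrantorGroups()
                    : this.userMgr.getGroupsForUser(grantor);
            for (String targetRole : revokeRequest.getTargetRoles()) {
                RangerRole role = getRoleIfAccessible(targetRole, serviceName, grantor, grantorGroups);
                if (role == null) {
                    throw this.restErrorUtil.createRESTException("User doesn't have permissions to revoke role " + targetRole);
                }
                role.setUpdatedBy(grantor);
                if (adminOnly) {
                    removeAdminFromUsersGroupsAndRoles(role, revokeRequest.getUsers(), revokeRequest.getGroups(), revokeRequest.getRoles());
                } else {
                    removeUsersGroupsAndRoles(role, revokeRequest.getUsers(), revokeRequest.getGroups(), revokeRequest.getRoles());
                }
            }
            ret.setStatusCode(0);
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("revokeRole() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== revokeRole(serviceName=" + serviceName + ", users=" + Arrays.toString(revokeRequest.getUsers().toArray()) + ", roles=" + Arrays.toString(revokeRequest.getRoles().toArray()) + ", isAdmin=" + revokeRequest.getGrantOption() + ")");
        }
        return ret;
    }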

    @GET
    @Produces({"application/json", "application/xml"})
    @Path("/roles/user/{user}")
    public List<String> getUserRoles(@PathParam("user") String userName, @Context HttpServletRequest request) {
        /*
         * Returns the de-duplicated names of the roles {user} belongs to (directly or via groups,
         * as decided by roleStore.getRoleNames), plus whatever getRoleMemberNames() contributes for
         * each of those roles (presumably nested role names -- that helper is not visible here).
         *
         * NOTE(review): there is no authorization check in this method, so any authenticated
         * caller can enumerate the role membership of any user name -- confirm that is intended.
         */
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getUserRoles()");
        }
        Set<String> roleNames = new HashSet<String>();
        try {
            for (RangerRole role : this.roleStore.getRoleNames(userName, this.userMgr.getGroupsForUser(userName))) {
                roleNames.add(role.getName());
                HashSet<String> related = new HashSet<String>();
                getRoleMemberNames(related, role);
                roleNames.addAll(related);
            }
        } catch (WebApplicationException wae) {
            throw wae;
        } catch (Throwable t) {
            LOG.error("getUserRoles() failed", t);
            throw this.restErrorUtil.createRESTException(t.getMessage());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getUserRoles():" + roleNames);
        }
        return new ArrayList<String>(roleNames);
    }

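    @GET
    @Produces({"application/json", "application/xml"})
    @Path("/download/{serviceName}")
    public RangerRoles getRangerRolesIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownRoleVersion") Long lastKnownRoleVersion, @QueryParam("lastActivationTime") @DefaultValue("0") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @QueryParam("clusterName") @DefaultValue("") String clusterName, @QueryParam("pluginCapabilities") @DefaultValue("") String pluginCapabilities, @Context HttpServletRequest request) throws Exception {
        /*
         * Plugin download of the roles for a service, on the non-secure path.
         *
         * The only gate is bizUtil.failUnauthenticatedIfNotAllowed() -- i.e. unauthenticated
         * access is permitted when the deployment allows it -- followed by
         * serviceUtil.isValidService(). Unlike the /secure/ variant there is no per-user
         * permission check. Returns the roles when they changed since lastKnownRoleVersion,
         * 304 when not, and the failure status otherwise; every outcome is recorded via
         * assetMgr.createPluginInfo() before the response is produced.
         *
         * Fixes over the original: (1) the version parameters are defaulted up front, so an
         * invalid service plus a missing lastKnownRoleVersion no longer NPEs in createPluginInfo
         * instead of returning the intended 400; (2) WebApplicationException is caught before
         * Exception -- the original order left that branch unreachable, so its status was always
         * collapsed into 400; (3) a WebApplicationException with a null entity falls back to the
         * exception message instead of throwing NPE out of the catch block.
         */
        if (lastKnownRoleVersion == null) {
            lastKnownRoleVersion = -1L;
        }
        if (lastActivationTime == null) {
            lastActivationTime = 0L;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RoleREST.getRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")");
        }
        RangerRoles ret = null;
        boolean isValid = false;
        int httpCode = 200;
        Long downloadedVersion = null;
        String logMsg = null;
        try {
            this.bizUtil.failUnauthenticatedIfNotAllowed();
            isValid = this.serviceUtil.isValidService(serviceName, request);
        } catch (WebApplicationException wae) {
            httpCode = wae.getResponse().getStatus();
            Object entity = wae.getResponse().getEntity();
            logMsg = entity != null ? entity.toString() : wae.getMessage();
        } catch (Exception e) {
            httpCode = 400;
            logMsg = e.getMessage();
        }
        if (isValid) {
            try {
                RangerRoles roles = this.roleStore.getRoles(serviceName, lastKnownRoleVersion);
                if (roles == null) {
                    downloadedVersion = lastKnownRoleVersion;
                    httpCode = 304;
                    logMsg = "No change since last update";
                } else {
                    downloadedVersion = roles.getRoleVersion();
                    roles.setServiceName(serviceName);
                    ret = roles;
                    httpCode = 200;
                    logMsg = "Returning RangerRoles =>" + ret.toString();
                }
            } catch (Throwable t) {
                LOG.error("getRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ") failed", t);
                httpCode = 400;
                logMsg = t.getMessage();
            }
        }
        // The literal 2 is the entity-type code the original passed; presumably "roles" in
        // RangerPluginInfo -- TODO confirm and use the named constant.
        this.assetMgr.createPluginInfo(serviceName, pluginId, request, 2, downloadedVersion, lastKnownRoleVersion.longValue(), lastActivationTime.longValue(), httpCode, clusterName, pluginCapabilities);
        if (httpCode != 200) {
            // 304 is not an error for the plugin, so it is not logged as one.
            throw this.restErrorUtil.createRESTException(httpCode, logMsg, httpCode != 304);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RoleREST.getRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")" + ret);
        }
        return ret;
    }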

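    @GET
    @Produces({"application/json", "application/xml"})
    @Path("/secure/download/{serviceName}")
    public RangerRoles getSecureRangerRolesIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownRoleVersion") Long lastKnownRoleVersion, @QueryParam("lastActivationTime") @DefaultValue("0") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @QueryParam("clusterName") @DefaultValue("") String clusterName, @QueryParam("pluginCapabilities") @DefaultValue("") String pluginCapabilities, @Context HttpServletRequest request) throws Exception {
        /*
         * Authenticated plugin download of the roles for a service.
         *
         * After serviceUtil.isValidService(), the caller must be allowed to download for this
         * service: for a KMS service (service-def impl class RangerServiceKMS) a key admin, for any
         * other service a Ranger admin, or in either case a user listed in the service's
         * "policy.download.auth.users" config (bizUtil.isUserAllowed). A denied caller gets 401
         * (kept from the original; 403 would be the more accurate status, but plugins may depend
         * on it). Returns roles / 304 / error exactly like getRangerRolesIfUpdated(), and records
         * the outcome via assetMgr.createPluginInfo().
         *
         * Fixes over the original: (1) version parameters are defaulted up front so an invalid
         * service plus a missing lastKnownRoleVersion cannot NPE in createPluginInfo; (2) the
         * catch order around isValidService() is WebApplicationException first -- the original
         * order made that branch unreachable; (3) a WebApplicationException raised inside the
         * lookup (notably the 404 for a missing service) keeps its status instead of being
         * flattened to 400 by the Throwable handler; (4) a missing service-def row is reported
         * explicitly instead of as an NPE; (5) the entry trace logged lastKnownRoleVersion twice.
         */
        if (lastKnownRoleVersion == null) {
            lastKnownRoleVersion = -1L;
        }
        if (lastActivationTime == null) {
            lastActivationTime = 0L;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RoleREST.getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")");
        }
        RangerRoles ret = null;
        int httpCode = 200;
        String logMsg = null;
        boolean isAdmin = this.bizUtil.isAdmin();
        boolean isKeyAdmin = this.bizUtil.isKeyAdmin();
        Long downloadedVersion = null;
        request.setAttribute("downloadPolicy", "secure");
        boolean isValid = false;
        try {
            isValid = this.serviceUtil.isValidService(serviceName, request);
        } catch (WebApplicationException wae) {
            httpCode = wae.getResponse().getStatus();
            Object entity = wae.getResponse().getEntity();
            logMsg = entity != null ? entity.toString() : wae.getMessage();
        } catch (Exception e) {
            httpCode = 400;
            logMsg = e.getMessage();
        }
        if (isValid) {
            try {
                XXService xService = this.daoManager.getXXService().findByName(serviceName);
                if (xService == null) {
                    LOG.error("Requested Service not found. serviceName=" + serviceName);
                    throw this.restErrorUtil.createRESTException(404, "Service:" + serviceName + " not found", false);
                }
                XXServiceDef xServiceDef = this.daoManager.getXXServiceDef().getById(xService.getType());
                if (xServiceDef == null) {
                    LOG.error("Service-def not found for service. serviceName=" + serviceName + ", serviceDefId=" + xService.getType());
                    throw this.restErrorUtil.createRESTException(404, "Service-def for service:" + serviceName + " not found", false);
                }
                RangerService service = this.svcStore.getServiceByName(serviceName);
                boolean isKmsService = org.apache.commons.lang.StringUtils.equals(xServiceDef.getImplclassname(), "org.apache.ranger.services.kms.RangerServiceKMS");
                // KMS services are owned by key admins, everything else by Ranger admins; the
                // per-service download user list is an additional allow in both cases.
                boolean allowed = (isKmsService ? isKeyAdmin : isAdmin) || this.bizUtil.isUserAllowed(service, POLICY_DOWNLOAD_USERS);
                if (allowed) {
                    RangerRoles roles = this.roleStore.getRoles(serviceName, lastKnownRoleVersion);
                    if (roles == null) {
                        downloadedVersion = lastKnownRoleVersion;
                        httpCode = 304;
                        logMsg = "No change since last update";
                    } else {
                        downloadedVersion = roles.getRoleVersion();
                        roles.setServiceName(serviceName);
                        ret = roles;
                        httpCode = 200;
                        logMsg = "Returning RangerRoles =>" + ret.toString();
                    }
                } else {
                    LOG.error("getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ") failed as User doesn't have permission to UserGroupRoles");
                    httpCode = 401;
                    logMsg = "User doesn't have permission to download UserGroupRoles";
                }
            } catch (WebApplicationException wae) {
                httpCode = wae.getResponse().getStatus();
                Object entity = wae.getResponse().getEntity();
                logMsg = entity != null ? entity.toString() : wae.getMessage();
            } catch (Throwable t) {
                LOG.error("getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ") failed", t);
                httpCode = 400;
                logMsg = t.getMessage();
            }
        }
        // The literal 2 is the entity-type code the original passed; presumably "roles" in
        // RangerPluginInfo -- TODO confirm and use the named constant.
        this.assetMgr.createPluginInfo(serviceName, pluginId, request, 2, downloadedVersion, lastKnownRoleVersion.longValue(), lastActivationTime.longValue(), httpCode, clusterName, pluginCapabilities);
        if (httpCode != 200) {
            // 304 is not an error for the plugin, so it is not logged as one.
            throw this.restErrorUtil.createRESTException(httpCode, logMsg, httpCode != 304);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RoleREST.getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")" + ret);
        }
        return ret;
    }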

    private void ensureAdminAccess(String serviceName, String execUser) throws Exception {
        /*
         * Admin gate with optional delegation, used by the mutating endpoints.
         *
         * The "effective user" is the logged-in user when execUser is absent or equal to it.
         * Otherwise the logged-in user must be a Ranger admin, a service admin of serviceName, or
         * the plugin service user of that service type (userIsSrvAdmOrSrvUser) -- these may act on
         * behalf of execUser, who becomes the effective user. In every case the effective user
         * must be a Ranger admin, or an Exception is thrown.
         *
         * NOTE(review): execUser is client-supplied on the endpoints that pass it, so a service
         * admin / service user can perform admin-only role operations by naming any Ranger admin
         * as execUser. That is the delegation model this class relies on for plugins; keep it in
         * mind when handing out service-admin rights.
         */
        UserSessionBase session = ContextUtil.getCurrentUserSession();
        String loginId = session == null ? null : session.getLoginId();
        String effectiveUser;
        if (StringUtil.equals(execUser, loginId)) {
            effectiveUser = loginId;
        } else {
            boolean mayDelegate = this.bizUtil.isUserRangerAdmin(loginId) || userIsSrvAdmOrSrvUser(serviceName, loginId);
            if (!mayDelegate) {
                throw new Exception("User does not have permission for this operation");
            }
            effectiveUser = execUser == null ? loginId : execUser;
        }
        if (!this.bizUtil.isUserRangerAdmin(effectiveUser)) {
            throw new Exception("User " + effectiveUser + " does not have permission for this operation");
        }
    }

    private RangerRole getRoleIfAccessible(String roleName, String serviceName, String execUser, Set<String> execUserGroups) {
        /*
         * Fetches roleName if the effective user may see/operate on it, else returns null.
         *
         * Effective user resolution is the same as ensureAdminAccess(): the logged-in user, or
         * execUser when the logged-in user is a Ranger admin / service admin / plugin service user
         * of serviceName. The effective user then needs to be a Ranger admin or pass
         * ensureRoleAccess() (admin member of the role directly or via execUserGroups).
         *
         * If anything in the lookup/check throws (e.g. the role does not exist), a Ranger admin
         * gets an empty RangerRole (name == null) so callers can distinguish "missing" from
         * "denied"; anyone else gets null. Callers supply execUserGroups -- for the grant/revoke
         * endpoints that set may come straight from the request body.
         */
        UserSessionBase session = ContextUtil.getCurrentUserSession();
        String loginId = session == null ? null : session.getLoginId();
        String effectiveUser;
        if (StringUtil.equals(execUser, loginId)) {
            effectiveUser = loginId;
        } else {
            boolean mayDelegate = this.bizUtil.isUserRangerAdmin(loginId) || userIsSrvAdmOrSrvUser(serviceName, loginId);
            if (!mayDelegate) {
                LOG.error("User does not have permission for this operation");
                return null;
            }
            effectiveUser = execUser == null ? loginId : execUser;
        }
        try {
            RangerRole role = this.roleStore.getRole(roleName);
            boolean allowed = this.bizUtil.isUserRangerAdmin(effectiveUser) || ensureRoleAccess(effectiveUser, execUserGroups, role);
            if (!allowed) {
                LOG.error("User does not have permission for this operation");
                return null;
            }
            return role;
        } catch (Exception e) {
            return this.bizUtil.isUserRangerAdmin(effectiveUser) ? new RangerRole() : null;
        }
    }

    private boolean userIsSrvAdmOrSrvUser(String serviceName, String userName) {
        /*
         * True when userName is a service admin of serviceName (svcStore.isServiceAdminUser) or is
         * the configured plugin service user for that service's type, read from the
         * "ranger.plugins.<type>.serviceuser" property. False for an empty serviceName, for an
         * unknown service, and -- after logging -- when either lookup throws.
         */
        if (StringUtil.isEmpty(serviceName)) {
            return false;
        }
        boolean matched = false;
        try {
            matched = this.svcStore.isServiceAdminUser(serviceName, userName);
            if (!matched) {
                RangerService service = this.svcStore.getServiceByName(serviceName);
                if (service != null) {
                    String pluginServiceUser = PropertiesUtil.getProperty("ranger.plugins." + service.getType() + ".serviceuser");
                    matched = StringUtil.equals(pluginServiceUser, userName);
                }
            }
        } catch (Exception e) {
            LOG.error(e.getMessage());
        }
        return matched;
    }

    private boolean containsInvalidMember(List<RangerRole.RoleMember> list) {
        // True if any member carries one of the reserved placeholder names in INVALID_USERS
        // (the static block below registers "{USER}" and "{OWNER}").
        for (RangerRole.RoleMember member : list) {
            String memberName = member.getName();
            for (Iterator<String> reserved = INVALID_USERS.iterator(); reserved.hasNext(); ) {
                if (StringUtils.equals(memberName, reserved.next())) {
                    return true;
                }
            }
        }
        return false;
    }

    private boolean containsInvalidUser(List<String> list) {
        // A null or empty list names nobody reserved; otherwise check for any overlap with INVALID_USERS.
        if (CollectionUtils.isEmpty(list)) {
            return false;
        }
        return CollectionUtils.containsAny(list, INVALID_USERS);
    }

    private boolean ensureRoleAccess(String str, Set<String> set, RangerRole rangerRole) throws Exception {
        // Decides whether user `str` (member of groups `set`) may administer `rangerRole`.
        // Access is granted by the first of:
        //   1. a direct user entry equal to RoleMember(str, isAdmin=true);
        //   2. an admin group entry whose name is in `set`;
        //   3. an admin nested role (transitively collected by getRoleMembers) that lists
        //      `str` among its users, or shares a group with `set`.
        // Propagates any exception from the role store.
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> ensureRoleAccess(" + str + ", " + rangerRole + ")");
        }
        String roleName = rangerRole.getName();
        String grantedVia = null;

        // 1. Direct membership. The probe is built with isAdmin=true; whether a non-admin entry
        //    for the same user also matches depends on RangerRole.RoleMember.equals, not visible here.
        List<RangerRole.RoleMember> directUsers = rangerRole.getUsers();
        RangerRole.RoleMember probe = new RangerRole.RoleMember(str, true);
        if (!CollectionUtils.isEmpty(directUsers) && directUsers.contains(probe)) {
            grantedVia = "user " + str;
        }

        // 2. Admin group membership.
        if (grantedVia == null && !CollectionUtils.isEmpty(set)) {
            for (RangerRole.RoleMember group : rangerRole.getGroups()) {
                if (group.getIsAdmin() && set.contains(group.getName())) {
                    grantedVia = "group " + group.getName();
                    break;
                }
            }
        }

        // 3. Admin nested roles: user listed directly in the nested role, or a group overlap.
        if (grantedVia == null) {
            Set<RangerRole.RoleMember> nestedRoles = new HashSet<RangerRole.RoleMember>();
            getRoleMembers(nestedRoles, rangerRole);
            for (RangerRole.RoleMember nested : nestedRoles) {
                if (!nested.getIsAdmin()) {
                    continue;
                }
                RangerRole resolved = this.roleStore.getRole(nested.getName());
                boolean viaUser = getUserNames(resolved).contains(str);
                if (viaUser
                        || (!CollectionUtils.isEmpty(set) && !CollectionUtils.intersection(set, getGroupNames(resolved)).isEmpty())) {
                    grantedVia = "role " + nested.getName();
                    break;
                }
            }
        }

        if (grantedVia == null) {
            return false;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> ensureRoleAccess(): " + grantedVia + " has permission for role " + roleName);
        }
        return true;
    }

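    private RangerRole addUsersGroupsAndRoles(RangerRole rangerRole, Set<String> set, Set<String> set2, Set<String> set3, Boolean bool) {
        // Grants membership of `rangerRole` to the users in `set`, the groups in `set2` and the
        // roles in `set3`, then persists it through roleStore.updateRole.
        //   bool - Boolean.TRUE makes the grantees role admins (existing members are promoted);
        //          FALSE or null grants plain membership.
        // Existing members are kept. That includes an existing member named in the request with
        // bool != TRUE: the original dropped such an entry and never re-added it, so a plain grant
        // silently revoked membership. Demotion belongs to removeAdminFromUsersGroupsAndRoles.
        // Throws a REST exception (via restErrorUtil) on any failure, including a grant that would
        // make the role a member of itself, directly or transitively.
        boolean grantAdmin = Boolean.TRUE.equals(bool);  // reference comparison with Boolean.TRUE replaced; null -> false
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> addUsersGroupsAndRoles(name=" + rangerRole.getName() + ", users=" + set + ", groups=" + set2 + ", roles=" + set3 + ", isAdmin=" + bool + ")");
        }
        try {
            rejectCyclicRoleGrant(rangerRole, set3);
            rangerRole.setUsers(mergeGrant(rangerRole.getUsers(), set, grantAdmin));
            rangerRole.setGroups(mergeGrant(rangerRole.getGroups(), set2, grantAdmin));
            rangerRole.setRoles(mergeGrant(rangerRole.getRoles(), set3, grantAdmin));
            RangerRole updateRole = this.roleStore.updateRole(rangerRole, false);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== addUsersGroupsAndRoles(name=" + updateRole.getName() + ", users=" + set + ", groups=" + set2 + ", roles=" + set3 + ", isAdmin=" + bool + ")");
            }
            return updateRole;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("addUsersGroupsAndRoles() failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    // Throws when a role in `grantedRoles` is `target` itself, or already has `target` among its
    // transitive member roles: granting it would create a membership cycle.
    private void rejectCyclicRoleGrant(RangerRole target, Set<String> grantedRoles) throws Exception {
        String targetName = target.getName();
        for (String grantedRole : grantedRoles) {
            if (StringUtils.equals(grantedRole, targetName)) {
                // The original only inspected the granted role's members, so granting a role to
                // itself was accepted and every later traversal of that role recursed forever.
                throw new Exception("Invalid role grant");
            }
            Set<String> transitiveMembers = new HashSet<String>();
            getRoleMemberNames(transitiveMembers, this.roleStore.getRole(grantedRole));
            if (LOG.isDebugEnabled()) {
                LOG.debug("Role members for " + grantedRole + " = " + transitiveMembers);
            }
            if (transitiveMembers.contains(targetName)) {
                throw new Exception("Invalid role grant");
            }
        }
    }

    // Member list after granting `requested`: existing entries are kept (promoted to admin when
    // grantAdmin and named), names not yet present are added with isAdmin = grantAdmin.
    private List<RangerRole.RoleMember> mergeGrant(List<RangerRole.RoleMember> existing, Set<String> requested, boolean grantAdmin) {
        Set<RangerRole.RoleMember> merged = new HashSet<RangerRole.RoleMember>();
        Set<String> existingNames = new HashSet<String>();
        for (RangerRole.RoleMember member : existing) {
            existingNames.add(member.getName());
            if (grantAdmin && requested.contains(member.getName())) {
                member.setIsAdmin(true);  // mutate before insertion in case RoleMember.hashCode covers the flag
            }
            merged.add(member);
        }
        for (String name : requested) {
            if (!existingNames.contains(name)) {
                merged.add(new RangerRole.RoleMember(name, grantAdmin));
            }
        }
        return new ArrayList<RangerRole.RoleMember>(merged);
    }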

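    private RangerRole removeUsersGroupsAndRoles(RangerRole rangerRole, Set<String> set, Set<String> set2, Set<String> set3) {
        // Revokes membership of `rangerRole` from the users in `set`, the groups in `set2` and the
        // roles in `set3`, then persists it through roleStore.updateRole.
        // Throws a REST exception (via restErrorUtil) on any failure.
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> removeUsersGroupsAndRoles(name=" + rangerRole.getName() + ", users=" + set + ", groups=" + set2 + ", roles=" + set3 + ")");
        }
        try {
            removeMembersNamed(rangerRole.getUsers(), set);
            removeMembersNamed(rangerRole.getGroups(), set2);
            removeMembersNamed(rangerRole.getRoles(), set3);
            RangerRole updateRole = this.roleStore.updateRole(rangerRole, false);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== removeUsersGroupsAndRoles(name=" + updateRole.getName() + ", users=" + set + ", groups=" + set2 + ", roles=" + set3 + ")");
            }
            return updateRole;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("removeUsersGroupsAndRoles() failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    // Removes every member of `members` whose name is in `names`. The original stopped at the
    // first match per name, so a second entry for the same name (e.g. an admin and a non-admin
    // entry) survived a revoke; a revoke must leave no entry behind.
    private void removeMembersNamed(List<RangerRole.RoleMember> members, Set<String> names) {
        if (members == null || CollectionUtils.isEmpty(names)) {
            return;
        }
        Iterator<RangerRole.RoleMember> it = members.iterator();
        while (it.hasNext()) {
            if (names.contains(it.next().getName())) {
                it.remove();
            }
        }
    }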

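    private RangerRole removeAdminFromUsersGroupsAndRoles(RangerRole rangerRole, Set<String> set, Set<String> set2, Set<String> set3) {
        // Clears the admin flag on the users in `set`, the groups in `set2` and the roles in `set3`
        // without removing their membership, then persists the role through roleStore.updateRole.
        // Throws a REST exception (via restErrorUtil) on any failure.
        if (LOG.isDebugEnabled()) {
            // The original logged the whole RangerRole object as "name="; log the name like the sibling methods.
            LOG.debug("==> removeAdminFromUsersGroupsAndRoles(name=" + rangerRole.getName() + ", users=" + set + ", groups=" + set2 + ", roles=" + set3 + ")");
        }
        try {
            clearAdminFlag(rangerRole.getUsers(), set);
            clearAdminFlag(rangerRole.getGroups(), set2);
            clearAdminFlag(rangerRole.getRoles(), set3);
            RangerRole updateRole = this.roleStore.updateRole(rangerRole, false);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== removeAdminFromUsersGroupsAndRoles(name=" + updateRole.getName() + ", users=" + set + ", groups=" + set2 + ", roles=" + set3 + ")");
            }
            return updateRole;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("removeAdminFromUsersGroupsAndRoles() failed", th);
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    // Demotes every admin member of `members` whose name is in `names`; other entries are untouched.
    private void clearAdminFlag(List<RangerRole.RoleMember> members, Set<String> names) {
        if (members == null || CollectionUtils.isEmpty(names)) {
            return;
        }
        for (RangerRole.RoleMember member : members) {
            if (member.getIsAdmin() && names.contains(member.getName())) {
                member.setIsAdmin(false);
            }
        }
    }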

    private Set<String> getUserNames(RangerRole rangerRole) {
        // Names of every user member of the role; the admin flag is ignored.
        Set<String> names = new HashSet<String>();
        for (RangerRole.RoleMember member : rangerRole.getUsers()) {
            names.add(member.getName());
        }
        return names;
    }

    private Set<String> getGroupNames(RangerRole rangerRole) {
        // Names of every group member of the role; the admin flag is ignored.
        Set<String> names = new HashSet<String>();
        for (RangerRole.RoleMember member : rangerRole.getGroups()) {
            names.add(member.getName());
        }
        return names;
    }

    private Set<String> getRoleNames(RangerRole rangerRole) {
        // Names of the role's direct member roles (not transitive); the admin flag is ignored.
        Set<String> names = new HashSet<String>();
        for (RangerRole.RoleMember member : rangerRole.getRoles()) {
            names.add(member.getName());
        }
        return names;
    }

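    private void getRoleMemberNames(Set<String> set, RangerRole rangerRole) throws Exception {
        // Collects into `set` the names of every role reachable through rangerRole's member roles,
        // loading each nested role from the store. Recursion follows only names not already in `set`:
        // the original recursed unconditionally, so a membership cycle already in the store
        // (A -> B -> A) overflowed the stack. The collected set is unchanged for acyclic graphs.
        for (RangerRole.RoleMember member : rangerRole.getRoles()) {
            if (set.add(member.getName())) {
                getRoleMemberNames(set, this.roleStore.getRole(member.getName()));
            }
        }
    }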

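    private void getRoleMembers(Set<RangerRole.RoleMember> set, RangerRole rangerRole) throws Exception {
        // Collects into `set` every RoleMember reachable through rangerRole's member roles,
        // loading each nested role from the store. Recursion follows only entries not already in
        // `set`: the original recursed unconditionally and overflowed the stack on a membership
        // cycle. If RoleMember.equals also compares the admin flag, a role can still be visited
        // once per flag value, which stays finite. The collected set is unchanged for acyclic graphs.
        for (RangerRole.RoleMember member : rangerRole.getRoles()) {
            if (set.add(member)) {
                getRoleMembers(set, this.roleStore.getRole(member.getName()));
            }
        }
    }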

    private void validateUsersGroupsAndRoles(GrantRevokeRoleRequest grantRevokeRoleRequest) {
        // Rejects a null request and one that names no grantee at all. Afterwards the users,
        // groups and roles collections on the request are all non-null (missing ones are replaced
        // by empty sets) so callers can iterate them without null checks.
        if (grantRevokeRoleRequest == null) {
            throw this.restErrorUtil.createRESTException("Invalid grant/revoke role request");
        }
        boolean noUsers = CollectionUtils.isEmpty(grantRevokeRoleRequest.getUsers());
        boolean noGroups = CollectionUtils.isEmpty(grantRevokeRoleRequest.getGroups());
        boolean noRoles = CollectionUtils.isEmpty(grantRevokeRoleRequest.getRoles());
        if (noUsers && noGroups && noRoles) {
            throw this.restErrorUtil.createRESTException("Grantee users/groups/roles list is empty");
        }
        if (grantRevokeRoleRequest.getUsers() == null) {
            grantRevokeRoleRequest.setUsers(new HashSet<String>());
        }
        if (grantRevokeRoleRequest.getGroups() == null) {
            grantRevokeRoleRequest.setGroups(new HashSet<String>());
        }
        if (grantRevokeRoleRequest.getRoles() == null) {
            grantRevokeRoleRequest.setRoles(new HashSet<String>());
        }
    }

    static {
        // Placeholder principals that may never be granted role membership; checked by
        // containsInvalidMember and containsInvalidUser.
        INVALID_USERS.addAll(Arrays.asList("{USER}", "{OWNER}"));
    }
}
