package com.juicefs.security.ranger;

import com.juicefs.JuiceFileSystemImpl;
import java.io.FileNotFoundException;
import java.io.IOException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.RangerServiceNotFoundException;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.apache.ranger.plugin.util.ServiceTags;

/* loaded from: input_file:com/juicefs/security/ranger/RangerAdminRefresherV2.class */
public class RangerAdminRefresherV2 extends RangerAdminRefresher {
    private static final Log LOG = LogFactory.getLog(RangerAdminRefresherV2.class);

    public RangerAdminRefresherV2(RangerBasePlugin rangerBasePlugin, RangerAdminClient rangerAdminClient, JuiceFileSystemImpl juiceFileSystemImpl, boolean z) {
        super(rangerBasePlugin, rangerAdminClient, juiceFileSystemImpl, z);
    }

    @Override // com.juicefs.security.ranger.RangerAdminRefresher
    public void loadRangerItem(boolean z) {
        ServicePolicies servicePolicies = null;
        ServiceTags serviceTags = null;
        RangerRoles rangerRoles = null;
        boolean z2 = false;
        ServicePolicies servicePolicies2 = null;
        ServiceTags serviceTags2 = null;
        RangerRoles rangerRoles2 = null;
        try {
            byte[] loadFromJfs = loadFromJfs(this.ruleName);
            if (loadFromJfs != null) {
                RangerRulesV2 rangerRulesV2 = (RangerRulesV2) this.gson.fromJson(new String(loadFromJfs), RangerRulesV2.class);
                servicePolicies2 = rangerRulesV2.getPolicies();
                serviceTags2 = rangerRulesV2.getTags();
                rangerRoles2 = rangerRulesV2.getRoles();
            }
        } catch (FileNotFoundException e) {
            LOG.warn("ranger rules not exist in juicefs");
            z2 = true;
        } catch (Exception e2) {
            LOG.warn("load rules from juicefs failed", e2);
            z2 = true;
        }
        if (z2) {
            this.lastKnownPolicyVersion = -1L;
            this.lastKnownTagVersion = -1L;
            this.lastKnownRoleVersion = -1L;
        } else {
            if (this.plugIn instanceof RangerExtra) {
                ((RangerExtra) this.plugIn).setAvailable(true);
            }
            if (servicePolicies2 != null) {
                long longValue = servicePolicies2.getPolicyVersion() == null ? -1L : servicePolicies2.getPolicyVersion().longValue();
                if (this.lastKnownPolicyVersion != longValue) {
                    servicePolicies = servicePolicies2;
                    this.lastKnownPolicyVersion = longValue;
                }
            }
            if (serviceTags2 != null) {
                long longValue2 = serviceTags2.getTagVersion() == null ? -1L : serviceTags2.getTagVersion().longValue();
                if (this.lastKnownTagVersion != longValue2) {
                    serviceTags = serviceTags2;
                    this.lastKnownTagVersion = longValue2;
                }
            }
            if (rangerRoles2 != null) {
                long longValue3 = rangerRoles2.getRoleVersion() == null ? -1L : rangerRoles2.getRoleVersion().longValue();
                if (this.lastKnownRoleVersion != longValue3) {
                    rangerRoles = rangerRoles2;
                    this.lastKnownRoleVersion = longValue3;
                }
            }
        }
        if (!z) {
            if (z2) {
                LOG.error("please use kerberos credential to download ranger policy");
                return;
            } else {
                updateRules(servicePolicies, serviceTags, rangerRoles);
                return;
            }
        }
        boolean z3 = false;
        try {
            z3 = this.fs.shouldSaveRangerRules(this.ruleName, this.pollingIntervalMs);
        } catch (IOException e3) {
            LOG.warn(e3);
        }
        if (z3 || z2) {
            try {
                ServicePolicies servicePoliciesIfUpdated = this.rangerAdmin.getServicePoliciesIfUpdated(this.lastKnownPolicyVersion, this.lastPolicyActivationTimeInMillis);
                ServiceTags serviceTagsIfUpdated = this.rangerAdmin.getServiceTagsIfUpdated(this.lastKnownTagVersion, this.lastTagActivationTimeInMillis);
                RangerRoles rolesIfUpdated = this.rangerAdmin.getRolesIfUpdated(this.lastKnownRoleVersion, this.lastRoleActivationTimeInMillis);
                if (this.plugIn instanceof RangerExtra) {
                    ((RangerExtra) this.plugIn).setAvailable(true);
                }
                if (servicePoliciesIfUpdated != null) {
                    servicePolicies = servicePoliciesIfUpdated;
                }
                if (serviceTagsIfUpdated != null) {
                    serviceTags = serviceTagsIfUpdated;
                }
                if (rolesIfUpdated != null) {
                    rangerRoles = rolesIfUpdated;
                }
                if (z3) {
                    boolean z4 = (servicePoliciesIfUpdated == null && serviceTagsIfUpdated == null && rolesIfUpdated == null) ? false : true;
                    ServicePolicies servicePolicies3 = servicePoliciesIfUpdated != null ? servicePoliciesIfUpdated : servicePolicies2;
                    replaceTagEnricher(servicePolicies3);
                    RangerRulesV2 rangerRulesV22 = new RangerRulesV2(servicePolicies3, serviceTagsIfUpdated != null ? serviceTagsIfUpdated : serviceTags2, rolesIfUpdated != null ? rolesIfUpdated : rangerRoles2);
                    if (z4) {
                        try {
                            this.fs.saveRangerRules(this.ruleName, this.gson.toJson(rangerRulesV22).getBytes());
                        } catch (IOException e4) {
                            LOG.warn("save rules to juicefs failed", e4);
                        }
                    }
                }
            } catch (RangerServiceNotFoundException e5) {
                LOG.warn("failed to find service. Will clean up local cache of policies (" + this.lastKnownPolicyVersion + ")", e5);
                disableRuleCache(this.ruleName);
            } catch (Exception e6) {
                if (z2) {
                    if (this.plugIn instanceof RangerExtra) {
                        ((RangerExtra) this.plugIn).setAvailable(false);
                    }
                    LOG.warn("load ranger policy from juicefs and ranger both failed, deny all access", e6);
                }
                LOG.warn("load ranger policy failed", e6);
            }
        }
        updateRules(servicePolicies, serviceTags, rangerRoles);
    }

    private void updateRules(ServicePolicies servicePolicies, ServiceTags serviceTags, RangerRoles rangerRoles) {
        RangerTagEnricher enricher;
        if (servicePolicies != null) {
            this.plugIn.setPolicies(servicePolicies);
            this.lastKnownPolicyVersion = servicePolicies.getPolicyVersion() == null ? -1L : servicePolicies.getPolicyVersion().longValue();
            this.lastPolicyActivationTimeInMillis = System.currentTimeMillis();
        }
        if (serviceTags != null) {
            if ((this.plugIn instanceof RangerExtra) && (enricher = ((RangerExtra) this.plugIn).getEnricher()) != null) {
                enricher.setServiceTags(serviceTags);
            }
            this.lastKnownTagVersion = serviceTags.getTagVersion() == null ? -1L : serviceTags.getTagVersion().longValue();
            this.lastTagActivationTimeInMillis = System.currentTimeMillis();
        }
        if (rangerRoles != null) {
            this.plugIn.setRoles(rangerRoles);
            this.lastKnownRoleVersion = rangerRoles.getRoleVersion() == null ? -1L : rangerRoles.getRoleVersion().longValue();
            this.lastRoleActivationTimeInMillis = System.currentTimeMillis();
        }
    }

    protected void disableRuleCache(String str) {
        RangerTagEnricher enricher;
        try {
            this.fs.deleteRangerRules(str);
            this.plugIn.setPolicies(null);
            if ((this.plugIn instanceof RangerExtra) && (enricher = ((RangerExtra) this.plugIn).getEnricher()) != null) {
                enricher.setServiceTags(null);
            }
            this.plugIn.setRoles(null);
            this.lastKnownPolicyVersion = -1L;
            this.lastKnownTagVersion = -1L;
            this.lastKnownRoleVersion = -1L;
        } catch (IOException e) {
            LOG.warn("delete cache failed", e);
        }
    }
}
