package com.juicefs.security.ranger;

import com.juicefs.JuiceFileSystemImpl;
import com.juicefs.security.ranger.PermissionChecker;
import com.juicefs.shaded.com.google.common.collect.Sets;
import com.juicefs.shaded.org.apache.commons.lang.StringUtils;
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/juicefs/security/ranger/RangerPermissionChecker.class */
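public class RangerPermissionChecker implements PermissionChecker {
    private static final Logger LOG = LoggerFactory.getLogger(RangerPermissionChecker.class);
    public static final String KEY_FILENAME = "FILENAME";
    public static final String KEY_BASE_FILENAME = "BASE_FILENAME";
    public static final String DEFAULT_FILENAME_EXTENSION_SEPARATOR = ".";
    public static final String KEY_RESOURCE_PATH = "path";
    public static final String RANGER_FILENAME_EXTENSION_SEPARATOR_PROP = "ranger.plugin.hdfs.filename.extension.separator";
    /** Context key under which the full set of Ranger access types for one FsAction is attached to each request. */
    private static final String CONTEXT_KEY_ACCESS_TYPES = "ACCESSTYPES";
    private RangerBasePlugin rangerPlugin;
    private String fileNameExtensionSeparator;
    /** Maps each HDFS {@link FsAction} onto the Ranger access-type names that must all be granted for it. */
    private final Map<FsAction, Set<String>> access2ActionListMapper = new HashMap<>();
    private final JuiceFileSystemImpl superFs;
    private final UserGroupInformation ugi;

    /**
     * Creates a checker backed by a Ranger plugin for the given file system and caller identity.
     *
     * @param juiceFileSystemImpl file system used to look up the inode, parent and ancestor of checked paths
     * @param userGroupInformation identity whose user name and groups are submitted to Ranger
     */
    public RangerPermissionChecker(JuiceFileSystemImpl juiceFileSystemImpl, UserGroupInformation userGroupInformation) {
        this.superFs = juiceFileSystemImpl;
        this.ugi = userGroupInformation;
        // FsAction.NONE maps to an empty set, which makes isAccessAllowed() return NOT_DETERMINED
        // (no request is ever sent) rather than ALLOW.
        this.access2ActionListMapper.put(FsAction.NONE, new HashSet<>());
        this.access2ActionListMapper.put(FsAction.ALL, Sets.newHashSet(RangerHadoopConstants.READ_ACCCESS_TYPE, RangerHadoopConstants.WRITE_ACCCESS_TYPE, RangerHadoopConstants.EXECUTE_ACCCESS_TYPE));
        this.access2ActionListMapper.put(FsAction.READ, Sets.newHashSet(RangerHadoopConstants.READ_ACCCESS_TYPE));
        this.access2ActionListMapper.put(FsAction.READ_WRITE, Sets.newHashSet(RangerHadoopConstants.READ_ACCCESS_TYPE, RangerHadoopConstants.WRITE_ACCCESS_TYPE));
        this.access2ActionListMapper.put(FsAction.READ_EXECUTE, Sets.newHashSet(RangerHadoopConstants.READ_ACCCESS_TYPE, RangerHadoopConstants.EXECUTE_ACCCESS_TYPE));
        this.access2ActionListMapper.put(FsAction.WRITE, Sets.newHashSet(RangerHadoopConstants.WRITE_ACCCESS_TYPE));
        this.access2ActionListMapper.put(FsAction.WRITE_EXECUTE, Sets.newHashSet(RangerHadoopConstants.WRITE_ACCCESS_TYPE, RangerHadoopConstants.EXECUTE_ACCCESS_TYPE));
        this.access2ActionListMapper.put(FsAction.EXECUTE, Sets.newHashSet(RangerHadoopConstants.EXECUTE_ACCCESS_TYPE));
        // The second argument is passed as "security disabled" when Hadoop security is off;
        // what the plugin does with that flag is not visible here.
        this.rangerPlugin = new RangerJfsPluginV210(juiceFileSystemImpl, !UserGroupInformation.isSecurityEnabled());
        this.rangerPlugin.init();
        if (this.rangerPlugin instanceof RangerExtra) {
            this.fileNameExtensionSeparator = ((RangerExtra) this.rangerPlugin).getFileNameExtensionSeparator();
        }
    }

    /**
     * Checks {@code fsAction} on the inode itself, plus EXECUTE (traversal) on its parent.
     *
     * @throws AccessControlException if any of the checks is denied
     */
    @Override // com.juicefs.security.ranger.PermissionChecker
    public PermissionChecker.AuthzStatus checkPathAccess(Path path, FsAction fsAction, String str) throws IOException {
        return checkRangerPermission(path, false, null, FsAction.EXECUTE, fsAction, str);
    }

    /**
     * Checks {@code fsAction} on the parent of {@code path} only.
     *
     * @throws AccessControlException if the check is denied
     */
    @Override // com.juicefs.security.ranger.PermissionChecker
    public PermissionChecker.AuthzStatus checkParentAccess(Path path, FsAction fsAction, String str) throws IOException {
        return checkRangerPermission(path, false, null, fsAction, null, str);
    }

    /**
     * Checks {@code fsAction} on the nearest existing ancestor of {@code path} only.
     *
     * @throws AccessControlException if the check is denied
     */
    @Override // com.juicefs.security.ranger.PermissionChecker
    public PermissionChecker.AuthzStatus checkAncestorAccess(Path path, FsAction fsAction, String str) throws IOException {
        return checkRangerPermission(path, false, fsAction, null, null, str);
    }

    /**
     * Checks that the caller owns the inode at {@code path}; no Ranger policy is consulted for this.
     *
     * @throws AccessControlException if the caller is not the owner
     */
    @Override // com.juicefs.security.ranger.PermissionChecker
    public PermissionChecker.AuthzStatus checkOwner(Path path, String str) throws IOException {
        return checkRangerPermission(path, true, null, null, null, str);
    }

    /**
     * Evaluates the requested accesses in order — sticky-bit rule, ancestor, parent, inode, ownership —
     * and stops at the first one that is not ALLOW.
     *
     * <p>Any argument that is {@code null} (or whose corresponding file status is missing) skips that
     * stage. A result of NOT_DETERMINED is returned to the caller unchanged; only DENY is turned into
     * an exception.
     *
     * @param path       path being accessed
     * @param z          when true, additionally require that the caller owns the inode
     * @param fsAction   access required on the nearest existing ancestor, or {@code null}
     * @param fsAction2  access required on the parent, or {@code null}
     * @param fsAction3  access required on the inode itself, or {@code null}
     * @param str        operation name forwarded to Ranger for auditing
     * @return ALLOW or NOT_DETERMINED
     * @throws AccessControlException if any stage evaluates to DENY
     * @throws IOException            if the file statuses cannot be looked up
     */
    public PermissionChecker.AuthzStatus checkRangerPermission(Path path, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, String str) throws IOException {
        PermissionChecker.AuthzStatus authzStatus = PermissionChecker.AuthzStatus.ALLOW;
        AuthzContext authzContext = new AuthzContext(this.ugi, str);
        FileStatusInPath fileStatusInPath = SecurityUtil.getFileStatusInPath(this.superFs, path);
        // The status the last evaluated stage ran against; used only for the denial message.
        FileStatus fileStatus = null;
        if (this.rangerPlugin != null) {
            FileStatus ancestor = fileStatusInPath.getAncestor();
            FileStatus parent = fileStatusInPath.getParent();
            FileStatus inode = fileStatusInPath.getInode();
            // Sticky-bit rule: writing into a sticky directory requires owning either the directory
            // or the entry being written. This is decided locally, without consulting Ranger.
            if (fsAction2 != null && fsAction2.implies(FsAction.WRITE) && parent != null && inode != null && parent.getPermission().getStickyBit()) {
                fileStatus = inode;
                boolean ownsParentOrEntry = StringUtils.equals(parent.getOwner(), authzContext.user)
                        || StringUtils.equals(inode.getOwner(), authzContext.user);
                authzStatus = ownsParentOrEntry ? PermissionChecker.AuthzStatus.ALLOW : PermissionChecker.AuthzStatus.DENY;
            }
            if (authzStatus == PermissionChecker.AuthzStatus.ALLOW && fsAction != null && ancestor != null) {
                fileStatus = ancestor;
                authzStatus = isAccessAllowed(fileStatus, fsAction, authzContext);
            }
            if (authzStatus == PermissionChecker.AuthzStatus.ALLOW && fsAction2 != null && parent != null) {
                fileStatus = parent;
                authzStatus = isAccessAllowed(fileStatus, fsAction2, authzContext);
                // Plain traversal of the parent with no matching policy is not treated as a gap:
                // an undetermined EXECUTE on the parent is promoted to ALLOW so that the inode
                // stage below still runs. Any other undetermined action is returned as-is.
                if (authzStatus == PermissionChecker.AuthzStatus.NOT_DETERMINED && fsAction2 == FsAction.EXECUTE) {
                    authzStatus = PermissionChecker.AuthzStatus.ALLOW;
                }
            }
            if (authzStatus == PermissionChecker.AuthzStatus.ALLOW && fsAction3 != null && inode != null) {
                fileStatus = inode;
                authzStatus = isAccessAllowed(fileStatus, fsAction3, authzContext);
            }
            if (authzStatus == PermissionChecker.AuthzStatus.ALLOW && z) {
                fileStatus = inode;
                // NOTE(review): when the inode does not exist, the owner compared here is null, so a
                // null caller user name would be treated as the owner — confirm the caller never
                // reaches this stage with a missing inode or an unresolved user.
                String owner = fileStatus != null ? fileStatus.getOwner() : null;
                authzStatus = Objects.equals(authzContext.user, owner) ? PermissionChecker.AuthzStatus.ALLOW : PermissionChecker.AuthzStatus.DENY;
            }
        }
        if (authzStatus != PermissionChecker.AuthzStatus.DENY) {
            return authzStatus;
        }
        // fileStatus is null when the owner stage denied a path whose inode does not exist;
        // fall back to the requested path instead of dereferencing it.
        String deniedPath = fileStatus != null ? toPath(fileStatus.getPath()) : toPath(path);
        throw new AccessControlException("Permission denied: user=" + authzContext.user + ", access=" + deniedAction(fsAction, fsAction2, fsAction3) + ", path=\"" + deniedPath + "\"");
    }

    /**
     * Picks the access to report in a denial message: the inode action if requested, else the parent
     * action, else the ancestor action, else EXECUTE (the implicit traversal requirement).
     */
    private static FsAction deniedAction(FsAction ancestorAccess, FsAction parentAccess, FsAction access) {
        if (access != null) {
            return access;
        }
        if (parentAccess != null) {
            return parentAccess;
        }
        return ancestorAccess != null ? ancestorAccess : FsAction.EXECUTE;
    }

    /** Returns the plain path component of a Hadoop path, without scheme or authority. */
    private String toPath(Path path) {
        return path.toUri().getPath();
    }

    /**
     * Asks Ranger for every access type mapped to {@code fsAction} on {@code fileStatus}.
     *
     * <p>Evaluation is fail-closed: if the plugin reports itself unavailable the result is DENY. A
     * single denied access type yields DENY immediately; any access type with no determining policy
     * makes the overall result NOT_DETERMINED; only when every access type is explicitly allowed is
     * the result ALLOW. An unmapped {@code fsAction} is logged and evaluated as NONE (no access
     * types), which yields NOT_DETERMINED.
     *
     * @param fileStatus   the inode the access applies to
     * @param fsAction     requested HDFS action
     * @param authzContext caller identity and operation name sent with every request
     * @return ALLOW, DENY or NOT_DETERMINED
     */
    private PermissionChecker.AuthzStatus isAccessAllowed(FileStatus fileStatus, FsAction fsAction, AuthzContext authzContext) {
        if ((this.rangerPlugin instanceof RangerExtra) && !((RangerExtra) this.rangerPlugin).isAvailable()) {
            return PermissionChecker.AuthzStatus.DENY;
        }
        String owner = fileStatus.getOwner();
        String path = toPath(fileStatus.getPath());
        Set<String> accessTypes = this.access2ActionListMapper.get(fsAction);
        if (accessTypes == null) {
            LOG.warn("RangerAccessControlEnforcer.isAccessAllowed({}, {}, {}): no Ranger accessType found for {}", path, fsAction, authzContext.user, fsAction);
            accessTypes = this.access2ActionListMapper.get(FsAction.NONE);
        }
        PermissionChecker.AuthzStatus authzStatus = null;
        for (String accessType : accessTypes) {
            RangerJfsAccessRequest request = new RangerJfsAccessRequest(fileStatus, path, owner, fsAction, accessType, authzContext.operationName, authzContext.user, authzContext.userGroups, this.fileNameExtensionSeparator);
            request.getContext().put(CONTEXT_KEY_ACCESS_TYPES, accessTypes);
            RangerAccessResult result = this.rangerPlugin.isAccessAllowed(request, (RangerAccessResultProcessor) null);
            if (result == null || !result.getIsAccessDetermined()) {
                authzStatus = PermissionChecker.AuthzStatus.NOT_DETERMINED;
            } else if (!result.getIsAllowed()) {
                // One explicit deny decides the whole action.
                authzStatus = PermissionChecker.AuthzStatus.DENY;
                break;
            } else if (authzStatus != PermissionChecker.AuthzStatus.NOT_DETERMINED) {
                // An earlier undetermined access type must not be overwritten by a later allow.
                authzStatus = PermissionChecker.AuthzStatus.ALLOW;
            }
        }
        // No access types at all (FsAction.NONE or an unmapped action): nothing was granted.
        return authzStatus != null ? authzStatus : PermissionChecker.AuthzStatus.NOT_DETERMINED;
    }

    /** Releases the Ranger plugin (policy refresher, audit handlers) if one was created. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.rangerPlugin != null) {
            this.rangerPlugin.cleanup();
        }
    }
}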
