package org.apache.ranger.plugin.service;

import com.juicefs.security.ranger.RangerPermissionChecker;
import com.juicefs.shaded.org.apache.commons.lang.StringUtils;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.SecureClientLogin;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
import org.apache.ranger.plugin.client.HadoopConfigHolder;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
import org.apache.ranger.plugin.util.ServiceDefUtil;

/* loaded from: input_file:org/apache/ranger/plugin/service/RangerBaseService.class */
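/**
 * Base class for Ranger service implementations. It holds the service definition, the service
 * instance and its configuration map, and builds the default policies that accompany a service.
 *
 * <p>Security note: the built-in default policies produced here grant every applicable access
 * type on the wildcard resource {@code "*"} with delegate-admin enabled (see
 * {@link #createDefaultPolicyResource(List)} and {@code createDefaultPolicyItem}). Their
 * principals are read from the admin configuration and from the service configuration map, so
 * those configuration keys deserve the same review as hand-written policies.
 *
 * <p>No synchronization is performed on the mutable fields of this class.
 */
public abstract class RangerBaseService {
    private static final Log LOG = LogFactory.getLog(RangerBaseService.class);
    protected static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
    protected static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab";
    protected static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal";
    protected static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab";
    protected static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
    protected static final String KERBEROS_TYPE = "kerberos";
    private static final String PROP_DEFAULT_POLICY_PREFIX = "default-policy.";
    private static final String PROP_DEFAULT_POLICY_NAME_SUFFIX = "name";
    protected RangerServiceDef serviceDef;
    protected RangerService service;
    protected Map<String, String> configs;
    protected String serviceName;
    protected String serviceType;
    protected final RangerAdminConfig config = RangerAdminConfig.getInstance();
    // NOTE(review): this initializer calls the overridable getLookupUser() before any subclass
    // constructor body has run, so an override must not rely on subclass state.
    protected String lookUpUser = getLookupUser(this.config.get(RANGER_AUTH_TYPE, "simple"), this.config.get(LOOKUP_PRINCIPAL), this.config.get(LOOKUP_KEYTAB));

    /**
     * Binds this instance to a service definition and a service, caching the service's
     * configuration map, name and type.
     *
     * @param rangerServiceDef definition of the service type
     * @param rangerService    the service instance; must not be {@code null}
     */
    public void init(RangerServiceDef rangerServiceDef, RangerService rangerService) {
        this.serviceDef = rangerServiceDef;
        this.service = rangerService;
        this.configs = rangerService.getConfigs();
        this.serviceName = rangerService.getName();
        this.serviceType = rangerService.getType();
    }

    /** @return the service definition supplied to {@link #init} */
    public RangerServiceDef getServiceDef() {
        return this.serviceDef;
    }

    /** @return the service supplied to {@link #init} */
    public RangerService getService() {
        return this.service;
    }

    /** @return the live (not copied) configuration map; may be {@code null} */
    public Map<String, String> getConfigs() {
        return this.configs;
    }

    /** @param map replacement configuration map, stored by reference */
    public void setConfigs(Map<String, String> map) {
        this.configs = map;
    }

    /** @return the cached service name */
    public String getServiceName() {
        return this.serviceName;
    }

    /** @param str new service name */
    public void setServiceName(String str) {
        this.serviceName = str;
    }

    /** @return the cached service type */
    public String getServiceType() {
        return this.serviceType;
    }

    /** @param str new service type */
    public void setServiceType(String str) {
        this.serviceType = str;
    }

    /** @return the admin configuration obtained from {@code RangerAdminConfig.getInstance()} */
    public RangerAdminConfig getConfig() {
        return this.config;
    }

    public abstract Map<String, Object> validateConfig() throws Exception;

    public abstract List<String> lookupResource(ResourceLookupContext resourceLookupContext) throws Exception;

    /**
     * Builds the default policies for this service.
     *
     * <p>One built-in policy is generated per resource hierarchy returned by
     * {@code filterHierarchies_containsOnlyMandatoryResources(0)}. A failure while generating
     * them is logged and does not abort the call. When the service config
     * {@code setup.additional.default.policies} parses as {@code true}, additional policies are
     * read from keys of the form {@code default-policy.<index>.name} and friends.
     *
     * <p>Only keys that end with the separator followed by {@code name} and leave room for an
     * index are accepted. A key such as {@code default-policy.name} is skipped; it used to raise
     * a {@code StringIndexOutOfBoundsException}. A {@code null} configuration map now simply
     * disables the additional policies instead of raising a {@code NullPointerException}.
     *
     * @return the generated policies, never {@code null}
     * @throws Exception if building an additional (config-defined) policy fails
     */
    public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBaseService.getDefaultRangerPolicies() ");
        }
        List<RangerPolicy> policies = new ArrayList<>();
        try {
            Iterator<List<RangerServiceDef.RangerResourceDef>> hierarchies = new RangerServiceDefHelper(this.serviceDef).filterHierarchies_containsOnlyMandatoryResources(0).iterator();
            while (hierarchies.hasNext()) {
                RangerPolicy defaultPolicy = getDefaultPolicy(hierarchies.next());
                if (defaultPolicy != null) {
                    policies.add(defaultPolicy);
                }
            }
        } catch (Exception e) {
            // Best effort: the built-in policies are optional, so log and carry on.
            LOG.error("Error getting default polcies for Service: " + this.service.getName(), e);
        }
        if (this.configs != null && Boolean.parseBoolean(this.configs.get("setup.additional.default.policies"))) {
            LOG.info(getServiceName() + ": looking for additional default policies in service-config");
            // Separator + "name"; the separator is the same constant used to build the
            // per-policy prefix below, so both sides agree on the key layout.
            String nameSuffix = RangerPermissionChecker.DEFAULT_FILENAME_EXTENSION_SEPARATOR + PROP_DEFAULT_POLICY_NAME_SUFFIX;
            int minKeyLength = PROP_DEFAULT_POLICY_PREFIX.length() + nameSuffix.length();
            // TreeSet: process the policy indexes in sorted order, without duplicates.
            Set<String> policyIndexes = new TreeSet<>();
            for (String key : this.configs.keySet()) {
                if (key != null && key.length() >= minKeyLength && key.startsWith(PROP_DEFAULT_POLICY_PREFIX) && key.endsWith(nameSuffix)) {
                    policyIndexes.add(key.substring(PROP_DEFAULT_POLICY_PREFIX.length(), key.length() - nameSuffix.length()));
                }
            }
            LOG.info(getServiceName() + ": found " + policyIndexes.size() + " additional default policies in service-config");
            for (String policyIndex : policyIndexes) {
                String policyPrefix = PROP_DEFAULT_POLICY_PREFIX + policyIndex + RangerPermissionChecker.DEFAULT_FILENAME_EXTENSION_SEPARATOR;
                Map<String, RangerPolicy.RangerPolicyResource> resourcesForPrefix = getResourcesForPrefix(policyPrefix + "resource.");
                if (MapUtils.isNotEmpty(resourcesForPrefix)) {
                    addCustomRangerDefaultPolicies(policies, resourcesForPrefix, policyPrefix);
                } else {
                    LOG.warn(getServiceName() + ": no resources specified for default policy with prefix '" + policyPrefix + "'. Ignored");
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBaseService.getDefaultRangerPolicies(): " + policies);
        }
        return policies;
    }

    /**
     * Collects the policy resources configured under a key prefix.
     *
     * <p>Every config key starting with {@code str} and holding a non-blank value becomes one
     * resource, named by the remainder of the key. The value is split on {@code ","} without
     * trimming, so {@code "a, b"} yields the values {@code "a"} and {@code " b"}.
     *
     * @param str key prefix, e.g. {@code default-policy.<index>.resource.}
     * @return resource name to resource; empty when nothing matches or configs is {@code null}
     */
    private Map<String, RangerPolicy.RangerPolicyResource> getResourcesForPrefix(String str) {
        Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
        if (this.configs == null) {
            return resources;
        }
        for (Map.Entry<String, String> entry : this.configs.entrySet()) {
            String key = entry.getKey();
            String value = entry.getValue();
            // A null key cannot carry the prefix; skip it rather than fail on startsWith.
            if (key == null || !key.startsWith(str) || !StringUtils.isNotBlank(value)) {
                continue;
            }
            RangerPolicy.RangerPolicyResource resource = new RangerPolicy.RangerPolicyResource();
            resource.setIsExcludes(false);
            resource.setIsRecursive(false);
            resource.setValues(new ArrayList<>(Arrays.asList(value.split(","))));
            resources.put(key.substring(str.length()), resource);
        }
        return resources;
    }

    /**
     * Builds one config-defined default policy and appends it to {@code list}.
     *
     * <p>Policy items are read from {@code <prefix>policyItem.<n>.*} starting at n = 1. Reading
     * stops at the first n whose {@code accessTypes} is empty or that names no user, group or
     * role. Principals, access types and the {@code isDelegateAdmin} flag are taken verbatim
     * from the service config; list values are split on {@code ","} without trimming.
     *
     * @param list target list receiving the new policy
     * @param map  resources of the policy
     * @param str  key prefix of the policy, ending with the separator
     * @throws Exception declared for callers; nothing in this method throws a checked exception
     */
    private void addCustomRangerDefaultPolicies(List<RangerPolicy> list, Map<String, RangerPolicy.RangerPolicyResource> map, String str) throws Exception {
        String policyName = this.configs.get(str + "name");
        String description = this.configs.get(str + "description");
        if (StringUtils.isEmpty(description)) {
            description = "Policy for " + policyName;
        }
        RangerPolicy rangerPolicy = new RangerPolicy();
        rangerPolicy.setName(policyName);
        rangerPolicy.setIsEnabled(true);
        rangerPolicy.setVersion(1L);
        rangerPolicy.setIsAuditEnabled(true);
        rangerPolicy.setService(this.serviceName);
        rangerPolicy.setDescription(description);
        rangerPolicy.setResources(map);
        int i = 1;
        while (true) {
            String itemPrefix = str + "policyItem." + i + RangerPermissionChecker.DEFAULT_FILENAME_EXTENSION_SEPARATOR;
            String users = this.configs.get(itemPrefix + "users");
            String groups = this.configs.get(itemPrefix + "groups");
            String roles = this.configs.get(itemPrefix + "roles");
            String accessTypes = this.configs.get(itemPrefix + "accessTypes");
            String isDelegateAdmin = this.configs.get(itemPrefix + "isDelegateAdmin");
            if (StringUtils.isEmpty(accessTypes) || (StringUtils.isEmpty(users) && StringUtils.isEmpty(groups) && StringUtils.isEmpty(roles))) {
                break;
            }
            RangerPolicy.RangerPolicyItem rangerPolicyItem = new RangerPolicy.RangerPolicyItem();
            // Anything other than "true" (case-insensitive), including a missing key, is false.
            rangerPolicyItem.setDelegateAdmin(Boolean.parseBoolean(isDelegateAdmin));
            if (StringUtils.isNotBlank(users)) {
                rangerPolicyItem.setUsers(Arrays.asList(users.split(",")));
            }
            if (StringUtils.isNotBlank(groups)) {
                rangerPolicyItem.setGroups(Arrays.asList(groups.split(",")));
            }
            if (StringUtils.isNotBlank(roles)) {
                rangerPolicyItem.setRoles(Arrays.asList(roles.split(",")));
            }
            if (StringUtils.isNotBlank(accessTypes)) {
                for (String accessType : accessTypes.split(",")) {
                    rangerPolicyItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(accessType, true));
                }
            }
            rangerPolicy.getPolicyItems().add(rangerPolicyItem);
            i++;
        }
        LOG.info(getServiceName() + ": adding default policy: name=" + rangerPolicy.getName());
        list.add(rangerPolicy);
    }

    /**
     * Builds the built-in default policy for one resource hierarchy: enabled, audited, version 1,
     * covering {@code "*"} on every resource of the hierarchy, with a single policy item.
     *
     * @param list resource definitions of the hierarchy
     * @return the new policy
     * @throws Exception if creating the resources or the policy item fails
     */
    private RangerPolicy getDefaultPolicy(List<RangerServiceDef.RangerResourceDef> list) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBaseService.getDefaultPolicy()");
        }
        RangerPolicy rangerPolicy = new RangerPolicy();
        String policyName = buildPolicyName(list);
        rangerPolicy.setIsEnabled(true);
        rangerPolicy.setVersion(1L);
        rangerPolicy.setName(policyName);
        rangerPolicy.setService(this.service.getName());
        rangerPolicy.setDescription("Policy for " + policyName);
        rangerPolicy.setIsAuditEnabled(true);
        rangerPolicy.setResources(createDefaultPolicyResource(list));
        List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<>();
        policyItems.add(createDefaultPolicyItem(rangerPolicy.getResources()));
        rangerPolicy.setPolicyItems(policyItems);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBaseService.getDefaultPolicy()" + rangerPolicy);
        }
        return rangerPolicy;
    }

    /**
     * Creates the single policy item of a built-in default policy. The item carries the default
     * users and groups, every allowed access type, and delegate-admin set to {@code true}.
     *
     * @param map resources of the policy, used to pick the applicable access types
     * @return the new policy item
     * @throws Exception declared for callers; nothing in this method throws a checked exception
     */
    private RangerPolicy.RangerPolicyItem createDefaultPolicyItem(Map<String, RangerPolicy.RangerPolicyResource> map) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBaseService.createDefaultPolicyItem()");
        }
        RangerPolicy.RangerPolicyItem rangerPolicyItem = new RangerPolicy.RangerPolicyItem();
        rangerPolicyItem.setUsers(getUserList());
        rangerPolicyItem.setGroups(getGroupList());
        rangerPolicyItem.setAccesses(getAllowedAccesses(map));
        rangerPolicyItem.setDelegateAdmin(true);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBaseService.createDefaultPolicyItem(): " + rangerPolicyItem);
        }
        return rangerPolicyItem;
    }

    /**
     * Lists the access types to grant for the given resources.
     *
     * <p>When the leaf resource definition has no access-type restrictions, every access type of
     * the service definition is returned; otherwise only the restricted ones. Each returned
     * access is marked allowed. The list is empty when no leaf resource definition is found.
     *
     * @param map resources of the policy
     * @return allowed accesses, never {@code null}
     */
    protected List<RangerPolicy.RangerPolicyItemAccess> getAllowedAccesses(Map<String, RangerPolicy.RangerPolicyResource> map) {
        List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<>();
        RangerServiceDef.RangerResourceDef leafResourceDef = ServiceDefUtil.getLeafResourceDef(this.serviceDef, map);
        if (leafResourceDef == null) {
            return accesses;
        }
        Set<String> accessTypeRestrictions = leafResourceDef.getAccessTypeRestrictions();
        for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : this.serviceDef.getAccessTypes()) {
            if (CollectionUtils.isEmpty(accessTypeRestrictions) || accessTypeRestrictions.contains(accessTypeDef.getName())) {
                RangerPolicy.RangerPolicyItemAccess access = new RangerPolicy.RangerPolicyItemAccess();
                access.setType(accessTypeDef.getName());
                access.setIsAllowed(true);
                accesses.add(access);
            }
        }
        return accesses;
    }

    /**
     * Creates one wildcard ({@code "*"}) resource per resource definition. Each resource is
     * non-excluding and recursive exactly when its definition reports recursion as supported.
     *
     * @param list resource definitions of one hierarchy
     * @return resource name to wildcard resource
     * @throws Exception declared for overriding subclasses
     */
    protected Map<String, RangerPolicy.RangerPolicyResource> createDefaultPolicyResource(List<RangerServiceDef.RangerResourceDef> list) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBaseService.createDefaultPolicyResource()");
        }
        Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
        for (RangerServiceDef.RangerResourceDef resourceDef : list) {
            RangerPolicy.RangerPolicyResource resource = new RangerPolicy.RangerPolicyResource();
            resource.setIsExcludes(false);
            resource.setIsRecursive(resourceDef.getRecursiveSupported());
            resource.setValue("*");
            resources.put(resourceDef.getName(), resource);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBaseService.createDefaultPolicyResource():" + resources);
        }
        return resources;
    }

    /**
     * Builds the policy name {@code "all - r1, r2, ..."} from the resource names, or just
     * {@code "all"} when the list is empty or {@code null}.
     */
    private String buildPolicyName(List<RangerServiceDef.RangerResourceDef> list) {
        StringBuilder sb = new StringBuilder("all");
        if (CollectionUtils.isNotEmpty(list)) {
            boolean first = true;
            for (RangerServiceDef.RangerResourceDef resourceDef : list) {
                sb.append(first ? " - " : ", ");
                sb.append(resourceDef.getName());
                first = false;
            }
        }
        return sb.toString().trim();
    }

    /**
     * Returns the de-duplicated users of the built-in default policies: the admin config
     * {@code ranger.default.policy.users}, the service's login user name when non-blank, and the
     * service config {@code default.policy.users}. The order of the result is unspecified.
     */
    private List<String> getUserList() {
        Set<String> users = new HashSet<>();
        Map<String, String> serviceConfigs = this.service.getConfigs();
        addConfiguredPrincipals(users, "ranger.default.policy.users", null, null);
        if (serviceConfigs != null) {
            String loginUser = serviceConfigs.get(HadoopConfigHolder.RANGER_LOGIN_USER_NAME_PROP);
            if (StringUtils.isNotBlank(loginUser)) {
                users.add(loginUser);
            }
            addConfiguredPrincipals(users, null, serviceConfigs, "default.policy.users");
        }
        return new ArrayList<>(users);
    }

    /**
     * Returns the de-duplicated groups of the built-in default policies: the admin config
     * {@code ranger.default.policy.groups} plus the service config {@code default.policy.groups}.
     * The order of the result is unspecified.
     */
    private List<String> getGroupList() {
        Set<String> groups = new HashSet<>();
        Map<String, String> serviceConfigs = this.service.getConfigs();
        addConfiguredPrincipals(groups, "ranger.default.policy.groups", null, null);
        if (serviceConfigs != null) {
            addConfiguredPrincipals(groups, null, serviceConfigs, "default.policy.groups");
        }
        return new ArrayList<>(groups);
    }

    /**
     * Adds principals from the admin config key {@code adminKey} (when not {@code null}) and
     * from the comma-separated service config value under {@code serviceKey} (when
     * {@code serviceConfigs} is not {@code null}) to {@code target}.
     */
    private void addConfiguredPrincipals(Set<String> target, String adminKey, Map<String, String> serviceConfigs, String serviceKey) {
        if (adminKey != null) {
            String[] adminValues = this.config.getStrings(adminKey);
            if (adminValues != null) {
                target.addAll(Arrays.asList(adminValues));
            }
        }
        if (serviceConfigs != null) {
            String csv = serviceConfigs.get(serviceKey);
            if (!StringUtils.isEmpty(csv)) {
                target.addAll(Arrays.asList(StringUtils.split(csv, ",")));
            }
        }
    }

    /**
     * Resolves the short name of the lookup principal.
     *
     * @param str  authentication type; only {@code "kerberos"} (case-insensitive) is handled
     * @param str2 Kerberos principal of the lookup user
     * @param str3 keytab of the lookup user
     * @return the principal's short name, or {@code null} when the authentication type is not
     *         Kerberos, the credential check fails, or the short name cannot be derived (the
     *         {@code IOException} is logged)
     */
    protected String getLookupUser(String str, String str2, String str3) {
        if (StringUtils.isEmpty(str) || !str.equalsIgnoreCase(KERBEROS_TYPE) || !SecureClientLogin.isKerberosCredentialExists(str2, str3)) {
            return null;
        }
        try {
            return new KerberosName(str2).getShortName();
        } catch (IOException e) {
            LOG.error("Unknown lookup user", e);
            return null;
        }
    }
}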
