package org.apache.ranger.authorization.hbase;

import com.google.common.base.MoreObjects;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.util.Date;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

/* loaded from: input_file:org/apache/ranger/authorization/hbase/AuthorizationSession.class */
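/**
 * Collects the parameters of one HBase access check, builds the Ranger access request from them,
 * asks the authorizer for a decision and publishes the outcome (audit events plus an
 * {@link AccessDeniedException} on denial).
 *
 * <p>Typical call order, as enforced by the state checks in this class:
 * fluent setters, then {@link #buildRequest()}, then {@link #authorize()}, then
 * {@link #publishResults()}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A missing policy result is treated as "not allowed" (fail closed), except that a
 *       super-user is always deemed authorized, see {@link #isAuthorized()}.</li>
 *   <li>The fluent setters only assign fields. Only {@link #buildRequest()} discards a previously
 *       built request and result, so callers that reuse a session must rebuild before trusting
 *       {@link #isAuthorized()}.</li>
 *   <li>No synchronization is performed here; the class holds mutable per-request state.</li>
 * </ul>
 *
 * <p>Decompiler note: JADX reported that the fluent setters, {@code buildRequest},
 * {@code authorize}, {@code logCapturedEvents}, {@code publishResults}, {@code isAuthorized} and
 * {@code getDenialReason} were package-private in the compiled class and were widened to public.
 */
public class AuthorizationSession {
    private static final Log LOG = LogFactory.getLog(AuthorizationSession.class.getName());

    /** Shared template for every "cannot build request" failure; the text is logged and thrown. */
    private static final String INCOMPLETE_STATE_FORMAT =
            "Internal error: Incomplete/inconsisten state: [%s]. Can't build auth request!";

    // Authorizer that takes the access decision in authorize().
    final RangerBasePlugin _authorizer;
    // Name of the HBase operation that triggered the check; sent as the request's action.
    String _operation;
    // Free-form request data; for namespace operations it is used to build the table resource value.
    String _otherInformation;
    // Access type being requested; mandatory for buildRequest().
    String _access;
    String _table;
    String _column;
    String _columnFamily;
    // Sent to the authorizer as the client IP address.
    String _remoteAddress;
    User _user;
    Set<String> _groups;
    // Both are reset by buildRequest(); _result is only set by authorize().
    RangerAccessRequest _request;
    RangerAccessResult _result;
    final HbaseFactory _factory = HbaseFactory.getInstance();
    final HbaseUserUtils _userUtils = this._factory.getUserUtils();
    final HbaseAuthUtils _authUtils = this._factory.getAuthUtils();
    HbaseAuditHandler _auditHandler = null;
    // When true, isAuthorized() overrides a denial from the authorizer.
    boolean _superUser = false;
    private RangerAccessRequest.ResourceMatchingScope _resourceMatchingScope = RangerAccessRequest.ResourceMatchingScope.SELF;

    /**
     * Creates a session bound to the given authorizer.
     *
     * @param rangerBasePlugin plugin whose {@code isAccessAllowed} is called by {@link #authorize()}
     */
    public AuthorizationSession(RangerBasePlugin rangerBasePlugin) {
        this._authorizer = rangerBasePlugin;
    }

    /**
     * Sets the operation name that is sent as the request's action.
     *
     * @param str operation name
     * @return this session, for chaining
     */
    public AuthorizationSession operation(String str) {
        this._operation = str;
        return this;
    }

    /**
     * Sets the additional request data; for namespace operations this value also determines the
     * table resource, see {@link #buildRequest()}.
     *
     * @param str additional information
     * @return this session, for chaining
     */
    public AuthorizationSession otherInformation(String str) {
        this._otherInformation = str;
        return this;
    }

    /**
     * Sets the address that is reported to the authorizer as the client IP address.
     *
     * @param str remote address
     * @return this session, for chaining
     */
    public AuthorizationSession remoteAddress(String str) {
        this._remoteAddress = str;
        return this;
    }

    /**
     * Sets the access type to be checked. It must be non-empty before {@link #buildRequest()}.
     *
     * @param str access type
     * @return this session, for chaining
     */
    public AuthorizationSession access(String str) {
        this._access = str;
        return this;
    }

    /**
     * Sets the user to authorize and derives the group set and the super-user flag from it.
     *
     * <p>Groups come from the user utilities; when that yields nothing and the user has a UGI,
     * the UGI group names are used instead. A {@code null} user clears the groups and the
     * super-user flag, so that a flag computed for a previous identity can never authorize a
     * session that no longer has a user.
     *
     * @param user user to authorize, may be {@code null} (a warning is logged)
     * @return this session, for chaining
     */
    public AuthorizationSession user(User user) {
        this._user = user;
        if (user == null) {
            LOG.warn("AuthorizationSession.user: user is null!");
            this._groups = null;
            // Fail closed: isAuthorized() honours _superUser even without a policy result.
            this._superUser = false;
            return this;
        }
        Set<String> groups = this._userUtils.getUserGroups(user);
        if ((groups == null || groups.isEmpty()) && user.getUGI() != null) {
            String[] ugiGroups = user.getUGI().getGroupNames();
            if (ugiGroups != null) {
                groups = Sets.newHashSet(ugiGroups);
            }
        }
        this._groups = groups;
        this._superUser = this._userUtils.isSuperUser(user);
        return this;
    }

    /**
     * Sets the table of the resource being accessed.
     *
     * @param str table name
     * @return this session, for chaining
     */
    public AuthorizationSession table(String str) {
        this._table = str;
        return this;
    }

    /**
     * Sets the column family; a table must also be provided before {@link #buildRequest()}.
     *
     * @param str column family name
     * @return this session, for chaining
     */
    public AuthorizationSession columnFamily(String str) {
        this._columnFamily = str;
        return this;
    }

    /**
     * Sets the column; a column family must also be provided before {@link #buildRequest()}.
     *
     * @param str column name
     * @return this session, for chaining
     */
    public AuthorizationSession column(String str) {
        this._column = str;
        return this;
    }

    /**
     * Checks that the collected state is sufficient and consistent enough to build a request.
     *
     * @throws IllegalStateException if the factory, access type or user is missing, if a column
     *     family is given without a table, or if a column is given without a column family
     */
    void verifyBuildable() {
        if (this._factory == null) {
            throw incompleteState("factory is null");
        }
        if (this._access == null || this._access.isEmpty()) {
            throw incompleteState("access is null");
        }
        if (this._user == null) {
            throw incompleteState("user is null");
        }
        if (isProvided(this._columnFamily) && !isProvided(this._table)) {
            throw incompleteState("Table must be provided if column-family is provided");
        }
        if (isProvided(this._column) && !isProvided(this._columnFamily)) {
            throw incompleteState("Column family must be provided if column is provided");
        }
    }

    /** Logs the incomplete-state error for the given reason and returns the exception to throw. */
    private static IllegalStateException incompleteState(String reason) {
        String message = String.format(INCOMPLETE_STATE_FORMAT, reason);
        LOG.error(message);
        return new IllegalStateException(message);
    }

    /** Discards any previously built request and any previous decision. */
    void zapAuthorizationState() {
        this._request = null;
        this._result = null;
    }

    /**
     * Tells whether a string parameter carries a value.
     *
     * @param str value to test
     * @return {@code true} if {@code str} is neither {@code null} nor empty
     */
    boolean isProvided(String str) {
        return str != null && !str.isEmpty();
    }

    /**
     * Tells whether the current operation is one of the namespace-level operations for which
     * {@link #buildRequest()} derives the table resource from the additional information.
     *
     * @return {@code true} for the namespace operations listed below; {@code false} otherwise,
     *     including when no operation is set
     */
    boolean isNameSpaceOperation() {
        String op = this._operation;
        return StringUtils.equals(op, "createNamespace")
                || StringUtils.equals(op, "deleteNamespace")
                || StringUtils.equals(op, "modifyNamespace")
                || StringUtils.equals(op, "setUserNamespaceQuota")
                || StringUtils.equals(op, "setNamespaceQuota")
                || StringUtils.equals(op, "getUserPermissionForNamespace");
    }

    /**
     * Validates the collected state, drops any earlier request and result, and builds a new
     * access request from the current fields.
     *
     * @return this session, for chaining
     * @throws IllegalStateException if {@link #verifyBuildable()} rejects the current state
     */
    public AuthorizationSession buildRequest() {
        verifyBuildable();
        zapAuthorizationState();

        RangerHBaseResource resource = new RangerHBaseResource();
        if (isNameSpaceOperation() && StringUtils.isNotBlank(this._otherInformation)) {
            // Namespace operations are matched against "<otherInformation><separator>" as the table value.
            resource.setValue(RangerHBaseResource.KEY_TABLE, this._otherInformation + RangerHBaseResource.NAMESPACE_SEPARATOR);
        } else {
            resource.setValue(RangerHBaseResource.KEY_TABLE, this._table);
        }
        resource.setValue(RangerHBaseResource.KEY_COLUMN_FAMILY, this._columnFamily);
        resource.setValue(RangerHBaseResource.KEY_COLUMN, this._column);

        String userName = this._userUtils.getUserAsString(this._user);
        RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, this._access, userName, this._groups, (Set) null);
        request.setAction(this._operation);
        request.setRequestData(this._otherInformation);
        request.setClientIPAddress(this._remoteAddress);
        request.setResourceMatchingScope(this._resourceMatchingScope);
        request.setAccessTime(new Date());
        this._request = request;

        if (LOG.isDebugEnabled()) {
            LOG.debug("Built request: " + request.toString());
        }
        return this;
    }

    /**
     * Asks the authorizer for a decision on the built request and stores the result.
     *
     * <p>For a super-user the audit handler, when present, is told about the override before the
     * authorizer is called.
     *
     * @return this session, for chaining
     * @throws IllegalStateException if {@link #buildRequest()} has not produced a request
     */
    public AuthorizationSession authorize() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> AuthorizationSession.authorize: " + getRequestMessage());
        }
        if (this._request == null) {
            throw new IllegalStateException("Invalid state transition: buildRequest() must be called before authorize().  This request would ultimately get denied.!");
        }
        if (this._auditHandler != null && this._superUser) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Setting super-user override on audit handler");
            }
            this._auditHandler.setSuperUserOverride(this._superUser);
        }
        this._result = this._authorizer.isAccessAllowed(this._request, this._auditHandler);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== AuthorizationSession.authorize: " + getLogMessage(isAuthorized(), getDenialReason()));
        }
        return this;
    }

    /** Writes every event captured by the audit handler, if a handler is set. */
    public void logCapturedEvents() {
        if (this._auditHandler != null) {
            this._auditHandler.logAuthzAudits(this._auditHandler.getCapturedEvents());
        }
    }

    /**
     * Writes the audit events for the decision and raises the denial, if any.
     *
     * <p>When the result is audited: an authorized request writes all captured events, a denied
     * request writes only the most recent event taken from the handler. The exception returned to
     * the caller names the user and the access type only; the denial reason and request details go
     * to the debug log.
     *
     * @throws AccessDeniedException if the request is not authorized
     */
    public void publishResults() throws AccessDeniedException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> AuthorizationSession.publishResults()");
        }
        boolean authorized = isAuthorized();
        if (this._auditHandler != null && isAudited()) {
            List events = null;
            if (authorized) {
                List captured = this._auditHandler.getCapturedEvents();
                if (captured != null && !captured.isEmpty()) {
                    events = captured;
                }
            } else {
                AuthzAuditEvent denial = this._auditHandler.getAndDiscardMostRecentEvent();
                if (denial != null) {
                    events = Lists.newArrayList(new AuthzAuditEvent[]{denial});
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("Writing %d messages to audit: [%s]", events == null ? 0 : events.size(), events == null ? "" : events.toString()));
            }
            this._auditHandler.logAuthzAudits(events);
        }
        if (authorized) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== AuthorizationSession.publishResults()");
            }
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== AuthorizationSession.publishResults: throwing exception: " + getLogMessage(false, getDenialReason()));
        }
        // A denial must surface as AccessDeniedException even when no user was ever set.
        String userName = this._user == null ? null : this._user.getName();
        throw new AccessDeniedException("Insufficient permissions for user '" + userName + "' (action=" + this._access + ")");
    }

    /**
     * Tells whether the decision must be audited.
     *
     * @return the result's audit flag, or {@code false} (with an error logged) when there is no result
     */
    boolean isAudited() {
        if (this._result == null) {
            // String.valueOf keeps this diagnostic usable when no request was built either.
            LOG.error(String.format("Internal error: _result was null!  Assuming no audit. Request[%s]", String.valueOf(this._request)));
            return false;
        }
        return this._result.getIsAudited();
    }

    /**
     * Tells whether the request is authorized.
     *
     * <p>A missing result counts as "not allowed". A super-user is authorized regardless of the
     * authorizer's answer, including when there is no result at all.
     *
     * @return {@code true} if the result allows the access or the user is a super-user
     */
    public boolean isAuthorized() {
        boolean allowed = false;
        if (this._result == null) {
            LOG.error("Internal error: _result was null! Returning false.");
        } else {
            allowed = this._result.getIsAllowed();
        }
        if (!allowed && this._superUser) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("User [" + this._user + "] is a superUser!  Overriding policy engine's decision.  Request is deemed authorized!");
            }
            allowed = true;
        }
        return allowed;
    }

    /**
     * Returns the reason reported by the result for a denial.
     *
     * @return the result's reason when it denies the access; an empty string when the access is
     *     allowed or when there is no result (an error is logged in the latter case)
     */
    public String getDenialReason() {
        if (this._result == null) {
            LOG.error("Internal error: _result was null!  Returning empty reason.");
            return "";
        }
        return this._result.getIsAllowed() ? "" : this._result.getReason();
    }

    /**
     * Renders the session's parameters for diagnostics.
     *
     * @return a string naming the request type followed by the collected parameters; when no
     *     request has been built the {@code RangerAccessRequest} interface name is used
     */
    String requestToString() {
        Class<?> requestType = this._request == null ? RangerAccessRequest.class : this._request.getClass();
        return MoreObjects.toStringHelper(requestType)
                .add("operation", this._operation)
                .add("otherInformation", this._otherInformation)
                .add("access", this._access)
                .add("user", this._user == null ? null : this._user.getName())
                .add("groups", this._groups)
                .add("auditHandler", this._auditHandler == null ? null : this._auditHandler.getClass().getSimpleName())
                .add(RangerHBaseResource.KEY_TABLE, this._table)
                .add(RangerHBaseResource.KEY_COLUMN, this._column)
                .add(RangerHBaseResource.KEY_COLUMN_FAMILY, this._columnFamily)
                .add("resource-matching-scope", this._resourceMatchingScope)
                .toString();
    }

    /**
     * Maps a missing value to an empty string for log output.
     *
     * @param str value to print
     * @return {@code str} when it is provided, otherwise an empty string
     */
    String getPrintableValue(String str) {
        return isProvided(str) ? str : "";
    }

    /**
     * Builds the one-line description of the request used in debug log messages.
     *
     * <p>All values are inserted verbatim. NOTE(review): if any of them can carry client-chosen
     * text, the log sink should neutralize line breaks; confirm against the callers.
     *
     * @return the formatted request description
     */
    String getRequestMessage() {
        // NOTE(review): this uses the no-argument getUserAsString(), while buildRequest() passes _user.
        // If the two can name different principals, the log line and the evaluated request disagree; confirm.
        String userName = this._userUtils.getUserAsString();
        return String.format(
                "Access[%s] by user[%s] belonging to groups[%s] to table[%s] for column-family[%s], column[%s] triggered by operation[%s], otherInformation[%s]",
                getPrintableValue(this._access),
                getPrintableValue(userName),
                this._groups,
                getPrintableValue(this._table),
                getPrintableValue(this._columnFamily),
                getPrintableValue(this._column),
                getPrintableValue(this._operation),
                getPrintableValue(this._otherInformation));
    }

    /**
     * Builds the log line that reports a decision.
     *
     * @param z whether the request was allowed
     * @param str reason to report
     * @return the request description followed by the status and the reason
     */
    String getLogMessage(boolean z, String str) {
        String status = z ? "allowed" : "denied";
        return String.format(" %s: status[%s], reason[%s]", getRequestMessage(), status, str);
    }

    /**
     * Sets the audit handler that receives the authorizer's events; without one nothing is audited
     * by this class.
     *
     * @param hbaseAuditHandler handler to use, may be {@code null}
     * @return this session, for chaining
     */
    public AuthorizationSession auditHandler(HbaseAuditHandler hbaseAuditHandler) {
        this._auditHandler = hbaseAuditHandler;
        return this;
    }

    /**
     * Sets the resource matching scope sent with the request; the default is {@code SELF}.
     *
     * @param resourceMatchingScope scope to use
     * @return this session, for chaining
     */
    public AuthorizationSession resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope resourceMatchingScope) {
        this._resourceMatchingScope = resourceMatchingScope;
        return this;
    }
}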
