package org.apache.ranger.authorization.kafka.authorizer;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.network.ListenerName;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerPerfTracer;

/* loaded from: input_file:org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.class */
public class RangerKafkaAuthorizer implements Authorizer {
    public static final String ACCESS_TYPE_ALTER_CONFIGS = "alter_configs";
    public static final String KEY_TOPIC = "topic";
    public static final String KEY_CLUSTER = "cluster";
    public static final String KEY_CONSUMER_GROUP = "consumergroup";
    public static final String KEY_TRANSACTIONALID = "transactionalid";
    public static final String KEY_DELEGATIONTOKEN = "delegationtoken";
    public static final String ACCESS_TYPE_READ = "consume";
    public static final String ACCESS_TYPE_WRITE = "publish";
    public static final String ACCESS_TYPE_CREATE = "create";
    public static final String ACCESS_TYPE_DELETE = "delete";
    public static final String ACCESS_TYPE_CONFIGURE = "configure";
    public static final String ACCESS_TYPE_DESCRIBE = "describe";
    public static final String ACCESS_TYPE_DESCRIBE_CONFIGS = "describe_configs";
    public static final String ACCESS_TYPE_CLUSTER_ACTION = "cluster_action";
    public static final String ACCESS_TYPE_IDEMPOTENT_WRITE = "idempotent_write";
    RangerKafkaAuditHandler auditHandler = null;
    private static final Log logger = LogFactory.getLog(RangerKafkaAuthorizer.class);
    private static final Log PERF_KAFKAAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("kafkaauth.request");
    private static volatile RangerBasePlugin rangerPlugin = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$acl$AclOperation;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$resource$ResourceType = new int[ResourceType.values().length];

        static {
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.TOPIC.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.CLUSTER.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.GROUP.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.TRANSACTIONAL_ID.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.DELEGATION_TOKEN.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.ANY.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.UNKNOWN.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            $SwitchMap$org$apache$kafka$common$acl$AclOperation = new int[AclOperation.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.READ.ordinal()] = 1;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.WRITE.ordinal()] = 2;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.ALTER.ordinal()] = 3;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.DESCRIBE.ordinal()] = 4;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.CLUSTER_ACTION.ordinal()] = 5;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.CREATE.ordinal()] = 6;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.DELETE.ordinal()] = 7;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.DESCRIBE_CONFIGS.ordinal()] = 8;
            } catch (NoSuchFieldError e15) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.ALTER_CONFIGS.ordinal()] = 9;
            } catch (NoSuchFieldError e16) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.IDEMPOTENT_WRITE.ordinal()] = 10;
            } catch (NoSuchFieldError e17) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.UNKNOWN.ordinal()] = 11;
            } catch (NoSuchFieldError e18) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.ANY.ordinal()] = 12;
            } catch (NoSuchFieldError e19) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.ALL.ordinal()] = 13;
            } catch (NoSuchFieldError e20) {
            }
        }
    }

    private static String mapToRangerAccessType(AclOperation aclOperation) {
        switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$acl$AclOperation[aclOperation.ordinal()]) {
            case 1:
                return ACCESS_TYPE_READ;
            case 2:
                return ACCESS_TYPE_WRITE;
            case 3:
                return ACCESS_TYPE_CONFIGURE;
            case 4:
                return "describe";
            case 5:
                return ACCESS_TYPE_CLUSTER_ACTION;
            case 6:
                return ACCESS_TYPE_CREATE;
            case 7:
                return ACCESS_TYPE_DELETE;
            case 8:
                return ACCESS_TYPE_DESCRIBE_CONFIGS;
            case 9:
                return ACCESS_TYPE_ALTER_CONFIGS;
            case 10:
                return ACCESS_TYPE_IDEMPOTENT_WRITE;
            case 11:
            case 12:
            case 13:
            default:
                return null;
        }
    }

    private static String mapToResourceType(ResourceType resourceType) {
        switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$resource$ResourceType[resourceType.ordinal()]) {
            case 1:
                return KEY_TOPIC;
            case 2:
                return KEY_CLUSTER;
            case 3:
                return KEY_CONSUMER_GROUP;
            case 4:
                return KEY_TRANSACTIONALID;
            case 5:
                return KEY_DELEGATIONTOKEN;
            case 6:
            case 7:
            default:
                return null;
        }
    }

    private static RangerAccessResourceImpl createRangerAccessResource(String str, String str2) {
        RangerAccessResourceImpl rangerAccessResourceImpl = new RangerAccessResourceImpl();
        rangerAccessResourceImpl.setValue(str, str2);
        return rangerAccessResourceImpl;
    }

    private static RangerAccessRequestImpl createRangerAccessRequest(String str, Set<String> set, String str2, Date date, String str3, String str4, String str5) {
        RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl();
        rangerAccessRequestImpl.setResource(createRangerAccessResource(str3, str4));
        rangerAccessRequestImpl.setUser(str);
        rangerAccessRequestImpl.setUserGroups(set);
        rangerAccessRequestImpl.setClientIPAddress(str2);
        rangerAccessRequestImpl.setAccessTime(date);
        rangerAccessRequestImpl.setAccessType(str5);
        rangerAccessRequestImpl.setAction(str5);
        rangerAccessRequestImpl.setRequestData(str4);
        return rangerAccessRequestImpl;
    }

    private static List<AuthorizationResult> denyAll(List<Action> list) {
        return (List) list.stream().map(action -> {
            return AuthorizationResult.DENIED;
        }).collect(Collectors.toList());
    }

    private static List<AuthorizationResult> mapResults(List<Action> list, Collection<RangerAccessResult> collection) {
        if (!CollectionUtils.isEmpty(collection)) {
            return (List) collection.stream().map(rangerAccessResult -> {
                return (rangerAccessResult == null || !rangerAccessResult.getIsAllowed()) ? AuthorizationResult.DENIED : AuthorizationResult.ALLOWED;
            }).collect(Collectors.toList());
        }
        logger.error("Ranger Plugin returned null or empty. Returning Denied for all");
        return denyAll(list);
    }

    private static String toString(AuthorizableRequestContext authorizableRequestContext) {
        if (authorizableRequestContext == null) {
            return null;
        }
        return String.format("AuthorizableRequestContext{principal=%s, clientAddress=%s, clientId=%s}", authorizableRequestContext.principal(), authorizableRequestContext.clientAddress(), authorizableRequestContext.clientId());
    }

    public void close() {
        logger.info("close() called on authorizer.");
        try {
            if (rangerPlugin != null) {
                rangerPlugin.cleanup();
            }
        } catch (Throwable th) {
            logger.error("Error closing RangerPlugin.", th);
        }
    }

    public void configure(Map<String, ?> map) {
        if (rangerPlugin == null) {
            synchronized (RangerKafkaAuthorizer.class) {
                if (rangerPlugin == null) {
                    try {
                        Object obj = map.get("ranger.jaas.context");
                        MiscUtil.setUGIFromJAASConfig(JaasContext.loadServerContext(new ListenerName(((obj instanceof String) && StringUtils.isNotEmpty((String) obj)) ? (String) obj : SecurityProtocol.SASL_PLAINTEXT.name()), "GSSAPI", map).name());
                        UserGroupInformation uGILoginUser = MiscUtil.getUGILoginUser();
                        if (logger.isInfoEnabled()) {
                            logger.info("LoginUser=" + uGILoginUser);
                        }
                    } catch (Throwable th) {
                        logger.error("Error getting principal.", th);
                    }
                    rangerPlugin = new RangerBasePlugin("kafka", "kafka");
                    logger.info("Calling plugin.init()");
                    rangerPlugin.init();
                    this.auditHandler = new RangerKafkaAuditHandler();
                    rangerPlugin.setResultProcessor(this.auditHandler);
                }
            }
        }
    }

    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        return (Map) authorizerServerInfo.endpoints().stream().collect(Collectors.toMap(endpoint -> {
            return endpoint;
        }, endpoint2 -> {
            return CompletableFuture.completedFuture(null);
        }, (completableFuture, completableFuture2) -> {
            return completableFuture2;
        }));
    }

    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        if (rangerPlugin == null) {
            MiscUtil.logErrorMessageByInterval(logger, "Authorizer is still not initialized");
            return denyAll(list);
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_KAFKAAUTH_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_KAFKAAUTH_REQUEST_LOG, "RangerKafkaAuthorizer.authorize(actions=" + list + ")");
        }
        try {
            List<AuthorizationResult> wrappedAuthorization = wrappedAuthorization(authorizableRequestContext, list);
            RangerPerfTracer.log(rangerPerfTracer);
            return wrappedAuthorization;
        } catch (Throwable th) {
            RangerPerfTracer.log(rangerPerfTracer);
            throw th;
        }
    }

    private List<AuthorizationResult> wrappedAuthorization(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        if (CollectionUtils.isEmpty(list)) {
            return Collections.emptyList();
        }
        String name = authorizableRequestContext.principal() == null ? null : authorizableRequestContext.principal().getName();
        Set groupsForRequestUser = MiscUtil.getGroupsForRequestUser(name);
        String hostAddress = authorizableRequestContext.clientAddress() == null ? null : authorizableRequestContext.clientAddress().getHostAddress();
        String substring = (StringUtils.isNotEmpty(hostAddress) && hostAddress.charAt(0) == '/') ? hostAddress.substring(1) : hostAddress;
        Date date = new Date();
        ArrayList arrayList = new ArrayList();
        for (Action action : list) {
            String mapToRangerAccessType = mapToRangerAccessType(action.operation());
            if (mapToRangerAccessType == null) {
                MiscUtil.logErrorMessageByInterval(logger, "Unsupported access type, requestContext=" + toString(authorizableRequestContext) + ", actions=" + list + ", operation=" + action.operation());
                return denyAll(list);
            }
            String mapToResourceType = mapToResourceType(action.resourcePattern().resourceType());
            if (mapToResourceType == null) {
                MiscUtil.logErrorMessageByInterval(logger, "Unsupported resource type, requestContext=" + toString(authorizableRequestContext) + ", actions=" + list + ", resourceType=" + action.resourcePattern().resourceType());
                return denyAll(list);
            }
            arrayList.add(createRangerAccessRequest(name, groupsForRequestUser, substring, date, mapToResourceType, action.resourcePattern().name(), mapToRangerAccessType));
        }
        List<AuthorizationResult> mapResults = mapResults(list, callRangerPlugin(arrayList));
        if (logger.isDebugEnabled()) {
            logger.debug("rangerRequests=" + arrayList + ", return=" + mapResults);
        }
        return mapResults;
    }

    private Collection<RangerAccessResult> callRangerPlugin(List<RangerAccessRequest> list) {
        try {
            try {
                Collection<RangerAccessResult> isAccessAllowed = rangerPlugin.isAccessAllowed(list);
                this.auditHandler.flushAudit();
                return isAccessAllowed;
            } catch (Throwable th) {
                logger.error("Error while calling isAccessAllowed(). requests=" + list, th);
                this.auditHandler.flushAudit();
                return null;
            }
        } catch (Throwable th2) {
            this.auditHandler.flushAudit();
            throw th2;
        }
    }

    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        logger.error("createAcls is not supported by Ranger for Kafka");
        return (List) list.stream().map(aclBinding -> {
            CompletableFuture completableFuture = new CompletableFuture();
            completableFuture.completeExceptionally(new UnsupportedOperationException("createAcls is not supported by Ranger for Kafka"));
            return completableFuture;
        }).collect(Collectors.toList());
    }

    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        logger.error("deleteAcls is not supported by Ranger for Kafka");
        return (List) list.stream().map(aclBindingFilter -> {
            CompletableFuture completableFuture = new CompletableFuture();
            completableFuture.completeExceptionally(new UnsupportedOperationException("deleteAcls is not supported by Ranger for Kafka"));
            return completableFuture;
        }).collect(Collectors.toList());
    }

    public AuthorizationResult authorizeByResourceType(AuthorizableRequestContext authorizableRequestContext, AclOperation aclOperation, ResourceType resourceType) {
        SecurityUtils.authorizeByResourceTypeCheckArgs(aclOperation, resourceType);
        logger.debug("authorizeByResourceType call is not supported by Ranger for Kafka yet");
        return AuthorizationResult.DENIED;
    }

    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        logger.error("(getting) acls is not supported by Ranger for Kafka");
        throw new UnsupportedOperationException("(getting) acls is not supported by Ranger for Kafka");
    }
}
