package org.apache.hadoop.crypto.key;

import com.sun.jersey.api.client.ClientResponse;
import java.io.FileOutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.server.KMSConfiguration;
import org.apache.hadoop.security.SecureClientLogin;
import org.apache.log4j.Logger;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.util.RangerRESTClient;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/apache/hadoop/crypto/key/KeyTrusteeACLToRangerPolicy.class */
public class KeyTrusteeACLToRangerPolicy {
    // Property-name prefixes of the legacy ACL file. None of them is referenced in the visible
    // part of this class; presumably getACLType (outside this view) matches against them.
    private static final String HADOOP_KMS_PREFIX = "hadoop.kms.";
    private static final String HADOOP_KMS_BLACKLIST_PREFIX = "hadoop.kms.blacklist.";
    private static final String DEFAULT_KEY_PREFIX = "default.key.";
    private static final String WHITELIST_KEY_PREFIX = "whitelist.key.";
    private static final String KEY_ACL_PREFIX = "key.acl.";
    // Operation names as written in the legacy ACL property names.
    // NOTE(review): presumably the values createPermissionSet switches on; confirm there.
    private static final String KEY_ACL_MANAGEMENT = "MANAGEMENT";
    private static final String KEY_ACL_READ = "READ";
    private static final String KEY_ACL_GENERATE_EEK = "GENERATE_EEK";
    private static final String KEY_ACL_DECRYPT_EEK = "DECRYPT_EEK";
    private static final String KEY_ACL_ALL = "ALL";
    private static final String KEY_ACL_CREATE = "CREATE";
    private static final String KEY_ACL_DELETE = "DELETE";
    private static final String KEY_ACL_ROLLOVER = "ROLLOVER";
    private static final String KEY_ACL_SET_KEY_MATERIAL = "SET_KEY_MATERIAL";
    private static final String KEY_ACL_GET = "GET";
    private static final String KEY_ACL_GET_KEYS = "GET_KEYS";
    private static final String KEY_ACL_GET_METADATA = "GET_METADATA";
    // Category tags that parseAclXmlFile compares with the result of getACLType.
    private static final String SERVICE_TYPE_ACL = "serviceTypeAcl";
    private static final String POLICY_TYPE_ACL = "policyTypeAcl";
    private static final String WHITELIST_TYPE_ACL = "whiteListTypeAcl";
    private static final String BLACKLIST_TYPE_ACL = "blackListTypeAcl";
    private static final String KEY_SPECIFIC_ACL = "keySpecificAcl";
    private static final String KEY_TRUSTEE_ACL = "keyTrusteeAcl";
    // Configuration keys, fixed service identity and resource names used when talking to Ranger.
    private static final String RANGER_KMS_REST_URL = "ranger.plugin.kms.policy.rest.url";
    private static final String DEFAULT_RANGER_KMS_SERVICE_NAME = "cm_kms";
    private static final String RANGER_KMS_SERVICE_TYPE = "kms";
    private static final String DEFAULT_KEY_POLICY_RESOURCE = "*";
    private static final String RESOURCE_KEY_NAME = "keyname";
    // Placeholder key names under which whitelist / blacklist ACLs are collected; the policy
    // lookup translates both to resource "*" with policyPriority 1.
    private static final String WHITELIST_RESOURCE_KEY_NAME = "***whitelist***";
    private static final String BLACKLIST_RESOURCE_KEY_NAME = "***blacklist***";
    private static final String GLOBAL_OVERRIDE_POLICY_NAME = "Global overrides";
    private static final String AUTHENTICATION_TYPE = "hadoop.kms.authentication.type";
    private static final String KMS_USER_PRINCIPAL = "ranger.ks.kerberos.principal";
    private static final String RANGER_SERVICE_HOST = "ranger.service.host";
    private static final String KMS_USER_KEYTAB = "ranger.ks.kerberos.keytab";
    private static final String RANGER_SERVICE_HTTPS_ATTRIB_SSL_ENABLED = "ranger.service.https.attrib.ssl.enabled";
    private static final String KMS_NAME_RULES = "hadoop.security.auth_to_local";
    private static final String RANGER_KMS_SECURITY = "ranger-kms-security.xml";
    private static final String RANGER_KMS_POLICY_MGR_SSL = "ranger-kms-policymgr-ssl.xml";
    private static final String RANGER_KMS_SITE = "ranger-kms-site.xml";
    private static final String AUTH_KERBEROS = "kerberos";
    // User name that parseAclXmlFile skips (case-insensitively) when collecting ACL users.
    private static final String USER_NOBODY = "nobody";
    // Ranger Admin REST paths, relative to the URL read from RANGER_KMS_REST_URL.
    private static final String REST_POLICIES = "/service/plugins/policies";
    private static final String REST_GET_USERS = "/service/xusers/lookup/users";
    private static final String REST_GET_GROUPS = "/service/xusers/lookup/groups";
    private static final String REST_GET_KMS_SERVICE = "/service/plugins/services/name/cm_kms";
    // Locations of dbks-site.xml and kms-acls.xml inside the configuration directory.
    private final Path dbks_path;
    private final Path kms_acl_path;
    // Kerberos login parameters; all three stay null unless the authentication type is "kerberos".
    private final String principal;
    private final String keytab;
    private final String nameRules;
    private final String baseURL;
    private final RangerRESTClient restClient;
    // Names returned by the Ranger user / group lookup endpoints.
    private final List<String> existingUserList;
    private final List<String> existingGroupList;
    // Names found in kms-acls.xml that the lookup did not return; any entry aborts the migration.
    private final List<String> nonExistingUserList;
    private final List<String> nonExistingGroupList;
    // Iterated by createOrUpdatePolicies: entry key is the resource looked up in Ranger.
    private final Map<String, RangerKMSKeyUserGroupPermission> existingUserGroupkeyMap;
    // Set by parseAclXmlFile; they decide whether dbks-site.xml is rewritten and whether policies are pushed.
    private boolean isServiceWideACLPresent;
    private boolean isPolicyACLPresent;
    private static final Logger LOG = Logger.getLogger(KeyTrusteeACLToRangerPolicy.class.getName());
    // Lower-case access-type names and the unmodifiable permission sets built from them.
    // The raw HashSet constructors are kept as they appear in the decompiled source.
    private static final String ACCESS_TYPE_GET = "get";
    private static final String ACCESS_TYPE_GET_KEYS = "getkeys";
    private static final String ACCESS_TYPE_GET_METADATA = "getmetadata";
    private static final Set<String> READ_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_GET, ACCESS_TYPE_GET_KEYS, ACCESS_TYPE_GET_METADATA)));
    private static final String ACCESS_TYPE_DECRYPT_EEK = "decrypteek";
    private static final Set<String> DECRYPT_EEK_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_DECRYPT_EEK)));
    private static final String ACCESS_TYPE_GENERATE_EEK = "generateeek";
    private static final Set<String> GENERATE_EEK_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_GENERATE_EEK)));
    private static final String ACCESS_TYPE_CREATE = "create";
    private static final String ACCESS_TYPE_ROLLOVER = "rollover";
    private static final String ACCESS_TYPE_DELETE = "delete";
    // The management set covers create, rollover and delete only.
    private static final Set<String> ACL_MANAGEMENT_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_CREATE, ACCESS_TYPE_ROLLOVER, ACCESS_TYPE_DELETE)));
    private static final Set<String> CREATE_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_CREATE)));
    private static final Set<String> DELETE_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_DELETE)));
    private static final Set<String> ROLLOVER_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_ROLLOVER)));
    private static final String ACCESS_TYPE_SET_KEY_MATERIAL = "setkeymaterial";
    private static final Set<String> SET_KEY_MATERIAL_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_SET_KEY_MATERIAL)));
    private static final Set<String> GET_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_GET)));
    private static final Set<String> GET_KEYS_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_GET_KEYS)));
    private static final Set<String> GET_METADATA_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_GET_METADATA)));
    // Union of all nine access types declared above.
    private static final Set<String> ALL_PERMISSIONS = Collections.unmodifiableSet(new HashSet(Arrays.asList(ACCESS_TYPE_CREATE, ACCESS_TYPE_ROLLOVER, ACCESS_TYPE_DELETE, ACCESS_TYPE_SET_KEY_MATERIAL, ACCESS_TYPE_GET, ACCESS_TYPE_GET_KEYS, ACCESS_TYPE_GET_METADATA, ACCESS_TYPE_GENERATE_EEK, ACCESS_TYPE_DECRYPT_EEK)));

    /**
     * Command-line entry point of the ACL migration.
     *
     * <p>The first argument is the configuration directory that holds {@code dbks-site.xml} and
     * {@code kms-acls.xml}. The process exits with status 0 when {@code execute()} returns
     * normally, and with status 1 on a missing argument or any exception.
     *
     * @param strArr command-line arguments; only the first element is read
     */
    public static void main(String[] strArr) {
        try {
            if (strArr.length < 1) {
                String usage = "USAGE: java " + KeyTrusteeACLToRangerPolicy.class.getName() + " <Path for Conf Directory>";
                logErrorDetails("Invalid number of parameter found.");
                logErrorDetails(usage);
                System.exit(1);
            }
            KeyTrusteeACLToRangerPolicy migrator = new KeyTrusteeACLToRangerPolicy(strArr[0]);
            migrator.execute();
            System.exit(0);
        } catch (Exception failure) {
            // Top-level boundary: every failure ends the process with a non-zero status.
            logErrorDetails("Error : ", failure);
            System.exit(1);
        }
    }

    /**
     * Creates an instance with empty bookkeeping collections and no configuration.
     *
     * <p>Paths, Kerberos settings, base URL and the REST client are all {@code null}, so any
     * method that touches them fails on an instance built this way.
     * NOTE(review): presumably intended for tests; confirm against callers.
     */
    public KeyTrusteeACLToRangerPolicy() {
        this.dbks_path = null;
        this.kms_acl_path = null;
        this.baseURL = null;
        this.restClient = null;
        this.principal = null;
        this.keytab = null;
        this.nameRules = null;
        this.isServiceWideACLPresent = false;
        this.isPolicyACLPresent = false;
        this.existingUserGroupkeyMap = new HashMap<>();
        this.existingUserList = new ArrayList<>();
        this.existingGroupList = new ArrayList<>();
        this.nonExistingUserList = new ArrayList<>();
        this.nonExistingGroupList = new ArrayList<>();
    }

    /**
     * Builds the migrator from the Ranger KMS configuration and a configuration directory.
     *
     * <p>The DBKS configuration is extended with the KMS configuration,
     * {@code ranger-kms-security.xml} and {@code ranger-kms-site.xml}. An authentication type
     * that is set but is not {@code kerberos} terminates the process with status 1. When the
     * type is {@code kerberos}, principal, keytab and name rules are read from the configuration;
     * otherwise all three stay {@code null}.
     *
     * @param str configuration directory containing {@code dbks-site.xml} and {@code kms-acls.xml}
     * @throws Exception if the Kerberos principal cannot be resolved
     */
    private KeyTrusteeACLToRangerPolicy(String str) throws Exception {
        this.isServiceWideACLPresent = false;
        this.isPolicyACLPresent = false;
        this.existingUserGroupkeyMap = new HashMap<>();
        this.existingUserList = new ArrayList<>();
        this.existingGroupList = new ArrayList<>();
        this.nonExistingUserList = new ArrayList<>();
        this.nonExistingGroupList = new ArrayList<>();

        Configuration conf = RangerKeyStoreProvider.getDBKSConf();
        conf.addResource(KMSConfiguration.getKMSConf());
        conf.addResource(KMSConfiguration.getConfiguration(true, RANGER_KMS_SECURITY));
        conf.addResource(KMSConfiguration.getConfiguration(true, RANGER_KMS_SITE));

        this.dbks_path = Paths.get(str, "dbks-site.xml");
        this.kms_acl_path = Paths.get(str, "kms-acls.xml");
        this.baseURL = conf.get(RANGER_KMS_REST_URL);

        String authType = conf.get(AUTHENTICATION_TYPE);
        boolean sslEnabled = conf.getBoolean(RANGER_SERVICE_HTTPS_ATTRIB_SSL_ENABLED, false);
        boolean kerberosConfigured = !StringUtil.isEmpty(authType) && AUTH_KERBEROS.equals(authType);

        // An explicit non-Kerberos authentication type is fatal; an unset type falls through
        // with null credentials.
        if (!StringUtil.isEmpty(authType) && !kerberosConfigured) {
            logErrorDetails("Authentication Type : " + authType);
            logErrorDetails("It is recommended to setup Ranger and Ranger KMS in Kerberize mode");
            System.exit(1);
        }

        // NOTE(review): with the SSL flag off the client gets an empty SSL config path. This
        // client is later used to create KMS policies, so confirm that baseURL still points at a
        // TLS-protected Ranger Admin endpoint in that case.
        String sslConfigFile = sslEnabled ? Paths.get(str, RANGER_KMS_POLICY_MGR_SSL).toString() : "";
        this.restClient = new RangerRESTClient(this.baseURL, sslConfigFile, conf);

        if (kerberosConfigured) {
            try {
                this.principal = SecureClientLogin.getPrincipal(conf.get(KMS_USER_PRINCIPAL), conf.get(RANGER_SERVICE_HOST));
                this.keytab = conf.get(KMS_USER_KEYTAB);
                this.nameRules = conf.get(KMS_NAME_RULES);
            } catch (Exception cause) {
                logErrorDetails("Error while setting kerberos parameter", cause);
                throw new Exception("Error while setting kerberos parameter", cause);
            }
        } else {
            this.principal = null;
            this.keytab = null;
            this.nameRules = null;
        }
    }

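    /**
     * Logs in from the configured keytab and runs the migration as that subject.
     *
     * <p>When {@code SecureClientLogin.isKerberosCredentialExists} rejects the configured
     * principal and keytab, nothing is migrated. The original returned silently in that case,
     * so a run that did nothing looked identical to a successful one; an error is now logged.
     * NOTE(review): the caller still exits with status 0 on this path. Decide whether a skipped
     * migration should fail the process instead.
     *
     * @throws Exception if the keytab login or the migration itself fails
     */
    private void execute() throws Exception {
        if (!SecureClientLogin.isKerberosCredentialExists(this.principal, this.keytab)) {
            logErrorDetails("Kerberos credential not available for the configured principal and keytab; ACL migration was not run");
            return;
        }
        try {
            logInfoDetails("Provided Kerberos Credential : Principal = " + this.principal + " and Keytab = " + this.keytab);
            Subject subject = SecureClientLogin.loginUserFromKeytab(this.principal, this.keytab, this.nameRules);
            // An anonymous class is kept: Subject.doAs is overloaded for PrivilegedAction and
            // PrivilegedExceptionAction, and a bare lambda would be ambiguous between them.
            Subject.doAs(subject, new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    KeyTrusteeACLToRangerPolicy.logInfoDetails("Starting ACL migration using kerberos credential");
                    try {
                        KeyTrusteeACLToRangerPolicy.this.operation();
                        return null;
                    } catch (Exception e) {
                        // PrivilegedAction.run cannot throw checked exceptions, hence the wrap.
                        KeyTrusteeACLToRangerPolicy.logErrorDetails("Migration fail in kerberos mode", e);
                        throw new RuntimeException("Migration fail in kerberos mode", e);
                    }
                }
            });
        } catch (Exception e) {
            logErrorDetails("Migration fail in kerberos mode", e);
            throw new Exception("Migration fail in kerberos mode", e);
        }
    }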

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Runs the migration steps in order: check the input files, check the Ranger KMS service,
     * load the known users and groups, parse the ACL file, then apply the result.
     *
     * <p>Nothing is written when the ACL file names a user or group that the Ranger lookup did
     * not return: the missing names are reported and the process exits with status 1. Otherwise
     * {@code dbks-site.xml} is rewritten if service-wide ACLs were found, and policies are
     * created or updated if policy ACLs were found.
     *
     * @throws Exception wrapping any failure of an individual step
     */
    public void operation() throws Exception {
        try {
            validateAclConfigFilePath();
            verifyRangerKmsServiceExists();
            getLookUpUserAndGroup();
            Document updatedDbksDocument = parseAclXmlFile();
            boolean unresolvedPrincipals = !this.nonExistingUserList.isEmpty() || !this.nonExistingGroupList.isEmpty();
            if (unresolvedPrincipals) {
                // Fail closed: no partial policy set is pushed while any name is unknown to Ranger.
                messageForNonExistingUserAndGroup();
                System.exit(1);
            } else {
                if (this.isServiceWideACLPresent) {
                    writeToDBKSFile(updatedDbksDocument);
                }
                if (this.isPolicyACLPresent) {
                    createOrUpdatePolicies();
                }
            }
        } catch (Exception cause) {
            logErrorDetails("Error while migrating ACL", cause);
            throw new Exception("Error while migrating ACL", cause);
        }
    }

    /**
     * Checks that both input files exist and terminates the process with status 1 otherwise.
     * {@code dbks-site.xml} is checked first, then {@code kms-acls.xml}.
     */
    private void validateAclConfigFilePath() {
        boolean dbksPresent = this.dbks_path.toFile().exists();
        if (!dbksPresent) {
            logErrorDetails("dbks-site.xml file not found at: " + this.dbks_path);
            System.exit(1);
        }
        boolean aclPresent = this.kms_acl_path.toFile().exists();
        if (!aclPresent) {
            logErrorDetails("kms-acls.xml file not found at: " + this.kms_acl_path);
            System.exit(1);
        }
    }

    /**
     * Confirms that Ranger has a KMS service named {@code cm_kms}.
     *
     * <p>The process exits with status 1 unless the lookup returns HTTP 200 with a service whose
     * name equals {@code cm_kms}.
     *
     * @throws Exception if the REST call or the decoding of its response fails
     */
    private void verifyRangerKmsServiceExists() throws Exception {
        try {
            ClientResponse response = this.restClient.get(REST_GET_KMS_SERVICE, (Map) null);
            // The entity is decoded before the status is checked, so an undecodable body surfaces
            // as an exception rather than as the "does not exist" branch.
            RangerService service = (RangerService) response.getEntity(RangerService.class);
            boolean found = response.getStatus() == 200
                    && service != null
                    && service.getName().equals(DEFAULT_RANGER_KMS_SERVICE_NAME);
            if (!found) {
                logErrorDetails("Default Ranger KMS Service does not exist. Kindly create it with name cm_kms");
                System.exit(1);
            } else {
                logInfoDetails("Found Ranger KMS Service with name cm_kms");
            }
        } catch (Exception cause) {
            logErrorDetails("Error while getting Ranger KMS default service", cause);
            throw new Exception("Error while getting Ranger KMS default service", cause);
        }
    }

    /**
     * Loads the visible users and then the visible groups known to Ranger into
     * {@code existingUserList} and {@code existingGroupList}.
     *
     * <p>Both lookups are paged in steps of 200. Paging stops on an empty page or once the number
     * of fetched entries reaches the total count reported by the first page. A response other
     * than HTTP 200 terminates the process with status 1.
     *
     * @throws Exception if a REST call or the decoding of its response fails
     */
    private void getLookUpUserAndGroup() throws Exception {
        try {
            Map<String, String> query = new HashMap<>();
            query.put("isVisible", "1");
            query.put("pageSize", Integer.toString(200));

            long totalUsers = -1;
            long fetchedUsers = 0;
            boolean usersDone = false;
            for (int startIdx = 0; !usersDone; startIdx += 200) {
                logInfoDetails("Retrieving users from Ranger: startIdx=" + startIdx + ", pageSize=200");
                query.put("startIndex", Integer.toString(startIdx));
                ClientResponse response = this.restClient.get(REST_GET_USERS, query);
                VXStringList page = response.getEntity(VXStringList.class);
                if (response.getStatus() != 200) {
                    logErrorDetails("Failed to get User from Ranger: " + response.getStatus());
                    System.exit(1);
                } else {
                    if (totalUsers == -1) {
                        // The total is taken from the first successful page only.
                        totalUsers = page.getTotalCount();
                        logInfoDetails("Total number of users found in Ranger: " + totalUsers);
                    }
                    List<VXString> entries = page.getvXStrings();
                    if (entries.isEmpty()) {
                        usersDone = true;
                    } else {
                        for (VXString entry : entries) {
                            this.existingUserList.add(entry.getValue());
                        }
                        fetchedUsers += entries.size();
                        usersDone = fetchedUsers >= totalUsers;
                    }
                }
            }
            if (this.existingUserList.isEmpty()) {
                logInfoDetails("No users are present in Ranger.");
            }

            // Same paging scheme for groups, reusing the query map.
            query.clear();
            query.put("isVisible", "1");
            query.put("pageSize", Integer.toString(200));

            long totalGroups = -1;
            long fetchedGroups = 0;
            boolean groupsDone = false;
            for (int startIdx = 0; !groupsDone; startIdx += 200) {
                logInfoDetails("Retrieving groups from Ranger: startIdx=" + startIdx + ", pageSize=200");
                query.put("startIndex", Integer.toString(startIdx));
                ClientResponse response = this.restClient.get(REST_GET_GROUPS, query);
                VXStringList page = response.getEntity(VXStringList.class);
                if (response.getStatus() != 200) {
                    logErrorDetails("Failed to get group from Ranger: " + response.getStatus());
                    System.exit(1);
                } else {
                    if (totalGroups == -1) {
                        totalGroups = page.getTotalCount();
                        logInfoDetails("Total number of groups found in Ranger: " + totalGroups);
                    }
                    List<VXString> entries = page.getvXStrings();
                    if (entries.isEmpty()) {
                        groupsDone = true;
                    } else {
                        for (VXString entry : entries) {
                            this.existingGroupList.add(entry.getValue());
                        }
                        fetchedGroups += entries.size();
                        groupsDone = fetchedGroups >= totalGroups;
                    }
                }
            }
            if (this.existingGroupList.isEmpty()) {
                logInfoDetails("No groups are present in Ranger.");
            }
        } catch (Exception cause) {
            logErrorDetails("Error while getting exiting user / groups", cause);
            throw new Exception("Error while getting exiting user / groups", cause);
        }
    }

    /**
     * Returns the location of {@code kms-acls.xml}.
     *
     * @return the ACL file path, or {@code null} on an instance built by the no-arg constructor
     */
    public Path getKmsAclPath() {
        return kms_acl_path;
    }

    /**
     * Returns the location of {@code dbks-site.xml}, the file that {@code writeToDBKSFile} overwrites.
     *
     * @return the DBKS file path, or {@code null} on an instance built by the no-arg constructor
     */
    public Path getDbksPath() {
        return dbks_path;
    }

    /**
     * Returns the user names collected from Ranger.
     *
     * @return the internal, mutable list itself (not a copy); changes made by the caller alter
     *     which ACL users {@code parseAclXmlFile} accepts
     */
    public List<String> getExistingUserList() {
        return existingUserList;
    }

    /**
     * Returns the group names collected from Ranger.
     *
     * @return the internal, mutable list itself (not a copy); changes made by the caller alter
     *     which ACL groups {@code parseAclXmlFile} accepts
     */
    public List<String> getExistingGroupList() {
        return existingGroupList;
    }

    /**
     * Returns the per-resource permission entries that {@code createOrUpdatePolicies} iterates.
     *
     * @return the internal, mutable map itself (not a copy)
     */
    public Map<String, RangerKMSKeyUserGroupPermission> getUserGroupMap() {
        return existingUserGroupkeyMap;
    }

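    /**
     * Parses {@code kms-acls.xml} and prepares both outputs of the migration.
     *
     * <p>Every {@code <property>} with a non-empty name and value is classified by
     * {@code getACLType}:
     * <ul>
     *   <li>service-wide ACLs are copied into the in-memory {@code dbks-site.xml} document,
     *       replacing a property of the same name if one exists;</li>
     *   <li>default, key-specific, whitelist and blacklist ACLs are split into users and groups,
     *       checked against the names known to Ranger, and handed to
     *       {@code collectUserGroupPermissions}.</li>
     * </ul>
     * Names that Ranger does not know are recorded in the non-existing lists, never dropped.
     * Nothing is written to disk here.
     *
     * <p>Changes from the original: the XML parser refuses DOCTYPE declarations, external
     * entities and XInclude, and a {@code <property>} without {@code <name>} or {@code <value>}
     * in {@code dbks-site.xml} no longer causes a {@code NullPointerException}.
     *
     * @return the {@code dbks-site.xml} document with service-wide ACL properties merged in
     * @throws Exception if either file cannot be parsed or an ACL entry cannot be processed
     */
    public Document parseAclXmlFile() throws Exception {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // Only <property>/<name>/<value> elements are read from these files, so DTDs,
            // entity expansion and XInclude are not needed. Refusing them keeps a crafted file
            // from making the parser read other local files or reach the network while the tool
            // runs under the keytab login. A file that contains a DOCTYPE is now rejected.
            factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setXIncludeAware(false);
            factory.setExpandEntityReferences(false);
            DocumentBuilder builder = factory.newDocumentBuilder();

            Document aclDoc = builder.parse(getKmsAclPath().toFile());
            aclDoc.getDocumentElement().normalize();
            NodeList aclProperties = aclDoc.getElementsByTagName("property");

            Document dbksDoc = builder.parse(getDbksPath().toFile());
            dbksDoc.getDocumentElement().normalize();
            // Live list: a property appended below is seen by later lookups in the same run.
            NodeList dbksProperties = dbksDoc.getElementsByTagName("property");
            Element dbksRoot = dbksDoc.getDocumentElement();

            for (int i = 0; i < aclProperties.getLength(); i++) {
                Node propertyNode = aclProperties.item(i);
                if (propertyNode.getNodeType() != Node.ELEMENT_NODE) {
                    continue;
                }
                Element property = (Element) propertyNode;
                Node nameNode = property.getElementsByTagName("name").item(0);
                Node valueNode = property.getElementsByTagName("value").item(0);
                String name = nameNode != null ? nameNode.getTextContent() : null;
                String value = valueNode != null ? valueNode.getTextContent() : "";
                // Called before the emptiness check, exactly as in the original.
                String aclType = getACLType(name);
                if (StringUtils.isEmpty(name) || StringUtil.isEmpty(value)) {
                    continue;
                }

                if (aclType.equals(SERVICE_TYPE_ACL)) {
                    this.isServiceWideACLPresent = true;

                    Element existing = null;
                    for (int j = 0; j < dbksProperties.getLength(); j++) {
                        Node candidate = dbksProperties.item(j);
                        if (candidate.getNodeType() != Node.ELEMENT_NODE) {
                            continue;
                        }
                        // Guard: a <property> without <name> is skipped instead of raising an NPE.
                        Node candidateName = ((Element) candidate).getElementsByTagName("name").item(0);
                        if (candidateName != null && candidateName.getTextContent().equals(name)) {
                            existing = (Element) candidate;
                            break;
                        }
                    }

                    Element replacement = dbksDoc.createElement("property");
                    Element replacementName = dbksDoc.createElement("name");
                    replacementName.appendChild(dbksDoc.createTextNode(name));
                    replacement.appendChild(replacementName);
                    Element replacementValue = dbksDoc.createElement("value");
                    replacementValue.appendChild(dbksDoc.createTextNode(value));
                    replacement.appendChild(replacementValue);

                    if (existing == null) {
                        logInfoDetails("Adding new property : " + name + " = " + value);
                        dbksRoot.appendChild(replacement);
                    } else {
                        Node oldName = existing.getElementsByTagName("name").item(0);
                        Node oldValue = existing.getElementsByTagName("value").item(0);
                        String oldValueText = oldValue != null ? oldValue.getTextContent() : "";
                        logInfoDetails("Replacing existing property with new value : ");
                        logInfoDetails("  Old Config : " + oldName.getTextContent() + " = " + oldValueText);
                        logInfoDetails("  New Config : " + name + " = " + value);
                        dbksRoot.replaceChild(replacement, existing);
                    }
                } else if (aclType.equals(POLICY_TYPE_ACL) || aclType.equals(KEY_SPECIFIC_ACL) || aclType.equals(WHITELIST_TYPE_ACL) || aclType.equals(BLACKLIST_TYPE_ACL)) {
                    this.isPolicyACLPresent = true;

                    // The fourth dot-separated segment is the operation; for key-specific ACLs
                    // the third segment is the key name.
                    // NOTE(review): a key name that itself contains '.' would shift these
                    // indexes; confirm how getACLType (outside this view) treats such names.
                    String[] nameParts = name.split("\\.");
                    String operation = nameParts[3];
                    final String resource;
                    if (aclType.equals(POLICY_TYPE_ACL)) {
                        resource = DEFAULT_KEY_POLICY_RESOURCE;
                    } else if (aclType.equals(KEY_SPECIFIC_ACL)) {
                        resource = nameParts[2];
                    } else if (aclType.equals(WHITELIST_TYPE_ACL)) {
                        resource = WHITELIST_RESOURCE_KEY_NAME;
                    } else {
                        resource = BLACKLIST_RESOURCE_KEY_NAME;
                    }
                    Set<String> permissions = createPermissionSet(operation);

                    // Value format: "*", or "users groups" separated by one space, or users only;
                    // names within each part are comma-separated.
                    Set<String> users;
                    Set<String> groups;
                    if (value.equals("*")) {
                        // A wildcard ACL becomes a grant to the group named "public".
                        users = null;
                        groups = new HashSet<>();
                        groups.add("public");
                    } else {
                        String[] usersAndGroups = value.split(" ");
                        if (usersAndGroups.length == 2) {
                            users = new HashSet<>(Arrays.asList(usersAndGroups[0].split(",")));
                            groups = new HashSet<>(Arrays.asList(usersAndGroups[1].split(",")));
                        } else {
                            users = new HashSet<>(Arrays.asList(value.split(",")));
                            groups = null;
                        }
                    }

                    // Kept raw: the parameter types of collectUserGroupPermissions are outside this view.
                    HashMap userPermissions = new HashMap();
                    HashMap groupPermissions = new HashMap();

                    if (users != null) {
                        for (String rawUser : users) {
                            String user = rawUser.trim();
                            if (StringUtil.isEmpty(user) || user.equalsIgnoreCase(USER_NOBODY)) {
                                continue;
                            }
                            if (getExistingUserList().contains(user)) {
                                userPermissions.put(user, new HashSet<>(permissions));
                            } else {
                                // Unknown names are recorded so the caller can stop the migration.
                                this.nonExistingUserList.add(user);
                            }
                        }
                    }
                    if (groups != null) {
                        for (String rawGroup : groups) {
                            String group = rawGroup.trim();
                            if (StringUtil.isEmpty(group)) {
                                continue;
                            }
                            if (getExistingGroupList().contains(group)) {
                                groupPermissions.put(group, new HashSet<>(permissions));
                            } else {
                                this.nonExistingGroupList.add(group);
                            }
                        }
                    }
                    collectUserGroupPermissions(resource, userPermissions, groupPermissions);
                }
            }
            return dbksDoc;
        } catch (Exception e) {
            logErrorDetails("Error while parsing ACL XML file", e);
            throw new Exception("Error while parsing ACL XML file", e);
        }
    }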

    /**
     * Logs the distinct users and groups that appear in the ACL file but were not returned by
     * the Ranger lookup, followed by remediation advice that includes the Ranger Admin URL.
     */
    private void messageForNonExistingUserAndGroup() {
        if (!this.nonExistingUserList.isEmpty()) {
            List<String> missingUsers = this.nonExistingUserList.stream().distinct().collect(Collectors.toList());
            logErrorDetails("Following users do not exist in Ranger DB: " + missingUsers);
        }
        if (!this.nonExistingGroupList.isEmpty()) {
            List<String> missingGroups = this.nonExistingGroupList.stream().distinct().collect(Collectors.toList());
            logErrorDetails("Following groups do not exist in Ranger DB: " + missingGroups);
        }
        String advice = "To fix this problem, either add the above listed users/groups to your user management system and re-sync the users/groups, or create the listed users/groups in Ranger using the Ranger Admin Web UI : " + this.baseURL;
        logErrorDetails(advice);
    }

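    /**
     * Serialises the given document over {@code dbks-site.xml} as indented UTF-8 XML.
     *
     * <p>The output stream is now closed by try-with-resources; the original never closed it,
     * which leaked the file handle and left flushing to finalisation. The transformer is
     * configured before the file is opened, so a transformer set-up failure cannot truncate the
     * existing file.
     *
     * <p>NOTE(review): the file is overwritten in place. A failure during the transform itself
     * can still leave it truncated, so consider taking a backup before running the migration.
     *
     * @param document the DOM to write, normally the result of {@code parseAclXmlFile()}
     * @throws Exception if the transformer cannot be created or the file cannot be written
     */
    public void writeToDBKSFile(Document document) throws Exception {
        logInfoDetails("Updating " + getDbksPath().toString());
        try {
            Transformer serializer = TransformerFactory.newInstance().newTransformer();
            serializer.setOutputProperty("indent", "yes");
            serializer.setOutputProperty("method", "xml");
            serializer.setOutputProperty("encoding", "UTF-8");
            serializer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
            try (FileOutputStream out = new FileOutputStream(getDbksPath().toString())) {
                serializer.transform(new DOMSource(document), new StreamResult(out));
            }
        } catch (Exception e) {
            logErrorDetails("Error while writing in dbks-site.xml of Ranger KMS file", e);
            throw new Exception("Error while writing in dbks-site.xml of Ranger KMS file", e);
        }
    }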

    /**
     * Pushes every collected permission entry to Ranger. An existing policy for the resource is
     * updated; a new policy is created when the lookup returns none.
     *
     * @throws Exception if a lookup, create or update call throws
     */
    private void createOrUpdatePolicies() throws Exception {
        logInfoDetails("Updating Ranger with KMS policies for " + this.existingUserGroupkeyMap.size() + " keys");
        for (Map.Entry<String, RangerKMSKeyUserGroupPermission> entry : this.existingUserGroupkeyMap.entrySet()) {
            RangerKMSKeyUserGroupPermission wanted = entry.getValue();
            RangerPolicy current = getRangerKMSPolicyForResource(entry.getKey());
            if (current != null) {
                updatePolicy(current, wanted);
            } else {
                createPolicy(wanted);
            }
        }
    }

    /**
     * Looks up the existing Ranger KMS policy for one key resource in service {@code cm_kms}.
     *
     * <p>The whitelist and blacklist placeholders are searched as resource {@code *} with policy
     * priority 1; every other name is searched with priority 0. A policy matches when its
     * priority equals the wanted one (a missing priority counts as 0) and its {@code keyname}
     * resource holds exactly one value equal to the resource name.
     *
     * <p>NOTE(review): a non-200 response is only logged and then treated like "no policy
     * found", so the caller goes on to attempt a create. Confirm that this is the intended
     * reaction to a failed lookup.
     *
     * @param str key name, or one of the whitelist / blacklist placeholder names
     * @return the first matching policy, or {@code null} if none matched
     * @throws Exception if the REST call or the decoding of its response throws
     */
    private RangerPolicy getRangerKMSPolicyForResource(String str) throws Exception {
        final boolean override = StringUtils.equals(str, WHITELIST_RESOURCE_KEY_NAME) || StringUtils.equals(str, BLACKLIST_RESOURCE_KEY_NAME);
        final int wantedPriority = override ? 1 : 0;
        final String resource = override ? "*" : str;

        Map<String, String> query = new HashMap<>();
        query.put("serviceName", DEFAULT_RANGER_KMS_SERVICE_NAME);
        query.put("serviceType", RANGER_KMS_SERVICE_TYPE);
        if (override) {
            query.put("policyPriority", Integer.toString(wantedPriority));
        }
        query.put("resource:keyname", resource);

        try {
            RangerPolicy match = null;
            ClientResponse response = this.restClient.get(REST_POLICIES, query);
            if (response.getStatus() != 200) {
                logErrorDetails("Failed to get Ranger KMS policy for resource: " + resource + "; http-status: " + response.getStatus());
            } else {
                RangerKMSPolicyList body = response.getEntity(RangerKMSPolicyList.class);
                List<RangerPolicy> candidates = body != null ? body.getPolicies() : null;
                if (candidates != null) {
                    for (RangerPolicy candidate : candidates) {
                        int priority = candidate.getPolicyPriority() == null ? 0 : candidate.getPolicyPriority().intValue();
                        if (priority != wantedPriority) {
                            continue;
                        }
                        RangerPolicy.RangerPolicyResource keyResource = candidate.getResources() != null ? candidate.getResources().get(RESOURCE_KEY_NAME) : null;
                        List<String> keyNames = keyResource != null ? keyResource.getValues() : null;
                        // Only a policy scoped to exactly this one key name is reused.
                        if (keyNames != null && keyNames.size() == 1 && StringUtils.equals(resource, keyNames.get(0))) {
                            match = candidate;
                            break;
                        }
                    }
                }
            }
            if (match == null) {
                logInfoDetails("Ranger KMS policy does not exist for resource: " + resource + ", priority=" + (override ? "override" : "normal"));
            }
            return match;
        } catch (Exception cause) {
            logErrorDetails("Error while getting Ranger KMS policy for resource: " + resource, cause);
            throw new Exception("Error while getting Ranger KMS policy for resource: " + resource, cause);
        }
    }

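    /**
     * Creates a new Ranger KMS policy from the collected ACLs of one key.
     *
     * <p>The HTTP status is checked before the response body is read as a
     * {@link RangerPolicy}, matching what {@code updatePolicy} does. Reading the entity
     * first means an error response (whose body need not be a policy) can fail during
     * unmarshalling, so the failure surfaces as a generic exception instead of the
     * logged status code.
     *
     * @param rangerKMSKeyUserGroupPermission key name plus the user and group permissions to grant
     * @throws Exception wrapping any failure raised while building or posting the policy
     */
    private void createPolicy(RangerKMSKeyUserGroupPermission rangerKMSKeyUserGroupPermission) throws Exception {
        try {
            ClientResponse post = this.restClient.post(REST_POLICIES, (Map) null, getPolicyObj(rangerKMSKeyUserGroupPermission));
            // Only a 200 response is expected to carry the created policy.
            RangerPolicy created = post.getStatus() == 200 ? (RangerPolicy) post.getEntity(RangerPolicy.class) : null;
            if (created == null) {
                logErrorDetails("Failed to create Ranger KMS policy: key-name='" + rangerKMSKeyUserGroupPermission.getKeyname() + "'. Status : " + post.getStatus());
            } else {
                logInfoDetails("Created Ranger KMS policy: name='" + created.getName() + "', id=" + created.getId());
            }
        } catch (Exception e) {
            String message = "Error while creating policy for keyname: " + rangerKMSKeyUserGroupPermission.getKeyname();
            logErrorDetails(message, e);
            throw new Exception(message, e);
        }
    }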

    /**
     * Merges the collected ACLs into an existing Ranger KMS policy and writes it back.
     *
     * <p>No request is sent when {@code updatePolicyItems} reports that the policy
     * already holds every required access. A non-200 response is logged, not thrown.
     *
     * <p>NOTE(review): the entity of a 200 response is dereferenced without a null
     * check; if it can be null, a successful update would be reported as an error.
     *
     * @param rangerPolicy existing policy, modified in place before the PUT
     * @param rangerKMSKeyUserGroupPermission permissions to merge into the policy
     * @throws Exception wrapping any failure raised while sending the update or reading the reply
     */
    private void updatePolicy(RangerPolicy rangerPolicy, RangerKMSKeyUserGroupPermission rangerKMSKeyUserGroupPermission) throws Exception {
        boolean changed = updatePolicyItems(rangerPolicy, rangerKMSKeyUserGroupPermission);
        if (!changed) {
            logInfoDetails("No update is required for Ranger KMS Policy name: '" + rangerPolicy.getName() + "', id=" + rangerPolicy.getId());
            return;
        }
        try {
            ClientResponse put = this.restClient.put("/service/plugins/policies/" + rangerPolicy.getId(), (Map) null, rangerPolicy);
            if (put.getStatus() != 200) {
                logErrorDetails("Failed to update Ranger KMS policy: name='" + rangerPolicy.getName() + "', id=" + rangerPolicy.getId() + ". Status : " + put.getStatus());
            } else {
                // Log the name and id the server returned rather than the local copy.
                RangerPolicy updated = (RangerPolicy) put.getEntity(RangerPolicy.class);
                logInfoDetails("Updated Ranger KMS policy: name='" + updated.getName() + "', id=" + updated.getId());
            }
        } catch (Exception e) {
            String message = "Error while updating Ranger KMS policy: name='" + rangerPolicy.getName() + "', id=" + rangerPolicy.getId();
            logErrorDetails(message, e);
            throw new Exception(message, e);
        }
    }

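    /**
     * Builds the Ranger KMS policy that represents the migrated ACLs of one key.
     *
     * <p>Per-key policies are named after the key, cover only that key and set
     * {@code isDenyAllElse} to true. The whitelist and blacklist pseudo-keys become the
     * global override policy instead: resource {@code "*"}, policy priority 1,
     * {@code isDenyAllElse} false. Blacklist entries are stored as deny items, all other
     * entries as allow items. No item is given delegated admin.
     *
     * <p>The decompiled source used an undeclared register name ({@code r14}) for the
     * blacklist flag. It is declared here as a local that starts {@code false}, the only
     * value consistent with its later use for keys that are not the blacklist pseudo-key.
     *
     * @param rangerKMSKeyUserGroupPermission key name plus per-user and per-group access types
     * @return a new, enabled policy that has not yet been sent to Ranger
     */
    private RangerPolicy getPolicyObj(RangerKMSKeyUserGroupPermission rangerKMSKeyUserGroupPermission) {
        RangerPolicy rangerPolicy = new RangerPolicy();
        String keyname = rangerKMSKeyUserGroupPermission.getKeyname();
        String policyName = keyname;
        boolean denyAllElse = true;
        boolean isBlacklist = false;
        String description = "ACLs for key '" + keyname + "', migrated from KT-KMS";
        Map<String, Set<String>> userPermissionMap = rangerKMSKeyUserGroupPermission.getUserPermissionMap();
        Map<String, Set<String>> groupPermissionMap = rangerKMSKeyUserGroupPermission.getGroupPermissionMap();
        if (StringUtils.equals(keyname, WHITELIST_RESOURCE_KEY_NAME) || StringUtils.equals(keyname, BLACKLIST_RESOURCE_KEY_NAME)) {
            isBlacklist = StringUtils.equals(keyname, BLACKLIST_RESOURCE_KEY_NAME);
            rangerPolicy.setPolicyPriority(1);
            keyname = "*";
            policyName = GLOBAL_OVERRIDE_POLICY_NAME;
            // The global policy applies to every key, so it must not deny everyone it omits.
            denyAllElse = false;
            description = "Global override policy, migrated from KT-KMS";
        }
        rangerPolicy.setService(DEFAULT_RANGER_KMS_SERVICE_NAME);
        rangerPolicy.setServiceType(RANGER_KMS_SERVICE_TYPE);
        rangerPolicy.setName(policyName);
        rangerPolicy.setDescription(description);
        rangerPolicy.setIsEnabled(true);
        rangerPolicy.setPolicyType(0);
        rangerPolicy.setResources(Collections.singletonMap(RESOURCE_KEY_NAME, new RangerPolicy.RangerPolicyResource(keyname, false, false)));
        rangerPolicy.setIsDenyAllElse(Boolean.valueOf(denyAllElse));

        // One policy item per principal, users first, then groups.
        List<RangerPolicy.RangerPolicyItem> items = new ArrayList<>();
        for (Map.Entry<String, Set<String>> entry : userPermissionMap.entrySet()) {
            RangerPolicy.RangerPolicyItem userItem = new RangerPolicy.RangerPolicyItem();
            userItem.setDelegateAdmin(false);
            userItem.getUsers().add(entry.getKey());
            for (String accessType : entry.getValue()) {
                userItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(accessType, true));
            }
            items.add(userItem);
        }
        for (Map.Entry<String, Set<String>> entry : groupPermissionMap.entrySet()) {
            RangerPolicy.RangerPolicyItem groupItem = new RangerPolicy.RangerPolicyItem();
            groupItem.setDelegateAdmin(false);
            groupItem.getGroups().add(entry.getKey());
            for (String accessType : entry.getValue()) {
                groupItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(accessType, true));
            }
            items.add(groupItem);
        }
        if (isBlacklist) {
            rangerPolicy.setDenyPolicyItems(items);
        } else {
            rangerPolicy.setPolicyItems(items);
        }
        return rangerPolicy;
    }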

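    /**
     * Accumulates the user and group permissions parsed for one key into
     * {@code existingUserGroupkeyMap}, creating the entry on first use and merging
     * into it afterwards.
     *
     * <p>Caller-supplied maps and sets are copied before they are stored. The merge
     * path calls {@code addAll} on stored sets, so keeping the caller's instances by
     * reference would let a later merge for one principal modify a set that is still
     * referenced elsewhere (for example a permission set shared between principals or
     * keys; the callers are outside this view), which could widen the migrated grants.
     *
     * @param str key name the permissions belong to
     * @param map access types per user
     * @param map2 access types per group
     */
    private void collectUserGroupPermissions(String str, Map<String, Set<String>> map, Map<String, Set<String>> map2) {
        RangerKMSKeyUserGroupPermission existing = this.existingUserGroupkeyMap.get(str);
        if (existing == null) {
            RangerKMSKeyUserGroupPermission created = new RangerKMSKeyUserGroupPermission();
            if (!map2.isEmpty()) {
                created.setGroupPermissionMap(copyPermissionMap(map2));
            }
            if (!map.isEmpty()) {
                created.setUserPermissionMap(copyPermissionMap(map));
            }
            created.setKeyname(str);
            this.existingUserGroupkeyMap.put(str, created);
            return;
        }
        mergePermissionMap(existing.getUserPermissionMap(), map);
        mergePermissionMap(existing.getGroupPermissionMap(), map2);
    }

    /** Returns a new map whose non-null value sets are independent copies of the source sets. */
    private static Map<String, Set<String>> copyPermissionMap(Map<String, Set<String>> source) {
        Map<String, Set<String>> copy = new HashMap<>();
        for (Map.Entry<String, Set<String>> entry : source.entrySet()) {
            Set<String> accessTypes = entry.getValue();
            copy.put(entry.getKey(), accessTypes == null ? null : new HashSet<>(accessTypes));
        }
        return copy;
    }

    /** Adds every access type in {@code source} to {@code target}, copying sets for new principals. */
    private static void mergePermissionMap(Map<String, Set<String>> target, Map<String, Set<String>> source) {
        for (Map.Entry<String, Set<String>> entry : source.entrySet()) {
            Set<String> accessTypes = entry.getValue();
            Set<String> current = target.get(entry.getKey());
            if (current != null) {
                current.addAll(accessTypes);
            } else {
                target.put(entry.getKey(), accessTypes == null ? null : new HashSet<>(accessTypes));
            }
        }
    }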

    /**
     * Finds the policy item dedicated to a single user.
     *
     * <p>Only an item that names exactly this one user and no groups qualifies, so the
     * migration never widens an item that is shared with other principals.
     *
     * @param list policy items to search
     * @param str user name
     * @return the first qualifying item, or {@code null} when there is none
     */
    private RangerPolicy.RangerPolicyItem getPolicyItemForUser(List<RangerPolicy.RangerPolicyItem> list, String str) {
        for (RangerPolicy.RangerPolicyItem candidate : list) {
            boolean onlyThisUser = candidate.getUsers().size() == 1 && candidate.getGroups().isEmpty() && candidate.getUsers().contains(str);
            if (onlyThisUser) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Finds the policy item dedicated to a single group.
     *
     * <p>Only an item that names exactly this one group and no users qualifies, so the
     * migration never widens an item that is shared with other principals.
     *
     * @param list policy items to search
     * @param str group name
     * @return the first qualifying item, or {@code null} when there is none
     */
    private RangerPolicy.RangerPolicyItem getPolicyItemForGroup(List<RangerPolicy.RangerPolicyItem> list, String str) {
        for (RangerPolicy.RangerPolicyItem candidate : list) {
            boolean onlyThisGroup = candidate.getUsers().isEmpty() && candidate.getGroups().size() == 1 && candidate.getGroups().contains(str);
            if (onlyThisGroup) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Grants an access type on a policy item unless the item already lists it.
     *
     * <p>Existing access types are compared case-insensitively. A new entry is always
     * added as allowed; an existing entry is left exactly as it is.
     *
     * @param rangerPolicyItem item to extend
     * @param str access type to grant
     * @return {@code true} when an access entry was added, {@code false} when one already existed
     */
    private boolean addAccessType(RangerPolicy.RangerPolicyItem rangerPolicyItem, String str) {
        for (RangerPolicy.RangerPolicyItemAccess access : rangerPolicyItem.getAccesses()) {
            if (StringUtils.equalsIgnoreCase(access.getType(), str)) {
                return false;
            }
        }
        rangerPolicyItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(str, true));
        return true;
    }

    /**
     * Merges the collected permissions into the items of an existing policy.
     *
     * <p>Blacklist permissions are merged into the policy's deny items, everything else
     * into its allow items. The merge is additive only: principals and access types are
     * added when missing, and nothing already present on the policy is removed. Entries
     * with a null or empty access set are skipped.
     *
     * @param rangerPolicy policy to modify in place
     * @param rangerKMSKeyUserGroupPermission permissions collected for the policy's key
     * @return {@code true} when at least one access type was added
     */
    private boolean updatePolicyItems(RangerPolicy rangerPolicy, RangerKMSKeyUserGroupPermission rangerKMSKeyUserGroupPermission) {
        boolean changed = false;
        Map<String, Set<String>> userPermissionMap = rangerKMSKeyUserGroupPermission.getUserPermissionMap();
        Map<String, Set<String>> groupPermissionMap = rangerKMSKeyUserGroupPermission.getGroupPermissionMap();
        List<RangerPolicy.RangerPolicyItem> targetItems;
        if (StringUtils.equals(rangerKMSKeyUserGroupPermission.getKeyname(), BLACKLIST_RESOURCE_KEY_NAME)) {
            targetItems = rangerPolicy.getDenyPolicyItems();
        } else {
            targetItems = rangerPolicy.getPolicyItems();
        }

        for (Map.Entry<String, Set<String>> userEntry : userPermissionMap.entrySet()) {
            Set<String> accessTypes = userEntry.getValue();
            if (accessTypes == null || accessTypes.isEmpty()) {
                continue;
            }
            String user = userEntry.getKey();
            RangerPolicy.RangerPolicyItem userItem = getPolicyItemForUser(targetItems, user);
            if (userItem == null) {
                userItem = new RangerPolicy.RangerPolicyItem();
                userItem.setDelegateAdmin(false);
                userItem.getUsers().add(user);
                targetItems.add(userItem);
            }
            for (String accessType : accessTypes) {
                // Call addAccessType for every type; it performs the actual grant.
                if (addAccessType(userItem, accessType)) {
                    changed = true;
                }
            }
        }

        for (Map.Entry<String, Set<String>> groupEntry : groupPermissionMap.entrySet()) {
            Set<String> accessTypes = groupEntry.getValue();
            if (accessTypes == null || accessTypes.isEmpty()) {
                continue;
            }
            String group = groupEntry.getKey();
            RangerPolicy.RangerPolicyItem groupItem = getPolicyItemForGroup(targetItems, group);
            if (groupItem == null) {
                groupItem = new RangerPolicy.RangerPolicyItem();
                groupItem.setDelegateAdmin(false);
                groupItem.getGroups().add(group);
                targetItems.add(groupItem);
            }
            for (String accessType : accessTypes) {
                if (addAccessType(groupItem, accessType)) {
                    changed = true;
                }
            }
        }
        return changed;
    }

    /**
     * Classifies an ACL property name by its prefix.
     *
     * <p>The checks are ordered: the blacklist prefix must be tested before
     * {@code "hadoop.kms."} because it starts with that same text. A name that matches
     * none of the known prefixes is classified as a Key Trustee ACL.
     *
     * @param str ACL property name
     * @return the ACL type constant for the first matching prefix
     */
    private String getACLType(String str) {
        if (str.startsWith(HADOOP_KMS_BLACKLIST_PREFIX)) {
            return BLACKLIST_TYPE_ACL;
        }
        if (str.startsWith("hadoop.kms.")) {
            return SERVICE_TYPE_ACL;
        }
        if (str.startsWith(DEFAULT_KEY_PREFIX)) {
            return POLICY_TYPE_ACL;
        }
        if (str.startsWith(WHITELIST_KEY_PREFIX)) {
            return WHITELIST_TYPE_ACL;
        }
        if (str.startsWith("key.acl.")) {
            return KEY_SPECIFIC_ACL;
        }
        return KEY_TRUSTEE_ACL;
    }

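    /**
     * Maps a KMS ACL operation name to the set of Ranger permissions it migrates to.
     *
     * <p>Reconstructed as a plain string switch. The decompiler emitted the compiler's
     * two-stage hash lookup with a mistyped {@code boolean} index and repeated
     * {@code case true:} labels, which does not compile; the pairing below follows the
     * index each name was given and the order of the result cases.
     *
     * <p>The match is exact and case-sensitive. An unrecognised operation yields an
     * empty set, so it grants nothing.
     *
     * <p>NOTE(review): the returned sets look like shared class-level constants (they
     * are defined outside this view); callers should copy them before modifying them.
     *
     * @param str ACL operation name; must not be null
     * @return the permission set for the operation, or an empty set when it is unknown
     */
    private Set<String> createPermissionSet(String str) {
        switch (str) {
            case KEY_ACL_READ:
                return READ_PERMISSIONS;
            case KEY_ACL_DECRYPT_EEK:
                return DECRYPT_EEK_PERMISSIONS;
            case KEY_ACL_GENERATE_EEK:
                return GENERATE_EEK_PERMISSIONS;
            case KEY_ACL_MANAGEMENT:
                return ACL_MANAGEMENT_PERMISSIONS;
            case KEY_ACL_CREATE:
                return CREATE_PERMISSIONS;
            case KEY_ACL_DELETE:
                return DELETE_PERMISSIONS;
            case KEY_ACL_ROLLOVER:
                return ROLLOVER_PERMISSIONS;
            case KEY_ACL_SET_KEY_MATERIAL:
                return SET_KEY_MATERIAL_PERMISSIONS;
            case KEY_ACL_GET:
                return GET_PERMISSIONS;
            case KEY_ACL_GET_KEYS:
                return GET_KEYS_PERMISSIONS;
            case KEY_ACL_GET_METADATA:
                return GET_METADATA_PERMISSIONS;
            case KEY_ACL_ALL:
                return ALL_PERMISSIONS;
            default:
                return Collections.emptySet();
        }
    }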

    /**
     * Reports an error both to the logger and to standard error.
     *
     * @param str message to report
     */
    private static void logErrorDetails(String str) {
        // Logger first, then the console copy.
        LOG.error(str);
        System.err.println(str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reports an error and its cause to the logger, then echoes the message and the
     * stack trace to standard error.
     *
     * @param str message to report
     * @param th cause whose stack trace is printed
     */
    public static void logErrorDetails(String str, Throwable th) {
        LOG.error(str, th);
        System.err.println(str);
        // Same destination as the no-argument printStackTrace().
        th.printStackTrace(System.err);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reports an informational message both to the logger and to standard output.
     *
     * @param str message to report
     */
    public static void logInfoDetails(String str) {
        // Logger first, then the console copy.
        LOG.info(str);
        System.out.println(str);
    }
}
