package org.apache.ranger.raz.processor.adls;

import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.util.RangerUserStore;
import org.apache.ranger.raz.intg.RangerRazErrorCode;
import org.apache.ranger.raz.intg.RangerRazException;
import org.apache.ranger.raz.model.RangerRazRequest;
import org.apache.ranger.raz.model.RangerRazRequestBase;
import org.apache.ranger.raz.model.RangerRazResult;
import org.apache.ranger.raz.model.RangerRazResultBase;
import org.apache.ranger.raz.processor.RangerDefaultRazProcessor;
import org.apache.ranger.raz.processor.RangerRazContext;
import org.apache.ranger.raz.processor.RangerRazRequestContext;
import org.apache.ranger.raz.processor.abfsutil.AbfsHttpConstants;
import org.apache.ranger.raz.processor.abfsutil.AbfsTokenProvider;
import org.apache.ranger.raz.processor.abfsutil.AbfsUtilConstants;
import org.apache.ranger.raz.processor.abfsutil.DelegationSASGenerator;
import org.apache.ranger.raz.processor.abfsutil.SASGenerator;
import org.apache.ranger.raz.processor.abfsutil.SASTokenConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/raz/processor/adls/AdlsGen2RazProcessor.class */
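/**
 * RAZ processor for ADLS Gen2 ({@code abfs://}) requests.
 *
 * <p>On the way in ({@link #preProcess}) the abfs operation name is mapped onto Ranger
 * access types and the caller identity/IP from the request context is stamped on the
 * request. On the way out ({@link #postProcess}) a user-delegation SAS token is minted
 * and attached to the result's additional info under {@code ADLS_DSAS}; how that token
 * is scoped depends on Ranger's verdict:
 * <ul>
 *   <li>{@code ALLOWED}: the caller's cloud identity ({@code cloud_id} user attribute) is
 *       passed as the authorised object id, except for set-owner / set-permission where
 *       no identity is passed at all.</li>
 *   <li>{@code NOT_DETERMINED}: no policy decided, so the caller's cloud identity is passed
 *       as the unauthorised object id (Azure's own ACLs act as the fallback enforcer,
 *       see {@link #getFallbackAclEnforcerName}); a caller with no cloud identity is
 *       rejected.</li>
 *   <li>{@code DENIED}: the request is rejected with {@code RAZ_ADLS_UNAUTHORIZED_ACCESS}.</li>
 * </ul>
 *
 * <p>A failed {@link #init} is logged but not propagated; the processor then has no
 * token provider and every request is rejected by {@link #generateDSASToken}.
 */
public class AdlsGen2RazProcessor extends RangerDefaultRazProcessor {
    private static final Logger LOG = LoggerFactory.getLogger(AdlsGen2RazProcessor.class);

    private static final String SAS_EXPIRY_TIME_IN_SECONDS = "ranger.raz.azure.sas.expiry.time.in.seconds";
    private static final String CONF_PREFIX = "ranger.raz.service-type.adls.";
    private static final String CONF_DEFAULT_SERVICE_NAME = CONF_PREFIX + "default.service.name";
    private static final String DEFAULT_SERVICE_NAME = "cm_adls";
    /** User-store attribute that holds the caller's Azure object id. */
    private static final String CLOUD_IDENTITY_NAME = "cloud_id";
    private static final String ACCESS_TYPE_READ = "read";
    private static final String ACCESS_TYPE_WRITE = "write";
    private static final String ACCESS_TYPE_EXECUTE = "execute";
    private static final String ACCESS_TYPE_DELETE = "delete";
    private static final String ACCESS_TYPE_DELETE_RECURSIVE = "delete-recursive";
    private static final String ACCESS_TYPE_LIST = "list";
    private static final String ACCESS_TYPE_MOVE = "move";
    private static final String ACCESS_TYPE_MODIFY_PERMISSIONS = "modify-permissions";
    private static final String ADLS_ACCESS_ENFORCER = "azure-acl";
    /** Keys of the result's additional-info map consumed by the client. */
    private static final String ADDL_INFO_DSAS = "ADLS_DSAS";
    private static final String ADDL_INFO_ID_MAP_VERSION = "RAZ_ID_MAP_VERSION";
    /** Config keys containing any of these substrings are not printed with their value in debug logs. */
    private static final String[] SENSITIVE_KEY_MARKERS = {"secret", "password", "passwd", "credential", "token", "key"};
    private static final Map<String, Set<String>> OPER_ACCESSTYPES = initOperAccessTypesMap();

    private AbfsTokenProvider abfsTokenProvider = null;
    private String adlsServiceName = null;
    int sasExpiryTime = 0;

    /**
     * Ranger resource view of an ADLS path: storage account, container and relative path,
     * with the ADLS owner recorded as the resource owner.
     */
    private static class RangerAdlsResource extends RangerAccessResourceImpl {
        /**
         * @param resource  resource map from the RAZ request (keys from {@link AbfsUtilConstants})
         * @param ownerUser owner of the resource as reported by the client, may be null
         */
        public RangerAdlsResource(Map<String, String> resource, String ownerUser) {
            setValue(AbfsUtilConstants.KEY_STORAGE_ACCOUNT, resource.get(AbfsUtilConstants.KEY_STORAGE_ACCOUNT));
            setValue(AbfsUtilConstants.KEY_CONTAINER, resource.get(AbfsUtilConstants.KEY_CONTAINER));
            String relativePath = resource.get(AbfsUtilConstants.KEY_RELATIVE_PATH);
            // The file-ACL-status operation arrives with a placeholder path; it is evaluated as the container root.
            if (StringUtils.equals(relativePath, AbfsUtilConstants.ABFS_RELATIVE_PATH_FOR_FILEACLSTATUS_OPERATION)) {
                relativePath = "/";
            }
            setValue(AbfsUtilConstants.KEY_RELATIVE_PATH, relativePath);
            setOwnerUser(ownerUser);
        }

        /**
         * Renders the resource as {@code container@account:path} (missing parts are left blank)
         * and caches the rendering via {@link #setStringifiedValue}.
         */
        public String getAsString() {
            String rendered = getStringifiedValue();
            if (rendered == null) {
                Object account = getValue(AbfsUtilConstants.KEY_STORAGE_ACCOUNT);
                Object container = getValue(AbfsUtilConstants.KEY_CONTAINER);
                Object path = getValue(AbfsUtilConstants.KEY_RELATIVE_PATH);
                StringBuilder sb = new StringBuilder();
                if (container != null) {
                    sb.append(container);
                }
                sb.append('@');
                if (account != null) {
                    sb.append(account);
                }
                sb.append(':');
                if (path != null) {
                    sb.append(path);
                }
                rendered = sb.toString();
                setStringifiedValue(rendered);
            }
            return rendered;
        }
    }

    /**
     * Reads the ADLS service name, the SAS lifetime and builds the token provider from the
     * RAZ configuration.
     *
     * <p>Failures are logged and swallowed on purpose (the processor is left without a token
     * provider, and {@link #generateDSASToken} then rejects every request with a clear error
     * rather than a NullPointerException).
     *
     * @param rangerRazContext RAZ context carrying the {@link Configuration}
     */
    public void init(RangerRazContext rangerRazContext) throws RangerRazException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> AdlsGen2RazProcessor.init(context={})", rangerRazContext);
            // Dump the effective config for troubleshooting, but never the values of
            // credential-looking keys: the same Configuration is handed to AbfsTokenProvider
            // below and may carry the Azure credentials used to sign SAS tokens.
            for (Map.Entry<String, String> entry : rangerRazContext.getRazConfig()) {
                LOG.debug("AdlsGen2RazProcessor: Key = {} value = {}", entry.getKey(), maskIfSensitive(entry.getKey(), entry.getValue()));
            }
        }
        try {
            Configuration razConfig = rangerRazContext.getRazConfig();
            this.adlsServiceName = razConfig.get(CONF_DEFAULT_SERVICE_NAME, DEFAULT_SERVICE_NAME);
            this.sasExpiryTime = readSasExpiryTime(razConfig);
            this.abfsTokenProvider = new AbfsTokenProvider(razConfig);
        } catch (Throwable th) {
            // Best-effort init: leave abfsTokenProvider null and fail each request later.
            LOG.error("AdlsGen2RazProcessor.init() failed", th);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== AdlsGen2RazProcessor.init(context={})", rangerRazContext);
        }
    }

    /**
     * Completes the request with the configured service name, the authenticated caller
     * (user, groups, IP) from the request context, the current time and the Ranger access
     * types for the requested operation, then defers to the default processor.
     *
     * @return the Ranger access requests produced by {@link RangerDefaultRazProcessor#preProcess}
     */
    public List<RangerAccessRequest> preProcess(RangerRazRequest rangerRazRequest, RangerRazRequestContext rangerRazRequestContext) throws RangerRazException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> AdlsGen2RazProcessor.preProcess(request={}, context={})", rangerRazRequest, rangerRazRequestContext);
        }
        // Identity comes from the server-side context, never from the client-supplied request body.
        rangerRazRequest.setServiceName(this.adlsServiceName);
        rangerRazRequest.setUser(rangerRazRequestContext.getRemoteUser());
        rangerRazRequest.setUserGroups(rangerRazRequestContext.getRemoteUserGroups());
        rangerRazRequest.setClientIpAddress(rangerRazRequestContext.getRemoteIpAddress());
        rangerRazRequest.setAccessTime(new Date());
        rangerRazRequest.getOperation().setAccessTypes(getAccessTypes(rangerRazRequest.getOperation().getAction()));
        List<RangerAccessRequest> ret = super.preProcess(rangerRazRequest, rangerRazRequestContext);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== AdlsGen2RazProcessor.preProcess(request={}, context={}): ret={}", new Object[]{rangerRazRequest, rangerRazRequestContext, ret});
        }
        return ret;
    }

    /**
     * Runs the default post-processing and then turns the verdict into a SAS token
     * (see the class comment for how each verdict is handled).
     *
     * @throws RangerRazException when the verdict is DENIED, when a NOT_DETERMINED caller has
     *                            no cloud identity, or when the token cannot be generated
     */
    public RangerRazResult postProcess(RangerRazRequest rangerRazRequest, List<RangerAccessResult> list, RangerRazRequestContext rangerRazRequestContext) throws RangerRazException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> AdlsGen2RazProcessor.postProcess(request={}, accessResults={}, context={})", new Object[]{rangerRazRequest, list, rangerRazRequestContext});
        }
        RangerRazResult ret = super.postProcess(rangerRazRequest, list, rangerRazRequestContext);
        RangerRazResultBase.ResourceAccessResult operResult = ret != null ? ret.getOperResult() : null;
        if (operResult != null) {
            switch (operResult.getResult()) {
                case ALLOWED:
                case NOT_DETERMINED:
                case DENIED:
                    createRazResult(operResult.getResult(), rangerRazRequest, operResult, rangerRazRequestContext);
                    break;
                default:
                    // Any other verdict leaves the result untouched (no SAS is attached).
                    break;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== AdlsGen2RazProcessor.postProcess(request={}, accessResults={}, context={}): ret={}", new Object[]{rangerRazRequest, list, rangerRazRequestContext, ret});
        }
        return ret;
    }

    /** Name of the enforcer that decides when no Ranger policy does: Azure's own ACLs. */
    public String getFallbackAclEnforcerName() {
        return ADLS_ACCESS_ENFORCER;
    }

    public RangerAccessResource getRangerAccessResource(RangerRazRequestBase.ResourceAccess resourceAccess) {
        return new RangerAdlsResource(resourceAccess.getResource(), resourceAccess.getResourceOwner());
    }

    /**
     * Mints the SAS for the verdict and stores it in the result's additional info, together
     * with the user-store version the identity mapping was taken from (when available).
     */
    private void createRazResult(RangerRazResultBase.AccessResult accessResult, RangerRazRequest rangerRazRequest, RangerRazResultBase.ResourceAccessResult resourceAccessResult, RangerRazRequestContext rangerRazRequestContext) throws RangerRazException {
        String dsasToken = generateDSASToken(rangerRazRequest, resourceAccessResult, accessResult, rangerRazRequestContext);
        Map additionalInfo = resourceAccessResult.getAdditionalInfo();
        if (additionalInfo == null) {
            additionalInfo = new HashMap();
        }
        additionalInfo.put(ADDL_INFO_DSAS, dsasToken);
        if (rangerRazRequestContext != null && rangerRazRequestContext.getRangerUserStore() != null && rangerRazRequestContext.getRangerUserStore().getUserStoreVersion() != null) {
            additionalInfo.put(ADDL_INFO_ID_MAP_VERSION, rangerRazRequestContext.getRangerUserStore().getUserStoreVersion().toString());
        }
        resourceAccessResult.setAdditionalInfo(additionalInfo);
    }

    /**
     * Generates the user-delegation SAS for the request's storage account/container/path.
     *
     * @param accessResult Ranger's verdict; decides which identity (if any) the token is bound to
     * @return the SAS query string without its leading {@code ?}
     * @throws RangerRazException RAZ_CLIENT_INVALID_RESPONSE when no token provider / delegation
     *                            generator is available, RAZ_ADLS_UNAUTHORIZED_ACCESS for DENIED or
     *                            for NOT_DETERMINED without a cloud identity; any other failure is
     *                            wrapped in a RangerRazException
     */
    private String generateDSASToken(RangerRazRequest rangerRazRequest, RangerRazResultBase.ResourceAccessResult resourceAccessResult, RangerRazResultBase.AccessResult accessResult, RangerRazRequestContext rangerRazRequestContext) throws RangerRazException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> AdlsGen2RazProcessor.generateDSASToken(uri={})", getStorageURI(rangerRazRequest));
        }
        try {
            String user = rangerRazRequest.getUser();
            String action = rangerRazRequest.getOperation().getAction();
            String storageURI = getStorageURI(rangerRazRequest);
            String storageAccount = getResource(rangerRazRequest, AbfsUtilConstants.KEY_STORAGE_ACCOUNT);
            if (this.abfsTokenProvider == null) {
                // init() failed (see the startup log); fail closed with a clear cause instead of an NPE.
                throw new RangerRazException(RangerRazErrorCode.RAZ_CLIENT_INVALID_RESPONSE, new Object[]{"ADLS token provider not initialized; cannot sign SAS for StorageAccount: " + storageAccount});
            }
            DelegationSASGenerator sasGenerator = this.abfsTokenProvider.getDelegationSASGenerator(storageAccount);
            if (sasGenerator == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("<== AdlsGen2RazProcessor.generateDSASToken() request user: {} result: {}", user, accessResult);
                }
                throw new RangerRazException(RangerRazErrorCode.RAZ_CLIENT_INVALID_RESPONSE, new Object[]{"Error fetching UserDelegationKey for StorageAccount: " + storageAccount});
            }
            // The two ids are passed positionally to getDelegationSAS(..., authorizedOid, unauthorizedOid, ...);
            // presumably the Azure saoid / suoid parameters -- confirm against DelegationSASGenerator.
            String authorizedOid = null;
            String unauthorizedOid = null;
            switch (accessResult) {
                case ALLOWED:
                    // Ranger allowed the access. Pass the caller's cloud identity, except for
                    // set-owner / set-permission (note: set-acl is not excluded here).
                    // NOTE(review): a user with no cloud_id mapping gets a token with neither id;
                    // that relies on Ranger's ALLOWED verdict being the sole authority -- confirm intended.
                    if (!isOperationModifyOwner(action) && !isOperationModifyPermission(action)) {
                        authorizedOid = getOidForUser(user, rangerRazRequestContext);
                    }
                    break;
                case NOT_DETERMINED:
                    // No policy decided: defer to Azure's ACL check for the caller's cloud identity.
                    // Without a mapped identity that check cannot happen, so deny.
                    unauthorizedOid = getOidForUser(user, rangerRazRequestContext);
                    if (unauthorizedOid == null) {
                        throw new RangerRazException(RangerRazErrorCode.RAZ_ADLS_UNAUTHORIZED_ACCESS, new Object[]{action, storageURI});
                    }
                    break;
                case DENIED:
                    throw new RangerRazException(RangerRazErrorCode.RAZ_ADLS_UNAUTHORIZED_ACCESS, new Object[]{action, storageURI});
                default:
                    break;
            }
            String auditId = null;
            List<?> auditLogs = resourceAccessResult.getAuditLogs();
            if (CollectionUtils.isNotEmpty(auditLogs)) {
                auditId = ((RangerRazResultBase.AuditInfo) auditLogs.get(0)).getAuditId();
            }
            String delegationSAS = sasGenerator.getDelegationSAS(getResource(rangerRazRequest, AbfsUtilConstants.KEY_CONTAINER), getResource(rangerRazRequest, AbfsUtilConstants.KEY_RELATIVE_PATH), action, authorizedOid, unauthorizedOid, auditId, this.sasExpiryTime);
            // The generator may return the token as a full query string; drop the leading '?'.
            if (StringUtils.startsWith(delegationSAS, AbfsHttpConstants.QUESTION_MARK)) {
                delegationSAS = delegationSAS.substring(1);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== AdlsGen2RazProcessor.generateDSASToken() request user: {} result: {}", user, accessResult);
            }
            return delegationSAS;
        } catch (RangerRazException e) {
            throw e;
        } catch (Exception e2) {
            throw new RangerRazException("Unable to generate DSAS Token....", e2);
        }
    }

    /** Builds {@code abfs://container@account<domain>path} for log and error messages. */
    private String getStorageURI(RangerRazRequest rangerRazRequest) {
        Map resource = rangerRazRequest.getOperation().getResource();
        String host = ((String) resource.get(AbfsUtilConstants.KEY_STORAGE_ACCOUNT)) + AbfsUtilConstants.ABFS_RESOURCE_DOMAIN;
        String container = (String) resource.get(AbfsUtilConstants.KEY_CONTAINER);
        String path = (String) resource.get(AbfsUtilConstants.KEY_RELATIVE_PATH);
        return new StringBuilder("abfs://").append(container).append("@").append(host).append(path).toString();
    }

    /** Returns the named element of the request's resource map (null when absent). */
    private String getResource(RangerRazRequest rangerRazRequest, String key) {
        return (String) rangerRazRequest.getOperation().getResource().get(key);
    }

    /**
     * Static table: abfs operation name to the Ranger access types it requires.
     * {@code _any} and {@code _super_user} are passed through as-is and are presumably
     * handled specially by the policy engine.
     */
    private static Map<String, Set<String>> initOperAccessTypesMap() {
        Map<String, Set<String>> operToAccessTypes = new HashMap<>();
        operToAccessTypes.put(SASTokenConstants.CHECK_ACCESS_OPERATION, Collections.singleton(ACCESS_TYPE_EXECUTE));
        operToAccessTypes.put(SASTokenConstants.CREATE_FILE_OPERATION, Collections.singleton(ACCESS_TYPE_WRITE));
        operToAccessTypes.put(ACCESS_TYPE_DELETE, Collections.singleton(ACCESS_TYPE_DELETE));
        operToAccessTypes.put(ACCESS_TYPE_DELETE_RECURSIVE, Collections.singleton(ACCESS_TYPE_DELETE_RECURSIVE));
        operToAccessTypes.put(SASTokenConstants.GET_ACL_OPERATION, Collections.singleton(ACCESS_TYPE_EXECUTE));
        operToAccessTypes.put(SASTokenConstants.GET_STATUS_OPERATION, Collections.singleton("_any"));
        operToAccessTypes.put(SASTokenConstants.GET_PROPERTIES_OPERATION, Collections.singleton(ACCESS_TYPE_READ));
        operToAccessTypes.put(ACCESS_TYPE_LIST, Collections.singleton(ACCESS_TYPE_LIST));
        operToAccessTypes.put(SASTokenConstants.CREATE_DIRECTORY_OPERATION, Collections.singleton(ACCESS_TYPE_WRITE));
        operToAccessTypes.put(ACCESS_TYPE_READ, Collections.singleton(ACCESS_TYPE_READ));
        operToAccessTypes.put(SASTokenConstants.RENAME_SOURCE_OPERATION, Collections.singleton(ACCESS_TYPE_MOVE));
        operToAccessTypes.put(SASTokenConstants.RENAME_DESTINATION_OPERATION, Collections.singleton(ACCESS_TYPE_MOVE));
        operToAccessTypes.put(SASTokenConstants.SET_ACL_OPERATION, Collections.singleton(ACCESS_TYPE_MODIFY_PERMISSIONS));
        operToAccessTypes.put(SASTokenConstants.SET_OWNER_OPERATION, Collections.singleton("_super_user"));
        operToAccessTypes.put(SASTokenConstants.SET_PERMISSION_OPERATION, Collections.singleton(ACCESS_TYPE_MODIFY_PERMISSIONS));
        operToAccessTypes.put(SASTokenConstants.SET_PROPERTIES_OPERATION, Collections.singleton(ACCESS_TYPE_WRITE));
        operToAccessTypes.put(ACCESS_TYPE_WRITE, Collections.singleton(ACCESS_TYPE_WRITE));
        return Collections.unmodifiableMap(operToAccessTypes);
    }

    /**
     * Access types for an abfs operation. An unknown operation is logged and its raw,
     * client-supplied name is forwarded as the access type; the policy engine and the SAS
     * generator are then the only things bounding what such a name can mean.
     */
    private Set<String> getAccessTypes(String action) {
        Set<String> accessTypes = OPER_ACCESSTYPES.get(action);
        if (accessTypes == null) {
            LOG.error("Unknown operation:[" + action + "]");
            accessTypes = Collections.singleton(action);
        }
        return accessTypes;
    }

    /**
     * Looks up the caller's {@code cloud_id} attribute in the request context's user store.
     *
     * @return the cloud identity, or null when the user store, the user or the attribute is missing
     */
    private String getOidForUser(String user, RangerRazRequestContext rangerRazRequestContext) {
        RangerUserStore userStore = rangerRazRequestContext.getRangerUserStore();
        if (userStore == null) {
            return null;
        }
        Map<?, ?> userAttrMapping = userStore.getUserAttrMapping();
        if (MapUtils.isEmpty(userAttrMapping)) {
            return null;
        }
        Map<?, ?> userAttrs = (Map<?, ?>) userAttrMapping.get(user);
        if (MapUtils.isEmpty(userAttrs)) {
            return null;
        }
        return (String) userAttrs.get(CLOUD_IDENTITY_NAME);
    }

    private boolean isOperationModifyOwner(String action) {
        return SASTokenConstants.SET_OWNER_OPERATION.equals(action);
    }

    private boolean isOperationModifyPermission(String action) {
        return SASTokenConstants.SET_PERMISSION_OPERATION.equals(action);
    }

    /**
     * Reads the SAS lifetime, falling back to one hour when the value is absent or not a
     * positive number of seconds (a zero or negative lifetime would presumably only mint
     * tokens that are already expired).
     */
    private static int readSasExpiryTime(Configuration conf) {
        int configured = conf.getInt(SAS_EXPIRY_TIME_IN_SECONDS, SASGenerator.ONE_HOUR_IN_SECONDS);
        if (configured <= 0) {
            LOG.warn("Ignoring non-positive value {} for {}; using {} seconds", new Object[]{configured, SAS_EXPIRY_TIME_IN_SECONDS, SASGenerator.ONE_HOUR_IN_SECONDS});
            return SASGenerator.ONE_HOUR_IN_SECONDS;
        }
        return configured;
    }

    /** Returns a placeholder instead of the value when the key looks like it names a credential. */
    private static String maskIfSensitive(String key, String value) {
        if (key == null || value == null) {
            return value;
        }
        String lowerKey = key.toLowerCase(Locale.ROOT);
        for (String marker : SENSITIVE_KEY_MARKERS) {
            if (lowerKey.contains(marker)) {
                return "****";
            }
        }
        return value;
    }
}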
