package co.cask.cdap.security.authorization.ranger.binding;

import co.cask.cdap.proto.element.EntityType;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.ArtifactId;
import co.cask.cdap.proto.id.DatasetId;
import co.cask.cdap.proto.id.DatasetModuleId;
import co.cask.cdap.proto.id.DatasetTypeId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.InstanceId;
import co.cask.cdap.proto.id.KerberosPrincipalId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.ProgramId;
import co.cask.cdap.proto.id.SecureKeyId;
import co.cask.cdap.proto.id.StreamId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Authorizable;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.authorization.ranger.commons.RangerCommon;
import co.cask.cdap.security.spi.authorization.AbstractAuthorizer;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Preconditions;
import java.net.InetAddress;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/authorization/ranger/binding/RangerAuthorizer.class */
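/**
 * CDAP authorizer backed by Apache Ranger.
 *
 * <p>Each enforcement request is translated into a {@link RangerAccessRequestImpl}: the CDAP
 * {@link EntityId} is flattened into Ranger resource keys (instance / namespace / artifact / ...)
 * and the request is answered by a {@link RangerBasePlugin} shared by every instance of this
 * class in the JVM. Policy management (grant / revoke / roles) is not done here; policies are
 * administered in Ranger Admin, so those SPI methods throw {@link UnsupportedOperationException}.
 *
 * <p>Decisions fail closed: a missing plugin result, a non-user principal or an entity of an
 * unknown type all end in a denial or an exception, never in an implicit allow.
 *
 * <p>Thread-safety: {@link #initialize} is synchronized and the shared plugin reference is
 * volatile. This source was recovered from a decompiled class file; the decompiler's synthetic
 * switch-map class has been replaced by a direct {@code switch} on {@link EntityType}.
 */
public class RangerAuthorizer extends AbstractAuthorizer {
    private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizer.class);

    /** Ranger service type and application id the plugin is registered under. */
    private static final String RANGER_SERVICE_TYPE = "cdap";
    private static final String RANGER_APP_ID = "cdap";
    /** Extension property naming this CDAP instance; falls back to {@link #DEFAULT_INSTANCE_NAME}. */
    private static final String INSTANCE_NAME_PROPERTY = "instance.name";
    private static final String DEFAULT_INSTANCE_NAME = "cdap";

    // Shared by all authorizer instances in the JVM; assigned only under initialize()'s lock.
    private static volatile RangerBasePlugin rangerPlugin = null;
    // Kept from initialize(); not read by any method in this class.
    private AuthorizationContext context;
    // Instance name used as the root of every namespace-scoped resource.
    private String instanceName;

    /**
     * Initializes the authorizer and, on first use in this JVM, the shared Ranger plugin.
     *
     * @param authorizationContext context supplying the extension properties
     * @throws NullPointerException if no Hadoop login user is available (Kerberos login missing)
     * @throws Exception if the Ranger plugin fails to initialize
     */
    @Override
    public synchronized void initialize(AuthorizationContext authorizationContext) throws Exception {
        this.context = authorizationContext;
        Properties extensionProperties = authorizationContext.getExtensionProperties();
        this.instanceName = extensionProperties.getProperty(INSTANCE_NAME_PROPERTY, DEFAULT_INSTANCE_NAME);
        if (rangerPlugin == null) {
            UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
            Preconditions.checkNotNull(loginUser,
                                       "Kerberos login information is not available. UserGroupInformation is null");
            // Ranger's audit/plugin code resolves the login identity through MiscUtil.
            MiscUtil.setUGILoginUser(loginUser, null);
            LOG.debug("Initializing Ranger CDAP Plugin with UGI {}", loginUser);
            rangerPlugin = new RangerBasePlugin(RANGER_SERVICE_TYPE, RANGER_APP_ID);
        }
        // init() is re-run on every initialize() call, not only when the plugin was just created.
        rangerPlugin.init();
        rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler());
    }

    /**
     * Enforces a single action on an entity.
     *
     * @throws UnauthorizedException if Ranger does not allow {@code action} for {@code principal}
     * @throws Exception if the plugin is not initialized or the Ranger call fails
     */
    @Override
    public void enforce(EntityId entityId, Principal principal, Action action) throws Exception {
        boolean allowed = enforce(entityId, principal,
                                  RangerAccessRequest.ResourceMatchingScope.SELF,
                                  toRangerAccessType(action));
        if (!allowed) {
            throw new UnauthorizedException(principal, action, entityId);
        }
    }

    /**
     * Enforces every action in {@code set}; the first action that is not allowed aborts the call.
     *
     * @throws UnauthorizedException on the first denied action
     * @throws Exception if the plugin is not initialized or the Ranger call fails
     */
    @Override
    public void enforce(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        LOG.debug("Enforce called on entity {}, principal {}, actions {}", new Object[]{entityId, principal, set});
        for (Action action : set) {
            enforce(entityId, principal, action);
        }
    }

    /**
     * Filters {@code set} down to the entities {@code principal} may see. An entity is visible
     * when Ranger grants any access on the entity itself or on any of its descendants.
     *
     * @return a new set holding the visible entities (empty if none)
     * @throws Exception if the plugin is not initialized or a Ranger call fails
     */
    @Override
    public Set<? extends EntityId> isVisible(Set<? extends EntityId> set, Principal principal) throws Exception {
        Set<EntityId> visible = new HashSet<>(set.size());
        for (EntityId entityId : set) {
            if (enforce(entityId, principal,
                        RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS,
                        RangerPolicyEngine.ANY_ACCESS)) {
                visible.add(entityId);
            }
        }
        return visible;
    }

    /** Not supported: privileges are managed in Ranger Admin. */
    @Override
    public void grant(Authorizable authorizable, Principal principal, Set<Action> set) throws Exception {
        throw new UnsupportedOperationException("Please use Ranger Admin UI to grant privileges.");
    }

    /** Not supported: privileges are managed in Ranger Admin. */
    @Override
    public void revoke(Authorizable authorizable, Principal principal, Set<Action> set) throws Exception {
        throw new UnsupportedOperationException("Please use Ranger Admin UI to revoke privileges.");
    }

    /** Not supported: privileges are managed in Ranger Admin. */
    @Override
    public void revoke(Authorizable authorizable) throws Exception {
        throw new UnsupportedOperationException("Please use Ranger Admin UI to revoke privileges.");
    }

    /** Not supported: this plugin has no role model. */
    @Override
    public void createRole(Role role) throws Exception {
        throw new UnsupportedOperationException("Roles are not supported in Ranger plugin.");
    }

    /** Not supported: this plugin has no role model. */
    @Override
    public void dropRole(Role role) throws Exception {
        throw new UnsupportedOperationException("Roles are not supported in Ranger plugin.");
    }

    /** Not supported: this plugin has no role model. */
    @Override
    public void addRoleToPrincipal(Role role, Principal principal) throws Exception {
        throw new UnsupportedOperationException("Roles are not supported in Ranger plugin.");
    }

    /** Not supported: this plugin has no role model. */
    @Override
    public void removeRoleFromPrincipal(Role role, Principal principal) throws Exception {
        throw new UnsupportedOperationException("Roles are not supported in Ranger plugin.");
    }

    /** Not supported: this plugin has no role model. */
    @Override
    public Set<Role> listRoles(Principal principal) throws Exception {
        throw new UnsupportedOperationException("Roles are not supported in Ranger plugin.");
    }

    /** Not supported: this plugin has no role model. */
    @Override
    public Set<Role> listAllRoles() throws Exception {
        throw new UnsupportedOperationException("Roles are not supported in Ranger plugin.");
    }

    /** Not supported: privileges are listed in Ranger Admin. */
    @Override
    public Set<Privilege> listPrivileges(Principal principal) throws Exception {
        throw new UnsupportedOperationException("Please use Ranger Admin UI to list privileges.");
    }

    /**
     * Builds a Ranger access request for {@code entityId} and asks the plugin for a decision.
     *
     * @param entityId entity whose resource hierarchy is sent to Ranger
     * @param principal requesting principal; must be of type {@code USER}
     * @param resourceMatchingScope whether the entity alone or the entity and its descendants are matched
     * @param accessType Ranger access type (lower-cased CDAP action, or {@code ANY_ACCESS})
     * @return {@code true} only if Ranger returned a result that allows the access
     * @throws IllegalStateException if {@link #initialize} has not run in this JVM
     * @throws IllegalArgumentException if the principal is not a user or the entity type is unknown
     * @throws Exception if the Ranger call itself fails (the error is logged and rethrown)
     */
    private boolean enforce(EntityId entityId, Principal principal,
                            RangerAccessRequest.ResourceMatchingScope resourceMatchingScope,
                            String accessType) throws Exception {
        LOG.debug("Enforce called on entity {}, principal {}, action {} and match scope {}",
                  new Object[]{entityId, principal, accessType, resourceMatchingScope});
        // Read the volatile once so the null check and the later call use the same reference.
        RangerBasePlugin plugin = rangerPlugin;
        if (plugin == null) {
            throw new IllegalStateException("CDAP Ranger Authorizer is not initialized.");
        }
        // Only user principals can be mapped to Ranger users/groups; anything else is rejected.
        if (principal.getType() != Principal.PrincipalType.USER) {
            throw new IllegalArgumentException(String.format(
                "The principal type for current enforcement request is '%s'. "
                    + "Authorization enforcement is only supported for '%s'.",
                principal.getType(), Principal.PrincipalType.USER));
        }
        String user = principal.getName();
        // NOTE(review): this is the hostname of the process doing the enforcement, not the
        // address of the remote caller; it is what Ranger receives as the request's "client IP".
        String hostName = InetAddress.getLocalHost().getHostName();
        Set<String> userGroups = MiscUtil.getGroupsForRequestUser(user);
        LOG.debug("Requesting user {}, ip {}, requesting user groups {}", new Object[]{user, hostName, userGroups});

        // Resolve the resource first: an unknown entity type fails before any request is built.
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        setAccessResource(entityId, resource);

        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        request.setUser(user);
        request.setUserGroups(userGroups);
        request.setClientIPAddress(hostName);
        request.setAccessTime(new Date());
        request.setResourceMatchingScope(resourceMatchingScope);
        request.setResource(resource);
        request.setAccessType(accessType);

        boolean allowed = false;
        try {
            RangerAccessResult result = plugin.isAccessAllowed(request);
            if (result == null) {
                // Fail closed: no decision from the plugin is treated as a denial.
                LOG.warn("Unauthorized: Ranger Plugin returned null for this authorization enforcement.");
            } else {
                allowed = result.getIsAllowed();
            }
            return allowed;
        } catch (Throwable t) {
            LOG.warn("Error while calling isAccessAllowed(). request {}", request, t);
            throw t;
        } finally {
            // Logged on both the normal and the exceptional path; "failed" covers both denial and error.
            LOG.trace("Ranger Request {}, authorization {}.", request, allowed ? "successful" : "failed");
        }
    }

    /**
     * Maps a CDAP action to the Ranger access-type name. {@link Locale#ROOT} keeps the mapping
     * independent of the JVM default locale, so the name always matches the policy definition.
     */
    private String toRangerAccessType(Action action) {
        return action.toString().toLowerCase(Locale.ROOT);
    }

    /**
     * Populates {@code resource} with the Ranger resource keys for {@code entityId}, recursing
     * into the entity's parent so that the full hierarchy (instance, namespace, ...) is present.
     * Namespaces and Kerberos principals are rooted at the configured instance name.
     *
     * @throws IllegalArgumentException if the entity type has no Ranger mapping
     */
    private void setAccessResource(EntityId entityId, RangerAccessResourceImpl resource) {
        EntityType entityType = entityId.getEntityType();
        switch (entityType) {
            case INSTANCE:
                resource.setValue(RangerCommon.KEY_INSTANCE, ((InstanceId) entityId).getInstance());
                break;
            case NAMESPACE:
                setAccessResource(new InstanceId(instanceName), resource);
                resource.setValue(RangerCommon.KEY_NAMESPACE, ((NamespaceId) entityId).getNamespace());
                break;
            case ARTIFACT:
                ArtifactId artifactId = (ArtifactId) entityId;
                setAccessResource(artifactId.getParent(), resource);
                resource.setValue(RangerCommon.KEY_ARTIFACT, artifactId.getArtifact());
                break;
            case APPLICATION:
                ApplicationId applicationId = (ApplicationId) entityId;
                setAccessResource(applicationId.getParent(), resource);
                resource.setValue(RangerCommon.KEY_APPLICATION, applicationId.getApplication());
                break;
            case DATASET:
                DatasetId datasetId = (DatasetId) entityId;
                setAccessResource(datasetId.getParent(), resource);
                resource.setValue(RangerCommon.KEY_DATASET, datasetId.getDataset());
                break;
            case DATASET_MODULE:
                DatasetModuleId datasetModuleId = (DatasetModuleId) entityId;
                setAccessResource(datasetModuleId.getParent(), resource);
                resource.setValue(RangerCommon.KEY_DATASET_MODULE, datasetModuleId.getModule());
                break;
            case DATASET_TYPE:
                DatasetTypeId datasetTypeId = (DatasetTypeId) entityId;
                setAccessResource(datasetTypeId.getParent(), resource);
                resource.setValue(RangerCommon.KEY_DATASET_TYPE, datasetTypeId.getType());
                break;
            case STREAM:
                StreamId streamId = (StreamId) entityId;
                setAccessResource(streamId.getParent(), resource);
                resource.setValue(RangerCommon.KEY_STREAM, streamId.getStream());
                break;
            case PROGRAM:
                ProgramId programId = (ProgramId) entityId;
                setAccessResource(programId.getParent(), resource);
                // Program resources are keyed as "<type>.<name>"; the type name is locale-independent.
                resource.setValue(RangerCommon.KEY_PROGRAM,
                                  programId.getType().getPrettyName().toLowerCase(Locale.ROOT)
                                      + "." + programId.getProgram());
                break;
            case SECUREKEY:
                SecureKeyId secureKeyId = (SecureKeyId) entityId;
                setAccessResource(secureKeyId.getParent(), resource);
                resource.setValue(RangerCommon.KEY_SECUREKEY, secureKeyId.getName());
                break;
            case KERBEROSPRINCIPAL:
                setAccessResource(new InstanceId(instanceName), resource);
                resource.setValue(RangerCommon.KEY_PRINCIPAL, ((KerberosPrincipalId) entityId).getPrincipal());
                break;
            default:
                throw new IllegalArgumentException(
                    String.format("The entity %s is of unknown type %s", entityId, entityType));
        }
    }
}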
