package org.apache.ranger.plugin.service;

import java.util.Collection;
import java.util.Hashtable;
import java.util.Map;
import java.util.Timer;
import java.util.TimerTask;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.log4j.Priority;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.admin.client.RangerAdminRESTClient;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.PolicyRefresher;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.eclipse.persistence.jpa.jpql.parser.Expression;

/* loaded from: input_file:lib/ranger-plugins-common-0.7.0.jar:org/apache/ranger/plugin/service/RangerBasePlugin.class */
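/**
 * Base class of a Ranger authorization plugin. It reads the plugin configuration, starts the
 * {@link PolicyRefresher}, holds the current {@link RangerPolicyEngine} and forwards access
 * checks to it.
 *
 * <p><b>No-decision results.</b> Every evaluation method ({@code isAccessAllowed},
 * {@code evalDataMaskPolicies}, {@code evalRowFilterPolicies}, {@code getResourceAccessInfo})
 * returns {@code null} while no policy engine is installed: before the first
 * {@link #setPolicies(ServicePolicies)} with a non-null argument, after
 * {@code setPolicies(null)}, or after {@link #cleanup()}. A {@code null} result is "no decision";
 * callers must not read it as permission.
 *
 * <p>NOTE(review): {@code policyEngine} and {@code refresher} are plain (non-volatile) fields,
 * yet {@code policyEngine} is also read on the {@code PolicyEngineRefreshTimer} thread.
 * Presumably {@code setPolicies} is called from the refresher thread as well. Confirm that
 * cross-thread visibility is handled as intended.
 */
public class RangerBasePlugin {
    private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class);
    public static final char RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR = ',';
    private String serviceType;
    private String appId;
    private Timer policyEngineRefreshTimer;
    private String serviceName = null;
    private PolicyRefresher refresher = null;
    private RangerPolicyEngine policyEngine = null;
    private RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
    private RangerAccessResultProcessor resultProcessor = null;
    private boolean useForwardedIPAddress = false;
    private String[] trustedProxyAddresses = null;
    // Per-message throttling state for logErrorMessage(), keyed by the message text.
    Map<String, LogHistory> logHistoryList = new Hashtable<>();
    // Minimum gap, in milliseconds, between two emissions of the same message (30 seconds).
    // Written as a literal: the listing borrowed the value 30000 from log4j's Priority.WARN_INT,
    // which has nothing to do with a time interval.
    int logInterval = 30000;

    /** Throttling record for one distinct error message. */
    static class LogHistory {
        // Wall-clock time (System.currentTimeMillis) at which the message was last written.
        long lastLogTime = 0;
        // Number of occurrences suppressed since the message was last written.
        int counter = 0;
    }

    /** Timer task that asks the plugin's current policy engine, if any, to reorder its evaluators. */
    private static final class PolicyEngineRefresher extends TimerTask {
        private final RangerBasePlugin plugin;

        PolicyEngineRefresher(RangerBasePlugin rangerBasePlugin) {
            this.plugin = rangerBasePlugin;
        }

        @Override
        public void run() {
            // Read the field once so a concurrent setPolicies()/cleanup() cannot null it between
            // the check and the call.
            RangerPolicyEngine engine = this.plugin.policyEngine;
            if (engine != null) {
                engine.reorderPolicyEvaluators();
            }
        }
    }

    /**
     * @param str  service type; used to build the {@code ranger.plugin.<serviceType>} property prefix
     * @param str2 application id passed to audit initialisation, the refresher and the policy engine
     */
    public RangerBasePlugin(String str, String str2) {
        this.serviceType = str;
        this.appId = str2;
    }

    /** @return the service type given at construction */
    public String getServiceType() {
        return this.serviceType;
    }

    /** @return the service definition of the current policy engine, or {@code null} if none is installed */
    public RangerServiceDef getServiceDef() {
        RangerPolicyEngine engine = this.policyEngine;
        if (engine != null) {
            return engine.getServiceDef();
        }
        return null;
    }

    /** @return the id of the current service definition, or {@code -1} when it (or its id) is unavailable */
    public int getServiceDefId() {
        RangerServiceDef serviceDef = getServiceDef();
        if (serviceDef == null || serviceDef.getId() == null) {
            return -1;
        }
        return serviceDef.getId().intValue();
    }

    /** @return the application id given at construction */
    public String getAppId() {
        return this.appId;
    }

    /** @return the service name read by {@link #init()}, or {@code null} before init / after cleanup */
    public String getServiceName() {
        return this.serviceName;
    }

    /**
     * Re-initialises the plugin: releases any previous state, loads the configuration for this
     * service type, starts the policy refresher and, unless disabled, schedules periodic
     * reordering of policy evaluators.
     *
     * <p>All properties are read under the prefix {@code ranger.plugin.<serviceType>}.
     */
    public void init() {
        cleanup();
        RangerConfiguration.getInstance().addResourcesForServiceType(this.serviceType);
        RangerConfiguration.getInstance().initAudit(this.appId);
        String propertyPrefix = "ranger.plugin." + this.serviceType;
        long pollIntervalMs = RangerConfiguration.getInstance().getLong(propertyPrefix + ".policy.pollIntervalMs", 30000L);
        String cacheDir = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.cache.dir");
        this.serviceName = RangerConfiguration.getInstance().get(propertyPrefix + ".service.name");
        this.useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".use.x-forwarded-for.ipaddress", false);
        String trustedProxies = RangerConfiguration.getInstance().get(propertyPrefix + ".trusted.proxy.ipaddresses");
        this.trustedProxyAddresses = StringUtils.split(trustedProxies, ',');
        if (this.trustedProxyAddresses != null) {
            for (int i = 0; i < this.trustedProxyAddresses.length; i++) {
                this.trustedProxyAddresses[i] = this.trustedProxyAddresses[i].trim();
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(propertyPrefix + ".use.x-forwarded-for.ipaddress:" + this.useForwardedIPAddress);
            LOG.debug(propertyPrefix + ".trusted.proxy.ipaddresses:[" + StringUtils.join(this.trustedProxyAddresses, ", ") + "]");
        }
        // Forwarded-address handling enabled without a trusted-proxy list is only warned about;
        // initialisation continues. A forwarded address is whatever the requester sent unless a
        // proxy in front rewrites it, so deployments that rely on client-IP policy conditions or
        // on the audited client IP should configure the proxy list.
        // NOTE(review): how the two settings are applied is decided in RangerPolicyEngineImpl - confirm there.
        if (this.useForwardedIPAddress && StringUtils.isBlank(trustedProxies)) {
            LOG.warn("Property " + propertyPrefix + ".use.x-forwarded-for.ipaddress is set to true, and Property " + propertyPrefix + ".trusted.proxy.ipaddresses is not set");
            LOG.warn("Ranger plugin will trust RemoteIPAddress and treat first X-Forwarded-Address in the access-request as the clientIPAddress");
        }
        this.policyEngineOptions.evaluatorType = RangerConfiguration.getInstance().get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO);
        this.policyEngineOptions.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true);
        this.policyEngineOptions.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false);
        this.policyEngineOptions.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false);
        this.policyEngineOptions.disableTagPolicyEvaluation = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false);
        this.policyEngineOptions.disableTrieLookupPrefilter = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
        this.refresher = new PolicyRefresher(this, this.serviceType, this.appId, this.serviceName, createAdminClient(this.serviceName, this.appId, propertyPrefix), pollIntervalMs, cacheDir);
        this.refresher.setDaemon(true);
        this.refresher.startRefresher();
        long reorderIntervalMs = RangerConfiguration.getInstance().getLong(propertyPrefix + ".policy.policyReorderInterval", 60000L);
        // Values from 0 to 14999 are raised to a 15 second floor; only a negative value survives
        // to the "<= 0" test below and disables reordering.
        if (reorderIntervalMs >= 0 && reorderIntervalMs < 15000) {
            reorderIntervalMs = 15000;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(propertyPrefix + ".policy.policyReorderInterval:" + reorderIntervalMs);
        }
        if (reorderIntervalMs <= 0) {
            LOG.info("Policies will NOT be reordered based on number of evaluations because " + propertyPrefix + ".policy.policyReorderInterval is set to a negative number[" + reorderIntervalMs + "]");
            return;
        }
        this.policyEngineRefreshTimer = new Timer("PolicyEngineRefreshTimer", true);
        try {
            this.policyEngineRefreshTimer.schedule(new PolicyEngineRefresher(this), reorderIntervalMs, reorderIntervalMs);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Scheduled PolicyEngineRefresher to reorder policies nbased on number of evaluations in and every " + reorderIntervalMs + " milliseconds");
            }
        } catch (IllegalStateException e) {
            LOG.error("Error scheduling policyEngineRefresher:", e);
            LOG.error("*** PolicyEngine will NOT be reorderd based on number of evaluations every " + reorderIntervalMs + " milliseconds ***");
            this.policyEngineRefreshTimer = null;
        }
    }

    /**
     * Installs a policy engine built from {@code servicePolicies}, or removes the engine when the
     * argument is {@code null} (after which evaluation methods return {@code null}).
     *
     * <p>If building the new engine throws, the error is logged and the previously installed
     * engine stays in place, so the plugin keeps enforcing the older policy set. The log message
     * is the only signal that policies are stale.
     *
     * @param servicePolicies policies to enforce, or {@code null} to clear the engine
     */
    public void setPolicies(ServicePolicies servicePolicies) {
        try {
            RangerPolicyEngine previousEngine = this.policyEngine;
            if (servicePolicies == null) {
                this.policyEngine = null;
            } else {
                // The field is assigned only after construction and configuration succeed, so
                // readers never observe a half-configured engine through this path.
                RangerPolicyEngineImpl newEngine = new RangerPolicyEngineImpl(this.appId, servicePolicies, this.policyEngineOptions);
                newEngine.setUseForwardedIPAddress(this.useForwardedIPAddress);
                newEngine.setTrustedProxyAddresses(this.trustedProxyAddresses);
                this.policyEngine = newEngine;
            }
            if (previousEngine != null && !previousEngine.preCleanup()) {
                LOG.error("preCleanup() failed on the previous policy engine instance !!");
            }
        } catch (Exception e) {
            LOG.error("setPolicies: policy engine initialization failed!  Leaving current policy engine as-is. Exception : ", e);
        }
    }

    /**
     * Detaches and stops the refresher, the reorder timer and the policy engine, and clears the
     * service name. The fields are cleared first and the captured instances shut down afterwards.
     */
    public void cleanup() {
        PolicyRefresher oldRefresher = this.refresher;
        RangerPolicyEngine oldEngine = this.policyEngine;
        Timer oldTimer = this.policyEngineRefreshTimer;
        this.serviceName = null;
        this.policyEngine = null;
        this.refresher = null;
        this.policyEngineRefreshTimer = null;
        if (oldRefresher != null) {
            oldRefresher.stopRefresher();
        }
        if (oldTimer != null) {
            oldTimer.cancel();
        }
        if (oldEngine != null) {
            oldEngine.cleanup();
        }
    }

    /** Sets the processor used by the one-argument {@code isAccessAllowed} overloads. */
    public void setResultProcessor(RangerAccessResultProcessor rangerAccessResultProcessor) {
        this.resultProcessor = rangerAccessResultProcessor;
    }

    /** @return the processor set via {@link #setResultProcessor}, possibly {@code null} */
    public RangerAccessResultProcessor getResultProcessor() {
        return this.resultProcessor;
    }

    /** Evaluates one request with the plugin's default result processor; {@code null} if no engine is installed. */
    public RangerAccessResult isAccessAllowed(RangerAccessRequest rangerAccessRequest) {
        return isAccessAllowed(rangerAccessRequest, this.resultProcessor);
    }

    /** Evaluates several requests with the plugin's default result processor; {@code null} if no engine is installed. */
    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> collection) {
        return isAccessAllowed(collection, this.resultProcessor);
    }

    /**
     * Pre-processes and evaluates one access request on the current policy engine.
     *
     * @return the engine's result, or {@code null} when no engine is installed (no decision - not a grant)
     */
    public RangerAccessResult isAccessAllowed(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine engine = this.policyEngine;
        if (engine == null) {
            return null;
        }
        engine.preProcess(rangerAccessRequest);
        return engine.isAccessAllowed(rangerAccessRequest, rangerAccessResultProcessor);
    }

    /**
     * Pre-processes and evaluates a batch of access requests on the current policy engine.
     *
     * @return the engine's results, or {@code null} when no engine is installed (no decision - not a grant)
     */
    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> collection, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine engine = this.policyEngine;
        if (engine == null) {
            return null;
        }
        engine.preProcess(collection);
        return engine.isAccessAllowed(collection, rangerAccessResultProcessor);
    }

    /**
     * Evaluates data-mask policies for the request.
     *
     * @return the engine's result, or {@code null} when no engine is installed; a caller that
     *         skips masking on {@code null} would return unmasked data
     */
    public RangerDataMaskResult evalDataMaskPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine engine = this.policyEngine;
        if (engine == null) {
            return null;
        }
        engine.preProcess(rangerAccessRequest);
        return engine.evalDataMaskPolicies(rangerAccessRequest, rangerAccessResultProcessor);
    }

    /**
     * Evaluates row-filter policies for the request.
     *
     * @return the engine's result, or {@code null} when no engine is installed; a caller that
     *         skips filtering on {@code null} would return unfiltered rows
     */
    public RangerRowFilterResult evalRowFilterPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine engine = this.policyEngine;
        if (engine == null) {
            return null;
        }
        engine.preProcess(rangerAccessRequest);
        return engine.evalRowFilterPolicies(rangerAccessRequest, rangerAccessResultProcessor);
    }

    /** @return access information for the request's resource, or {@code null} when no engine is installed */
    public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest rangerAccessRequest) {
        RangerPolicyEngine engine = this.policyEngine;
        if (engine == null) {
            return null;
        }
        engine.preProcess(rangerAccessRequest);
        return engine.getResourceAccessInfo(rangerAccessRequest);
    }

    /**
     * Sends a grant request to Ranger admin through the refresher's admin client and audits the
     * outcome.
     *
     * <p>The audit call sits in a {@code finally} block so that exactly one record is produced
     * per call. The previous form audited success inside the {@code try}, so a failure of that
     * audit call fell into the catch-all handler and produced a second, contradictory "failed"
     * record for a grant that had already been applied.
     *
     * @throws Exception if no admin client is available or the admin call fails
     */
    public void grantAccess(GrantRevokeRequest grantRevokeRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        // The log prefix names RangerAdminRESTClient although this is RangerBasePlugin; it is
        // left unchanged so existing log searches keep matching.
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAdminRESTClient.grantAccess(" + grantRevokeRequest + ")");
        }
        PolicyRefresher currentRefresher = this.refresher;
        RangerAdminClient adminClient = currentRefresher == null ? null : currentRefresher.getRangerAdminClient();
        boolean succeeded = false;
        try {
            if (adminClient == null) {
                throw new Exception("ranger-admin client is null");
            }
            adminClient.grantAccess(grantRevokeRequest);
            succeeded = true;
        } finally {
            auditGrantRevoke(grantRevokeRequest, "grant", succeeded, rangerAccessResultProcessor);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAdminRESTClient.grantAccess(" + grantRevokeRequest + ")");
        }
    }

    /**
     * Sends a revoke request to Ranger admin through the refresher's admin client and audits the
     * outcome. The audit call sits in a {@code finally} block so that exactly one record is
     * produced per call, for the same reason as in {@link #grantAccess}.
     *
     * @throws Exception if no admin client is available or the admin call fails
     */
    public void revokeAccess(GrantRevokeRequest grantRevokeRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAdminRESTClient.revokeAccess(" + grantRevokeRequest + ")");
        }
        PolicyRefresher currentRefresher = this.refresher;
        RangerAdminClient adminClient = currentRefresher == null ? null : currentRefresher.getRangerAdminClient();
        boolean succeeded = false;
        try {
            if (adminClient == null) {
                throw new Exception("ranger-admin client is null");
            }
            adminClient.revokeAccess(grantRevokeRequest);
            succeeded = true;
        } finally {
            auditGrantRevoke(grantRevokeRequest, "revoke", succeeded, rangerAccessResultProcessor);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAdminRESTClient.revokeAccess(" + grantRevokeRequest + ")");
        }
    }

    /**
     * Creates and initialises the client that fetches policies.
     *
     * <p>If {@code <str3>.policy.source.impl} is set, the named class is loaded and instantiated
     * through its no-argument constructor. If that fails with any {@link Exception}, or the
     * property is empty, a {@link RangerAdminRESTClient} is used instead.
     *
     * <p>Security: the class name comes straight from configuration, and the resulting object
     * supplies the policies this plugin enforces. Write access to the plugin configuration is
     * therefore equivalent to choosing code that runs in-process and to choosing the policy
     * source. Restrict that file accordingly. The fallback is logged at error level only, so a
     * mistyped class name silently switches the policy source to the REST client.
     *
     * @param str  service name, passed to {@code RangerAdminClient.init}
     * @param str2 application id, passed to {@code RangerAdminClient.init}
     * @param str3 configuration property prefix
     * @return an initialised admin client, never {@code null}
     */
    public static RangerAdminClient createAdminClient(String str, String str2, String str3) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAdminRESTClient.createAdminClient(" + str + ", " + str2 + ", " + str3 + ")");
        }
        RangerAdminClient adminClient = null;
        String implPropertyName = str3 + ".policy.source.impl";
        String implClassName = RangerConfiguration.getInstance().get(implPropertyName);
        if (!StringUtils.isEmpty(implClassName)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("Value for property[%s] was [%s].", implPropertyName, implClassName));
            }
            try {
                // A class of the wrong type surfaces as ClassCastException and takes the same
                // fallback path as a missing class.
                adminClient = (RangerAdminClient) Class.forName(implClassName).newInstance();
            } catch (Exception e) {
                // The closing quote is a plain literal; the listing took it from an unrelated
                // JPQL parser constant.
                LOG.error("failed to instantiate policy source of type '" + implClassName + "'. Will use policy source of type '" + RangerAdminRESTClient.class.getName() + "'", e);
            }
        } else if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("Value for property[%s] was null or empty. Unexpected! Will use policy source of type[%s]", implPropertyName, RangerAdminRESTClient.class.getName()));
        }
        if (adminClient == null) {
            adminClient = new RangerAdminRESTClient();
        }
        adminClient.init(str, str2, str3);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAdminRESTClient.createAdminClient(" + str + ", " + str2 + ", " + str3 + "): policySourceImpl=" + implClassName + ", client=" + adminClient);
        }
        return adminClient;
    }

    /**
     * Emits an audit record for a grant or revoke, if policy marks the operation as audited.
     *
     * <p>No record is produced when the request or processor is {@code null}, when no policy
     * engine is installed (the lookup returns {@code null}), or when the lookup result is not
     * flagged as audited. Grants and revokes issued while the engine is absent therefore leave
     * no trace through this path.
     *
     * @param grantRevokeRequest          the grant/revoke request being audited
     * @param str                         action name, {@code "grant"} or {@code "revoke"}
     * @param z                           whether the admin call succeeded
     * @param rangerAccessResultProcessor receiver of the audit result
     */
    private void auditGrantRevoke(GrantRevokeRequest grantRevokeRequest, String str, boolean z, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (grantRevokeRequest == null || rangerAccessResultProcessor == null) {
            return;
        }
        RangerAccessRequestImpl auditRequest = new RangerAccessRequestImpl();
        auditRequest.setResource(new RangerAccessResourceImpl(grantRevokeRequest.getResource()));
        auditRequest.setUser(grantRevokeRequest.getGrantor());
        auditRequest.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
        auditRequest.setAction(str);
        auditRequest.setClientIPAddress(grantRevokeRequest.getClientIPAddress());
        auditRequest.setClientType(grantRevokeRequest.getClientType());
        auditRequest.setRequestData(grantRevokeRequest.getRequestData());
        auditRequest.setSessionId(grantRevokeRequest.getSessionId());
        // Evaluated with a null processor: this admin-access lookup is used only to learn
        // whether the operation is audited; the record itself is sent below.
        RangerAccessResult auditResult = isAccessAllowed(auditRequest, (RangerAccessResultProcessor) null);
        if (auditResult == null || !auditResult.getIsAudited()) {
            return;
        }
        // Report the real action and the real outcome of the admin call, not the policy decision
        // of the lookup above.
        auditRequest.setAccessType(str);
        auditResult.setIsAllowed(z);
        if (!z) {
            auditResult.setPolicyId(-1L);
        }
        rangerAccessResultProcessor.processResult(auditResult);
    }

    /**
     * Logs {@code str} at error level at most once per {@code logInterval} milliseconds; repeats
     * inside the window are counted and reported with the next emission.
     *
     * <p>NOTE(review): entries are keyed by the full message and never removed in this class, so
     * messages that embed variable data (user names, resource paths) grow the map without bound.
     * The get/put and counter updates are also not atomic as a group; counts may be approximate
     * under concurrent callers.
     *
     * @param str message to log
     * @return {@code true} if the message was written, {@code false} if it was suppressed
     */
    public boolean logErrorMessage(String str) {
        LogHistory history = this.logHistoryList.get(str);
        if (history == null) {
            history = new LogHistory();
            this.logHistoryList.put(str, history);
        }
        if (System.currentTimeMillis() - history.lastLogTime <= this.logInterval) {
            history.counter++;
            return false;
        }
        history.lastLogTime = System.currentTimeMillis();
        int suppressed = history.counter;
        history.counter = 0;
        if (suppressed > 0) {
            str = str + ". Messages suppressed before: " + suppressed;
        }
        LOG.error(str);
        return true;
    }
}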
