package co.cask.cdap.security.authorization.sentry.binding;

import co.cask.cdap.proto.element.EntityType;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.ArtifactId;
import co.cask.cdap.proto.id.DatasetId;
import co.cask.cdap.proto.id.DatasetModuleId;
import co.cask.cdap.proto.id.DatasetTypeId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.InstanceId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.ProgramId;
import co.cask.cdap.proto.id.SecureKeyId;
import co.cask.cdap.proto.id.StreamId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.authorization.sentry.binding.conf.AuthConf;
import co.cask.cdap.security.authorization.sentry.model.ActionFactory;
import co.cask.cdap.security.authorization.sentry.model.Application;
import co.cask.cdap.security.authorization.sentry.model.Artifact;
import co.cask.cdap.security.authorization.sentry.model.Authorizable;
import co.cask.cdap.security.authorization.sentry.model.Dataset;
import co.cask.cdap.security.authorization.sentry.model.DatasetModule;
import co.cask.cdap.security.authorization.sentry.model.DatasetType;
import co.cask.cdap.security.authorization.sentry.model.Instance;
import co.cask.cdap.security.authorization.sentry.model.Namespace;
import co.cask.cdap.security.authorization.sentry.model.Program;
import co.cask.cdap.security.authorization.sentry.model.SecureKey;
import co.cask.cdap.security.authorization.sentry.model.Stream;
import co.cask.cdap.security.authorization.sentry.policy.ModelAuthorizables;
import co.cask.cdap.security.spi.authorization.RoleAlreadyExistsException;
import co.cask.cdap.security.spi.authorization.RoleNotFoundException;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Function;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.collect.Collections2;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.lang.reflect.Constructor;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.annotation.Nullable;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
import org.apache.shiro.io.ResourceUtils;
import org.apache.tools.ant.taskdefs.XSLTLiaison;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:co/cask/cdap/security/authorization/sentry/binding/AuthBinding.class */
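/**
 * Adapter between CDAP's authorization model ({@link EntityId}, {@link Principal}, {@link Role},
 * {@link Action}) and an Apache Sentry generic-model service.
 *
 * <p>Role and privilege changes are sent through a {@link SentryGenericServiceClient} that is opened
 * and closed for every call (see {@link #execute(Command)}); access checks are delegated to the
 * {@link AuthorizationProvider} built from the Sentry site configuration.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The overloads without a requesting-user argument pass {@code sentryAdminGroup} to Sentry as
 *       the requestor. Nothing in this class checks whether the original caller may manage roles or
 *       privileges, so that check has to happen before these methods are reached.</li>
 *   <li>The provider, provider-backend and policy-engine class names are read from the Sentry site
 *       file and instantiated reflectively, so that file must be writable by trusted administrators
 *       only.</li>
 * </ul>
 *
 * <p>This listing comes from a decompiler, which reported widening several members (the constructor,
 * most methods and {@link Command}) from package-private or private to public.
 */
public class AuthBinding {
    private static final Logger LOG = LoggerFactory.getLogger(AuthBinding.class);
    private static final String COMPONENT_NAME = "cdap";
    private final AuthConf authConf;
    private final String instanceName;
    private final String sentryAdminGroup;
    // Assigned at the end of the constructor: createAuthProvider() reads authConf and instanceName,
    // and a field initializer would run before the constructor body has set them.
    private final AuthorizationProvider authProvider;
    private final ActionFactory actionFactory = new ActionFactory();

    /**
     * Unit of work that needs an open Sentry client.
     *
     * @param <T> result type of the operation
     */
    public interface Command<T> {
        T run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception;
    }

    /**
     * Loads the Sentry configuration and builds the authorization provider.
     *
     * @param str path or {@code file} URL of sentry-site.xml
     * @param str2 CDAP instance name, used as the Sentry service name
     * @param str3 identity sent to Sentry as the requestor when a method is called without an
     *     explicit requesting user (stored as {@code sentryAdminGroup})
     * @throws IllegalArgumentException if {@code str} is null, empty or not a valid URL
     */
    public AuthBinding(String str, String str2, String str3) {
        this.authConf = initAuthzConf(str);
        this.instanceName = str2;
        this.sentryAdminGroup = str3;
        this.authProvider = createAuthProvider();
    }

    /**
     * Grants {@code set} on {@code entityId} to {@code role}, with {@code sentryAdminGroup} as the
     * requestor.
     *
     * @throws RoleNotFoundException if the role does not exist
     */
    public void grant(EntityId entityId, Role role, Set<Action> set) throws RoleNotFoundException {
        grant(entityId, role, set, this.sentryAdminGroup);
    }

    /**
     * Grants each action in {@code set} on {@code entityId} to {@code role}; one Sentry call per
     * action.
     *
     * @param str requesting user passed to Sentry
     * @throws RoleNotFoundException if the role does not exist
     */
    public void grant(final EntityId entityId, final Role role, Set<Action> set, final String str) throws RoleNotFoundException {
        // The existence check and the grant below are separate Sentry calls, so they are not atomic.
        if (!roleExists(role)) {
            throw new RoleNotFoundException(role);
        }
        LOG.debug("Granting actions {} on entity {} for role {}; Requesting user: {}", set, entityId, role, str);
        for (final Action action : set) {
            execute(new Command<Void>() {
                @Override
                public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                    sentryGenericServiceClient.grantPrivilege(str, role.getName(), COMPONENT_NAME, toTSentryPrivilege(entityId, action));
                    return null;
                }
            });
        }
    }

    /**
     * Revokes each action in {@code set} on {@code entityId} from {@code role}; one Sentry call per
     * action.
     *
     * @param str requesting user passed to Sentry
     * @throws RoleNotFoundException if the role does not exist
     */
    public void revoke(final EntityId entityId, final Role role, Set<Action> set, final String str) throws RoleNotFoundException {
        if (!roleExists(role)) {
            throw new RoleNotFoundException(role);
        }
        LOG.debug("Revoking actions {} on entity {} from role {}; Requesting user: {}", set, entityId, role, str);
        for (final Action action : set) {
            execute(new Command<Void>() {
                @Override
                public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                    sentryGenericServiceClient.revokePrivilege(str, role.getName(), COMPONENT_NAME, toTSentryPrivilege(entityId, action));
                    return null;
                }
            });
        }
    }

    /** Drops every privilege on {@code entityId}, with {@code sentryAdminGroup} as the requestor. */
    public void revoke(EntityId entityId) {
        revoke(entityId, this.sentryAdminGroup);
    }

    /**
     * Drops every privilege, across all roles, whose authorizable chain equals that of
     * {@code entityId}.
     *
     * <p>The comparison is exact list equality, so privileges recorded on child entities (which have
     * a longer chain) are left in place. The privilege listing itself is requested as
     * {@code sentryAdminGroup}; only the drop calls carry {@code str}.
     *
     * @param str requesting user passed to Sentry for the drop calls
     */
    void revoke(EntityId entityId, final String str) {
        final List<TSentryPrivilege> allPrivileges = getAllPrivileges(listAllRoles());
        final List<TAuthorizable> target = toTAuthorizable(entityId);
        LOG.debug("Revoking all actions for all users from entity {}; Requesting user: {}", entityId, str);
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                for (TSentryPrivilege privilege : allPrivileges) {
                    if (target.equals(privilege.getAuthorizables())) {
                        sentryGenericServiceClient.dropPrivilege(str, COMPONENT_NAME, privilege);
                    }
                }
                return null;
            }
        });
    }

    /**
     * Asks the authorization provider whether {@code principal} may perform {@code set} on
     * {@code entityId}.
     *
     * <p>The check is made with {@link ActiveRoleSet#ALL}. Only the principal's name is passed on;
     * its type is not.
     *
     * @return the provider's {@code hasAccess} result
     */
    public boolean authorize(EntityId entityId, Principal principal, Set<Action> set) {
        Set<ActionFactory.Action> sentryActions = Sets.newHashSet(Collections2.transform(set, new Function<Action, ActionFactory.Action>() {
            @Override
            public ActionFactory.Action apply(Action action) {
                return actionFactory.getActionByName(action.name());
            }
        }));
        return this.authProvider.hasAccess(new Subject(principal.getName()), toSentryAuthorizables(entityId), sentryActions, ActiveRoleSet.ALL);
    }

    /** Returns the privileges held by the roles that {@code principal} maps to. */
    public Set<Privilege> listPrivileges(Principal principal) {
        Set<Role> roles = getRoles(principal, this.sentryAdminGroup);
        LOG.debug("Listing all privileges for {};", principal);
        return toPrivileges(getAllPrivileges(roles));
    }

    /**
     * Converts Sentry privileges to CDAP privileges; entries without authorizables are skipped.
     *
     * @throws IllegalArgumentException if an action or authorizable type returned by Sentry has no
     *     matching enum constant
     */
    @VisibleForTesting
    Set<Privilege> toPrivileges(List<TSentryPrivilege> list) {
        Set<Privilege> privileges = new HashSet<Privilege>();
        for (TSentryPrivilege sentryPrivilege : list) {
            List<TAuthorizable> authorizables = sentryPrivilege.getAuthorizables();
            if (authorizables.isEmpty()) {
                continue;
            }
            // Walk the chain from the root: each step resolves against the entity built so far.
            EntityId entityId = null;
            for (TAuthorizable authorizable : authorizables) {
                entityId = toEntityId(authorizable, entityId);
            }
            // Locale.ROOT keeps the enum lookup independent of the JVM's default locale, which
            // otherwise changes how some letters are upper-cased (e.g. 'i' under a Turkish locale).
            String actionName = sentryPrivilege.getAction().toUpperCase(java.util.Locale.ROOT);
            privileges.add(new Privilege(entityId, Action.valueOf(actionName)));
        }
        return privileges;
    }

    /**
     * Creates {@code role}, with {@code sentryAdminGroup} as the requestor.
     *
     * @throws RoleAlreadyExistsException if the role already exists
     */
    public void createRole(Role role) throws RoleAlreadyExistsException {
        createRole(role, this.sentryAdminGroup);
    }

    /**
     * Creates {@code role} in Sentry.
     *
     * @param str requesting user passed to Sentry
     * @throws RoleAlreadyExistsException if the role already exists
     */
    public void createRole(final Role role, final String str) throws RoleAlreadyExistsException {
        if (roleExists(role)) {
            throw new RoleAlreadyExistsException(role);
        }
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.createRole(str, role.getName(), COMPONENT_NAME);
                LOG.debug("Created role {}; Requesting user: {}", role, str);
                return null;
            }
        });
    }

    /**
     * Drops {@code role}, with {@code sentryAdminGroup} as the requestor.
     *
     * @throws RoleNotFoundException if the role does not exist
     */
    public void dropRole(Role role) throws RoleNotFoundException {
        dropRole(role, this.sentryAdminGroup);
    }

    /**
     * Drops {@code role} from Sentry.
     *
     * @param str requesting user passed to Sentry
     * @throws RoleNotFoundException if the role does not exist
     */
    public void dropRole(final Role role, final String str) throws RoleNotFoundException {
        if (!roleExists(role)) {
            throw new RoleNotFoundException(role);
        }
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.dropRole(str, role.getName(), COMPONENT_NAME);
                LOG.debug("Dropped role {}; Requesting user: {}", role, str);
                return null;
            }
        });
    }

    /**
     * Lists the roles of {@code principal}.
     *
     * @param str requesting user passed to Sentry
     */
    public Set<Role> listRolesForGroup(Principal principal, String str) {
        return getRoles(principal, str);
    }

    /** Lists every role known to Sentry for this component, requested as {@code sentryAdminGroup}. */
    public Set<Role> listAllRoles() {
        return getRoles(null, this.sentryAdminGroup);
    }

    /**
     * Adds {@code role} to the group named by {@code principal}, with {@code sentryAdminGroup} as the
     * requestor.
     *
     * @throws RoleNotFoundException if the role does not exist
     */
    public void addRoleToGroup(Role role, Principal principal) throws RoleNotFoundException {
        addRoleToGroup(role, principal, this.sentryAdminGroup);
    }

    /**
     * Adds {@code role} to the group named by {@code principal}.
     *
     * <p>The principal's name is used as the group name; its type is not checked here.
     *
     * @param str requesting user passed to Sentry
     * @throws RoleNotFoundException if the role does not exist
     */
    public void addRoleToGroup(final Role role, final Principal principal, final String str) throws RoleNotFoundException {
        if (!roleExists(role)) {
            throw new RoleNotFoundException(role);
        }
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.addRoleToGroups(str, role.getName(), COMPONENT_NAME, ImmutableSet.of(principal.getName()));
                return null;
            }
        });
    }

    /**
     * Removes {@code role} from the group named by {@code principal}.
     *
     * <p>The principal's name is used as the group name; its type is not checked here.
     *
     * @param str requesting user passed to Sentry
     * @throws RoleNotFoundException if the role does not exist
     */
    public void removeRoleFromGroup(final Role role, final Principal principal, final String str) throws RoleNotFoundException {
        if (!roleExists(role)) {
            throw new RoleNotFoundException(role);
        }
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.deleteRoleToGroups(str, role.getName(), COMPONENT_NAME, ImmutableSet.of(principal.getName()));
                return null;
            }
        });
    }

    /** Returns the Sentry authorizable chain for {@code entityId}, root first. */
    @VisibleForTesting
    List<org.apache.sentry.core.common.Authorizable> toSentryAuthorizables(EntityId entityId) {
        List<org.apache.sentry.core.common.Authorizable> chain = new LinkedList<org.apache.sentry.core.common.Authorizable>();
        toAuthorizables(entityId, chain);
        return chain;
    }

    /**
     * Resolves the roles of {@code principal}, or all roles when it is {@code null}.
     *
     * <p>A ROLE principal is returned as itself without contacting Sentry, so the result does not
     * show whether that role exists. A USER is resolved through the provider's group mapping and the
     * roles of each group are merged.
     *
     * @param str requesting user passed to Sentry
     * @throws IllegalArgumentException if the principal is neither USER, GROUP nor ROLE
     */
    private Set<Role> getRoles(@Nullable final Principal principal, final String str) {
        if (principal != null && Principal.PrincipalType.ROLE == principal.getType()) {
            return Collections.singleton(new Role(principal.getName()));
        }
        Set<TSentryRole> sentryRoles = execute(new Command<Set<TSentryRole>>() {
            @Override
            public Set<TSentryRole> run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                if (principal == null) {
                    return sentryGenericServiceClient.listAllRoles(str, COMPONENT_NAME);
                }
                if (principal.getType().equals(Principal.PrincipalType.USER)) {
                    Set<String> groups = authProvider.getGroupMapping().getGroups(principal.getName());
                    Set<TSentryRole> merged = new HashSet<TSentryRole>();
                    for (String group : groups) {
                        merged.addAll(sentryGenericServiceClient.listRolesByGroupName(str, group, COMPONENT_NAME));
                    }
                    return ImmutableSet.copyOf(merged);
                }
                if (principal.getType().equals(Principal.PrincipalType.GROUP)) {
                    return sentryGenericServiceClient.listRolesByGroupName(str, principal.getName(), COMPONENT_NAME);
                }
                throw new IllegalArgumentException(String.format("Cannot list roles for %s. Roles can only listed for %s or %s", principal, Principal.PrincipalType.USER, Principal.PrincipalType.GROUP));
            }
        });
        Set<Role> roles = new HashSet<Role>();
        for (TSentryRole sentryRole : sentryRoles) {
            roles.add(new Role(sentryRole.getRoleName()));
        }
        if (principal == null) {
            LOG.debug("Listed all roles {}; Requesting user: {}", roles, str);
        } else {
            LOG.debug("Listed roles {} for principal {}; Requesting user: {}", roles, principal, str);
        }
        return ImmutableSet.copyOf(roles);
    }

    /**
     * Reports whether a role with the lower-cased name of {@code role} is among the listed roles.
     *
     * <p>This lists all roles on every call and is not atomic with whatever the caller does next.
     */
    boolean roleExists(Role role) {
        // Locale.ROOT: the lookup key must not depend on the JVM's default locale.
        // NOTE(review): presumably Sentry stores role names lower-cased - confirm.
        return listAllRoles().contains(new Role(role.getName().toLowerCase(java.util.Locale.ROOT)));
    }

    /**
     * Builds the Sentry configuration from the sentry-site.xml location.
     *
     * <p>A value that does not start with the file prefix gets it prepended, so the location is
     * always treated as a file URL (assuming {@code FILE_PROTOCOL_PREFIX} is the {@code file}
     * prefix its name suggests).
     *
     * @throws IllegalArgumentException if {@code str} is null, empty or not a valid URL
     */
    private AuthConf initAuthzConf(String str) {
        if (Strings.isNullOrEmpty(str)) {
            throw new IllegalArgumentException(String.format("The value for %s is null or empty. Please configure it to the absolute path of sentry-site.xml in cdap-site.xml", AuthConf.SENTRY_SITE_URL));
        }
        try {
            // NOTE(review): the prefix constant comes from Ant's XSLTLiaison, an unrelated library;
            // the decompiler probably substituted it for a string literal - confirm.
            String location = str.startsWith(XSLTLiaison.FILE_PROTOCOL_PREFIX) ? str : XSLTLiaison.FILE_PROTOCOL_PREFIX + str;
            return new AuthConf(new URL(location));
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException(String.format("The path provided for sentry-site.xml in property %s is invalid. Please configure it to the absolute path of sentry-site.xml in cdap-site.xml", AuthConf.SENTRY_SITE_URL), e);
        }
    }

    /**
     * Instantiates the provider backend, policy engine and authorization provider named in the
     * Sentry configuration.
     *
     * <p>All three class names are configuration values loaded through the thread's context class
     * loader, and their constructors are invoked with accessibility checks disabled. Each
     * constructor has already run by the time its result is cast, so a wrong class name executes
     * that class's constructor before the cast fails. The configuration file therefore has to be
     * protected like code.
     *
     * @throws RuntimeException wrapping any failure to load or construct one of the classes
     */
    private AuthorizationProvider createAuthProvider() {
        String providerName = this.authConf.get(AuthConf.AuthzConfVars.AUTHZ_PROVIDER.getVar(), AuthConf.AuthzConfVars.AUTHZ_PROVIDER.getDefault());
        String backendName = this.authConf.get(AuthConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), AuthConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getDefault());
        String policyEngineName = this.authConf.get(AuthConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), AuthConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault());
        String resourceName = this.authConf.get(AuthConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), AuthConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getDefault());
        LOG.debug("Trying to instantiate authorization provider {}, with provider backend {}, policy engine {} and resource {}", providerName, backendName, policyEngineName, resourceName);
        try {
            ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
            // A classpath-prefixed resource is resolved to the path of the matching class-loader
            // resource; any other value is passed through unchanged.
            if (resourceName != null && resourceName.startsWith(ResourceUtils.CLASSPATH_PREFIX)) {
                String relativeName = resourceName.substring(ResourceUtils.CLASSPATH_PREFIX.length());
                URL resource = classLoader.getResource(relativeName);
                Preconditions.checkState(resource != null, "Resource %s could not be loaded from authorizer classloader", relativeName);
                resourceName = resource.getPath();
            }

            Constructor<?> backendConstructor = classLoader.loadClass(backendName).getDeclaredConstructor(Configuration.class, String.class);
            backendConstructor.setAccessible(true);
            ProviderBackend providerBackend = (ProviderBackend) backendConstructor.newInstance(this.authConf, resourceName);
            if (providerBackend instanceof SentryGenericProviderBackend) {
                SentryGenericProviderBackend genericBackend = (SentryGenericProviderBackend) providerBackend;
                genericBackend.setComponentType(COMPONENT_NAME);
                genericBackend.setServiceName(this.instanceName);
            }

            Constructor<?> policyConstructor = classLoader.loadClass(policyEngineName).getDeclaredConstructor(ProviderBackend.class);
            policyConstructor.setAccessible(true);
            PolicyEngine policyEngine = (PolicyEngine) policyConstructor.newInstance(providerBackend);

            Constructor<?> providerConstructor = classLoader.loadClass(providerName).getDeclaredConstructor(Configuration.class, String.class, PolicyEngine.class);
            providerConstructor.setAccessible(true);
            return (AuthorizationProvider) providerConstructor.newInstance(this.authConf, resourceName, policyEngine);
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Fetches the privileges of every role in {@code set} for this instance, always requested as
     * {@code sentryAdminGroup}.
     */
    private List<TSentryPrivilege> getAllPrivileges(final Set<Role> set) {
        return execute(new Command<List<TSentryPrivilege>>() {
            @Override
            public List<TSentryPrivilege> run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                List<TSentryPrivilege> collected = new ArrayList<TSentryPrivilege>();
                for (Role role : set) {
                    collected.addAll(sentryGenericServiceClient.listPrivilegesByRoleName(sentryAdminGroup, role.getName(), COMPONENT_NAME, instanceName));
                }
                return ImmutableList.copyOf(collected);
            }
        });
    }

    /**
     * Builds the Sentry privilege for {@code action} on {@code entityId}.
     *
     * <p>NOTE(review): the grant option is set on every privilege built here, and the same object is
     * used for both grant and revoke calls. In Sentry a grant option normally lets the holder pass
     * the privilege on - confirm that this is intended for all grants.
     */
    @VisibleForTesting
    TSentryPrivilege toTSentryPrivilege(EntityId entityId, Action action) {
        TSentryPrivilege privilege = new TSentryPrivilege(COMPONENT_NAME, this.instanceName, toTAuthorizable(entityId), action.name());
        privilege.setGrantOption(TSentryGrantOption.TRUE);
        return privilege;
    }

    /**
     * Revokes {@code set} on {@code entityId} from {@code role}, with {@code sentryAdminGroup} as
     * the requestor.
     *
     * @throws RoleNotFoundException if the role does not exist
     */
    public void revoke(EntityId entityId, Role role, Set<Action> set) throws RoleNotFoundException {
        revoke(entityId, role, set, this.sentryAdminGroup);
    }

    /** Converts the authorizable chain of {@code entityId} to its Thrift form (type name, name). */
    private List<TAuthorizable> toTAuthorizable(EntityId entityId) {
        List<TAuthorizable> result = new ArrayList<TAuthorizable>();
        for (org.apache.sentry.core.common.Authorizable authorizable : toSentryAuthorizables(entityId)) {
            result.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
        }
        return result;
    }

    /**
     * Runs {@code command} against a freshly created Sentry client and closes the client afterwards,
     * whether the command returns or throws.
     *
     * @throws RuntimeException wrapping any checked exception from the client or the command
     */
    private <T> T execute(Command<T> command) {
        try {
            SentryGenericServiceClient client = getClient();
            try {
                return command.run(client);
            } finally {
                client.close();
            }
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    /** Creates a Sentry client from the loaded configuration. */
    private SentryGenericServiceClient getClient() throws Exception {
        return SentryGenericServiceClientFactory.create(this.authConf);
    }

    /**
     * Converts one element of a Sentry authorizable chain to a CDAP entity id.
     *
     * <p>The type and name come from Sentry and are not validated here beyond the enum lookup and
     * the casts below.
     *
     * @param entityId entity built from the preceding elements of the chain; required for every type
     *     except INSTANCE and NAMESPACE
     * @throws IllegalArgumentException if the type name is not an {@code AuthorizableType}
     * @throws NullPointerException if a parent is required but {@code entityId} is null
     * @throws ClassCastException if the parent is not of the type that the element expects
     */
    private EntityId toEntityId(TAuthorizable tAuthorizable, @Nullable EntityId entityId) {
        Authorizable from = ModelAuthorizables.from(tAuthorizable.getType(), tAuthorizable.getName());
        switch (Authorizable.AuthorizableType.valueOf(tAuthorizable.getType())) {
            case INSTANCE:
                // The instance name from Sentry is ignored in favour of the configured one.
                return new InstanceId(this.instanceName);
            case NAMESPACE:
                return new NamespaceId(((Namespace) from).getName());
            case ARTIFACT:
                Artifact artifact = (Artifact) from;
                Preconditions.checkNotNull(entityId, "%s must have a parent", Authorizable.AuthorizableType.ARTIFACT);
                return ((NamespaceId) entityId).artifact(artifact.getArtifactName(), artifact.getArtifactVersion());
            case APPLICATION:
                Application application = (Application) from;
                Preconditions.checkNotNull(entityId, "%s must have a parent", Authorizable.AuthorizableType.APPLICATION);
                return ((NamespaceId) entityId).app(application.getName());
            case PROGRAM:
                Program program = (Program) from;
                Preconditions.checkNotNull(entityId, "%s must have a parent", Authorizable.AuthorizableType.PROGRAM);
                return ((ApplicationId) entityId).program(program.getProgramType(), program.getProgramName());
            case DATASET:
                Dataset dataset = (Dataset) from;
                Preconditions.checkNotNull(entityId, "%s must have a parent", Authorizable.AuthorizableType.DATASET);
                return ((NamespaceId) entityId).dataset(dataset.getName());
            case DATASET_MODULE:
                DatasetModule datasetModule = (DatasetModule) from;
                Preconditions.checkNotNull(entityId, "%s must have a parent", Authorizable.AuthorizableType.DATASET_MODULE);
                return ((NamespaceId) entityId).datasetModule(datasetModule.getName());
            case DATASET_TYPE:
                DatasetType datasetType = (DatasetType) from;
                Preconditions.checkNotNull(entityId, "%s must have a parent", Authorizable.AuthorizableType.DATASET_TYPE);
                return ((NamespaceId) entityId).datasetType(datasetType.getName());
            case STREAM:
                Stream stream = (Stream) from;
                Preconditions.checkNotNull(entityId, "%s must have a parent", Authorizable.AuthorizableType.STREAM);
                return ((NamespaceId) entityId).stream(stream.getName());
            case SECUREKEY:
                SecureKey secureKey = (SecureKey) from;
                Preconditions.checkNotNull(entityId, "%s must have a parent", Authorizable.AuthorizableType.SECUREKEY);
                return ((NamespaceId) entityId).secureKey(secureKey.getName());
            default:
                throw new IllegalArgumentException(String.format("Sentry Authorizable %s has invalid type %s", tAuthorizable.getName(), tAuthorizable.getType()));
        }
    }

    /**
     * Appends the authorizable chain of {@code entityId} to {@code list}, parents first.
     *
     * <p>A namespace is always rooted at the configured instance name; the other types recurse into
     * their parent id.
     *
     * @throws IllegalArgumentException if the entity type has no Sentry counterpart
     */
    private void toAuthorizables(EntityId entityId, List<org.apache.sentry.core.common.Authorizable> list) {
        EntityType entity = entityId.getEntity();
        switch (entity) {
            case INSTANCE:
                list.add(new Instance(((InstanceId) entityId).getInstance()));
                return;
            case NAMESPACE:
                toAuthorizables(new InstanceId(this.instanceName), list);
                list.add(new Namespace(((NamespaceId) entityId).getNamespace()));
                return;
            case ARTIFACT:
                ArtifactId artifactId = (ArtifactId) entityId;
                toAuthorizables(artifactId.getParent(), list);
                list.add(new Artifact(artifactId.getArtifact(), artifactId.getVersion()));
                return;
            case APPLICATION:
                ApplicationId applicationId = (ApplicationId) entityId;
                toAuthorizables(applicationId.getParent(), list);
                list.add(new Application(applicationId.getApplication()));
                return;
            case DATASET:
                DatasetId datasetId = (DatasetId) entityId;
                toAuthorizables(datasetId.getParent(), list);
                list.add(new Dataset(datasetId.getDataset()));
                return;
            case DATASET_MODULE:
                DatasetModuleId datasetModuleId = (DatasetModuleId) entityId;
                toAuthorizables(datasetModuleId.getParent(), list);
                list.add(new DatasetModule(datasetModuleId.getModule()));
                return;
            case DATASET_TYPE:
                DatasetTypeId datasetTypeId = (DatasetTypeId) entityId;
                toAuthorizables(datasetTypeId.getParent(), list);
                list.add(new DatasetType(datasetTypeId.getType()));
                return;
            case STREAM:
                StreamId streamId = (StreamId) entityId;
                toAuthorizables(streamId.getParent(), list);
                list.add(new Stream(streamId.getStream()));
                return;
            case PROGRAM:
                ProgramId programId = (ProgramId) entityId;
                toAuthorizables(programId.getParent(), list);
                list.add(new Program(programId.getType(), programId.getProgram()));
                return;
            case SECUREKEY:
                SecureKeyId secureKeyId = (SecureKeyId) entityId;
                toAuthorizables(secureKeyId.getParent(), list);
                list.add(new SecureKey(secureKeyId.getName()));
                return;
            default:
                throw new IllegalArgumentException(String.format("The entity %s is of unknown type %s", entityId, entity));
        }
    }
}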
