package co.cask.cdap.security.authorization.sentry.binding;

import co.cask.cdap.proto.ProgramType;
import co.cask.cdap.proto.element.EntityType;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.authorization.sentry.binding.conf.AuthConf;
import co.cask.cdap.security.authorization.sentry.model.ActionFactory;
import co.cask.cdap.security.authorization.sentry.model.Application;
import co.cask.cdap.security.authorization.sentry.model.Artifact;
import co.cask.cdap.security.authorization.sentry.model.Authorizable;
import co.cask.cdap.security.authorization.sentry.model.Dataset;
import co.cask.cdap.security.authorization.sentry.model.DatasetModule;
import co.cask.cdap.security.authorization.sentry.model.DatasetType;
import co.cask.cdap.security.authorization.sentry.model.Instance;
import co.cask.cdap.security.authorization.sentry.model.Namespace;
import co.cask.cdap.security.authorization.sentry.model.Program;
import co.cask.cdap.security.authorization.sentry.model.SecureKey;
import co.cask.cdap.security.authorization.sentry.model.Stream;
import co.cask.cdap.security.authorization.sentry.policy.ModelAuthorizables;
import co.cask.cdap.security.spi.authorization.AlreadyExistsException;
import co.cask.cdap.security.spi.authorization.BadRequestException;
import co.cask.cdap.security.spi.authorization.NotFoundException;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableSet;
import java.lang.reflect.Constructor;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.provider.db.SentryAlreadyExistsException;
import org.apache.sentry.provider.db.SentryInvalidInputException;
import org.apache.sentry.provider.db.SentryNoSuchObjectException;
import org.apache.sentry.provider.db.SentryThriftAPIMismatchException;
import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
import org.apache.shiro.io.ResourceUtils;
import org.apache.tools.ant.taskdefs.XSLTLiaison;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:co/cask/cdap/security/authorization/sentry/binding/AuthBinding.class */
public class AuthBinding {
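    private static final Logger LOG = LoggerFactory.getLogger(AuthBinding.class);
    /** Sentry "component" under which every CDAP role and privilege is registered. */
    private static final String COMPONENT_NAME = "cdap";
    /** Sentry client/provider configuration loaded from sentry-site.xml (see initAuthzConf). */
    private final AuthConf authConf;
    /**
     * Sentry authorization provider, built reflectively from authConf (see createAuthProvider).
     * Assigned in the constructor AFTER authConf and instanceName, because createAuthProvider()
     * reads both; as a field initializer it would run before the constructor body and
     * dereference a null authConf.
     */
    private final AuthorizationProvider authProvider;
    /** CDAP instance name; used as the Sentry "service" on every privilege. */
    private final String instanceName;
    /**
     * Identity under which this class talks to Sentry on CDAP's own behalf (listing all roles,
     * reading privileges, cascading revokes). Expected to be a Sentry admin group.
     */
    private final String sentryAdminGroup;
    // Principal (user) -> group names. Entries expire after the configured TTL, so a group
    // membership change in the backing store is not seen here until the entry expires.
    private final LoadingCache<Principal, Set<String>> groupCache;
    // Group name -> roles. Same TTL caveat; createRole/dropRole/addRoleToGroup/
    // removeRoleFromGroup in this class do not invalidate it.
    private final LoadingCache<String, Set<Role>> roleCache;
    // Role -> policies. Same TTL caveat; grant/revoke in this class do not invalidate it.
    private final LoadingCache<Role, Set<WildcardPolicy>> policyCache;

    /**
     * Compiler-generated enum-switch lookup tables (ordinal -> case index), recovered by the
     * decompiler. Not application logic. The listing assigned the AuthorizableType table
     * without declaring it; the declaration is restored here so the class is well-formed.
     */
    public static /* synthetic */ class AnonymousClass15 {
        static final /* synthetic */ int[] $SwitchMap$co$cask$cdap$proto$element$EntityType = new int[EntityType.values().length];
        static final /* synthetic */ int[] $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType = new int[Authorizable.AuthorizableType.values().length];

        static {
            // Each constant is looked up in its own try so a constant missing at runtime
            // (NoSuchFieldError) only drops that one mapping instead of failing the class.
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.INSTANCE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.NAMESPACE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.ARTIFACT.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.APPLICATION.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.DATASET.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.DATASET_MODULE.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.DATASET_TYPE.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.STREAM.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.PROGRAM.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.SECUREKEY.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$co$cask$cdap$proto$element$EntityType[EntityType.KERBEROSPRINCIPAL.ordinal()] = 11;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.INSTANCE.ordinal()] = 1;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.NAMESPACE.ordinal()] = 2;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.ARTIFACT.ordinal()] = 3;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.APPLICATION.ordinal()] = 4;
            } catch (NoSuchFieldError e15) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.PROGRAM.ordinal()] = 5;
            } catch (NoSuchFieldError e16) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.DATASET.ordinal()] = 6;
            } catch (NoSuchFieldError e17) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.DATASET_MODULE.ordinal()] = 7;
            } catch (NoSuchFieldError e18) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.DATASET_TYPE.ordinal()] = 8;
            } catch (NoSuchFieldError e19) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.STREAM.ordinal()] = 9;
            } catch (NoSuchFieldError e20) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.SECUREKEY.ordinal()] = 10;
            } catch (NoSuchFieldError e21) {
            }
            try {
                $SwitchMap$co$cask$cdap$security$authorization$sentry$model$Authorizable$AuthorizableType[Authorizable.AuthorizableType.PRINCIPAL.ordinal()] = 11;
            } catch (NoSuchFieldError e22) {
            }
        }
    }

    /**
     * A unit of work against a Sentry client. execute() opens the client, runs the command,
     * and closes the client on every path.
     *
     * @param <T> result type of the command
     */
    @FunctionalInterface
    public interface Command<T> {
        T run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception;
    }

    /**
     * Builds the binding and the Sentry authorization provider.
     *
     * @param sentrySiteUrl    file:// URL or absolute path of sentry-site.xml
     * @param instanceName     CDAP instance name, used as the Sentry service name
     * @param sentryAdminGroup identity used for Sentry calls made on CDAP's own behalf
     * @param cacheTtlSecs     expire-after-write TTL (seconds) for the group/role/policy caches
     * @param cacheMaxEntries  maximum entries per cache
     * @throws IllegalArgumentException if sentrySiteUrl is empty or not a valid file URL
     * @throws RuntimeException         if the configured provider classes cannot be instantiated
     */
    public AuthBinding(String sentrySiteUrl, String instanceName, String sentryAdminGroup, int cacheTtlSecs, int cacheMaxEntries) {
        this.authConf = initAuthzConf(sentrySiteUrl);
        this.instanceName = instanceName;
        this.sentryAdminGroup = sentryAdminGroup;
        // Must run after authConf and instanceName are set: createAuthProvider() reads both.
        this.authProvider = createAuthProvider();
        this.groupCache = buildCache(cacheTtlSecs, cacheMaxEntries, new CacheLoader<Principal, Set<String>>() {
            @Override
            public Set<String> load(Principal principal) throws Exception {
                AuthBinding.LOG.trace("Group cache miss for principal {}", principal);
                return AuthBinding.this.fetchGroups(principal);
            }
        });
        this.roleCache = buildCache(cacheTtlSecs, cacheMaxEntries, new CacheLoader<String, Set<Role>>() {
            @Override
            public Set<Role> load(String group) throws Exception {
                AuthBinding.LOG.trace("Role cache miss for group {}", group);
                return AuthBinding.this.fetchRoles(group);
            }
        });
        this.policyCache = buildCache(cacheTtlSecs, cacheMaxEntries, new CacheLoader<Role, Set<WildcardPolicy>>() {
            @Override
            public Set<WildcardPolicy> load(Role role) throws Exception {
                AuthBinding.LOG.trace("Policy cache miss for role {}", role);
                return AuthBinding.this.fetchPolicies(role);
            }
        });
    }

    /**
     * Bounded, expire-after-write cache around {@code loader}; all three caches share this shape
     * so that the TTL and size limits cannot drift apart.
     */
    private static <K, V> LoadingCache<K, V> buildCache(int ttlSecs, int maxEntries, CacheLoader<K, V> loader) {
        return CacheBuilder.newBuilder().expireAfterWrite(ttlSecs, TimeUnit.SECONDS).maximumSize(maxEntries).build(loader);
    }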

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Union of the cached policies of every role the principal resolves to.
     *
     * Role resolution goes through getRoles (user -> groups -> roles, served from the caches),
     * with sentryAdminGroup as the Sentry-side requester for the list-all case. Cached roles and
     * policies may lag the Sentry store by up to the configured TTL.
     *
     * @param principal user, group or role whose policies are wanted
     * @return unmodifiable set of policies
     * @throws Exception on Sentry or cache-load failure
     */
    public Set<WildcardPolicy> getPolicies(Principal principal) throws Exception {
        Set<WildcardPolicy> policies = new HashSet<WildcardPolicy>();
        for (Role role : getRoles(principal, this.sentryAdminGroup)) {
            policies.addAll(this.policyCache.get(role));
        }
        return Collections.unmodifiableSet(policies);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Grants {@code actions} on {@code authorizable} to {@code role} in Sentry.
     *
     * Nothing is authorized here: {@code requestingUser} is passed to Sentry as the requestor
     * and Sentry decides whether that user may grant. Each action is a separate grantPrivilege
     * RPC over one client, with no transaction, so a failure part-way leaves the earlier actions
     * granted. Every privilege built by toTSentryPrivilege carries the grant option. policyCache
     * is not invalidated; the new grant becomes visible to getPolicies when the cached entry expires.
     *
     * @param authorizable   entity to grant on
     * @param role           Sentry role receiving the privilege
     * @param actions        actions to grant
     * @param requestingUser user on whose behalf the grant is requested
     * @throws Exception mapped Sentry exceptions (see execute)
     */
    public void grant(final co.cask.cdap.proto.security.Authorizable authorizable, final Role role, final Set<Action> actions, final String requestingUser) throws Exception {
        LOG.debug("Granting actions {} on entity {} for role {}; Requesting user: {}", actions, authorizable, role, requestingUser);
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                for (Action action : actions) {
                    TSentryPrivilege privilege = AuthBinding.this.toTSentryPrivilege(authorizable, action);
                    client.grantPrivilege(requestingUser, role.getName(), AuthBinding.COMPONENT_NAME, privilege);
                }
                return null;
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Revokes {@code actions} on {@code authorizable} from {@code role} in Sentry.
     *
     * Mirrors grant(): the privilege objects are built by the same toTSentryPrivilege, one
     * revokePrivilege RPC per action, no transaction, and Sentry (not this method) checks
     * whether {@code requestingUser} may revoke. policyCache is not invalidated, so the revoke
     * takes effect for cached lookups only once the role's entry expires.
     *
     * @param authorizable   entity to revoke on
     * @param role           Sentry role losing the privilege
     * @param actions        actions to revoke
     * @param requestingUser user on whose behalf the revoke is requested
     * @throws Exception mapped Sentry exceptions (see execute)
     */
    public void revoke(final co.cask.cdap.proto.security.Authorizable authorizable, final Role role, final Set<Action> actions, final String requestingUser) throws Exception {
        LOG.debug("Revoking actions {} on entity {} from role {}; Requesting user: {}", actions, authorizable, role, requestingUser);
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                for (Action action : actions) {
                    TSentryPrivilege privilege = AuthBinding.this.toTSentryPrivilege(authorizable, action);
                    client.revokePrivilege(requestingUser, role.getName(), AuthBinding.COMPONENT_NAME, privilege);
                }
                return null;
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Drops every privilege on {@code authorizable} from every role (cascading cleanup).
     *
     * Runs as sentryAdminGroup, not as an end user, so no per-user check happens on the Sentry
     * side for this path; the caller is responsible for having authorized the operation
     * (typically the deletion of the entity) before calling.
     *
     * @param authorizable entity whose privileges are dropped
     * @throws Exception mapped Sentry exceptions (see execute)
     */
    public void revoke(co.cask.cdap.proto.security.Authorizable authorizable) throws Exception {
        String requestingUser = this.sentryAdminGroup;
        revoke(authorizable, requestingUser);
    }

    /**
     * Drops, from all roles, every privilege whose authorizable chain is exactly
     * {@code authorizable}.
     *
     * The privilege list is read up front (all roles, as sentryAdminGroup) and then filtered by
     * exact equality of the TAuthorizable list. Privileges on child entities (e.g. a program under
     * the application being removed) do not match and are left in place; callers removing a
     * parent entity must revoke the children separately, otherwise a later entity with the same
     * name would still carry the old grants. The read and the drops are separate RPCs, so a
     * privilege granted in between is not dropped.
     *
     * @param authorizable   entity whose privileges are dropped
     * @param requestingUser identity passed to Sentry as the requestor
     * @throws Exception mapped Sentry exceptions (see execute)
     */
    private void revoke(co.cask.cdap.proto.security.Authorizable authorizable, final String requestingUser) throws Exception {
        final List<TSentryPrivilege> existing = getAllPrivileges(listAllRoles());
        final List<TAuthorizable> target = toTAuthorizable(authorizable);
        LOG.debug("Revoking all actions for all users from entity {}; Requesting user: {}", authorizable, requestingUser);
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                for (TSentryPrivilege privilege : existing) {
                    if (!target.equals(privilege.getAuthorizables())) {
                        continue;
                    }
                    client.dropPrivilege(requestingUser, AuthBinding.COMPONENT_NAME, privilege);
                }
                return null;
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * All privileges held by the roles {@code principal} resolves to, as CDAP privileges.
     *
     * Roles come from getRoles (cached, sentryAdminGroup as requester for list-all) and the
     * privileges are read from Sentry as sentryAdminGroup regardless of who is asking; the
     * caller must authorize the listing itself.
     *
     * @param principal user, group or role
     * @return unmodifiable set of CDAP privileges
     * @throws Exception on Sentry failure or an unmappable stored privilege (see toPrivileges)
     */
    public Set<Privilege> listPrivileges(Principal principal) throws Exception {
        Set<Role> roles = getRoles(principal, this.sentryAdminGroup);
        LOG.debug("Listing all privileges for {};", principal);
        List<TSentryPrivilege> sentryPrivileges = getAllPrivileges(roles);
        return toPrivileges(sentryPrivileges);
    }

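    /**
     * Converts Sentry privileges back into CDAP privileges.
     *
     * For each privilege the TAuthorizable chain is walked outer-to-inner via addToEntityParts;
     * the innermost part decides the entity type, and the instance part is dropped unless the
     * entity is the instance itself. Privileges with an empty chain are skipped. A chain that
     * cannot be mapped, or an action name that is not a CDAP Action, throws and aborts the whole
     * conversion (one bad stored privilege fails the listing).
     *
     * Change: action names are upper-cased with Locale.ROOT. The default-locale toUpperCase()
     * turns "admin" into "ADMİN" under a Turkish locale and Action.valueOf then fails.
     *
     * @param sentryPrivileges privileges as returned by Sentry
     * @return unmodifiable set of CDAP privileges
     * @throws IllegalArgumentException if an action or authorizable chain cannot be mapped
     * @throws NullPointerException     if a non-empty chain yields no entity type
     */
    @VisibleForTesting
    Set<Privilege> toPrivileges(Collection<TSentryPrivilege> sentryPrivileges) {
        Set<Privilege> privileges = new HashSet<Privilege>();
        for (TSentryPrivilege sentryPrivilege : sentryPrivileges) {
            List<TAuthorizable> authorizables = sentryPrivilege.getAuthorizables();
            if (authorizables.isEmpty()) {
                continue;
            }
            LinkedHashMap<EntityType, String> entityParts = new LinkedHashMap<EntityType, String>();
            EntityType entityType = null;
            for (TAuthorizable authorizable : authorizables) {
                // Outer -> inner; the last part determines the entity type.
                entityType = addToEntityParts(authorizable, entityParts);
            }
            Preconditions.checkNotNull(entityType, "Failed to determine entityType for the sentry authorizable %s", authorizables);
            if (!entityType.equals(EntityType.INSTANCE)) {
                entityParts.remove(EntityType.INSTANCE);
            }
            // Locale-independent upper-casing so the JVM default locale cannot break the lookup.
            Action action = Action.valueOf(sentryPrivilege.getAction().toUpperCase(Locale.ROOT));
            privileges.add(new Privilege(new co.cask.cdap.proto.security.Authorizable(entityType, entityParts), action));
        }
        return Collections.unmodifiableSet(privileges);
    }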

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates {@code role} in Sentry under the CDAP component.
     *
     * {@code requestingUser} is passed through as the Sentry requestor; whether that user may
     * create roles is decided by Sentry, not here. roleCache is not touched.
     *
     * @param role           role to create
     * @param requestingUser user on whose behalf the role is created
     * @throws Exception mapped Sentry exceptions, e.g. AlreadyExistsException (see execute)
     */
    public void createRole(final Role role, final String requestingUser) throws Exception {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                String roleName = role.getName();
                client.createRole(requestingUser, roleName, AuthBinding.COMPONENT_NAME);
                AuthBinding.LOG.debug("Created role {}; Requesting user: {}", role, requestingUser);
                return null;
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Drops {@code role} from Sentry under the CDAP component.
     *
     * Authorization of {@code requestingUser} is left to Sentry. Neither roleCache nor
     * policyCache is invalidated, so cached lookups can still return the dropped role and its
     * policies until the entries expire.
     *
     * @param role           role to drop
     * @param requestingUser user on whose behalf the role is dropped
     * @throws Exception mapped Sentry exceptions, e.g. NotFoundException (see execute)
     */
    public void dropRole(final Role role, final String requestingUser) throws Exception {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                String roleName = role.getName();
                client.dropRole(requestingUser, roleName, AuthBinding.COMPONENT_NAME);
                AuthBinding.LOG.debug("Dropped role {}; Requesting user: {}", role, requestingUser);
                return null;
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Roles of {@code principal}, via getRoles.
     *
     * Note that getRoles consults {@code requestingUser} only for the list-all case
     * (principal == null); user and group lookups are served from the caches keyed by the
     * principal alone.
     *
     * @param principal      user, group or role (null lists all roles)
     * @param requestingUser identity passed to Sentry when listing all roles
     * @return unmodifiable set of roles
     * @throws Exception on Sentry or cache-load failure
     */
    public Set<Role> listRolesForGroup(Principal principal, String requestingUser) throws Exception {
        Set<Role> roles = getRoles(principal, requestingUser);
        return roles;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Every role registered under the CDAP component.
     *
     * The Sentry call is made as sentryAdminGroup, not as the end user, so callers must have
     * authorized the listing already.
     *
     * @return unmodifiable set of all roles
     * @throws Exception mapped Sentry exceptions (see execute)
     */
    public Set<Role> listAllRoles() throws Exception {
        Principal everyone = null;
        return getRoles(everyone, this.sentryAdminGroup);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Adds {@code role} to the Sentry group named by {@code principal}.
     *
     * {@code principal.getName()} is used as the group name without checking
     * {@code principal.getType()}; the caller is expected to pass a GROUP principal. Sentry
     * decides whether {@code requestingUser} may do this. roleCache is not invalidated, so
     * the new membership is visible to cached lookups only after the group's entry expires.
     *
     * @param role           role to add
     * @param principal      group receiving the role
     * @param requestingUser user on whose behalf the change is made
     * @throws Exception mapped Sentry exceptions (see execute)
     */
    public void addRoleToGroup(final Role role, final Principal principal, final String requestingUser) throws Exception {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                Set<String> groups = ImmutableSet.of(principal.getName());
                client.addRoleToGroups(requestingUser, role.getName(), AuthBinding.COMPONENT_NAME, groups);
                AuthBinding.LOG.debug("Added role {} to group {} for the requested user {}", role, principal, requestingUser);
                return null;
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Removes {@code role} from the Sentry group named by {@code principal}.
     *
     * As in addRoleToGroup, the principal's name is used as the group name with no type check,
     * Sentry authorizes {@code requestingUser}, and roleCache is not invalidated — the group
     * keeps the role in cached lookups until its entry expires.
     *
     * @param role           role to remove
     * @param principal      group losing the role
     * @param requestingUser user on whose behalf the change is made
     * @throws Exception mapped Sentry exceptions (see execute)
     */
    public void removeRoleFromGroup(final Role role, final Principal principal, final String requestingUser) throws Exception {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                Set<String> groups = ImmutableSet.of(principal.getName());
                client.deleteRoleToGroups(requestingUser, role.getName(), AuthBinding.COMPONENT_NAME, groups);
                AuthBinding.LOG.debug("Dropped role {} from group {} for the requested user {}", role, principal, requestingUser);
                return null;
            }
        });
    }

    /**
     * Sentry authorizable chain for a CDAP entity id (convenience over the Authorizable form).
     *
     * @param entityId CDAP entity
     * @return ordered list of Sentry authorizables, outermost first
     */
    @VisibleForTesting
    List<org.apache.sentry.core.common.Authorizable> toSentryAuthorizables(EntityId entityId) {
        co.cask.cdap.proto.security.Authorizable authorizable = co.cask.cdap.proto.security.Authorizable.fromEntityId(entityId);
        return toSentryAuthorizables(authorizable);
    }

    /**
     * Sentry authorizable chain for a CDAP authorizable.
     *
     * Delegates to the three-argument toSentryAuthorizables overload (defined elsewhere in this
     * class), which fills the list in place.
     *
     * @param authorizable CDAP authorizable
     * @return ordered list of Sentry authorizables as filled by the overload
     */
    @VisibleForTesting
    private List<org.apache.sentry.core.common.Authorizable> toSentryAuthorizables(co.cask.cdap.proto.security.Authorizable authorizable) {
        LinkedList<org.apache.sentry.core.common.Authorizable> chain = new LinkedList<org.apache.sentry.core.common.Authorizable>();
        EntityType entityType = authorizable.getEntityType();
        toSentryAuthorizables(entityType, authorizable, chain);
        return chain;
    }

    /**
     * Resolves the roles of a principal.
     *
     * <ul>
     *   <li>null principal: lists every role from Sentry, as {@code requestingUser};</li>
     *   <li>ROLE principal: the role itself, no lookup;</li>
     *   <li>USER principal: groups from groupCache, then roles of each group from roleCache;</li>
     *   <li>GROUP principal: roles from roleCache.</li>
     * </ul>
     * Cached answers can lag Sentry by up to the cache TTL; {@code requestingUser} plays no
     * part in the cached lookups.
     *
     * @param principal      principal to resolve, or null for all roles
     * @param requestingUser identity passed to Sentry for the list-all case
     * @return unmodifiable set of roles
     * @throws IllegalArgumentException for a principal type other than ROLE, USER or GROUP
     * @throws Exception                on Sentry or cache-load failure
     */
    private Set<Role> getRoles(@Nullable Principal principal, final String requestingUser) throws Exception {
        if (principal == null) {
            Set<TSentryRole> sentryRoles = execute(new Command<Set<TSentryRole>>() {
                @Override
                public Set<TSentryRole> run(SentryGenericServiceClient client) throws Exception {
                    return client.listAllRoles(requestingUser, AuthBinding.COMPONENT_NAME);
                }
            });
            Set<Role> allRoles = new HashSet<Role>();
            for (TSentryRole sentryRole : sentryRoles) {
                allRoles.add(new Role(sentryRole.getRoleName()));
            }
            LOG.debug("Listed all roles {}; Requesting user: {}", allRoles, requestingUser);
            return Collections.unmodifiableSet(allRoles);
        }
        Set<Role> roles;
        switch (principal.getType()) {
            case ROLE:
                return Collections.singleton(new Role(principal.getName()));
            case USER:
                Set<String> groups = this.groupCache.get(principal);
                LOG.debug("Got groups {} for principal {}", groups, principal);
                roles = new HashSet<Role>();
                for (String group : groups) {
                    roles.addAll(this.roleCache.get(group));
                }
                break;
            case GROUP:
                roles = this.roleCache.get(principal.getName());
                break;
            default:
                throw new IllegalArgumentException(String.format("Cannot list roles for %s. Roles can only listed for %s or %s", principal, Principal.PrincipalType.USER, Principal.PrincipalType.GROUP));
        }
        LOG.debug("Listed roles {} for principal {}; Requesting user: {}", roles, principal, requestingUser);
        return Collections.unmodifiableSet(roles);
    }

    /**
     * Loads sentry-site.xml into an AuthConf.
     *
     * Accepts a file:// URL or a bare path; a bare path is prefixed with file://, so it must be
     * absolute (a relative path would be read as a host name). The resulting file fully controls
     * which Sentry provider/backend/engine classes get instantiated (see createAuthProvider), so
     * it must be writable only by administrators.
     *
     * @param sentrySiteUrl value of the sentry-site URL property
     * @return loaded configuration
     * @throws IllegalArgumentException if the value is empty or not a valid URL
     */
    private AuthConf initAuthzConf(String sentrySiteUrl) {
        if (Strings.isNullOrEmpty(sentrySiteUrl)) {
            throw new IllegalArgumentException(String.format("The value for %s is null or empty. Please configure it to the absolute path of sentry-site.xml in cdap-site.xml", AuthConf.SENTRY_SITE_URL));
        }
        String fileUrl = sentrySiteUrl.startsWith(XSLTLiaison.FILE_PROTOCOL_PREFIX)
            ? sentrySiteUrl
            : XSLTLiaison.FILE_PROTOCOL_PREFIX + sentrySiteUrl;
        try {
            return new AuthConf(new URL(fileUrl));
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException(String.format("The path provided for sentry-site.xml in property %s is invalid. Please configure it to the absolute path of sentry-site.xml in cdap-site.xml", AuthConf.SENTRY_SITE_URL), e);
        }
    }

    /**
     * Instantiates the Sentry provider backend, policy engine and authorization provider.
     *
     * All three class names, and the provider resource, are read from authConf (i.e. from
     * sentry-site.xml) and instantiated reflectively through the context class loader, with
     * setAccessible(true) so non-public constructors work. Whoever can edit that file therefore
     * chooses the code on the authorization path. A "classpath:" resource is resolved to a path
     * through the same class loader. Reads authConf and instanceName, so it must be called only
     * after both are set.
     *
     * @return the configured AuthorizationProvider
     * @throws RuntimeException wrapping any reflection or construction failure
     * @throws IllegalStateException if a classpath: resource cannot be found
     */
    private AuthorizationProvider createAuthProvider() {
        AuthConf conf = this.authConf;
        String providerClass = conf.get(AuthConf.AuthzConfVars.AUTHZ_PROVIDER.getVar(), AuthConf.AuthzConfVars.AUTHZ_PROVIDER.getDefault());
        String backendClass = conf.get(AuthConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), AuthConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getDefault());
        String policyEngineClass = conf.get(AuthConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), AuthConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault());
        String providerResource = conf.get(AuthConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), AuthConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getDefault());
        LOG.debug("Trying to instantiate authorization provider {}, with provider backend {}, policy engine {} and resource {}", providerClass, backendClass, policyEngineClass, providerResource);
        try {
            ClassLoader loader = Thread.currentThread().getContextClassLoader();
            if (providerResource != null && providerResource.startsWith(ResourceUtils.CLASSPATH_PREFIX)) {
                String resourceName = providerResource.substring(ResourceUtils.CLASSPATH_PREFIX.length());
                URL resourceUrl = loader.getResource(resourceName);
                Preconditions.checkState(resourceUrl != null, "Resource %s could not be loaded from authorizer classloader", resourceName);
                providerResource = resourceUrl.getPath();
            }
            ProviderBackend backend = (ProviderBackend) instantiate(loader, backendClass,
                new Class<?>[] {Configuration.class, String.class}, conf, providerResource);
            if (backend instanceof SentryGenericProviderBackend) {
                SentryGenericProviderBackend genericBackend = (SentryGenericProviderBackend) backend;
                genericBackend.setComponentType(COMPONENT_NAME);
                genericBackend.setServiceName(this.instanceName);
            }
            PolicyEngine policyEngine = (PolicyEngine) instantiate(loader, policyEngineClass,
                new Class<?>[] {ProviderBackend.class}, backend);
            return (AuthorizationProvider) instantiate(loader, providerClass,
                new Class<?>[] {Configuration.class, String.class, PolicyEngine.class}, conf, providerResource, policyEngine);
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Loads {@code className} through {@code loader} and invokes its constructor matching
     * {@code parameterTypes} (made accessible first) with {@code args}.
     */
    private static Object instantiate(ClassLoader loader, String className, Class<?>[] parameterTypes, Object... args) throws Exception {
        Constructor<?> constructor = loader.loadClass(className).getDeclaredConstructor(parameterTypes);
        constructor.setAccessible(true);
        return constructor.newInstance(args);
    }

    /**
     * Privileges of the given roles, read from Sentry.
     *
     * Reads as sentryAdminGroup (not the end user) and scoped to this instance's service name;
     * one listPrivilegesByRoleName RPC per role over a single client.
     *
     * @param roles roles to read
     * @return unmodifiable list of Sentry privileges, in role iteration order
     * @throws Exception mapped Sentry exceptions (see execute)
     */
    private List<TSentryPrivilege> getAllPrivileges(final Set<Role> roles) throws Exception {
        return execute(new Command<List<TSentryPrivilege>>() {
            @Override
            public List<TSentryPrivilege> run(SentryGenericServiceClient client) throws Exception {
                List<TSentryPrivilege> collected = new ArrayList<TSentryPrivilege>();
                for (Role role : roles) {
                    collected.addAll(client.listPrivilegesByRoleName(AuthBinding.this.sentryAdminGroup, role.getName(), AuthBinding.COMPONENT_NAME, AuthBinding.this.instanceName));
                }
                return Collections.unmodifiableList(collected);
            }
        });
    }

    /**
     * Sentry privilege for {@code action} on a CDAP entity id (convenience over the
     * Authorizable form).
     *
     * @param entityId CDAP entity
     * @param action   action
     * @return Sentry privilege, with the grant option set (see the Authorizable overload)
     */
    @VisibleForTesting
    TSentryPrivilege toTSentryPrivilege(EntityId entityId, Action action) {
        co.cask.cdap.proto.security.Authorizable authorizable = co.cask.cdap.proto.security.Authorizable.fromEntityId(entityId);
        return toTSentryPrivilege(authorizable, action);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Sentry privilege for {@code action} on {@code authorizable}, under the CDAP component and
     * this instance's service name.
     *
     * Every privilege is created WITH GRANT OPTION, so a role holding it can delegate it to
     * others. Both grant() and revoke() build their privileges here, so the flag is applied
     * symmetrically; changing it for one path only would make the two stop matching.
     *
     * @param authorizable entity
     * @param action       action
     * @return Sentry privilege
     */
    @VisibleForTesting
    public TSentryPrivilege toTSentryPrivilege(co.cask.cdap.proto.security.Authorizable authorizable, Action action) {
        List<TAuthorizable> chain = toTAuthorizable(authorizable);
        TSentryPrivilege privilege = new TSentryPrivilege(COMPONENT_NAME, this.instanceName, chain, action.name());
        privilege.setGrantOption(TSentryGrantOption.TRUE);
        return privilege;
    }

    /**
     * Thrift form of the Sentry authorizable chain for {@code authorizable}.
     *
     * Order is preserved (outermost first) because privilege matching in revoke(Authorizable,
     * String) compares the whole list for equality.
     *
     * @param authorizable CDAP authorizable
     * @return mutable list of (type name, name) pairs
     */
    private List<TAuthorizable> toTAuthorizable(co.cask.cdap.proto.security.Authorizable authorizable) {
        List<TAuthorizable> thriftChain = new ArrayList<TAuthorizable>();
        for (org.apache.sentry.core.common.Authorizable part : toSentryAuthorizables(authorizable)) {
            thriftChain.add(new TAuthorizable(part.getTypeName(), part.getName()));
        }
        return thriftChain;
    }

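    /**
     * Opens a Sentry client, runs {@code command} on it, closes the client on every path, and
     * maps Sentry exceptions (including ones from opening the client) to the CDAP SPI types:
     * access denied -> UnauthorizedException, no such object -> NotFoundException,
     * already exists -> AlreadyExistsException, invalid input / Thrift API mismatch ->
     * BadRequestException; anything else is rethrown as-is.
     *
     * Change: the original Sentry exception is logged at debug before it is mapped. The SPI
     * exceptions are constructed from the message only, so without this the Sentry stack trace
     * (and the exception class) would be lost entirely. The close-after-run pattern is expressed
     * with try/finally; as before, a close() failure after a successful run propagates.
     *
     * @param command work to run against the client
     * @param <T>     result type
     * @return the command's result
     * @throws Exception mapped SPI exception or the original exception
     */
    private <T> T execute(Command<T> command) throws Exception {
        try {
            SentryGenericServiceClient client = getClient();
            try {
                return command.run(client);
            } finally {
                client.close();
            }
        } catch (Exception e) {
            LOG.debug("Sentry request failed with {}: {}", e.getClass().getName(), e.getMessage(), e);
            if (e instanceof SentryAccessDeniedException) {
                throw new UnauthorizedException(e.getMessage());
            }
            if (e instanceof SentryNoSuchObjectException) {
                throw new NotFoundException(e.getMessage());
            }
            if (e instanceof SentryAlreadyExistsException) {
                throw new AlreadyExistsException(e.getMessage());
            }
            if ((e instanceof SentryInvalidInputException) || (e instanceof SentryThriftAPIMismatchException)) {
                throw new BadRequestException(e.getMessage());
            }
            throw e;
        }
    }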

    /**
     * A Sentry client for one execute() call.
     *
     * Asks the factory for a client on every call (whether the factory pools connections is
     * not visible here); execute() is responsible for closing it.
     *
     * @return a client built from authConf
     * @throws Exception if the factory cannot create the client
     */
    private SentryGenericServiceClient getClient() throws Exception {
        AuthConf conf = this.authConf;
        return SentryGenericServiceClientFactory.create(conf);
    }

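    /**
     * Records the entity part carried by one Sentry {@link TAuthorizable} in {@code map} and
     * returns the {@link EntityType} of the part that was added.
     *
     * <p>Parts are expected to arrive outermost first: an artifact, application, dataset, dataset
     * module, dataset type, stream or secure key requires a namespace to be present in {@code map}
     * already, and a program requires an application. The instance part ignores the name carried by
     * the Sentry authorizable and always uses this binding's own {@code instanceName}.
     *
     * <p>Program parts are stored as {@code <type>.<name>} (type in lower case) when the program
     * type is known, or as the bare name otherwise. Case folding uses {@code Locale.ROOT}: the
     * strings written here are later matched by the authorizer, and the JVM default locale (for
     * example Turkish) folds some ASCII letters differently, which would silently break matching.
     *
     * @param tAuthorizable the Sentry authorizable to convert
     * @param map the entity parts gathered so far; updated in place
     * @return the entity type of the part that was put into {@code map}
     * @throws IllegalArgumentException if the authorizable's type is unknown, or if the parent part it
     *     requires is not yet present in {@code map}
     */
    private EntityType addToEntityParts(TAuthorizable tAuthorizable, Map<EntityType, String> map) {
        Authorizable from = ModelAuthorizables.from(tAuthorizable.getType(), tAuthorizable.getName());
        Authorizable.AuthorizableType type;
        try {
            type = Authorizable.AuthorizableType.valueOf(tAuthorizable.getType());
        } catch (IllegalArgumentException e) {
            // valueOf's own message names only the bad constant; report the whole authorizable instead,
            // otherwise the descriptive message in the default branch below is never reached for bad input.
            throw new IllegalArgumentException(String.format("Sentry Authorizable %s has invalid type %s", tAuthorizable.getName(), tAuthorizable.getType()), e);
        }
        switch (type) {
            case INSTANCE:
                // The binding's configured instance name is authoritative, not the name sent by Sentry.
                map.put(EntityType.INSTANCE, instanceName);
                return EntityType.INSTANCE;
            case NAMESPACE:
                map.put(EntityType.NAMESPACE, ((Namespace) from).getName());
                return EntityType.NAMESPACE;
            case ARTIFACT:
                Artifact artifact = (Artifact) from;
                checkParentKnown(map, EntityType.NAMESPACE, "Artifact", artifact, "a namespace");
                map.put(EntityType.ARTIFACT, artifact.getName());
                return EntityType.ARTIFACT;
            case APPLICATION:
                Application application = (Application) from;
                checkParentKnown(map, EntityType.NAMESPACE, "Application", application, "a namespace");
                map.put(EntityType.APPLICATION, application.getName());
                return EntityType.APPLICATION;
            case PROGRAM:
                Program program = (Program) from;
                checkParentKnown(map, EntityType.APPLICATION, "Program", program, "an application");
                StringBuilder programPart = new StringBuilder();
                if (program.getProgramType() != null) {
                    programPart.append(program.getProgramType().getPrettyName().toLowerCase(java.util.Locale.ROOT));
                    programPart.append('.');
                }
                programPart.append(program.getProgramName());
                map.put(EntityType.PROGRAM, programPart.toString());
                return EntityType.PROGRAM;
            case DATASET:
                Dataset dataset = (Dataset) from;
                checkParentKnown(map, EntityType.NAMESPACE, "Dataset", dataset, "a namespace");
                map.put(EntityType.DATASET, dataset.getName());
                return EntityType.DATASET;
            case DATASET_MODULE:
                DatasetModule datasetModule = (DatasetModule) from;
                checkParentKnown(map, EntityType.NAMESPACE, "DatasetModule", datasetModule, "a namespace");
                map.put(EntityType.DATASET_MODULE, datasetModule.getName());
                return EntityType.DATASET_MODULE;
            case DATASET_TYPE:
                DatasetType datasetType = (DatasetType) from;
                checkParentKnown(map, EntityType.NAMESPACE, "DatasetType", datasetType, "a namespace");
                map.put(EntityType.DATASET_TYPE, datasetType.getName());
                return EntityType.DATASET_TYPE;
            case STREAM:
                Stream stream = (Stream) from;
                checkParentKnown(map, EntityType.NAMESPACE, "Stream", stream, "a namespace");
                map.put(EntityType.STREAM, stream.getName());
                return EntityType.STREAM;
            case SECUREKEY:
                SecureKey secureKey = (SecureKey) from;
                checkParentKnown(map, EntityType.NAMESPACE, "SecureKey", secureKey, "a namespace");
                map.put(EntityType.SECUREKEY, secureKey.getName());
                return EntityType.SECUREKEY;
            case PRINCIPAL:
                map.put(EntityType.KERBEROSPRINCIPAL, ((co.cask.cdap.security.authorization.sentry.model.Principal) from).getName());
                return EntityType.KERBEROSPRINCIPAL;
            default:
                // Only reachable for an AuthorizableType constant that has no case above.
                throw new IllegalArgumentException(String.format("Sentry Authorizable %s has invalid type %s", tAuthorizable.getName(), tAuthorizable.getType()));
        }
    }

    /**
     * Fails with {@link IllegalArgumentException} unless the required parent part is already present.
     *
     * @param map the entity parts gathered so far
     * @param parent the entity type that must already be in {@code map}
     * @param kind human-readable kind of {@code child}, used only in the error message
     * @param child the authorizable being added, used only in the error message
     * @param parentDescription article plus parent kind for the message, e.g. {@code "a namespace"}
     */
    private static void checkParentKnown(Map<EntityType, String> map, EntityType parent, String kind, Authorizable child, String parentDescription) {
        Preconditions.checkArgument(map.containsKey(parent), "%s %s must belong to %s. Currently known entity parts are %s", kind, child, parentDescription, map);
    }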

    /* JADX INFO: Access modifiers changed from: package-private */
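    /**
     * Appends the chain of Sentry {@link Authorizable}s that identifies {@code authorizable} up to
     * and including the part of type {@code entityType} to {@code list}.
     *
     * <p>The chain is built outermost first by recursing on the parent type: every namespaced part is
     * preceded by the instance and the namespace, and a program is preceded by its application. The
     * instance is always this binding's {@code instanceName}, except for {@code INSTANCE} itself,
     * whose name is read from the entity parts.
     *
     * <p>Program parts are stored as {@code <type>.<name>} or as a bare name (see
     * {@code addToEntityParts}). Only the first {@code '.'} separates the type prefix, so a dot inside
     * the program name is kept rather than truncated; a truncated name would make the Sentry
     * authorizable refer to a different program than the one being authorized. The type prefix is
     * upper-cased with {@code Locale.ROOT} so that {@code ProgramType.valueOf} is not affected by the
     * JVM default locale.
     *
     * <p>NOTE(review): this switch was recovered from a decompiled ordinal lookup table; each branch
     * was assigned the constant whose model type it constructs (the branch building a
     * {@code Namespace} is {@code NAMESPACE}, and so on). Confirm against the original source.
     *
     * @param entityType the type of the innermost part to emit
     * @param authorizable the CDAP authorizable whose entity parts are read
     * @param list the destination; Sentry authorizables are appended in outermost-first order
     * @throws IllegalArgumentException if {@code entityType} has no mapping, or if a program type
     *     prefix is not a valid {@link ProgramType}
     */
    public void toSentryAuthorizables(EntityType entityType, co.cask.cdap.proto.security.Authorizable authorizable, List<? super Authorizable> list) {
        switch (entityType) {
            case INSTANCE:
                list.add(new Instance(entityPart(authorizable, EntityType.INSTANCE)));
                return;
            case NAMESPACE:
                list.add(new Instance(instanceName));
                list.add(new Namespace(entityPart(authorizable, entityType)));
                return;
            case ARTIFACT:
                toSentryAuthorizables(EntityType.NAMESPACE, authorizable, list);
                list.add(new Artifact(entityPart(authorizable, entityType)));
                return;
            case APPLICATION:
                toSentryAuthorizables(EntityType.NAMESPACE, authorizable, list);
                list.add(new Application(entityPart(authorizable, entityType)));
                return;
            case DATASET:
                toSentryAuthorizables(EntityType.NAMESPACE, authorizable, list);
                list.add(new Dataset(entityPart(authorizable, entityType)));
                return;
            case DATASET_MODULE:
                toSentryAuthorizables(EntityType.NAMESPACE, authorizable, list);
                list.add(new DatasetModule(entityPart(authorizable, entityType)));
                return;
            case DATASET_TYPE:
                toSentryAuthorizables(EntityType.NAMESPACE, authorizable, list);
                list.add(new DatasetType(entityPart(authorizable, entityType)));
                return;
            case STREAM:
                toSentryAuthorizables(EntityType.NAMESPACE, authorizable, list);
                list.add(new Stream(entityPart(authorizable, entityType)));
                return;
            case PROGRAM:
                toSentryAuthorizables(EntityType.APPLICATION, authorizable, list);
                // Limit 2: split only at the first '.', so the program name itself is never truncated.
                String[] typeAndName = entityPart(authorizable, entityType).split("\\.", 2);
                if (typeAndName.length == 1) {
                    list.add(new Program(typeAndName[0]));
                } else {
                    ProgramType programType = ProgramType.valueOf(typeAndName[0].toUpperCase(java.util.Locale.ROOT));
                    list.add(new Program(programType, typeAndName[1]));
                }
                return;
            case SECUREKEY:
                toSentryAuthorizables(EntityType.NAMESPACE, authorizable, list);
                list.add(new SecureKey(entityPart(authorizable, entityType)));
                return;
            case KERBEROSPRINCIPAL:
                list.add(new Instance(instanceName));
                list.add(new co.cask.cdap.security.authorization.sentry.model.Principal(entityPart(authorizable, entityType)));
                return;
            default:
                throw new IllegalArgumentException(String.format("The entity %s is of unknown type %s", authorizable.getEntityParts(), authorizable.getEntityType()));
        }
    }

    /**
     * Reads one entity part by type.
     *
     * @param authorizable the CDAP authorizable
     * @param key the entity type of the part to read
     * @return the part value, or {@code null} if the part is absent
     */
    private static String entityPart(co.cask.cdap.proto.security.Authorizable authorizable, EntityType key) {
        return (String) authorizable.getEntityParts().get(key);
    }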

    /* JADX INFO: Access modifiers changed from: package-private */
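    /**
     * Converts CDAP {@link Action}s into Sentry {@link ActionFactory.Action}s by name.
     *
     * @param set the CDAP actions to convert
     * @return an unmodifiable set with one Sentry action per input action
     */
    public Set<ActionFactory.Action> toSentryActions(Set<Action> set) {
        // Typed collection instead of the raw HashSet the decompiler emitted.
        Set<ActionFactory.Action> sentryActions = new HashSet<>(set.size());
        for (Action action : set) {
            sentryActions.add(new ActionFactory.Action(action.name()));
        }
        return Collections.unmodifiableSet(sentryActions);
    }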

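    /**
     * Converts Sentry Thrift {@link TAuthorizable}s into model {@link Authorizable}s, preserving order.
     *
     * @param list the Thrift authorizables
     * @return a new modifiable list with one model authorizable per input element
     */
    private static List<Authorizable> toSentryAuthorizables(List<TAuthorizable> list) {
        // Typed collection instead of the raw ArrayList the decompiler emitted.
        List<Authorizable> authorizables = new ArrayList<>(list.size());
        for (TAuthorizable tAuthorizable : list) {
            authorizables.add(ModelAuthorizables.from(tAuthorizable.getType(), tAuthorizable.getName()));
        }
        return authorizables;
    }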

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Looks up the groups of {@code principal} through the auth provider's group mapping.
     *
     * @param principal the principal whose name is resolved to groups
     * @return whatever the group mapping returns for that name
     */
    public Set<String> fetchGroups(Principal principal) {
        String principalName = principal.getName();
        return authProvider.getGroupMapping().getGroups(principalName);
    }

    /* JADX INFO: Access modifiers changed from: private */
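    /**
     * Lists the Sentry roles granted to the group {@code str}.
     *
     * <p>The lookup runs as {@code sentryAdminGroup} for the {@code COMPONENT_NAME} component. A
     * {@code null} result from the client is treated as "no roles", mirroring how
     * {@code fetchPolicies} handles a {@code null} privilege set, instead of surfacing as a
     * {@link NullPointerException}; an empty role set grants nothing.
     *
     * @param str the group name whose roles are requested
     * @return the group's roles as CDAP {@link Role}s; never {@code null}
     * @throws Exception if the Sentry call fails (Sentry exceptions are translated by {@code execute})
     */
    public Set<Role> fetchRoles(final String str) throws Exception {
        Set<TSentryRole> sentryRoles = (Set<TSentryRole>) execute(new Command<Set<TSentryRole>>() { // from class: co.cask.cdap.security.authorization.sentry.binding.AuthBinding.13
            @Override // co.cask.cdap.security.authorization.sentry.binding.AuthBinding.Command
            public Set<TSentryRole> run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                return sentryGenericServiceClient.listRolesByGroupName(AuthBinding.this.sentryAdminGroup, str, AuthBinding.COMPONENT_NAME);
            }
        });
        if (sentryRoles == null) {
            LOG.debug("Got no roles for group {}", str);
            return Collections.emptySet();
        }
        Set<Role> roles = new HashSet<>(sentryRoles.size());
        for (TSentryRole sentryRole : sentryRoles) {
            roles.add(new Role(sentryRole.getRoleName()));
        }
        return roles;
    }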

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Lists the privileges Sentry holds for {@code role} on this instance and wraps each one in a
     * {@link WildcardPolicy}.
     *
     * <p>The lookup runs as {@code sentryAdminGroup} for the {@code COMPONENT_NAME} component,
     * scoped to {@code instanceName}. A {@code null} privilege set from the client yields an empty
     * result.
     *
     * @param role the role whose privileges are requested
     * @return an unmodifiable set of policies, one per Sentry privilege; empty if there are none
     * @throws Exception if the Sentry call fails (Sentry exceptions are translated by {@code execute})
     */
    public Set<WildcardPolicy> fetchPolicies(final Role role) throws Exception {
        Set<TSentryPrivilege> privileges = (Set<TSentryPrivilege>) execute(new Command<Set<TSentryPrivilege>>() { // from class: co.cask.cdap.security.authorization.sentry.binding.AuthBinding.14
            @Override // co.cask.cdap.security.authorization.sentry.binding.AuthBinding.Command
            public Set<TSentryPrivilege> run(SentryGenericServiceClient client) throws Exception {
                return client.listPrivilegesByRoleName(AuthBinding.this.sentryAdminGroup, role.getName(), AuthBinding.COMPONENT_NAME, AuthBinding.this.instanceName);
            }
        });
        if (privileges == null) {
            LOG.debug("Got empty set of policies for role {}", role);
            return Collections.emptySet();
        }
        Set<WildcardPolicy> policies = new HashSet<>(privileges.size());
        for (TSentryPrivilege privilege : privileges) {
            List<Authorizable> authorizables = toSentryAuthorizables(privilege.getAuthorizables());
            ActionFactory.Action action = new ActionFactory.Action(privilege.getAction());
            policies.add(new WildcardPolicy(authorizables, action));
        }
        LOG.debug("Got policies {} for role {}", policies, role);
        return Collections.unmodifiableSet(policies);
    }
}
