package org.apache.sentry.provider.db.generic.service.persistent;

import com.google.common.base.Joiner;
import com.google.common.base.Strings;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.BitFieldAction;
import org.apache.sentry.core.common.BitFieldActionFactory;
import org.apache.sentry.core.model.kafka.KafkaActionFactory;
import org.apache.sentry.core.model.search.SearchActionFactory;
import org.apache.sentry.core.model.sqoop.SqoopActionFactory;
import org.apache.sentry.provider.common.AuthorizationComponent;
import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
import org.apache.sentry.provider.db.service.model.MSentryRole;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/sentry-provider-db-1.7.0.jar:org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.class */
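/**
 * Grants, revokes, drops, renames and looks up {@link MSentryGMPrivilege} rows through a
 * caller-supplied JDO {@link PersistenceManager}.
 *
 * <p>Every method works inside whatever transaction the caller has opened on the
 * {@code PersistenceManager}; this class never begins or commits one itself.
 *
 * <p>Role names are always handed to JDOQL as bound parameters, never spliced into the filter
 * text, so a role name containing a quote cannot change the shape of an authorization query.
 */
public class PrivilegeOperatePersistence {
    private static final Logger LOGGER = LoggerFactory.getLogger(PrivilegeOperatePersistence.class);

    /** JDOQL variable declaration used by every filter that joins privileges to roles. */
    private static final String ROLE_VARIABLE = "org.apache.sentry.provider.db.service.model.MSentryRole role";

    /** Name of the action that stands for "every action of the component". */
    private static final String ALL_ACTIONS = "*";

    // Cache of action factories keyed by lower-cased component name, shared by all instances.
    // NOTE(review): this is a plain HashMap that getActionFactory() mutates without any
    // synchronization; confirm callers serialize access or switch to a concurrent map.
    private static final Map<String, BitFieldActionFactory> actionFactories = Maps.newHashMap();

    static {
        // NOTE(review): lookups lower-case the component name, so these keys are only ever hit
        // if the AuthorizationComponent constants are already lower-case - confirm.
        actionFactories.put(AuthorizationComponent.Search, new SearchActionFactory());
        actionFactories.put(AuthorizationComponent.SQOOP, new SqoopActionFactory());
        actionFactories.put(AuthorizationComponent.KAFKA, KafkaActionFactory.getInstance());
    }

    private final Configuration conf;

    /**
     * @param configuration source of the per-component action-factory class names read by
     *     {@link #createActionFactory(String)}
     */
    public PrivilegeOperatePersistence(Configuration configuration) {
        this.conf = configuration;
    }

    /**
     * Reports whether any of the given roles holds, with grant option, a privilege that implies
     * the requested one.
     *
     * <p>Fails closed: a {@code null} or empty role set yields {@code false}. Without that guard
     * the query would run with an empty filter and match the privileges of <em>every</em> role,
     * so a principal with no roles could pass the check on someone else's grant option. The
     * sibling lookups ({@link #getPrivilegesByRole}, {@link #getPrivilegesByProvider}) already
     * treat "no roles" as "no privileges".
     *
     * @param set roles of the principal being checked
     * @param privilegeObject privilege the principal wants to grant or revoke
     * @param persistenceManager JDO persistence manager to query with
     * @return {@code true} only if a matching privilege with grant option is found
     */
    public boolean checkPrivilegeOption(Set<MSentryRole> set, PrivilegeObject privilegeObject, PersistenceManager persistenceManager) {
        MSentryGMPrivilege requested = convertToPrivilege(privilegeObject);
        if (set == null || set.isEmpty()) {
            return false;
        }
        Query query = persistenceManager.newQuery(MSentryGMPrivilege.class);
        Map<String, Object> params = Maps.newHashMap();
        query.setFilter(roleFilter(query, set, params));
        for (Object row : (List<?>) query.executeWithMap(params)) {
            MSentryGMPrivilege held = (MSentryGMPrivilege) row;
            // A missing (null) grant option is treated as "no grant option" rather than an NPE.
            if (Boolean.TRUE.equals(held.getGrantOption()) && held.implies(requested)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Grants the privilege described by {@code privilegeObject} to {@code mSentryRole}.
     *
     * @throws SentryUserException declared for callers; nothing in this method throws it directly
     */
    public void grantPrivilege(PrivilegeObject privilegeObject, MSentryRole mSentryRole, PersistenceManager persistenceManager) throws SentryUserException {
        grantRolePartial(convertToPrivilege(privilegeObject), mSentryRole, persistenceManager);
    }

    /**
     * Attaches {@code mSentryRole} to the stored privilege matching {@code mSentryGMPrivilege},
     * creating that privilege if none is stored.
     *
     * <p>If the requested action implies "*", the role is first detached from each narrower
     * privilege on the same resource that it already holds. If the role already holds "*" on the
     * resource, nothing is granted.
     *
     * <p>{@code mSentryGMPrivilege} is used as a scratch object while probing; on every exit path
     * its action is left at the requested action's value.
     */
    private void grantRolePartial(MSentryGMPrivilege mSentryGMPrivilege, MSentryRole mSentryRole, PersistenceManager persistenceManager) {
        String component = mSentryGMPrivilege.getComponentName();
        BitFieldAction requestedAction = getAction(component, mSentryGMPrivilege.getAction());
        BitFieldAction allAction = getAction(component, ALL_ACTIONS);

        if (requestedAction.implies(allAction)) {
            // Granting everything: detach the role from each narrower privilege it already holds.
            for (BitFieldAction narrower : getActionFactory(component).getActionsByCode(allAction.getActionCode())) {
                mSentryGMPrivilege.setAction(narrower.getValue());
                MSentryGMPrivilege existing = getPrivilege(mSentryGMPrivilege, persistenceManager);
                if (existing != null && mSentryRole.getGmPrivileges().contains(existing)) {
                    persistenceManager.retrieve(existing);
                    existing.removeRole(mSentryRole);
                    persistenceManager.makePersistent(existing);
                }
            }
        } else {
            mSentryGMPrivilege.setAction(allAction.getValue());
            MSentryGMPrivilege allPrivilege = getPrivilege(mSentryGMPrivilege, persistenceManager);
            if (allPrivilege != null && mSentryRole.getGmPrivileges().contains(allPrivilege)) {
                // Restore the requested action before bailing out. renamePrivilege() reuses one
                // privilege object across several roles; leaving "*" in it would make the next
                // role in that loop be granted every action instead of the original one.
                mSentryGMPrivilege.setAction(requestedAction.getValue());
                return;
            }
        }

        mSentryGMPrivilege.setAction(requestedAction.getValue());
        MSentryGMPrivilege target = getPrivilege(mSentryGMPrivilege, persistenceManager);
        if (target == null) {
            target = mSentryGMPrivilege;
        }
        target.appendRole(mSentryRole);
        persistenceManager.makePersistent(target);
    }

    /**
     * Revokes the privilege described by {@code privilegeObject} from {@code mSentryRole},
     * covering every stored privilege of that role that the include-query returns for it.
     *
     * @throws SentryUserException declared for callers; nothing in this method throws it directly
     */
    public void revokePrivilege(PrivilegeObject privilegeObject, MSentryRole mSentryRole, PersistenceManager persistenceManager) throws SentryUserException {
        MSentryGMPrivilege stored = getPrivilege(convertToPrivilege(privilegeObject), persistenceManager);
        // Work on a detached copy so the comparisons below do not touch the managed instance.
        MSentryGMPrivilege revoked = stored == null
                ? convertToPrivilege(privilegeObject)
                : (MSentryGMPrivilege) persistenceManager.detachCopy(stored);
        Set<MSentryGMPrivilege> affected = populateIncludePrivileges(Sets.newHashSet(mSentryRole), revoked, persistenceManager);
        for (MSentryGMPrivilege held : affected) {
            revokeRolePartial(revoked, held, mSentryRole, persistenceManager);
        }
        persistenceManager.makePersistent(mSentryRole);
    }

    /**
     * Queries the stored privileges selected by
     * {@code MSentryGMPrivilege.populateIncludePrivilegesQuery(mSentryGMPrivilege)}, optionally
     * restricted to the given roles.
     *
     * @param set roles to restrict to; {@code null} or empty means "privileges of any role"
     *     (dropPrivilege and renamePrivilege rely on that)
     * @return a new mutable set holding the query result
     */
    @SuppressWarnings("unchecked")
    private Set<MSentryGMPrivilege> populateIncludePrivileges(Set<MSentryRole> set, MSentryGMPrivilege mSentryGMPrivilege, PersistenceManager persistenceManager) {
        Query query = persistenceManager.newQuery(MSentryGMPrivilege.class);
        // NOTE(review): this part of the filter is produced by MSentryGMPrivilege, which is not
        // visible here - confirm it does not inline unescaped component/service/authorizable text.
        StringBuilder filter = new StringBuilder();
        filter.append(MSentryGMPrivilege.populateIncludePrivilegesQuery(mSentryGMPrivilege));
        Map<String, Object> params = Maps.newHashMap();
        if (set != null && !set.isEmpty()) {
            filter.append("&& ").append(roleFilter(query, set, params));
        }
        query.setFilter(filter.toString());
        Set<MSentryGMPrivilege> matches = Sets.newHashSet();
        matches.addAll((List<MSentryGMPrivilege>) query.executeWithMap(params));
        return matches;
    }

    /**
     * Removes from {@code mSentryRole} the part of the stored privilege {@code mSentryGMPrivilege2}
     * that is covered by the revoked privilege {@code mSentryGMPrivilege}.
     *
     * <ul>
     *   <li>revoked action implies "*": the role is detached from the stored privilege;</li>
     *   <li>stored action is narrower than "*": the role is detached only if the revoked action
     *       implies the stored one;</li>
     *   <li>stored action is "*" and the revoked one is narrower: the role is detached from the
     *       "*" privilege and re-attached to one privilege per remaining action.</li>
     * </ul>
     */
    private void revokeRolePartial(MSentryGMPrivilege mSentryGMPrivilege, MSentryGMPrivilege mSentryGMPrivilege2, MSentryRole mSentryRole, PersistenceManager persistenceManager) {
        String component = mSentryGMPrivilege.getComponentName();
        BitFieldAction revokedAction = getAction(component, mSentryGMPrivilege.getAction());
        BitFieldAction heldAction = getAction(component, mSentryGMPrivilege2.getAction());
        BitFieldAction allAction = getAction(component, ALL_ACTIONS);

        boolean revokesEverything = revokedAction.implies(allAction);
        boolean holdsEverything = heldAction.implies(allAction);

        if (!revokesEverything && !holdsEverything && !revokedAction.implies(heldAction)) {
            // The stored privilege is not covered by the revoked one: leave it alone.
            return;
        }

        mSentryGMPrivilege2.removeRole(mSentryRole);
        persistenceManager.makePersistent(mSentryGMPrivilege2);

        if (revokesEverything || !holdsEverything) {
            return;
        }

        // The role held "*" and loses one action: give back every other action individually.
        for (BitFieldAction remaining : getActionFactory(component).getActionsByCode(allAction.getActionCode())) {
            if (remaining.getActionCode() == revokedAction.getActionCode()) {
                continue;
            }
            MSentryGMPrivilege replacement = new MSentryGMPrivilege(mSentryGMPrivilege2);
            replacement.setAction(remaining.getValue());
            MSentryGMPrivilege existing = getPrivilege(replacement, persistenceManager);
            if (existing == null) {
                existing = replacement;
                mSentryRole.appendGMPrivilege(existing);
            }
            existing.appendRole(mSentryRole);
            persistenceManager.makePersistent(existing);
        }
    }

    /**
     * Revokes the described privilege from every role that holds it. A null or empty action in
     * {@code privilegeObject} is treated as "*".
     */
    public void dropPrivilege(PrivilegeObject privilegeObject, PersistenceManager persistenceManager) {
        MSentryGMPrivilege dropped = convertToPrivilege(privilegeObject);
        if (Strings.isNullOrEmpty(privilegeObject.getAction())) {
            dropped.setAction(getAction(privilegeObject.getComponent(), ALL_ACTIONS).getValue());
        }
        for (MSentryGMPrivilege held : populateIncludePrivileges(null, dropped, persistenceManager)) {
            // Force the role collection to load before it is walked.
            persistenceManager.retrieve(held);
            // Iterate over a snapshot: revokeRolePartial() calls held.removeRole(), which would
            // invalidate a live iterator if getRoles() exposes the backing collection.
            for (MSentryRole role : Sets.newHashSet(held.getRoles())) {
                revokeRolePartial(dropped, held, role, persistenceManager);
            }
        }
    }

    /** Copies component, service, authorizables, action and grant option into a new model object. */
    private MSentryGMPrivilege convertToPrivilege(PrivilegeObject privilegeObject) {
        return new MSentryGMPrivilege(
                privilegeObject.getComponent(),
                privilegeObject.getService(),
                privilegeObject.getAuthorizables(),
                privilegeObject.getAction(),
                privilegeObject.getGrantOption());
    }

    /**
     * Looks up the single stored privilege matching {@code mSentryGMPrivilege}.
     *
     * @return the stored privilege, or {@code null} when the unique query finds none
     */
    private MSentryGMPrivilege getPrivilege(MSentryGMPrivilege mSentryGMPrivilege, PersistenceManager persistenceManager) {
        Query query = persistenceManager.newQuery(MSentryGMPrivilege.class);
        // NOTE(review): the filter text is built by MSentryGMPrivilege.toQuery, not visible here -
        // confirm it does not inline unescaped values.
        query.setFilter(MSentryGMPrivilege.toQuery(mSentryGMPrivilege));
        query.setUnique(true);
        return (MSentryGMPrivilege) query.execute();
    }

    /**
     * Returns every privilege held by any of the given roles.
     *
     * @param set roles to look up; {@code null} or empty yields an empty result
     * @return a new mutable set, never {@code null}
     */
    @SuppressWarnings("unchecked")
    public Set<PrivilegeObject> getPrivilegesByRole(Set<MSentryRole> set, PersistenceManager persistenceManager) {
        Set<PrivilegeObject> result = Sets.newHashSet();
        if (set == null || set.isEmpty()) {
            return result;
        }
        Query query = persistenceManager.newQuery(MSentryGMPrivilege.class);
        Map<String, Object> params = Maps.newHashMap();
        query.setFilter(roleFilter(query, set, params));
        List<MSentryGMPrivilege> rows = (List<MSentryGMPrivilege>) query.executeWithMap(params);
        if (rows == null) {
            return result;
        }
        for (MSentryGMPrivilege row : rows) {
            result.add(toPrivilegeObject(row));
        }
        return result;
    }

    /**
     * Returns the privileges the given roles hold on a component/service, as selected by the
     * include-query for the given authorizables.
     *
     * @param str component name
     * @param str2 service name
     * @param set roles to look up; {@code null} or empty yields an empty result
     * @param list authorizables identifying the resource
     * @return a new mutable set, never {@code null}
     */
    public Set<PrivilegeObject> getPrivilegesByProvider(String str, String str2, Set<MSentryRole> set, List<? extends Authorizable> list, PersistenceManager persistenceManager) {
        Set<PrivilegeObject> result = Sets.newHashSet();
        if (set == null || set.isEmpty()) {
            return result;
        }
        MSentryGMPrivilege probe = new MSentryGMPrivilege(str, str2, list, null, null);
        for (MSentryGMPrivilege row : populateIncludePrivileges(set, probe, persistenceManager)) {
            result.add(toPrivilegeObject(row));
        }
        return result;
    }

    /**
     * Same lookup as {@link #getPrivilegesByProvider} but returns the model objects themselves.
     *
     * @param str component name
     * @param str2 service name
     * @param set roles to look up; {@code null} or empty yields an empty result
     * @param list authorizables identifying the resource
     * @return a new mutable set, never {@code null}
     */
    public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String str, String str2, Set<MSentryRole> set, List<? extends Authorizable> list, PersistenceManager persistenceManager) {
        if (set == null || set.isEmpty()) {
            return Sets.newHashSet();
        }
        return populateIncludePrivileges(set, new MSentryGMPrivilege(str, str2, list, null, null), persistenceManager);
    }

    /**
     * Moves every privilege stored under the old authorizables to the new ones, for every role
     * that holds it: the old privilege is revoked and an equivalent one (same action and grant
     * option) is granted on the renamed resource.
     *
     * @param str component name
     * @param str2 service name
     * @param list authorizables of the resource before the rename
     * @param list2 authorizables that replace the leading entries of each matched privilege
     * @param str3 not read by this method
     * @throws SentryUserException declared for callers; nothing in this method throws it directly
     */
    public void renamePrivilege(String str, String str2, List<? extends Authorizable> list, List<? extends Authorizable> list2, String str3, PersistenceManager persistenceManager) throws SentryUserException {
        MSentryGMPrivilege oldResource = new MSentryGMPrivilege(str, str2, list, null, null);
        oldResource.setAction(getAction(str, ALL_ACTIONS).getValue());

        for (MSentryGMPrivilege held : populateIncludePrivileges(null, oldResource, persistenceManager)) {
            // NOTE(review): assumes list2 is never longer than the matched privilege's own
            // authorizable list; set() throws IndexOutOfBoundsException otherwise - confirm.
            List<Authorizable> renamed = new ArrayList<Authorizable>(held.getAuthorizables());
            for (int i = 0; i < list2.size(); i++) {
                renamed.set(i, list2.get(i));
            }
            MSentryGMPrivilege replacement = new MSentryGMPrivilege(str, str2, renamed, held.getAction(), held.getGrantOption());

            // Force the role collection to load before it is walked.
            persistenceManager.retrieve(held);
            // Snapshot for the same reason as in dropPrivilege(): the revoke below removes the
            // role from the privilege whose roles are being iterated.
            for (MSentryRole role : Sets.newHashSet(held.getRoles())) {
                revokeRolePartial(oldResource, held, role, persistenceManager);
                grantRolePartial(replacement, role, persistenceManager);
            }
        }
    }

    /**
     * Resolves an action name for a component.
     *
     * @throws RuntimeException if the component's factory does not know the action name
     */
    private BitFieldAction getAction(String str, String str2) {
        BitFieldAction action = getActionFactory(str).getActionByName(str2);
        if (action == null) {
            throw new RuntimeException("Can not get BitFieldAction for name: " + str2);
        }
        return action;
    }

    /**
     * Returns the cached action factory for a component, loading it from configuration on first
     * use. The cache key is the component name lower-cased with {@code Locale.ROOT}, so the
     * lookup does not depend on the JVM's default locale.
     */
    private BitFieldActionFactory getActionFactory(String str) {
        String key = str.toLowerCase(java.util.Locale.ROOT);
        BitFieldActionFactory cached = actionFactories.get(key);
        if (cached != null || actionFactories.containsKey(key)) {
            return cached;
        }
        BitFieldActionFactory created = createActionFactory(key);
        actionFactories.put(key, created);
        LOGGER.info("Action factory for component {} is not found in cache. Loaded it from configuration as {}.", str, created.getClass().getName());
        return created;
    }

    /**
     * Instantiates the action factory class that the configuration names for a component.
     *
     * <p>The class is loaded without running its static initializers, checked to be a
     * {@link BitFieldActionFactory}, and only then instantiated through its no-argument
     * constructor, so a misconfigured class name never gets to execute code here.
     *
     * @param str lower-cased component name
     * @throws RuntimeException if no class is configured, the class cannot be found, is not a
     *     {@code BitFieldActionFactory}, or cannot be instantiated
     */
    private BitFieldActionFactory createActionFactory(String str) {
        String className = this.conf.get(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, str));
        if (className == null) {
            throw new RuntimeException("ActionFactory not defined for component " + str + ". Please define the parameter " + ServiceConstants.ServerConfig.SENTRY_DB_PROPERTY_PREFIX + str + ".action.factory in configuration");
        }

        Class<?> factoryClass;
        try {
            factoryClass = Class.forName(className, false, PrivilegeOperatePersistence.class.getClassLoader());
        } catch (ClassNotFoundException e) {
            // Keep the cause so the failing class loader lookup shows up in the stack trace.
            throw new RuntimeException("ActionFactory class " + className + " not found.", e);
        }
        if (!BitFieldActionFactory.class.isAssignableFrom(factoryClass)) {
            throw new RuntimeException("ActionFactory class " + className + " must extend " + BitFieldActionFactory.class.getName());
        }

        try {
            // Instantiate through the very constructor that was made accessible; calling
            // Class.newInstance() instead would ignore the setAccessible(true) above it.
            java.lang.reflect.Constructor<?> constructor = factoryClass.getDeclaredConstructor();
            constructor.setAccessible(true);
            return (BitFieldActionFactory) constructor.newInstance();
        } catch (ReflectiveOperationException e) {
            throw new RuntimeException("Could not instantiate actionFactory " + className + " for component: " + str, e);
        }
    }

    /**
     * Declares the {@code role} variable on {@code query} and returns a filter fragment that
     * matches privileges held by any of {@code roles}. Each role name is bound through an
     * implicit JDOQL parameter whose value is stored in {@code params}; the caller must run the
     * query with {@code executeWithMap(params)}.
     */
    private static String roleFilter(Query query, Set<MSentryRole> roles, Map<String, Object> params) {
        query.declareVariables(ROLE_VARIABLE);
        List<String> clauses = new ArrayList<String>(roles.size());
        int index = 0;
        for (MSentryRole role : roles) {
            String paramName = "roleName" + index++;
            clauses.add("role.roleName == :" + paramName);
            params.put(paramName, role.getRoleName());
        }
        return "roles.contains(role) && (" + Joiner.on(" || ").join(clauses) + ")";
    }

    /** Copies a stored privilege into the transport-level {@link PrivilegeObject}. */
    private static PrivilegeObject toPrivilegeObject(MSentryGMPrivilege privilege) {
        return new PrivilegeObject.Builder()
                .setComponent(privilege.getComponentName())
                .setService(privilege.getServiceName())
                .setAction(privilege.getAction())
                .setAuthorizables(privilege.getAuthorizables())
                .withGrantOption(privilege.getGrantOption())
                .build();
    }
}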
