package org.apache.druid.security.basic.authorization.db.updater;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import com.google.inject.Inject;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.druid.common.config.ConfigManager;
import org.apache.druid.concurrent.LifecycleLock;
import org.apache.druid.guice.ManageLifecycle;
import org.apache.druid.guice.annotations.Smile;
import org.apache.druid.java.util.common.ISE;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.concurrent.Execs;
import org.apache.druid.java.util.common.concurrent.ScheduledExecutors;
import org.apache.druid.java.util.common.lifecycle.LifecycleStart;
import org.apache.druid.java.util.common.lifecycle.LifecycleStop;
import org.apache.druid.java.util.emitter.EmittingLogger;
import org.apache.druid.metadata.MetadataCASUpdate;
import org.apache.druid.metadata.MetadataStorageConnector;
import org.apache.druid.metadata.MetadataStorageTablesConfig;
import org.apache.druid.security.basic.BasicAuthCommonCacheConfig;
import org.apache.druid.security.basic.BasicAuthDBConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityDBResourceException;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheNotifier;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingMapBundle;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleMapBundle;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserMapBundle;
import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap;
import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.AuthorizerMapper;
import org.apache.druid.server.security.Resource;
import org.apache.druid.server.security.ResourceAction;
import org.apache.druid.server.security.ResourceType;
import org.joda.time.Duration;

@ManageLifecycle
/* loaded from: input_file:org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.class */
public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAuthorizerMetadataStorageUpdater {
    private static final long UPDATE_RETRY_DELAY = 1000;
    private static final String USERS = "users";
    private static final String GROUP_MAPPINGS = "groupMappings";
    private static final String ROLES = "roles";
    private final AuthorizerMapper authorizerMapper;
    private final MetadataStorageConnector connector;
    private final MetadataStorageTablesConfig connectorConfig;
    private final BasicAuthorizerCacheNotifier cacheNotifier;
    private final BasicAuthCommonCacheConfig commonCacheConfig;
    private final ObjectMapper objectMapper;
    private static final EmittingLogger LOG = new EmittingLogger(CoordinatorBasicAuthorizerMetadataStorageUpdater.class);
    public static final List<ResourceAction> SUPERUSER_PERMISSIONS = makeSuperUserPermissions();
    private final int numRetries = 5;
    private final LifecycleLock lifecycleLock = new LifecycleLock();
    private volatile boolean stopped = false;
    private final ScheduledExecutorService exec = Execs.scheduledSingleThreaded("CoordinatorBasicAuthorizerMetadataStorageUpdater-Exec--%d");
    private final Map<String, BasicAuthorizerUserMapBundle> cachedUserMaps = new ConcurrentHashMap();
    private final Map<String, BasicAuthorizerGroupMappingMapBundle> cachedGroupMappingMaps = new ConcurrentHashMap();
    private final Map<String, BasicAuthorizerRoleMapBundle> cachedRoleMaps = new ConcurrentHashMap();
    private final Set<String> authorizerNames = new HashSet();

    @Inject
    public CoordinatorBasicAuthorizerMetadataStorageUpdater(AuthorizerMapper authorizerMapper, MetadataStorageConnector metadataStorageConnector, MetadataStorageTablesConfig metadataStorageTablesConfig, BasicAuthCommonCacheConfig basicAuthCommonCacheConfig, @Smile ObjectMapper objectMapper, BasicAuthorizerCacheNotifier basicAuthorizerCacheNotifier, ConfigManager configManager) {
        this.authorizerMapper = authorizerMapper;
        this.connector = metadataStorageConnector;
        this.connectorConfig = metadataStorageTablesConfig;
        this.commonCacheConfig = basicAuthCommonCacheConfig;
        this.objectMapper = objectMapper;
        this.cacheNotifier = basicAuthorizerCacheNotifier;
    }

    @LifecycleStart
    public void start() {
        if (!this.lifecycleLock.canStart()) {
            throw new ISE("can't start.", new Object[0]);
        }
        if (this.authorizerMapper == null || this.authorizerMapper.getAuthorizerMap() == null) {
            return;
        }
        try {
            LOG.info("Starting CoordinatorBasicAuthorizerMetadataStorageUpdater", new Object[0]);
            BasicAuthUtils.maybeInitialize(() -> {
                for (Map.Entry entry : this.authorizerMapper.getAuthorizerMap().entrySet()) {
                    Authorizer authorizer = (Authorizer) entry.getValue();
                    if (authorizer instanceof BasicRoleBasedAuthorizer) {
                        BasicAuthDBConfig dbConfig = ((BasicRoleBasedAuthorizer) authorizer).getDbConfig();
                        String str = (String) entry.getKey();
                        this.authorizerNames.add(str);
                        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
                        Map<String, BasicAuthorizerUser> deserializeAuthorizerUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(this.objectMapper, currentUserMapBytes);
                        this.cachedUserMaps.put(str, new BasicAuthorizerUserMapBundle(deserializeAuthorizerUserMap, currentUserMapBytes));
                        byte[] currentGroupMappingMapBytes = getCurrentGroupMappingMapBytes(str);
                        Map<String, BasicAuthorizerGroupMapping> deserializeAuthorizerGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(this.objectMapper, currentGroupMappingMapBytes);
                        this.cachedGroupMappingMaps.put(str, new BasicAuthorizerGroupMappingMapBundle(deserializeAuthorizerGroupMappingMap, currentGroupMappingMapBytes));
                        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
                        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
                        this.cachedRoleMaps.put(str, new BasicAuthorizerRoleMapBundle(deserializeAuthorizerRoleMap, currentRoleMapBytes));
                        initSuperUsersAndGroupMapping(str, deserializeAuthorizerUserMap, deserializeAuthorizerRoleMap, deserializeAuthorizerGroupMappingMap, dbConfig.getInitialAdminUser(), dbConfig.getInitialAdminRole(), dbConfig.getInitialAdminGroupMapping());
                    }
                }
                return true;
            });
            ScheduledExecutors.scheduleWithFixedDelay(this.exec, new Duration(this.commonCacheConfig.getPollingPeriod()), new Duration(this.commonCacheConfig.getPollingPeriod()), () -> {
                if (this.stopped) {
                    return ScheduledExecutors.Signal.STOP;
                }
                try {
                    LOG.debug("Scheduled db poll is running", new Object[0]);
                    for (String str : this.authorizerNames) {
                        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
                        Map<String, BasicAuthorizerUser> deserializeAuthorizerUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(this.objectMapper, currentUserMapBytes);
                        if (currentUserMapBytes != null) {
                            synchronized (this.cachedUserMaps) {
                                this.cachedUserMaps.put(str, new BasicAuthorizerUserMapBundle(deserializeAuthorizerUserMap, currentUserMapBytes));
                            }
                        }
                        byte[] currentGroupMappingMapBytes = getCurrentGroupMappingMapBytes(str);
                        Map<String, BasicAuthorizerGroupMapping> deserializeAuthorizerGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(this.objectMapper, currentGroupMappingMapBytes);
                        if (currentGroupMappingMapBytes != null) {
                            synchronized (this.cachedGroupMappingMaps) {
                                this.cachedGroupMappingMaps.put(str, new BasicAuthorizerGroupMappingMapBundle(deserializeAuthorizerGroupMappingMap, currentGroupMappingMapBytes));
                            }
                        }
                        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
                        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
                        if (currentRoleMapBytes != null) {
                            synchronized (this.cachedRoleMaps) {
                                this.cachedRoleMaps.put(str, new BasicAuthorizerRoleMapBundle(deserializeAuthorizerRoleMap, currentRoleMapBytes));
                            }
                        }
                    }
                    LOG.debug("Scheduled db poll is done", new Object[0]);
                } catch (Throwable th) {
                    LOG.makeAlert(th, "Error occured while polling for cachedUserMaps, cachedGroupMappingMaps, cachedRoleMaps.", new Object[0]).emit();
                }
                return ScheduledExecutors.Signal.REPEAT;
            });
            this.lifecycleLock.started();
        } finally {
            this.lifecycleLock.exitStart();
        }
    }

    @LifecycleStop
    public void stop() {
        if (!this.lifecycleLock.canStop()) {
            throw new ISE("can't stop.", new Object[0]);
        }
        LOG.info("CoordinatorBasicAuthorizerMetadataStorageUpdater is stopping.", new Object[0]);
        this.stopped = true;
        LOG.info("CoordinatorBasicAuthorizerMetadataStorageUpdater is stopped.", new Object[0]);
    }

    private static String getPrefixedKeyColumn(String str, String str2) {
        return StringUtils.format("basic_authorization_%s_%s", new Object[]{str, str2});
    }

    private boolean tryUpdateUserMap(String str, Map<String, BasicAuthorizerUser> map, byte[] bArr, byte[] bArr2) {
        try {
            ArrayList arrayList = new ArrayList();
            if (map == null) {
                return false;
            }
            arrayList.add(createMetadataCASUpdate(str, bArr, bArr2, USERS));
            if (!this.connector.compareAndSwap(arrayList)) {
                return false;
            }
            this.cachedUserMaps.put(str, new BasicAuthorizerUserMapBundle(map, bArr2));
            this.cacheNotifier.addUpdateUser(str, getCurrentUserAndRoleMapSerialized(str));
            return true;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private boolean tryUpdateGroupMappingMap(String str, Map<String, BasicAuthorizerGroupMapping> map, byte[] bArr, byte[] bArr2) {
        try {
            ArrayList arrayList = new ArrayList();
            if (map == null) {
                return false;
            }
            arrayList.add(createMetadataCASUpdate(str, bArr, bArr2, GROUP_MAPPINGS));
            if (!this.connector.compareAndSwap(arrayList)) {
                return false;
            }
            this.cachedGroupMappingMaps.put(str, new BasicAuthorizerGroupMappingMapBundle(map, bArr2));
            this.cacheNotifier.addUpdateGroupMapping(str, getCurrentGroupMappingAndRoleMapSerialized(str));
            return true;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private boolean tryUpdateRoleMap(String str, Map<String, BasicAuthorizerRole> map, byte[] bArr, byte[] bArr2) {
        try {
            ArrayList arrayList = new ArrayList();
            if (map == null) {
                return false;
            }
            arrayList.add(createMetadataCASUpdate(str, bArr, bArr2, ROLES));
            if (!this.connector.compareAndSwap(arrayList)) {
                return false;
            }
            this.cachedRoleMaps.put(str, new BasicAuthorizerRoleMapBundle(map, bArr2));
            this.cacheNotifier.addUpdateUser(str, getCurrentUserAndRoleMapSerialized(str));
            this.cacheNotifier.addUpdateGroupMapping(str, getCurrentGroupMappingAndRoleMapSerialized(str));
            return true;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private boolean tryUpdateUserAndRoleMap(String str, Map<String, BasicAuthorizerUser> map, byte[] bArr, byte[] bArr2, Map<String, BasicAuthorizerRole> map2, byte[] bArr3, byte[] bArr4) {
        try {
            ArrayList arrayList = new ArrayList();
            if (map == null || map2 == null) {
                return false;
            }
            arrayList.add(createMetadataCASUpdate(str, bArr, bArr2, USERS));
            arrayList.add(createMetadataCASUpdate(str, bArr3, bArr4, ROLES));
            if (!this.connector.compareAndSwap(arrayList)) {
                return false;
            }
            this.cachedUserMaps.put(str, new BasicAuthorizerUserMapBundle(map, bArr2));
            this.cachedRoleMaps.put(str, new BasicAuthorizerRoleMapBundle(map2, bArr4));
            this.cacheNotifier.addUpdateUser(str, getCurrentUserAndRoleMapSerialized(str));
            return true;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private boolean tryUpdateGroupMappingAndRoleMap(String str, Map<String, BasicAuthorizerGroupMapping> map, byte[] bArr, byte[] bArr2, Map<String, BasicAuthorizerRole> map2, byte[] bArr3, byte[] bArr4) {
        try {
            ArrayList arrayList = new ArrayList();
            if (map != null && map2 != null) {
                arrayList.add(createMetadataCASUpdate(str, bArr, bArr2, GROUP_MAPPINGS));
                arrayList.add(createMetadataCASUpdate(str, bArr3, bArr4, ROLES));
            }
            if (!this.connector.compareAndSwap(arrayList)) {
                return false;
            }
            this.cachedGroupMappingMaps.put(str, new BasicAuthorizerGroupMappingMapBundle(map, bArr2));
            this.cachedRoleMaps.put(str, new BasicAuthorizerRoleMapBundle(map2, bArr4));
            this.cacheNotifier.addUpdateGroupMapping(str, getCurrentGroupMappingAndRoleMapSerialized(str));
            return true;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    @Nonnull
    private MetadataCASUpdate createMetadataCASUpdate(String str, byte[] bArr, byte[] bArr2, String str2) {
        return new MetadataCASUpdate(this.connectorConfig.getConfigTable(), "name", "payload", getPrefixedKeyColumn(str, str2), bArr, bArr2);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void createUser(String str, String str2) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        createUserInternal(str, str2);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void deleteUser(String str, String str2) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        deleteUserInternal(str, str2);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void createGroupMapping(String str, BasicAuthorizerGroupMapping basicAuthorizerGroupMapping) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        createGroupMappingInternal(str, basicAuthorizerGroupMapping);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void deleteGroupMapping(String str, String str2) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        deleteGroupMappingInternal(str, str2);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void createRole(String str, String str2) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        createRoleInternal(str, str2);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void deleteRole(String str, String str2) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        deleteRoleInternal(str, str2);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void assignUserRole(String str, String str2, String str3) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        assignUserRoleInternal(str, str2, str3);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void unassignUserRole(String str, String str2, String str3) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        unassignUserRoleInternal(str, str2, str3);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void assignGroupMappingRole(String str, String str2, String str3) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        assignGroupMappingRoleInternal(str, str2, str3);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void unassignGroupMappingRole(String str, String str2, String str3) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        unassignGroupMappingRoleInternal(str, str2, str3);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void setPermissions(String str, String str2, List<ResourceAction> list) {
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        setPermissionsInternal(str, str2, list);
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    @Nullable
    public Map<String, BasicAuthorizerUser> getCachedUserMap(String str) {
        BasicAuthorizerUserMapBundle basicAuthorizerUserMapBundle = this.cachedUserMaps.get(str);
        if (basicAuthorizerUserMapBundle == null) {
            return null;
        }
        return basicAuthorizerUserMapBundle.getUserMap();
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public Map<String, BasicAuthorizerGroupMapping> getCachedGroupMappingMap(String str) {
        BasicAuthorizerGroupMappingMapBundle basicAuthorizerGroupMappingMapBundle = this.cachedGroupMappingMaps.get(str);
        if (basicAuthorizerGroupMappingMapBundle == null) {
            return null;
        }
        return basicAuthorizerGroupMappingMapBundle.getGroupMappingMap();
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    @Nullable
    public Map<String, BasicAuthorizerRole> getCachedRoleMap(String str) {
        BasicAuthorizerRoleMapBundle basicAuthorizerRoleMapBundle = this.cachedRoleMaps.get(str);
        if (basicAuthorizerRoleMapBundle == null) {
            return null;
        }
        return basicAuthorizerRoleMapBundle.getRoleMap();
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public byte[] getCurrentUserMapBytes(String str) {
        return this.connector.lookup(this.connectorConfig.getConfigTable(), "name", "payload", getPrefixedKeyColumn(str, USERS));
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public byte[] getCurrentGroupMappingMapBytes(String str) {
        return this.connector.lookup(this.connectorConfig.getConfigTable(), "name", "payload", getPrefixedKeyColumn(str, GROUP_MAPPINGS));
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public byte[] getCurrentRoleMapBytes(String str) {
        return this.connector.lookup(this.connectorConfig.getConfigTable(), "name", "payload", getPrefixedKeyColumn(str, ROLES));
    }

    @Override // org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater
    public void refreshAllNotification() {
        this.authorizerNames.forEach(str -> {
            try {
                this.cacheNotifier.addUpdateUser(str, getCurrentUserAndRoleMapSerialized(str));
                this.cacheNotifier.addUpdateGroupMapping(str, getCurrentGroupMappingAndRoleMapSerialized(str));
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        });
    }

    private byte[] getCurrentUserAndRoleMapSerialized(String str) throws IOException {
        BasicAuthorizerUserMapBundle basicAuthorizerUserMapBundle = this.cachedUserMaps.get(str);
        BasicAuthorizerRoleMapBundle basicAuthorizerRoleMapBundle = this.cachedRoleMaps.get(str);
        return this.objectMapper.writeValueAsBytes(new UserAndRoleMap(basicAuthorizerUserMapBundle == null ? null : basicAuthorizerUserMapBundle.getUserMap(), basicAuthorizerRoleMapBundle == null ? null : basicAuthorizerRoleMapBundle.getRoleMap()));
    }

    private byte[] getCurrentGroupMappingAndRoleMapSerialized(String str) throws IOException {
        BasicAuthorizerGroupMappingMapBundle basicAuthorizerGroupMappingMapBundle = this.cachedGroupMappingMaps.get(str);
        BasicAuthorizerRoleMapBundle basicAuthorizerRoleMapBundle = this.cachedRoleMaps.get(str);
        return this.objectMapper.writeValueAsBytes(new GroupMappingAndRoleMap(basicAuthorizerGroupMappingMapBundle == null ? null : basicAuthorizerGroupMappingMapBundle.getGroupMappingMap(), basicAuthorizerRoleMapBundle == null ? null : basicAuthorizerRoleMapBundle.getRoleMap()));
    }

    private void createUserInternal(String str, String str2) {
        int i = 0;
        while (i < 5) {
            if (createUserOnce(str, str2)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not create user [%s] due to concurrent update contention.", new Object[]{str2});
    }

    private void deleteUserInternal(String str, String str2) {
        int i = 0;
        while (i < 5) {
            if (deleteUserOnce(str, str2)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not delete user [%s] due to concurrent update contention.", new Object[]{str2});
    }

    private void createGroupMappingInternal(String str, BasicAuthorizerGroupMapping basicAuthorizerGroupMapping) {
        int i = 0;
        while (i < 5) {
            if (createGroupMappingOnce(str, basicAuthorizerGroupMapping)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not create group mapping [%s] due to concurrent update contention.", new Object[]{basicAuthorizerGroupMapping});
    }

    private void deleteGroupMappingInternal(String str, String str2) {
        int i = 0;
        while (i < 5) {
            if (deleteGroupMappingOnce(str, str2)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not delete group mapping [%s] due to concurrent update contention.", new Object[]{str2});
    }

    private void createRoleInternal(String str, String str2) {
        int i = 0;
        while (i < 5) {
            if (createRoleOnce(str, str2)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not create role [%s] due to concurrent update contention.", new Object[]{str2});
    }

    private void deleteRoleInternal(String str, String str2) {
        int i = 0;
        while (i < 5) {
            if (deleteRoleOnce(str, str2)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not delete role [%s] due to concurrent update contention.", new Object[]{str2});
    }

    private void assignUserRoleInternal(String str, String str2, String str3) {
        int i = 0;
        while (i < 5) {
            if (assignUserRoleOnce(str, str2, str3)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not assign role [%s] to user [%s] due to concurrent update contention.", new Object[]{str3, str2});
    }

    private void unassignUserRoleInternal(String str, String str2, String str3) {
        int i = 0;
        while (i < 5) {
            if (unassignUserRoleOnce(str, str2, str3)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not unassign role [%s] from user [%s] due to concurrent update contention.", new Object[]{str3, str2});
    }

    private void assignGroupMappingRoleInternal(String str, String str2, String str3) {
        int i = 0;
        while (i < 5) {
            if (assignGroupMappingRoleOnce(str, str2, str3)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not assign role [%s] to group mapping [%s] due to concurrent update contention.", new Object[]{str3, str2});
    }

    private void unassignGroupMappingRoleInternal(String str, String str2, String str3) {
        int i = 0;
        while (i < 5) {
            if (unassignGroupMappingRoleOnce(str, str2, str3)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not unassign role [%s] from group mapping [%s] due to concurrent update contention.", new Object[]{str3, str2});
    }

    private void setPermissionsInternal(String str, String str2, List<ResourceAction> list) {
        int i = 0;
        while (i < 5) {
            if (setPermissionsOnce(str, str2, list)) {
                return;
            }
            i++;
            try {
                Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
            } catch (InterruptedException e) {
                throw new RuntimeException(e);
            }
        }
        throw new ISE("Could not set permissions for role [%s] due to concurrent update contention.", new Object[]{str2});
    }

    private boolean deleteUserOnce(String str, String str2) {
        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
        Map<String, BasicAuthorizerUser> deserializeAuthorizerUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(this.objectMapper, currentUserMapBytes);
        if (deserializeAuthorizerUserMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("User [%s] does not exist.", str2);
        }
        deserializeAuthorizerUserMap.remove(str2);
        return tryUpdateUserMap(str, deserializeAuthorizerUserMap, currentUserMapBytes, BasicAuthUtils.serializeAuthorizerUserMap(this.objectMapper, deserializeAuthorizerUserMap));
    }

    private boolean createUserOnce(String str, String str2) {
        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
        Map<String, BasicAuthorizerUser> deserializeAuthorizerUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(this.objectMapper, currentUserMapBytes);
        if (deserializeAuthorizerUserMap.get(str2) != null) {
            throw new BasicSecurityDBResourceException("User [%s] already exists.", str2);
        }
        deserializeAuthorizerUserMap.put(str2, new BasicAuthorizerUser(str2, null));
        return tryUpdateUserMap(str, deserializeAuthorizerUserMap, currentUserMapBytes, BasicAuthUtils.serializeAuthorizerUserMap(this.objectMapper, deserializeAuthorizerUserMap));
    }

    private boolean deleteGroupMappingOnce(String str, String str2) {
        byte[] currentGroupMappingMapBytes = getCurrentGroupMappingMapBytes(str);
        Map<String, BasicAuthorizerGroupMapping> deserializeAuthorizerGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(this.objectMapper, currentGroupMappingMapBytes);
        if (deserializeAuthorizerGroupMappingMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", str2);
        }
        deserializeAuthorizerGroupMappingMap.remove(str2);
        return tryUpdateGroupMappingMap(str, deserializeAuthorizerGroupMappingMap, currentGroupMappingMapBytes, BasicAuthUtils.serializeAuthorizerGroupMappingMap(this.objectMapper, deserializeAuthorizerGroupMappingMap));
    }

    private boolean createGroupMappingOnce(String str, BasicAuthorizerGroupMapping basicAuthorizerGroupMapping) {
        byte[] currentGroupMappingMapBytes = getCurrentGroupMappingMapBytes(str);
        Map<String, BasicAuthorizerGroupMapping> deserializeAuthorizerGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(this.objectMapper, currentGroupMappingMapBytes);
        if (deserializeAuthorizerGroupMappingMap.get(basicAuthorizerGroupMapping.getName()) != null) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] already exists.", basicAuthorizerGroupMapping.getName());
        }
        deserializeAuthorizerGroupMappingMap.put(basicAuthorizerGroupMapping.getName(), basicAuthorizerGroupMapping);
        return tryUpdateGroupMappingMap(str, deserializeAuthorizerGroupMappingMap, currentGroupMappingMapBytes, BasicAuthUtils.serializeAuthorizerGroupMappingMap(this.objectMapper, deserializeAuthorizerGroupMappingMap));
    }

    private boolean createRoleOnce(String str, String str2) {
        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
        if (deserializeAuthorizerRoleMap.get(str2) != null) {
            throw new BasicSecurityDBResourceException("Role [%s] already exists.", str2);
        }
        deserializeAuthorizerRoleMap.put(str2, new BasicAuthorizerRole(str2, null));
        return tryUpdateRoleMap(str, deserializeAuthorizerRoleMap, currentRoleMapBytes, BasicAuthUtils.serializeAuthorizerRoleMap(this.objectMapper, deserializeAuthorizerRoleMap));
    }

    private boolean deleteRoleOnce(String str, String str2) {
        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
        if (deserializeAuthorizerRoleMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("Role [%s] does not exist.", str2);
        }
        deserializeAuthorizerRoleMap.remove(str2);
        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
        Map<String, BasicAuthorizerUser> deserializeAuthorizerUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(this.objectMapper, currentUserMapBytes);
        Iterator<BasicAuthorizerUser> it = deserializeAuthorizerUserMap.values().iterator();
        while (it.hasNext()) {
            it.next().getRoles().remove(str2);
        }
        byte[] serializeAuthorizerUserMap = BasicAuthUtils.serializeAuthorizerUserMap(this.objectMapper, deserializeAuthorizerUserMap);
        byte[] currentGroupMappingMapBytes = getCurrentGroupMappingMapBytes(str);
        Map<String, BasicAuthorizerGroupMapping> deserializeAuthorizerGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(this.objectMapper, currentGroupMappingMapBytes);
        Iterator<BasicAuthorizerGroupMapping> it2 = deserializeAuthorizerGroupMappingMap.values().iterator();
        while (it2.hasNext()) {
            it2.next().getRoles().remove(str2);
        }
        byte[] serializeAuthorizerGroupMappingMap = BasicAuthUtils.serializeAuthorizerGroupMappingMap(this.objectMapper, deserializeAuthorizerGroupMappingMap);
        byte[] serializeAuthorizerRoleMap = BasicAuthUtils.serializeAuthorizerRoleMap(this.objectMapper, deserializeAuthorizerRoleMap);
        return tryUpdateUserAndRoleMap(str, deserializeAuthorizerUserMap, currentUserMapBytes, serializeAuthorizerUserMap, deserializeAuthorizerRoleMap, currentRoleMapBytes, serializeAuthorizerRoleMap) && tryUpdateGroupMappingAndRoleMap(str, deserializeAuthorizerGroupMappingMap, currentGroupMappingMapBytes, serializeAuthorizerGroupMappingMap, deserializeAuthorizerRoleMap, serializeAuthorizerRoleMap, serializeAuthorizerRoleMap);
    }

    private boolean assignUserRoleOnce(String str, String str2, String str3) {
        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
        if (deserializeAuthorizerRoleMap.get(str3) == null) {
            throw new BasicSecurityDBResourceException("Role [%s] does not exist.", str3);
        }
        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
        Map<String, BasicAuthorizerUser> deserializeAuthorizerUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(this.objectMapper, currentUserMapBytes);
        BasicAuthorizerUser basicAuthorizerUser = deserializeAuthorizerUserMap.get(str2);
        if (deserializeAuthorizerUserMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("User [%s] does not exist.", str2);
        }
        if (basicAuthorizerUser.getRoles().contains(str3)) {
            throw new BasicSecurityDBResourceException("User [%s] already has role [%s].", str2, str3);
        }
        basicAuthorizerUser.getRoles().add(str3);
        return tryUpdateUserAndRoleMap(str, deserializeAuthorizerUserMap, currentUserMapBytes, BasicAuthUtils.serializeAuthorizerUserMap(this.objectMapper, deserializeAuthorizerUserMap), deserializeAuthorizerRoleMap, currentRoleMapBytes, currentRoleMapBytes);
    }

    private boolean unassignUserRoleOnce(String str, String str2, String str3) {
        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
        if (deserializeAuthorizerRoleMap.get(str3) == null) {
            throw new BasicSecurityDBResourceException("Role [%s] does not exist.", str3);
        }
        byte[] currentUserMapBytes = getCurrentUserMapBytes(str);
        Map<String, BasicAuthorizerUser> deserializeAuthorizerUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(this.objectMapper, currentUserMapBytes);
        BasicAuthorizerUser basicAuthorizerUser = deserializeAuthorizerUserMap.get(str2);
        if (deserializeAuthorizerUserMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("User [%s] does not exist.", str2);
        }
        if (!basicAuthorizerUser.getRoles().contains(str3)) {
            throw new BasicSecurityDBResourceException("User [%s] does not have role [%s].", str2, str3);
        }
        basicAuthorizerUser.getRoles().remove(str3);
        return tryUpdateUserAndRoleMap(str, deserializeAuthorizerUserMap, currentUserMapBytes, BasicAuthUtils.serializeAuthorizerUserMap(this.objectMapper, deserializeAuthorizerUserMap), deserializeAuthorizerRoleMap, currentRoleMapBytes, currentRoleMapBytes);
    }

    private boolean assignGroupMappingRoleOnce(String str, String str2, String str3) {
        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
        if (deserializeAuthorizerRoleMap.get(str3) == null) {
            throw new BasicSecurityDBResourceException("Role [%s] does not exist.", str3);
        }
        byte[] currentGroupMappingMapBytes = getCurrentGroupMappingMapBytes(str);
        Map<String, BasicAuthorizerGroupMapping> deserializeAuthorizerGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(this.objectMapper, currentGroupMappingMapBytes);
        BasicAuthorizerGroupMapping basicAuthorizerGroupMapping = deserializeAuthorizerGroupMappingMap.get(str2);
        if (deserializeAuthorizerGroupMappingMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", str2);
        }
        if (basicAuthorizerGroupMapping.getRoles().contains(str3)) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] already has role [%s].", str2, str3);
        }
        basicAuthorizerGroupMapping.getRoles().add(str3);
        return tryUpdateGroupMappingAndRoleMap(str, deserializeAuthorizerGroupMappingMap, currentGroupMappingMapBytes, BasicAuthUtils.serializeAuthorizerGroupMappingMap(this.objectMapper, deserializeAuthorizerGroupMappingMap), deserializeAuthorizerRoleMap, currentRoleMapBytes, currentRoleMapBytes);
    }

    private boolean unassignGroupMappingRoleOnce(String str, String str2, String str3) {
        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
        if (deserializeAuthorizerRoleMap.get(str3) == null) {
            throw new BasicSecurityDBResourceException("Role [%s] does not exist.", str3);
        }
        byte[] currentGroupMappingMapBytes = getCurrentGroupMappingMapBytes(str);
        Map<String, BasicAuthorizerGroupMapping> deserializeAuthorizerGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(this.objectMapper, currentGroupMappingMapBytes);
        BasicAuthorizerGroupMapping basicAuthorizerGroupMapping = deserializeAuthorizerGroupMappingMap.get(str2);
        if (deserializeAuthorizerGroupMappingMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", str2);
        }
        if (!basicAuthorizerGroupMapping.getRoles().contains(str3)) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] does not have role [%s].", str2, str3);
        }
        basicAuthorizerGroupMapping.getRoles().remove(str3);
        return tryUpdateGroupMappingAndRoleMap(str, deserializeAuthorizerGroupMappingMap, currentGroupMappingMapBytes, BasicAuthUtils.serializeAuthorizerGroupMappingMap(this.objectMapper, deserializeAuthorizerGroupMappingMap), deserializeAuthorizerRoleMap, currentRoleMapBytes, currentRoleMapBytes);
    }

    private boolean setPermissionsOnce(String str, String str2, List<ResourceAction> list) {
        byte[] currentRoleMapBytes = getCurrentRoleMapBytes(str);
        Map<String, BasicAuthorizerRole> deserializeAuthorizerRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(this.objectMapper, currentRoleMapBytes);
        if (deserializeAuthorizerRoleMap.get(str2) == null) {
            throw new BasicSecurityDBResourceException("Role [%s] does not exist.", str2);
        }
        deserializeAuthorizerRoleMap.put(str2, new BasicAuthorizerRole(str2, BasicAuthorizerPermission.makePermissionList(list)));
        return tryUpdateRoleMap(str, deserializeAuthorizerRoleMap, currentRoleMapBytes, BasicAuthUtils.serializeAuthorizerRoleMap(this.objectMapper, deserializeAuthorizerRoleMap));
    }

    private void initSuperUsersAndGroupMapping(String str, Map<String, BasicAuthorizerUser> map, Map<String, BasicAuthorizerRole> map2, Map<String, BasicAuthorizerGroupMapping> map3, String str2, String str3, String str4) {
        if (!map2.containsKey(BasicAuthUtils.ADMIN_NAME)) {
            createRoleInternal(str, BasicAuthUtils.ADMIN_NAME);
            setPermissionsInternal(str, BasicAuthUtils.ADMIN_NAME, SUPERUSER_PERMISSIONS);
        }
        if (!map2.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
            createRoleInternal(str, BasicAuthUtils.INTERNAL_USER_NAME);
            setPermissionsInternal(str, BasicAuthUtils.INTERNAL_USER_NAME, SUPERUSER_PERMISSIONS);
        }
        if (!map.containsKey(BasicAuthUtils.ADMIN_NAME)) {
            createUserInternal(str, BasicAuthUtils.ADMIN_NAME);
            assignUserRoleInternal(str, BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.ADMIN_NAME);
        }
        if (!map.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
            createUserInternal(str, BasicAuthUtils.INTERNAL_USER_NAME);
            assignUserRoleInternal(str, BasicAuthUtils.INTERNAL_USER_NAME, BasicAuthUtils.INTERNAL_USER_NAME);
        }
        if (str3 != null && !str3.equals(BasicAuthUtils.ADMIN_NAME) && !str3.equals(BasicAuthUtils.INTERNAL_USER_NAME) && !map2.containsKey(str3)) {
            createRoleInternal(str, str3);
            setPermissionsInternal(str, str3, SUPERUSER_PERMISSIONS);
        }
        if (str2 != null && !str2.equals(BasicAuthUtils.ADMIN_NAME) && !str2.equals(BasicAuthUtils.INTERNAL_USER_NAME) && !map.containsKey(str2)) {
            createUserInternal(str, str2);
            assignUserRoleInternal(str, str2, str3 == null ? BasicAuthUtils.ADMIN_NAME : str3);
        }
        if (str4 == null || map3.containsKey(BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME)) {
            return;
        }
        createGroupMappingInternal(str, new BasicAuthorizerGroupMapping(BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME, str4, new HashSet(Collections.singletonList(str3 == null ? BasicAuthUtils.ADMIN_NAME : str3))));
    }

    private static List<ResourceAction> makeSuperUserPermissions() {
        return Lists.newArrayList(new ResourceAction[]{new ResourceAction(new Resource(".*", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(".*", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource(".*", ResourceType.CONFIG), Action.READ), new ResourceAction(new Resource(".*", ResourceType.CONFIG), Action.WRITE), new ResourceAction(new Resource(".*", ResourceType.STATE), Action.READ), new ResourceAction(new Resource(".*", ResourceType.STATE), Action.WRITE)});
    }
}
