package org.apache.hadoop.crypto.key.kms.server;

import com.google.common.annotations.VisibleForTesting;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.server.KMS;
import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/crypto/key/kms/server/KMSACLs.class */
public class KMSACLs implements Runnable, KeyAuthorizationKeyProvider.KeyACLs {
    private static final Logger LOG = LoggerFactory.getLogger(KMSACLs.class);
    private static final String UNAUTHORIZED_MSG_WITH_KEY = "User:%s not allowed to do '%s' on '%s'";
    private static final String UNAUTHORIZED_MSG_WITHOUT_KEY = "User:%s not allowed to do '%s'";
    public static final String ACL_DEFAULT = "*";
    public static final int RELOADER_SLEEP_MILLIS = 1000;
    private volatile Map<Type, AccessControlList> acls;
    private volatile Map<Type, AccessControlList> blacklistedAcls;

    @VisibleForTesting
    volatile Map<String, HashMap<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList>> keyAcls;

    @VisibleForTesting
    volatile Map<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> defaultKeyAcls;

    @VisibleForTesting
    volatile Map<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> whitelistKeyAcls;
    private ScheduledExecutorService executorService;
    private long lastReload;

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/server/KMSACLs$Type.class */
    public enum Type {
        CREATE,
        DELETE,
        ROLLOVER,
        GET,
        GET_KEYS,
        GET_METADATA,
        SET_KEY_MATERIAL,
        GENERATE_EEK,
        DECRYPT_EEK;

        public String getAclConfigKey() {
            return "hadoop.kms.acl." + toString();
        }

        public String getBlacklistConfigKey() {
            return "hadoop.kms.blacklist." + toString();
        }
    }

    KMSACLs(Configuration configuration) {
        this.defaultKeyAcls = new HashMap();
        this.whitelistKeyAcls = new HashMap();
        configuration = configuration == null ? loadACLs() : configuration;
        setKMSACLs(configuration);
        setKeyACLs(configuration);
    }

    public KMSACLs() {
        this(null);
    }

    private void setKMSACLs(Configuration configuration) {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        for (Type type : Type.values()) {
            String str = configuration.get(type.getAclConfigKey(), ACL_DEFAULT);
            hashMap.put(type, new AccessControlList(str));
            String str2 = configuration.get(type.getBlacklistConfigKey());
            if (str2 != null) {
                hashMap2.put(type, new AccessControlList(str2));
                LOG.info("'{}' Blacklist '{}'", type, str2);
            }
            LOG.info("'{}' ACL '{}'", type, str);
        }
        this.acls = hashMap;
        this.blacklistedAcls = hashMap2;
    }

    @VisibleForTesting
    void setKeyACLs(Configuration configuration) {
        HashMap hashMap = new HashMap();
        for (Map.Entry entry : configuration.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX).entrySet()) {
            String str = (String) entry.getKey();
            int length = "key.acl.".length();
            int lastIndexOf = str.lastIndexOf(".");
            if (length >= lastIndexOf) {
                LOG.warn("Invalid key name '{}'", str);
            } else {
                String str2 = (String) entry.getValue();
                String substring = str.substring(length, lastIndexOf);
                String substring2 = str.substring(lastIndexOf + 1);
                KeyAuthorizationKeyProvider.KeyOpType keyOpType = null;
                try {
                    keyOpType = KeyAuthorizationKeyProvider.KeyOpType.valueOf(substring2);
                } catch (IllegalArgumentException e) {
                    LOG.warn("Invalid key Operation '{}'", substring2);
                }
                if (keyOpType != null) {
                    HashMap hashMap2 = (HashMap) hashMap.get(substring);
                    if (hashMap2 == null) {
                        hashMap2 = new HashMap();
                        hashMap.put(substring, hashMap2);
                    }
                    hashMap2.put(keyOpType, new AccessControlList(str2));
                    LOG.info("KEY_NAME '{}' KEY_OP '{}' ACL '{}'", new Object[]{substring, keyOpType, str2});
                }
            }
        }
        this.keyAcls = hashMap;
        HashMap hashMap3 = new HashMap();
        HashMap hashMap4 = new HashMap();
        for (KeyAuthorizationKeyProvider.KeyOpType keyOpType2 : KeyAuthorizationKeyProvider.KeyOpType.values()) {
            parseAclsWithPrefix(configuration, KMSConfiguration.DEFAULT_KEY_ACL_PREFIX, keyOpType2, hashMap3);
            parseAclsWithPrefix(configuration, KMSConfiguration.WHITELIST_KEY_ACL_PREFIX, keyOpType2, hashMap4);
        }
        this.defaultKeyAcls = hashMap3;
        this.whitelistKeyAcls = hashMap4;
    }

    private void parseAclsWithPrefix(Configuration configuration, String str, KeyAuthorizationKeyProvider.KeyOpType keyOpType, Map<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> map) {
        String str2 = configuration.get(str + keyOpType);
        if (str2 != null) {
            if (keyOpType == KeyAuthorizationKeyProvider.KeyOpType.ALL) {
                LOG.warn("Invalid KEY_OP '{}' for {}, ignoring", keyOpType, str);
                return;
            }
            if (str2.equals(ACL_DEFAULT)) {
                LOG.info("{} for KEY_OP '{}' is set to '*'", str, keyOpType);
            }
            map.put(keyOpType, new AccessControlList(str2));
        }
    }

    @Override // java.lang.Runnable
    public void run() {
        try {
            if (KMSConfiguration.isACLsFileNewer(this.lastReload)) {
                setKMSACLs(loadACLs());
                setKeyACLs(loadACLs());
            }
        } catch (Exception e) {
            LOG.warn(String.format("Could not reload ACLs file: '%s'", e.toString()), e);
        }
    }

    public synchronized void startReloader() {
        if (this.executorService == null) {
            this.executorService = Executors.newScheduledThreadPool(1);
            this.executorService.scheduleAtFixedRate(this, 1000L, 1000L, TimeUnit.MILLISECONDS);
        }
    }

    public synchronized void stopReloader() {
        if (this.executorService != null) {
            this.executorService.shutdownNow();
            this.executorService = null;
        }
    }

    private Configuration loadACLs() {
        LOG.debug("Loading ACLs file");
        this.lastReload = System.currentTimeMillis();
        Configuration aCLsConf = KMSConfiguration.getACLsConf();
        aCLsConf.get(Type.CREATE.getAclConfigKey());
        return aCLsConf;
    }

    public boolean hasAccess(Type type, UserGroupInformation userGroupInformation) {
        boolean isUserAllowed = this.acls.get(type).isUserAllowed(userGroupInformation);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking user [{}] for: {} {} ", new Object[]{userGroupInformation.getShortUserName(), type.toString(), this.acls.get(type).getAclString()});
        }
        if (isUserAllowed) {
            AccessControlList accessControlList = this.blacklistedAcls.get(type);
            isUserAllowed = accessControlList == null || !accessControlList.isUserInList(userGroupInformation);
            if (LOG.isDebugEnabled()) {
                if (accessControlList == null) {
                    LOG.debug("No blacklist for {}", type.toString());
                } else if (isUserAllowed) {
                    LOG.debug("user is in {}", accessControlList.getAclString());
                } else {
                    LOG.debug("user is not in {}", accessControlList.getAclString());
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("User: [{}], Type: {} Result: {}", new Object[]{userGroupInformation.getShortUserName(), type.toString(), Boolean.valueOf(isUserAllowed)});
        }
        return isUserAllowed;
    }

    public void assertAccess(Type type, UserGroupInformation userGroupInformation, KMS.KMSOp kMSOp, String str) throws AccessControlException {
        if (KMSWebApp.getACLs().hasAccess(type, userGroupInformation)) {
            return;
        }
        KMSWebApp.getUnauthorizedCallsMeter().mark();
        KMSWebApp.getKMSAudit().unauthorized(userGroupInformation, kMSOp, str);
        throw new AuthorizationException(String.format(str != null ? UNAUTHORIZED_MSG_WITH_KEY : UNAUTHORIZED_MSG_WITHOUT_KEY, userGroupInformation.getShortUserName(), kMSOp, str));
    }

    @Override // org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs
    public boolean hasAccessToKey(String str, UserGroupInformation userGroupInformation, KeyAuthorizationKeyProvider.KeyOpType keyOpType) {
        boolean z = checkKeyAccess(str, userGroupInformation, keyOpType) || checkKeyAccess(this.whitelistKeyAcls, userGroupInformation, keyOpType);
        if (!z) {
            KMSWebApp.getKMSAudit().unauthorized(userGroupInformation, keyOpType, str);
        }
        return z;
    }

    private boolean checkKeyAccess(String str, UserGroupInformation userGroupInformation, KeyAuthorizationKeyProvider.KeyOpType keyOpType) {
        Map<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> map = this.keyAcls.get(str);
        if (map == null) {
            LOG.debug("Key: {} has no ACLs defined, using defaults.", str);
            map = this.defaultKeyAcls;
        }
        boolean checkKeyAccess = checkKeyAccess(map, userGroupInformation, keyOpType);
        if (LOG.isDebugEnabled()) {
            LOG.debug("User: [{}], OpType: {}, KeyName: {} Result: {}", new Object[]{userGroupInformation.getShortUserName(), keyOpType.toString(), str, Boolean.valueOf(checkKeyAccess)});
        }
        return checkKeyAccess;
    }

    private boolean checkKeyAccess(Map<KeyAuthorizationKeyProvider.KeyOpType, AccessControlList> map, UserGroupInformation userGroupInformation, KeyAuthorizationKeyProvider.KeyOpType keyOpType) {
        AccessControlList accessControlList = map.get(keyOpType);
        if (accessControlList == null) {
            LOG.debug("No ACL available for key, denying access for {}", keyOpType);
            return false;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking user [{}] for: {}: {}" + userGroupInformation.getShortUserName(), keyOpType.toString(), accessControlList.getAclString());
        }
        return accessControlList.isUserAllowed(userGroupInformation);
    }

    @Override // org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs
    public boolean isACLPresent(String str, KeyAuthorizationKeyProvider.KeyOpType keyOpType) {
        return this.keyAcls.containsKey(str) || this.defaultKeyAcls.containsKey(keyOpType) || this.whitelistKeyAcls.containsKey(keyOpType);
    }

    @VisibleForTesting
    void forceNextReloadForTesting() {
        this.lastReload = 0L;
    }
}
