package org.apache.nifi.ranger.authorization;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.nifi.authorization.AccessPolicy;
import org.apache.nifi.authorization.Group;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.User;
import org.apache.nifi.authorization.UserGroupProvider;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.util.StringUtils;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.class */
public class RangerBasePluginWithPolicies extends RangerBasePlugin {
    private static final Logger logger = LoggerFactory.getLogger(RangerBasePluginWithPolicies.class);
    private static final String WILDCARD_ASTERISK = "*";
    private UserGroupProvider userGroupProvider;
    private AtomicReference<PolicyLookup> policies;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies$PolicyLookup.class */
    public static class PolicyLookup {
        private final Map<String, AccessPolicy> policiesByIdentifier;
        private final Map<String, Map<RequestAction, AccessPolicy>> policiesByResource;
        private final Set<AccessPolicy> allPolicies;

        private PolicyLookup() {
            this(null, null);
        }

        private PolicyLookup(Map<String, AccessPolicy> map, Map<String, Map<RequestAction, AccessPolicy>> map2) {
            if (map == null) {
                this.allPolicies = Collections.EMPTY_SET;
            } else {
                this.allPolicies = Collections.unmodifiableSet(new HashSet(map.values()));
            }
            this.policiesByIdentifier = map;
            this.policiesByResource = map2;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
            return this.allPolicies;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public AccessPolicy getAccessPolicy(String str) throws AuthorizationAccessException {
            if (this.policiesByIdentifier == null) {
                return null;
            }
            return this.policiesByIdentifier.get(str);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public AccessPolicy getAccessPolicy(String str, RequestAction requestAction) throws AuthorizationAccessException {
            Map<RequestAction, AccessPolicy> map;
            if (this.policiesByResource == null || (map = this.policiesByResource.get(str)) == null) {
                return null;
            }
            return map.get(requestAction);
        }
    }

    public RangerBasePluginWithPolicies(String str, String str2) {
        this(str, str2, null);
    }

    public RangerBasePluginWithPolicies(String str, String str2, UserGroupProvider userGroupProvider) {
        super(str, str2);
        this.policies = new AtomicReference<>(new PolicyLookup());
        this.userGroupProvider = userGroupProvider;
    }

    public void setPolicies(ServicePolicies servicePolicies) {
        super.setPolicies(servicePolicies);
        if (servicePolicies == null || servicePolicies.getPolicies() == null) {
            this.policies.set(new PolicyLookup());
        } else {
            this.policies.set(createPolicyLookup(servicePolicies));
        }
    }

    public boolean doesPolicyExist(String str, RequestAction requestAction) {
        return (str == null || this.policies.get().getAccessPolicy(str, requestAction) == null) ? false : true;
    }

    public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
        return this.policies.get().getAccessPolicies();
    }

    public AccessPolicy getAccessPolicy(String str) throws AuthorizationAccessException {
        return this.policies.get().getAccessPolicy(str);
    }

    public AccessPolicy getAccessPolicy(String str, RequestAction requestAction) throws AuthorizationAccessException {
        return this.policies.get().getAccessPolicy(str, requestAction);
    }

    private PolicyLookup createPolicyLookup(ServicePolicies servicePolicies) {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        logger.info("Converting Ranger ServicePolicies model into NiFi policy model for viewing purposes in NiFi UI.");
        servicePolicies.getPolicies().stream().forEach(rangerPolicy -> {
            if (Boolean.TRUE.equals(rangerPolicy.getIsEnabled())) {
                Set set = (Set) rangerPolicy.getResources().values().stream().filter(rangerPolicyResource -> {
                    boolean z;
                    boolean anyMatch;
                    if (rangerPolicyResource.getValues() == null) {
                        z = true;
                        anyMatch = false;
                    } else {
                        z = false;
                        anyMatch = rangerPolicyResource.getValues().stream().anyMatch(str -> {
                            return str.contains(WILDCARD_ASTERISK);
                        });
                    }
                    boolean equals = Boolean.TRUE.equals(rangerPolicyResource.getIsExcludes());
                    boolean equals2 = Boolean.TRUE.equals(rangerPolicyResource.getIsRecursive());
                    if (z) {
                        logger.warn("Encountered resources missing values. Skipping policy for viewing purposes. Will still be used for access decisions.");
                    }
                    if (anyMatch) {
                        logger.warn(String.format("Resources [%s] include a wildcard value. Skipping policy for viewing purposes. Will still be used for access decisions.", StringUtils.join(rangerPolicyResource.getValues(), ", ")));
                    }
                    if (equals) {
                        logger.warn(String.format("Resources [%s] marked as an exclude policy. Skipping policy for viewing purposes. Will still be used for access decisions.", StringUtils.join(rangerPolicyResource.getValues(), ", ")));
                    }
                    if (equals2) {
                        logger.warn(String.format("Resources [%s] marked as a recursive policy. Skipping policy for viewing purposes. Will still be used for access decisions.", StringUtils.join(rangerPolicyResource.getValues(), ", ")));
                    }
                    return (z || anyMatch || equals || equals2) ? false : true;
                }).flatMap(rangerPolicyResource2 -> {
                    return rangerPolicyResource2.getValues().stream();
                }).collect(Collectors.toSet());
                rangerPolicy.getPolicyItems().forEach(rangerPolicyItem -> {
                    Set set2 = (Set) rangerPolicyItem.getUsers().stream().map(str -> {
                        return getUser(str);
                    }).filter((v0) -> {
                        return Objects.nonNull(v0);
                    }).map(user -> {
                        return user.getIdentifier();
                    }).collect(Collectors.toSet());
                    Set set3 = (Set) rangerPolicyItem.getGroups().stream().map(str2 -> {
                        return getGroup(str2);
                    }).filter((v0) -> {
                        return Objects.nonNull(v0);
                    }).map(group -> {
                        return group.getIdentifier();
                    }).collect(Collectors.toSet());
                    boolean equals = Boolean.TRUE.equals(rangerPolicyItem.getDelegateAdmin());
                    rangerPolicyItem.getAccesses().forEach(rangerPolicyItemAccess -> {
                        try {
                            RequestAction valueOf = RequestAction.valueOf(rangerPolicyItemAccess.getType());
                            Function function = str3 -> {
                                return new AccessPolicy.Builder().identifierGenerateFromSeed(str3 + rangerPolicyItemAccess.getType()).resource(str3).action(valueOf).addUsers(set2).addGroups(set3).build();
                            };
                            set.forEach(str4 -> {
                                AccessPolicy accessPolicy = (AccessPolicy) function.apply(str4);
                                hashMap.put(accessPolicy.getIdentifier(), accessPolicy);
                                ((Map) hashMap2.computeIfAbsent(str4, str4 -> {
                                    return new HashMap();
                                })).put(valueOf, accessPolicy);
                                if (equals) {
                                    String str5 = str4.startsWith("/") ? "/policies" + str4 : "/policies/" + str4;
                                    AccessPolicy accessPolicy2 = (AccessPolicy) function.apply(str5);
                                    hashMap.put(accessPolicy2.getIdentifier(), accessPolicy2);
                                    ((Map) hashMap2.computeIfAbsent(str5, str6 -> {
                                        return new HashMap();
                                    })).put(valueOf, accessPolicy2);
                                }
                            });
                        } catch (IllegalArgumentException e) {
                            logger.warn(String.format("Unrecognized request action '%s'. Skipping policy for viewing purposes. Will still be used for access decisions.", rangerPolicyItemAccess.getType()));
                        }
                    });
                });
            }
        });
        return new PolicyLookup(hashMap, hashMap2);
    }

    private User getUser(String str) {
        if (this.userGroupProvider == null) {
            return new User.Builder().identifierGenerateFromSeed(str).identity(str).build();
        }
        User userByIdentity = this.userGroupProvider.getUserByIdentity(str);
        if (userByIdentity == null) {
            logger.warn(String.format("Cannot find user '%s' in the configured User Group Provider. Skipping user for viewing purposes. Will still be used for access decisions.", str));
        }
        return userByIdentity;
    }

    private Group getGroup(String str) {
        if (this.userGroupProvider == null) {
            return new Group.Builder().identifierGenerateFromSeed(str).name(str).build();
        }
        Group group = (Group) this.userGroupProvider.getGroups().stream().filter(group2 -> {
            return group2.getName().equals(str);
        }).findFirst().orElse(null);
        if (group == null) {
            logger.warn(String.format("Cannot find group '%s' in the configured User Group Provider. Skipping group for viewing purposes. Will still be used for access decisions.", str));
        }
        return group;
    }
}
