package org.apache.nifi.ranger.authorization;

import java.io.File;
import java.net.MalformedURLException;
import java.util.Date;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.nifi.authorization.AuthorizationAuditor;
import org.apache.nifi.authorization.AuthorizationRequest;
import org.apache.nifi.authorization.AuthorizationResult;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.AuthorizerConfigurationContext;
import org.apache.nifi.authorization.AuthorizerInitializationContext;
import org.apache.nifi.authorization.UserContextKeys;
import org.apache.nifi.authorization.annotation.AuthorizerContext;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.authorization.exception.AuthorizerDestructionException;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.util.NiFiProperties;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/ranger/authorization/RangerNiFiAuthorizer.class */
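/**
 * NiFi {@link Authorizer} that delegates every access decision to an Apache Ranger plugin
 * and, through {@link AuthorizationAuditor}, reports the outcome of access attempts to the
 * Ranger audit handler.
 *
 * <p>Framework-driven lifecycle as implemented here: {@link #setNiFiProperties} is injected,
 * {@link #onConfigured} creates and initialises the Ranger plugin once (later calls are a no-op),
 * {@link #authorize} is invoked per decision and {@link #auditAccessAttempt} afterwards for the
 * same request, and {@link #preDestruction} cleans the plugin up.
 *
 * <p>Thread-safety: plugin, audit handler and admin identity are {@code volatile}; per-request
 * Ranger results are kept in a {@link ConcurrentMap}. {@code authorize} snapshots the plugin
 * reference once so a concurrent {@code preDestruction} cannot null it out mid-decision.
 */
public class RangerNiFiAuthorizer implements Authorizer, AuthorizationAuditor {
    private static final Logger logger = LoggerFactory.getLogger(RangerNiFiAuthorizer.class);

    // Names of the properties read from the AuthorizerConfigurationContext.
    static final String RANGER_AUDIT_PATH_PROP = "Ranger Audit Config Path";
    static final String RANGER_SECURITY_PATH_PROP = "Ranger Security Config Path";
    static final String RANGER_KERBEROS_ENABLED_PROP = "Ranger Kerberos Enabled";
    static final String RANGER_ADMIN_IDENTITY_PROP = "Ranger Admin Identity";
    static final String RANGER_SERVICE_TYPE_PROP = "Ranger Service Type";
    static final String RANGER_APP_ID_PROP = "Ranger Application Id";

    /** Ranger resource key under which the NiFi resource identifier is sent. */
    static final String RANGER_NIFI_RESOURCE_NAME = "nifi-resource";
    static final String DEFAULT_SERVICE_TYPE = "nifi";
    static final String DEFAULT_APP_ID = "nifi";
    /** The only resource the configured Ranger admin identity may access without a Ranger policy. */
    static final String RESOURCES_RESOURCE = "/resources";
    static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
    static final String KERBEROS_AUTHENTICATION = "kerberos";

    /**
     * Ranger results held between {@link #authorize} and {@link #auditAccessAttempt}. Entries are
     * removed only by {@code auditAccessAttempt}, so a request that is never audited leaves its
     * entry behind. {@link ConcurrentHashMap} rejects {@code null} values, so a {@code null}
     * plugin result must never be stored here.
     */
    private final ConcurrentMap<AuthorizationRequest, RangerAccessResult> resultLookup = new ConcurrentHashMap<>();

    // Published by onConfigured(); null until then and again after preDestruction().
    private volatile RangerBasePluginWithPolicies nifiPlugin = null;
    private volatile RangerDefaultAuditHandler defaultAuditHandler = null;
    // Optional identity that is short-circuited to "approved" for RESOURCES_RESOURCE only.
    private volatile String rangerAdminIdentity = null;
    private volatile boolean rangerKerberosEnabled = false;
    // Injected by the framework via setNiFiProperties(); source of the Kerberos principal/keytab.
    private volatile NiFiProperties nifiProperties;

    /**
     * No-op: all setup happens in {@link #onConfigured} once the properties are available.
     *
     * @param authorizerInitializationContext unused
     */
    public void initialize(AuthorizerInitializationContext authorizerInitializationContext) throws AuthorizerCreationException {
    }

    /**
     * Registers the Ranger security and audit configuration files, optionally performs the
     * Kerberos keytab login, and creates and initialises the Ranger plugin. Runs the setup only
     * while no plugin has been published; the plugin is published last, so a failure part-way
     * through leaves this authorizer unconfigured and a later call can retry.
     *
     * @param authorizerConfigurationContext source of the {@code Ranger *} properties
     * @throws AuthorizerCreationException if a required property is missing or unreadable, if
     *         Kerberos is enabled without principal and keytab, or if the plugin fails to initialise
     */
    public void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws AuthorizerCreationException {
        try {
            if (this.nifiPlugin != null) {
                logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
                return;
            }
            logger.info("RangerNiFiAuthorizer(): initializing base plugin");

            addRequiredResource(RANGER_SECURITY_PATH_PROP, authorizerConfigurationContext.getProperty(RANGER_SECURITY_PATH_PROP));
            addRequiredResource(RANGER_AUDIT_PATH_PROP, authorizerConfigurationContext.getProperty(RANGER_AUDIT_PATH_PROP));

            // Only the literal "true" enables Kerberos; anything else (or absent) is treated as false.
            this.rangerKerberosEnabled = Boolean.TRUE.toString()
                    .equals(getConfigValue(authorizerConfigurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString()));
            if (this.rangerKerberosEnabled) {
                loginFromKeytab();
            }

            final RangerBasePluginWithPolicies plugin = createRangerBasePlugin(
                    getConfigValue(authorizerConfigurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE),
                    getConfigValue(authorizerConfigurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID));
            plugin.init();

            // Publish the audit handler and admin identity before the plugin: authorize() only
            // runs once nifiPlugin is non-null, so it never observes a null audit handler.
            this.defaultAuditHandler = new RangerDefaultAuditHandler();
            this.rangerAdminIdentity = getConfigValue(authorizerConfigurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
            this.nifiPlugin = plugin;
        } catch (Throwable th) {
            // Boundary: every failure (including Errors) is surfaced to the framework as a creation error.
            throw new AuthorizerCreationException("Error creating RangerBasePlugin", th);
        }
    }

    /**
     * Performs the Hadoop Kerberos login using the service principal and keytab from
     * {@link NiFiProperties}. Both {@code UserGroupInformation} calls are static, i.e. JVM-wide.
     *
     * @throws AuthorizerCreationException if principal or keytab location is blank
     * @throws Exception whatever {@code UserGroupInformation.loginUserFromKeytab} throws
     */
    private void loginFromKeytab() throws Exception {
        final Configuration configuration = new Configuration();
        configuration.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
        UserGroupInformation.setConfiguration(configuration);

        final String principal = this.nifiProperties.getKerberosServicePrincipal();
        final String keytabLocation = this.nifiProperties.getKerberosServiceKeytabLocation();
        if (StringUtils.isBlank(principal) || StringUtils.isBlank(keytabLocation)) {
            throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
        }
        UserGroupInformation.loginUserFromKeytab(principal.trim(), keytabLocation.trim());
    }

    /**
     * Factory hook for the Ranger plugin; overridable so tests can substitute a plugin.
     *
     * @param serviceType Ranger service type (defaults to {@value #DEFAULT_SERVICE_TYPE})
     * @param appId Ranger application id (defaults to {@value #DEFAULT_APP_ID})
     * @return a new, not yet initialised plugin
     */
    protected RangerBasePluginWithPolicies createRangerBasePlugin(String serviceType, String appId) {
        return new RangerBasePluginWithPolicies(serviceType, appId);
    }

    /**
     * Decides the request by asking the Ranger plugin.
     *
     * <p>Decision order: (1) the configured Ranger admin identity is approved for
     * {@value #RESOURCES_RESOURCE} alone, without consulting Ranger; (2) a Ranger result that
     * allows access is approved; (3) if no policy exists for the resource/action the result is
     * {@code resourceNotFound}; (4) otherwise access is denied. Non-null Ranger results for
     * cases 2 and 4 are stored for {@link #auditAccessAttempt}.
     *
     * @param authorizationRequest the NiFi request
     * @return approved, denied or resourceNotFound
     * @throws AuthorizationAccessException if called before {@link #onConfigured} succeeded
     */
    public AuthorizationResult authorize(AuthorizationRequest authorizationRequest) throws AuthorizationAccessException {
        // Single read: preDestruction() may null the field concurrently.
        final RangerBasePluginWithPolicies plugin = this.nifiPlugin;
        if (plugin == null) {
            throw new AuthorizationAccessException("Ranger plugin has not been configured");
        }

        final String identity = authorizationRequest.getIdentity();
        final Set<String> groups = authorizationRequest.getGroups();
        final String resourceIdentifier = authorizationRequest.getResource().getIdentifier();

        // Explicit bypass: exact identity match and exactly this one resource; nothing else
        // skips Ranger. Presumably this lets the Ranger admin enumerate NiFi resources — confirm.
        final String adminIdentity = this.rangerAdminIdentity;
        if (StringUtils.isNotBlank(adminIdentity) && adminIdentity.equals(identity) && RESOURCES_RESOURCE.equals(resourceIdentifier)) {
            return AuthorizationResult.approved();
        }

        final RangerAccessRequest rangerRequest = buildRangerRequest(authorizationRequest, identity, groups, resourceIdentifier);
        final RangerAccessResult result = plugin.isAccessAllowed(rangerRequest);

        if (result != null && result.getIsAllowed()) {
            this.resultLookup.put(authorizationRequest, result);
            return AuthorizationResult.approved();
        }

        if (!plugin.doesPolicyExist(resourceIdentifier, authorizationRequest.getAction())) {
            return AuthorizationResult.resourceNotFound();
        }

        // A policy exists but did not grant access. The original stored the result unconditionally,
        // which throws NullPointerException from ConcurrentHashMap when the plugin returned null.
        if (result != null) {
            final String reason = result.getReason();
            if (reason != null) {
                logger.debug("Unable to authorize {} due to {}", identity, reason);
            }
            this.resultLookup.put(authorizationRequest, result);
        }
        return AuthorizationResult.denied(authorizationRequest.getExplanationSupplier().get());
    }

    /**
     * Translates the NiFi request into a Ranger access request. The client address, when present
     * in the user context, is attached so it appears in Ranger audit records.
     *
     * @param authorizationRequest the NiFi request
     * @param identity requesting user identity
     * @param groups the user's groups
     * @param resourceIdentifier NiFi resource identifier, sent as {@value #RANGER_NIFI_RESOURCE_NAME}
     * @return the populated Ranger request
     */
    private RangerAccessRequest buildRangerRequest(AuthorizationRequest authorizationRequest, String identity,
                                                   Set<String> groups, String resourceIdentifier) {
        final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue(RANGER_NIFI_RESOURCE_NAME, resourceIdentifier);

        final RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
        rangerRequest.setResource(resource);
        // Ranger action and access type are both the NiFi action name (e.g. READ/WRITE).
        final String actionName = authorizationRequest.getAction().name();
        rangerRequest.setAction(actionName);
        rangerRequest.setAccessType(actionName);
        rangerRequest.setUser(identity);
        rangerRequest.setUserGroups(groups);
        rangerRequest.setAccessTime(new Date());

        final String clientAddress = authorizationRequest.getUserContext() == null
                ? null
                : authorizationRequest.getUserContext().get(UserContextKeys.CLIENT_ADDRESS.name());
        if (StringUtils.isNotBlank(clientAddress)) {
            rangerRequest.setClientIPAddress(clientAddress);
        }
        return rangerRequest;
    }

    /**
     * Emits the Ranger audit event for a request previously decided by {@link #authorize}.
     * Always removes the stored result; logs only when Ranger marked the result as audited.
     *
     * @param authorizationRequest the request passed to {@code authorize}
     * @param authorizationResult unused; the Ranger result drives the audit event
     */
    public void auditAccessAttempt(AuthorizationRequest authorizationRequest, AuthorizationResult authorizationResult) {
        final RangerAccessResult result = this.resultLookup.remove(authorizationRequest);
        if (result == null || !result.getIsAudited()) {
            return;
        }
        final RangerDefaultAuditHandler auditHandler = this.defaultAuditHandler;
        if (auditHandler == null) {
            // Cannot happen once onConfigured() succeeded (handler is published before the plugin).
            logger.debug("Audit handler not configured; dropping audit event");
            return;
        }
        final AuthzAuditEvent event = auditHandler.getAuthzEvents(result);
        event.setResourceType(RANGER_NIFI_RESOURCE_NAME);
        event.setResourcePath(authorizationRequest.getRequestedResource().getIdentifier());
        auditHandler.logAuthzAudit(event);
    }

    /**
     * Cleans up the Ranger plugin and unpublishes it so subsequent {@link #authorize} calls fail
     * fast. If {@code cleanup()} throws, the plugin reference is left in place.
     *
     * @throws AuthorizerDestructionException wrapping any failure from the plugin's cleanup
     */
    public void preDestruction() throws AuthorizerDestructionException {
        final RangerBasePluginWithPolicies plugin = this.nifiPlugin;
        if (plugin == null) {
            return;
        }
        try {
            plugin.cleanup();
            this.nifiPlugin = null;
        } catch (Throwable th) {
            throw new AuthorizerDestructionException("Error cleaning up RangerBasePlugin", th);
        }
    }

    /**
     * Framework injection point for {@link NiFiProperties}; must happen before
     * {@link #onConfigured} when Kerberos is enabled.
     *
     * @param niFiProperties the NiFi properties
     */
    @AuthorizerContext
    public void setNiFiProperties(NiFiProperties niFiProperties) {
        this.nifiProperties = niFiProperties;
    }

    /**
     * Validates that a required configuration file property is set, exists and is readable, then
     * adds the file to the global {@link RangerConfiguration}.
     *
     * @param name property name, used in error messages
     * @param propertyValue the configured path
     * @throws AuthorizerCreationException if the value is blank, the file is missing/unreadable,
     *         or its URL cannot be formed
     */
    private void addRequiredResource(String name, PropertyValue propertyValue) {
        if (propertyValue == null || StringUtils.isBlank(propertyValue.getValue())) {
            throw new AuthorizerCreationException(name + " must be specified.");
        }
        final String path = propertyValue.getValue();
        final File file = new File(path);
        if (!file.exists() || !file.canRead()) {
            // Report the configured path itself rather than relying on PropertyValue.toString().
            throw new AuthorizerCreationException(path + " does not exist, or can not be read");
        }
        try {
            RangerConfiguration.getInstance().addResource(file.toURI().toURL());
        } catch (MalformedURLException e) {
            throw new AuthorizerCreationException("Error creating URI for " + path, e);
        }
    }

    /**
     * Reads a property, falling back to {@code defaultValue} when it is absent or blank.
     *
     * @param authorizerConfigurationContext the configuration context
     * @param name property name
     * @param defaultValue value returned when the property is missing or blank (may be null)
     * @return the configured value or the default
     */
    private String getConfigValue(AuthorizerConfigurationContext authorizerConfigurationContext, String name, String defaultValue) {
        final PropertyValue property = authorizerConfigurationContext.getProperty(name);
        if (property == null || StringUtils.isBlank(property.getValue())) {
            return defaultValue;
        }
        return property.getValue();
    }
}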
