package org.apache.ranger.authorization.kms.authorizer;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.commons.logging.Log;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.server.KMS;
import org.apache.hadoop.crypto.key.kms.server.KMSACLsType;
import org.apache.hadoop.crypto.key.kms.server.KMSConfiguration;
import org.apache.hadoop.crypto.key.kms.server.KMSWebApp;
import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.SecureClientLogin;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.class */
public class RangerKmsAuthorizer implements Runnable, KeyAuthorizationKeyProvider.KeyACLs {
    private static final String KMS_USER_PRINCIPAL = "ranger.ks.kerberos.principal";
    private static final String KMS_USER_KEYTAB = "ranger.ks.kerberos.keytab";
    private static final String KMS_NAME_RULES = "hadoop.security.auth_to_local";
    private static final String UNAUTHORIZED_MSG_WITH_KEY = "User:%s not allowed to do '%s' on '%s'";
    private static final String UNAUTHORIZED_MSG_WITHOUT_KEY = "User:%s not allowed to do '%s'";
    public static final int RELOADER_SLEEP_MILLIS = 1000;
    private volatile Map<KMSACLsType.Type, AccessControlList> blacklistedAcls;
    private long lastReload;
    private ScheduledExecutorService executorService;
    public static final String ACCESS_TYPE_DECRYPT_EEK = "decrypteek";
    public static final String ACCESS_TYPE_GENERATE_EEK = "generateeek";
    public static final String ACCESS_TYPE_GET_METADATA = "getmetadata";
    public static final String ACCESS_TYPE_GET_KEYS = "getkeys";
    public static final String ACCESS_TYPE_GET = "get";
    public static final String ACCESS_TYPE_SET_KEY_MATERIAL = "setkeymaterial";
    public static final String ACCESS_TYPE_ROLLOVER = "rollover";
    public static final String ACCESS_TYPE_CREATE = "create";
    public static final String ACCESS_TYPE_DELETE = "delete";
    public static final String TYPE = "kerberos";
    public static final String PRINCIPAL = "kerberos.principal";
    public static final String KEYTAB = "kerberos.keytab";
    private static final Logger LOG = LoggerFactory.getLogger(RangerKmsAuthorizer.class);
    private static final Log PERF_KMSAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("kmsauth.request");
    private static final Map<KMSACLsType.Type, String> ACCESS_TYPE_MAP = new HashMap();
    private static volatile RangerKMSPlugin kmsPlugin = null;

    RangerKmsAuthorizer(Configuration configuration) {
        LOG.info("RangerKmsAuthorizer(conf)...");
        configuration = configuration == null ? loadACLs() : configuration;
        authWithKerberos(configuration);
        setKMSACLs(configuration);
        init(configuration);
    }

    private void authWithKerberos(Configuration configuration) {
        String str = null;
        try {
            str = InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            LOG.warn("Error getting local host name : " + e.getMessage());
        }
        String str2 = null;
        try {
            str2 = SecureClientLogin.getPrincipal(configuration.get(KMS_USER_PRINCIPAL), str);
        } catch (IOException e2) {
            LOG.warn("Error getting ranger.ks.kerberos.principal : " + e2.getMessage());
        }
        String str3 = configuration.get(KMS_USER_KEYTAB);
        String str4 = configuration.get(KMS_NAME_RULES);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Ranger KMS Principal : " + str2 + ", Keytab : " + str3 + ", NameRule : " + str4);
        }
        MiscUtil.authWithKerberos(str3, str2, str4);
    }

    public RangerKmsAuthorizer() {
        this(null);
    }

    @Override // java.lang.Runnable
    public void run() {
        try {
            if (KMSConfiguration.isACLsFileNewer(this.lastReload)) {
                setKMSACLs(loadACLs());
            }
        } catch (Exception e) {
            LOG.warn(String.format("Could not reload ACLs file: '%s'", e.toString()), e);
        }
    }

    private Configuration loadACLs() {
        LOG.debug("Loading ACLs file");
        this.lastReload = System.currentTimeMillis();
        Configuration aCLsConf = KMSConfiguration.getACLsConf();
        aCLsConf.get(KMSACLsType.Type.CREATE.getAclConfigKey());
        return aCLsConf;
    }

    public synchronized void startReloader() {
        if (this.executorService == null) {
            this.executorService = Executors.newScheduledThreadPool(1);
            this.executorService.scheduleAtFixedRate(this, 1000L, 1000L, TimeUnit.MILLISECONDS);
        }
    }

    public synchronized void stopReloader() {
        if (this.executorService != null) {
            this.executorService.shutdownNow();
            this.executorService = null;
        }
    }

    public boolean hasAccess(KMSACLsType.Type type, UserGroupInformation userGroupInformation, String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + userGroupInformation + ")");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_KMSAUTH_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_KMSAUTH_REQUEST_LOG, "RangerKmsAuthorizer.hasAccess(type=" + type + ")");
        }
        RangerKMSPlugin rangerKMSPlugin = kmsPlugin;
        String rangerAccessType = getRangerAccessType(type);
        AccessControlList accessControlList = this.blacklistedAcls.get(type);
        boolean z = accessControlList == null || !accessControlList.isUserInList(userGroupInformation);
        if (!z) {
            LOG.debug("Operation " + rangerAccessType + " blocked in the blacklist for user " + userGroupInformation.getUserName());
        }
        if (rangerKMSPlugin != null && z) {
            RangerAccessResult isAccessAllowed = rangerKMSPlugin.isAccessAllowed(new RangerKMSAccessRequest("", rangerAccessType, userGroupInformation, str));
            z = isAccessAllowed != null && isAccessAllowed.getIsAllowed();
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + userGroupInformation + "): " + z);
        }
        return z;
    }

    public boolean hasAccess(KMSACLsType.Type type, UserGroupInformation userGroupInformation, String str, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + userGroupInformation + " , " + str + ")");
        }
        RangerKMSPlugin rangerKMSPlugin = kmsPlugin;
        String rangerAccessType = getRangerAccessType(type);
        AccessControlList accessControlList = this.blacklistedAcls.get(type);
        boolean z = accessControlList == null || !accessControlList.isUserInList(userGroupInformation);
        if (!z) {
            LOG.debug("Operation " + rangerAccessType + " blocked in the blacklist for user " + userGroupInformation.getUserName());
        }
        if (rangerKMSPlugin != null && z) {
            RangerAccessResult isAccessAllowed = rangerKMSPlugin.isAccessAllowed(new RangerKMSAccessRequest(str, rangerAccessType, userGroupInformation, str2));
            z = isAccessAllowed != null && isAccessAllowed.getIsAllowed();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerkmsAuthorizer.hasAccess(" + type + ", " + userGroupInformation + " , " + str + "): " + z);
        }
        return z;
    }

    public void assertAccess(KMSACLsType.Type type, UserGroupInformation userGroupInformation, KMS.KMSOp kMSOp, String str, String str2) throws AccessControlException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + str + ", " + userGroupInformation + ", " + type + ")");
        }
        String str3 = str == null ? "" : str;
        if (hasAccess(type, userGroupInformation, str3, str2)) {
            return;
        }
        KMSWebApp.getUnauthorizedCallsMeter().mark();
        KMSWebApp.getKMSAudit().unauthorized(userGroupInformation, kMSOp, str3);
        throw new AuthorizationException(String.format(!str3.equals("") ? UNAUTHORIZED_MSG_WITH_KEY : UNAUTHORIZED_MSG_WITHOUT_KEY, userGroupInformation.getShortUserName(), kMSOp, str3));
    }

    public boolean hasAccessToKey(String str, UserGroupInformation userGroupInformation, KeyAuthorizationKeyProvider.KeyOpType keyOpType) {
        if (!LOG.isDebugEnabled()) {
            return true;
        }
        LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + str + ", " + userGroupInformation + ", " + keyOpType + ")");
        return true;
    }

    public boolean isACLPresent(String str, KeyAuthorizationKeyProvider.KeyOpType keyOpType) {
        return true;
    }

    public void init(Configuration configuration) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerKmsAuthorizer.init()");
        }
        if (kmsPlugin == null) {
            synchronized (RangerKmsAuthorizer.class) {
                if (kmsPlugin == null) {
                    RangerKMSPlugin rangerKMSPlugin = new RangerKMSPlugin();
                    rangerKMSPlugin.init();
                    kmsPlugin = rangerKMSPlugin;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerkmsAuthorizer.init()");
        }
    }

    private void setKMSACLs(Configuration configuration) {
        HashMap hashMap = new HashMap();
        for (KMSACLsType.Type type : KMSACLsType.Type.values()) {
            String str = configuration.get(type.getBlacklistConfigKey());
            if (str != null) {
                hashMap.put(type, new AccessControlList(str));
                LOG.info("'{}' Blacklist '{}'", type, str);
            }
        }
        this.blacklistedAcls = hashMap;
    }

    private static String getRangerAccessType(KMSACLsType.Type type) {
        if (ACCESS_TYPE_MAP.containsKey(type)) {
            return ACCESS_TYPE_MAP.get(type);
        }
        return null;
    }

    static {
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.CREATE, ACCESS_TYPE_CREATE);
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.DELETE, ACCESS_TYPE_DELETE);
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.ROLLOVER, ACCESS_TYPE_ROLLOVER);
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET, "get");
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET_KEYS, ACCESS_TYPE_GET_KEYS);
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET_METADATA, "getmetadata");
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.SET_KEY_MATERIAL, ACCESS_TYPE_SET_KEY_MATERIAL);
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.GENERATE_EEK, "generateeek");
        ACCESS_TYPE_MAP.put(KMSACLsType.Type.DECRYPT_EEK, "decrypteek");
    }
}
