package org.apache.sentry.provider.common;

import com.google.common.base.Function;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.Model;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.common.exception.SentryConfigurationException;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.policy.common.Privilege;
import org.apache.sentry.policy.common.PrivilegeFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/provider/common/ResourceAuthorizationProvider.class */
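/**
 * Base {@link AuthorizationProvider} that decides access by asking a {@link PolicyEngine} for the
 * privilege strings granted to a subject's groups and user name, and testing whether any of them
 * implies a privilege built from the requested resource hierarchy and action.
 *
 * <p>The privileges denied by the most recent check are kept per thread; see
 * {@link #getLastFailedPrivileges()}.
 */
public abstract class ResourceAuthorizationProvider implements AuthorizationProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(ResourceAuthorizationProvider.class);

    // Requested privilege strings that the latest check on the current thread did not find granted.
    // Static, so the per-thread list is shared by every provider instance used on that thread.
    private static final ThreadLocal<List<String>> lastFailedPrivileges = new ThreadLocal<List<String>>() {
        @Override
        protected List<String> initialValue() {
            return new ArrayList<String>();
        }
    };

    private final GroupMappingService groupService;
    private final PolicyEngine policy;
    private final PrivilegeFactory privilegeFactory;
    private final Model model;

    /**
     * Creates a provider backed by the given policy engine and group mapping.
     *
     * @param policyEngine source of granted privileges; also supplies the {@link PrivilegeFactory}
     * @param groupMappingService resolves a user name to its groups
     * @param model passed to {@link Privilege#implies} on every comparison
     */
    public ResourceAuthorizationProvider(PolicyEngine policyEngine, GroupMappingService groupMappingService, Model model) {
        this.policy = policyEngine;
        this.groupService = groupMappingService;
        this.privilegeFactory = policyEngine.getPrivilegeFactory();
        this.model = model;
    }

    /**
     * Validates the request arguments and evaluates the access check.
     *
     * @param subject the requesting user; must not be null
     * @param list the resource hierarchy being accessed; must not be null or empty
     * @param set the requested actions; must not be null or empty
     * @param activeRoleSet the roles to consider; must not be null
     * @return {@code true} as soon as one granted privilege implies one requested privilege
     * @throws NullPointerException if any argument is null
     * @throws IllegalArgumentException if {@code list} or {@code set} is empty
     */
    @Override
    public boolean hasAccess(Subject subject, List<? extends Authorizable> list, Set<? extends Action> set, ActiveRoleSet activeRoleSet) {
        // Logged before validation, so a rejected (null/empty) request still leaves a debug trace.
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Authorization Request for " + subject + " " + list + " and " + set);
        }
        Preconditions.checkNotNull(subject, "Subject cannot be null");
        Preconditions.checkNotNull(list, "Authorizable cannot be null");
        Preconditions.checkArgument(!list.isEmpty(), "Authorizable cannot be empty");
        Preconditions.checkNotNull(set, "Actions cannot be null");
        Preconditions.checkArgument(!set.isEmpty(), "Actions cannot be empty");
        Preconditions.checkNotNull(activeRoleSet, "ActiveRoleSet cannot be null");
        return doHasAccess(subject, list, set, activeRoleSet);
    }

    /**
     * Compares every requested privilege (one per action) against every granted privilege.
     * On denial, records the requested privilege strings in the per-thread failure list.
     */
    private boolean doHasAccess(Subject subject, List<? extends Authorizable> list, Set<? extends Action> set, ActiveRoleSet activeRoleSet) {
        // Reset before any lookup: if group resolution or policy retrieval throws, the thread must
        // not keep reporting the failed privileges of an earlier, unrelated request.
        List<String> failed = lastFailedPrivileges.get();
        failed.clear();

        Set<String> groups = getGroups(subject);
        Set<String> users = Sets.newHashSet(subject.getName());
        List<String> requested = buildPermissions(list, set);
        // Lazy view: each pass over it re-creates the Privilege objects from the policy strings.
        Iterable<Privilege> granted = getPrivileges(groups, users, activeRoleSet, list.toArray(new Authorizable[0]));

        for (String request : requested) {
            Privilege requestPrivilege = this.privilegeFactory.createPrivilege(request);
            for (Privilege grant : granted) {
                boolean implies = grant.implies(requestPrivilege, this.model);
                // NOTE(review): at debug level this writes every granted privilege that was compared
                // to the log; treat debug logs of this class as access-control data.
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet {}, Result {}", new Object[]{grant, request, activeRoleSet, Boolean.valueOf(implies)});
                }
                if (implies) {
                    return true;
                }
            }
        }
        failed.addAll(requested);
        return false;
    }

    /**
     * Fetches the granted privilege strings from the policy engine, applies
     * {@link #appendDefaultDBPriv}, and exposes them as {@link Privilege} objects.
     */
    private Iterable<Privilege> getPrivileges(Set<String> set, Set<String> set2, ActiveRoleSet activeRoleSet, Authorizable[] authorizableArr) {
        ImmutableSet<String> granted = appendDefaultDBPriv(this.policy.getPrivileges(set, set2, activeRoleSet, authorizableArr), authorizableArr);
        return Iterables.transform(granted, new Function<String, Privilege>() {
            @Override
            public Privilege apply(String str) {
                return ResourceAuthorizationProvider.this.privilegeFactory.createPrivilege(str);
            }
        });
    }

    /**
     * Replaces the granted set with a single synthesized privilege when all of the following hold:
     * the hierarchy has exactly four entries, the third entry's name is {@code "+"}, and the policy
     * returned exactly one privilege that {@link #hasOnlyServerPrivilege} accepts. Otherwise the
     * set is returned unchanged.
     *
     * <p>NOTE(review): the synthesized string grants {@code select} on {@code Db=default} and does
     * not come from the policy store; confirm this special case is still intended before relying
     * on the policy engine's output as the complete set of grants.
     */
    private ImmutableSet<String> appendDefaultDBPriv(ImmutableSet<String> immutableSet, Authorizable[] authorizableArr) {
        boolean applies = authorizableArr != null
                && authorizableArr.length == 4
                && "+".equals(authorizableArr[2].getName())
                && immutableSet.size() == 1
                && hasOnlyServerPrivilege(immutableSet.iterator().next());
        if (!applies) {
            return immutableSet;
        }
        return ImmutableSet.of("Server=" + authorizableArr[0].getName() + "->Db=default->Table=*->Column=*->action=select");
    }

    /**
     * Reports whether the privilege string consists of a single part that starts with
     * {@code server} (case-insensitively) and whose value, the text between the first and second
     * {@code '='}, ends with {@code "+"}.
     *
     * <p>A part with no value (for example {@code "server"} or {@code "server="}) yields
     * {@code false} rather than an {@link ArrayIndexOutOfBoundsException}, so a malformed policy
     * entry cannot abort the access check from inside this helper.
     */
    private boolean hasOnlyServerPrivilege(String str) {
        List<String> parts = Lists.newArrayList(SentryConstants.AUTHORIZABLE_SPLITTER.split(str));
        if (parts.size() != 1) {
            return false;
        }
        // Locale.ROOT keeps the comparison independent of the JVM's default locale.
        String only = parts.get(0).toLowerCase(Locale.ROOT);
        if (!only.startsWith("server")) {
            return false;
        }
        String[] keyValue = only.split("=");
        return keyValue.length > 1 && keyValue[1].endsWith("+");
    }

    /** Returns the group mapping service this provider was constructed with. */
    @Override
    public GroupMappingService getGroupMapping() {
        return this.groupService;
    }

    /** Resolves the subject's groups by user name through the group mapping service. */
    private Set<String> getGroups(Subject subject) {
        return this.groupService.getGroups(subject.getName());
    }

    /**
     * Delegates policy validation to the policy engine.
     *
     * @param z forwarded unchanged to {@code PolicyEngine.validatePolicy}
     * @throws SentryConfigurationException as declared by the policy engine's validation
     */
    @Override
    public void validateResource(boolean z) throws SentryConfigurationException {
        this.policy.validatePolicy(z);
    }

    /**
     * Lists the privilege strings the policy engine returns for the subject's groups and user
     * name, using {@link ActiveRoleSet#ALL} and a null resource hierarchy.
     */
    @Override
    public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
        Set<String> users = Sets.newHashSet(subject.getName());
        return this.policy.getPrivileges(getGroups(subject), users, ActiveRoleSet.ALL, (Authorizable[]) null);
    }

    /**
     * Lists the privilege strings the policy engine returns for a single group, using
     * {@link ActiveRoleSet#ALL} and an empty resource hierarchy.
     */
    @Override
    public Set<String> listPrivilegesForGroup(String str) throws SentryConfigurationException {
        Set<String> groups = Sets.newHashSet(str);
        return this.policy.getPrivileges(groups, ActiveRoleSet.ALL, new Authorizable[0]);
    }

    /**
     * Returns the requested privilege strings recorded by the last denied check on the calling
     * thread. The list is empty after a granted check.
     *
     * <p>This is the live per-thread list, not a copy: it is cleared and refilled by the next
     * check on the same thread, and changes made by the caller are visible to later readers.
     */
    @Override
    public List<String> getLastFailedPrivileges() {
        return lastFailedPrivileges.get();
    }

    /** Closes the underlying policy engine. */
    @Override
    public void close() {
        if (this.policy != null) {
            this.policy.close();
        }
    }

    /**
     * Builds one privilege string per requested action: the joined {@code type=name} entries of
     * the resource hierarchy followed by an {@code action=<value>} entry.
     */
    private List<String> buildPermissions(List<? extends Authorizable> list, Set<? extends Action> set) {
        List<String> hierarchy = new ArrayList<String>();
        for (Authorizable authorizable : list) {
            hierarchy.add(SentryConstants.KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
        }
        // The resource part is the same for every action, so join it once.
        String resource = SentryConstants.AUTHORIZABLE_JOINER.join(hierarchy);

        List<String> permissions = new ArrayList<String>();
        for (Action action : set) {
            String actionPart = SentryConstants.KV_JOINER.join("action", action.getValue());
            permissions.add(SentryConstants.AUTHORIZABLE_JOINER.join(resource, actionPart));
        }
        return permissions;
    }

    /** Returns the policy engine this provider was constructed with. */
    @Override
    public PolicyEngine getPolicyEngine() {
        return this.policy;
    }
}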
