package org.apache.sentry.hdfs;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.permission.AclEntry;
import org.apache.hadoop.fs.permission.AclEntryScope;
import org.apache.hadoop.fs.permission.AclEntryType;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.fs.permission.PermissionStatus;
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.hdfs.server.namenode.AclEntryStatusFormat;
import org.apache.hadoop.hdfs.server.namenode.AclFeature;
import org.apache.hadoop.hdfs.server.namenode.INode;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributes;
import org.apache.hadoop.hdfs.server.namenode.INodeDirectory;
import org.apache.hadoop.hdfs.server.namenode.XAttrFeature;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/hdfs/SentryINodeAttributesProvider.class */
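/**
 * HDFS {@link INodeAttributeProvider} that overlays Sentry authorization data on the attributes
 * the NameNode reports for an inode.
 *
 * <p>For paths that {@link SentryAuthorizationInfo} reports as Sentry-managed, the owner, group
 * and permission bits stored in HDFS are replaced by the values configured for this provider,
 * and the ACL is built from Sentry data instead of the stored HDFS ACL. All other paths are
 * passed through untouched.
 *
 * <p>NOTE(review): this listing is decompiler output. Three members carry a decompiler note that
 * their access was widened from {@code private}; they are kept {@code public} here so the
 * visible interface of this file does not change.
 */
public class SentryINodeAttributesProvider extends INodeAttributeProvider implements Configurable {
    private static final Logger LOG = LoggerFactory.getLogger(SentryINodeAttributesProvider.class);

    /** Set on the first call to {@link #start()}; a second call is rejected. */
    private boolean started;
    /** Source of the Sentry path prefixes, managed-path decisions and ACL entries. */
    private SentryAuthorizationInfo authzInfo;
    /** Owner reported for Sentry-managed paths (config default "hive"). */
    private String user;
    /** Group reported for Sentry-managed paths (config default "hive"). */
    private String group;
    /** Permission bits reported for Sentry-managed paths (config default 505 decimal == 0771). */
    private FsPermission permission;
    /** When true, the stored HDFS owner/group/permission seed the ACL instead of the configured ones. */
    private boolean originalAuthzAsAcl;
    private Configuration conf;

    /** {@link AclFeature} built from an already merged list of ACL entries. */
    static class SentryAclFeature extends AclFeature {
        public SentryAclFeature(ImmutableList<AclEntry> entries) {
            super(AclEntryStatusFormat.toInt(entries));
        }
    }

    /**
     * View of an inode's attributes in which owner, group, permission and ACL come from Sentry
     * whenever the path is Sentry-managed. Everything else delegates to the wrapped attributes.
     */
    public class SentryINodeAttributes implements INodeAttributes {
        private final INodeAttributes defaultAttributes;
        private final String[] pathElements;

        /**
         * @param defaultAttributes attributes as stored in HDFS, used as the fallback
         * @param pathElements path components of the inode, without a leading empty element
         */
        public SentryINodeAttributes(INodeAttributes defaultAttributes, String[] pathElements) {
            this.defaultAttributes = defaultAttributes;
            this.pathElements = pathElements;
        }

        public boolean isDirectory() {
            return defaultAttributes.isDirectory();
        }

        public byte[] getLocalNameBytes() {
            return defaultAttributes.getLocalNameBytes();
        }

        /** Returns the configured Sentry user for managed paths, else the stored owner. */
        public String getUserName() {
            if (isSentryManaged(pathElements)) {
                return user;
            }
            return defaultAttributes.getUserName();
        }

        /** Returns the configured Sentry group for managed paths, else the stored group. */
        public String getGroupName() {
            if (isSentryManaged(pathElements)) {
                return group;
            }
            return defaultAttributes.getGroupName();
        }

        /**
         * Returns the configured permission for managed paths, else the stored permission.
         *
         * <p>When the path is exactly one of the configured path prefixes, the lowest bit of the
         * permission short is additionally set, which in {@link FsPermission}'s encoding is
         * execute for "other". NOTE(review): presumably so every user can traverse the prefix
         * directory itself - confirm this widening is intended for each configured prefix.
         */
        public FsPermission getFsPermission() {
            if (!isSentryManaged(pathElements)) {
                return defaultAttributes.getFsPermission();
            }
            FsPermission effective = permission;
            for (String[] prefix : authzInfo.getPathPrefixes()) {
                if (Arrays.equals(prefix, pathElements)) {
                    effective = FsPermission.createImmutable((short) (effective.toShort() | 1));
                    break;
                }
            }
            return effective;
        }

        public short getFsPermissionShort() {
            return getFsPermission().toShort();
        }

        /**
         * Returns the packed owner/group/permission value for the overridden attributes by
         * building a throwaway {@link INodeDirectory} around them and asking it for the value.
         */
        public long getPermissionLong() {
            PermissionStatus status =
                    new PermissionStatus(getUserName(), getGroupName(), getFsPermission());
            return new INodeDirectory(0L, (byte[]) null, status, 0L).getPermissionLong();
        }

        /**
         * Returns the ACL to report for this inode.
         *
         * <ul>
         *   <li>Path not under any Sentry prefix, or under a prefix but not belonging to an
         *       authz object: the stored HDFS ACL is returned unchanged.</li>
         *   <li>Path belongs to an authz object: the ACL starts with a user and a group entry
         *       (from the stored attributes when {@code originalAuthzAsAcl} is set, otherwise
         *       from the configured user/group/permission). Sentry's own entries are merged in
         *       only when the authorization data is not stale, so a stale cache exposes the
         *       base entries alone rather than possibly outdated grants.</li>
         * </ul>
         */
        public AclFeature getAclFeature() {
            boolean underPrefix;
            boolean stale = false;
            boolean hasAuthzObj = false;
            Map<String, AclEntry> aclMap = null;
            AclFeature feature;

            if (!authzInfo.isUnderPrefix(pathElements)) {
                underPrefix = false;
                feature = defaultAttributes.getAclFeature();
            } else if (authzInfo.doesBelongToAuthzObject(pathElements)) {
                underPrefix = true;
                hasAuthzObj = true;
                aclMap = new HashMap<String, AclEntry>();
                List<AclEntry> baseEntries = originalAuthzAsAcl
                        ? createAclEntries(
                                defaultAttributes.getUserName(),
                                defaultAttributes.getGroupName(),
                                defaultAttributes.getFsPermission())
                        : createAclEntries(user, group, permission);
                addToACLMap(aclMap, baseEntries);
                stale = authzInfo.isStale();
                if (!stale) {
                    addToACLMap(aclMap, authzInfo.getAclEntries(pathElements));
                }
                feature = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
            } else {
                underPrefix = true;
                feature = defaultAttributes.getAclFeature();
            }

            if (LOG.isDebugEnabled()) {
                // The path is rendered only here so the non-debug path allocates no string.
                // The message text (including its spelling) is kept as it was, since log
                // consumers may match on it.
                LOG.debug("### getAclEntry \n[" + Arrays.toString(pathElements)
                        + "] : [isPreifxed=" + underPrefix
                        + ", isStale=" + stale
                        + ", hasAuthzObj=" + hasAuthzObj
                        + ", origAuthzAsAcl=" + originalAuthzAsAcl
                        + "]\n[" + aclMap + "]\n");
            }
            return feature;
        }

        public XAttrFeature getXAttrFeature() {
            return defaultAttributes.getXAttrFeature();
        }

        public long getModificationTime() {
            return defaultAttributes.getModificationTime();
        }

        public long getAccessTime() {
            return defaultAttributes.getAccessTime();
        }
    }

    /**
     * Enforcer wrapper that logs each permission check at debug level and then hands the
     * decision to the wrapped enforcer. It makes no access decision of its own; Sentry's
     * effect on the outcome comes from the attributes supplied by {@link SentryINodeAttributes}.
     */
    class SentryPermissionEnforcer implements INodeAttributeProvider.AccessControlEnforcer {
        private final INodeAttributeProvider.AccessControlEnforcer ace;

        SentryPermissionEnforcer(INodeAttributeProvider.AccessControlEnforcer ace) {
            this.ace = ace;
        }

        /**
         * Logs the request (debug only) and delegates to the wrapped enforcer with the
         * arguments unchanged. Parameter names follow Hadoop's {@code AccessControlEnforcer}
         * contract.
         *
         * <p>The debug line contains the caller's short user name, group names and the path
         * being checked, so debug logs from this class should be treated as sensitive.
         *
         * @throws AccessControlException if the wrapped enforcer denies the access
         */
        public void checkPermission(String fsOwner, String supergroup, UserGroupInformation callerUgi,
                INodeAttributes[] inodeAttrs, INode[] inodes, byte[][] pathByNameArr, int snapshotId,
                String path, int ancestorIndex, boolean doCheckOwner, FsAction ancestorAccess,
                FsAction parentAccess, FsAction access, FsAction subAccess, boolean ignoreEmptyDir)
                throws AccessControlException {
            if (LOG.isDebugEnabled()) {
                // The path elements are needed for the log line only, so they are decoded
                // inside the guard instead of on every permission check.
                String[] pathElems = stripLeadingEmptyElement(getPathElems(pathByNameArr));
                LOG.debug("Enforcing Permission : + " + Lists.newArrayList(
                        fsOwner,
                        supergroup,
                        callerUgi.getShortUserName(),
                        Arrays.toString(callerUgi.getGroupNames()),
                        Arrays.toString(pathElems),
                        ancestorAccess,
                        parentAccess,
                        access,
                        subAccess,
                        Boolean.valueOf(ignoreEmptyDir)));
            }
            ace.checkPermission(fsOwner, supergroup, callerUgi, inodeAttrs, inodes, pathByNameArr,
                    snapshotId, path, ancestorIndex, doCheckOwner, ancestorAccess, parentAccess,
                    access, subAccess, ignoreEmptyDir);
        }

        /** Decodes each path component to a string; a null component becomes "". */
        private String[] getPathElems(byte[][] pathByNameArr) {
            String[] elems = new String[pathByNameArr.length];
            for (int i = 0; i < pathByNameArr.length; i++) {
                byte[] component = pathByNameArr[i];
                elems[i] = component != null ? DFSUtil.bytes2String(component) : "";
            }
            return elems;
        }
    }

    public SentryINodeAttributesProvider() {
    }

    /**
     * Reports whether Sentry manages the given path, as decided by the authorization info.
     * The decompiler notes this method was {@code private} in the compiled class.
     */
    public boolean isSentryManaged(String[] pathElements) {
        return this.authzInfo.isSentryManaged(pathElements);
    }

    @VisibleForTesting
    SentryINodeAttributesProvider(SentryAuthorizationInfo authzInfo) {
        this.authzInfo = authzInfo;
    }

    public void setConf(Configuration conf) {
        this.conf = conf;
    }

    public Configuration getConf() {
        return this.conf;
    }

    /**
     * Reads the Sentry HDFS settings and starts the authorization info.
     *
     * <p>Startup is refused unless {@code dfs.namenode.acls.enabled} is true. The provider is
     * marked as started before any validation runs, so a failed start cannot be retried on the
     * same instance.
     *
     * @throws IllegalStateException if the provider was already started
     * @throws RuntimeException wrapping any failure during startup, including the ACL check
     */
    public void start() {
        if (this.started) {
            throw new IllegalStateException("Provider already started");
        }
        this.started = true;
        try {
            if (!this.conf.getBoolean("dfs.namenode.acls.enabled", false)) {
                throw new RuntimeException("HDFS ACLs must be enabled");
            }
            Configuration sentryConf = new Configuration(this.conf);
            sentryConf.addResource(SentryAuthorizationConstants.CONFIG_FILE, true);
            this.user = sentryConf.get(SentryAuthorizationConstants.HDFS_USER_KEY, "hive");
            this.group = sentryConf.get(SentryAuthorizationConstants.HDFS_GROUP_KEY, "hive");
            // The mode is read as a long and narrowed to short; the default 505 is decimal for
            // octal 0771. NOTE(review): a value written as "771" would presumably be read as
            // decimal 771, a different mode - the "Config:" line below prints the effective
            // permission, which is the place to verify it after a config change.
            long rawPermission =
                    sentryConf.getLong(SentryAuthorizationConstants.HDFS_PERMISSION_KEY, 505L);
            this.permission = FsPermission.createImmutable((short) rawPermission);
            this.originalAuthzAsAcl = sentryConf.getBoolean(
                    SentryAuthorizationConstants.INCLUDE_HDFS_AUTHZ_AS_ACL_KEY, false);
            LOG.info("Starting");
            LOG.info("Config: hdfs-user[{}] hdfs-group[{}] hdfs-permission[{}] include-hdfs-authz-as-acl[{}]",
                    new Object[]{this.user, this.group, this.permission,
                            Boolean.valueOf(this.originalAuthzAsAcl)});
            // An instance injected through the test constructor is kept as is.
            if (this.authzInfo == null) {
                this.authzInfo = new SentryAuthorizationInfo(sentryConf);
            }
            this.authzInfo.start();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Stops the authorization info. Safe to call when {@link #start()} never ran or failed
     * before the authorization info was created.
     */
    public void stop() {
        LOG.debug(getClass().getSimpleName() + ": Stopping");
        if (this.authzInfo != null) {
            this.authzInfo.stop();
        }
    }

    /**
     * Returns the attributes to use for a path: a {@link SentryINodeAttributes} overlay when the
     * path is Sentry-managed, otherwise the supplied attributes unchanged.
     *
     * @param pathElements path components; a leading empty element is dropped before the lookup
     * @param inode attributes as stored in HDFS
     * @throws NullPointerException if {@code pathElements} is null
     */
    public INodeAttributes getAttributes(String[] pathElements, INodeAttributes inode) {
        Preconditions.checkNotNull(pathElements);
        if (pathElements.length == 0) {
            return inode;
        }
        String[] normalized = stripLeadingEmptyElement(pathElements);
        if (isSentryManaged(normalized)) {
            return new SentryINodeAttributes(inode, normalized);
        }
        return inode;
    }

    public INodeAttributeProvider.AccessControlEnforcer getExternalAccessControlEnforcer(
            INodeAttributeProvider.AccessControlEnforcer defaultEnforcer) {
        return new SentryPermissionEnforcer(defaultEnforcer);
    }

    /** Drops a leading "" element when the array has more than one element; else returns it as is. */
    private static String[] stripLeadingEmptyElement(String[] pathElements) {
        if (pathElements != null && pathElements.length > 1 && "".equals(pathElements[0])) {
            return Arrays.copyOfRange(pathElements, 1, pathElements.length);
        }
        return pathElements;
    }

    /**
     * Merges ACL entries into the map, keyed by name (or "" when null) + scope + type. When an
     * entry with the same key already exists, the two permissions are OR-ed together, so merging
     * can only widen the permission recorded for a principal, never narrow it.
     * The decompiler notes this method was {@code private} in the compiled class.
     */
    public static void addToACLMap(Map<String, AclEntry> map, Collection<AclEntry> entries) {
        for (AclEntry entry : entries) {
            String name = entry.getName() == null ? "" : entry.getName();
            String key = name + entry.getScope() + entry.getType();
            AclEntry existing = map.get(key);
            if (existing == null) {
                map.put(key, entry);
                continue;
            }
            AclEntry merged = new AclEntry.Builder()
                    .setName(entry.getName())
                    .setScope(entry.getScope())
                    .setType(entry.getType())
                    .setPermission(entry.getPermission().or(existing.getPermission()))
                    .build();
            map.put(key, merged);
        }
    }

    /**
     * Builds two ACCESS-scope entries from a classic owner/group/permission triple: a named USER
     * entry carrying the permission's user action and a named GROUP entry carrying its group
     * action. The permission's "other" action is not turned into an entry.
     * The decompiler notes this method was {@code private} in the compiled class.
     */
    public static List<AclEntry> createAclEntries(String user, String group, FsPermission permission) {
        List<AclEntry> entries = new ArrayList<AclEntry>();
        FsPermission copy = new FsPermission(permission);
        AclEntry.Builder builder = new AclEntry.Builder();

        builder.setName(user);
        builder.setType(AclEntryType.USER);
        builder.setScope(AclEntryScope.ACCESS);
        builder.setPermission(copy.getUserAction());
        entries.add(builder.build());

        // The builder is reused, so every field is set again for the group entry.
        builder.setName(group);
        builder.setType(AclEntryType.GROUP);
        builder.setScope(AclEntryScope.ACCESS);
        builder.setPermission(copy.getGroupAction());
        entries.add(builder.build());

        return entries;
    }
}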
