package org.apache.impala.authorization.ranger;

import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.impala.authorization.AuthorizationDelta;
import org.apache.impala.authorization.AuthorizationManager;
import org.apache.impala.authorization.User;
import org.apache.impala.catalog.Type;
import org.apache.impala.common.FileSystemUtil;
import org.apache.impala.common.ImpalaException;
import org.apache.impala.common.InternalException;
import org.apache.impala.thrift.TCatalogServiceRequestHeader;
import org.apache.impala.thrift.TColumn;
import org.apache.impala.thrift.TCreateDropRoleParams;
import org.apache.impala.thrift.TDdlExecResponse;
import org.apache.impala.thrift.TGrantRevokePrivParams;
import org.apache.impala.thrift.TGrantRevokeRoleParams;
import org.apache.impala.thrift.TPrincipalType;
import org.apache.impala.thrift.TPrivilege;
import org.apache.impala.thrift.TPrivilegeLevel;
import org.apache.impala.thrift.TResultRow;
import org.apache.impala.thrift.TResultSet;
import org.apache.impala.thrift.TResultSetMetadata;
import org.apache.impala.thrift.TShowGrantPrincipalParams;
import org.apache.impala.thrift.TShowRolesParams;
import org.apache.impala.thrift.TShowRolesResult;
import org.apache.impala.util.ClassUtil;
import org.apache.impala.util.TResultRowBuilder;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.class */
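/**
 * Impalad-side {@link AuthorizationManager} backed by a Ranger plugin.
 *
 * <p>Only the read-only operations are implemented: {@link #getRoles} (the SHOW ROLES variants)
 * and {@link #getPrivileges} (SHOW GRANT). Every role or privilege mutation, and
 * {@link #refreshAuthorization}, throws {@link UnsupportedOperationException}. The two
 * owner-privilege hooks have empty bodies.
 *
 * <p>Access control visible in this class:
 * <ul>
 *   <li>{@link #getRoles} calls {@code RangerUtil.validateRangerAdmin} for the requesting user
 *       unless the request is SHOW CURRENT ROLES or names a group the requester belongs to.</li>
 *   <li>{@link #getPrivileges} performs no requester check of its own.
 *       NOTE(review): confirm the caller authorizes SHOW GRANT before reaching this method.</li>
 * </ul>
 */
public class RangerImpaladAuthorizationManager implements AuthorizationManager {
    private static final Logger LOG = LoggerFactory.getLogger(RangerImpaladAuthorizationManager.class);

    /** Wildcard value used for "any resource" when matching and reporting policy resources. */
    private static final String ANY = "*";

    /** Supplies the Ranger plugin instance that every policy lookup goes through. */
    private final Supplier<RangerImpalaPlugin> plugin_;

    /**
     * Collects SHOW GRANT rows for one access request, bucketed by the most specific resource
     * level each row names (server, database, table, column).
     */
    private static class RangerResourceResult {
        private final List<RangerResultRow> server = new ArrayList<>();
        private final List<RangerResultRow> database = new ArrayList<>();
        private final List<RangerResultRow> table = new ArrayList<>();
        private final List<RangerResultRow> column = new ArrayList<>();

        /** Adds a server-level row and returns this object for chaining. */
        public RangerResourceResult addServerResult(RangerResultRow rangerResultRow) {
            this.server.add(rangerResultRow);
            return this;
        }

        /** Adds a database-level row and returns this object for chaining. */
        public RangerResourceResult addDatabaseResult(RangerResultRow rangerResultRow) {
            this.database.add(rangerResultRow);
            return this;
        }

        /** Adds a table-level row and returns this object for chaining. */
        public RangerResourceResult addTableResult(RangerResultRow rangerResultRow) {
            this.table.add(rangerResultRow);
            return this;
        }

        /** Adds a column-level row and returns this object for chaining. */
        public RangerResourceResult addColumnResult(RangerResultRow rangerResultRow) {
            this.column.add(rangerResultRow);
            return this;
        }

        /**
         * Returns all collected rows in server, database, table, column order, with each bucket
         * reduced by {@link #filterIfAll} first.
         */
        public List<RangerResultRow> getResultRows() {
            List<RangerResultRow> rows = new ArrayList<>();
            rows.addAll(filterIfAll(this.server));
            rows.addAll(filterIfAll(this.database));
            rows.addAll(filterIfAll(this.table));
            rows.addAll(filterIfAll(this.column));
            return rows;
        }

        /**
         * If any row in the bucket carries {@code ALL}, returns only the {@code ALL} rows;
         * otherwise returns the bucket unchanged. Note that the reduction is per bucket, not
         * per principal: one {@code ALL} row hides every non-{@code ALL} row in the same bucket.
         */
        private static List<RangerResultRow> filterIfAll(List<RangerResultRow> rows) {
            List<RangerResultRow> allOnly = rows.stream()
                    .filter(row -> row.privilege_ == TPrivilegeLevel.ALL)
                    .collect(Collectors.toList());
            return allOnly.isEmpty() ? rows : allOnly;
        }
    }

    /**
     * One row of SHOW GRANT output. Immutable.
     *
     * <p>The decompiler reports that this class was private in the original source; it is kept
     * public here so the declared interface of this file does not change.
     */
    public static class RangerResultRow {
        private final TPrincipalType principalType_;
        private final String principalName_;
        private final String database_;
        private final String table_;
        private final String column_;
        private final String uri_;
        private final String udf_;
        private final TPrivilegeLevel privilege_;
        private final boolean grantOption_;
        // Policy creation time in epoch milliseconds, or null when the policy has none.
        private final Long createTime_;

        /**
         * @param principalType kind of principal the row is reported for
         * @param principalName name reported in the {@code principal_name} column
         * @param database database name, {@code "*"}, or empty
         * @param table table name, {@code "*"}, or empty
         * @param column column name, {@code "*"}, or empty
         * @param uri URI, {@code "*"}, or empty
         * @param udf function name, {@code "*"}, or empty
         * @param privilege privilege level granted
         * @param grantOption whether the matching policy item has delegate-admin set
         * @param createTime policy creation time in epoch milliseconds, may be null
         */
        public RangerResultRow(TPrincipalType principalType, String principalName, String database, String table, String column, String uri, String udf, TPrivilegeLevel privilege, boolean grantOption, Long createTime) {
            this.principalType_ = principalType;
            this.principalName_ = principalName;
            this.database_ = database;
            this.table_ = table;
            this.column_ = column;
            this.uri_ = uri;
            this.udf_ = udf;
            this.privilege_ = privilege;
            this.grantOption_ = grantOption;
            this.createTime_ = createTime;
        }

        /** Returns the column schema of the SHOW GRANT result set, in the order rows are built. */
        public static TResultSetMetadata getSchema() {
            TResultSetMetadata schema = new TResultSetMetadata();
            schema.addToColumns(new TColumn("principal_type", Type.STRING.toThrift()));
            schema.addToColumns(new TColumn("principal_name", Type.STRING.toThrift()));
            schema.addToColumns(new TColumn(RangerImpalaResourceBuilder.DATABASE, Type.STRING.toThrift()));
            schema.addToColumns(new TColumn(RangerImpalaResourceBuilder.TABLE, Type.STRING.toThrift()));
            schema.addToColumns(new TColumn(RangerImpalaResourceBuilder.COLUMN, Type.STRING.toThrift()));
            schema.addToColumns(new TColumn("uri", Type.STRING.toThrift()));
            schema.addToColumns(new TColumn(RangerImpalaResourceBuilder.UDF, Type.STRING.toThrift()));
            schema.addToColumns(new TColumn("privilege", Type.STRING.toThrift()));
            schema.addToColumns(new TColumn("grant_option", Type.BOOLEAN.toThrift()));
            schema.addToColumns(new TColumn("create_time", Type.STRING.toThrift()));
            return schema;
        }

        /** Serializes this row into a Thrift result row matching {@link #getSchema()}. */
        public TResultRow toResultRow() {
            TResultRowBuilder builder = new TResultRowBuilder();
            // Locale.ROOT keeps the enum names stable regardless of the JVM default locale
            // (for example, a Turkish locale would otherwise lower-case "INSERT" with a dotless i).
            builder.add(this.principalType_.name().toUpperCase(Locale.ROOT));
            builder.add(this.principalName_);
            builder.add(this.database_);
            builder.add(this.table_);
            builder.add(this.column_);
            builder.add(this.uri_);
            builder.add(this.udf_);
            builder.add(this.privilege_.name().toLowerCase(Locale.ROOT));
            builder.add(this.grantOption_);
            if (this.createTime_ == null) {
                builder.add((String) null);
            } else {
                // NOTE(review): the schema declares create_time as STRING but a long is added
                // here; confirm consumers expect that.
                builder.add(this.createTime_.longValue());
            }
            return builder.get();
        }
    }

    /**
     * @param supplier source of the Ranger plugin; it is invoked on every operation rather than
     *     cached here
     */
    public RangerImpaladAuthorizationManager(Supplier<RangerImpalaPlugin> supplier) {
        this.plugin_ = supplier;
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void createRole(User user, TCreateDropRoleParams tCreateDropRoleParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void dropRole(User user, TCreateDropRoleParams tCreateDropRoleParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /**
     * Implements SHOW CURRENT ROLES, SHOW ROLE GRANT GROUP and SHOW ROLES.
     *
     * <p>Authorization: the requester is checked with {@code RangerUtil.validateRangerAdmin}
     * unless the request is SHOW CURRENT ROLES or the named grant group is one of the requester's
     * own groups. A plain SHOW ROLES therefore always goes through the admin check.
     *
     * @param tShowRolesParams request parameters, including the requesting user
     * @return the matching role names, sorted
     * @throws ImpalaException an {@link InternalException} wrapping the message of any failure,
     *     including a failed admin check
     */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public TShowRolesResult getRoles(TShowRolesParams tShowRolesParams) throws ImpalaException {
        try {
            TShowRolesResult result = new TShowRolesResult();
            Set<String> requesterGroups = RangerUtil.getGroups(tShowRolesParams.getRequesting_user());
            if (!requesterGroups.contains(tShowRolesParams.getGrant_group()) && !tShowRolesParams.is_show_current_roles) {
                RangerUtil.validateRangerAdmin(this.plugin_.get(), tShowRolesParams.getRequesting_user());
            }
            Set<String> roleNames;
            if (tShowRolesParams.isIs_show_current_roles() || tShowRolesParams.isSetGrant_group()) {
                Set<String> lookupGroups;
                if (tShowRolesParams.isIs_show_current_roles()) {
                    lookupGroups = requesterGroups;
                } else {
                    Preconditions.checkState(tShowRolesParams.isSetGrant_group());
                    lookupGroups = Sets.newHashSet(tShowRolesParams.getGrant_group());
                }
                // The user argument is null: roles are resolved from group membership only.
                roleNames = this.plugin_.get().getRolesFromUserAndGroups(null, lookupGroups);
            } else {
                Preconditions.checkState(!tShowRolesParams.isIs_show_current_roles());
                roleNames = this.plugin_.get().getRoles().getRangerRoles().stream()
                        .map(role -> role.getName())
                        .collect(Collectors.toSet());
            }
            result.setRole_names(Lists.newArrayList(roleNames));
            Collections.sort(result.getRole_names());
            return result;
        } catch (Exception e) {
            // The InternalException thrown below carries only e.getMessage(), so the exception is
            // logged on every branch to keep the stack trace available for investigation.
            if (tShowRolesParams.is_show_current_roles) {
                LOG.error("Error executing SHOW CURRENT ROLES.", e);
                throw new InternalException("Error executing SHOW CURRENT ROLES. Ranger error message: " + e.getMessage());
            }
            if (tShowRolesParams.isSetGrant_group()) {
                LOG.error("Error executing SHOW ROLE GRANT GROUP " + tShowRolesParams.getGrant_group() + FileSystemUtil.DOT, e);
                throw new InternalException("Error executing SHOW ROLE GRANT GROUP " + tShowRolesParams.getGrant_group() + ". Ranger error message: " + e.getMessage());
            }
            LOG.error("Error executing SHOW ROLES.", e);
            throw new InternalException("Error executing SHOW ROLES. Ranger error message: " + e.getMessage());
        }
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void grantRoleToGroup(User user, TGrantRevokeRoleParams tGrantRevokeRoleParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void revokeRoleFromGroup(User user, TGrantRevokeRoleParams tGrantRevokeRoleParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void grantPrivilegeToRole(TCatalogServiceRequestHeader tCatalogServiceRequestHeader, TGrantRevokePrivParams tGrantRevokePrivParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void revokePrivilegeFromRole(TCatalogServiceRequestHeader tCatalogServiceRequestHeader, TGrantRevokePrivParams tGrantRevokePrivParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void grantPrivilegeToUser(TCatalogServiceRequestHeader tCatalogServiceRequestHeader, TGrantRevokePrivParams tGrantRevokePrivParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void revokePrivilegeFromUser(TCatalogServiceRequestHeader tCatalogServiceRequestHeader, TGrantRevokePrivParams tGrantRevokePrivParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void grantPrivilegeToGroup(TCatalogServiceRequestHeader tCatalogServiceRequestHeader, TGrantRevokePrivParams tGrantRevokePrivParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader tCatalogServiceRequestHeader, TGrantRevokePrivParams tGrantRevokePrivParams, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }

    /**
     * Resolves the value to report for one resource kind of the policy behind an ACL entry.
     *
     * @param resourceKey resource kind key in the policy's resource map
     * @param requestedValue value asked for in the SHOW GRANT request
     * @param accessResult ACL entry whose policy is inspected
     * @return empty if the policy has no such resource kind; {@code requestedValue} if the policy
     *     lists it literally; otherwise the wildcard
     */
    private static Optional<String> getResourceName(String resourceKey, String requestedValue, RangerResourceACLs.AccessResult accessResult) {
        RangerPolicy.RangerPolicyResource policyResource = accessResult.getPolicy().getResources().get(resourceKey);
        if (policyResource == null) {
            return Optional.empty();
        }
        return policyResource.getValues().contains(requestedValue) ? Optional.of(requestedValue) : Optional.of(ANY);
    }

    /**
     * Reports whether the first policy item matching the principal has delegate-admin set, which
     * is shown as {@code grant_option} in SHOW GRANT output.
     *
     * <p>For {@code USER} the item must also grant {@code accessType}. For {@code GROUP} and
     * {@code ROLE} only membership is checked.
     * NOTE(review): confirm the missing access-type check for GROUP and ROLE is intended, since
     * it can report the grant option of an item that grants a different access type.
     *
     * @throws UnsupportedOperationException for any other principal type
     */
    private static boolean isDelegateAdmin(RangerResourceACLs.AccessResult accessResult, String accessType, String principalName, TPrincipalType principalType) {
        for (RangerPolicy.RangerPolicyItem item : accessResult.getPolicy().getPolicyItems()) {
            switch (principalType) {
                case USER:
                    if (item.getUsers().contains(principalName)
                            && item.getAccesses().stream().anyMatch(access -> access.getType().equals(accessType))) {
                        // A null flag is treated as "no grant option" rather than failing.
                        return Boolean.TRUE.equals(item.getDelegateAdmin());
                    }
                    break;
                case GROUP:
                    if (item.getGroups().contains(principalName)) {
                        return Boolean.TRUE.equals(item.getDelegateAdmin());
                    }
                    break;
                case ROLE:
                    if (item.getRoles().contains(principalName)) {
                        return Boolean.TRUE.equals(item.getDelegateAdmin());
                    }
                    break;
                default:
                    throw new UnsupportedOperationException(String.format("Unsupported principal type %s", principalType));
            }
        }
        return false;
    }

    /**
     * Converts one ACL entry into a SHOW GRANT row.
     *
     * <p>The decompiler reports that this method was private in the original source; it is kept
     * public here so the declared interface of this file does not change.
     *
     * @param accessType Ranger access type name for the entry
     * @param principalName name reported for the row
     * @param principalType principal kind reported for the row
     * @param accessResult ACL entry carrying the policy
     * @param privilege resource requested in SHOW GRANT
     * @return the row, or null when the access type maps to no {@link TPrivilegeLevel}
     */
    public static RangerResultRow toResultRow(String accessType, String principalName, TPrincipalType principalType, RangerResourceACLs.AccessResult accessResult, TPrivilege privilege) {
        boolean grantOption = isDelegateAdmin(accessResult, accessType, principalName, principalType);
        TPrivilegeLevel level;
        try {
            // Locale.ROOT: with a locale-sensitive upper-casing, an access type such as "insert"
            // can fail the enum lookup under some default locales and the row would be silently
            // dropped from the listing.
            level = TPrivilegeLevel.valueOf(accessType.toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            // The Ranger "update" access type has no enum constant of its own and is reported
            // as INSERT; any other unknown access type yields no row.
            if (!accessType.equals(RangerAuthorizationChecker.UPDATE_ACCESS_TYPE)) {
                return null;
            }
            level = TPrivilegeLevel.INSERT;
        }
        Date createTime = accessResult.getPolicy().getCreateTime();
        return new RangerResultRow(
                principalType,
                principalName,
                getResourceName(RangerImpalaResourceBuilder.DATABASE, privilege.getDb_name(), accessResult).orElse(""),
                getResourceName(RangerImpalaResourceBuilder.TABLE, privilege.getTable_name(), accessResult).orElse(""),
                getResourceName(RangerImpalaResourceBuilder.COLUMN, privilege.getColumn_name(), accessResult).orElse(""),
                getResourceName(RangerImpalaResourceBuilder.URL, privilege.getUri(), accessResult).orElse(""),
                getResourceName(RangerImpalaResourceBuilder.UDF, ANY, accessResult).orElse(""),
                level,
                grantOption,
                createTime == null ? null : Long.valueOf(createTime.getTime()));
    }

    /**
     * Builds the Ranger access requests used to look up ACLs for the resource named in a
     * SHOW GRANT statement. Which resource kinds are queried depends on which fields of the
     * privilege are set; with none set, column, URI and function resources are all queried.
     *
     * @throws UnsupportedOperationException if {@code tPrivilege} is null
     */
    private static List<RangerAccessRequest> buildAccessRequests(TPrivilege tPrivilege) {
        if (tPrivilege == null) {
            throw new UnsupportedOperationException("SHOW GRANT is not supported without a defined resource in Ranger.");
        }
        List<Map<String, String>> resources = new ArrayList<>();
        if (tPrivilege.getColumn_name() != null || tPrivilege.getTable_name() != null) {
            resources.add(RangerUtil.createColumnResource(tPrivilege));
        } else if (tPrivilege.getUri() != null) {
            resources.add(RangerUtil.createUriResource(tPrivilege));
        } else if (tPrivilege.getDb_name() != null) {
            resources.add(RangerUtil.createColumnResource(tPrivilege));
            resources.add(RangerUtil.createFunctionResource(tPrivilege));
        } else {
            resources.add(RangerUtil.createColumnResource(tPrivilege));
            resources.add(RangerUtil.createUriResource(tPrivilege));
            resources.add(RangerUtil.createFunctionResource(tPrivilege));
        }
        List<RangerAccessRequest> requests = new ArrayList<>();
        for (Map<String, String> resource : resources) {
            // Access type "_any" with no user and no groups: the request describes the resource
            // only, and the principal is selected later from the returned ACLs.
            requests.add(new RangerAccessRequestImpl(
                    new RangerAccessResourceImpl(Collections.unmodifiableMap(resource)), "_any", (String) null, (Set<String>) null));
        }
        return requests;
    }

    /**
     * Converts every (access type, ACL entry) pair of one principal into a row, skipping entries
     * for which {@link #toResultRow} returns null.
     */
    private static List<RangerResultRow> aclToPrivilege(Map<String, RangerResourceACLs.AccessResult> acls, String principalName, TPrivilege tPrivilege, TPrincipalType tPrincipalType) {
        return acls.entrySet().stream()
                .map(entry -> toResultRow(entry.getKey(), principalName, tPrincipalType, entry.getValue(), tPrivilege))
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
    }

    /**
     * Implements SHOW GRANT for a user, group or role on the resource in
     * {@code tShowGrantPrincipalParams.privilege}.
     *
     * <p>For each access request the ACLs are fetched from the plugin, converted to rows for the
     * principal, bucketed by resource level and reduced with
     * {@code RangerResourceResult.filterIfAll}. Rows from all requests are gathered in a
     * {@link TreeSet}, so duplicates collapse and the output follows the natural ordering of
     * {@link TResultRow}.
     *
     * <p>This method does not check who is asking; see the class comment.
     *
     * @throws UnsupportedOperationException if the privilege is null or the principal type is not
     *     USER, GROUP or ROLE
     */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public TResultSet getPrivileges(TShowGrantPrincipalParams tShowGrantPrincipalParams) throws ImpalaException {
        List<RangerAccessRequest> requests = buildAccessRequests(tShowGrantPrincipalParams.privilege);
        Set<TResultRow> sortedRows = new TreeSet<>();
        TResultSet resultSet = new TResultSet();
        resultSet.setSchema(RangerResultRow.getSchema());
        resultSet.setRows(new ArrayList<>());
        for (RangerAccessRequest request : requests) {
            RangerResourceACLs acls = this.plugin_.get().getResourceACLs(request);
            List<RangerResultRow> rows;
            switch (tShowGrantPrincipalParams.principal_type) {
                case USER:
                    rows = new ArrayList<>(aclToPrivilege(
                            acls.getUserACLs().getOrDefault(tShowGrantPrincipalParams.name, Collections.emptyMap()),
                            tShowGrantPrincipalParams.name, tShowGrantPrincipalParams.privilege, TPrincipalType.USER));
                    // Privileges the user holds through group membership are listed as well.
                    // NOTE(review): these rows are typed GROUP but carry the user's name, and
                    // isDelegateAdmin then tests the policy's group list against that user name;
                    // confirm whether the group name was meant to be passed instead.
                    for (String group : RangerUtil.getGroups(tShowGrantPrincipalParams.name)) {
                        rows.addAll(aclToPrivilege(
                                acls.getGroupACLs().getOrDefault(group, Collections.emptyMap()),
                                tShowGrantPrincipalParams.name, tShowGrantPrincipalParams.privilege, TPrincipalType.GROUP));
                    }
                    break;
                case GROUP:
                    rows = new ArrayList<>(aclToPrivilege(
                            acls.getGroupACLs().getOrDefault(tShowGrantPrincipalParams.name, Collections.emptyMap()),
                            tShowGrantPrincipalParams.name, tShowGrantPrincipalParams.privilege, TPrincipalType.GROUP));
                    break;
                case ROLE:
                    rows = new ArrayList<>(aclToPrivilege(
                            acls.getRoleACLs().getOrDefault(tShowGrantPrincipalParams.name, Collections.emptyMap()),
                            tShowGrantPrincipalParams.name, tShowGrantPrincipalParams.privilege, TPrincipalType.ROLE));
                    break;
                default:
                    throw new UnsupportedOperationException(String.format("Unsupported principal type %s.", tShowGrantPrincipalParams.principal_type));
            }
            RangerResourceResult bucketed = new RangerResourceResult();
            for (RangerResultRow row : rows) {
                // Most specific named level wins: column, then table, then database; a row that
                // names none of them specifically is a server-level row.
                if (!row.column_.equals(ANY) && !row.column_.isEmpty()) {
                    bucketed.addColumnResult(row);
                } else if (!row.table_.equals(ANY) && !row.table_.isEmpty()) {
                    bucketed.addTableResult(row);
                } else if (row.database_.equals(ANY) || row.database_.isEmpty()) {
                    bucketed.addServerResult(row);
                } else {
                    bucketed.addDatabaseResult(row);
                }
            }
            for (RangerResultRow row : bucketed.getResultRows()) {
                sortedRows.add(row.toResultRow());
            }
        }
        sortedRows.forEach(resultSet::addToRows);
        return resultSet;
    }

    /** Empty in this implementation: the call returns without doing anything. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void updateDatabaseOwnerPrivilege(String str, String str2, String str3, PrincipalType principalType, String str4, PrincipalType principalType2, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
    }

    /** Empty in this implementation: the call returns without doing anything. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public void updateTableOwnerPrivilege(String str, String str2, String str3, String str4, PrincipalType principalType, String str5, PrincipalType principalType2, TDdlExecResponse tDdlExecResponse) throws ImpalaException {
    }

    /** Not available on Impalad; always throws {@link UnsupportedOperationException}. */
    @Override // org.apache.impala.authorization.AuthorizationManager
    public AuthorizationDelta refreshAuthorization(boolean z) {
        throw new UnsupportedOperationException(String.format("%s is not supported in Impalad", ClassUtil.getMethodName()));
    }
}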
