package org.apache.hadoop.ozone.om.multitenant;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.om.multitenant.AccessPolicy;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.ozone.security.acl.OzoneObj;
import org.apache.hadoop.ozone.shaded.com.google.gson.JsonArray;
import org.apache.hadoop.ozone.shaded.com.google.gson.JsonObject;

/* loaded from: input_file:org/apache/hadoop/ozone/om/multitenant/RangerAccessPolicy.class */
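/**
 * In-memory form of one Ranger policy used by Ozone multi-tenancy.
 *
 * <p>A policy instance is bound to a single {@link OzoneObj} (the first object passed to
 * {@link #addAccessPolicyElem}) and holds, per principal name, the list of access elements
 * granted or denied on that object. {@link #serializePolicyToJsonString()} renders the policy
 * as the JSON document built in {@link #updatePolicyJsonString()}.
 *
 * <p>Thread-safety: {@code policyMap} is a {@link ConcurrentHashMap}, but the per-principal
 * lists are plain {@link ArrayList}s, {@code roleList} is a plain {@link HashSet}, and
 * {@code accessObject} is set with an unsynchronized check-then-act. Compound operations in
 * this class are therefore not atomic. NOTE(review): confirm callers serialize access.
 */
public class RangerAccessPolicy implements AccessPolicy {
    // The single object this policy applies to; set by the first addAccessPolicyElem call.
    private OzoneObj accessObject;
    // Principal name -> access elements for that principal.
    private final Map<String, List<AccessPolicy.AccessPolicyElem>> policyMap = new ConcurrentHashMap<>();
    // Role names collected from "policyItems[].roles" during deserialization.
    private final HashSet<String> roleList = new HashSet<>();
    private String policyID;
    private String policyJsonString;
    private String policyName;
    private long lastPolicyUpdateTimeEpochMillis;

    /**
     * Creates an empty policy.
     *
     * @param str the policy name emitted as {@code "name"} in the serialized JSON
     */
    public RangerAccessPolicy(String str) {
        this.policyName = str;
    }

    /**
     * Stores the given value as the policy <em>ID</em>.
     *
     * <p>NOTE(review): despite the method name, this writes {@code policyID}, not
     * {@code policyName}; {@link #deserializePolicyFromJsonString} relies on that when it passes
     * the JSON {@code "id"} field. {@code policyName} is only ever set by the constructor.
     *
     * @param str the policy ID
     */
    @Override
    public void setPolicyName(String str) {
        this.policyID = str;
    }

    /** Returns the policy ID, or {@code null} if none has been set. */
    @Override
    public String getPolicyID() {
        return this.policyID;
    }

    /** Returns the policy name given to the constructor. */
    @Override
    public String getPolicyName() {
        return this.policyName;
    }

    /**
     * Returns the role names read from a deserialized policy.
     *
     * <p>The returned set is the internal, mutable instance; changes made by the caller are
     * visible to this policy.
     */
    @Override
    public HashSet<String> getRoleList() {
        return this.roleList;
    }

    /** Sets the policy's last update time (epoch milliseconds, per the field name). */
    @Override
    public void setPolicyLastUpdateTime(long j) {
        this.lastPolicyUpdateTimeEpochMillis = j;
    }

    /** Returns the policy's last update time as stored by {@link #setPolicyLastUpdateTime}. */
    @Override
    public long getPolicyLastUpdateTime() {
        return this.lastPolicyUpdateTimeEpochMillis;
    }

    /**
     * Rebuilds and returns the JSON form of this policy.
     *
     * @return the serialized policy
     * @throws IOException if no access object has been set yet, or an element carries an ACL
     *     type that has no Ranger string
     */
    @Override
    public String serializePolicyToJsonString() throws IOException {
        updatePolicyJsonString();
        return this.policyJsonString;
    }

    /**
     * Populates the policy ID, role list and last update time from a policy JSON object.
     *
     * <p>Parsing of {@code "policyItems"} and {@code "updateTime"} is best-effort: a missing or
     * malformed field is ignored. If parsing fails part-way through {@code "policyItems"},
     * the roles read before the failure remain in the role list, so callers that act on
     * {@link #getRoleList()} (for example when reconciling role membership) may be working from
     * a partial list with no indication that parsing stopped early.
     *
     * @param jsonObject the policy JSON; must contain an {@code "id"} member
     * @return always {@code null}
     */
    @Override
    public String deserializePolicyFromJsonString(JsonObject jsonObject) {
        setPolicyName(jsonObject.get("id").getAsString());
        try {
            JsonArray policyItems = jsonObject.getAsJsonArray("policyItems");
            for (int i = 0; i < policyItems.size(); i++) {
                JsonArray roles = policyItems.get(i).getAsJsonObject().getAsJsonArray("roles");
                for (int j = 0; j < roles.size(); j++) {
                    // Set.add is already a no-op for names that are present.
                    this.roleList.add(roles.get(j).getAsString());
                }
            }
        } catch (Exception ignored) {
            // Deliberately best-effort: absent or malformed "policyItems"/"roles" leaves the
            // role list with whatever was read so far. No logger is available in this class.
        }
        try {
            setPolicyLastUpdateTime(jsonObject.get("updateTime").getAsLong());
        } catch (Exception ignored) {
            // Deliberately best-effort: without a usable "updateTime" the previous value stays.
        }
        return null;
    }

    /** Returns {@link AccessPolicy.AccessPolicyType#RANGER_POLICY}. */
    @Override
    public AccessPolicy.AccessPolicyType getAccessPolicyType() {
        return AccessPolicy.AccessPolicyType.RANGER_POLICY;
    }

    /**
     * Adds one access element for a principal.
     *
     * <p>The first call fixes the object this policy applies to; later calls must pass an object
     * whose {@code toString()} is equal. A principal may hold each ACL type at most once; the
     * grant type is not part of that uniqueness check.
     *
     * @param ozoneObj the object the access applies to
     * @param principal the principal; elements are keyed by {@code principal.getName()}
     * @param aCLType the ACL type to add
     * @param accessGrantType whether the access is allowed or denied
     * @throws IOException if the object differs from the policy's object, or the principal
     *     already has an element with this ACL type
     */
    @Override
    public void addAccessPolicyElem(OzoneObj ozoneObj, Principal principal, IAccessAuthorizer.ACLType aCLType, AccessPolicy.AccessGrantType accessGrantType) throws IOException {
        if (this.accessObject == null) {
            this.accessObject = ozoneObj;
        } else if (!ozoneObj.toString().equals(this.accessObject.toString())) {
            throw new IOException("RangerAccessPolicy supports only one object per policy");
        }
        AccessPolicy.AccessPolicyElem newElem = new AccessPolicy.AccessPolicyElem(ozoneObj, principal, aCLType, accessGrantType);
        List<AccessPolicy.AccessPolicyElem> elems =
                this.policyMap.computeIfAbsent(principal.getName(), key -> new ArrayList<>());
        for (AccessPolicy.AccessPolicyElem existing : elems) {
            if (existing.getAclType() == aCLType) {
                throw new IOException("RangerAccessPolicy: Principal " + principal.getName() + " already exists with access " + aCLType);
            }
        }
        elems.add(newElem);
    }

    /** Returns a new list holding every access element of every principal. */
    @Override
    public List<AccessPolicy.AccessPolicyElem> getAccessPolicyElem() {
        List<AccessPolicy.AccessPolicyElem> all = new ArrayList<>();
        for (List<AccessPolicy.AccessPolicyElem> elems : this.policyMap.values()) {
            all.addAll(elems);
        }
        return all;
    }

    /**
     * Removes a principal's access element with the given ACL type.
     *
     * <p>Earlier behaviour of this method made revocation unreliable: it removed from the list
     * while iterating it with a for-each loop, dropped the emptied entry using
     * {@code principal.toString()} although entries are keyed by {@code principal.getName()},
     * and threw "aclType not found" even after a successful removal. A revocation that errors
     * out or leaves state behind means the serialized policy can keep a grant the caller
     * believes is gone, so removal is now done with {@code removeIf}, the entry is dropped by
     * the same key it was stored under, and the exception is raised only when nothing matched.
     *
     * @param ozoneObj the object the access applies to; must match the policy's object
     * @param principal the principal whose access is removed
     * @param aCLType the ACL type to remove
     * @param accessGrantType not consulted; elements are matched on ACL type only
     * @throws IOException if the policy has no object, the object or principal is not part of
     *     this policy, or the principal has no element with this ACL type
     */
    @Override
    public void removeAccessPolicyElem(OzoneObj ozoneObj, Principal principal, IAccessAuthorizer.ACLType aCLType, AccessPolicy.AccessGrantType accessGrantType) throws IOException {
        if (this.accessObject == null) {
            throw new IOException("removeAccessPolicyElem: Invalid Arguments.");
        }
        if (!ozoneObj.toString().equals(this.accessObject.toString())) {
            throw new IOException("removeAccessPolicyElem:  Object not found." + ozoneObj.toString());
        }
        final String principalName = principal.getName();
        List<AccessPolicy.AccessPolicyElem> elems = this.policyMap.get(principalName);
        if (elems == null) {
            throw new IOException("removeAccessPolicyElem:  Principal not found." + ozoneObj.toString());
        }
        boolean removed = elems.removeIf(elem -> elem.getAclType() == aCLType);
        if (elems.isEmpty()) {
            // Entries are stored under getName(), so they must be removed under getName() too.
            this.policyMap.remove(principalName);
        }
        if (!removed) {
            throw new IOException("removeAccessPolicyElem:  aclType not found." + ozoneObj.toString());
        }
    }

    /**
     * Escapes a value for use inside a double-quoted JSON string.
     *
     * <p>Policy, principal, volume, bucket and key names are spliced into hand-built JSON. A
     * name containing {@code "} or {@code \} would otherwise terminate the string early and let
     * the remainder of the name be read as policy structure, so quote, backslash and control
     * characters below U+0020 are escaped. Names without such characters are returned unchanged.
     *
     * @param value the raw value; {@code null} is rendered as the text {@code null}, matching
     *     what plain string concatenation produced
     * @return the escaped text, without surrounding quotes
     */
    private static String escapeJson(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    out.append("\\\"");
                    break;
                case '\\':
                    out.append("\\\\");
                    break;
                case '\b':
                    out.append("\\b");
                    break;
                case '\f':
                    out.append("\\f");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\r':
                    out.append("\\r");
                    break;
                case '\t':
                    out.append("\\t");
                    break;
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Builds the {@code "resources":{...},} fragment for the policy's object.
     *
     * <p>The volume is always emitted; the bucket is added for BUCKET and KEY resources and the
     * key for KEY resources. Only the key entry is marked {@code isRecursive:true}.
     */
    private String createRangerResourceItems() {
        StringBuilder sb = new StringBuilder();
        OzoneObj.ResourceType type = this.accessObject.getResourceType();
        sb.append("\"resources\":{\"volume\":{\"values\":[\"");
        sb.append(escapeJson(this.accessObject.getVolumeName()));
        sb.append("\"],\"isRecursive\":false,\"isExcludes\":false}");
        if (type == OzoneObj.ResourceType.BUCKET || type == OzoneObj.ResourceType.KEY) {
            sb.append(",\"bucket\":{\"values\":[\"");
            sb.append(escapeJson(this.accessObject.getBucketName()));
            sb.append("\"],\"isRecursive\":false,\"isExcludes\":false}");
        }
        if (type == OzoneObj.ResourceType.KEY) {
            sb.append(",\"key\":{\"values\":[\"");
            sb.append(escapeJson(this.accessObject.getKeyName()));
            sb.append("\"],\"isRecursive\":true,\"isExcludes\":false}");
        }
        sb.append("},");
        return sb.toString();
    }

    /**
     * Builds the {@code "policyItems":[...],} fragment, one item per principal.
     *
     * <p>A principal is written under {@code "roles"} when its first element's principal is an
     * {@code OzoneTenantRolePrincipal}, otherwise under {@code "users"}. Principals with an
     * empty element list are skipped; the separator is written before each item after the
     * first so that a skipped trailing entry cannot leave a dangling comma.
     *
     * @throws IOException if an element's ACL type has no Ranger string
     */
    private String createRangerPolicyItems() throws IOException {
        StringBuilder sb = new StringBuilder();
        sb.append("\"policyItems\":[");
        boolean firstItem = true;
        for (Map.Entry<String, List<AccessPolicy.AccessPolicyElem>> entry : this.policyMap.entrySet()) {
            List<AccessPolicy.AccessPolicyElem> elems = entry.getValue();
            if (elems.isEmpty()) {
                continue;
            }
            if (!firstItem) {
                sb.append(",");
            }
            firstItem = false;
            sb.append("{");
            String principalName = escapeJson(entry.getKey());
            if (elems.get(0).getPrincipal() instanceof OzoneTenantRolePrincipal) {
                sb.append("\"roles\":[\"" + principalName + "\"],");
            } else {
                sb.append("\"users\":[\"" + principalName + "\"],");
            }
            sb.append("\"accesses\":[");
            boolean firstAccess = true;
            for (AccessPolicy.AccessPolicyElem elem : elems) {
                if (!firstAccess) {
                    sb.append(",");
                }
                firstAccess = false;
                sb.append("{");
                sb.append("\"type\":\"");
                sb.append(getRangerAclString(elem.getAclType()));
                sb.append("\",");
                // Any grant type other than ALLOW is written as a deny.
                if (elem.getAccessGrantType() == AccessPolicy.AccessGrantType.ALLOW) {
                    sb.append("\"isAllowed\":true");
                } else {
                    sb.append("\"isDenied\":true");
                }
                sb.append("}");
            }
            sb.append("]");
            sb.append("}");
        }
        sb.append("],");
        return sb.toString();
    }

    /**
     * Maps an Ozone ACL type to the access type string written into the policy JSON.
     *
     * @param aCLType the ACL type
     * @return the access type string; {@code NONE} maps to the empty string
     * @throws IOException if the ACL type is not one of the handled constants
     */
    private String getRangerAclString(IAccessAuthorizer.ACLType aCLType) throws IOException {
        switch (aCLType) {
            case ALL:
                return "All";
            case LIST:
                return "List";
            case READ:
                return "Read";
            case WRITE:
                return "Write";
            case CREATE:
                return "Create";
            case DELETE:
                return "Delete";
            case READ_ACL:
                return "Read_ACL";
            case WRITE_ACL:
                return "Write_ACL";
            case NONE:
                return "";
            default:
                throw new IOException("Unknown ACLType");
        }
    }

    /**
     * Rebuilds {@code policyJsonString} from the current state.
     *
     * @throws IOException if no access object has been set (no element was ever added), or an
     *     element's ACL type has no Ranger string
     */
    private void updatePolicyJsonString() throws IOException {
        if (this.accessObject == null) {
            // Without this guard the resource fragment would fail with a NullPointerException.
            throw new IOException("RangerAccessPolicy: no access object set; add a policy element before serializing");
        }
        String resources = createRangerResourceItems();
        String policyItems = createRangerPolicyItems();
        // NOTE(review): "description" is emitted twice; which value a consumer keeps depends on
        // its JSON parser. Left as-is because changing it alters the document sent downstream.
        this.policyJsonString = "{\"policyType\":\"0\",\"name\":\"" + escapeJson(this.policyName)
                + "\",\"isEnabled\":true,\"policyPriority\":0,\"description\":\"Policy created by Ozone for Multi-Tenancy\",\"policyLabels\":[\""
                + OzoneConsts.OZONE_TENANT_RANGER_POLICY_LABEL
                + "\"],\"description\":\"\",\"isAuditEnabled\":true,"
                + resources
                + "\"isDenyAllElse\":false,"
                + policyItems
                + "\"allowExceptions\":[],\"denyPolicyItems\":[],\"denyExceptions\":[],\"service\":\"cm_ozone\"}";
    }

    /** Returns a debug rendering of all fields, including the last serialized JSON. */
    @Override
    public String toString() {
        return "RangerAccessPolicy{accessObject=" + this.accessObject + ", policyMap=" + this.policyMap + ", roleList=" + this.roleList + ", policyID='" + this.policyID + "', policyJsonString='" + this.policyJsonString + "', policyName='" + this.policyName + "', lastPolicyUpdateTimeEpochMillis=" + this.lastPolicyUpdateTimeEpochMillis + '}';
    }
}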
