package org.apache.ranger.plugin.policyengine;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.ListUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.RangerReadWriteLock;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.class */
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
    private static final Logger LOG = LoggerFactory.getLogger(RangerPolicyEngineImpl.class);
    private static final Logger PERF_POLICYENGINE_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policyengine.request");
    private static final Logger PERF_POLICYENGINE_AUDIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.audit");
    private static final Logger PERF_POLICYENGINE_GET_ACLS_LOG = RangerPerfTracer.getPerfLogger("policyengine.getResourceACLs");
    private final PolicyEngine policyEngine;
    private final RangerAccessRequestProcessor requestProcessor;
    private final ServiceConfig serviceConfig;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl$ServiceConfig.class */
    public static class ServiceConfig {
        private final Set<String> auditExcludedUsers;
        private final Set<String> auditExcludedGroups;
        private final Set<String> auditExcludedRoles;
        private final Set<String> superUsers;
        private final Set<String> superGroups;
        private final Set<String> serviceAdmins;

        public ServiceConfig(Map<String, String> map) {
            if (map != null) {
                this.auditExcludedUsers = StringUtil.toSet(map.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS));
                this.auditExcludedGroups = StringUtil.toSet(map.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS));
                this.auditExcludedRoles = StringUtil.toSet(map.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES));
                this.superUsers = StringUtil.toSet(map.get(RangerPolicyEngine.PLUGIN_SUPER_USERS));
                this.superGroups = StringUtil.toSet(map.get(RangerPolicyEngine.PLUGIN_SUPER_GROUPS));
                this.serviceAdmins = StringUtil.toSet(map.get(RangerPolicyEngine.PLUGIN_SERVICE_ADMINS));
                return;
            }
            this.auditExcludedUsers = Collections.emptySet();
            this.auditExcludedGroups = Collections.emptySet();
            this.auditExcludedRoles = Collections.emptySet();
            this.superUsers = Collections.emptySet();
            this.superGroups = Collections.emptySet();
            this.serviceAdmins = Collections.emptySet();
        }

        public ServiceConfig(ServiceConfig serviceConfig) {
            this.auditExcludedUsers = (serviceConfig == null || CollectionUtils.isEmpty(serviceConfig.auditExcludedUsers)) ? Collections.emptySet() : new HashSet<>(serviceConfig.auditExcludedUsers);
            this.auditExcludedGroups = (serviceConfig == null || CollectionUtils.isEmpty(serviceConfig.auditExcludedGroups)) ? Collections.emptySet() : new HashSet<>(serviceConfig.auditExcludedGroups);
            this.auditExcludedRoles = (serviceConfig == null || CollectionUtils.isEmpty(serviceConfig.auditExcludedRoles)) ? Collections.emptySet() : new HashSet<>(serviceConfig.auditExcludedRoles);
            this.superUsers = (serviceConfig == null || CollectionUtils.isEmpty(serviceConfig.superUsers)) ? Collections.emptySet() : new HashSet<>(serviceConfig.superUsers);
            this.superGroups = (serviceConfig == null || CollectionUtils.isEmpty(serviceConfig.superGroups)) ? Collections.emptySet() : new HashSet<>(serviceConfig.superGroups);
            this.serviceAdmins = (serviceConfig == null || CollectionUtils.isEmpty(serviceConfig.serviceAdmins)) ? Collections.emptySet() : new HashSet<>(serviceConfig.serviceAdmins);
        }

        public boolean isAuditExcludedUser(String str) {
            return this.auditExcludedUsers.contains(str);
        }

        public boolean hasAuditExcludedGroup(Set<String> set) {
            return set != null && set.size() > 0 && this.auditExcludedGroups.size() > 0 && CollectionUtils.containsAny(set, this.auditExcludedGroups);
        }

        public boolean hasAuditExcludedRole(Set<String> set) {
            return set != null && set.size() > 0 && this.auditExcludedRoles.size() > 0 && CollectionUtils.containsAny(set, this.auditExcludedRoles);
        }

        public boolean isSuperUser(String str) {
            return this.superUsers.contains(str);
        }

        public boolean hasSuperGroup(Set<String> set) {
            return set != null && set.size() > 0 && this.superGroups.size() > 0 && CollectionUtils.containsAny(set, this.superGroups);
        }

        public boolean isServiceAdmin(String str) {
            return this.serviceAdmins.contains(str);
        }
    }

    public static RangerPolicyEngine getPolicyEngine(RangerPolicyEngineImpl rangerPolicyEngineImpl, ServicePolicies servicePolicies) {
        PolicyEngine cloneWithDelta;
        RangerPolicyEngineImpl rangerPolicyEngineImpl2 = null;
        if (rangerPolicyEngineImpl != null && servicePolicies != null && (cloneWithDelta = rangerPolicyEngineImpl.policyEngine.cloneWithDelta(servicePolicies)) != null) {
            rangerPolicyEngineImpl2 = cloneWithDelta == rangerPolicyEngineImpl.policyEngine ? rangerPolicyEngineImpl : new RangerPolicyEngineImpl(cloneWithDelta, rangerPolicyEngineImpl);
        }
        return rangerPolicyEngineImpl2;
    }

    public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext rangerPluginContext, RangerRoles rangerRoles) {
        boolean z;
        RangerPluginConfig config = rangerPluginContext != null ? rangerPluginContext.getConfig() : null;
        if (config != null) {
            z = config.getBoolean(new StringBuilder().append(rangerPluginContext.getConfig().getPropertyPrefix()).append(".supports.policy.deltas").toString(), false) && config.getBoolean(new StringBuilder().append(rangerPluginContext.getConfig().getPropertyPrefix()).append(".supports.in.place.policy.updates").toString(), false);
        } else {
            z = false;
        }
        this.policyEngine = new PolicyEngine(servicePolicies, rangerPluginContext, rangerRoles, z);
        this.serviceConfig = new ServiceConfig(servicePolicies.getServiceConfig());
        this.requestProcessor = new RangerDefaultRequestProcessor(this.policyEngine);
    }

    public String toString() {
        return this.policyEngine.toString();
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerAccessResult evaluatePolicies(RangerAccessRequest rangerAccessRequest, int i, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluatePolicies(" + rangerAccessRequest + ", policyType=" + i + ")");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            String str = Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + "_" + i;
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.evaluatePolicies(requestHashCode=" + str + ")");
            LOG.info("RangerPolicyEngineImpl.evaluatePolicies(" + str + ", " + rangerAccessRequest + ")");
        }
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                this.requestProcessor.preProcess(rangerAccessRequest);
                RangerAccessResult zoneAwareAccessEvaluationWithNoAudit = zoneAwareAccessEvaluationWithNoAudit(rangerAccessRequest, i);
                if (rangerAccessResultProcessor != null) {
                    RangerPerfTracer rangerPerfTracer2 = null;
                    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) {
                        rangerPerfTracer2 = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG, "RangerPolicyEngine.processAudit(requestHashCode=" + (Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + "_" + i) + ")");
                    }
                    rangerAccessResultProcessor.processResult(zoneAwareAccessEvaluationWithNoAudit);
                    RangerPerfTracer.log(rangerPerfTracer2);
                }
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                RangerPerfTracer.log(rangerPerfTracer);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("<== RangerPolicyEngineImpl.evaluatePolicies(" + rangerAccessRequest + ", policyType=" + i + "): " + zoneAwareAccessEvaluationWithNoAudit);
                }
                return zoneAwareAccessEvaluationWithNoAudit;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public Collection<RangerAccessResult> evaluatePolicies(Collection<RangerAccessRequest> collection, int i, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluatePolicies(" + collection + ", policyType=" + i + ")");
        }
        ArrayList arrayList = new ArrayList();
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                if (collection != null) {
                    for (RangerAccessRequest rangerAccessRequest : collection) {
                        this.requestProcessor.preProcess(rangerAccessRequest);
                        arrayList.add(zoneAwareAccessEvaluationWithNoAudit(rangerAccessRequest, i));
                    }
                }
                if (rangerAccessResultProcessor != null) {
                    rangerAccessResultProcessor.processResults(arrayList);
                }
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("<== RangerPolicyEngineImpl.evaluatePolicies(" + collection + ", policyType=" + i + "): " + arrayList);
                }
                return arrayList;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    /* JADX WARN: Finally extract failed */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void evaluateAuditPolicies(RangerAccessResult rangerAccessResult) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluateAuditPolicies(result=" + rangerAccessResult + ")");
        }
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                LOG.debug("Acquired lock - " + readLock);
            }
            RangerPolicyRepository tagPolicyRepository = this.policyEngine.getTagPolicyRepository();
            RangerPolicyRepository policyRepository = this.policyEngine.getPolicyRepository();
            RangerAccessRequest accessRequest = rangerAccessResult.getAccessRequest();
            boolean isAuditedDetermined = rangerAccessResult.getIsAuditedDetermined();
            boolean isAudited = rangerAccessResult.getIsAudited();
            rangerAccessResult.setIsAudited(false);
            rangerAccessResult.setIsAuditedDetermined(false);
            if (tagPolicyRepository != null) {
                try {
                    evaluateTagAuditPolicies(accessRequest, rangerAccessResult, tagPolicyRepository);
                } catch (Throwable th2) {
                    if (!rangerAccessResult.getIsAuditedDetermined()) {
                        rangerAccessResult.setIsAudited(isAudited);
                        rangerAccessResult.setIsAuditedDetermined(isAuditedDetermined);
                    }
                    throw th2;
                }
            }
            if (!rangerAccessResult.getIsAuditedDetermined() && policyRepository != null) {
                evaluateResourceAuditPolicies(accessRequest, rangerAccessResult, policyRepository);
            }
            if (!rangerAccessResult.getIsAuditedDetermined()) {
                rangerAccessResult.setIsAudited(isAudited);
                rangerAccessResult.setIsAuditedDetermined(isAuditedDetermined);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== RangerPolicyEngineImpl.evaluateAuditPolicies(result=" + rangerAccessResult + ")");
            }
        } finally {
            if (readLock != null) {
                if (0 != 0) {
                    try {
                        readLock.close();
                    } catch (Throwable th3) {
                        th.addSuppressed(th3);
                    }
                } else {
                    readLock.close();
                }
            }
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerResourceACLs getResourceACLs(RangerAccessRequest rangerAccessRequest) {
        return getResourceACLs(rangerAccessRequest, null);
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerResourceACLs getResourceACLs(RangerAccessRequest rangerAccessRequest, Integer num) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getResourceACLs(request=" + rangerAccessRequest + ", policyType=" + num + ")");
        }
        RangerResourceACLs rangerResourceACLs = new RangerResourceACLs();
        RangerPerfTracer perfTracer = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_GET_ACLS_LOG) ? RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_GET_ACLS_LOG, "RangerPolicyEngine.getResourceACLs(requestHashCode=" + rangerAccessRequest.getResource().getAsString() + ")") : null;
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                this.requestProcessor.preProcess(rangerAccessRequest);
                String uniquelyMatchedZoneName = this.policyEngine.getUniquelyMatchedZoneName(rangerAccessRequest.getResource().getAsMap());
                if (LOG.isDebugEnabled()) {
                    LOG.debug("zoneName:[" + uniquelyMatchedZoneName + "]");
                }
                for (int i : num == null ? RangerPolicy.POLICY_TYPES : new int[]{num.intValue()}) {
                    ArrayList arrayList = new ArrayList();
                    HashMap hashMap = new HashMap();
                    HashSet hashSet = new HashSet();
                    getResourceACLEvaluatorsForZone(rangerAccessRequest, uniquelyMatchedZoneName, i, arrayList, hashMap, hashSet);
                    arrayList.sort(RangerPolicyEvaluator.EVAL_ORDER_COMPARATOR);
                    if (!CollectionUtils.isEmpty(arrayList)) {
                        Integer num2 = null;
                        for (RangerPolicyEvaluator rangerPolicyEvaluator : arrayList) {
                            if (num2 == null) {
                                num2 = Integer.valueOf(rangerPolicyEvaluator.getPolicyPriority());
                            }
                            if (num2.intValue() != rangerPolicyEvaluator.getPolicyPriority()) {
                                if (i == 0) {
                                    rangerResourceACLs.finalizeAcls();
                                }
                                num2 = Integer.valueOf(rangerPolicyEvaluator.getPolicyPriority());
                            }
                            RangerPolicyResourceMatcher.MatchType matchType = hashMap.get(Long.valueOf(rangerPolicyEvaluator.getId()));
                            if (matchType == null) {
                                matchType = rangerPolicyEvaluator.getPolicyResourceMatcher().getMatchType(rangerAccessRequest.getResource(), rangerAccessRequest.getResourceElementMatchingScopes(), rangerAccessRequest.getContext());
                            }
                            if (rangerAccessRequest.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS ? matchType != RangerPolicyResourceMatcher.MatchType.NONE : matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS) {
                                if (i == 0) {
                                    updateFromPolicyACLs(rangerPolicyEvaluator, hashSet, rangerResourceACLs);
                                } else if (i == 2) {
                                    updateRowFiltersFromPolicy(rangerPolicyEvaluator, hashSet, rangerResourceACLs);
                                } else if (i == 1) {
                                    updateDataMasksFromPolicy(rangerPolicyEvaluator, hashSet, rangerResourceACLs);
                                }
                            }
                        }
                        rangerResourceACLs.finalizeAcls();
                    }
                }
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                RangerPerfTracer.logAlways(perfTracer);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("<== RangerPolicyEngineImpl.getResourceACLs(request=" + rangerAccessRequest + ", policyType=" + num + ") : ret=" + rangerResourceACLs);
                }
                return rangerResourceACLs;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void setUseForwardedIPAddress(boolean z) {
        RangerReadWriteLock.RangerLock writeLock = this.policyEngine.getWriteLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && writeLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + writeLock);
                }
                this.policyEngine.setUseForwardedIPAddress(z);
                if (writeLock != null) {
                    if (0 == 0) {
                        writeLock.close();
                        return;
                    }
                    try {
                        writeLock.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (writeLock != null) {
                if (th != null) {
                    try {
                        writeLock.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    writeLock.close();
                }
            }
            throw th4;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void setTrustedProxyAddresses(String[] strArr) {
        RangerReadWriteLock.RangerLock writeLock = this.policyEngine.getWriteLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && writeLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + writeLock);
                }
                this.policyEngine.setTrustedProxyAddresses(strArr);
                if (writeLock != null) {
                    if (0 == 0) {
                        writeLock.close();
                        return;
                    }
                    try {
                        writeLock.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (writeLock != null) {
                if (th != null) {
                    try {
                        writeLock.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    writeLock.close();
                }
            }
            throw th4;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerServiceDef getServiceDef() {
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                RangerServiceDef serviceDef = this.policyEngine.getServiceDef();
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                return serviceDef;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public long getPolicyVersion() {
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                long policyVersion = this.policyEngine.getPolicyVersion();
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                return policyVersion;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public long getRoleVersion() {
        return this.policyEngine.getRoleVersion();
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void setRoles(RangerRoles rangerRoles) {
        RangerReadWriteLock.RangerLock writeLock = this.policyEngine.getWriteLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && writeLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + writeLock);
                }
                this.policyEngine.setRoles(rangerRoles);
                if (writeLock != null) {
                    if (0 == 0) {
                        writeLock.close();
                        return;
                    }
                    try {
                        writeLock.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (writeLock != null) {
                if (th != null) {
                    try {
                        writeLock.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    writeLock.close();
                }
            }
            throw th4;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public Set<String> getRolesFromUserAndGroups(String str, Set<String> set) {
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                Set<String> rolesForUserAndGroups = this.policyEngine.getPluginContext().getAuthContext().getRolesForUserAndGroups(str, set);
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                return rolesForUserAndGroups;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerRoles getRangerRoles() {
        return this.policyEngine.getPluginContext().getAuthContext().getRangerRolesUtil().getRoles();
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerPluginContext getPluginContext() {
        return this.policyEngine.getPluginContext();
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public String getUniquelyMatchedZoneName(GrantRevokeRequest grantRevokeRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getUniquelyMatchedZoneName(" + grantRevokeRequest + ")");
        }
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                String uniquelyMatchedZoneName = this.policyEngine.getUniquelyMatchedZoneName(grantRevokeRequest.getResource());
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("<== RangerPolicyEngineImpl.getUniquelyMatchedZoneName(" + grantRevokeRequest + ") : " + uniquelyMatchedZoneName);
                }
                return uniquelyMatchedZoneName;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getResourcePolicies(String str) {
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                List<RangerPolicy> resourcePolicies = this.policyEngine.getResourcePolicies(str);
                List<RangerPolicy> arrayList = CollectionUtils.isNotEmpty(resourcePolicies) ? new ArrayList<>(resourcePolicies) : resourcePolicies;
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                return arrayList;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getResourcePolicies() {
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                RangerPolicyRepository policyRepository = this.policyEngine.getPolicyRepository();
                List<RangerPolicy> policies = policyRepository == null ? ListUtils.EMPTY_LIST : policyRepository.getPolicies();
                List<RangerPolicy> arrayList = CollectionUtils.isNotEmpty(policies) ? new ArrayList<>(policies) : policies;
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                return arrayList;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getTagPolicies() {
        RangerReadWriteLock.RangerLock readLock = this.policyEngine.getReadLock();
        Throwable th = null;
        try {
            try {
                if (LOG.isDebugEnabled() && readLock.isLockingEnabled()) {
                    LOG.debug("Acquired lock - " + readLock);
                }
                RangerPolicyRepository tagPolicyRepository = this.policyEngine.getTagPolicyRepository();
                List<RangerPolicy> policies = tagPolicyRepository == null ? ListUtils.EMPTY_LIST : tagPolicyRepository.getPolicies();
                List<RangerPolicy> arrayList = CollectionUtils.isNotEmpty(policies) ? new ArrayList<>(policies) : policies;
                if (readLock != null) {
                    if (0 != 0) {
                        try {
                            readLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        readLock.close();
                    }
                }
                return arrayList;
            } finally {
            }
        } catch (Throwable th3) {
            if (readLock != null) {
                if (th != null) {
                    try {
                        readLock.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    readLock.close();
                }
            }
            throw th3;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getResourceAccessInfo(" + rangerAccessRequest + ")");
        }
        this.requestProcessor.preProcess(rangerAccessRequest);
        RangerResourceAccessInfo rangerResourceAccessInfo = new RangerResourceAccessInfo(rangerAccessRequest);
        Set<String> matchedZonesForResourceAndChildren = this.policyEngine.getMatchedZonesForResourceAndChildren(rangerAccessRequest.getResource());
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneNames:[" + matchedZonesForResourceAndChildren + "]");
        }
        if (CollectionUtils.isEmpty(matchedZonesForResourceAndChildren)) {
            getResourceAccessInfoForZone(rangerAccessRequest, rangerResourceAccessInfo, null);
        } else {
            Iterator<String> it = matchedZonesForResourceAndChildren.iterator();
            while (it.hasNext()) {
                getResourceAccessInfoForZone(rangerAccessRequest, rangerResourceAccessInfo, it.next());
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getResourceAccessInfo(" + rangerAccessRequest + "): " + rangerResourceAccessInfo);
        }
        return rangerResourceAccessInfo;
    }

    public void releaseResources(boolean z) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.releaseResources(isForced=" + z + ")");
        }
        PolicyEngine policyEngine = this.policyEngine;
        if (policyEngine != null) {
            policyEngine.preCleanup(z);
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("Cannot preCleanup policy-engine as it is null!");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.releaseResources(isForced=" + z + ")");
        }
    }

    public boolean isServiceAdmin(String str) {
        boolean isServiceAdmin = this.serviceConfig.isServiceAdmin(str);
        if (!isServiceAdmin) {
            isServiceAdmin = this.policyEngine.getPluginContext().getConfig().isServiceAdmin(str);
        }
        return isServiceAdmin;
    }

    public PolicyEngine getPolicyEngine() {
        return this.policyEngine;
    }

    public RangerAccessRequestProcessor getRequestProcessor() {
        return this.requestProcessor;
    }

    private RangerPolicyEngineImpl(PolicyEngine policyEngine, RangerPolicyEngineImpl rangerPolicyEngineImpl) {
        this.policyEngine = policyEngine;
        this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine);
        this.serviceConfig = new ServiceConfig(rangerPolicyEngineImpl.serviceConfig);
    }

    private RangerAccessResult zoneAwareAccessEvaluationWithNoAudit(RangerAccessRequest rangerAccessRequest, int i) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + rangerAccessRequest + ", policyType =" + i + ")");
        }
        RangerAccessResult rangerAccessResult = null;
        this.policyEngine.getPolicyRepository();
        RangerPolicyRepository tagPolicyRepository = this.policyEngine.getTagPolicyRepository();
        Set<String> matchedZonesForResourceAndChildren = this.policyEngine.getMatchedZonesForResourceAndChildren(rangerAccessRequest.getResource());
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneNames:[" + matchedZonesForResourceAndChildren + "]");
        }
        if (CollectionUtils.isEmpty(matchedZonesForResourceAndChildren) || (matchedZonesForResourceAndChildren.size() > 1 && !rangerAccessRequest.isAccessTypeAny())) {
            rangerAccessResult = evaluatePoliciesNoAudit(rangerAccessRequest, i, null, this.policyEngine.getRepositoryForZone(null), tagPolicyRepository);
            rangerAccessResult.setZoneName(null);
        } else if (matchedZonesForResourceAndChildren.size() == 1 || rangerAccessRequest.isAccessTypeAny()) {
            Iterator<String> it = matchedZonesForResourceAndChildren.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                String next = it.next();
                rangerAccessResult = evaluatePoliciesNoAudit(rangerAccessRequest, i, next, this.policyEngine.getRepositoryForZone(next), tagPolicyRepository);
                rangerAccessResult.setZoneName(next);
                if (rangerAccessResult.getIsAllowed()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Zone:[" + next + "] allowed access. Completed processing other zones");
                    }
                }
            }
        }
        if (rangerAccessRequest.isAccessTypeAny() && ((rangerAccessRequest.getResource() == null || CollectionUtils.isEmpty(rangerAccessRequest.getResource().getKeys())) && rangerAccessResult != null && !rangerAccessResult.getIsAllowed() && MapUtils.isNotEmpty(this.policyEngine.getZonePolicyRepositories()))) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Process all security-zones");
            }
            Iterator<Map.Entry<String, RangerPolicyRepository>> it2 = this.policyEngine.getZonePolicyRepositories().entrySet().iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                Map.Entry<String, RangerPolicyRepository> next2 = it2.next();
                String key = next2.getKey();
                RangerPolicyRepository value = next2.getValue();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Evaluating policies for zone:[" + key + "]");
                }
                if (value != null) {
                    RangerAccessResult evaluatePoliciesNoAudit = evaluatePoliciesNoAudit(rangerAccessRequest, i, key, value, tagPolicyRepository);
                    if (evaluatePoliciesNoAudit.getIsAllowed()) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Zone:[" + key + "] allowed access. Completed processing other zones");
                        }
                        evaluatePoliciesNoAudit.setZoneName(key);
                        rangerAccessResult = evaluatePoliciesNoAudit;
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + rangerAccessRequest + ", policyType =" + i + "): " + rangerAccessResult);
        }
        return rangerAccessResult;
    }

    private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest rangerAccessRequest, int i, String str, RangerPolicyRepository rangerPolicyRepository, RangerPolicyRepository rangerPolicyRepository2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + rangerAccessRequest + ", policyType =" + i + ", zoneName=" + str + ")");
        }
        if (rangerAccessRequest.isAccessTypeAny()) {
            List<RangerServiceDef.RangerAccessTypeDef> accessTypes = getServiceDef().getAccessTypes();
            HashSet hashSet = new HashSet();
            Iterator<RangerServiceDef.RangerAccessTypeDef> it = accessTypes.iterator();
            while (it.hasNext()) {
                hashSet.add(it.next().getName());
            }
            RangerAccessRequestUtil.setAllRequestedAccessTypes(rangerAccessRequest.getContext(), hashSet, Boolean.TRUE);
        }
        RangerAccessResult evaluatePoliciesForOneAccessTypeNoAudit = evaluatePoliciesForOneAccessTypeNoAudit(rangerAccessRequest, i, str, rangerPolicyRepository, rangerPolicyRepository2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + rangerAccessRequest + ", policyType =" + i + ", zoneName=" + str + "): " + evaluatePoliciesForOneAccessTypeNoAudit);
        }
        return evaluatePoliciesForOneAccessTypeNoAudit;
    }

    private RangerAccessResult evaluatePoliciesForOneAccessTypeNoAudit(RangerAccessRequest rangerAccessRequest, int i, String str, RangerPolicyRepository rangerPolicyRepository, RangerPolicyRepository rangerPolicyRepository2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesForOneAccessTypeNoAudit(" + rangerAccessRequest + ", policyType =" + i + ", zoneName=" + str + ")");
        }
        boolean isSuperUser = isSuperUser(rangerAccessRequest.getUser(), rangerAccessRequest.getUserGroups());
        Date accessTime = rangerAccessRequest.getAccessTime() != null ? rangerAccessRequest.getAccessTime() : new Date();
        RangerAccessResult createAccessResult = createAccessResult(rangerAccessRequest, i);
        if (isSuperUser || StringUtils.equals(rangerAccessRequest.getAccessType(), RangerPolicyEngine.SUPER_USER_ACCESS)) {
            createAccessResult.setIsAllowed(isSuperUser);
            createAccessResult.setIsAccessDetermined(true);
            createAccessResult.setPolicyId(-1L);
            createAccessResult.setPolicyPriority(Integer.MAX_VALUE);
            createAccessResult.setReason("superuser");
        }
        evaluateTagPolicies(rangerAccessRequest, i, str, rangerPolicyRepository2, createAccessResult);
        if (LOG.isDebugEnabled() && createAccessResult.getIsAccessDetermined() && createAccessResult.getIsAuditedDetermined()) {
            if (createAccessResult.getIsAllowed()) {
                LOG.debug("RangerPolicyEngineImpl.evaluatePoliciesNoAudit() - audit determined and access allowed by a tag policy. Same or higher priority resource policies will be evaluated to check for deny, request=" + rangerAccessRequest + ", result=" + createAccessResult);
            } else {
                LOG.debug("RangerPolicyEngineImpl.evaluatePoliciesNoAudit() - audit determined and access denied by a tag policy. Higher priority resource policies will be evaluated to check for allow, request=" + rangerAccessRequest + ", result=" + createAccessResult);
            }
        }
        boolean z = createAccessResult.getIsAccessDetermined() && createAccessResult.getIsAllowed();
        boolean z2 = createAccessResult.getIsAccessDetermined() && !createAccessResult.getIsAllowed();
        if (this.policyEngine.hasResourcePolicies(rangerPolicyRepository)) {
            boolean z3 = !createAccessResult.getIsAuditedDetermined();
            boolean z4 = z3 && rangerPolicyRepository.setAuditEnabledFromCache(rangerAccessRequest, createAccessResult);
            createAccessResult.setIsAccessDetermined(false);
            for (RangerPolicyEvaluator rangerPolicyEvaluator : rangerPolicyRepository.getLikelyMatchPolicyEvaluators(rangerAccessRequest, i)) {
                if (rangerPolicyEvaluator.isApplicable(accessTime)) {
                    if (z2) {
                        if (createAccessResult.getPolicyPriority() >= rangerPolicyEvaluator.getPolicyPriority()) {
                            createAccessResult.setIsAccessDetermined(true);
                        }
                    } else if (createAccessResult.getIsAllowed()) {
                        if (i == 0) {
                            if (createAccessResult.getPolicyPriority() > rangerPolicyEvaluator.getPolicyPriority()) {
                                createAccessResult.setIsAccessDetermined(true);
                            }
                        } else if (createAccessResult.getPolicyPriority() >= rangerPolicyEvaluator.getPolicyPriority()) {
                            createAccessResult.setIsAccessDetermined(true);
                        }
                    }
                    createAccessResult.incrementEvaluatedPoliciesCount();
                    rangerPolicyEvaluator.evaluate(rangerAccessRequest, createAccessResult);
                    if (createAccessResult.getIsAllowed() && !rangerPolicyEvaluator.hasDeny()) {
                        createAccessResult.setIsAccessDetermined(true);
                    }
                    if (createAccessResult.getIsAuditedDetermined() && createAccessResult.getIsAccessDetermined()) {
                        break;
                    }
                }
            }
            if (!createAccessResult.getIsAccessDetermined()) {
                if (z2) {
                    createAccessResult.setIsAllowed(false);
                } else if (z) {
                    createAccessResult.setIsAllowed(true);
                }
                if (!createAccessResult.getIsAllowed() && !getIsFallbackSupported()) {
                    createAccessResult.setIsAccessDetermined(true);
                }
            }
            if (createAccessResult.getIsAllowed()) {
                createAccessResult.setIsAccessDetermined(true);
            }
            if (z3 && !z4) {
                rangerPolicyRepository.storeAuditEnabledInCache(rangerAccessRequest, createAccessResult);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evaluatePoliciesForOneAccessTypeNoAudit(" + rangerAccessRequest + ", policyType =" + i + ", zoneName=" + str + "): " + createAccessResult);
        }
        return createAccessResult;
    }

    /* JADX WARN: Removed duplicated region for block: B:34:0x0196  */
    /* JADX WARN: Removed duplicated region for block: B:42:0x01f8  */
    /* JADX WARN: Removed duplicated region for block: B:45:0x0207  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private void evaluateTagPolicies(org.apache.ranger.plugin.policyengine.RangerAccessRequest r7, int r8, java.lang.String r9, org.apache.ranger.plugin.policyengine.RangerPolicyRepository r10, org.apache.ranger.plugin.policyengine.RangerAccessResult r11) {
        /*
            Method dump skipped, instructions count: 668
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl.evaluateTagPolicies(org.apache.ranger.plugin.policyengine.RangerAccessRequest, int, java.lang.String, org.apache.ranger.plugin.policyengine.RangerPolicyRepository, org.apache.ranger.plugin.policyengine.RangerAccessResult):void");
    }

    private RangerAccessResult createAccessResult(RangerAccessRequest rangerAccessRequest, int i) {
        RangerPolicyRepository policyRepository = this.policyEngine.getPolicyRepository();
        RangerAccessResult rangerAccessResult = new RangerAccessResult(i, policyRepository.getServiceName(), policyRepository.getServiceDef(), rangerAccessRequest);
        switch (policyRepository.getAuditModeEnum()) {
            case AUDIT_ALL:
                rangerAccessResult.setIsAudited(true);
                break;
            case AUDIT_NONE:
                rangerAccessResult.setIsAudited(false);
                break;
            default:
                if (CollectionUtils.isEmpty(policyRepository.getPolicies()) && this.policyEngine.getTagPolicyRepository() == null) {
                    rangerAccessResult.setIsAudited(true);
                    break;
                }
                break;
        }
        if (isAuditExcludedUser(rangerAccessRequest.getUser(), rangerAccessRequest.getUserGroups(), RangerAccessRequestUtil.getCurrentUserRolesFromContext(rangerAccessRequest.getContext()))) {
            rangerAccessResult.setIsAudited(false);
        }
        return rangerAccessResult;
    }

    private boolean isAuditExcludedUser(String str, Set<String> set, Set<String> set2) {
        boolean isAuditExcludedUser = this.serviceConfig.isAuditExcludedUser(str);
        if (!isAuditExcludedUser) {
            RangerPluginConfig config = this.policyEngine.getPluginContext().getConfig();
            isAuditExcludedUser = config.isAuditExcludedUser(str);
            if (!isAuditExcludedUser && set != null && set.size() > 0) {
                isAuditExcludedUser = this.serviceConfig.hasAuditExcludedGroup(set) || config.hasAuditExcludedGroup(set);
            }
            if (!isAuditExcludedUser && set2 != null && set2.size() > 0) {
                isAuditExcludedUser = this.serviceConfig.hasAuditExcludedRole(set2) || config.hasAuditExcludedRole(set2);
            }
        }
        return isAuditExcludedUser;
    }

    private boolean isSuperUser(String str, Set<String> set) {
        boolean isSuperUser = this.serviceConfig.isSuperUser(str);
        if (!isSuperUser) {
            RangerPluginConfig config = this.policyEngine.getPluginContext().getConfig();
            isSuperUser = config.isSuperUser(str);
            if (!isSuperUser && set != null && set.size() > 0) {
                isSuperUser = this.serviceConfig.hasSuperGroup(set) || config.hasSuperGroup(set);
            }
        }
        return isSuperUser;
    }

    /* JADX WARN: Removed duplicated region for block: B:33:0x0198 A[SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:36:0x00a1 A[SYNTHETIC] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private void getResourceACLEvaluatorsForZone(org.apache.ranger.plugin.policyengine.RangerAccessRequest r7, java.lang.String r8, int r9, java.util.List<org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator> r10, java.util.Map<java.lang.Long, org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType> r11, java.util.Set<java.lang.Long> r12) {
        /*
            Method dump skipped, instructions count: 449
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl.getResourceACLEvaluatorsForZone(org.apache.ranger.plugin.policyengine.RangerAccessRequest, java.lang.String, int, java.util.List, java.util.Map, java.util.Set):void");
    }

    private void getResourceAccessInfoForZone(RangerAccessRequest rangerAccessRequest, RangerResourceAccessInfo rangerResourceAccessInfo, String str) {
        RangerPolicyRepository repositoryForZone = this.policyEngine.getRepositoryForZone(str);
        if (repositoryForZone == null) {
            LOG.error("policyRepository for zoneName:[" + str + "],  serviceName:[" + this.policyEngine.getPolicyRepository().getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!");
            return;
        }
        if (CollectionUtils.isNotEmpty(this.policyEngine.getTagPolicyRepository() == null ? null : this.policyEngine.getTagPolicyRepository().getPolicyEvaluators())) {
            Set<RangerTagForEval> requestTagsFromContext = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext());
            if (CollectionUtils.isNotEmpty(requestTagsFromContext)) {
                boolean z = !this.policyEngine.isResourceZoneAssociatedWithTagService(str);
                Iterator<RangerTagForEval> it = requestTagsFromContext.iterator();
                while (it.hasNext()) {
                    RangerTagAccessRequest rangerTagAccessRequest = new RangerTagAccessRequest(it.next(), this.policyEngine.getTagPolicyRepository().getServiceDef(), rangerAccessRequest);
                    for (RangerPolicyEvaluator rangerPolicyEvaluator : this.policyEngine.getTagPolicyRepository().getLikelyMatchPolicyEvaluators(rangerTagAccessRequest, 0)) {
                        String zoneName = rangerPolicyEvaluator.getPolicy().getZoneName();
                        if (z) {
                            if (!StringUtils.isNotEmpty(zoneName)) {
                                rangerPolicyEvaluator.getResourceAccessInfo(rangerTagAccessRequest, rangerResourceAccessInfo);
                            } else if (LOG.isDebugEnabled()) {
                                LOG.debug("Tag policy [zone:" + zoneName + "] does not belong to default zone. Not evaluating this policy:[" + rangerPolicyEvaluator.getPolicy() + "]");
                            }
                        } else if (StringUtils.equals(str, zoneName)) {
                            rangerPolicyEvaluator.getResourceAccessInfo(rangerTagAccessRequest, rangerResourceAccessInfo);
                        } else if (LOG.isDebugEnabled()) {
                            LOG.debug("Tag policy [zone:" + zoneName + "] does not belong to the zone:[" + str + "] of the accessed resource. Not evaluating this policy:[" + rangerPolicyEvaluator.getPolicy() + "]");
                        }
                    }
                }
            }
        }
        List<RangerPolicyEvaluator> likelyMatchPolicyEvaluators = repositoryForZone.getLikelyMatchPolicyEvaluators(rangerAccessRequest, 0);
        if (CollectionUtils.isNotEmpty(likelyMatchPolicyEvaluators)) {
            Iterator<RangerPolicyEvaluator> it2 = likelyMatchPolicyEvaluators.iterator();
            while (it2.hasNext()) {
                it2.next().getResourceAccessInfo(rangerAccessRequest, rangerResourceAccessInfo);
            }
        }
        rangerResourceAccessInfo.getAllowedUsers().removeAll(rangerResourceAccessInfo.getDeniedUsers());
        rangerResourceAccessInfo.getAllowedGroups().removeAll(rangerResourceAccessInfo.getDeniedGroups());
    }

    private void evaluateTagAuditPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult, RangerPolicyRepository rangerPolicyRepository) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluateTagAuditPolicies(request=" + rangerAccessRequest + ", result=" + rangerAccessResult + ")");
        }
        Set<RangerTagForEval> requestTagsFromContext = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext());
        if (CollectionUtils.isNotEmpty(requestTagsFromContext)) {
            List<PolicyEvaluatorForTag> likelyMatchPolicyEvaluators = rangerPolicyRepository.getLikelyMatchPolicyEvaluators(rangerAccessRequest, requestTagsFromContext, 3, rangerAccessRequest.getAccessTime() != null ? rangerAccessRequest.getAccessTime() : new Date());
            if (CollectionUtils.isNotEmpty(likelyMatchPolicyEvaluators)) {
                Iterator<PolicyEvaluatorForTag> it = likelyMatchPolicyEvaluators.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    PolicyEvaluatorForTag next = it.next();
                    RangerPolicyEvaluator evaluator = next.getEvaluator();
                    RangerTagForEval tag = next.getTag();
                    RangerTagAccessRequest rangerTagAccessRequest = new RangerTagAccessRequest(tag, rangerPolicyRepository.getServiceDef(), rangerAccessRequest);
                    RangerAccessResult createAccessResult = createAccessResult(rangerTagAccessRequest, 3);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("RangerPolicyEngineImpl.evaluateTagAuditPolicies: Evaluating Audit policies for tag (" + tag.getType() + ")Tag Evaluator: " + next);
                    }
                    createAccessResult.setAccessResultFrom(rangerAccessResult);
                    rangerAccessResult.incrementEvaluatedPoliciesCount();
                    evaluator.evaluate(rangerTagAccessRequest, createAccessResult);
                    if (createAccessResult.getIsAuditedDetermined()) {
                        rangerAccessResult.setIsAudited(createAccessResult.getIsAudited());
                        break;
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evaluateTagAuditPolicies(request=" + rangerAccessRequest + ", result=" + rangerAccessResult + ")");
        }
    }

    private boolean evaluateResourceAuditPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult, RangerPolicyRepository rangerPolicyRepository) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluateResourceAuditPolicies(request=" + rangerAccessRequest + ", result=" + rangerAccessResult + ")");
        }
        boolean z = false;
        List<RangerPolicyEvaluator> likelyMatchAuditPolicyEvaluators = rangerPolicyRepository.getLikelyMatchAuditPolicyEvaluators(rangerAccessRequest);
        if (CollectionUtils.isNotEmpty(likelyMatchAuditPolicyEvaluators)) {
            Iterator<RangerPolicyEvaluator> it = likelyMatchAuditPolicyEvaluators.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                RangerPolicyEvaluator next = it.next();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("==> RangerPolicyEngineImpl.evaluateResourceAuditPolicies(): Evaluating RangerPolicyEvaluator...: " + next);
                }
                rangerAccessResult.incrementEvaluatedPoliciesCount();
                next.evaluate(rangerAccessRequest, rangerAccessResult);
                if (rangerAccessResult.getIsAuditedDetermined()) {
                    z = true;
                    break;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evaluateResourceAuditPolicies(request=" + rangerAccessRequest + ", result=" + rangerAccessResult + "): ret=" + z);
        }
        return z;
    }

    private boolean getIsFallbackSupported() {
        return this.policyEngine.getPluginContext().getConfig().getIsFallbackSupported();
    }

    private void updateFromPolicyACLs(RangerPolicyEvaluator rangerPolicyEvaluator, Set<Long> set, RangerResourceACLs rangerResourceACLs) {
        Integer valueOf;
        Integer valueOf2;
        Integer valueOf3;
        RangerPolicyEvaluator.PolicyACLSummary policyACLSummary = rangerPolicyEvaluator.getPolicyACLSummary();
        if (policyACLSummary == null) {
            return;
        }
        boolean z = set.contains(Long.valueOf(rangerPolicyEvaluator.getId())) || rangerPolicyEvaluator.getValidityScheduleEvaluatorsCount() != 0;
        for (Map.Entry<String, Map<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult>> entry : policyACLSummary.getUsersAccessInfo().entrySet()) {
            String key = entry.getKey();
            for (Map.Entry<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> entry2 : entry.getValue().entrySet()) {
                if (z) {
                    valueOf3 = RangerPolicyEvaluator.ACCESS_CONDITIONAL;
                } else {
                    valueOf3 = Integer.valueOf(entry2.getValue().getResult());
                    if (valueOf3.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
                        valueOf3 = RangerPolicyEvaluator.ACCESS_DENIED;
                    }
                }
                rangerResourceACLs.setUserAccessInfo(key, entry2.getKey(), valueOf3, rangerPolicyEvaluator.getPolicy());
            }
        }
        for (Map.Entry<String, Map<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult>> entry3 : policyACLSummary.getGroupsAccessInfo().entrySet()) {
            String key2 = entry3.getKey();
            for (Map.Entry<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> entry4 : entry3.getValue().entrySet()) {
                if (z) {
                    valueOf2 = RangerPolicyEvaluator.ACCESS_CONDITIONAL;
                } else {
                    valueOf2 = Integer.valueOf(entry4.getValue().getResult());
                    if (valueOf2.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
                        valueOf2 = RangerPolicyEvaluator.ACCESS_DENIED;
                    }
                }
                rangerResourceACLs.setGroupAccessInfo(key2, entry4.getKey(), valueOf2, rangerPolicyEvaluator.getPolicy());
            }
        }
        for (Map.Entry<String, Map<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult>> entry5 : policyACLSummary.getRolesAccessInfo().entrySet()) {
            String key3 = entry5.getKey();
            for (Map.Entry<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> entry6 : entry5.getValue().entrySet()) {
                if (z) {
                    valueOf = RangerPolicyEvaluator.ACCESS_CONDITIONAL;
                } else {
                    valueOf = Integer.valueOf(entry6.getValue().getResult());
                    if (valueOf.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
                        valueOf = RangerPolicyEvaluator.ACCESS_DENIED;
                    }
                }
                rangerResourceACLs.setRoleAccessInfo(key3, entry6.getKey(), valueOf, rangerPolicyEvaluator.getPolicy());
            }
        }
    }

    private void updateRowFiltersFromPolicy(RangerPolicyEvaluator rangerPolicyEvaluator, Set<Long> set, RangerResourceACLs rangerResourceACLs) {
        RangerPolicyEvaluator.PolicyACLSummary policyACLSummary = rangerPolicyEvaluator.getPolicyACLSummary();
        if (policyACLSummary != null) {
            boolean z = set.contains(Long.valueOf(rangerPolicyEvaluator.getId())) || rangerPolicyEvaluator.getValidityScheduleEvaluatorsCount() != 0;
            Iterator<RangerResourceACLs.RowFilterResult> it = policyACLSummary.getRowFilters().iterator();
            while (it.hasNext()) {
                RangerResourceACLs.RowFilterResult copyRowFilter = copyRowFilter(it.next());
                if (z) {
                    copyRowFilter.setIsConditional(true);
                }
                rangerResourceACLs.getRowFilters().add(copyRowFilter);
            }
        }
    }

    private void updateDataMasksFromPolicy(RangerPolicyEvaluator rangerPolicyEvaluator, Set<Long> set, RangerResourceACLs rangerResourceACLs) {
        RangerPolicyEvaluator.PolicyACLSummary policyACLSummary = rangerPolicyEvaluator.getPolicyACLSummary();
        if (policyACLSummary != null) {
            boolean z = set.contains(Long.valueOf(rangerPolicyEvaluator.getId())) || rangerPolicyEvaluator.getValidityScheduleEvaluatorsCount() != 0;
            Iterator<RangerResourceACLs.DataMaskResult> it = policyACLSummary.getDataMasks().iterator();
            while (it.hasNext()) {
                RangerResourceACLs.DataMaskResult copyDataMask = copyDataMask(it.next());
                if (z) {
                    copyDataMask.setIsConditional(true);
                }
                rangerResourceACLs.getDataMasks().add(copyDataMask);
            }
        }
    }

    private RangerResourceACLs.DataMaskResult copyDataMask(RangerResourceACLs.DataMaskResult dataMaskResult) {
        RangerResourceACLs.DataMaskResult dataMaskResult2 = new RangerResourceACLs.DataMaskResult(copyStrings(dataMaskResult.getUsers()), copyStrings(dataMaskResult.getGroups()), copyStrings(dataMaskResult.getRoles()), copyStrings(dataMaskResult.getAccessTypes()), new RangerPolicy.RangerPolicyItemDataMaskInfo(dataMaskResult.getMaskInfo()));
        dataMaskResult2.setIsConditional(dataMaskResult.getIsConditional());
        return dataMaskResult2;
    }

    private RangerResourceACLs.RowFilterResult copyRowFilter(RangerResourceACLs.RowFilterResult rowFilterResult) {
        RangerResourceACLs.RowFilterResult rowFilterResult2 = new RangerResourceACLs.RowFilterResult(copyStrings(rowFilterResult.getUsers()), copyStrings(rowFilterResult.getGroups()), copyStrings(rowFilterResult.getRoles()), copyStrings(rowFilterResult.getAccessTypes()), new RangerPolicy.RangerPolicyItemRowFilterInfo(rowFilterResult.getFilterInfo()));
        rowFilterResult2.setIsConditional(rowFilterResult.getIsConditional());
        return rowFilterResult2;
    }

    private Set<String> copyStrings(Set<String> set) {
        if (set != null) {
            return new HashSet(set);
        }
        return null;
    }
}
