package org.apache.ranger.plugin.policyevaluator;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;

/* loaded from: input_file:WEB-INF/lib/ranger-plugins-common-2.0.0.jar:org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.class */
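/**
 * Policy evaluator that flattens a policy's items into lookup sets at {@link #init} time and uses
 * them as a cheap pre-check in front of {@link RangerDefaultPolicyEvaluator}.
 *
 * <p>The users, groups, roles and allowed access types are collected as a union over every item
 * kind of the policy (allow, deny, allow-exception, deny-exception, data-mask and row-filter items).
 * A positive pre-check therefore only says that some item might apply to the caller; in
 * {@link #isAccessAllowed} the decision itself is still made by the superclass.
 *
 * <p>Security note: a negative pre-check short-circuits the full evaluation. Since deny items feed
 * the same sets, the pre-check must over-approximate: it must never return {@code false} for a
 * request that an item of the policy could match. How the superclass consumes
 * {@link #hasMatchablePolicyItem(RangerAccessRequest)} is not visible in this file.
 *
 * <p>Matching caveat: the macro users and the {@code public} group are recognised
 * case-insensitively in {@link #init}, while ordinary user, group, role and access-type lookups
 * use {@link Set#contains}, which is case-sensitive.
 */
public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator {
    private static final Log LOG = LogFactory.getLog(RangerOptimizedPolicyEvaluator.class);
    // Union of the principals and allowed access types named by any item of the policy.
    // They are only ever added to, so calling init() twice on one instance accumulates entries.
    private Set<String> roles = new HashSet<>();
    private Set<String> groups = new HashSet<>();
    private Set<String> users = new HashSet<>();
    private Set<String> accessPerms = new HashSet<>();
    // True when at least one item of the policy has delegateAdmin set.
    private boolean delegateAdmin;
    // True when accessPerms covers every access type of the service definition, or the policy is deny-all-else.
    private boolean hasAllPerms;
    // True when some item names the "public" group, or the policy is deny-all-else.
    private boolean hasPublicGroup;
    // True when some item names the RangerPolicyEngine.USER_CURRENT macro user.
    private boolean hasCurrentUser;
    // True when some item names the RangerPolicyEngine.RESOURCE_OWNER macro user.
    private boolean hasResourceOwner;
    private static final String RANGER_POLICY_EVAL_MATCH_ANY_PATTERN_STRING = "*";
    private static final String RANGER_POLICY_EVAL_MATCH_ONE_CHARACTER_STRING = "?";
    private static final int RANGER_POLICY_EVAL_SCORE_DEFAULT = 10000;
    private static final int RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_RESOURCE = 100;
    private static final int RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_USERSGROUPS = 25;
    private static final int RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_ACCESS_TYPES = 25;
    private static final int RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_CUSTOM_CONDITIONS = 25;
    private static final int RANGER_POLICY_EVAL_SCORE_RESOURCE_DISCOUNT_MATCH_ANY_WILDCARD = 25;
    private static final int RANGER_POLICY_EVAL_SCORE_RESOURCE_DISCOUNT_HAS_MATCH_ANY_WILDCARD = 10;
    private static final int RANGER_POLICY_EVAL_SCORE_RESOURCE_DISCOUNT_HAS_MATCH_ONE_CHARACTER_WILDCARD = 5;
    private static final int RANGER_POLICY_EVAL_SCORE_RESOURCE_DISCOUNT_IS_EXCLUDES = 5;
    private static final int RANGER_POLICY_EVAL_SCORE_RESORUCE_DISCOUNT_IS_RECURSIVE = 5;
    private static final int RANGER_POLICY_EVAL_SCORE_CUSTOM_CONDITION_PENALTY = 5;
    private static final int RANGER_POLICY_EVAL_SCORE_DYNAMIC_RESOURCE_EVAL_PENALTY = 20;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/ranger-plugins-common-2.0.0.jar:org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator$LevelResourceNames.class */
    /**
     * Pairs a policy resource with the level of its resource definition so that the resources of a
     * policy can be sorted by level. Ordering, equality and hash code look at {@code level} only.
     */
    public static class LevelResourceNames implements Comparable<LevelResourceNames> {
        final int level;
        final RangerPolicy.RangerPolicyResource policyResource;

        public LevelResourceNames(int i, RangerPolicy.RangerPolicyResource rangerPolicyResource) {
            this.level = i;
            this.policyResource = rangerPolicyResource;
        }

        @Override // java.lang.Comparable
        public int compareTo(LevelResourceNames levelResourceNames) {
            return Integer.compare(this.level, levelResourceNames.level);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            // instanceof is false for null, so no separate null check is needed.
            return obj instanceof LevelResourceNames && compareTo((LevelResourceNames) obj) == 0;
        }

        @Override
        public int hashCode() {
            // Consistent with equals(): derived from level alone.
            return Integer.hashCode(this.level);
        }
    }

    /**
     * Initialises the superclass, collects the principals and access types of every policy item,
     * derives the shortcut flags and sets the evaluation order.
     *
     * @param policy the policy this evaluator is built for
     * @param serviceDef the service definition the policy belongs to
     * @param options engine options, passed through to the superclass
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator, org.apache.ranger.plugin.policyevaluator.RangerAbstractPolicyEvaluator, org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerOptimizedPolicyEvaluator.init()");
        }
        super.init(policy, serviceDef, options);
        // Every item kind feeds the same sets: the pre-check has to cover deny and exception
        // items as well as allow items.
        preprocessPolicyItems(policy.getPolicyItems());
        preprocessPolicyItems(policy.getDenyPolicyItems());
        preprocessPolicyItems(policy.getAllowExceptions());
        preprocessPolicyItems(policy.getDenyExceptions());
        preprocessPolicyItems(policy.getDataMaskPolicyItems());
        preprocessPolicyItems(policy.getRowFilterPolicyItems());
        this.hasAllPerms = checkIfHasAllPerms();
        for (String user : this.users) {
            if (!this.hasCurrentUser && RangerPolicyEngine.USER_CURRENT.equalsIgnoreCase(user)) {
                this.hasCurrentUser = true;
            }
            if (!this.hasResourceOwner && RangerPolicyEngine.RESOURCE_OWNER.equalsIgnoreCase(user)) {
                this.hasResourceOwner = true;
            }
            if (this.hasCurrentUser && this.hasResourceOwner) {
                break;
            }
        }
        if (policy.getIsDenyAllElse().booleanValue()) {
            // A deny-all-else policy is treated as naming the public group, which makes the
            // principal part of the pre-check pass for every caller.
            this.hasPublicGroup = true;
        } else {
            for (String group : this.groups) {
                if ("public".equalsIgnoreCase(group)) {
                    this.hasPublicGroup = true;
                    break;
                }
            }
        }
        setEvalOrder(computeEvalOrder());
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerOptimizedPolicyEvaluator.init()");
        }
    }

    /**
     * Computes the evaluation-order score of the policy.
     *
     * <p>The score starts at the default, is raised when the policy needs dynamic evaluation, and
     * is lowered by discounts for wildcard, excludes and recursive resources, for the number of
     * principals, for the share of access types covered and for having few custom conditions.
     * How the engine orders evaluators by this score is not visible in this file.
     *
     * @return the computed score
     */
    public int computeEvalOrder() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerOptimizedPolicyEvaluator.computeEvalOrder()");
        }
        // The decompiled listing referenced an undeclared register name where the service
        // definition is needed for the access-type discount; it is held in a local here.
        RangerServiceDef serviceDef = getServiceDef();
        List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
        RangerPolicy policy = getPolicy();
        List<LevelResourceNames> levelResources = new ArrayList<>();
        for (Map.Entry<String, RangerPolicy.RangerPolicyResource> entry : policy.getResources().entrySet()) {
            String resourceName = entry.getKey();
            RangerPolicy.RangerPolicyResource policyResource = entry.getValue();
            if (CollectionUtils.isNotEmpty(policyResource.getValues())) {
                // A bounded for-each: the decompiled while(true) form never terminated when no
                // resource definition carried the policy resource's name.
                for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
                    if (resourceName.equals(resourceDef.getName())) {
                        levelResources.add(new LevelResourceNames(resourceDef.getLevel().intValue(), policyResource));
                        break;
                    }
                }
            }
        }
        Collections.sort(levelResources);

        int resourceDiscount = 0;
        for (LevelResourceNames levelResource : levelResources) {
            boolean hasMatchAnyWildcard = false;
            boolean hasMatchOneCharWildcard = false;
            boolean matchesAnything = false;
            for (String value : levelResource.policyResource.getValues()) {
                if (value.isEmpty() || RANGER_POLICY_EVAL_MATCH_ANY_PATTERN_STRING.equals(value)) {
                    matchesAnything = true;
                    break;
                }
                if (value.contains(RANGER_POLICY_EVAL_MATCH_ANY_PATTERN_STRING)) {
                    hasMatchAnyWildcard = true;
                } else if (value.contains(RANGER_POLICY_EVAL_MATCH_ONE_CHARACTER_STRING)) {
                    hasMatchOneCharWildcard = true;
                }
            }
            if (matchesAnything) {
                resourceDiscount += RANGER_POLICY_EVAL_SCORE_RESOURCE_DISCOUNT_MATCH_ANY_WILDCARD;
                continue;
            }
            if (hasMatchAnyWildcard) {
                resourceDiscount += RANGER_POLICY_EVAL_SCORE_RESOURCE_DISCOUNT_HAS_MATCH_ANY_WILDCARD;
            } else if (hasMatchOneCharWildcard) {
                resourceDiscount += RANGER_POLICY_EVAL_SCORE_RESOURCE_DISCOUNT_HAS_MATCH_ONE_CHARACTER_WILDCARD;
            }
            RangerPolicy.RangerPolicyResource policyResource = levelResource.policyResource;
            if (policyResource.getIsExcludes().booleanValue()) {
                resourceDiscount += RANGER_POLICY_EVAL_SCORE_RESOURCE_DISCOUNT_IS_EXCLUDES;
            }
            if (policyResource.getIsRecursive().booleanValue()) {
                resourceDiscount += RANGER_POLICY_EVAL_SCORE_RESORUCE_DISCOUNT_IS_RECURSIVE;
            }
        }

        int priorityLevel = RANGER_POLICY_EVAL_SCORE_DEFAULT;
        if (needsDynamicEval()) {
            priorityLevel += RANGER_POLICY_EVAL_SCORE_DYNAMIC_RESOURCE_EVAL_PENALTY;
        }
        priorityLevel -= Math.min(RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_RESOURCE, resourceDiscount);

        if (this.hasPublicGroup || this.hasCurrentUser) {
            priorityLevel -= RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_USERSGROUPS;
        } else {
            priorityLevel -= Math.min(this.groups.size() + this.users.size(), RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_USERSGROUPS);
        }

        // Guard the ratio: with no access types defined the float division would yield
        // Infinity (rounded to Integer.MAX_VALUE) and swamp the score.
        int accessTypeCount = serviceDef.getAccessTypes().size();
        if (accessTypeCount > 0) {
            priorityLevel -= Math.round(((float) RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_ACCESS_TYPES * this.accessPerms.size()) / accessTypeCount);
        }

        int customConditionsDiscount = RANGER_POLICY_EVAL_SCORE_MAX_DISCOUNT_CUSTOM_CONDITIONS
                - (RANGER_POLICY_EVAL_SCORE_CUSTOM_CONDITION_PENALTY * getCustomConditionsCount());
        if (customConditionsDiscount > 0) {
            priorityLevel -= customConditionsDiscount;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerOptimizedPolicyEvaluator.computeEvalOrder(), policyName:" + policy.getName() + ", priority:" + priorityLevel);
        }
        return priorityLevel;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Runs the pre-check and, only when it passes, the superclass decision.
     *
     * <p>At debug level the user name, groups, roles and access type are written to the log, so
     * debug logs of this class contain identity data.
     *
     * @param user the user name to check
     * @param userGroups the groups of the user
     * @param userRoles the roles of the user
     * @param accessType the requested access type
     * @return {@code true} only when both the pre-check and the superclass allow the access
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator
    public boolean isAccessAllowed(String user, Set<String> userGroups, Set<String> userRoles, String accessType) {
        if (LOG.isDebugEnabled()) {
            // The closing ")" is written as a literal; the decompiler had substituted an
            // unrelated commons-configuration2 constant that holds the same string.
            LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + userRoles + ", " + accessType + ")");
        }
        boolean allowed = hasMatchablePolicyItem(user, userGroups, userRoles, accessType) && super.isAccessAllowed(user, userGroups, userRoles, accessType);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + userRoles + ", " + accessType + "): " + allowed);
        }
        return allowed;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Pre-check for a full access request: tells whether any item of the policy could apply to
     * the request's principal and access type.
     *
     * @param request the access request
     * @return {@code false} when no item can apply; {@code true} means a full evaluation is needed
     */
    @Override // org.apache.ranger.plugin.policyevaluator.RangerAbstractPolicyEvaluator
    public boolean hasMatchablePolicyItem(RangerAccessRequest request) {
        // NOTE(review): containsAny is handed request.getUserGroups() as-is; confirm the request
        // implementation never returns null here.
        boolean principalMayMatch = this.hasPublicGroup
                || this.hasCurrentUser
                || isOwnerMatch(request)
                || this.users.contains(request.getUser())
                || CollectionUtils.containsAny(this.groups, request.getUserGroups())
                || (CollectionUtils.isNotEmpty(this.roles)
                        && CollectionUtils.containsAny(this.roles, RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext())));
        if (!principalMayMatch) {
            return false;
        }
        if (request.isAccessTypeDelegatedAdmin()) {
            return this.delegateAdmin;
        }
        return this.hasAllPerms || request.isAccessTypeAny() || this.accessPerms.contains(request.getAccessType());
    }

    /**
     * Tells whether the policy names the resource-owner macro and the requesting user is the
     * owner of the requested resource. A missing resource, owner or user never matches.
     */
    private boolean isOwnerMatch(RangerAccessRequest request) {
        if (!this.hasResourceOwner) {
            return false;
        }
        RangerAccessResource resource = request.getResource();
        String ownerUser = resource != null ? resource.getOwnerUser() : null;
        String user = request.getUser();
        return user != null && ownerUser != null && user.equals(ownerUser);
    }

    /**
     * Pre-check for the resource-less variant of the access check.
     *
     * <p>There is no resource here, so the resource-owner macro is not consulted: a policy whose
     * only principal is that macro does not pass this pre-check.
     */
    private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, Set<String> userRoles, String accessType) {
        boolean roleMayMatch = CollectionUtils.isNotEmpty(this.roles)
                && CollectionUtils.isNotEmpty(userRoles)
                && CollectionUtils.containsAny(this.roles, userRoles);
        boolean principalMayMatch = this.hasPublicGroup
                || this.hasCurrentUser
                || this.users.contains(user)
                || CollectionUtils.containsAny(this.groups, userGroups)
                || roleMayMatch;
        if (!principalMayMatch) {
            return false;
        }
        if (StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS)) {
            return this.delegateAdmin;
        }
        if (this.hasAllPerms) {
            return true;
        }
        // An empty access type is treated like the "any access" request.
        return StringUtils.isEmpty(accessType)
                || StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS)
                || this.accessPerms.contains(accessType);
    }

    /**
     * Adds the principals, the allowed access types and the delegate-admin flag of the given
     * items to the evaluator's sets. A null or empty list is ignored.
     */
    private void preprocessPolicyItems(List<? extends RangerPolicy.RangerPolicyItem> policyItems) {
        if (CollectionUtils.isEmpty(policyItems)) {
            return;
        }
        for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
            if (!this.delegateAdmin && policyItem.getDelegateAdmin().booleanValue()) {
                this.delegateAdmin = true;
            }
            for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
                if (access.getIsAllowed().booleanValue()) {
                    this.accessPerms.add(access.getType());
                }
            }
            // NOTE(review): assumes the model getters never return null collections; confirm
            // against RangerPolicy.
            this.roles.addAll(policyItem.getRoles());
            this.groups.addAll(policyItem.getGroups());
            this.users.addAll(policyItem.getUsers());
        }
    }

    /**
     * Tells whether the pre-check may skip the access-type test: either the policy is
     * deny-all-else, or the collected access types cover every access type of the service
     * definition.
     */
    private boolean checkIfHasAllPerms() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerOptimizedPolicyEvaluator.checkIfHasAllPerms()");
        }
        boolean result = true;
        // For a deny-all-else policy the result stays true; init() stores it in hasAllPerms.
        if (!getPolicy().getIsDenyAllElse().booleanValue()) {
            for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : getServiceDef().getAccessTypes()) {
                if (!this.accessPerms.contains(accessTypeDef.getName())) {
                    result = false;
                    break;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            // Exit marker: the listing logged the entry arrow "==>" here.
            LOG.debug("<== RangerOptimizedPolicyEvaluator.checkIfHasAllPerms(), " + result);
        }
        return result;
    }
}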
