package org.apache.ranger.rest;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import org.apache.commons.codec.binary.StringUtils;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.RoleDBStore;
import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.biz.XUserMgr;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.service.RangerRoleService;
import org.apache.ranger.service.XUserService;
import org.apache.ranger.view.RangerRoleList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

@Path("roles")
@Scope("request")
@Transactional(propagation = Propagation.REQUIRES_NEW)
@Component
/* loaded from: input_file:WEB-INF/classes/org/apache/ranger/rest/RoleREST.class */
public class RoleREST {
    private static final Log LOG = LogFactory.getLog(RoleREST.class);
    private static List<String> INVALID_USERS = new ArrayList();

    @Autowired
    RESTErrorUtil restErrorUtil;

    @Autowired
    RoleDBStore roleStore;

    @Autowired
    RangerRoleService roleService;

    @Autowired
    XUserService xUserService;

    @Autowired
    ServiceDBStore svcStore;

    @Autowired
    RangerSearchUtil searchUtil;

    @Autowired
    RangerValidatorFactory validatorFactory;

    @Autowired
    RangerBizUtil bizUtil;

    @Autowired
    XUserMgr userMgr;

    /**
     * Creates a role once the effective caller has passed the Ranger-admin check.
     *
     * <p>The admin check receives the {@code serviceName} query parameter and the
     * {@code createdByUser} value read from the submitted role, so the "acting user" is
     * client-supplied. A role whose user list contains a name from {@code INVALID_USERS} is
     * rejected.
     *
     * <p>NOTE(review): any failure other than {@link WebApplicationException} is sent back to the
     * client with the raw {@code Throwable} message; confirm those messages never expose
     * internal detail.
     *
     * @param str value of the {@code serviceName} query parameter, forwarded to the admin check
     * @param rangerRole role definition from the request body
     * @return the role as returned by the role store
     */
    @POST
    @Path("/roles")
    public RangerRole createRole(@QueryParam("serviceName") String str, RangerRole rangerRole) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> createRole(" + rangerRole + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerRole created;
        try {
            // Authorization first: nothing is written unless the effective user is an admin.
            ensureAdminAccess(str, rangerRole.getCreatedByUser());
            boolean hasInvalidMember = containsInvalidMember(rangerRole.getUsers());
            if (hasInvalidMember) {
                throw new Exception("Invalid role user(s)");
            }
            created = this.roleStore.createRole(rangerRole);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== createRole(" + rangerRole + "):" + created);
            }
        } catch (WebApplicationException restFailure) {
            // Already a REST-level error: pass it through untouched.
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("createRole(" + rangerRole + ") failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return created;
    }

    /**
     * Updates the role identified by the path id.
     *
     * <p>The id in the request body, when present, must equal the path id; the path id is then
     * written into the body object. The update proceeds only if the session user passes
     * {@code ensureAdminAccess(null, null)} and no user in the role matches
     * {@code INVALID_USERS}.
     *
     * @param l role id from the URL path
     * @param rangerRole new role definition from the request body
     * @return the role as returned by the role store
     */
    @Path("/roles/{id}")
    @PUT
    public RangerRole updateRole(@PathParam("id") Long l, RangerRole rangerRole) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> updateRole(id=" + l + ", " + rangerRole + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        // A body id is optional, but if given it must agree with the path id.
        if (!(rangerRole.getId() == null || l.equals(rangerRole.getId()))) {
            throw this.restErrorUtil.createRESTException("roleId mismatch!!");
        }
        rangerRole.setId(l);
        RangerRole updated;
        try {
            ensureAdminAccess(null, null);
            boolean hasInvalidMember = containsInvalidMember(rangerRole.getUsers());
            if (hasInvalidMember) {
                throw new Exception("Invalid role user(s)");
            }
            updated = this.roleStore.updateRole(rangerRole);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== updateRole(id=" + l + ", " + rangerRole + "):" + updated);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("updateRole(" + rangerRole + ") failed", failure);
            // The Throwable's message is what the client sees.
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return updated;
    }

    /**
     * Deletes a role by name after the admin check has passed.
     *
     * <p>Both {@code serviceName} and {@code execUser} come from the query string and are handed
     * to {@code ensureAdminAccess}, which decides whether the session user may act as
     * {@code execUser}.
     *
     * @param str value of the {@code serviceName} query parameter
     * @param str2 value of the {@code execUser} query parameter (client-supplied)
     * @param str3 name of the role to delete, from the URL path
     */
    @Path("/roles/name/{name}")
    @DELETE
    public void deleteRole(@QueryParam("serviceName") String str, @QueryParam("execUser") String str2, @PathParam("name") String str3) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> deleteRole(user=" + str2 + " name=" + str3 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        try {
            // Authorization precedes the destructive call.
            ensureAdminAccess(str, str2);
            this.roleStore.deleteRole(str3);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== deleteRole(name=" + str3 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("deleteRole(" + str3 + ") failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
    }

    /**
     * Deletes a role by id; the session user must pass {@code ensureAdminAccess(null, null)}.
     *
     * @param l id of the role to delete, from the URL path
     */
    @Path("/roles/{id}")
    @DELETE
    public void deleteRole(@PathParam("id") Long l) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> deleteRole(id=" + l + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        try {
            // No service name or acting user here: the check runs against the session login only.
            ensureAdminAccess(null, null);
            this.roleStore.deleteRole(l);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== deleteRole(id=" + l + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("deleteRole(" + l + ") failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
    }

    /**
     * Returns a role by name if {@code getRoleIfAccessible} grants access to it.
     *
     * <p>The group set used for the access decision is looked up for {@code execUser}, a
     * client-supplied query parameter, before any access check runs.
     *
     * @param str value of the {@code serviceName} query parameter
     * @param str2 value of the {@code execUser} query parameter
     * @param str3 role name from the URL path
     * @return the role; a REST exception is thrown instead when access is denied
     */
    @GET
    @Path("/roles/name/{name}")
    public RangerRole getRole(@QueryParam("serviceName") String str, @QueryParam("execUser") String str2, @PathParam("name") String str3) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getRole(name=" + str3 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        try {
            Set<String> execUserGroups = this.userMgr.getGroupsForUser(str2);
            RangerRole accessibleRole = getRoleIfAccessible(str3, str, str2, execUserGroups);
            if (accessibleRole != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("<== getRole(name=" + str3 + "):" + accessibleRole);
                }
                return accessibleRole;
            }
            // A null result covers both "denied" and "lookup failed"; the caller sees one message.
            throw this.restErrorUtil.createRESTException("User doesn't have permissions to get details for " + str3);
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("getRole(" + str3 + ") failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
    }

    /**
     * Returns the role with the given id straight from the role store.
     *
     * <p>NOTE(review): unlike the other endpoints in this class, this method calls neither
     * {@code ensureAdminAccess} nor {@code getRoleIfAccessible}. Whether authorization is
     * enforced elsewhere (filter, store) is not visible here; confirm before exposing it.
     *
     * @param l role id from the URL path
     * @return the role as returned by the role store
     */
    @GET
    @Path("/roles/{id}")
    public RangerRole getRole(@PathParam("id") Long l) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getRole(id=" + l + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerRole found;
        try {
            found = this.roleStore.getRole(l);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== getRole(id=" + l + "):" + found);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("getRole(" + l + ") failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return found;
    }

    /**
     * Lists roles matching the search filter built from the request; admin-only.
     *
     * <p>The filter is built before the admin check runs. Total count and result size are both
     * set to the size of the list the store returned.
     *
     * @param httpServletRequest request whose parameters are turned into the search filter
     * @return list wrapper holding the roles and the sort settings taken from the filter
     */
    @GET
    @Path("/roles")
    public RangerRoleList getAllRoles(@Context HttpServletRequest httpServletRequest) {
        RangerRoleList result = new RangerRoleList();
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getAllRoles()");
        }
        SearchFilter filter = this.searchUtil.getSearchFilter(httpServletRequest, this.roleService.sortFields);
        try {
            ensureAdminAccess(null, null);
            List<RangerRole> matched = this.roleStore.getRoles(filter);
            result.setRoleList(matched);
            if (matched != null) {
                int count = matched.size();
                result.setTotalCount(count);
                result.setSortBy(filter.getSortBy());
                result.setSortType(filter.getSortType());
                result.setResultSize(count);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== getAllRoles():" + result);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("getRoles() failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return result;
    }

    /**
     * Lists role names matching the search filter, subject to the admin check.
     *
     * @param str value of the {@code serviceName} query parameter
     * @param str2 value of the {@code execUser} query parameter (client-supplied acting user)
     * @param httpServletRequest request whose parameters are turned into the search filter
     * @return role names as returned by the role store
     */
    @GET
    @Path("/roles/names")
    public List<String> getAllRoleNames(@QueryParam("serviceName") String str, @QueryParam("execUser") String str2, @Context HttpServletRequest httpServletRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getAllRoleNames()");
        }
        SearchFilter filter = this.searchUtil.getSearchFilter(httpServletRequest, this.roleService.sortFields);
        List<String> names;
        try {
            // ensureAdminAccess decides whether the session user may act as execUser.
            ensureAdminAccess(str, str2);
            names = this.roleStore.getRoleNames(filter);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== getAllRoleNames():" + names);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("getAllRoleNames() failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return names;
    }

    /**
     * Rebuilds the user and group membership of a role from the supplied names; admin-only.
     *
     * <p>NOTE(review): none of the parameters carries a JAX-RS binding annotation, so how the
     * framework populates them for this PUT endpoint is not visible here — confirm.
     *
     * <p>NOTE(review): the new user set keeps an existing member only when it is named in
     * {@code list} and {@code bool} is TRUE, and the new group set keeps an existing group only
     * when its admin flag equals {@code bool}. Existing members outside those conditions are not
     * copied over, so this looks like it can drop members; confirm this is intended.
     *
     * @param l id of the role to modify
     * @param list user names to add
     * @param list2 group names to add
     * @param bool admin flag applied to the added members; a null value fails with a
     *     NullPointerException at the first {@code booleanValue()} call, which the handler
     *     below turns into a REST error
     * @return the role as returned by the role store after the update
     */
    @Path("/roles/{id}/addUsersAndGroups")
    @PUT
    public RangerRole addUsersAndGroups(Long l, List<String> list, List<String> list2, Boolean bool) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> addUsersAndGroups(id=" + l + ", users=" + Arrays.toString(list.toArray()) + ", groups=" + Arrays.toString(list2.toArray()) + ", isAdmin=" + bool + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        try {
            // Session user must be a Ranger admin before the role is even loaded.
            ensureAdminAccess(null, null);
            if (containsInvalidUser(list)) {
                throw new Exception("Invalid role user(s)");
            }
            RangerRole role = getRole(l);
            HashSet hashSet = new HashSet();
            HashSet hashSet2 = new HashSet();
            for (RangerRole.RoleMember roleMember : role.getUsers()) {
                // Reference comparison: true only for the canonical Boolean.TRUE instance.
                if (list.contains(roleMember.getName()) && bool == Boolean.TRUE) {
                    roleMember.setIsAdmin(bool.booleanValue());
                    hashSet.add(roleMember);
                }
            }
            Set<String> userNames = getUserNames(role);
            for (String str : list) {
                // Only names not already present on the role are added as new members.
                if (!userNames.contains(str)) {
                    hashSet.add(new RangerRole.RoleMember(str, bool.booleanValue()));
                }
            }
            for (RangerRole.RoleMember roleMember2 : role.getGroups()) {
                if (roleMember2.getIsAdmin() == bool.booleanValue()) {
                    hashSet2.add(roleMember2);
                }
            }
            Iterator<String> it = list2.iterator();
            while (it.hasNext()) {
                hashSet2.add(new RangerRole.RoleMember(it.next(), bool.booleanValue()));
            }
            // The rebuilt sets replace the role's membership lists wholesale.
            role.setUsers(new ArrayList(hashSet));
            role.setGroups(new ArrayList(hashSet2));
            RangerRole updateRole = this.roleStore.updateRole(role);
            if (LOG.isDebugEnabled()) {
                // Exit trace reuses the "==>" entry prefix.
                LOG.debug("==> addUsersAndGroups(id=" + l + ", users=" + Arrays.toString(list.toArray()) + ", groups=" + Arrays.toString(list2.toArray()) + ", isAdmin=" + bool + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
            return updateRole;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("addUsersAndGroups() failed", th);
            // The Throwable's message is returned to the client as the REST error text.
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Removes the named users and groups from a role; admin-only.
     *
     * <p>For each supplied name, at most the first member with that name is removed.
     *
     * <p>NOTE(review): the parameters carry no JAX-RS binding annotations; how they are
     * populated for this PUT endpoint is not visible here — confirm.
     *
     * @param l id of the role to modify
     * @param list user names to remove
     * @param list2 group names to remove
     * @return the role as returned by the role store after the update
     */
    @Path("/roles/{id}/removeUsersAndGroups")
    @PUT
    public RangerRole removeUsersAndGroups(Long l, List<String> list, List<String> list2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> removeUsersAndGroups(id=" + l + ", users=" + Arrays.toString(list.toArray()) + ", groups=" + Arrays.toString(list2.toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerRole updated;
        try {
            ensureAdminAccess(null, null);
            RangerRole role = getRole(l);
            for (String userName : list) {
                // Iterator.remove keeps the removal safe while walking the live member list.
                for (Iterator<RangerRole.RoleMember> members = role.getUsers().iterator(); members.hasNext(); ) {
                    if (StringUtils.equals(members.next().getName(), userName)) {
                        members.remove();
                        break;
                    }
                }
            }
            for (String groupName : list2) {
                for (Iterator<RangerRole.RoleMember> members = role.getGroups().iterator(); members.hasNext(); ) {
                    if (StringUtils.equals(members.next().getName(), groupName)) {
                        members.remove();
                        break;
                    }
                }
            }
            updated = this.roleStore.updateRole(role);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== removeUsersAndGroups(id=" + l + ", users=" + Arrays.toString(list.toArray()) + ", groups=" + Arrays.toString(list2.toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("removeUsersAndGroups() failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return updated;
    }

    /**
     * Clears the admin flag on the named users and groups of a role; admin-only.
     *
     * <p>Members stay in the role; only their admin flag is set to false.
     *
     * <p>NOTE(review): the parameters carry no JAX-RS binding annotations; how they are
     * populated for this PUT endpoint is not visible here — confirm.
     *
     * @param l id of the role to modify
     * @param list user names whose admin flag is cleared
     * @param list2 group names whose admin flag is cleared
     * @return the role as returned by the role store after the update
     */
    @Path("/roles/{id}/removeAdminFromUsersAndGroups")
    @PUT
    public RangerRole removeAdminFromUsersAndGroups(Long l, List<String> list, List<String> list2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> removeAdminFromUsersAndGroups(id=" + l + ", users=" + Arrays.toString(list.toArray()) + ", groups=" + Arrays.toString(list2.toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerRole updated;
        try {
            ensureAdminAccess(null, null);
            RangerRole role = getRole(l);
            for (String userName : list) {
                for (RangerRole.RoleMember member : role.getUsers()) {
                    // Skip members with a different name or without the admin flag.
                    if (!StringUtils.equals(member.getName(), userName) || !member.getIsAdmin()) {
                        continue;
                    }
                    member.setIsAdmin(false);
                }
            }
            for (String groupName : list2) {
                for (RangerRole.RoleMember member : role.getGroups()) {
                    if (!StringUtils.equals(member.getName(), groupName) || !member.getIsAdmin()) {
                        continue;
                    }
                    member.setIsAdmin(false);
                }
            }
            updated = this.roleStore.updateRole(role);
            if (LOG.isDebugEnabled()) {
                // Exit trace reuses the "==>" entry prefix.
                LOG.debug("==> removeAdminFromUsersAndGroups(id=" + l + ", users=" + Arrays.toString(list.toArray()) + ", groups=" + Arrays.toString(list2.toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("removeAdminFromUsersAndGroups() failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return updated;
    }

    /**
     * Grants the target roles in the request to the listed users, groups and roles.
     *
     * <p>Each target role is resolved through {@code getRoleIfAccessible} using the grantor named
     * in the request body.
     *
     * <p>NOTE(review): when the request carries a non-empty {@code grantorGroups} set, that
     * client-supplied set is used for the access decision instead of a server-side group lookup.
     * Confirm that only trusted callers can reach this path, or derive the groups server-side.
     *
     * @param str service name from the URL path
     * @param grantRevokeRoleRequest grant request from the body (grantor, targets, members)
     * @param httpServletRequest the servlet request; not read by this method
     * @return a response with status code 0 on success
     */
    @Path("/roles/grant/{serviceName}")
    @Consumes({"application/json", "application/xml"})
    @Produces({"application/json", "application/xml"})
    @PUT
    public RESTResponse grantRole(@PathParam("serviceName") String str, GrantRevokeRoleRequest grantRevokeRoleRequest, @Context HttpServletRequest httpServletRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RoleREST.grantRole(" + str + ", " + grantRevokeRoleRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RESTResponse response = new RESTResponse();
        try {
            validateUsersGroupsAndRoles(grantRevokeRoleRequest);
            String grantor = grantRevokeRoleRequest.getGrantor();
            for (String targetRoleName : grantRevokeRoleRequest.getTargetRoles()) {
                // Prefer the groups sent with the request; fall back to a lookup for the grantor.
                Set<String> grantorGroups;
                if (CollectionUtils.isNotEmpty(grantRevokeRoleRequest.getGrantorGroups())) {
                    grantorGroups = grantRevokeRoleRequest.getGrantorGroups();
                } else {
                    grantorGroups = this.userMgr.getGroupsForUser(grantor);
                }
                RangerRole targetRole = getRoleIfAccessible(targetRoleName, str, grantor, grantorGroups);
                if (targetRole == null) {
                    throw this.restErrorUtil.createRESTException("User doesn't have permissions to grant role " + targetRoleName);
                }
                addUsersGroupsAndRoles(targetRole, grantRevokeRoleRequest.getUsers(), grantRevokeRoleRequest.getGroups(), grantRevokeRoleRequest.getRoles(), grantRevokeRoleRequest.getGrantOption());
            }
            if (LOG.isDebugEnabled()) {
                // The "groups=" label is followed by the request's roles, not its groups.
                LOG.debug("==> grantRole(serviceName=" + str + ", users=" + Arrays.toString(grantRevokeRoleRequest.getUsers().toArray()) + ", groups=" + Arrays.toString(grantRevokeRoleRequest.getRoles().toArray()) + ", isAdmin=" + grantRevokeRoleRequest.getGrantOption() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
            response.setStatusCode(0);
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("grantRole() failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return response;
    }

    /**
     * Revokes membership, or only the admin flag, on the target roles in the request.
     *
     * <p>When the request's grant option is true only the admin flag is removed from the listed
     * members; otherwise the members themselves are removed. A null grant option fails with a
     * NullPointerException that the handler below converts into a REST error.
     *
     * <p>NOTE(review): when the request carries a non-empty {@code grantorGroups} set, that
     * client-supplied set is used for the access decision instead of a server-side group lookup.
     * Confirm that only trusted callers can reach this path, or derive the groups server-side.
     *
     * @param str service name from the URL path
     * @param grantRevokeRoleRequest revoke request from the body (grantor, targets, members)
     * @param httpServletRequest the servlet request; not read by this method
     * @return a response with status code 0 on success
     */
    @Path("/roles/revoke/{serviceName}")
    @Consumes({"application/json", "application/xml"})
    @Produces({"application/json", "application/xml"})
    @PUT
    public RESTResponse revokeRole(@PathParam("serviceName") String str, GrantRevokeRoleRequest grantRevokeRoleRequest, @Context HttpServletRequest httpServletRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RoleREST.revokeRole(" + str + ", " + grantRevokeRoleRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RESTResponse response = new RESTResponse();
        try {
            validateUsersGroupsAndRoles(grantRevokeRoleRequest);
            String grantor = grantRevokeRoleRequest.getGrantor();
            for (String targetRoleName : grantRevokeRoleRequest.getTargetRoles()) {
                // Prefer the groups sent with the request; fall back to a lookup for the grantor.
                Set<String> grantorGroups;
                if (CollectionUtils.isNotEmpty(grantRevokeRoleRequest.getGrantorGroups())) {
                    grantorGroups = grantRevokeRoleRequest.getGrantorGroups();
                } else {
                    grantorGroups = this.userMgr.getGroupsForUser(grantor);
                }
                RangerRole targetRole = getRoleIfAccessible(targetRoleName, str, grantor, grantorGroups);
                if (targetRole == null) {
                    throw this.restErrorUtil.createRESTException("User doesn't have permissions to revoke role " + targetRoleName);
                }
                if (!grantRevokeRoleRequest.getGrantOption().booleanValue()) {
                    removeUsersGroupsAndRoles(targetRole, grantRevokeRoleRequest.getUsers(), grantRevokeRoleRequest.getGroups(), grantRevokeRoleRequest.getRoles());
                } else {
                    removeAdminFromUsersGroupsAndRoles(targetRole, grantRevokeRoleRequest.getUsers(), grantRevokeRoleRequest.getGroups(), grantRevokeRoleRequest.getRoles());
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("==> revokeRole(serviceName=" + str + ", users=" + Arrays.toString(grantRevokeRoleRequest.getUsers().toArray()) + ", roles=" + Arrays.toString(grantRevokeRoleRequest.getRoles().toArray()) + ", isAdmin=" + grantRevokeRoleRequest.getGrantOption() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
            response.setStatusCode(0);
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("revokeRole() failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return response;
    }

    /**
     * Returns the names of the roles found for a user, plus the names gathered from each of
     * those roles by {@code getRoleMemberNames}.
     *
     * <p>NOTE(review): the user name comes from the URL path and no access check is made in this
     * method, so as written any caller reaching it can list another user's roles. Whether
     * authorization is enforced elsewhere is not visible here — confirm.
     *
     * @param str user name from the URL path
     * @param httpServletRequest the servlet request; not read by this method
     * @return de-duplicated role names, in no particular order
     */
    @GET
    @Produces({"application/json", "application/xml"})
    @Path("/roles/user/{user}")
    public List<String> getUserRoles(@PathParam("user") String str, @Context HttpServletRequest httpServletRequest) {
        HashSet<String> collected = new HashSet<String>();
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getUserRoles()");
        }
        try {
            for (RangerRole directRole : this.roleStore.getRoleNames(str, this.userMgr.getGroupsForUser(str))) {
                collected.add(directRole.getName());
                // Names gathered per role are merged into the overall result.
                HashSet<String> memberNames = new HashSet<String>();
                getRoleMemberNames(memberNames, directRole);
                collected.addAll(memberNames);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== getUserRoles():" + collected);
            }
        } catch (WebApplicationException restFailure) {
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("getUserRoles() failed", failure);
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
        return new ArrayList<String>(collected);
    }

    /**
     * Verifies that the effective user of the current request is a Ranger administrator.
     *
     * <p>The effective user is the session login when {@code str2} equals it. Otherwise the
     * session user must itself be a Ranger admin, or a service admin / service user of
     * {@code str}; the effective user then becomes {@code str2}, or the session login when
     * {@code str2} is null. In every case the effective user must pass
     * {@code userIsRangerAdmin}.
     *
     * @param str service name used for the service-admin / service-user check; callers in this
     *     class pass null when no service is involved
     * @param str2 user on whose behalf the call is made; callers in this class pass
     *     request-supplied values or null
     * @throws Exception if the session user may not act for {@code str2}, or the effective user
     *     is not a Ranger admin
     */
    private void ensureAdminAccess(String str, String str2) throws Exception {
        String str3;
        UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
        // Without a session the login id is null and the checks below run against null.
        String loginId = currentUserSession != null ? currentUserSession.getLoginId() : null;
        if (StringUtil.equals(str2, loginId)) {
            // Acting for oneself: no delegation check needed.
            str3 = loginId;
        } else {
            // Delegation: only a Ranger admin or the service's admin/service user may name
            // a different acting user.
            if (!userIsRangerAdmin(loginId) && !userIsSrvAdmOrSrvUser(str, loginId)) {
                throw new Exception("User does not have permission for this operation");
            }
            str3 = str2 != null ? str2 : loginId;
        }
        // Final gate: the effective user, not just the session user, must be an admin.
        if (!userIsRangerAdmin(str3)) {
            throw new Exception("User " + str3 + " does not have permission for this operation");
        }
    }

    /**
     * Loads a role by name and returns it only if the effective user may access it.
     *
     * <p>The effective user is resolved as in {@code ensureAdminAccess}: the session login when
     * {@code str3} equals it; otherwise {@code str3} (or the session login when {@code str3} is
     * null), provided the session user is a Ranger admin or a service admin / service user of
     * {@code str2}. A Ranger admin gets the role directly; any other effective user must pass
     * {@code ensureRoleAccess}.
     *
     * @param str name of the role to load
     * @param str2 service name used for the delegation check
     * @param str3 user on whose behalf the call is made; supplied by the caller
     * @param set groups used for the role-access check; supplied by the caller
     * @return the role, or null when access is denied or any exception occurs
     */
    private RangerRole getRoleIfAccessible(String str, String str2, String str3, Set<String> set) {
        String str4;
        RangerRole role;
        UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
        // Without a session the login id is null.
        String loginId = currentUserSession != null ? currentUserSession.getLoginId() : null;
        if (StringUtil.equals(str3, loginId)) {
            str4 = loginId;
        } else {
            // Delegation is limited to Ranger admins and the service's admin/service user.
            if (!userIsRangerAdmin(loginId) && !userIsSrvAdmOrSrvUser(str2, loginId)) {
                LOG.error("User does not have permission for this operation");
                return null;
            }
            str4 = str3 != null ? str3 : loginId;
        }
        try {
            if (userIsRangerAdmin(str4)) {
                role = this.roleStore.getRole(str);
            } else {
                role = this.roleStore.getRole(str);
                // Throws when the user has no admin rights on the role; the catch below turns
                // that into a null return.
                ensureRoleAccess(str4, set, role);
            }
            return role;
        } catch (Exception e) {
            // Denial and lookup failure are indistinguishable to the caller; only the message
            // is logged, not the stack trace.
            LOG.error(e.getMessage());
            return null;
        }
    }

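    /**
     * Reports whether the named user holds the {@code ROLE_ADMIN} or {@code ROLE_SYS_ADMIN} role.
     *
     * <p>The decompiler could not restructure this method and left a stub that always threw
     * {@link UnsupportedOperationException}, which would break every authorization check in
     * this class. The body below is rebuilt from the instruction listing the decompiler emitted
     * alongside the stub.
     *
     * <p>The check fails closed: an unknown user, or any exception during the lookup, yields
     * {@code false}.
     *
     * @param userName login name to look up
     * @return true only if the user exists and its role list contains one of the two admin roles
     */
    private boolean userIsRangerAdmin(String userName) {
        boolean isAdmin = false;
        try {
            org.apache.ranger.view.VXUser vxUser = this.xUserService.getXUserByUserName(userName);
            if (vxUser != null
                    && (vxUser.getUserRoleList().contains("ROLE_ADMIN")
                            || vxUser.getUserRoleList().contains("ROLE_SYS_ADMIN"))) {
                isAdmin = true;
            }
        } catch (Exception e) {
            // Lookup errors are logged and treated as "not an admin".
            LOG.error("User " + userName + " does not have permissions for this operation" + e.getMessage());
        }
        return isAdmin;
    }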

    /**
     * Reports whether a user is a service admin of the named service, or equals the service
     * user configured for that service's type.
     *
     * <p>The configured service user is read from the property
     * {@code ranger.plugins.<serviceType>.serviceuser}. The check fails closed: an empty service
     * name or any exception during the lookups yields {@code false}.
     *
     * @param str service name
     * @param str2 user name to test
     * @return true if the user is a service admin or the configured service user
     */
    private boolean userIsSrvAdmOrSrvUser(String str, String str2) {
        if (StringUtil.isEmpty(str)) {
            return false;
        }
        boolean allowed = false;
        try {
            allowed = this.svcStore.isServiceAdminUser(str, str2);
            if (!allowed) {
                RangerService service = this.svcStore.getServiceByName(str);
                if (service != null) {
                    String configuredServiceUser = PropertiesUtil.getProperty("ranger.plugins." + service.getType() + ".serviceuser");
                    allowed = StringUtil.equals(configuredServiceUser, str2);
                }
            }
        } catch (Exception lookupFailure) {
            // Only the message is logged; the result stays at its last assigned value.
            LOG.error(lookupFailure.getMessage());
        }
        return allowed;
    }

    /**
     * Reports whether any member in the list has a name listed in {@code INVALID_USERS}.
     *
     * <p>NOTE(review): {@code INVALID_USERS} is declared as an empty list in the visible part of
     * this class; where it is populated is not shown here — confirm it is filled before use,
     * otherwise this check never rejects anything.
     *
     * @param list role members to inspect; must not be null
     * @return true on the first member whose name matches an invalid user name
     */
    private boolean containsInvalidMember(List<RangerRole.RoleMember> list) {
        for (RangerRole.RoleMember member : list) {
            for (String invalidName : INVALID_USERS) {
                if (StringUtils.equals(member.getName(), invalidName)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reports whether the list of user names shares any entry with {@code INVALID_USERS}.
     *
     * @param list user names to inspect; null or empty yields false
     * @return true if at least one name is an invalid user name
     */
    private boolean containsInvalidUser(List<String> list) {
        if (CollectionUtils.isEmpty(list)) {
            return false;
        }
        return CollectionUtils.containsAny(list, INVALID_USERS);
    }

    /**
     * Checks that a user has admin rights on a role, directly, through a group, or through
     * another role that is an admin member of it.
     *
     * <p>The method returns true on the first match and throws otherwise; the trailing
     * {@code return false} is never reached because the guard before it is always true.
     *
     * @param str user name to check
     * @param set groups of the user as supplied by the caller; may be null or empty
     * @param rangerRole role whose membership is inspected
     * @return true when access is granted
     * @throws Exception declared by the signature; denial is reported through the REST exception
     *     built by {@code restErrorUtil}
     */
    private boolean ensureRoleAccess(String str, Set<String> set, RangerRole rangerRole) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> ensureRoleAccess(" + str + ", " + rangerRole + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        List<RangerRole.RoleMember> users = rangerRole.getUsers();
        // Probe value: the user as an admin member. The match depends on how RoleMember
        // defines equality, which is not visible here.
        RangerRole.RoleMember roleMember = new RangerRole.RoleMember(str, true);
        if (!CollectionUtils.isEmpty(users) && users.contains(roleMember)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("==> ensureRoleAccess(): user " + str + " has permission for role " + rangerRole.getName());
            }
            return true;
        }
        if (!CollectionUtils.isEmpty(set)) {
            // Any admin group of the role that appears in the caller-supplied group set grants access.
            for (RangerRole.RoleMember roleMember2 : rangerRole.getGroups()) {
                if (roleMember2.getIsAdmin() && set.contains(roleMember2.getName())) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("==> ensureRoleAccess(): group " + roleMember2.getName() + " has permission for role " + rangerRole.getName());
                    }
                    return true;
                }
            }
        }
        HashSet hashSet = new HashSet();
        getRoleMembers(hashSet, rangerRole);
        // For each admin member gathered above, load the role of that name and test whether the
        // user or one of the supplied groups belongs to it.
        for (RangerRole.RoleMember roleMember3 : hashSet) {
            if (roleMember3.getIsAdmin()) {
                RangerRole role = this.roleStore.getRole(roleMember3.getName());
                if (getUserNames(role).contains(str)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("==> ensureRoleAccess(): role " + roleMember3.getName() + " has permission for role " + rangerRole.getName());
                    }
                    return true;
                }
                if (!CollectionUtils.isEmpty(set) && !CollectionUtils.intersection(set, getGroupNames(role)).isEmpty()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("==> ensureRoleAccess(): role " + roleMember3.getName() + " has permission for role " + rangerRole.getName());
                    }
                    return true;
                }
            }
        }
        // Always-true guard: reaching this point means no rule granted access.
        if (0 == 0) {
            throw this.restErrorUtil.createRESTException("User " + str + " does not have privilege to role " + rangerRole.getName());
        }
        return false;
    }

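    /**
     * Adds the given users, groups and roles as members of {@code rangerRole} and persists the
     * result through {@code roleStore.updateRole}.
     *
     * <p>This method performs no access check of its own; it only rejects grants that would make
     * the role a direct or transitive member of itself.
     *
     * @param rangerRole role whose membership lists are rewritten
     * @param set        user names to grant
     * @param set2       group names to grant
     * @param set3       role names to grant
     * @param bool       admin option for the grant; anything other than a true value (including
     *                   {@code null}) is treated as "no admin option"
     * @return the role as returned by the role store after the update
     */
    private RangerRole addUsersGroupsAndRoles(RangerRole rangerRole, Set<String> set, Set<String> set2, Set<String> set3, Boolean bool) {
        // Compare by value, not identity: "bool == Boolean.TRUE" is false for a Boolean instance
        // that is true but not the cached constant, which would silently ignore the admin option.
        // A null flag falls back to the least-privileged choice instead of a NullPointerException.
        final boolean grantAdmin = Boolean.TRUE.equals(bool);
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> addUsersGroupsAndRoles(name=" + rangerRole.getName() + ", users=" + Arrays.toString(set.toArray()) + ", roles=" + Arrays.toString(set3.toArray()) + ", isAdmin=" + bool + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        try {
            final String targetName = rangerRole.getName();
            for (String granteeRole : set3) {
                // getRoleMemberNames() collects only the members *below* granteeRole, so a role
                // granted to itself has to be rejected explicitly to keep the role graph acyclic.
                if (StringUtils.equals(granteeRole, targetName)) {
                    throw new Exception("Invalid role grant");
                }
                Set<String> nestedMembers = new HashSet<>();
                getRoleMemberNames(nestedMembers, this.roleStore.getRole(granteeRole));
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Role members for " + granteeRole + " = " + nestedMembers);
                }
                if (nestedMembers.contains(targetName)) {
                    throw new Exception("Invalid role grant");
                }
            }
            // Build all three membership sets before touching the role, so a failure while merging
            // does not leave the lists half replaced.
            Set<RangerRole.RoleMember> mergedUsers = mergeRoleMembers(rangerRole.getUsers(), set, grantAdmin);
            Set<RangerRole.RoleMember> mergedGroups = mergeRoleMembers(rangerRole.getGroups(), set2, grantAdmin);
            Set<RangerRole.RoleMember> mergedRoles = mergeRoleMembers(rangerRole.getRoles(), set3, grantAdmin);
            rangerRole.setUsers(new ArrayList<>(mergedUsers));
            rangerRole.setGroups(new ArrayList<>(mergedGroups));
            rangerRole.setRoles(new ArrayList<>(mergedRoles));
            RangerRole updateRole = this.roleStore.updateRole(rangerRole);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== addUsersGroupsAndRoles(name=" + updateRole.getName() + ", users=" + Arrays.toString(set.toArray()) + ", roles=" + Arrays.toString(set3.toArray()) + ", isAdmin=" + bool + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
            return updateRole;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("addUsersGroupsAndRoles() failed", th);
            // NOTE(review): the raw Throwable message is handed to createRESTException(); confirm
            // it cannot carry internal detail back to the REST caller.
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Merges the names in {@code grantees} into an existing membership list.
     *
     * @param existing   current members of one kind (users, groups or roles)
     * @param grantees   names being granted
     * @param grantAdmin whether the grant carries the admin option
     * @return the resulting member set
     */
    private Set<RangerRole.RoleMember> mergeRoleMembers(Iterable<RangerRole.RoleMember> existing, Set<String> grantees, boolean grantAdmin) {
        Set<RangerRole.RoleMember> merged = new HashSet<>();
        Set<String> existingNames = new HashSet<>();
        for (RangerRole.RoleMember member : existing) {
            existingNames.add(member.getName());
            if (!grantees.contains(member.getName())) {
                merged.add(member);
            } else if (grantAdmin) {
                member.setIsAdmin(true);
                merged.add(member);
            }
            // NOTE(review): an existing member that is granted again WITHOUT the admin option is
            // left out of the merged set and is not re-added below, i.e. the grant removes it.
            // Kept as in the original; confirm whether that is intended.
        }
        for (String grantee : grantees) {
            if (!existingNames.contains(grantee)) {
                merged.add(new RangerRole.RoleMember(grantee, grantAdmin));
            }
        }
        return merged;
    }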

    /**
     * Removes the named users, groups and roles from {@code rangerRole} and persists the result
     * through {@code roleStore.updateRole}. For each name only the first member with that name is
     * removed. No access check is performed here.
     *
     * @param rangerRole role to modify in place
     * @param set        user names to remove
     * @param set2       group names to remove
     * @param set3       role names to remove
     * @return the role as returned by the role store after the update
     */
    private RangerRole removeUsersGroupsAndRoles(RangerRole rangerRole, Set<String> set, Set<String> set2, Set<String> set3) {
        final Set<String> userNames = set;
        final Set<String> groupNames = set2;
        final Set<String> roleNames = set3;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> removeUsersGroupsAndRoles(name=" + rangerRole.getName() + ", users=" + Arrays.toString(userNames.toArray()) + ", roles=" + Arrays.toString(roleNames.toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        try {
            for (String userName : userNames) {
                for (Iterator<RangerRole.RoleMember> members = rangerRole.getUsers().iterator(); members.hasNext();) {
                    if (StringUtils.equals(members.next().getName(), userName)) {
                        members.remove();
                        break;
                    }
                }
            }
            for (String groupName : groupNames) {
                for (Iterator<RangerRole.RoleMember> members = rangerRole.getGroups().iterator(); members.hasNext();) {
                    if (StringUtils.equals(members.next().getName(), groupName)) {
                        members.remove();
                        break;
                    }
                }
            }
            for (String roleName : roleNames) {
                for (Iterator<RangerRole.RoleMember> members = rangerRole.getRoles().iterator(); members.hasNext();) {
                    if (StringUtils.equals(members.next().getName(), roleName)) {
                        members.remove();
                        break;
                    }
                }
            }
            final RangerRole persisted = this.roleStore.updateRole(rangerRole);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== removeUsersGroupsAndRoles(name=" + persisted.getName() + ", users=" + Arrays.toString(userNames.toArray()) + ", roles=" + Arrays.toString(roleNames.toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
            return persisted;
        } catch (WebApplicationException restFailure) {
            // Already a REST-level error: pass it through untouched.
            throw restFailure;
        } catch (Throwable failure) {
            LOG.error("removeUsersGroupsAndRoles() failed", failure);
            // NOTE(review): the raw Throwable message is handed to createRESTException(); confirm
            // it cannot carry internal detail back to the REST caller.
            throw this.restErrorUtil.createRESTException(failure.getMessage());
        }
    }

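    /**
     * Clears the admin flag on the named users, groups and roles of {@code rangerRole} while
     * keeping them as members, then persists the result through {@code roleStore.updateRole}.
     * No access check is performed here.
     *
     * @param rangerRole role to modify in place
     * @param set        user names that lose the admin option
     * @param set2       group names that lose the admin option
     * @param set3       role names that lose the admin option
     * @return the role as returned by the role store after the update
     */
    private RangerRole removeAdminFromUsersGroupsAndRoles(RangerRole rangerRole, Set<String> set, Set<String> set2, Set<String> set3) {
        if (LOG.isDebugEnabled()) {
            // Log the role name, as the sibling methods and the exit log do, rather than the whole
            // role object with its full membership lists.
            LOG.debug("==> removeAdminFromUsersGroupsAndRoles(name=" + rangerRole.getName() + ", users=" + Arrays.toString(set.toArray()) + ", roles=" + Arrays.toString(set3.toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        try {
            clearAdminFlag(rangerRole.getUsers(), set);
            clearAdminFlag(rangerRole.getGroups(), set2);
            clearAdminFlag(rangerRole.getRoles(), set3);
            RangerRole updateRole = this.roleStore.updateRole(rangerRole);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== removeAdminFromUsersGroupsAndRoles(name=" + updateRole.getName() + ", users=" + Arrays.toString(set.toArray()) + ", roles=" + Arrays.toString(set3.toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
            return updateRole;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("removeAdminFromUsersGroupsAndRoles() failed", th);
            // NOTE(review): the raw Throwable message is handed to createRESTException(); confirm
            // it cannot carry internal detail back to the REST caller.
            throw this.restErrorUtil.createRESTException(th.getMessage());
        }
    }

    /**
     * Sets {@code isAdmin} to false on every member whose name appears in {@code names} and that
     * currently has the flag set.
     */
    private void clearAdminFlag(Iterable<RangerRole.RoleMember> members, Set<String> names) {
        for (String name : names) {
            for (RangerRole.RoleMember member : members) {
                if (StringUtils.equals(member.getName(), name) && member.getIsAdmin()) {
                    member.setIsAdmin(false);
                }
            }
        }
    }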

    /** Returns the names of the role's direct user members as a new set. */
    private Set<String> getUserNames(RangerRole rangerRole) {
        Set<String> names = new HashSet<>();
        for (RangerRole.RoleMember member : rangerRole.getUsers()) {
            names.add(member.getName());
        }
        return names;
    }

    /** Returns the names of the role's direct group members as a new set. */
    private Set<String> getGroupNames(RangerRole rangerRole) {
        Set<String> names = new HashSet<>();
        for (RangerRole.RoleMember member : rangerRole.getGroups()) {
            names.add(member.getName());
        }
        return names;
    }

    /** Returns the names of the role's direct role members (nested roles are not expanded). */
    private Set<String> getRoleNames(RangerRole rangerRole) {
        Set<String> names = new HashSet<>();
        for (RangerRole.RoleMember member : rangerRole.getRoles()) {
            names.add(member.getName());
        }
        return names;
    }

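    /**
     * Adds to {@code set} the names of all roles that are direct or transitive members of
     * {@code rangerRole}; the name of {@code rangerRole} itself is added only if it is reachable
     * through its own members.
     *
     * @param set        receives the member role names
     * @param rangerRole role whose nested role members are expanded
     * @throws Exception if a member role cannot be loaded from the role store
     */
    private void getRoleMemberNames(Set<String> set, RangerRole rangerRole) throws Exception {
        collectRoleMemberNames(set, rangerRole, new HashSet<String>());
    }

    /**
     * Recursive worker for {@link #getRoleMemberNames}. {@code expanded} records the role names
     * whose members were already walked, so a membership cycle already present in the store ends
     * the walk instead of recursing until the stack overflows, and a role reachable along several
     * paths is loaded only once.
     */
    private void collectRoleMemberNames(Set<String> names, RangerRole role, Set<String> expanded) throws Exception {
        for (RangerRole.RoleMember member : role.getRoles()) {
            String memberName = member.getName();
            names.add(memberName);
            if (expanded.add(memberName)) {
                collectRoleMemberNames(names, this.roleStore.getRole(memberName), expanded);
            }
        }
    }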

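    /**
     * Adds to {@code set} every {@code RoleMember} entry found in the role lists of
     * {@code rangerRole} and of its nested member roles.
     *
     * @param set        receives the member entries
     * @param rangerRole role whose nested role members are expanded
     * @throws Exception if a member role cannot be loaded from the role store
     */
    private void getRoleMembers(Set<RangerRole.RoleMember> set, RangerRole rangerRole) throws Exception {
        collectRoleMembers(set, rangerRole, new HashSet<String>());
    }

    /**
     * Recursive worker for {@link #getRoleMembers}. Every member entry is still added to
     * {@code members}; {@code expanded} tracks by name which roles were already walked, so a
     * membership cycle in the store cannot cause unbounded recursion.
     */
    private void collectRoleMembers(Set<RangerRole.RoleMember> members, RangerRole role, Set<String> expanded) throws Exception {
        for (RangerRole.RoleMember member : role.getRoles()) {
            members.add(member);
            if (expanded.add(member.getName())) {
                collectRoleMembers(members, this.roleStore.getRole(member.getName()), expanded);
            }
        }
    }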

    /**
     * Rejects a grant/revoke request that is {@code null} or names no grantee at all, then
     * replaces any {@code null} users/groups/roles collection with an empty set so later code can
     * iterate without null checks.
     *
     * <p>Only presence is checked: the individual names are not validated here, and
     * {@code INVALID_USERS} is not consulted by this method.
     *
     * @param grantRevokeRoleRequest request to check and normalize in place
     */
    private void validateUsersGroupsAndRoles(GrantRevokeRoleRequest grantRevokeRoleRequest) {
        if (null == grantRevokeRoleRequest) {
            throw this.restErrorUtil.createRESTException("Invalid grant/revoke role request");
        }

        final boolean hasGrantee = !CollectionUtils.isEmpty(grantRevokeRoleRequest.getUsers())
                || !CollectionUtils.isEmpty(grantRevokeRoleRequest.getGroups())
                || !CollectionUtils.isEmpty(grantRevokeRoleRequest.getRoles());
        if (!hasGrantee) {
            throw this.restErrorUtil.createRESTException("Grantee users/groups/roles list is empty");
        }

        // At least one list is populated; normalize the others from null to empty.
        if (null == grantRevokeRoleRequest.getUsers()) {
            grantRevokeRoleRequest.setUsers(new HashSet<>());
        }
        if (null == grantRevokeRoleRequest.getGroups()) {
            grantRevokeRoleRequest.setGroups(new HashSet<>());
        }
        if (null == grantRevokeRoleRequest.getRoles()) {
            grantRevokeRoleRequest.setRoles(new HashSet<>());
        }
    }

    // Seeds INVALID_USERS with the policy engine's USER_CURRENT and RESOURCE_OWNER identifiers.
    // NOTE(review): presumably these are placeholder identities rather than real accounts and so
    // must not be accepted as grantees; confirm against the code that reads INVALID_USERS.
    static {
        INVALID_USERS.addAll(Arrays.asList(RangerPolicyEngine.USER_CURRENT, RangerPolicyEngine.RESOURCE_OWNER));
    }
}
