package com.mapr.fs.cldb;

import com.mapr.baseutils.acls.SecurityCommandHelper;
import com.mapr.baseutils.audit.AuditRecord;
import com.mapr.fs.cldb.conf.CLDBConfiguration;
import com.mapr.fs.cldb.conf.CLDBConfigurationHolder;
import com.mapr.fs.cldb.proto.Accesscontrol;
import com.mapr.fs.cldb.proto.CLDBProto;
import com.mapr.fs.cldb.security.ACL;
import com.mapr.fs.cldb.util.Util;
import com.mapr.fs.proto.Common;
import com.mapr.fs.proto.Security;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/mapr/fs/cldb/VolumeAclProcessor.class */
public class VolumeAclProcessor extends VolumeAccessController {
    private Cluster cluster = Cluster.getInstance();
    private CLDBConfiguration conf = CLDBConfigurationHolder.getInstance();
    private CLDBServer cldbServer = CLDBServerHolder.getInstance();
    private ActiveVolumeMap volumeMap = this.cldbServer.getVolumeMap();
    private Volumes volumes = this.cldbServer.getVolumes();
    private static final Log LOG = LogFactory.getLog(VolumeAclProcessor.class);

    @Override // com.mapr.fs.cldb.VolumeAccessController
    public boolean canPerformAction(CLDBProto.VolumeProperties volumeProperties, Security.CredentialsMsg credentialsMsg, int i, StringBuilder sb) {
        if (volumeProperties == null || credentialsMsg == null) {
            return false;
        }
        if (!volumeProperties.hasAcl()) {
            if (sb == null) {
                return false;
            }
            sb.append("ACL Not Present for volume " + volumeProperties.getVolumeName());
            return false;
        }
        if (credentialsMsg.getUid() == 0) {
            if (this.conf.cldbRejectRoot() == 1) {
                if (sb == null) {
                    return false;
                }
                sb.append("Root cannot perform action since reject root is enabled");
                return false;
            }
            if (this.conf.cldbSquashRoot() == 1) {
                credentialsMsg = NobodyCredentials.getInstance();
            }
        }
        return new ACL(volumeProperties.getAcl()).verifyPermissions(credentialsMsg, i, sb);
    }

    @Override // com.mapr.fs.cldb.VolumeAccessController
    public CLDBProto.SecurityModifyAclResponse updateVolumeAcl(Security.CredentialsMsg credentialsMsg, CLDBProto.SecurityModifyAclRequest securityModifyAclRequest) {
        AuditRecord auditRecord = this.cldbServer.getAuditRecord();
        auditRecord.setOp(AuditRecord.Op.aclModify);
        String name = securityModifyAclRequest.getName();
        CLDBProto.VolumeProperties volumePropertiesFromName = this.volumeMap.getVolumePropertiesFromName(name);
        if (volumePropertiesFromName == null) {
            return CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(this.cldbServer.getCldbCreds()).setStatus(61).setErrorString("Missing VolumeProperties for the Volume " + name).build();
        }
        Security.AccessControlList accessControlList = null;
        this.volumeMap.volumesLock.lock(volumePropertiesFromName.getVolumeId());
        CLDBProto.VolumeProperties volumePropertiesFromName2 = this.volumeMap.getVolumePropertiesFromName(name);
        if (volumePropertiesFromName2 != null) {
            try {
                accessControlList = volumePropertiesFromName2.getAcl();
            } catch (Throwable th) {
                this.volumeMap.volumesLock.unlock(volumePropertiesFromName2.getVolumeId());
                throw th;
            }
        }
        if (accessControlList == null) {
            CLDBProto.SecurityModifyAclResponse build = CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(this.cldbServer.getCldbCreds()).setStatus(1).setErrorString("Caller does not have permissions to modify the ACL of the volume " + name).build();
            this.volumeMap.volumesLock.unlock(volumePropertiesFromName2.getVolumeId());
            return build;
        }
        if (!this.cldbServer.hasAdminCredentials(credentialsMsg) && !canPerformAction(volumePropertiesFromName2, credentialsMsg, SecurityCommandHelper.VOLUME_EDIT_ACL_MASK, null)) {
            CLDBProto.SecurityModifyAclResponse build2 = CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(this.cldbServer.getCldbCreds()).setStatus(1).setErrorString("Insufficient Perms to Modify Volume ACLs: Need admin(a) Permissions").build();
            this.volumeMap.volumesLock.unlock(volumePropertiesFromName2.getVolumeId());
            return build2;
        }
        Security.AccessControlList build3 = AclUtil.purgeEmptyAclEntries((securityModifyAclRequest.hasEditFlag() && securityModifyAclRequest.getEditFlag()) ? AclUtil.mergeAcls(accessControlList, securityModifyAclRequest.getAcl()) : Security.AccessControlList.newBuilder(securityModifyAclRequest.getAcl())).build();
        this.volumeMap.updateVolume(CLDBProto.VolumeProperties.newBuilder(volumePropertiesFromName2).setAcl(build3).build());
        auditRecord.setKeyValues(Util.getChangedPermissions(accessControlList, build3, true));
        this.volumeMap.volumesLock.unlock(volumePropertiesFromName2.getVolumeId());
        if (LOG.isWarnEnabled()) {
            LOG.warn("ModifyACL request from " + Util.printIPAddress(this.cldbServer.getThreadLocalIPAddress()) + " by uid " + credentialsMsg.getUid() + " on volume " + name + ".Previous ACL " + AclUtil.buildAclString(accessControlList, this.cldbServer.getUserInfo()) + ",New ACL " + AclUtil.buildAclString(build3, this.cldbServer.getUserInfo()));
        }
        return CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(this.cldbServer.getCldbCreds()).setStatus(0).setAcl(build3).build();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.mapr.fs.cldb.VolumeAccessController
    public Security.AccessControlList getVolumeAcl(String str, Security.CredentialsMsg credentialsMsg, StringBuilder sb) {
        CLDBProto.VolumeProperties volumePropertiesFromName = this.volumes.getVolumePropertiesFromName(str);
        if (volumePropertiesFromName == null) {
            return null;
        }
        if (canPerformAction(volumePropertiesFromName, credentialsMsg, SecurityCommandHelper.VOLUME_FULL_CONTROL_MASK | SecurityCommandHelper.VOLUME_ADMIN_MASK, null) || this.cluster.canPerformAction(credentialsMsg, SecurityCommandHelper.CLUSTER_READ_MASK | SecurityCommandHelper.CLUSTER_FULL_CONTROL_MASK)) {
            return volumePropertiesFromName.getAcl();
        }
        if (!LOG.isDebugEnabled()) {
            return null;
        }
        LOG.debug("Caller is not admin and does not have permissions to read acl for volumes on the cluster");
        return null;
    }

    @Override // com.mapr.fs.cldb.VolumeAccessController
    Accesscontrol.GetVolumeAcesResponse getVolumeAces(String str, Security.CredentialsMsg credentialsMsg) {
        return Accesscontrol.GetVolumeAcesResponse.newBuilder().setStatus(22).setErrorString("ACEs have not yet been enabled in this Version").build();
    }

    @Override // com.mapr.fs.cldb.VolumeAccessController
    Common.VolumeAces getVolumeAces(CLDBProto.VolumeProperties volumeProperties) {
        return null;
    }
}
