package com.mapr.fs.cldb;

import com.google.protobuf.ByteString;
import com.mapr.baseutils.audit.AuditRecord;
import com.mapr.baseutils.utils.ACL;
import com.mapr.baseutils.utils.Util;
import com.mapr.fs.RpcCallContext;
import com.mapr.fs.cldb.proto.Accesscontrol;
import com.mapr.fs.cldb.proto.CLDBProto;
import com.mapr.fs.proto.Security;
import com.mapr.login.common.TicketOptionalParams;
import com.mapr.security.MutableInt;
import com.mapr.security.UnixUserGroupHelper;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/mapr/fs/cldb/SecurityManager.class */
public class SecurityManager {
    private static SecurityManager s_instance;
    private Cluster cluster;
    private VolumeManager volumeManager;
    private ActiveVolumeMap volumeMap;
    private CLDBServer cldbServer;
    private static final Log LOG = LogFactory.getLog(SecurityManager.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.mapr.fs.cldb.SecurityManager$1, reason: invalid class name */
    /* loaded from: input_file:com/mapr/fs/cldb/SecurityManager$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$SecureObjectType = new int[CLDBProto.SecureObjectType.values().length];

        static {
            try {
                $SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$SecureObjectType[CLDBProto.SecureObjectType.OBJECT_TYPE_CLUSTER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$SecureObjectType[CLDBProto.SecureObjectType.OBJECT_TYPE_VOLUME.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    public Accesscontrol.ClientAuthorizationResponse canPerformActions(Accesscontrol.ClientAuthorizationRequest clientAuthorizationRequest) {
        auditRequest(clientAuthorizationRequest);
        StringBuilder sb = new StringBuilder();
        if (!isValidRequest(clientAuthorizationRequest, sb)) {
            return Accesscontrol.ClientAuthorizationResponse.newBuilder().setStatus(22).setErrMsg(sb.toString()).setIsAuthorized(false).build();
        }
        boolean z = true;
        if (clientAuthorizationRequest.getVolumeActions() != 0) {
            if (!clientAuthorizationRequest.hasVolumeName()) {
                return Accesscontrol.ClientAuthorizationResponse.newBuilder().setStatus(22).setErrMsg("Missing Volume Name in the Request").setIsAuthorized(false).build();
            }
            CLDBProto.VolumeProperties volumePropertiesFromName = this.volumeMap.getVolumePropertiesFromName(clientAuthorizationRequest.getVolumeName());
            if (volumePropertiesFromName == null) {
                return Accesscontrol.ClientAuthorizationResponse.newBuilder().setStatus(22).setErrMsg("Missing VolumeProperties for Volume: " + clientAuthorizationRequest.getVolumeName()).setIsAuthorized(false).build();
            }
            z = this.volumeManager.canPerformAction(volumePropertiesFromName, clientAuthorizationRequest.getCreds(), clientAuthorizationRequest.getVolumeActions(), null);
        }
        if (clientAuthorizationRequest.getClusterActions() != 0) {
            z = z && this.cluster.canPerformAction(clientAuthorizationRequest.getCreds(), clientAuthorizationRequest.getClusterActions());
        }
        return Accesscontrol.ClientAuthorizationResponse.newBuilder().setStatus(0).setIsAuthorized(z).build();
    }

    private void auditRequest(Accesscontrol.ClientAuthorizationRequest clientAuthorizationRequest) {
        AuditRecord auditRecord = this.cldbServer.getAuditRecord();
        auditRecord.setCreds(clientAuthorizationRequest.getCreds());
        auditRecord.setOp(AuditRecord.Op.clientAuthorizationRequest);
        StringBuilder sb = new StringBuilder();
        if (clientAuthorizationRequest.hasClusterActions()) {
            sb.append("Cluster Actions: " + clientAuthorizationRequest.getClusterActions());
        }
        if (clientAuthorizationRequest.hasVolumeActions()) {
            sb.append(" Volume Actions: " + clientAuthorizationRequest.getVolumeActions());
        }
        if (clientAuthorizationRequest.hasVolumeName()) {
            sb.append(" Volume Name: " + clientAuthorizationRequest.getVolumeName());
        }
        auditRecord.setResource(sb.toString());
    }

    private boolean isValidRequest(Accesscontrol.ClientAuthorizationRequest clientAuthorizationRequest, StringBuilder sb) {
        if (!clientAuthorizationRequest.hasCreds()) {
            sb.append("Credentials Missing in the Request");
            return false;
        }
        if (clientAuthorizationRequest.getClusterActions() != 0 || clientAuthorizationRequest.getVolumeActions() != 0) {
            return true;
        }
        sb.append("List of Actions missing in the Request");
        return false;
    }

    public static synchronized SecurityManager getInstance() {
        if (s_instance == null) {
            s_instance = new SecurityManager();
        }
        return s_instance;
    }

    public void init(Cluster cluster, VolumeManager volumeManager, ActiveVolumeMap activeVolumeMap) {
        this.cluster = cluster;
        this.volumeManager = volumeManager;
        this.volumeMap = activeVolumeMap;
        this.cldbServer = CLDBServerHolder.getInstance();
    }

    public CLDBProto.GetClusterTicketResp getClusterTicket(RpcCallContext rpcCallContext, CLDBProto.GetClusterTicketReq getClusterTicketReq) {
        CLDBProto.GetClusterTicketResp.Builder newBuilder = CLDBProto.GetClusterTicketResp.newBuilder();
        Security.CredentialsMsg userCreds = this.cldbServer.getUserCreds(rpcCallContext, getClusterTicketReq.hasCreds() ? getClusterTicketReq.getCreds() : null);
        AuditRecord auditRecord = this.cldbServer.getAuditRecord();
        auditRecord.setCreds(userCreds);
        auditRecord.setOp(AuditRecord.Op.getClusterKey);
        auditRecord.setResource("cluster");
        if (userCreds == null || !this.cldbServer.hasAdminCredentials(userCreds)) {
            return newBuilder.setStatus(1).build();
        }
        if (!getClusterTicketReq.hasClusterUserName()) {
            return newBuilder.setStatus(22).build();
        }
        try {
            Security.CredentialsMsg userCredentials = getUserCredentials(getClusterTicketReq.getClusterUserName());
            if (userCredentials.getUid() < 0) {
                return newBuilder.setStatus(2).build();
            }
            int[] iArr = new int[userCredentials.getGidsCount()];
            for (int i = 0; i < userCredentials.getGidsCount(); i++) {
                iArr[i] = userCredentials.getGids(i);
            }
            MutableInt mutableInt = new MutableInt();
            TicketOptionalParams ticketOptionalParams = new TicketOptionalParams();
            ticketOptionalParams.setIsExternal(true);
            Security.TicketAndKey GenerateTicketAndKey = com.mapr.security.Security.GenerateTicketAndKey(Security.ServerKeyType.ClusterKey, userCredentials.getUserName(), userCredentials.getUid(), iArr, com.mapr.security.Security.MAX_EXPIRY_TIME, 0L, ticketOptionalParams, mutableInt);
            if (GenerateTicketAndKey == null) {
                LOG.error("Failed to generate mapr cluster ticket and key file errorcode " + mutableInt.GetValue());
                newBuilder.setStatus(mutableInt.GetValue());
                return newBuilder.build();
            }
            newBuilder.setClusterTicketAndKey(GenerateTicketAndKey);
            newBuilder.setStatus(0);
            return newBuilder.build();
        } catch (Exception e) {
            return newBuilder.setStatus(2).build();
        }
    }

    public Security.CredentialsMsg getUserCredentials(String str) {
        UnixUserGroupHelper userInfo = this.cldbServer.getUserInfo();
        int userId = userInfo.getUserId(str);
        int[] groups = userInfo.getGroups(str);
        Security.CredentialsMsg.Builder uid = Security.CredentialsMsg.newBuilder().setUid(userId);
        for (int i : groups) {
            uid.addGids(i);
        }
        uid.setUserName(str);
        return uid.build();
    }

    public CLDBProto.ResolveCredsResponse resolveCredentials(String str, String str2) {
        UnixUserGroupHelper userInfo = this.cldbServer.getUserInfo();
        CLDBProto.ResolveCredsResponse.Builder newBuilder = CLDBProto.ResolveCredsResponse.newBuilder();
        if (!Util.isNullOrEmpty(str)) {
            newBuilder.setUid(userInfo.getUserId(str));
        }
        if (!Util.isNullOrEmpty(str2)) {
            newBuilder.setGid(userInfo.getGroupId(str2));
        }
        newBuilder.setStatus(0);
        return newBuilder.build();
    }

    public CLDBProto.GetMapRUserTicketResp getMapRUserTicket(RpcCallContext rpcCallContext, CLDBProto.GetMapRUserTicketReq getMapRUserTicketReq) {
        Security.CredentialsMsg cldbCreds = this.cldbServer.getCldbCreds();
        CLDBProto.GetMapRUserTicketResp.Builder newBuilder = CLDBProto.GetMapRUserTicketResp.newBuilder();
        newBuilder.setCreds(cldbCreds);
        Security.CredentialsMsg userCreds = this.cldbServer.getUserCreds(rpcCallContext, getMapRUserTicketReq.hasCreds() ? getMapRUserTicketReq.getCreds() : null);
        if (userCreds == null) {
            return newBuilder.setStatus(1).build();
        }
        AuditRecord auditRecord = this.cldbServer.getAuditRecord();
        auditRecord.setCreds(userCreds);
        auditRecord.setOp(AuditRecord.Op.getMapRUserTicket);
        auditRecord.setResource("cluster");
        if (!this.cldbServer.hasAdminCredentials(userCreds)) {
            return newBuilder.setStatus(1).build();
        }
        int[] iArr = new int[cldbCreds.getGidsCount()];
        for (int i = 0; i < cldbCreds.getGidsCount(); i++) {
            iArr[i] = cldbCreds.getGids(i);
        }
        MutableInt mutableInt = new MutableInt();
        Security.TicketAndKey GenerateTicketAndKey = com.mapr.security.Security.GenerateTicketAndKey(Security.ServerKeyType.ServerKey, cldbCreds.getUserName(), cldbCreds.getUid(), iArr, com.mapr.security.Security.MAX_EXPIRY_TIME, 0L, (TicketOptionalParams) null, mutableInt);
        if (GenerateTicketAndKey == null) {
            LOG.error("Failed to generate mapr user ticket and key file errorcode " + mutableInt.GetValue());
            newBuilder.setStatus(mutableInt.GetValue());
            return newBuilder.build();
        }
        newBuilder.setMaprUserTicketAndKey(GenerateTicketAndKey);
        newBuilder.setStatus(0);
        return newBuilder.build();
    }

    public CLDBProto.SecurityGetAclResponse securityGetAcl(RpcCallContext rpcCallContext, CLDBProto.SecurityGetAclRequest securityGetAclRequest) {
        Security.AccessControlList volumeAcl;
        Security.AccessControlList aclList;
        CLDBProto.SecurityGetAclResponse.Builder newBuilder = CLDBProto.SecurityGetAclResponse.newBuilder();
        newBuilder.setCreds(this.cldbServer.getCldbCreds());
        AuditRecord auditRecord = this.cldbServer.getAuditRecord();
        auditRecord.setOp(AuditRecord.Op.aclShow);
        if (!securityGetAclRequest.hasObjectType()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Object type is missing in the request");
            }
            return newBuilder.setStatus(22).setErrorString("Object type is missing in the request").build();
        }
        CLDBProto.SecureObjectType objectType = securityGetAclRequest.getObjectType();
        if (objectType == CLDBProto.SecureObjectType.OBJECT_TYPE_VOLUME && !securityGetAclRequest.hasName()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Request does not have the name of the volume");
            }
            return newBuilder.setStatus(22).setErrorString("Request does not have the name of the volume").build();
        }
        Security.CredentialsMsg userCreds = this.cldbServer.getUserCreds(rpcCallContext, securityGetAclRequest.hasCreds() ? securityGetAclRequest.getCreds() : null);
        auditRecord.setCreds(userCreds);
        if (userCreds == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Request does not contain credentials of the caller");
            }
            return newBuilder.setStatus(22).setErrorString("Request does not contain credentials of the caller").build();
        }
        StringBuilder sb = new StringBuilder();
        switch (AnonymousClass1.$SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$SecureObjectType[objectType.ordinal()]) {
            case 1:
                auditRecord.setResource("cluster");
                volumeAcl = this.cluster.getAcl(userCreds, sb);
                break;
            case 2:
                auditRecord.setResource(securityGetAclRequest.getName());
                volumeAcl = this.volumeManager.getVolumeAcl(securityGetAclRequest.getName(), userCreds, sb);
                break;
            default:
                String str = "Invalid object type " + objectType.toString();
                if (LOG.isDebugEnabled()) {
                    LOG.debug(str);
                }
                return newBuilder.setStatus(22).setErrorString(str).build();
        }
        if (volumeAcl == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(sb.toString());
            }
            return newBuilder.setStatus(2).setErrorString(sb.toString()).build();
        }
        ACL acl = new ACL(volumeAcl);
        if (securityGetAclRequest.hasPrincipal()) {
            int princId = securityGetAclRequest.getPrincipal().getPrincId();
            aclList = acl.getAclList(princId, ACL.isUid(princId));
        } else {
            aclList = acl.getAclList();
        }
        return newBuilder.setStatus(0).setAcl(aclList).setClusterAdmin(this.cluster.getOwnerUid()).build();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CLDBProto.SecurityModifyAclResponse securityModifyAcl(RpcCallContext rpcCallContext, CLDBProto.SecurityModifyAclRequest securityModifyAclRequest) {
        Security.CredentialsMsg cldbCreds = this.cldbServer.getCldbCreds();
        AuditRecord auditRecord = this.cldbServer.getAuditRecord();
        auditRecord.setOp(AuditRecord.Op.aclModify);
        if (!securityModifyAclRequest.hasObjectType()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Object type is missing in the request");
            }
            return CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(cldbCreds).setStatus(22).setErrorString("Object type is missing in the request").build();
        }
        Security.CredentialsMsg userCreds = this.cldbServer.getUserCreds(rpcCallContext, securityModifyAclRequest.hasCreds() ? securityModifyAclRequest.getCreds() : null);
        auditRecord.setCreds(userCreds);
        if (userCreds == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Request does not contain credentials of the caller");
            }
            return CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(cldbCreds).setStatus(22).setErrorString("Request does not contain credentials of the caller").build();
        }
        if (!securityModifyAclRequest.hasAcl()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Request does not contain the modified ACL");
            }
            return CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(cldbCreds).setStatus(22).setErrorString("Request does not contain the modified ACL").build();
        }
        switch (AnonymousClass1.$SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$SecureObjectType[securityModifyAclRequest.getObjectType().ordinal()]) {
            case 1:
                auditRecord.setResource("cluster");
                return this.cluster.updateAcl(userCreds, securityModifyAclRequest);
            case 2:
                if (securityModifyAclRequest.hasName()) {
                    auditRecord.setResource(securityModifyAclRequest.getName());
                    return this.volumeManager.updateVolumeAcl(userCreds, securityModifyAclRequest);
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Request does not have the name of the volume");
                }
                return CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(cldbCreds).setStatus(22).setErrorString("Request does not have the name of the volume").build();
            default:
                String str = "The request has an invalid object type " + securityModifyAclRequest.getObjectType().toString();
                if (LOG.isDebugEnabled()) {
                    LOG.debug(str);
                }
                return CLDBProto.SecurityModifyAclResponse.newBuilder().setCreds(cldbCreds).setStatus(22).setErrorString(str).build();
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v15, types: [java.util.List] */
    /* JADX WARN: Type inference failed for: r0v17, types: [java.util.List] */
    public Security.CredentialsMsg getImpersonatedCreds(Security.CredentialsMsg credentialsMsg, Security.Ticket ticket, Security.Key key) {
        List gidsList;
        if (ticket == null || credentialsMsg == null || key == null) {
            if (!LOG.isErrorEnabled()) {
                return null;
            }
            LOG.error("Invalid parameters passed to getimpersonationMsg");
            return null;
        }
        boolean z = false;
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        if (ticket.getImpersonatedUidsList().size() > 0 || ticket.getImpersonatedGidsList().size() > 0) {
            arrayList = ticket.getImpersonatedUidsList();
            arrayList2 = ticket.getImpersonatedGidsList();
            if (arrayList != null && arrayList.contains(Integer.valueOf(credentialsMsg.getUid()))) {
                z = true;
            }
            if (!z && arrayList2 != null && arrayList2.size() > 0 && (gidsList = credentialsMsg.getGidsList()) != null && gidsList.size() > 0) {
                Iterator it = arrayList2.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if (gidsList.contains((Integer) it.next())) {
                        z = true;
                        break;
                    }
                }
            }
        } else {
            z = true;
        }
        if (!z) {
            if (!LOG.isErrorEnabled()) {
                return null;
            }
            LOG.error("Could not generate impersonated creds for uid " + credentialsMsg.getUid() + " as the ticket is scoped for uids " + arrayList + " gids " + arrayList2);
            return null;
        }
        Security.ImpersonationMsg.Builder newBuilder = Security.ImpersonationMsg.newBuilder();
        newBuilder.setImpersonatingUid(ticket.getUserCreds().getUid());
        newBuilder.setTargetUid(credentialsMsg.getUid());
        Iterator it2 = credentialsMsg.getGidsList().iterator();
        while (it2.hasNext()) {
            newBuilder.addTargetGids(((Integer) it2.next()).intValue());
        }
        newBuilder.setExpiryTime(ticket.getExpiryTime());
        newBuilder.setCreationTime(ticket.getCreationTimeSec());
        MutableInt mutableInt = new MutableInt();
        byte[] Encrypt = com.mapr.security.Security.Encrypt(key, newBuilder.build().toByteArray(), mutableInt);
        if (mutableInt.GetValue() == 0) {
            Security.CredentialsMsg.Builder newBuilder2 = Security.CredentialsMsg.newBuilder(credentialsMsg);
            newBuilder2.setEncryptedImpersonationMsg(ByteString.copyFrom(Encrypt));
            return newBuilder2.build();
        }
        if (!LOG.isErrorEnabled()) {
            return null;
        }
        LOG.error("Could not encrypt the impersonated creds with server key");
        return null;
    }
}
