package com.mapr.baseutils.utils;

import com.google.protobuf.ByteString;
import com.mapr.baseutils.acls.SecurityCommandHelper;
import com.mapr.fs.cldb.proto.CLDBProto;
import com.mapr.fs.proto.Security;
import com.mapr.security.UnixUserGroupHelper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/mapr/baseutils/utils/ClusterAce.class */
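/**
 * Authorization check for cluster-level actions.
 *
 * <p>A request is evaluated against three sources held by this object: a cluster {@link ACL},
 * the cluster ACEs and the cluster IAM ACEs. {@link #checkAccess} is the combined entry point;
 * {@link #checkAccessWithAces} and {@link #checkAccessWithCapabilities} expose the individual
 * steps.
 *
 * <p>Security-relevant behaviour that is visible in this class and worth knowing before
 * changing it:
 * <ul>
 *   <li>A successful ACL check in {@link #checkAccess} returns {@code true} before any deny ACE
 *       is evaluated.</li>
 *   <li>Principals are matched against the infix ACE expression with {@link String#contains},
 *       i.e. by substring, not by token (see the notes on the private helpers).</li>
 *   <li>An ACE expression that fails to parse is treated as "no match" on both the allow and
 *       the deny path.</li>
 * </ul>
 */
public class ClusterAce {
    private static final Logger LOG = LogManager.getLogger(ClusterAce.class);
    private final CLDBProto.ClusterAces clusterAces;
    private final CLDBProto.ClusterAces clusterIamAces;
    private final ACL clusterAcls;

    /**
     * @param acl cluster ACL consulted first by {@link #checkAccess}; may be {@code null}
     * @param clusterAces cluster ACE set (allow and deny lists); may be {@code null}
     * @param clusterAces2 cluster IAM ACE set (allow and deny lists); may be {@code null}
     */
    public ClusterAce(ACL acl, CLDBProto.ClusterAces clusterAces, CLDBProto.ClusterAces clusterAces2) {
        this.clusterAces = clusterAces;
        this.clusterIamAces = clusterAces2;
        this.clusterAcls = acl;
    }

    /**
     * Returns {@code true} when the infix form of the expression is exactly {@code "p"}.
     * A parse failure is logged and reported as "not public".
     */
    private boolean isPublicAccess(ByteString byteString) {
        try {
            return AceHelper.toInfix(byteString.toStringUtf8()).equals("p");
        } catch (IOException e) {
            LOG.error("Failed to pasrse user expression");
            return false;
        }
    }

    /**
     * Reports whether any identity carried by {@code credentialsMsg} (uid, gids, user name,
     * rids) appears in the infix form of the ACE expression.
     *
     * @return {@code false} for {@code null} credentials, an empty expression, a parse failure,
     *     or when nothing matched
     */
    private boolean isCredPresentInUserExpr(ByteString byteString, Security.CredentialsMsg credentialsMsg) {
        // Checked before anything dereferences the message; the previous order logged
        // credentialsMsg.toString() first and would have thrown on null instead of denying.
        if (credentialsMsg == null) {
            LOG.debug("Creds are Empty");
            return false;
        }
        try {
            String infix = AceHelper.toInfix(byteString.toStringUtf8());
            LOG.info("Ace Expression: {}", infix);
            // NOTE(review): the full credentials message is written at INFO on every ACE
            // evaluation; checkAccess logs credentials through Util.printCredentials instead.
            // Confirm this level and format are intended.
            LOG.info("Creds: {}", credentialsMsg);
            if (infix == null || infix.isEmpty()) {
                LOG.debug("Ace Expression is Empty");
                return false;
            }
            if (credentialsMsg.hasUid() && isPartOfExpr(infix, "user", Integer.valueOf(credentialsMsg.getUid()))) {
                return true;
            }
            for (Integer gid : credentialsMsg.getGidsList()) {
                if (isPartOfExpr(infix, "group", gid)) {
                    return true;
                }
            }
            // NOTE(review): substring match. With constructed sample names, "u:ann" is also
            // contained in "u:anna", so one principal can match an entry written for another.
            // The match also ignores any operator around the term. Matching on parsed tokens
            // would need the infix grammar, which is not visible here.
            if (credentialsMsg.hasUserName() && infix.contains("u:" + credentialsMsg.getUserName())) {
                LOG.debug("Username present in ace expression");
                return true;
            }
            // NOTE(review): the RID is matched as a bare decimal string with no type prefix,
            // so it matches those digits anywhere in the expression (inside a user name, a
            // group name or a longer number). This affects both allow and deny decisions.
            for (Integer rid : credentialsMsg.getRidsList()) {
                if (infix.contains(rid.toString())) {
                    LOG.debug("RID: {} present in ace expression", rid.toString());
                    return true;
                }
            }
            return false;
        } catch (IOException e) {
            // A malformed expression is reported as "no match". On the deny path this means
            // the entry does not deny (fail-open); on the allow path it does not grant.
            LOG.error("Failed to parse user expression");
            return false;
        }
    }

    /**
     * Reports whether the principal identified by {@code num} occurs in the infix expression.
     *
     * <p>The id is resolved to a name through {@link UnixUserGroupHelper}; the searched term is
     * {@code "u:<name>"} or {@code "g:<name>"}. The numeric form ({@code "u:<id>"} /
     * {@code "g:<id>"}) is used only when the lookup throws {@link SecurityException}.
     *
     * @param str infix ACE expression to search
     * @param str2 principal kind, {@code "user"} or {@code "group"}
     * @param num numeric uid or gid
     * @return {@code true} if the term is a substring of {@code str}; {@code false} for an
     *     unsupported kind
     */
    boolean isPartOfExpr(String str, String str2, Integer num) {
        UnixUserGroupHelper unixUserGroupHelper = new UnixUserGroupHelper();
        String numericId = num.toString();
        String principal;
        switch (str2) {
            case "user":
                principal = "u:" + numericId;
                try {
                    principal = "u:" + unixUserGroupHelper.getUsername(num.intValue());
                } catch (SecurityException e) {
                    LOG.error("Failed to fetch user name from uugh {}", num);
                }
                break;
            case "group":
                principal = "g:" + numericId;
                try {
                    principal = "g:" + unixUserGroupHelper.getGroupname(num.intValue());
                } catch (SecurityException e) {
                    LOG.error("Failed to fetch group name from uugh {}", num);
                }
                break;
            default:
                LOG.error("Unsupported user type: {}", str2);
                return false;
        }
        // NOTE(review): substring match, same caveat as the user-name check in
        // isCredPresentInUserExpr: a term that is a prefix of another principal also matches.
        return str.contains(principal);
    }

    /**
     * Evaluates the deny list for one action.
     *
     * @return {@code true} when access must be denied: credentials are {@code null} while the
     *     list is non-empty, or a deny entry for the action matches the credentials
     */
    private boolean isDeniedAccess(List<CLDBProto.ClusterAceEntry> list, CLDBProto.ClusterActions clusterActions, Security.CredentialsMsg credentialsMsg) {
        if (list == null || list.isEmpty()) {
            LOG.debug("DenyAceEntryList is empty so access allowed.");
            return false;
        }
        if (credentialsMsg == null) {
            LOG.debug("Creds are empty so access denied.");
            return true;
        }
        for (CLDBProto.ClusterAceEntry entry : list) {
            if (!entry.getClusterAction().equals(clusterActions)) {
                continue;
            }
            // NOTE(review): a deny entry whose expression is public ("p") returns "not denied"
            // and stops the scan, so later deny entries for the same action are never
            // evaluated. Confirm this is the intended meaning of a public deny expression.
            if (isPublicAccess(entry.getExpr())) {
                LOG.debug("Public access in deny Entry. so access allowed");
                return false;
            }
            if (isCredPresentInUserExpr(entry.getExpr(), credentialsMsg)) {
                LOG.debug("Creds: {} are present in deny list.", credentialsMsg);
                return true;
            }
        }
        return false;
    }

    /**
     * Evaluates the allow list for one action.
     *
     * @return {@code true} when an allow entry for the action is public or matches the
     *     credentials; {@code false} for an empty list or {@code null} credentials
     */
    private boolean isAllowedAccess(List<CLDBProto.ClusterAceEntry> list, CLDBProto.ClusterActions clusterActions, Security.CredentialsMsg credentialsMsg) {
        if (list == null || list.isEmpty()) {
            LOG.debug("AllowAceEntryList is empty so access denied.");
            return false;
        }
        if (credentialsMsg == null) {
            LOG.debug("Creds are null");
            return false;
        }
        for (CLDBProto.ClusterAceEntry entry : list) {
            if (!entry.getClusterAction().equals(clusterActions)) {
                continue;
            }
            if (isPublicAccess(entry.getExpr())) {
                LOG.debug("Public access in allowed Entry. so access allowed");
                return true;
            }
            if (isCredPresentInUserExpr(entry.getExpr(), credentialsMsg)) {
                LOG.debug("Creds: {} are present in allow list.", credentialsMsg);
                return true;
            }
        }
        return false;
    }

    /**
     * Checks one action against the cluster ACEs and the cluster IAM ACEs.
     *
     * <p>Deny lists of both sets are evaluated first and win over everything else in this
     * method. If nothing denies and {@code z} is {@code true}, access is granted without
     * looking at the allow lists; otherwise an allow match in either set is required.
     *
     * @param clusterActions action being requested
     * @param credentialsMsg caller credentials
     * @param z {@code true} when the caller has already been granted the action by another
     *     mechanism ({@link #checkAccess} passes the capability-check result here)
     * @return {@code true} if access is granted
     */
    public boolean checkAccessWithAces(CLDBProto.ClusterActions clusterActions, Security.CredentialsMsg credentialsMsg, boolean z) {
        if (this.clusterAces != null && isDeniedAccess(this.clusterAces.getDenyAcesList(), clusterActions, credentialsMsg)) {
            return false;
        }
        if (this.clusterIamAces != null && isDeniedAccess(this.clusterIamAces.getDenyAcesList(), clusterActions, credentialsMsg)) {
            return false;
        }
        if (z) {
            return true;
        }
        boolean allowedByClusterAces = this.clusterAces != null
                && isAllowedAccess(this.clusterAces.getAcesList(), clusterActions, credentialsMsg);
        if (allowedByClusterAces) {
            return true;
        }
        return this.clusterIamAces != null
                && isAllowedAccess(this.clusterIamAces.getAcesList(), clusterActions, credentialsMsg);
    }

    /**
     * Checks whether the cluster-operations capability mask in the credentials covers every
     * bit of the requested mask.
     *
     * @param i requested action mask
     * @param credentialsMsg caller credentials
     * @return {@code true} only if all bits of {@code i} are present in the converted mask;
     *     {@code false} for {@code null} credentials, credentials without capabilities, or a
     *     conversion failure
     */
    public boolean checkAccessWithCapabilities(int i, Security.CredentialsMsg credentialsMsg) {
        // Missing credentials deny rather than throw.
        if (credentialsMsg == null || !credentialsMsg.hasCapabilities()) {
            return false;
        }
        CLDBProto.SecureObjectType secureObjectType = CLDBProto.SecureObjectType.OBJECT_TYPE_CLUSTER;
        List<String> formatActionMask = SecurityCommandHelper.formatActionMask((int) credentialsMsg.getCapabilities().getClusterOpsMask(), secureObjectType, true);
        LOG.debug("acl list: {}", formatActionMask.toString());
        // Declared outside the try so the failure log can report the value reached so far.
        int grantedMask = 0;
        try {
            grantedMask = SecurityCommandHelper.convertActionsToMask(String.join(",", formatActionMask), ",", secureObjectType);
            LOG.debug("acl list: {} , formatted mask: {}", formatActionMask.toString(), grantedMask);
            return (grantedMask & i) == i;
        } catch (Exception e) {
            LOG.error("failed to convert acl to mask. acl list: {} ,formatted mask: {}, Exception: {}", formatActionMask.toString(), grantedMask, e.getMessage());
            return false;
        }
    }

    /** Returns {@code true} if bit {@code i2} of {@code i} is set. */
    private boolean isBitSet(int i, int i2) {
        // NOTE(review): for an int, Java uses only the low five bits of the shift distance, so
        // an action number of 32 or more would alias a lower bit. Confirm the range of
        // ClusterActions numbers.
        return (i & (1 << i2)) != 0;
    }

    /**
     * Expands an action mask into the {@code ClusterActions} values whose number, used as a
     * bit position, is set in the mask. Bits with no corresponding enum value are dropped.
     */
    private List<CLDBProto.ClusterActions> actionMaskToClusterActions(int i) {
        List<CLDBProto.ClusterActions> actions = new ArrayList<>();
        for (CLDBProto.ClusterActions action : EnumSet.allOf(CLDBProto.ClusterActions.class)) {
            if (isBitSet(i, action.getNumber())) {
                actions.add(action);
            }
        }
        LOG.debug("action mask to cluster actions list: {}", actions.toString());
        return actions;
    }

    /**
     * Combined access decision for a requested action mask.
     *
     * <p>Order of evaluation: (1) if a cluster ACL is present and it verifies the permissions,
     * access is granted immediately; (2) otherwise the capability mask is checked; (3) every
     * action decoded from the mask must then pass {@link #checkAccessWithAces}, with the
     * capability result standing in for an allow match.
     *
     * @param i requested action mask
     * @param credentialsMsg caller credentials
     * @return {@code true} if access is granted
     */
    public boolean checkAccess(int i, Security.CredentialsMsg credentialsMsg) {
        StringBuilder sb = new StringBuilder();
        if (this.clusterAcls != null) {
            // A successful ACL check returns here, before any deny ACE is consulted.
            if (this.clusterAcls.verifyPermissions(credentialsMsg, i, sb)) {
                LOG.debug("ACL check access success");
                return true;
            }
            LOG.warn("ACL check access failed with error " + sb);
        }
        boolean checkAccessWithCapabilities = checkAccessWithCapabilities(i, credentialsMsg);
        LOG.debug(checkAccessWithCapabilities ? "true" : "false");
        // NOTE(review): if the mask decodes to no ClusterActions value (zero, or only bits with
        // no matching enum number) the loop body never runs and the method returns true even
        // when both the ACL and the capability check failed. Bits without a matching enum
        // value are likewise never checked against the ACEs. Confirm callers cannot pass such
        // a mask, or deny when the decoded list does not cover the requested bits.
        for (CLDBProto.ClusterActions clusterActions : actionMaskToClusterActions(i)) {
            if (!checkAccessWithAces(clusterActions, credentialsMsg, checkAccessWithCapabilities)) {
                LOG.debug("User: {} does not have access for action {}", Util.printCredentials(credentialsMsg), clusterActions.toString());
                return false;
            }
            LOG.debug("User: {} have access for action {}", Util.printCredentials(credentialsMsg), clusterActions.toString());
        }
        LOG.debug("user granted permission for action mask: {}, creds: {}", i, Util.printCredentials(credentialsMsg));
        return true;
    }
}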
