package org.apache.ranger.authorization.hadoop;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.authorization.utils.JsonUtils;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.services.hdfs.RangerServiceHdfs;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* compiled from: RangerHdfsAuthorizer.java */
/* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuditHandler.class */
public class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
    private static final Logger LOG = LoggerFactory.getLogger(RangerHdfsAuditHandler.class);
    private boolean isAuditEnabled = false;
    private AuthzAuditEvent auditEvent = null;
    private final String pathToBeValidated;
    private final boolean auditOnlyIfDenied;
    private final String hadoopModuleName;
    private final Set<String> excludeUsers;
    private final String callerContext;

    public RangerHdfsAuditHandler(String str, boolean z, String str2, Set<String> set, String str3) {
        this.pathToBeValidated = str;
        this.auditOnlyIfDenied = z;
        this.hadoopModuleName = str2;
        this.excludeUsers = set;
        this.callerContext = str3;
    }

    public void processResult(RangerAccessResult rangerAccessResult) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuditHandler.logAudit(" + rangerAccessResult + ")");
        }
        if (rangerAccessResult != null) {
            this.isAuditEnabled = rangerAccessResult.getIsAudited();
            if (this.auditEvent == null) {
                this.auditEvent = super.getAuthzEvents(rangerAccessResult);
            }
            if (this.auditEvent != null) {
                RangerAccessRequest accessRequest = rangerAccessResult.getAccessRequest();
                RangerAccessResource resource = accessRequest.getResource();
                String asString = resource != null ? resource.getAsString() : null;
                this.auditEvent.setEventTime(accessRequest.getAccessTime() != null ? accessRequest.getAccessTime() : new Date());
                this.auditEvent.setAccessType(accessRequest.getAction());
                this.auditEvent.setResourcePath(this.pathToBeValidated);
                this.auditEvent.setResultReason(asString);
                this.auditEvent.setAccessResult((short) (rangerAccessResult.getIsAllowed() ? 1 : 0));
                this.auditEvent.setPolicyId(rangerAccessResult.getPolicyId());
                this.auditEvent.setPolicyVersion(rangerAccessResult.getPolicyVersion());
                setRequestData();
                this.auditEvent.setAction(getAccessType(accessRequest.getAccessType()));
                this.auditEvent.setAdditionalInfo(getAdditionalInfo(accessRequest));
                Set tags = getTags(accessRequest);
                if (tags != null) {
                    this.auditEvent.setTags(tags);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuditHandler.logAudit(" + rangerAccessResult + "): " + this.auditEvent);
        }
    }

    public String getAdditionalInfo(RangerAccessRequest rangerAccessRequest) {
        Map jsonToMapStringString = JsonUtils.jsonToMapStringString(super.getAdditionalInfo(rangerAccessRequest));
        if (jsonToMapStringString == null || jsonToMapStringString.isEmpty()) {
            jsonToMapStringString = new HashMap();
        }
        String accessTypesAsString = getAccessTypesAsString(rangerAccessRequest);
        if (jsonToMapStringString != null && accessTypesAsString != null) {
            jsonToMapStringString.put("accessTypes", "[" + accessTypesAsString + "]");
        }
        return JsonUtils.mapToJson(jsonToMapStringString);
    }

    public void logHadoopEvent(String str, FsAction fsAction, boolean z) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuditHandler.logHadoopEvent(" + str + ", " + fsAction + ", " + z + ")");
        }
        if (this.auditEvent != null) {
            this.auditEvent.setResultReason(str);
            this.auditEvent.setAccessResult((short) (z ? 1 : 0));
            this.auditEvent.setAclEnforcer(this.hadoopModuleName);
            this.auditEvent.setPolicyId(-1L);
            String fsAction2 = fsAction == null ? null : fsAction.toString();
            if (StringUtils.isBlank(this.auditEvent.getAccessType())) {
                this.auditEvent.setAccessType(fsAction2);
            }
            if (fsAction2 != null) {
                this.auditEvent.setAction(getAccessType(fsAction2));
            }
            setRequestData();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuditHandler.logHadoopEvent(" + str + ", " + fsAction + ", " + z + "): " + this.auditEvent);
        }
    }

    public void flushAudit() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuditHandler.flushAudit(" + this.isAuditEnabled + ", " + this.auditEvent + ")");
        }
        if (this.isAuditEnabled && this.auditEvent != null && !StringUtils.isEmpty(this.auditEvent.getAccessType())) {
            String user = this.auditEvent.getUser();
            if (!(!(user == null || this.excludeUsers == null || !this.excludeUsers.contains(user)) || (this.auditOnlyIfDenied && this.auditEvent.getAccessResult() != 0) || "monitorHealth".equals(this.auditEvent.getAccessType()))) {
                super.logAuthzAudit(this.auditEvent);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuditHandler.flushAudit(" + this.isAuditEnabled + ", " + this.auditEvent + ")");
        }
    }

    private String getAccessType(String str) {
        String str2 = str;
        boolean z = -1;
        switch (str.hashCode()) {
            case -2115740971:
                if (str.equals("WRITE_EXECUTE")) {
                    z = true;
                    break;
                }
                break;
            case 64897:
                if (str.equals("ALL")) {
                    z = 3;
                    break;
                }
                break;
            case 1247349718:
                if (str.equals("READ_WRITE")) {
                    z = 2;
                    break;
                }
                break;
            case 1779598764:
                if (str.equals("READ_EXECUTE")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                str2 = RangerServiceHdfs.ACCESS_TYPE_READ;
                break;
            case true:
            case true:
            case true:
                str2 = "write";
                break;
        }
        return str2.toLowerCase();
    }

    private String getAccessTypesAsString(RangerAccessRequest rangerAccessRequest) {
        String str = null;
        Object obj = rangerAccessRequest.getContext().get("ACCESSTYPES");
        if (obj instanceof Set) {
            try {
                str = getFormattedAccessType((Set) obj);
            } catch (Throwable th) {
                LOG.error("getAccessTypesAsString(): failed to get accessTypes from context", th);
            }
        }
        return str;
    }

    private String getFormattedAccessType(Set<String> set) {
        String str = null;
        if (CollectionUtils.isNotEmpty(set)) {
            str = String.join(", ", set);
        }
        return str;
    }

    private void setRequestData() {
        if (StringUtils.isNotBlank(this.auditEvent.getAccessType()) && StringUtils.isNotBlank(this.callerContext)) {
            this.auditEvent.setRequestData(this.auditEvent.getAccessType() + "/" + this.callerContext);
        }
    }
}
