package org.apache.ranger.plugin.policyevaluator;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.ranger.plugin.model.AuditFilter;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerTagAccessRequest;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.class */
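/**
 * Policy evaluator for a single {@link AuditFilter}: it decides whether an access is
 * <em>audited</em>, never whether it is allowed.
 *
 * <p>Evaluation order is security-relevant. {@link #evaluate} does nothing once
 * {@code RangerAccessResult.getIsAuditedDetermined()} is true, and within this evaluator the
 * first item that matches and carries a non-null {@code isAudited} value sets the outcome.
 * A filter with {@code isAudited=false} therefore suppresses the audit record for every
 * request it matches. A filter with no resources, no users/groups/roles, no actions/access
 * types and no access result matches every request that reaches it, so such filters and
 * their priority deserve review.
 *
 * <p>Debug logging renders the full request and result objects; what those renderings
 * contain is defined outside this file (presumably user and resource names - confirm before
 * enabling debug level on shared log sinks).
 */
public class RangerAuditPolicyEvaluator extends RangerDefaultPolicyEvaluator {
    private static final Logger LOG = LoggerFactory.getLogger(RangerAuditPolicyEvaluator.class);

    private final RangerAuditPolicy auditPolicy;
    // true when the filter names no resources, i.e. it applies to every resource
    private final boolean matchAnyResource;
    // populated by init(); init() appends, so it is assumed to run once per instance - TODO confirm
    private final List<RangerAuditPolicyItemEvaluator> auditItemEvaluators = new ArrayList<>();

    /**
     * Synthetic {@link RangerPolicy} wrapping one {@link AuditFilter} so that the generic
     * evaluator machinery of the superclass can be reused.
     */
    public static class RangerAuditPolicy extends RangerPolicy {
        private final List<RangerAuditPolicyItem> auditPolicyItems;

        /**
         * @param auditFilter filter supplying the resources and the single policy item
         * @param i           value used both as the policy id and as the policy priority
         */
        public RangerAuditPolicy(AuditFilter auditFilter, int i) {
            setId(Long.valueOf(i));
            setResources(auditFilter.getResources());
            // 3 is a constant inlined by the decompiler; presumably the "audit" policy type - confirm
            setPolicyType(3);
            setPolicyPriority(Integer.valueOf(i));
            this.auditPolicyItems = Collections.singletonList(new RangerAuditPolicyItem(auditFilter));
        }

        /** @return the immutable single-element list holding this filter's policy item */
        public List<RangerAuditPolicyItem> getAuditPolicyItems() {
            return this.auditPolicyItems;
        }
    }

    /**
     * Policy item view of an {@link AuditFilter}: users/groups/roles live in the superclass,
     * while the access result, actions, access types and the audit decision are kept here.
     */
    public static class RangerAuditPolicyItem extends RangerPolicy.RangerPolicyItem {
        private final AuditFilter.AccessResult accessResult;
        private final Set<String> actions;
        private final Set<String> accessTypes;
        // null means "this filter does not decide"; see evaluatePolicyItems()
        private final Boolean isAudited;

        /**
         * @param auditFilter filter to copy from; its actions and access types are copied into
         *                    sets, and a null list becomes an empty set
         */
        public RangerAuditPolicyItem(AuditFilter auditFilter) {
            super(getPolicyItemAccesses(auditFilter.getAccessTypes()), auditFilter.getUsers(), auditFilter.getGroups(), auditFilter.getRoles(), null, null);
            this.accessResult = auditFilter.getAccessResult();
            this.actions = copyToSet(auditFilter.getActions());
            this.accessTypes = copyToSet(auditFilter.getAccessTypes());
            this.isAudited = auditFilter.getIsAudited();
        }

        /** @return actions named by the filter; never null, empty when the filter names none */
        public Set<String> getActions() {
            return this.actions;
        }

        /** @return access types named by the filter; never null, empty when the filter names none */
        public Set<String> getAccessTypes() {
            return this.accessTypes;
        }

        /** @return the access result the filter is restricted to, or null for "any result" */
        public AuditFilter.AccessResult getAccessResult() {
            return this.accessResult;
        }

        /** @return the audit decision of the filter, or null when the filter does not decide */
        public Boolean getIsAudited() {
            return this.isAudited;
        }

        /**
         * Appends a textual rendering of this item to {@code sb}.
         *
         * @param sb target buffer; a new one is created when null
         * @return the buffer that was written to
         */
        @Override
        public StringBuilder toString(StringBuilder sb) {
            StringBuilder out = sb != null ? sb : new StringBuilder();
            out.append("RangerAuditPolicyItem={");
            super.toString(out);
            out.append(" accessResult={").append(this.accessResult).append("}");
            out.append(" actions={");
            appendValues(out, this.actions);
            out.append("}");
            out.append(" accessTypes={");
            appendValues(out, this.accessTypes);
            out.append("}");
            out.append(" isAudited={").append(this.isAudited).append("}");
            out.append("}");
            return out;
        }

        /** Appends every non-null value followed by a single space; a null set appends nothing. */
        private static void appendValues(StringBuilder out, Set<String> values) {
            if (values == null) {
                return;
            }
            for (String value : values) {
                if (value != null) {
                    out.append(value).append(" ");
                }
            }
        }

        /** Copies {@code values} into a new set, or returns an empty set for null. */
        private static Set<String> copyToSet(Collection<String> values) {
            if (values == null) {
                return Collections.emptySet();
            }
            return new HashSet<>(values);
        }

        /** Wraps each access-type name in a policy item access; null yields an empty list. */
        private static List<RangerPolicy.RangerPolicyItemAccess> getPolicyItemAccesses(List<String> list) {
            if (list == null) {
                return Collections.emptyList();
            }
            List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<>(list.size());
            for (String accessType : list) {
                accesses.add(new RangerPolicy.RangerPolicyItemAccess(accessType));
            }
            return accesses;
        }
    }

    /**
     * Matches one {@link RangerAuditPolicyItem} against a request and its access result.
     * All "match any" flags are computed once at construction time.
     */
    public static class RangerAuditPolicyItemEvaluator extends RangerDefaultPolicyItemEvaluator {
        private final RangerAuditPolicyItem auditPolicyItem;
        private final boolean matchAnyResult;
        private final boolean matchAnyUser;
        private final boolean matchAnyAction;
        private final boolean hasResourceOwner;

        /**
         * @param rangerServiceDef          service definition handed to the superclass
         * @param rangerPolicy              owning policy handed to the superclass
         * @param rangerAuditPolicyItem     the item to evaluate
         * @param i                         order of this item within the policy
         * @param rangerPolicyEngineOptions engine options handed to the superclass
         */
        public RangerAuditPolicyItemEvaluator(RangerServiceDef rangerServiceDef, RangerPolicy rangerPolicy, RangerAuditPolicyItem rangerAuditPolicyItem, int i, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
            // 0 is a constant inlined by the decompiler; presumably the "allow" item type - confirm
            super(rangerServiceDef, rangerPolicy, rangerAuditPolicyItem, 0, i, rangerPolicyEngineOptions);
            this.auditPolicyItem = rangerAuditPolicyItem;
            this.matchAnyResult = rangerAuditPolicyItem.getAccessResult() == null;

            List<String> users = rangerAuditPolicyItem.getUsers();
            List<String> groups = rangerAuditPolicyItem.getGroups();

            // A filter applies to every caller when it names nobody at all, when it names the
            // public group, or when it names the current-user macro.
            boolean namesNobody = CollectionUtils.isEmpty(users) && CollectionUtils.isEmpty(groups) && CollectionUtils.isEmpty(rangerAuditPolicyItem.getRoles());
            boolean namesPublicGroup = CollectionUtils.isNotEmpty(groups) && groups.contains(RangerPolicyEngine.GROUP_PUBLIC);
            boolean namesCurrentUser = CollectionUtils.isNotEmpty(users) && users.contains(RangerPolicyEngine.USER_CURRENT);
            this.matchAnyUser = namesNobody || namesPublicGroup || namesCurrentUser;

            this.matchAnyAction = rangerAuditPolicyItem.getActions().isEmpty() && rangerAuditPolicyItem.getAccessTypes().isEmpty();
            this.hasResourceOwner = CollectionUtils.isNotEmpty(users) && users.contains(RangerPolicyEngine.RESOURCE_OWNER);

            if (RangerAuditPolicyEvaluator.LOG.isDebugEnabled()) {
                RangerAuditPolicyEvaluator.LOG.debug("RangerAuditPolicyItemEvaluator({}, matchAnyUser={}, matchAnyAction={}, hasResourceOwner={})", this.auditPolicyItem, this.matchAnyUser, this.matchAnyAction, this.hasResourceOwner);
            }
        }

        /** @return the audit decision of the wrapped item, or null when it does not decide */
        public Boolean getIsAudited() {
            return this.auditPolicyItem.getIsAudited();
        }

        /**
         * Tests whether this item applies: access result, then user/group/role, then action
         * must all match (checked in that order, stopping at the first mismatch).
         *
         * @param rangerAccessRequest the request being audited
         * @param rangerAccessResult  the access decision already computed for the request
         * @return true when all three conditions match
         */
        public boolean isMatch(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
            boolean matched = matchAccessResult(rangerAccessResult) && matchUserGroupRole(rangerAccessRequest) && matchAction(rangerAccessRequest);
            if (RangerAuditPolicyEvaluator.LOG.isDebugEnabled()) {
                RangerAuditPolicyEvaluator.LOG.debug("RangerAuditPolicyItemEvaluator.isMatch({}, {}): ret={}", rangerAccessRequest, rangerAccessResult, matched);
            }
            return matched;
        }

        /** Compares the filter's access result (if any) with the computed access decision. */
        private boolean matchAccessResult(RangerAccessResult rangerAccessResult) {
            boolean matched = this.matchAnyResult;
            if (!matched) {
                switch (this.auditPolicyItem.getAccessResult()) {
                    case DENIED:
                        matched = rangerAccessResult.getIsAccessDetermined() && !rangerAccessResult.getIsAllowed();
                        break;
                    case ALLOWED:
                        matched = rangerAccessResult.getIsAccessDetermined() && rangerAccessResult.getIsAllowed();
                        break;
                    case NOT_DETERMINED:
                        matched = !rangerAccessResult.getIsAccessDetermined();
                        break;
                    default:
                        // any other value never matches
                        break;
                }
            }
            if (RangerAuditPolicyEvaluator.LOG.isDebugEnabled()) {
                RangerAuditPolicyEvaluator.LOG.debug("RangerAuditPolicyItemEvaluator.matchAccessResult({}): ret={}", rangerAccessResult, matched);
            }
            return matched;
        }

        /**
         * Matches the caller by user name, then resource ownership, then group, then role.
         * Role membership is read from the request context rather than from the request itself.
         */
        private boolean matchUserGroupRole(RangerAccessRequest rangerAccessRequest) {
            boolean matched = this.matchAnyUser;
            if (!matched) {
                String user = rangerAccessRequest.getUser();
                if (this.auditPolicyItem.getUsers() != null && user != null) {
                    matched = this.auditPolicyItem.getUsers().contains(user);
                    if (!matched && this.hasResourceOwner) {
                        // a request without a resource has no owner, so the comparison is false
                        String owner = rangerAccessRequest.getResource() != null ? rangerAccessRequest.getResource().getOwnerUser() : null;
                        matched = user.equals(owner);
                    }
                }
                if (!matched && this.auditPolicyItem.getGroups() != null && rangerAccessRequest.getUserGroups() != null) {
                    matched = CollectionUtils.containsAny(this.auditPolicyItem.getGroups(), rangerAccessRequest.getUserGroups());
                }
                if (!matched && this.auditPolicyItem.getRoles() != null) {
                    // NOTE(review): assumes the context helper never returns null - confirm
                    matched = CollectionUtils.containsAny(this.auditPolicyItem.getRoles(), RangerAccessRequestUtil.getCurrentUserRolesFromContext(rangerAccessRequest.getContext()));
                }
            }
            if (RangerAuditPolicyEvaluator.LOG.isDebugEnabled()) {
                RangerAuditPolicyEvaluator.LOG.debug("RangerAuditPolicyItemEvaluator.matchUserGroupRole({}): ret={}", rangerAccessRequest, matched);
            }
            return matched;
        }

        /**
         * Matches when the request's action or, failing that, its access type is named by the
         * filter. The comparison is an exact set lookup, so it is case-sensitive.
         */
        private boolean matchAction(RangerAccessRequest rangerAccessRequest) {
            boolean matched = this.matchAnyAction;
            if (!matched) {
                if (rangerAccessRequest.getAction() != null) {
                    matched = this.auditPolicyItem.getActions().contains(rangerAccessRequest.getAction());
                }
                if (!matched && rangerAccessRequest.getAccessType() != null) {
                    matched = this.auditPolicyItem.getAccessTypes().contains(rangerAccessRequest.getAccessType());
                }
            }
            if (RangerAuditPolicyEvaluator.LOG.isDebugEnabled()) {
                RangerAuditPolicyEvaluator.LOG.debug("RangerAuditPolicyItemEvaluator.matchAction({}): ret={}", rangerAccessRequest, matched);
            }
            return matched;
        }
    }

    /**
     * @param auditFilter filter to evaluate; a filter without resources matches any resource
     * @param i           priority of the filter, also used as the synthetic policy id
     */
    public RangerAuditPolicyEvaluator(AuditFilter auditFilter, int i) {
        this.auditPolicy = new RangerAuditPolicy(auditFilter, i);
        this.matchAnyResource = MapUtils.isEmpty(auditFilter.getResources());
        if (LOG.isDebugEnabled()) {
            LOG.debug("RangerAuditPolicyEvaluator(auditFilter={}, priority={}, matchAnyResource={})", auditFilter, i, this.matchAnyResource);
        }
    }

    /** @return the synthetic policy built from the audit filter */
    public RangerAuditPolicy getAuditPolicy() {
        return this.auditPolicy;
    }

    /**
     * Initialises the superclass with the synthetic audit policy and builds one item
     * evaluator per audit policy item, numbered from 1.
     *
     * @param rangerPolicy              ignored; the policy built in the constructor is used instead
     * @param rangerServiceDef          service definition for the evaluators
     * @param rangerPolicyEngineOptions engine options for the evaluators
     */
    @Override
    public void init(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAuditPolicyEvaluator.init({})", this.auditPolicy.getId());
        }
        super.init(this.auditPolicy, rangerServiceDef, rangerPolicyEngineOptions);
        int itemOrder = 1;
        for (RangerAuditPolicyItem item : this.auditPolicy.getAuditPolicyItems()) {
            this.auditItemEvaluators.add(new RangerAuditPolicyItemEvaluator(rangerServiceDef, this.auditPolicy, item, itemOrder, rangerPolicyEngineOptions));
            itemOrder++;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAuditPolicyEvaluator.init({})", this.auditPolicy.getId());
        }
    }

    /** A filter without resources is treated as an ancestor of every resource definition. */
    @Override
    public boolean isAncestorOf(RangerServiceDef.RangerResourceDef rangerResourceDef) {
        return this.matchAnyResource || super.isAncestorOf(rangerResourceDef);
    }

    /**
     * Sets the audit decision on {@code rangerAccessResult} when this filter applies.
     * Nothing happens for a null argument, when the audit decision is already determined,
     * or when the request's resource does not match the filter.
     *
     * @param rangerAccessRequest the request being audited
     * @param rangerAccessResult  the result whose audit flag may be set
     */
    @Override
    public void evaluate(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAuditPolicyEvaluator.evaluate({}, {}, {})", this.auditPolicy.getId(), rangerAccessRequest, rangerAccessResult);
        }
        boolean undecided = rangerAccessRequest != null && rangerAccessResult != null && !rangerAccessResult.getIsAuditedDetermined();
        if (undecided && matchResource(rangerAccessRequest)) {
            evaluatePolicyItems(rangerAccessRequest, rangerAccessResult);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAuditPolicyEvaluator.evaluate({}, {}, {})", this.auditPolicy.getId(), rangerAccessRequest, rangerAccessResult);
        }
    }

    /**
     * Runs the superclass preprocessing, then expands implied access grants on the audit
     * policy items when the service definition declares any. The decompiler reports that
     * this method's access modifier was changed from protected.
     */
    @Override
    public void preprocessPolicy(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef) {
        super.preprocessPolicy(rangerPolicy, rangerServiceDef);
        Map<String, Collection<String>> impliedAccessGrants = getImpliedAccessGrants(rangerServiceDef);
        if (MapUtils.isEmpty(impliedAccessGrants)) {
            return;
        }
        preprocessPolicyItems(this.auditPolicy.getAuditPolicyItems(), impliedAccessGrants);
    }

    /**
     * Decides whether the request's resource falls under this filter.
     * Tag requests carry their own match type (ANCESTOR is treated as SELF); other requests
     * are matched through the policy resource matcher, and a missing matcher means no match.
     */
    private boolean matchResource(RangerAccessRequest rangerAccessRequest) {
        if (this.matchAnyResource) {
            return true;
        }

        RangerPolicyResourceMatcher.MatchType matchType;
        if (rangerAccessRequest instanceof RangerTagAccessRequest) {
            matchType = ((RangerTagAccessRequest) rangerAccessRequest).getMatchType();
            if (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
                matchType = RangerPolicyResourceMatcher.MatchType.SELF;
            }
        } else {
            RangerPolicyResourceMatcher matcher = getPolicyResourceMatcher();
            matchType = matcher != null ? matcher.getMatchType(rangerAccessRequest.getResource(), rangerAccessRequest.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
        }

        // "any access type" and "self or descendants" requests accept every kind of overlap;
        // all other requests need the filter to cover the resource itself.
        if (rangerAccessRequest.isAccessTypeAny() || rangerAccessRequest.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
            return matchType != RangerPolicyResourceMatcher.MatchType.NONE;
        }
        return matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
    }

    /**
     * Applies the first matching item that carries a decision. An item whose
     * {@code isAudited} is null is skipped even when it matches.
     */
    private void evaluatePolicyItems(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAuditPolicyEvaluator.evaluatePolicyItems({}, {}, {})", this.auditPolicy.getId(), rangerAccessRequest, rangerAccessResult);
        }
        for (RangerAuditPolicyItemEvaluator itemEvaluator : this.auditItemEvaluators) {
            if (!itemEvaluator.isMatch(rangerAccessRequest, rangerAccessResult)) {
                continue;
            }
            Boolean isAudited = itemEvaluator.getIsAudited();
            if (isAudited != null) {
                // this may be false: a matching filter can switch auditing off for the request
                rangerAccessResult.setIsAudited(isAudited.booleanValue());
                break;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAuditPolicyEvaluator.evaluatePolicyItems({}, {}, {})", this.auditPolicy.getId(), rangerAccessRequest, rangerAccessResult);
        }
    }

    /**
     * Appends a textual rendering of this evaluator to {@code sb}.
     *
     * @param sb target buffer; a new one is created when null, as the policy item's
     *           {@code toString(StringBuilder)} does
     * @return the buffer that was written to
     */
    @Override
    public StringBuilder toString(StringBuilder sb) {
        StringBuilder out = sb != null ? sb : new StringBuilder();
        out.append("RangerAuditPolicyEvaluator={");
        super.toString(out);
        out.append("auditPolicy={");
        this.auditPolicy.toString(out);
        out.append("}");
        out.append(" matchAnyResource={").append(this.matchAnyResource).append("}");
        out.append("}");
        return out;
    }
}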
