package org.apache.hadoop.hdfs.server.namenode;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.Stack;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.fs.permission.AclEntryScope;
import org.apache.hadoop.fs.permission.AclEntryType;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
import org.apache.hadoop.hdfs.util.ReadOnlyList;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Marker;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:lib/hadoop-hdfs-2.7.0-mapr-1710.jar:org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.class */
public class FSPermissionChecker implements INodeAttributeProvider.AccessControlEnforcer {
    static final Log LOG = LogFactory.getLog(UserGroupInformation.class);
    private final String fsOwner;
    private final String supergroup;
    private final UserGroupInformation callerUgi;
    private final String user;
    private final Set<String> groups;
    private final boolean isSuper;
    private final INodeAttributeProvider attributeProvider;

    private String toAccessControlString(INodeAttributes iNodeAttributes, String str, FsAction fsAction, FsPermission fsPermission) {
        return toAccessControlString(iNodeAttributes, str, fsAction, fsPermission, false);
    }

    private String toAccessControlString(INodeAttributes iNodeAttributes, String str, FsAction fsAction, FsPermission fsPermission, boolean z) {
        StringBuilder append = new StringBuilder("Permission denied: ").append("user=").append(getUser()).append(", ").append("access=").append(fsAction).append(", ").append("inode=\"").append(str).append("\":").append(iNodeAttributes.getUserName()).append(':').append(iNodeAttributes.getGroupName()).append(':').append(iNodeAttributes.isDirectory() ? 'd' : '-').append(fsPermission);
        if (z) {
            append.append(Marker.ANY_NON_NULL_MARKER);
        }
        return append.toString();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public FSPermissionChecker(String str, String str2, UserGroupInformation userGroupInformation, INodeAttributeProvider iNodeAttributeProvider) {
        this.fsOwner = str;
        this.supergroup = str2;
        this.callerUgi = userGroupInformation;
        this.groups = Collections.unmodifiableSet(new HashSet(Arrays.asList(userGroupInformation.getGroupNames())));
        this.user = userGroupInformation.getShortUserName();
        this.isSuper = this.user.equals(str) || this.groups.contains(str2);
        this.attributeProvider = iNodeAttributeProvider;
    }

    public boolean containsGroup(String str) {
        return this.groups.contains(str);
    }

    public String getUser() {
        return this.user;
    }

    public Set<String> getGroups() {
        return this.groups;
    }

    public boolean isSuperUser() {
        return this.isSuper;
    }

    public INodeAttributeProvider getAttributesProvider() {
        return this.attributeProvider;
    }

    public void checkSuperuserPrivilege() throws AccessControlException {
        if (!isSuperUser()) {
            throw new AccessControlException("Access denied for user " + getUser() + ". Superuser privilege is required");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v11, types: [byte[], byte[][]] */
    public void checkPermission(INodesInPath iNodesInPath, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2) throws AccessControlException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("ACCESS CHECK: " + this + ", doCheckOwner=" + z + ", ancestorAccess=" + fsAction + ", parentAccess=" + fsAction2 + ", access=" + fsAction3 + ", subAccess=" + fsAction4 + ", ignoreEmptyDir=" + z2);
        }
        int pathSnapshotId = iNodesInPath.getPathSnapshotId();
        INode[] iNodesArray = iNodesInPath.getINodesArray();
        INodeAttributes[] iNodeAttributesArr = new INodeAttributes[iNodesArray.length];
        ?? r0 = new byte[iNodesArray.length];
        for (int i = 0; i < iNodesArray.length && iNodesArray[i] != null; i++) {
            if (iNodesArray[i] != null) {
                r0[i] = iNodesArray[i].getLocalNameBytes();
                iNodeAttributesArr[i] = getINodeAttrs(r0, i, iNodesArray[i], pathSnapshotId);
            }
        }
        getAttributesProvider().getExternalAccessControlEnforcer(this).checkPermission(this.fsOwner, this.supergroup, this.callerUgi, iNodeAttributesArr, iNodesArray, r0, pathSnapshotId, iNodesInPath.getPath(), iNodesArray.length - 2, z, fsAction, fsAction2, fsAction3, fsAction4, z2);
    }

    @Override // org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider.AccessControlEnforcer
    public void checkPermission(String str, String str2, UserGroupInformation userGroupInformation, INodeAttributes[] iNodeAttributesArr, INode[] iNodeArr, byte[][] bArr, int i, String str3, int i2, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2) throws AccessControlException {
        while (i2 >= 0 && iNodeArr[i2] == null) {
            i2--;
        }
        checkTraverse(iNodeAttributesArr, str3, i2);
        INodeAttributes iNodeAttributes = iNodeAttributesArr[iNodeAttributesArr.length - 1];
        if (fsAction2 != null && fsAction2.implies(FsAction.WRITE) && iNodeAttributesArr.length > 1 && iNodeAttributes != null) {
            checkStickyBit(iNodeAttributesArr[iNodeAttributesArr.length - 2], iNodeAttributes);
        }
        if (fsAction != null && iNodeAttributesArr.length > 1) {
            check(iNodeAttributesArr, str3, i2, fsAction);
        }
        if (fsAction2 != null && iNodeAttributesArr.length > 1) {
            check(iNodeAttributesArr, str3, iNodeAttributesArr.length - 2, fsAction2);
        }
        if (fsAction3 != null) {
            check(iNodeAttributes, str3, fsAction3);
        }
        if (fsAction4 != null) {
            checkSubAccess(bArr, iNodeAttributesArr.length - 1, iNodeArr[iNodeAttributesArr.length - 1], i, fsAction4, z2);
        }
        if (z) {
            checkOwner(iNodeAttributes);
        }
    }

    private INodeAttributes getINodeAttrs(byte[][] bArr, int i, INode iNode, int i2) {
        INodeAttributes snapshotINode = iNode.getSnapshotINode(i2);
        if (getAttributesProvider() != null) {
            String[] strArr = new String[i + 1];
            for (int i3 = 0; i3 < strArr.length; i3++) {
                strArr[i3] = DFSUtil.bytes2String(bArr[i3]);
            }
            snapshotINode = getAttributesProvider().getAttributes(strArr, snapshotINode);
        }
        return snapshotINode;
    }

    private void checkOwner(INodeAttributes iNodeAttributes) throws AccessControlException {
        if (!getUser().equals(iNodeAttributes.getUserName())) {
            throw new AccessControlException("Permission denied. user=" + getUser() + " is not the owner of inode=" + iNodeAttributes);
        }
    }

    private void checkTraverse(INodeAttributes[] iNodeAttributesArr, String str, int i) throws AccessControlException {
        for (int i2 = 0; i2 <= i; i2++) {
            check(iNodeAttributesArr[i2], str, FsAction.EXECUTE);
        }
    }

    private void checkSubAccess(byte[][] bArr, int i, INode iNode, int i2, FsAction fsAction, boolean z) throws AccessControlException {
        if (iNode == null || !iNode.isDirectory()) {
            return;
        }
        Stack stack = new Stack();
        stack.push(iNode.asDirectory());
        while (!stack.isEmpty()) {
            INodeDirectory iNodeDirectory = (INodeDirectory) stack.pop();
            ReadOnlyList<INode> childrenList = iNodeDirectory.getChildrenList(i2);
            if (!childrenList.isEmpty() || !z) {
                check(getINodeAttrs(bArr, i, iNodeDirectory, i2), iNode.getFullPathName(), fsAction);
            }
            for (INode iNode2 : childrenList) {
                if (iNode2.isDirectory()) {
                    stack.push(iNode2.asDirectory());
                }
            }
        }
    }

    private void check(INodeAttributes[] iNodeAttributesArr, String str, int i, FsAction fsAction) throws AccessControlException {
        check(i >= 0 ? iNodeAttributesArr[i] : null, str, fsAction);
    }

    private void check(INodeAttributes iNodeAttributes, String str, FsAction fsAction) throws AccessControlException {
        if (iNodeAttributes == null) {
            return;
        }
        FsPermission fsPermission = iNodeAttributes.getFsPermission();
        AclFeature aclFeature = iNodeAttributes.getAclFeature();
        if (aclFeature != null && AclEntryStatusFormat.getScope(aclFeature.getEntryAt(0)) == AclEntryScope.ACCESS) {
            checkAccessAcl(iNodeAttributes, str, fsAction, fsPermission, aclFeature);
            return;
        }
        if (getUser().equals(iNodeAttributes.getUserName())) {
            if (fsPermission.getUserAction().implies(fsAction)) {
                return;
            }
        } else if (getGroups().contains(iNodeAttributes.getGroupName())) {
            if (fsPermission.getGroupAction().implies(fsAction)) {
                return;
            }
        } else if (fsPermission.getOtherAction().implies(fsAction)) {
            return;
        }
        throw new AccessControlException(toAccessControlString(iNodeAttributes, str, fsAction, fsPermission));
    }

    private void checkAccessAcl(INodeAttributes iNodeAttributes, String str, FsAction fsAction, FsPermission fsPermission, AclFeature aclFeature) throws AccessControlException {
        boolean z = false;
        if (getUser().equals(iNodeAttributes.getUserName())) {
            if (fsPermission.getUserAction().implies(fsAction)) {
                return;
            } else {
                z = true;
            }
        }
        if (!z) {
            int i = 0;
            while (true) {
                if (i >= aclFeature.getEntriesSize()) {
                    break;
                }
                int entryAt = aclFeature.getEntryAt(i);
                if (AclEntryStatusFormat.getScope(entryAt) == AclEntryScope.DEFAULT) {
                    break;
                }
                AclEntryType type = AclEntryStatusFormat.getType(entryAt);
                String name = AclEntryStatusFormat.getName(entryAt);
                if (type == AclEntryType.USER) {
                    if (getUser().equals(name)) {
                        if (AclEntryStatusFormat.getPermission(entryAt).and(fsPermission.getGroupAction()).implies(fsAction)) {
                            return;
                        } else {
                            z = true;
                        }
                    }
                } else if (type != AclEntryType.GROUP) {
                    continue;
                } else {
                    if (!getGroups().contains(name == null ? iNodeAttributes.getGroupName() : name)) {
                        continue;
                    } else if (AclEntryStatusFormat.getPermission(entryAt).and(fsPermission.getGroupAction()).implies(fsAction)) {
                        return;
                    } else {
                        z = true;
                    }
                }
                i++;
            }
        }
        if (z || !fsPermission.getOtherAction().implies(fsAction)) {
            throw new AccessControlException(toAccessControlString(iNodeAttributes, str, fsAction, fsPermission));
        }
    }

    private void checkStickyBit(INodeAttributes iNodeAttributes, INodeAttributes iNodeAttributes2) throws AccessControlException {
        if (iNodeAttributes.getFsPermission().getStickyBit() && !iNodeAttributes.getUserName().equals(getUser()) && !iNodeAttributes2.getUserName().equals(getUser())) {
            throw new AccessControlException("Permission denied by sticky bit setting: user=" + getUser() + ", inode=" + iNodeAttributes2);
        }
    }

    public void checkPermission(CachePool cachePool, FsAction fsAction) throws AccessControlException {
        FsPermission mode = cachePool.getMode();
        if (isSuperUser()) {
            return;
        }
        if (getUser().equals(cachePool.getOwnerName()) && mode.getUserAction().implies(fsAction)) {
            return;
        }
        if ((!getGroups().contains(cachePool.getGroupName()) || !mode.getGroupAction().implies(fsAction)) && !mode.getOtherAction().implies(fsAction)) {
            throw new AccessControlException("Permission denied while accessing pool " + cachePool.getPoolName() + ": user " + getUser() + " does not have " + fsAction.toString() + " permissions.");
        }
    }
}
