package org.apache.oozie.service;

import com.google.common.base.Charsets;
import com.google.common.collect.Sets;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.AccessControlException;
import org.apache.oozie.BundleJobBean;
import org.apache.oozie.BundleJobInfo;
import org.apache.oozie.CoordinatorJobBean;
import org.apache.oozie.CoordinatorJobInfo;
import org.apache.oozie.ErrorCode;
import org.apache.oozie.WorkflowJobBean;
import org.apache.oozie.WorkflowsInfo;
import org.apache.oozie.client.XOozieClient;
import org.apache.oozie.client.rest.RestConstants;
import org.apache.oozie.executor.jpa.BundleJobGetJPAExecutor;
import org.apache.oozie.executor.jpa.BundleJobInfoGetJPAExecutor;
import org.apache.oozie.executor.jpa.CoordJobGetJPAExecutor;
import org.apache.oozie.executor.jpa.CoordJobInfoGetJPAExecutor;
import org.apache.oozie.executor.jpa.JPAExecutorException;
import org.apache.oozie.executor.jpa.WorkflowJobQueryExecutor;
import org.apache.oozie.executor.jpa.WorkflowsJobGetJPAExecutor;
import org.apache.oozie.util.ConfigUtils;
import org.apache.oozie.util.Instrumentation;
import org.apache.oozie.util.XLog;
import org.apache.tools.ant.taskdefs.optional.vss.MSVSSConstants;

/* loaded from: input_file:WEB-INF/lib/oozie-core-5.1.0.0-mapr-1901.jar:org/apache/oozie/service/AuthorizationService.class */
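/**
 * Authorization checks for Oozie operations: admin status, job ownership / ACL membership,
 * readability of an application directory, and access to system information.
 *
 * <p>Every {@code authorizeFor*} method is a no-op while authorization is disabled
 * ({@link #CONF_AUTHORIZATION_ENABLED}, or the deprecated {@link #CONF_SECURITY_ENABLED}).
 * A denied check increments the {@value #INSTR_FAILED_AUTH_COUNTER} counter of the
 * {@value #INSTRUMENTATION_GROUP} instrumentation group and throws an
 * {@link AuthorizationException}.
 *
 * <p>Admin membership comes from exactly one source, chosen in {@link #init(Services)}:
 * the groups listed in {@link #CONF_ADMIN_GROUPS} when that property is set, otherwise the
 * union of {@value #ADMIN_USERS_FILE} in the configuration directory and
 * {@link #CONF_ADMIN_USERS}.
 */
public class AuthorizationService implements Service {
    public static final String CONF_PREFIX = "oozie.service.AuthorizationService.";
    /** Deprecated spelling of {@link #CONF_AUTHORIZATION_ENABLED}, still honoured by {@link #init}. */
    public static final String CONF_SECURITY_ENABLED = "oozie.service.AuthorizationService.security.enabled";
    public static final String CONF_AUTHORIZATION_ENABLED = "oozie.service.AuthorizationService.authorization.enabled";
    public static final String CONF_DEFAULT_GROUP_AS_ACL = "oozie.service.AuthorizationService.default.group.as.acl";
    /** Comma-separated groups whose members are admins; when set, {@value #ADMIN_USERS_FILE} is not read. */
    public static final String CONF_ADMIN_GROUPS = "oozie.service.AuthorizationService.admin.groups";
    /** Comma-separated users allowed to read system info; unset means no restriction. */
    public static final String CONF_SYSTEM_INFO_AUTHORIZED_USERS = "oozie.service.AuthorizationService.system.info.authorized.users";
    /** Admin users taken from the configuration, in addition to {@value #ADMIN_USERS_FILE}. */
    public static final String CONF_ADMIN_USERS = "oozie.service.AuthorizationService.admin.users";
    public static final String ADMIN_USERS_FILE = "adminusers.txt";
    protected static final String INSTRUMENTATION_GROUP = "authorization";
    protected static final String INSTR_FAILED_AUTH_COUNTER = "authorization.failed";

    // Exactly one of adminGroups / adminUsers is populated by init(); isAdmin() keys on which.
    private Set<String> adminGroups;
    private Set<String> adminUsers;
    // Only populated when CONF_SYSTEM_INFO_AUTHORIZED_USERS is set (authorizedSystemInfo == true).
    private Set<String> sysInfoAuthUsers;
    private boolean authorizationEnabled;
    private boolean useDefaultGroupAsAcl;
    private boolean authorizedSystemInfo = false;
    private final XLog log = XLog.getLog(getClass());
    // Null until the end of init(); incrCounter() tolerates that.
    private Instrumentation instrumentation;

    /**
     * Splits a comma-separated configuration value into trimmed items.
     *
     * @param value raw configuration value, may be {@code null}
     * @return the items, or an empty array for a {@code null} or blank value
     */
    private String[] getTrimmedStrings(String value) {
        if (value == null || value.trim().isEmpty()) {
            return new String[0];
        }
        return value.trim().split("\\s*,\\s*");
    }

    /**
     * Reads the authorization configuration and loads the admin user / group sources.
     *
     * @param services the services container providing the configuration
     * @throws ServiceException if the admin users file exists but cannot be read
     */
    @Override
    public void init(Services services) throws ServiceException {
        authorizationEnabled = ConfigUtils.getWithDeprecatedCheck(services.getConf(),
                CONF_AUTHORIZATION_ENABLED, CONF_SECURITY_ENABLED, false);

        // An explicit user list restricts system-info access; without one the check in
        // authorizeForSystemInfo() is skipped entirely.
        String sysInfoUsers = ConfigurationService.get(CONF_SYSTEM_INFO_AUTHORIZED_USERS);
        if (!StringUtils.isBlank(sysInfoUsers)) {
            authorizedSystemInfo = true;
            sysInfoAuthUsers = new HashSet<>(Arrays.asList(getTrimmedStrings(sysInfoUsers)));
        }

        if (!authorizationEnabled) {
            log.warn("Oozie running with authorization disabled");
        } else {
            log.info("Oozie running with authorization enabled");
            useDefaultGroupAsAcl = ConfigurationService.getBoolean(CONF_DEFAULT_GROUP_AS_ACL);
            String[] groups = getTrimmedStrings(services.getConf().get(CONF_ADMIN_GROUPS));
            if (groups.length > 0) {
                // Group-based mode: adminUsers stays null so isAdmin() consults the groups.
                log.info("Admin users will be checked against the defined admin groups");
                adminGroups = new HashSet<>(Arrays.asList(groups));
            } else {
                log.info("Admin users will be checked against the 'adminusers.txt' file contents");
                adminUsers = new HashSet<>();
                loadAdminUsersFromFile();
                loadAdminUsersFromConfiguration();
            }
        }
        instrumentation = Services.get().get(InstrumentationService.class).get();
    }

    /**
     * @return whether authorization is enabled
     * @deprecated use {@link #isAuthorizationEnabled()}
     */
    @Deprecated
    public boolean isSecurityEnabled() {
        return isAuthorizationEnabled();
    }

    /** @return whether a user's default group is used as the job ACL when none is given. */
    public boolean useDefaultGroupAsAcl() {
        return useDefaultGroupAsAcl;
    }

    /** @return whether authorization is enabled. */
    public boolean isAuthorizationEnabled() {
        return authorizationEnabled;
    }

    /**
     * Adds the users listed in {@value #ADMIN_USERS_FILE} under the configuration directory to
     * {@link #adminUsers}. One user per line; blank lines and lines starting with {@code #}
     * are ignored. A missing configuration directory or file only logs a warning.
     *
     * @throws ServiceException ({@link ErrorCode#E0160}) if the file exists but cannot be read
     */
    private void loadAdminUsersFromFile() throws ServiceException {
        String configDir = Services.get().get(ConfigurationService.class).getConfigDir();
        if (configDir == null) {
            log.warn("Reading configuration from classpath, running without admin users");
            return;
        }
        // The location is rebuilt from parsed path components rather than concatenated.
        // NOTE(review): FilenameUtils.getBaseName() drops any ".suffix" from the last directory
        // name — confirm configDir never carries one.
        File file = new File(FilenameUtils.getFullPath(configDir) + FilenameUtils.getBaseName(configDir),
                FilenameUtils.getName(ADMIN_USERS_FILE));
        if (!file.exists()) {
            log.warn("Admin users file not available in config dir [{0}]", configDir);
            return;
        }
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8))) {
            for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                String user = line.trim();
                if (!user.isEmpty() && !user.startsWith("#")) {
                    adminUsers.add(user);
                }
            }
        } catch (IOException ex) {
            throw new ServiceException(ErrorCode.E0160, file.getAbsolutePath(), ex);
        }
    }

    /**
     * Adds the users configured under {@link #CONF_ADMIN_USERS} to {@link #adminUsers}.
     * Does nothing when the property is unset or empty.
     */
    private void loadAdminUsersFromConfiguration() {
        Set<String> configured = new LinkedHashSet<>(
                Services.get().get(ConfigurationService.class).getConf().getStringCollection(CONF_ADMIN_USERS));
        if (configured.isEmpty()) {
            return;
        }
        log.info("{0} admin users found in oozie-site.xml", configured.size());
        adminUsers.addAll(configured);
    }

    @Override
    public void destroy() {
    }

    @Override
    public Class<? extends Service> getInterface() {
        return AuthorizationService.class;
    }

    /**
     * Checks group membership through the {@link GroupsService}.
     *
     * @param user  user name
     * @param group group name
     * @return whether {@code user} belongs to {@code group}
     * @throws AuthorizationException ({@link ErrorCode#E0501}) if the group lookup fails
     */
    protected boolean isUserInGroup(String user, String group) throws AuthorizationException {
        try {
            return Services.get().get(GroupsService.class).getGroups(user).contains(group);
        } catch (IOException ex) {
            throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
        }
    }

    /**
     * Requires {@code user} to be a member of {@code group}.
     *
     * @param user  user name
     * @param group group name
     * @throws AuthorizationException ({@link ErrorCode#E0502}) if the user is not in the group
     */
    public void authorizeForGroup(String user, String group) throws AuthorizationException {
        // NOTE(review): unlike the other checks this one does not bump INSTR_FAILED_AUTH_COUNTER,
        // so group denials are invisible to instrumentation.
        if (authorizationEnabled && !isUserInGroup(user, group)) {
            throw new AuthorizationException(ErrorCode.E0502, user, group);
        }
    }

    /**
     * Returns the first group reported for {@code user} by the {@link GroupsService}.
     *
     * @param user user name
     * @return the user's first (default) group
     * @throws AuthorizationException ({@link ErrorCode#E0501}) if the lookup fails or yields no group
     */
    public String getDefaultGroup(String user) throws AuthorizationException {
        try {
            List<String> groups = Services.get().get(GroupsService.class).getGroups(user);
            if (groups.isEmpty()) {
                // Previously surfaced as an IndexOutOfBoundsException from groups.get(0).
                throw new AuthorizationException(ErrorCode.E0501, "no groups found for user [" + user + "]");
            }
            return groups.get(0);
        } catch (IOException ex) {
            throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
        }
    }

    /**
     * Decides whether {@code user} is an admin, using whichever source {@link #init} populated.
     * A failed group lookup is logged and treated as "not a member" of that group, never as a grant.
     *
     * @param user user name
     * @return whether the user is an admin; {@code false} when no admin source is configured
     */
    protected boolean isAdmin(String user) {
        if (adminUsers != null) {
            return adminUsers.contains(user);
        }
        if (adminGroups == null) {
            // Neither source configured (authorization disabled): fail closed.
            return false;
        }
        for (String group : adminGroups) {
            try {
                if (isUserInGroup(user, group)) {
                    return true;
                }
            } catch (AuthorizationException ex) {
                log.warn("Admin check failed, " + ex.toString(), ex);
            }
        }
        return false;
    }

    /**
     * Requires access to system information. Access is granted when authorization is disabled,
     * when no authorized-user list is configured, when either principal is listed, or when either
     * principal is an admin.
     *
     * @param user      requesting user
     * @param proxyUser second principal that is checked the same way (presumably the proxied
     *                  user — confirm against callers)
     * @throws AuthorizationException ({@link ErrorCode#E0503}) if neither principal is authorized
     */
    public void authorizeForSystemInfo(String user, String proxyUser) throws AuthorizationException {
        if (!authorizationEnabled || !authorizedSystemInfo) {
            return;
        }
        if (sysInfoAuthUsers.contains(user) || sysInfoAuthUsers.contains(proxyUser)
                || isAdmin(user) || isAdmin(proxyUser)) {
            return;
        }
        incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
        throw new AuthorizationException(ErrorCode.E0503, user);
    }

    /**
     * Requires admin rights for a write operation.
     *
     * @param user  user name
     * @param write whether the operation is a write; reads are never restricted here
     * @throws AuthorizationException ({@link ErrorCode#E0503}) if a write is attempted by a non-admin
     */
    public void authorizeForAdmin(String user, boolean write) throws AuthorizationException {
        if (authorizationEnabled && write && !isAdmin(user)) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0503, user);
        }
    }

    /**
     * Creates a file system for {@code appPath}'s authority on behalf of {@code user}, so that
     * the subsequent existence and open checks run with the user's permissions.
     */
    private FileSystem createAppFileSystem(String user, String appPath)
            throws IOException, HadoopAccessorException {
        HadoopAccessorService hadoopAccessor = Services.get().get(HadoopAccessorService.class);
        URI uri = new Path(appPath).toUri();
        return hadoopAccessor.createFileSystem(user, uri, hadoopAccessor.createConfiguration(uri.getAuthority()));
    }

    /** Fails with {@link ErrorCode#E0504} when the application path does not exist. */
    private void requireAppPathExists(FileSystem fs, Path path, String appPath)
            throws IOException, AuthorizationException {
        if (!fs.exists(path)) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0504, appPath);
        }
    }

    /**
     * Fails with {@link ErrorCode#E0505} when {@code file} is missing and with
     * {@link ErrorCode#E0506} when it is not a regular file. Opening it is what verifies the user
     * may read it; an {@link AccessControlException} propagates to the caller.
     */
    private void requireReadableFile(FileSystem fs, Path file, String appPath)
            throws IOException, AuthorizationException {
        if (!fs.exists(file)) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0505, appPath);
        }
        if (!fs.isFile(file)) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0506, appPath);
        }
        fs.open(file).close();
    }

    /**
     * Requires that {@code appPath} exists and that {@code workflow.xml} inside it is a regular
     * file readable by {@code user}.
     *
     * @param user    user name
     * @param group   group name (not used by this check)
     * @param appPath application path
     * @param jobConf job configuration (not used by this check)
     * @throws AuthorizationException E0504/E0505/E0506 for a missing path, missing or non-file
     *                                definition, E0507 when access is denied, E0501 on other
     *                                I/O errors
     */
    public void authorizeForApp(String user, String group, String appPath, Configuration jobConf)
            throws AuthorizationException {
        try {
            FileSystem fs = createAppFileSystem(user, appPath);
            Path path = new Path(appPath);
            try {
                requireAppPathExists(fs, path, appPath);
                requireReadableFile(fs, new Path(path, "workflow.xml"), appPath);
            } catch (AccessControlException ex) {
                incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                throw new AuthorizationException(ErrorCode.E0507, appPath, ex.getMessage(), ex);
            }
        } catch (IOException ex) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
        } catch (HadoopAccessorException ex) {
            throw new AuthorizationException(ex);
        }
    }

    /**
     * Requires that {@code appPath} exists and, unless the submission is a proxy submission or
     * {@code appPath} is itself a file, that {@code fileName} inside it is a regular file readable
     * by {@code user}.
     *
     * @param user     user name
     * @param group    group name (not used by this check)
     * @param appPath  application path
     * @param fileName application definition file name within {@code appPath}
     * @param jobConf  job configuration; {@link XOozieClient#IS_PROXY_SUBMISSION} disables the
     *                 definition-file check
     * @throws AuthorizationException E0504/E0505/E0506 for a missing path, missing or non-file
     *                                definition, E0507 when access is denied, E0501 on other
     *                                I/O errors
     */
    public void authorizeForApp(String user, String group, String appPath, String fileName, Configuration jobConf)
            throws AuthorizationException {
        try {
            FileSystem fs = createAppFileSystem(user, appPath);
            Path path = new Path(appPath);
            try {
                requireAppPathExists(fs, path, appPath);
                // Nothing further to check for proxy submissions or when appPath is already a file.
                if (jobConf.get(XOozieClient.IS_PROXY_SUBMISSION) == null && !fs.isFile(path)) {
                    requireReadableFile(fs, new Path(path, fileName), appPath);
                }
            } catch (AccessControlException ex) {
                incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                throw new AuthorizationException(ErrorCode.E0507, appPath, ex.getMessage(), ex);
            }
        } catch (IOException ex) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
        } catch (HadoopAccessorException ex) {
            throw new AuthorizationException(ex);
        }
    }

    /**
     * Matches {@code user} against a comma-separated ACL whose entries may be user names or
     * group names.
     *
     * @param user user name
     * @param acl  comma-separated ACL, may be {@code null} or blank (then nobody matches)
     * @return whether an entry equals the user name or names one of the user's groups
     * @throws IOException if the group lookup fails
     */
    private boolean isUserInAcl(String user, String acl) throws IOException {
        if (acl == null || acl.trim().isEmpty()) {
            return false;
        }
        GroupsService groupsService = Services.get().get(GroupsService.class);
        // Group lookup can be expensive; fetch at most once and only if a name match fails.
        List<String> userGroups = null;
        for (String item : acl.split(",")) {
            String entry = item.trim();
            if (entry.equals(user)) {
                return true;
            }
            if (userGroups == null) {
                userGroups = groupsService.getGroups(user);
            }
            if (userGroups.contains(entry)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the {@link JPAService}, failing with {@link ErrorCode#E0610} when it is unavailable.
     */
    private JPAService requireJpaService() throws AuthorizationException {
        JPAService jpaService = Services.get().get(JPAService.class);
        if (jpaService == null) {
            throw new AuthorizationException(ErrorCode.E0610);
        }
        return jpaService;
    }

    /**
     * Grants access when {@code user} owns the job or matches its ACL; otherwise counts the
     * failure and throws {@code code} with {@code user} and {@code jobId} as message arguments.
     * A {@code null} owner is never treated as a match.
     */
    private void requireOwnerOrInAcl(String user, String owner, String acl, ErrorCode code, String jobId)
            throws IOException, AuthorizationException {
        if ((owner != null && owner.equals(user)) || isUserInAcl(user, acl)) {
            return;
        }
        incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
        throw new AuthorizationException(code, user, jobId);
    }

    /**
     * Requires {@code user} to own, or be in the ACL of, the job for a write operation. Workflow
     * ids end in {@code -W} and bundle ids in {@code -B}; any other id is looked up as a
     * coordinator job. A job that cannot be found is not an authorization failure here
     * (presumably the command itself reports it — confirm against callers).
     *
     * <p>As decompiled, the workflow and bundle branches threw unconditionally (the ownership
     * condition had an empty body), denying every non-admin including the owner; the branches
     * now behave like the coordinator branch.
     *
     * @param user  user name
     * @param jobId job id
     * @param write whether the operation is a write; reads are never restricted here
     * @throws AuthorizationException E0508 (workflow) or E0509 (bundle/coordinator) when denied,
     *                                E0610 without a JPA service, E0501 on group-lookup errors,
     *                                or a wrapped {@link JPAExecutorException}
     */
    public void authorizeForJob(String user, String jobId, boolean write) throws AuthorizationException {
        if (!authorizationEnabled || !write || isAdmin(user)) {
            return;
        }
        try {
            if (jobId.endsWith("-W")) {
                requireJpaService();
                WorkflowJobBean job;
                try {
                    job = WorkflowJobQueryExecutor.getInstance()
                            .get(WorkflowJobQueryExecutor.WorkflowJobQuery.GET_WORKFLOW_USER_GROUP, jobId);
                } catch (JPAExecutorException ex) {
                    throw new AuthorizationException(ex);
                }
                if (job != null) {
                    requireOwnerOrInAcl(user, job.getUser(), job.getGroup(), ErrorCode.E0508, jobId);
                }
            } else if (jobId.endsWith("-B")) {
                JPAService jpaService = requireJpaService();
                BundleJobBean job;
                try {
                    job = (BundleJobBean) jpaService.execute(new BundleJobGetJPAExecutor(jobId));
                } catch (JPAExecutorException ex) {
                    throw new AuthorizationException(ex);
                }
                if (job != null) {
                    requireOwnerOrInAcl(user, job.getUser(), job.getGroup(), ErrorCode.E0509, jobId);
                }
            } else {
                JPAService jpaService = requireJpaService();
                CoordinatorJobBean job;
                try {
                    job = (CoordinatorJobBean) jpaService.execute(new CoordJobGetJPAExecutor(jobId));
                } catch (JPAExecutorException ex) {
                    throw new AuthorizationException(ex);
                }
                if (job != null) {
                    requireOwnerOrInAcl(user, job.getUser(), job.getGroup(), ErrorCode.E0509, jobId);
                }
            }
        } catch (IOException ex) {
            throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
        }
    }

    /**
     * Requires {@code user} to own, or be in the ACL of, every job selected by {@code filter}
     * for a write operation. {@code jobType} {@code "wf"} selects workflows, {@code "bundle"}
     * selects bundles and any other value selects coordinators (the decompiled hash-based
     * switch was on these same strings).
     *
     * @param user    user name
     * @param filter  job filter passed to the JPA executors
     * @param jobType {@code "wf"}, {@code "bundle"}, or anything else for coordinators
     * @param start   first job offset passed to the JPA executors
     * @param len     number of jobs passed to the JPA executors
     * @param write   whether the operation is a write; reads are never restricted here
     * @throws AuthorizationException E0508 (workflow) or E0509 (bundle/coordinator) naming the
     *                                first denied job, E0610 without a JPA service, E0501 on
     *                                group-lookup errors, or a wrapped {@link JPAExecutorException}
     */
    public void authorizeForJobs(String user, Map<String, List<String>> filter, String jobType, int start, int len,
            boolean write) throws AuthorizationException {
        if (!authorizationEnabled || !write || isAdmin(user)) {
            return;
        }
        JPAService jpaService = requireJpaService();
        try {
            switch (jobType) {
                case "wf":
                    try {
                        for (WorkflowJobBean job : ((WorkflowsInfo) jpaService.execute(
                                new WorkflowsJobGetJPAExecutor(filter, start, len))).getWorkflows()) {
                            if (job != null) {
                                requireOwnerOrInAcl(user, job.getUser(), job.getGroup(), ErrorCode.E0508, job.getId());
                            }
                        }
                    } catch (JPAExecutorException ex) {
                        throw new AuthorizationException(ex);
                    }
                    break;
                case "bundle":
                    try {
                        for (BundleJobBean job : ((BundleJobInfo) jpaService.execute(
                                new BundleJobInfoGetJPAExecutor(filter, start, len))).getBundleJobs()) {
                            if (job != null) {
                                requireOwnerOrInAcl(user, job.getUser(), job.getGroup(), ErrorCode.E0509, job.getId());
                            }
                        }
                    } catch (JPAExecutorException ex) {
                        throw new AuthorizationException(ex);
                    }
                    break;
                default:
                    try {
                        for (CoordinatorJobBean job : ((CoordinatorJobInfo) jpaService.execute(
                                new CoordJobInfoGetJPAExecutor(filter, start, len))).getCoordJobs()) {
                            if (job != null) {
                                requireOwnerOrInAcl(user, job.getUser(), job.getGroup(), ErrorCode.E0509, job.getId());
                            }
                        }
                    } catch (JPAExecutorException ex) {
                        throw new AuthorizationException(ex);
                    }
                    break;
            }
        } catch (IOException ex) {
            throw new AuthorizationException(ErrorCode.E0501, ex.getMessage(), ex);
        }
    }

    /**
     * Increments an authorization counter; silently skipped while instrumentation is not yet
     * available (it is wired up at the end of {@link #init}).
     *
     * @param counter counter name within {@value #INSTRUMENTATION_GROUP}
     * @param delta   amount to add
     */
    private void incrCounter(String counter, int delta) {
        if (instrumentation != null) {
            instrumentation.incr(INSTRUMENTATION_GROUP, counter, delta);
        }
    }

    /** @return whether a system-info authorized-user list is configured. */
    public boolean isAuthorizedSystemInfo() {
        return authorizedSystemInfo;
    }
}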
