package com.mapr.baseutils.utils;

import com.mapr.baseutils.acls.SecurityCommandHelper;
import com.mapr.fs.cldb.proto.CLDBProto;
import com.mapr.fs.proto.Common;
import com.mapr.fs.proto.Security;
import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/mapr/baseutils/utils/PolicyServerPermissionsManager.class */
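/**
 * Process-wide authorization helper for security-policy operations.
 *
 * <p>Decisions combine three inputs held by the singleton: the cluster-level ACL, the cluster
 * owner's uid, and two root-handling switches ({@code rejectRoot}, {@code squashRoot}). Every
 * check in this class fails closed: missing credentials, a missing ACL or an unrecognised action
 * all yield {@code false}.
 *
 * <p>NOTE(review): the configuration fields are plain (non-volatile) fields and
 * {@link #updateConfParams} is not synchronized, so a permission check running on another thread
 * may observe a mix of old and new values while an update is in progress. Confirm how callers
 * serialise updates against checks.
 */
public class PolicyServerPermissionsManager {
    private ACL clusterAcl;
    private int clusterOwnerUid;
    private boolean rejectRoot;
    private boolean squashRoot;
    private static final Logger LOG = LoggerFactory.getLogger(PolicyServerPermissionsManager.class);
    private static PolicyServerPermissionsManager s_instance = null;

    /**
     * Decompiler rendering of the compiler-generated lookup table for the {@code switch} over
     * {@link CLDBProto.UserActions}. Each handled constant maps to a case label 1-4; every other
     * ordinal keeps the array default of 0 and therefore reaches the {@code default} (deny)
     * branch of {@link #canPerformSecurityPolicyAction}.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$UserActions = new int[CLDBProto.UserActions.values().length];

        static {
            // A constant missing at runtime raises NoSuchFieldError; it is ignored on purpose so
            // that the corresponding entry stays 0 and the action is denied.
            try {
                $SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$UserActions[CLDBProto.UserActions.SecurityPolicyAclLookup.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$UserActions[CLDBProto.UserActions.SecurityPolicyGenericPropertiesLookup.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$UserActions[CLDBProto.UserActions.SecurityPolicyAclModify.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$UserActions[CLDBProto.UserActions.SecurityPolicyGenericPropertiesModify.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
            }
        }
    }

    /**
     * Result row of {@link #getUserPermissions}: an action name and whether it is allowed.
     *
     * <p>The fields are public and mutable, so a consumer must not treat a received instance as
     * an authoritative decision; re-run the check instead.
     */
    public class PoilicyActionPermission {
        // Name of the CLDBProto.UserActions constant this row refers to.
        public String action;
        // Outcome of canPerformSecurityPolicyAction for that action.
        public boolean allow;

        PoilicyActionPermission(String str, boolean z) {
            this.action = str;
            this.allow = z;
        }
    }

    /**
     * Creates the manager. The cluster owner uid is fixed here; no method in this class changes
     * it afterwards.
     *
     * @param accessControlList cluster-level ACL message
     * @param i uid of the cluster owner
     * @param z whether uid 0 is rejected outright
     * @param z2 whether uid 0 is replaced by the "nobody" credentials
     */
    private PolicyServerPermissionsManager(Security.AccessControlList accessControlList, int i, boolean z, boolean z2) {
        this.clusterOwnerUid = i;
        updateConfParams(accessControlList, z, z2);
    }

    /**
     * Returns the singleton, creating it from the arguments on the first call.
     *
     * <p>Once the instance exists, the arguments of later calls are ignored: the ACL, owner uid
     * and root flags of the first caller stay in effect. Use {@link #updateConfParams} to change
     * the ACL or the root flags.
     *
     * @param accessControlList cluster-level ACL message (first call only)
     * @param i uid of the cluster owner (first call only)
     * @param z reject-root flag (first call only)
     * @param z2 squash-root flag (first call only)
     * @return the shared instance
     */
    public static synchronized PolicyServerPermissionsManager getInstance(Security.AccessControlList accessControlList, int i, boolean z, boolean z2) {
        if (s_instance == null) {
            s_instance = new PolicyServerPermissionsManager(accessControlList, i, z, z2);
        }
        return s_instance;
    }

    /**
     * Replaces the cluster ACL and the two root-handling flags.
     *
     * <p>The three assignments are not atomic as a group; see the class-level note.
     *
     * @param accessControlList new cluster-level ACL message
     * @param z new reject-root flag
     * @param z2 new squash-root flag
     */
    public void updateConfParams(Security.AccessControlList accessControlList, boolean z, boolean z2) {
        this.clusterAcl = new ACL(accessControlList);
        this.rejectRoot = z;
        this.squashRoot = z2;
    }

    private boolean isRejectRootEnabled() {
        return this.rejectRoot;
    }

    private boolean isSquashRootEnabled() {
        return this.squashRoot;
    }

    private int getClusterOwnerUid() {
        return this.clusterOwnerUid;
    }

    /**
     * Returns the ACL object used for cluster-level checks.
     *
     * <p>NOTE(review): this is the internal reference, not a copy; if {@code ACL} is mutable, a
     * caller could alter the cluster ACL through it. Confirm against the {@code ACL} class.
     *
     * @return the current cluster ACL
     */
    public ACL getClusterAcl() {
        return this.clusterAcl;
    }

    /**
     * Reading a policy's ACL: checked against the policy ACL with the full-control and admin
     * bits, then, if that fails, against the cluster ACL with the cluster full-control bit.
     */
    private boolean hasSecurityPolicyAclReadPerms(Common.SecurityPolicyProperties securityPolicyProperties, Security.CredentialsMsg credentialsMsg) {
        final int policyMask = SecurityCommandHelper.SECURITY_POLICY_FULL_CONTROL_MASK | SecurityCommandHelper.SECURITY_POLICY_ADMIN_MASK;
        if (canPerformActionOnSecurityPolicy(securityPolicyProperties, credentialsMsg, policyMask, null)) {
            return true;
        }
        return canPerformActionAtClusterLevel(credentialsMsg, SecurityCommandHelper.CLUSTER_FULL_CONTROL_MASK, null);
    }

    /**
     * Reading a policy's generic properties: checked against the policy ACL with the read and
     * full-control bits, then, if that fails, against the cluster ACL with the cluster
     * full-control bit.
     */
    private boolean hasSecurityPolicyGenericReadPerms(Common.SecurityPolicyProperties securityPolicyProperties, Security.CredentialsMsg credentialsMsg) {
        final int policyMask = SecurityCommandHelper.SECURITY_POLICY_READ_MASK | SecurityCommandHelper.SECURITY_POLICY_FULL_CONTROL_MASK;
        if (canPerformActionOnSecurityPolicy(securityPolicyProperties, credentialsMsg, policyMask, null)) {
            return true;
        }
        return canPerformActionAtClusterLevel(credentialsMsg, SecurityCommandHelper.CLUSTER_FULL_CONTROL_MASK, null);
    }

    /**
     * Modifying a policy's ACL: policy ACL with the admin bit only. Unlike the read checks there
     * is no cluster-level fallback.
     */
    private boolean hasSecurityPolicyAclModify(Common.SecurityPolicyProperties securityPolicyProperties, Security.CredentialsMsg credentialsMsg) {
        return canPerformActionOnSecurityPolicy(securityPolicyProperties, credentialsMsg, SecurityCommandHelper.SECURITY_POLICY_ADMIN_MASK, null);
    }

    /**
     * Modifying a policy's generic properties: policy ACL with the full-control bit only. Unlike
     * the read checks there is no cluster-level fallback.
     */
    private boolean hasSecurityPolicyGenericPropertiesModify(Common.SecurityPolicyProperties securityPolicyProperties, Security.CredentialsMsg credentialsMsg) {
        return canPerformActionOnSecurityPolicy(securityPolicyProperties, credentialsMsg, SecurityCommandHelper.SECURITY_POLICY_FULL_CONTROL_MASK, null);
    }

    /**
     * Checks the caller against the ACL stored in a security policy.
     *
     * <p>Evaluation order matters for the outcome:
     * <ol>
     *   <li>null policy or credentials: denied;</li>
     *   <li>policy without an ACL: denied, even for the cluster owner;</li>
     *   <li>cluster owner (see {@link #hasAdminCredentials}): allowed without consulting the
     *       ACL;</li>
     *   <li>uid 0: denied when reject-root is on, otherwise evaluated as the "nobody" credentials
     *       when squash-root is on;</li>
     *   <li>everything else: decided by {@code ACL.verifyPermissions}.</li>
     * </ol>
     *
     * @param securityPolicyProperties policy whose ACL is consulted
     * @param credentialsMsg caller credentials
     * @param i permission mask passed to {@code verifyPermissions}; how a mask with several bits
     *     is matched is decided there and is not visible in this class
     * @param sb optional buffer that receives a denial reason; may be null
     * @return true if the action is permitted
     */
    public boolean canPerformActionOnSecurityPolicy(Common.SecurityPolicyProperties securityPolicyProperties, Security.CredentialsMsg credentialsMsg, int i, StringBuilder sb) {
        if (securityPolicyProperties == null || credentialsMsg == null) {
            return false;
        }
        if (!securityPolicyProperties.hasAcl()) {
            if (sb != null) {
                sb.append("ACL Not Present for security policy ").append(securityPolicyProperties.getPolicyName());
            }
            return false;
        }
        if (hasAdminCredentials(credentialsMsg)) {
            return true;
        }
        Security.CredentialsMsg effectiveCreds = credentialsMsg;
        if (credentialsMsg.getUid() == 0) {
            if (isRejectRootEnabled()) {
                if (sb != null) {
                    sb.append("Root cannot perform action since reject root is enabled");
                }
                return false;
            }
            if (isSquashRootEnabled()) {
                // Root is evaluated with the "nobody" identity instead of its own.
                effectiveCreds = PolicyServerNobodyCredentials.getInstance();
            }
        }
        return new ACL(securityPolicyProperties.getAcl()).verifyPermissions(effectiveCreds, i, sb);
    }

    /**
     * Checks the caller against the cluster-level ACL.
     *
     * <p>The cluster owner is allowed without consulting the ACL. A denial reason written by this
     * method is appended only when {@code sb} is still empty, so an earlier reason is kept.
     *
     * <p>NOTE(review): unlike {@link #canPerformActionOnSecurityPolicy}, a non-owner uid 0 is
     * passed to {@code verifyPermissions} unchanged here; the reject-root and squash-root flags
     * are applied only inside {@link #hasAdminCredentials}. Confirm whether {@code ACL} handles
     * root itself.
     *
     * @param credentialsMsg caller credentials
     * @param i permission mask passed to {@code verifyPermissions}
     * @param sb optional buffer that receives a denial reason; may be null
     * @return true if the action is permitted
     */
    public boolean canPerformActionAtClusterLevel(Security.CredentialsMsg credentialsMsg, int i, StringBuilder sb) {
        if (credentialsMsg == null) {
            LOG.info("Credentials missing in the Request");
            if (sb != null && sb.length() == 0) {
                sb.append("Credentials missing in the Request");
            }
            return false;
        }
        if (hasAdminCredentials(credentialsMsg)) {
            return true;
        }
        // Read the ACL once so the null test and the use refer to the same object.
        final ACL acl = getClusterAcl();
        if (acl != null) {
            return acl.verifyPermissions(credentialsMsg, i, sb);
        }
        if (sb != null && sb.length() == 0) {
            sb.append("Missing Cluster ACLs");
        }
        return false;
    }

    /**
     * Dispatches a security-policy action to its permission check.
     *
     * <p>Only the four security-policy lookup/modify actions are handled; any other action is
     * logged and denied.
     *
     * @param userActions action being requested
     * @param credentialsMsg caller credentials
     * @param securityPolicyProperties policy the action targets
     * @return true if the action is permitted
     */
    public boolean canPerformSecurityPolicyAction(CLDBProto.UserActions userActions, Security.CredentialsMsg credentialsMsg, Common.SecurityPolicyProperties securityPolicyProperties) {
        if (userActions == null || credentialsMsg == null) {
            LOG.debug("canPerformSecurityPolicyAction:action or creds is null");
            return false;
        }
        switch (AnonymousClass1.$SwitchMap$com$mapr$fs$cldb$proto$CLDBProto$UserActions[userActions.ordinal()]) {
            case 1: // SecurityPolicyAclLookup
                return hasSecurityPolicyAclReadPerms(securityPolicyProperties, credentialsMsg);
            case 2: // SecurityPolicyGenericPropertiesLookup
                return hasSecurityPolicyGenericReadPerms(securityPolicyProperties, credentialsMsg);
            case 3: // SecurityPolicyAclModify
                return hasSecurityPolicyAclModify(securityPolicyProperties, credentialsMsg);
            case 4: // SecurityPolicyGenericPropertiesModify
                return hasSecurityPolicyGenericPropertiesModify(securityPolicyProperties, credentialsMsg);
            default:
                // The original guarded this warn() with isErrorEnabled(); the logger applies the
                // matching level check itself, so the mismatched guard is dropped.
                LOG.warn("canPerformSecurityPolicyAction: invalid action: {}", userActions);
                return false;
        }
    }

    /**
     * Tells whether the credentials belong to the cluster owner.
     *
     * <p>The decision rests solely on the uid carried in the message: a match with the cluster
     * owner uid bypasses every ACL check in this class. Whether that uid has been authenticated
     * before it reaches this method is not visible here.
     *
     * <p>For uid 0: reject-root denies admin status; squash-root compares the "nobody" uid with
     * the owner uid instead, so squashed root is admin only if the owner uid equals the nobody
     * uid.
     *
     * @param credentialsMsg caller credentials; null yields false
     * @return true if the effective uid equals the cluster owner uid
     */
    public boolean hasAdminCredentials(Security.CredentialsMsg credentialsMsg) {
        if (credentialsMsg == null) {
            return false;
        }
        int effectiveUid = credentialsMsg.getUid();
        if (effectiveUid == 0) {
            if (isRejectRootEnabled()) {
                LOG.debug("hasAdminCredentials: root is not admin since reject root is enabled");
                return false;
            }
            if (isSquashRootEnabled()) {
                effectiveUid = PolicyServerNobodyCredentials.getInstance().getUid();
            }
        }
        return effectiveUid == getClusterOwnerUid();
    }

    /**
     * Evaluates every action whose name starts with {@code "SecurityPolicy"} for the caller.
     *
     * @param credentialsMsg caller credentials
     * @param securityPolicyProperties policy to evaluate against; null yields an empty list
     * @return one entry per security-policy action with its allow/deny outcome
     */
    public List<PoilicyActionPermission> getUserPermissions(Security.CredentialsMsg credentialsMsg, Common.SecurityPolicyProperties securityPolicyProperties) {
        final CLDBProto.UserActions[] allActions = CLDBProto.UserActions.values();
        final List<PoilicyActionPermission> permissions = new ArrayList<>(allActions.length);
        if (securityPolicyProperties == null) {
            // Without a policy there is nothing to evaluate.
            return permissions;
        }
        for (CLDBProto.UserActions action : allActions) {
            final String name = action.name();
            if (name.startsWith("SecurityPolicy")) {
                permissions.add(new PoilicyActionPermission(name, canPerformSecurityPolicyAction(action, credentialsMsg, securityPolicyProperties)));
            }
        }
        return permissions;
    }
}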
