package org.apache.drill.exec.resourcemgr.config.selectors;

import com.typesafe.config.Config;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.drill.exec.ops.QueryContext;
import org.apache.drill.exec.resourcemgr.config.exception.RMConfigException;
import org.apache.drill.exec.resourcemgr.config.selectors.ResourcePoolSelector;
import org.apache.drill.exec.util.ImpersonationUtil;
import org.apache.drill.shaded.guava.com.google.common.annotations.VisibleForTesting;
import org.apache.drill.shaded.guava.com.google.common.collect.Sets;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/drill/exec/resourcemgr/config/selectors/AclSelector.class */
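/**
 * Resource pool selector that decides whether a query belongs to a pool based on the
 * query user's name and group membership, checked against allow/deny lists read from
 * the selector's {@link Config} ("users" and "groups" string lists).
 *
 * <p>Each list entry is either short form ({@code name}, meaning allowed) or long form
 * ({@code name:+} for allowed, {@code name:-} for denied). The literal {@code *} acts as a
 * wildcard entry in any of the four lists.
 *
 * <p>The sets are populated once in the constructor. This class adds no synchronization
 * of its own, and the getters hand out the live sets.
 */
public class AclSelector extends AbstractResourcePoolSelector {
    private static final Logger logger = LoggerFactory.getLogger(AclSelector.class);

    private static final String ACL_VALUE_GROUPS_KEY = "groups";
    private static final String ACL_VALUE_USERS_KEY = "users";
    private static final String ACL_LONG_SYNTAX_SEPARATOR = ":";
    private static final String ACL_LONG_ALLOWED_IDENTIFIER = "+";
    private static final String ACL_LONG_DISALLOWED_IDENTIFIER = "-";
    private static final String ACL_ALLOW_ALL = "*";

    private final Set<String> allowedUsers;
    private final Set<String> allowedGroups;
    private final Set<String> deniedUsers;
    private final Set<String> deniedGroups;
    private final Config aclSelectorValue;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the selector and eagerly parses the ACL configuration.
     *
     * @param config ACL selector configuration holding a "users" and/or "groups" string list
     * @throws RMConfigException if neither list is configured, or if no usable entry remains
     *                           after parsing
     */
    public AclSelector(Config config) throws RMConfigException {
        super(ResourcePoolSelector.SelectorType.ACL);
        this.allowedUsers = Sets.newHashSet();
        this.allowedGroups = Sets.newHashSet();
        this.deniedUsers = Sets.newHashSet();
        this.deniedGroups = Sets.newHashSet();
        this.aclSelectorValue = config;
        validateAndParseACL(this.aclSelectorValue);
    }

    /**
     * Evaluates the ACL for the user that issued the query. Group names are obtained from
     * {@code ImpersonationUtil.createProxyUgi(userName).getGroupNames()}.
     *
     * @param queryContext context of the query being routed
     * @return {@code true} if the ACL selects this query, {@code false} otherwise
     */
    @Override // org.apache.drill.exec.resourcemgr.config.selectors.AbstractResourcePoolSelector, org.apache.drill.exec.resourcemgr.config.selectors.ResourcePoolSelector
    public boolean isQuerySelected(QueryContext queryContext) {
        final String queryUserName = queryContext.getQueryUserName();
        final Set<String> queryUserGroups =
                Sets.newHashSet(ImpersonationUtil.createProxyUgi(queryUserName).getGroupNames());
        return checkQueryUserGroups(queryUserName, queryUserGroups);
    }

    /**
     * Applies the ACL to a user name and its groups. The first matching rule wins, in this order:
     * <ol>
     *   <li>user explicitly denied: rejected</li>
     *   <li>user explicitly allowed: selected</li>
     *   <li>{@code *} in denied users: rejected</li>
     *   <li>{@code *} in allowed users: selected</li>
     *   <li>any group explicitly denied: rejected</li>
     *   <li>any group explicitly allowed: selected</li>
     *   <li>{@code *} in denied groups: rejected</li>
     *   <li>{@code *} in allowed groups: selected</li>
     *   <li>otherwise: rejected (default deny)</li>
     * </ol>
     *
     * <p>Because every user-level rule, including the user wildcards, is evaluated before any
     * group rule, a {@code *} in the users list decides the outcome for every user that is not
     * named explicitly; group entries (including denied groups) are then never consulted.
     *
     * @param queryUser       name of the user that issued the query
     * @param queryUserGroups groups the user belongs to
     * @return {@code true} if the ACL selects the user, {@code false} otherwise
     */
    @VisibleForTesting
    public boolean checkQueryUserGroups(String queryUser, Set<String> queryUserGroups) {
        // Explicit user entries first; deny is checked before allow.
        if (this.deniedUsers.contains(queryUser)) {
            logger.debug("Query user is present in configured ACL -ve users list");
            return false;
        }
        if (this.allowedUsers.contains(queryUser)) {
            logger.debug("Query user is present in configured ACL +ve users list");
            return true;
        }

        // User wildcards: these return before any group rule is looked at.
        if (isStarInDisAllowedUsersList()) {
            logger.debug("Query user is absent in configured ACL +ve/-ve users list but * is in -ve users list");
            return false;
        }
        if (isStarInAllowedUsersList()) {
            logger.debug("Query user is absent in configured ACL +ve/-ve users list but * is in +ve users list");
            return true;
        }

        // Explicit group entries; a single denied group outweighs any allowed group.
        if (!Sets.intersection(queryUserGroups, this.deniedGroups).isEmpty()) {
            logger.debug("Groups of Query user is present in configured ACL -ve groups list");
            return false;
        }
        if (!Sets.intersection(queryUserGroups, this.allowedGroups).isEmpty()) {
            logger.debug("Groups of Query user is present in configured ACL +ve groups list");
            return true;
        }

        // Group wildcards.
        if (isStarInDisAllowedGroupsList()) {
            logger.debug("Groups of Query user is absent in configured ACL +ve/-ve groups list but * is in -ve groups list");
            return false;
        }
        if (isStarInAllowedGroupsList()) {
            logger.debug("Groups of Query user is absent in configured ACL +ve/-ve groups list but * is in +ve groups list");
            return true;
        }

        // Nothing matched: default deny.
        logger.debug("Neither query user or group is present in configured ACL users/groups list");
        return false;
    }

    /**
     * Validates the ACL configuration and fills the four identity sets.
     *
     * <p>An identity listed as both allowed and denied is kept only in the denied set.
     *
     * @param config ACL selector configuration
     * @throws RMConfigException if neither "users" nor "groups" is present, or if parsing
     *                           leaves all four sets empty
     */
    private void validateAndParseACL(Config config) throws RMConfigException {
        final boolean hasUsers = config.hasPath(ACL_VALUE_USERS_KEY);
        final boolean hasGroups = config.hasPath(ACL_VALUE_GROUPS_KEY);
        if (!hasGroups && !hasUsers) {
            throw new RMConfigException(String.format("ACL Selector config is missing both group and user list information. Please configure either of groups or users list. [Details: aclConfig: %s]", config));
        }
        if (hasUsers) {
            parseACLInput(config.getStringList(ACL_VALUE_USERS_KEY), this.allowedUsers, this.deniedUsers);
        }
        if (hasGroups) {
            parseACLInput(config.getStringList(ACL_VALUE_GROUPS_KEY), this.allowedGroups, this.deniedGroups);
        }
        if (this.allowedGroups.isEmpty() && this.deniedGroups.isEmpty()
                && this.deniedUsers.isEmpty() && this.allowedUsers.isEmpty()) {
            throw new RMConfigException("No valid users or groups information is configured for this ACL selector. Either use * or valid users/groups");
        }

        // Sets.intersection returns a live view that iterates the allowed set. Passing that view
        // to removeAll on the same set can raise ConcurrentModificationException part-way through,
        // failing selector construction on a conflicting config. Copy the conflicts out first.
        final Set<String> conflictingUsers = Sets.newHashSet(Sets.intersection(this.allowedUsers, this.deniedUsers));
        if (!conflictingUsers.isEmpty()) {
            logger.warn("These users are configured both in allowed and disallowed list. They will be treated as disallowed. [Details: users: {}]", conflictingUsers);
            this.allowedUsers.removeAll(conflictingUsers);
        }
        final Set<String> conflictingGroups = Sets.newHashSet(Sets.intersection(this.allowedGroups, this.deniedGroups));
        if (!conflictingGroups.isEmpty()) {
            logger.warn("These groups are configured both in allowed and disallowed list. They will be treated as disallowed. [Details: groups: {}]", conflictingGroups);
            this.allowedGroups.removeAll(conflictingGroups);
        }
    }

    /**
     * @return the allowed-user set
     */
    // NOTE(review): this is the live internal set, not a copy; a caller that mutates it changes
    // the ACL decisions of this selector. Confirm no caller relies on that before wrapping it.
    public Set<String> getAllowedUsers() {
        return this.allowedUsers;
    }

    /**
     * @return the allowed-group set (live internal set, see the note on {@link #getAllowedUsers()})
     */
    public Set<String> getAllowedGroups() {
        return this.allowedGroups;
    }

    /**
     * @return the denied-user set (live internal set, see the note on {@link #getAllowedUsers()})
     */
    public Set<String> getDeniedUsers() {
        return this.deniedUsers;
    }

    /**
     * @return the denied-group set (live internal set, see the note on {@link #getAllowedUsers()})
     */
    public Set<String> getDeniedGroups() {
        return this.deniedGroups;
    }

    /** @return whether the wildcard {@code *} is configured as an allowed user. */
    private boolean isStarInAllowedUsersList() {
        return this.allowedUsers.contains(ACL_ALLOW_ALL);
    }

    /** @return whether the wildcard {@code *} is configured as an allowed group. */
    private boolean isStarInAllowedGroupsList() {
        return this.allowedGroups.contains(ACL_ALLOW_ALL);
    }

    /** @return whether the wildcard {@code *} is configured as a denied user. */
    private boolean isStarInDisAllowedUsersList() {
        return this.deniedUsers.contains(ACL_ALLOW_ALL);
    }

    /** @return whether the wildcard {@code *} is configured as a denied group. */
    private boolean isStarInDisAllowedGroupsList() {
        return this.deniedGroups.contains(ACL_ALLOW_ALL);
    }

    /**
     * Parses one configured ACL list into allowed and denied identities.
     *
     * <p>Short form {@code name} and long form {@code name:+} add to the allowed set;
     * {@code name:-} adds to the denied set. Empty entries are skipped. Malformed entries
     * are logged and ignored rather than turned into a grant: an entry with an empty identity
     * (for example {@code :+} or {@code :}) or with an identifier other than {@code +}/{@code -}
     * (including a missing one, as in {@code name:}).
     *
     * @param aclEntries        raw strings from the configuration
     * @param allowedIdentities set receiving allowed identities
     * @param deniedIdentities  set receiving denied identities
     */
    private void parseACLInput(List<String> aclEntries, Set<String> allowedIdentities, Set<String> deniedIdentities) {
        for (String aclEntry : aclEntries) {
            if (aclEntry.isEmpty()) {
                continue;
            }
            // Limit -1 keeps trailing empty tokens. With the default limit, ":" splits to a
            // zero-length array (index 1 is then out of bounds) and "name:" collapses to the
            // short form, silently becoming an allow entry.
            final String[] tokens = aclEntry.split(ACL_LONG_SYNTAX_SEPARATOR, -1);
            final String identity = tokens[0];
            if (identity.isEmpty()) {
                logger.error("Invalid ACL string {} encountered hence ignoring it. Details[Identity name is empty]", aclEntry);
                continue;
            }

            final Set<String> target;
            if (tokens.length == 1) {
                // Short form: a bare name means allowed.
                target = allowedIdentities;
            } else if (ACL_LONG_ALLOWED_IDENTIFIER.equals(tokens[1])) {
                target = allowedIdentities;
            } else if (ACL_LONG_DISALLOWED_IDENTIFIER.equals(tokens[1])) {
                target = deniedIdentities;
            } else {
                logger.error("Invalid long form syntax encountered hence ignoring ACL string {} . Details[Allowed identifiers are `+` and `-`. Encountered: {}]", aclEntry, tokens[1]);
                continue;
            }

            if (!target.add(identity)) {
                logger.info("Duplicate acl identity: {} found in configured list will be ignored", identity);
            }
        }
    }

    /**
     * Renders the selector type and the four identity sets for logging. Each identity is
     * followed by {@code ", "}, including the last one in a list.
     */
    @Override // org.apache.drill.exec.resourcemgr.config.selectors.AbstractResourcePoolSelector
    public String toString() {
        final StringBuilder sb = new StringBuilder();
        sb.append("{ SelectorType: ").append(super.toString());
        sb.append(", AllowedUsers: [");
        appendIdentities(sb, this.allowedUsers);
        sb.append("], AllowedGroups: [");
        appendIdentities(sb, this.allowedGroups);
        sb.append("], DisallowedUsers: [");
        appendIdentities(sb, this.deniedUsers);
        sb.append("], DisallowedGroups: [");
        appendIdentities(sb, this.deniedGroups);
        sb.append("]}");
        return sb.toString();
    }

    /** Appends every identity followed by {@code ", "} to the builder. */
    private static void appendIdentities(StringBuilder sb, Set<String> identities) {
        for (String identity : identities) {
            sb.append(identity).append(", ");
        }
    }
}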
