package org.apache.ranger.authorization.nestedstructure.authorizer;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.Optional;
import java.util.Set;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.apache.ranger.plugin.util.ServiceTags;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureAuthorizer.class */
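/**
 * Authorizes access to a JSON record against Ranger policies for the
 * {@code nestedstructure} service type.
 *
 * <p>A request goes through three checks, in order: schema-level access (the
 * schema itself or any descendant), the row-filter policy for the record, and
 * per-field access with data masking. Every check must pass. Any denial, or any
 * exception, produces an {@code AccessResult} built with {@code false} and no JSON.
 *
 * <p>The shared instance returned by {@link #getInstance()} is created lazily,
 * using a volatile field that is re-checked under the class lock.
 */
public class NestedStructureAuthorizer {
    private static final Logger logger = LoggerFactory.getLogger(NestedStructureAuthorizer.class);
    private static final String RANGER_CMT_SERVICETYPE = "nestedstructure";
    private static final String RANGER_CMT_APPID = "nestedstructure";
    private static volatile NestedStructureAuthorizer instance;
    private final RangerBasePlugin plugin;

    /** Creates the shared instance's plugin and initialises it via {@code plugin.init()}. */
    private NestedStructureAuthorizer() {
        this.plugin = new RangerBasePlugin(RANGER_CMT_SERVICETYPE, RANGER_CMT_APPID);
        this.plugin.init();
    }

    /**
     * Creates an authorizer over caller-supplied policies, tags and roles.
     *
     * <p>The policy refresher, user-store retriever and tag retriever are all disabled
     * in the engine options, and {@code init()} is not called on this path.
     *
     * @param servicePolicies policies to evaluate; its service name is used in the plugin config
     * @param serviceTags tags handed to the plugin
     * @param rangerRoles roles handed to the plugin
     */
    public NestedStructureAuthorizer(ServicePolicies servicePolicies, ServiceTags serviceTags, RangerRoles rangerRoles) {
        RangerPolicyEngineOptions engineOptions = new RangerPolicyEngineOptions();
        engineOptions.disablePolicyRefresher = true;
        engineOptions.disableUserStoreRetriever = true;
        engineOptions.disableTagRetriever = true;
        RangerPluginConfig pluginConfig = new RangerPluginConfig(RANGER_CMT_SERVICETYPE, servicePolicies.getServiceName(), RANGER_CMT_APPID, (String) null, (String) null, engineOptions);
        this.plugin = new RangerBasePlugin(pluginConfig, servicePolicies, serviceTags, rangerRoles);
    }

    /**
     * Returns the process-wide authorizer, creating it on first use.
     *
     * @return the shared instance, never {@code null}
     */
    public static NestedStructureAuthorizer getInstance() {
        NestedStructureAuthorizer current = instance;
        if (current == null) {
            synchronized (NestedStructureAuthorizer.class) {
                // Re-read under the lock: another thread may have created the instance meanwhile.
                current = instance;
                if (current == null) {
                    current = new NestedStructureAuthorizer();
                    instance = current;
                }
            }
        }
        return current;
    }

    /**
     * Decides whether a user may access a JSON record and, if so, returns the record
     * with masking applied.
     *
     * <p>Audit events are flushed on every exit path. An exception raised during
     * evaluation is not propagated: it is logged and attached to a denied result.
     *
     * @param str schema name used as the Ranger resource
     * @param str2 name of the user requesting access
     * @param set groups of the user, passed to the Ranger access request
     * @param str3 the JSON record being requested
     * @param nestedStructureAccessType the kind of access requested
     * @return a result built with {@code true} and the masked JSON when all checks pass,
     *         otherwise one built with {@code false} and no JSON
     */
    public AccessResult authorize(String str, String str2, Set<String> set, String str3, NestedStructureAccessType nestedStructureAccessType) {
        NestedStructureAuditHandler auditHandler = new NestedStructureAuditHandler(this.plugin.getConfig());
        try {
            return privateAuthorize(str, str2, set, str3, nestedStructureAccessType, auditHandler);
        } catch (Exception e) {
            // The record is the data this class protects and has not been masked at this
            // point, so it is kept out of WARN output and emitted only when DEBUG is enabled.
            logger.warn("exception during processing, user: " + str2, e);
            if (logger.isDebugEnabled()) {
                logger.debug("record being processed when the exception occurred, user: " + str2 + "\n json: " + str3);
            }
            return new AccessResult(false, null).addError(e);
        } finally {
            auditHandler.flushAudit();
        }
    }

    /**
     * Runs the schema, record and field checks in order and builds the result.
     *
     * @return the masked JSON wrapped in an allowed result, or a denied result as soon as
     *         any check fails
     */
    private AccessResult privateAuthorize(String schema, String user, Set<String> userGroups, String json, NestedStructureAccessType accessType, NestedStructureAuditHandler auditHandler) {
        if (!hasAccessToSchemaOrAnyField(schema, user, userGroups, accessType, auditHandler)) {
            return new AccessResult(false, null);
        }
        if (!hasAccessToRecord(schema, user, userGroups, json, accessType, auditHandler)) {
            return new AccessResult(false, null);
        }

        JsonManipulator jsonManipulator = new JsonManipulator(json);
        ArrayList<FieldLevelAccess> fieldResults = new ArrayList<>();
        for (String field : jsonManipulator.getFields()) {
            FieldLevelAccess fieldAccess = hasFieldAccess(schema, user, userGroups, field, accessType, auditHandler);
            fieldResults.add(fieldAccess);
            // One inaccessible field denies the whole record; remaining fields are not evaluated.
            if (!fieldAccess.hasAccess) {
                return new AccessResult(false, null);
            }
        }

        jsonManipulator.maskFields(fieldResults);
        return new AccessResult(true, jsonManipulator.getJsonString());
    }

    /**
     * Evaluates access and data-mask policies for a single field of the record.
     *
     * @param field field path as reported by {@code JsonManipulator.getFields()}
     * @return the access decision for the field, with mask details when access is allowed
     * @throws MaskingException if the plugin returns no result for either evaluation
     */
    private FieldLevelAccess hasFieldAccess(String schema, String user, Set<String> userGroups, String field, NestedStructureAccessType accessType, NestedStructureAuditHandler auditHandler) {
        // Collapse array/wildcard segments so the path matches the policy resource form.
        // NOTE(review): the first pattern ends with a literal apostrophe (".[*].'"), so it only
        // matches paths containing that character; confirm this is intended, since the
        // resulting name is what the policy engine is asked about.
        String policyFieldName = field.replaceAll("\\.\\[\\*\\]\\.'", ".").replaceAll("\\.\\*\\.", ".");
        RangerAccessRequestImpl request = new RangerAccessRequestImpl(new NestedStructureResource(Optional.of(schema), Optional.of(policyFieldName)), accessType.getValue(), user, userGroups, (Set<String>) null);

        RangerAccessResult accessResult = this.plugin.isAccessAllowed(request, auditHandler);
        if (accessResult == null) {
            throw new MaskingException("unable to determine access");
        }
        // Fail closed: an undetermined decision counts as denied.
        boolean allowed = accessResult.getIsAccessDetermined() && accessResult.getIsAllowed();
        if (logger.isDebugEnabled()) {
            logger.debug("checking at line 123 " + accessType + " access to " + schema + "." + field + " as " + policyFieldName + " for user: " + user + " has access ? " + (allowed ? "yes" : "no") + " policyId:  " + accessResult.getPolicyId());
        }
        if (!allowed) {
            return new FieldLevelAccess(field, false, -1L, true, null, null);
        }

        RangerAccessResult maskResult = this.plugin.evalDataMaskPolicies(request, (RangerAccessResultProcessor) null);
        if (maskResult == null) {
            throw new MaskingException("unable to determine access");
        }
        boolean maskEnabled = maskResult.isMaskEnabled();
        Long maskPolicyId = Long.valueOf(maskResult.getPolicyId());
        // Mask evaluation runs without a result processor, so an applied mask is audited here.
        if (maskEnabled) {
            auditHandler.processResult(maskResult);
        }
        if (logger.isDebugEnabled()) {
            logger.debug("attribute " + field + " as " + policyFieldName + " masked ? " + (maskEnabled ? "yes" : "no") + (maskEnabled ? " policyId:  " + maskPolicyId : ""));
        }
        return new FieldLevelAccess(field, true, maskPolicyId, maskEnabled, maskResult.getMaskType(), maskResult.getMaskedValue());
    }

    /**
     * Applies the row-filter policy, if one is enabled, to the record.
     *
     * @return {@code true} when no row filter is enabled or the filter accepts the record
     * @throws MaskingException if the plugin returns no result
     */
    private boolean hasAccessToRecord(String schema, String user, Set<String> userGroups, String json, NestedStructureAccessType accessType, NestedStructureAuditHandler auditHandler) {
        RangerAccessRequestImpl request = new RangerAccessRequestImpl(new NestedStructureResource(Optional.of(schema)), accessType.getValue(), user, userGroups, (Set<String>) null);
        RangerAccessResult filterResult = this.plugin.evalRowFilterPolicies(request, (RangerAccessResultProcessor) null);
        if (filterResult == null) {
            throw new MaskingException("unable to determine access");
        }
        if (!filterResult.isRowFilterEnabled()) {
            return true;
        }

        String filterExpr = filterResult.getFilterExpr();
        if (logger.isDebugEnabled()) {
            logger.debug("row level filter enabled with expression: " + filterExpr);
        }
        // NOTE(review): the expression comes from policy and is handed to RecordFilterJavaScript
        // together with the record; how it is evaluated and constrained is not visible here.
        // Confirm in that class.
        boolean recordAllowed = RecordFilterJavaScript.filterRow(user, filterExpr, json);
        if (!recordAllowed) {
            // Record the denial on the result before auditing it.
            filterResult.setIsAllowed(false);
            auditHandler.processResult(filterResult);
        }
        return recordAllowed;
    }

    /**
     * Checks whether the user has access to the schema or to anything beneath it.
     *
     * <p>The policy engine is called without a result processor, so only denials are
     * audited, explicitly, through {@code auditHandler}.
     *
     * @return {@code true} only when access was both determined and allowed
     * @throws MaskingException if the plugin returns no result
     */
    private boolean hasAccessToSchemaOrAnyField(String schema, String user, Set<String> userGroups, NestedStructureAccessType accessType, NestedStructureAuditHandler auditHandler) {
        RangerAccessRequestImpl request = new RangerAccessRequestImpl(new NestedStructureResource(Optional.of(schema)), accessType.getValue(), user, userGroups, (Set<String>) null);
        request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
        RangerAccessResult accessResult = this.plugin.isAccessAllowed(request, (RangerAccessResultProcessor) null);
        if (accessResult == null) {
            throw new MaskingException("unable to determine access");
        }
        // Fail closed: an undetermined decision counts as denied.
        boolean allowed = accessResult.getIsAccessDetermined() && accessResult.getIsAllowed();
        if (!allowed) {
            auditHandler.processResult(accessResult);
        }
        if (logger.isDebugEnabled()) {
            logger.debug("checking LINE 202 " + accessType + " access to " + schema + " for user: " + user + " has access ? " + (allowed ? "yes" : "no") + " policyId:  " + accessResult.getPolicyId());
        }
        return allowed;
    }
}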
