package org.apache.ranger.plugin.policyengine;

import io.juicefs.shaded.org.apache.commons.lang.StringUtils;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Stream;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.ListUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
import org.apache.ranger.plugin.service.RangerAuthContext;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.RangerPolicyDeltaUtil;
import org.apache.ranger.plugin.util.RangerReadWriteLock;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.apache.ranger.plugin.util.StringTokenReplacer;
import org.codehaus.jackson.util.MinimalPrettyPrinter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/plugin/policyengine/PolicyEngine.class */
public class PolicyEngine {
    private static final Logger LOG = LoggerFactory.getLogger(PolicyEngine.class);
    private static final Logger PERF_POLICYENGINE_INIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.init");
    private static final Logger PERF_POLICYENGINE_REBALANCE_LOG = RangerPerfTracer.getPerfLogger("policyengine.rebalance");
    private final RangerPolicyRepository policyRepository;
    private final RangerPolicyRepository tagPolicyRepository;
    private final List<RangerContextEnricher> allContextEnrichers;
    private final RangerPluginContext pluginContext;
    private boolean useForwardedIPAddress;
    private String[] trustedProxyAddresses;
    private final RangerReadWriteLock lock;
    private final Map<String, RangerPolicyRepository> zonePolicyRepositories = new HashMap();
    private final Map<String, RangerResourceTrie> resourceZoneTrie = new HashMap();
    private final Map<String, String> zoneTagServiceMap = new HashMap();
    private final Map<String, StringTokenReplacer> tokenReplacers = new HashMap();

    public RangerReadWriteLock.RangerLock getReadLock() {
        return this.lock.getReadLock();
    }

    public RangerReadWriteLock.RangerLock getWriteLock() {
        return this.lock.getWriteLock();
    }

    public boolean getUseForwardedIPAddress() {
        return this.useForwardedIPAddress;
    }

    public void setUseForwardedIPAddress(boolean z) {
        this.useForwardedIPAddress = z;
    }

    public String[] getTrustedProxyAddresses() {
        return this.trustedProxyAddresses;
    }

    public void setTrustedProxyAddresses(String[] strArr) {
        this.trustedProxyAddresses = strArr;
    }

    public long getRoleVersion() {
        return this.pluginContext.getAuthContext().getRoleVersion();
    }

    public void setRoles(RangerRoles rangerRoles) {
        this.pluginContext.getAuthContext().setRoles(rangerRoles);
    }

    public String getServiceName() {
        return this.policyRepository.getServiceName();
    }

    public RangerServiceDef getServiceDef() {
        return this.policyRepository.getServiceDef();
    }

    public long getPolicyVersion() {
        return this.policyRepository.getPolicyVersion();
    }

    public RangerPolicyRepository getPolicyRepository() {
        return this.policyRepository;
    }

    public RangerPolicyRepository getTagPolicyRepository() {
        return this.tagPolicyRepository;
    }

    public Map<String, RangerPolicyRepository> getZonePolicyRepositories() {
        return this.zonePolicyRepositories;
    }

    public List<RangerContextEnricher> getAllContextEnrichers() {
        return this.allContextEnrichers;
    }

    public RangerPluginContext getPluginContext() {
        return this.pluginContext;
    }

    public StringTokenReplacer getStringTokenReplacer(String str) {
        return this.tokenReplacers.get(str);
    }

    public String toString() {
        return toString(new StringBuilder()).toString();
    }

    protected void finalize() throws Throwable {
        try {
            cleanup();
        } finally {
            super.finalize();
        }
    }

    public StringBuilder toString(StringBuilder sb) {
        if (sb == null) {
            sb = new StringBuilder();
        }
        sb.append("PolicyEngine={");
        sb.append("serviceName={").append(getServiceName()).append("} ");
        sb.append("policyRepository={");
        if (this.policyRepository != null) {
            this.policyRepository.toString(sb);
        }
        sb.append("} ");
        sb.append("tagPolicyRepository={");
        if (this.tagPolicyRepository != null) {
            this.tagPolicyRepository.toString(sb);
        }
        sb.append("} ");
        sb.append(this.lock.toString());
        sb.append("}");
        return sb;
    }

    public List<RangerPolicy> getResourcePolicies(String str) {
        RangerPolicyRepository rangerPolicyRepository = this.zonePolicyRepositories.get(str);
        return rangerPolicyRepository == null ? ListUtils.EMPTY_LIST : rangerPolicyRepository.getPolicies();
    }

    Map<String, RangerResourceTrie> getResourceZoneTrie() {
        return this.resourceZoneTrie;
    }

    public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext rangerPluginContext, RangerRoles rangerRoles, boolean z) {
        List<RangerContextEnricher> arrayList;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> PolicyEngine(, " + servicePolicies + ", " + rangerPluginContext + ")");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.init(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
            long freeMemory = Runtime.getRuntime().freeMemory();
            PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (Runtime.getRuntime().totalMemory() - freeMemory) + ", Free memory:" + freeMemory);
        }
        this.pluginContext = rangerPluginContext;
        this.lock = new RangerReadWriteLock(z);
        LOG.info("Policy engine will" + (z ? MinimalPrettyPrinter.DEFAULT_ROOT_VALUE_SEPARATOR : " not ") + "perform in place update while processing policy-deltas.");
        this.pluginContext.setAuthContext(new RangerAuthContext(null, rangerRoles));
        RangerPolicyEngineOptions policyEngineOptions = rangerPluginContext.getConfig().getPolicyEngineOptions();
        if (StringUtils.isBlank(policyEngineOptions.evaluatorType) || StringUtils.equalsIgnoreCase(policyEngineOptions.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
            policyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
        }
        this.policyRepository = new RangerPolicyRepository(servicePolicies, this.pluginContext);
        ServicePolicies.TagPolicies tagPolicies = servicePolicies.getTagPolicies();
        if (policyEngineOptions.disableTagPolicyEvaluation || tagPolicies == null || StringUtils.isEmpty(tagPolicies.getServiceName()) || tagPolicies.getServiceDef() == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("PolicyEngine : No tag-policy-repository for service " + servicePolicies.getServiceName());
            }
            this.tagPolicyRepository = null;
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("PolicyEngine : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName());
            }
            this.tagPolicyRepository = new RangerPolicyRepository(tagPolicies, this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName());
        }
        List<RangerContextEnricher> contextEnrichers = this.tagPolicyRepository == null ? null : this.tagPolicyRepository.getContextEnrichers();
        List<RangerContextEnricher> contextEnrichers2 = this.policyRepository.getContextEnrichers();
        if (CollectionUtils.isEmpty(contextEnrichers)) {
            arrayList = contextEnrichers2;
        } else if (CollectionUtils.isEmpty(contextEnrichers2)) {
            arrayList = contextEnrichers;
        } else {
            arrayList = new ArrayList(contextEnrichers);
            arrayList.addAll(contextEnrichers2);
        }
        this.allContextEnrichers = arrayList;
        if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
            buildZoneTrie(servicePolicies);
            for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> entry : servicePolicies.getSecurityZones().entrySet()) {
                this.zonePolicyRepositories.put(entry.getKey(), new RangerPolicyRepository(servicePolicies, this.pluginContext, entry.getKey()));
            }
        }
        for (RangerServiceDef.RangerResourceDef rangerResourceDef : getServiceDef().getResources()) {
            Map<String, String> matcherOptions = rangerResourceDef.getMatcherOptions();
            if (RangerAbstractResourceMatcher.getOptionReplaceTokens(matcherOptions)) {
                this.tokenReplacers.put(rangerResourceDef.getName(), new StringTokenReplacer(RangerAbstractResourceMatcher.getOptionDelimiterStart(matcherOptions), RangerAbstractResourceMatcher.getOptionDelimiterEnd(matcherOptions), RangerAbstractResourceMatcher.getOptionDelimiterEscape(matcherOptions), RangerAbstractResourceMatcher.getOptionDelimiterPrefix(matcherOptions)));
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) {
            long freeMemory2 = Runtime.getRuntime().freeMemory();
            PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (Runtime.getRuntime().totalMemory() - freeMemory2) + ", Free memory:" + freeMemory2);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== PolicyEngine()");
        }
    }

    public PolicyEngine cloneWithDelta(ServicePolicies servicePolicies) {
        PolicyEngine policyEngine;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> cloneWithDelta(" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + ", " + servicePolicies.getPolicyVersion() + ")");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cloneWithDelta()");
        }
        RangerReadWriteLock.RangerLock writeLock = getWriteLock();
        Throwable th = null;
        try {
            if (LOG.isDebugEnabled() && writeLock.isLockingEnabled()) {
                LOG.debug("Acquired lock - " + writeLock);
            }
            RangerServiceDef serviceDef = getServiceDef();
            String name = serviceDef != null ? serviceDef.getName() : "";
            boolean z = false;
            if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) || MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
                z = CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas()) || RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(), name);
                if (z && MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
                    Iterator<Map.Entry<String, ServicePolicies.SecurityZoneInfo>> it = servicePolicies.getSecurityZones().entrySet().iterator();
                    while (true) {
                        if (!it.hasNext()) {
                            break;
                        }
                        Map.Entry<String, ServicePolicies.SecurityZoneInfo> next = it.next();
                        if (!RangerPolicyDeltaUtil.isValidDeltas(next.getValue().getPolicyDeltas(), name)) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Invalid policy-deltas for security zone:[" + next.getKey() + "]");
                            }
                            z = false;
                        }
                    }
                }
            }
            if (!z) {
                policyEngine = null;
            } else if (writeLock.isLockingEnabled()) {
                updatePolicyEngine(servicePolicies);
                policyEngine = this;
            } else {
                policyEngine = new PolicyEngine(this, servicePolicies);
            }
            RangerPerfTracer.log(rangerPerfTracer);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== cloneWithDelta(" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + ", " + servicePolicies.getPolicyVersion() + ")");
            }
            return policyEngine;
        } finally {
            if (writeLock != null) {
                if (0 != 0) {
                    try {
                        writeLock.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    writeLock.close();
                }
            }
        }
    }

    public RangerPolicyRepository getRepositoryForMatchedZone(RangerPolicy rangerPolicy) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> PolicyEngine.getRepositoryForMatchedZone(" + rangerPolicy + ")");
        }
        RangerPolicyRepository repositoryForZone = getRepositoryForZone(rangerPolicy.getZoneName());
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== PolicyEngine.getRepositoryForMatchedZone(" + rangerPolicy + ")");
        }
        return repositoryForZone;
    }

    public Set<String> getMatchedZonesForResourceAndChildren(RangerAccessResource rangerAccessResource) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> PolicyEngine.getMatchedZonesForResourceAndChildren(" + rangerAccessResource + ")");
        }
        Set<String> set = null;
        if (MapUtils.isNotEmpty(this.resourceZoneTrie)) {
            set = getMatchedZonesForResourceAndChildren(rangerAccessResource.getAsMap(), rangerAccessResource);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== PolicyEngine.getMatchedZonesForResourceAndChildren(" + rangerAccessResource + ") : " + set);
        }
        return set;
    }

    public String getUniquelyMatchedZoneName(Map<String, ?> map) {
        String str = null;
        Set<String> matchedZonesForResourceAndChildren = getMatchedZonesForResourceAndChildren(map, convertToAccessResource(map));
        if (CollectionUtils.isNotEmpty(matchedZonesForResourceAndChildren) && matchedZonesForResourceAndChildren.size() == 1) {
            String[] strArr = new String[1];
            matchedZonesForResourceAndChildren.toArray(strArr);
            str = strArr[0];
        }
        return str;
    }

    public RangerPolicyRepository getRepositoryForZone(String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + str + "]");
        }
        RangerPolicyRepository policyRepository = StringUtils.isNotEmpty(str) ? getZonePolicyRepositories().get(str) : getPolicyRepository();
        if (policyRepository == null) {
            LOG.error("policyRepository for zoneName:[" + str + "],  serviceName:[" + getServiceName() + "], policyVersion:[" + getPolicyVersion() + "] is null!! ERROR!");
        }
        return policyRepository;
    }

    public boolean hasTagPolicies(RangerPolicyRepository rangerPolicyRepository) {
        return rangerPolicyRepository != null && CollectionUtils.isNotEmpty(rangerPolicyRepository.getPolicies());
    }

    public boolean hasResourcePolicies(RangerPolicyRepository rangerPolicyRepository) {
        return rangerPolicyRepository != null && CollectionUtils.isNotEmpty(rangerPolicyRepository.getPolicies());
    }

    public boolean isResourceZoneAssociatedWithTagService(String str) {
        boolean z;
        if (!StringUtils.isNotEmpty(str) || this.tagPolicyRepository == null || this.zoneTagServiceMap.get(str) == null) {
            z = false;
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Accessed resource is in a zone:[" + str + "] which is associated with the tag-service:[" + this.tagPolicyRepository.getServiceName() + "]");
            }
            z = true;
        }
        return z;
    }

    public void preCleanup(boolean z) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> PolicyEngine.preCleanup(isForced=" + z + ")");
        }
        if (this.policyRepository != null) {
            this.policyRepository.preCleanup(z);
        }
        if (this.tagPolicyRepository != null) {
            this.tagPolicyRepository.preCleanup(z);
        }
        if (MapUtils.isNotEmpty(this.zonePolicyRepositories)) {
            Iterator<Map.Entry<String, RangerPolicyRepository>> it = this.zonePolicyRepositories.entrySet().iterator();
            while (it.hasNext()) {
                it.next().getValue().preCleanup(z);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== PolicyEngine.preCleanup(isForced=" + z + ")");
        }
    }

    private Set<String> getMatchedZonesForResourceAndChildren(Map<String, ?> map, RangerAccessResource rangerAccessResource) {
        Set set;
        Set set2;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> PolicyEngine.getMatchedZonesForResourceAndChildren(" + map + ", " + rangerAccessResource + ")");
        }
        HashSet hashSet = null;
        if (MapUtils.isNotEmpty(this.resourceZoneTrie)) {
            Set set3 = null;
            List<String> arrayList = map == null ? new ArrayList<>() : this.policyRepository.getOptions().getServiceDefHelper().getOrderedResourceNames(map.keySet());
            for (String str : arrayList) {
                RangerResourceTrie rangerResourceTrie = this.resourceZoneTrie.get(str);
                if (rangerResourceTrie != null) {
                    Object obj = map.get(str);
                    Set evaluatorsForResource = rangerResourceTrie.getEvaluatorsForResource(obj);
                    Set inheritedEvaluators = rangerResourceTrie.getInheritedEvaluators();
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("ResourceDefName:[" + str + "], values:[" + obj + "], matched-zones:[" + evaluatorsForResource + "], inherited-zones:[" + inheritedEvaluators + "]");
                    }
                    if (set3 != null) {
                        if (CollectionUtils.isEmpty(inheritedEvaluators) && CollectionUtils.isEmpty(evaluatorsForResource)) {
                            set3 = null;
                        } else if (CollectionUtils.isEmpty(inheritedEvaluators)) {
                            set3.retainAll(evaluatorsForResource);
                        } else if (CollectionUtils.isEmpty(evaluatorsForResource)) {
                            set3.retainAll(inheritedEvaluators);
                        } else {
                            if (evaluatorsForResource.size() < inheritedEvaluators.size()) {
                                set = evaluatorsForResource;
                                set2 = inheritedEvaluators;
                            } else {
                                set = inheritedEvaluators;
                                set2 = evaluatorsForResource;
                            }
                            HashSet hashSet2 = new HashSet();
                            if (set3.size() < set.size()) {
                                Stream stream = set3.stream();
                                Set set4 = set;
                                set4.getClass();
                                Stream filter = stream.filter((v1) -> {
                                    return r1.contains(v1);
                                });
                                hashSet2.getClass();
                                filter.forEach((v1) -> {
                                    r1.add(v1);
                                });
                                Stream stream2 = set3.stream();
                                Set set5 = set2;
                                set5.getClass();
                                Stream filter2 = stream2.filter((v1) -> {
                                    return r1.contains(v1);
                                });
                                hashSet2.getClass();
                                filter2.forEach((v1) -> {
                                    r1.add(v1);
                                });
                            } else {
                                Stream stream3 = set.stream();
                                Set set6 = set3;
                                set6.getClass();
                                Stream filter3 = stream3.filter((v1) -> {
                                    return r1.contains(v1);
                                });
                                hashSet2.getClass();
                                filter3.forEach((v1) -> {
                                    r1.add(v1);
                                });
                                if (set3.size() < set2.size()) {
                                    Stream stream4 = set3.stream();
                                    Set set7 = set2;
                                    set7.getClass();
                                    Stream filter4 = stream4.filter((v1) -> {
                                        return r1.contains(v1);
                                    });
                                    hashSet2.getClass();
                                    filter4.forEach((v1) -> {
                                        r1.add(v1);
                                    });
                                } else {
                                    Stream stream5 = set2.stream();
                                    Set set8 = set3;
                                    set8.getClass();
                                    Stream filter5 = stream5.filter((v1) -> {
                                        return r1.contains(v1);
                                    });
                                    hashSet2.getClass();
                                    filter5.forEach((v1) -> {
                                        r1.add(v1);
                                    });
                                }
                            }
                            set3 = hashSet2;
                        }
                    } else if (CollectionUtils.isEmpty(inheritedEvaluators) || CollectionUtils.isEmpty(evaluatorsForResource)) {
                        Set set9 = CollectionUtils.isEmpty(inheritedEvaluators) ? evaluatorsForResource : inheritedEvaluators;
                        set3 = (arrayList.size() == 1 || CollectionUtils.isEmpty(set9)) ? set9 : new HashSet(set9);
                    } else {
                        set3 = new HashSet(evaluatorsForResource);
                        set3.addAll(inheritedEvaluators);
                    }
                }
            }
            if (CollectionUtils.isNotEmpty(set3)) {
                Set<RangerZoneResourceMatcher> set10 = set3;
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Resource:[" + map + "], matched-zones:[" + set10 + "]");
                }
                if (set10.size() > 0) {
                    hashSet = new HashSet();
                    for (RangerZoneResourceMatcher rangerZoneResourceMatcher : set10) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Trying to match resource:[" + rangerAccessResource + "] using zoneMatcher:[" + rangerZoneResourceMatcher + "]");
                        }
                        if (rangerZoneResourceMatcher.getPolicyResourceMatcher().isMatch(rangerAccessResource, RangerPolicyResourceMatcher.MatchScope.ANY, (Map<String, Object>) null)) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Matched resource:[" + rangerAccessResource + "] using zoneMatcher:[" + rangerZoneResourceMatcher + "]");
                            }
                            hashSet.add(rangerZoneResourceMatcher.getSecurityZoneName());
                        } else if (LOG.isDebugEnabled()) {
                            LOG.debug("Did not match resource:[" + rangerAccessResource + "] using zoneMatcher:[" + rangerZoneResourceMatcher + "]");
                        }
                    }
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("The following zone-names matched resource:[" + rangerAccessResource + "]: " + hashSet);
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== PolicyEngine.getMatchedZonesForResourceAndChildren(" + map + ", " + rangerAccessResource + ") : " + hashSet);
        }
        return hashSet;
    }

    private RangerAccessResource convertToAccessResource(Map<String, ?> map) {
        RangerAccessResourceImpl rangerAccessResourceImpl = new RangerAccessResourceImpl();
        rangerAccessResourceImpl.setServiceDef(getServiceDef());
        for (Map.Entry<String, ?> entry : map.entrySet()) {
            rangerAccessResourceImpl.setValue(entry.getKey(), entry.getValue());
        }
        return rangerAccessResourceImpl;
    }

    private PolicyEngine(PolicyEngine policyEngine, ServicePolicies servicePolicies) {
        List<RangerContextEnricher> arrayList;
        this.useForwardedIPAddress = policyEngine.useForwardedIPAddress;
        this.trustedProxyAddresses = policyEngine.trustedProxyAddresses;
        this.pluginContext = policyEngine.pluginContext;
        this.lock = policyEngine.lock;
        long longValue = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion().longValue() : -1L;
        ArrayList arrayList2 = new ArrayList();
        ArrayList arrayList3 = new ArrayList();
        getDeltasSortedByZones(policyEngine, servicePolicies, arrayList2, arrayList3);
        if (policyEngine.policyRepository == null || !CollectionUtils.isNotEmpty(arrayList2)) {
            this.policyRepository = shareWith(policyEngine.policyRepository);
        } else {
            this.policyRepository = new RangerPolicyRepository(policyEngine.policyRepository, arrayList2, longValue);
        }
        if (MapUtils.isEmpty(this.zonePolicyRepositories) && MapUtils.isNotEmpty(policyEngine.zonePolicyRepositories)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Existing engine contains some zonePolicyRepositories and new engine contains no zonePolicyRepositories");
            }
            for (Map.Entry<String, RangerPolicyRepository> entry : policyEngine.zonePolicyRepositories.entrySet()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Copying over zoneRepository for zone :[" + entry.getKey() + "]");
                }
                this.zonePolicyRepositories.put(entry.getKey(), shareWith(entry.getValue()));
            }
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("Existing engine contains no zonePolicyRepositories or new engine contains some zonePolicyRepositories");
            LOG.debug("Not copying zoneRepositories from existing engine, as they are already copied or modified");
        }
        if (servicePolicies.getTagPolicies() == null || !CollectionUtils.isNotEmpty(arrayList3)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Either no associated tag repository or no changes to tag policies");
            }
            this.tagPolicyRepository = shareWith(policyEngine.tagPolicyRepository);
        } else if (policyEngine.tagPolicyRepository == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Current policy-engine does not have any tagPolicyRepository");
            }
            ArrayList arrayList4 = new ArrayList();
            for (RangerPolicyDelta rangerPolicyDelta : arrayList3) {
                if (rangerPolicyDelta.getChangeType().intValue() == 0) {
                    arrayList4.add(rangerPolicyDelta.getPolicy());
                } else {
                    LOG.warn("Expected changeType:[0], found policy-change-delta:[" + rangerPolicyDelta + "]");
                }
            }
            servicePolicies.getTagPolicies().setPolicies(arrayList4);
            this.tagPolicyRepository = new RangerPolicyRepository(servicePolicies.getTagPolicies(), this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName());
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Current policy-engine has a tagPolicyRepository");
            }
            this.tagPolicyRepository = new RangerPolicyRepository(policyEngine.tagPolicyRepository, arrayList3, longValue);
        }
        List<RangerContextEnricher> contextEnrichers = this.tagPolicyRepository == null ? null : this.tagPolicyRepository.getContextEnrichers();
        List<RangerContextEnricher> contextEnrichers2 = this.policyRepository == null ? null : this.policyRepository.getContextEnrichers();
        if (CollectionUtils.isEmpty(contextEnrichers)) {
            arrayList = contextEnrichers2;
        } else if (CollectionUtils.isEmpty(contextEnrichers2)) {
            arrayList = contextEnrichers;
        } else {
            arrayList = new ArrayList(contextEnrichers);
            arrayList.addAll(contextEnrichers2);
        }
        this.allContextEnrichers = arrayList;
        reorderPolicyEvaluators();
    }

    private void buildZoneTrie(ServicePolicies servicePolicies) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> PolicyEngine.buildZoneTrie()");
        }
        Map<String, ServicePolicies.SecurityZoneInfo> securityZones = servicePolicies.getSecurityZones();
        if (MapUtils.isNotEmpty(securityZones)) {
            RangerServiceDef serviceDef = servicePolicies.getServiceDef();
            ArrayList arrayList = new ArrayList();
            for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> entry : securityZones.entrySet()) {
                String key = entry.getKey();
                ServicePolicies.SecurityZoneInfo value = entry.getValue();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Building matchers for zone:[" + key + "]");
                }
                for (HashMap<String, List<String>> hashMap : value.getResources()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Building matcher for resource:[" + hashMap + "] in zone:[" + key + "]");
                    }
                    HashMap hashMap2 = new HashMap();
                    for (Map.Entry<String, List<String>> entry2 : hashMap.entrySet()) {
                        String key2 = entry2.getKey();
                        List<String> value2 = entry2.getValue();
                        RangerPolicy.RangerPolicyResource rangerPolicyResource = new RangerPolicy.RangerPolicyResource();
                        rangerPolicyResource.setIsExcludes(false);
                        rangerPolicyResource.setIsRecursive(Boolean.valueOf(EmbeddedServiceDefsUtil.isRecursiveEnabled(serviceDef, key2)));
                        rangerPolicyResource.setValues(value2);
                        hashMap2.put(key2, rangerPolicyResource);
                    }
                    arrayList.add(new RangerZoneResourceMatcher(key, hashMap2, serviceDef));
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Built matcher for resource:[" + hashMap + "] in zone:[" + key + "]");
                    }
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Built all matchers for zone:[" + key + "]");
                }
                if (value.getContainsAssociatedTagService().booleanValue()) {
                    this.zoneTagServiceMap.put(key, key);
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Built matchers for all Zones");
            }
            for (RangerServiceDef.RangerResourceDef rangerResourceDef : serviceDef.getResources()) {
                this.resourceZoneTrie.put(rangerResourceDef.getName(), new RangerResourceTrie(rangerResourceDef, arrayList));
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== PolicyEngine.buildZoneTrie()");
        }
    }

    private RangerPolicyRepository shareWith(RangerPolicyRepository rangerPolicyRepository) {
        if (rangerPolicyRepository != null) {
            rangerPolicyRepository.setShared();
        }
        return rangerPolicyRepository;
    }

    private void reorderPolicyEvaluators() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> reorderEvaluators()");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REBALANCE_LOG, "RangerPolicyEngine.reorderEvaluators()");
        }
        if (this.tagPolicyRepository != null) {
            this.tagPolicyRepository.reorderPolicyEvaluators();
        }
        if (this.policyRepository != null) {
            this.policyRepository.reorderPolicyEvaluators();
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== reorderEvaluators()");
        }
    }

    private void cleanup() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> PolicyEngine.cleanup()");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cleanUp(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
        }
        preCleanup(false);
        if (this.policyRepository != null) {
            this.policyRepository.cleanup();
        }
        if (this.tagPolicyRepository != null) {
            this.tagPolicyRepository.cleanup();
        }
        if (MapUtils.isNotEmpty(this.zonePolicyRepositories)) {
            Iterator<Map.Entry<String, RangerPolicyRepository>> it = this.zonePolicyRepositories.entrySet().iterator();
            while (it.hasNext()) {
                it.next().getValue().cleanup();
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== PolicyEngine.cleanup()");
        }
    }

    void updatePolicyEngine(ServicePolicies servicePolicies) {
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        getDeltasSortedByZones(this, servicePolicies, arrayList, arrayList2);
        if (this.policyRepository != null && CollectionUtils.isNotEmpty(arrayList)) {
            this.policyRepository.reinit(arrayList);
        }
        if (servicePolicies.getTagPolicies() != null && CollectionUtils.isNotEmpty(arrayList2)) {
            if (this.tagPolicyRepository != null) {
                this.tagPolicyRepository.reinit(arrayList2);
            } else {
                LOG.error("No previous tagPolicyRepository to update! Should not have come here!!");
            }
        }
        reorderPolicyEvaluators();
    }

    private void getDeltasSortedByZones(PolicyEngine policyEngine, ServicePolicies servicePolicies, List<RangerPolicyDelta> list, List<RangerPolicyDelta> list2) {
        RangerPolicyRepository shareWith;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> getDeltasSortedByZones()");
        }
        long longValue = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion().longValue() : -1L;
        if (CollectionUtils.isNotEmpty(list)) {
            LOG.warn("Emptying out defaultZoneDeltas!");
            list.clear();
        }
        if (CollectionUtils.isNotEmpty(list2)) {
            LOG.warn("Emptying out defaultZoneDeltasForTagPolicies!");
            list2.clear();
        }
        if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
            buildZoneTrie(servicePolicies);
            HashMap hashMap = new HashMap();
            for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> entry : servicePolicies.getSecurityZones().entrySet()) {
                String key = entry.getKey();
                List<RangerPolicyDelta> policyDeltas = entry.getValue().getPolicyDeltas();
                ArrayList arrayList = new ArrayList();
                if (StringUtils.isNotEmpty(key)) {
                    hashMap.put(key, arrayList);
                    Iterator<RangerPolicyDelta> it = policyDeltas.iterator();
                    while (it.hasNext()) {
                        ((List) hashMap.get(key)).add(it.next());
                    }
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Security zones found in the service-policies:[" + hashMap.keySet() + "]");
            }
            for (Map.Entry entry2 : hashMap.entrySet()) {
                String str = (String) entry2.getKey();
                List<RangerPolicyDelta> list3 = (List) entry2.getValue();
                RangerPolicyRepository rangerPolicyRepository = policyEngine.zonePolicyRepositories.get(str);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("zoneName:[" + str + "], zoneDeltas:[" + Arrays.toString(list3.toArray()) + "], doesOtherRepositoryExist:[" + (rangerPolicyRepository != null) + "]");
                }
                if (!CollectionUtils.isNotEmpty(list3)) {
                    shareWith = shareWith(rangerPolicyRepository);
                } else if (rangerPolicyRepository == null) {
                    ArrayList arrayList2 = new ArrayList();
                    for (RangerPolicyDelta rangerPolicyDelta : list3) {
                        if (rangerPolicyDelta.getChangeType().intValue() == 0) {
                            arrayList2.add(rangerPolicyDelta.getPolicy());
                        } else {
                            LOG.warn("Expected changeType:[0], found policy-change-delta:[" + rangerPolicyDelta + "]");
                        }
                    }
                    servicePolicies.getSecurityZones().get(str).setPolicies(arrayList2);
                    shareWith = new RangerPolicyRepository(servicePolicies, policyEngine.pluginContext, str);
                } else {
                    shareWith = new RangerPolicyRepository(rangerPolicyRepository, (List<RangerPolicyDelta>) list3, longValue);
                }
                this.zonePolicyRepositories.put(str, shareWith);
            }
        }
        List<RangerPolicyDelta> policyDeltas2 = servicePolicies.getPolicyDeltas();
        if (LOG.isDebugEnabled()) {
            LOG.debug("ServicePolicies.policyDeltas:[" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + "]");
        }
        for (RangerPolicyDelta rangerPolicyDelta2 : policyDeltas2) {
            if (servicePolicies.getServiceDef().getName().equals(rangerPolicyDelta2.getServiceType())) {
                list.add(rangerPolicyDelta2);
            } else {
                list2.add(rangerPolicyDelta2);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("defaultZoneDeltas:[" + Arrays.toString(list.toArray()) + "]");
            LOG.debug("defaultZoneDeltasForTagPolicies:[" + Arrays.toString(list2.toArray()) + "]");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getDeltasSortedByZones()");
        }
    }
}
