package io.juicefs.permission;

import io.juicefs.shaded.com.google.common.collect.Sets;
import io.juicefs.shaded.org.apache.commons.lang.StringUtils;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.security.AccessControlException;
import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/juicefs/permission/RangerPermissionChecker.class */
public class RangerPermissionChecker {
    private static final Logger LOG = LoggerFactory.getLogger(RangerPermissionChecker.class);
    private static final Map<String, RangerPermissionChecker> pcs = new ConcurrentHashMap();
    private static final Map<String, Set<Long>> runningInstance = new HashMap();
    private final HashMap<FsAction, Set<String>> fsAction2ActionMapper = new HashMap<FsAction, Set<String>>() { // from class: io.juicefs.permission.RangerPermissionChecker.1
        {
            put(FsAction.NONE, new HashSet());
            put(FsAction.ALL, Sets.newHashSet(RangerHadoopConstants.READ_ACCCESS_TYPE, RangerHadoopConstants.WRITE_ACCCESS_TYPE, RangerHadoopConstants.EXECUTE_ACCCESS_TYPE));
            put(FsAction.READ, Sets.newHashSet(RangerHadoopConstants.READ_ACCCESS_TYPE));
            put(FsAction.READ_WRITE, Sets.newHashSet(RangerHadoopConstants.READ_ACCCESS_TYPE, RangerHadoopConstants.WRITE_ACCCESS_TYPE));
            put(FsAction.READ_EXECUTE, Sets.newHashSet(RangerHadoopConstants.READ_ACCCESS_TYPE, RangerHadoopConstants.EXECUTE_ACCCESS_TYPE));
            put(FsAction.WRITE, Sets.newHashSet(RangerHadoopConstants.WRITE_ACCCESS_TYPE));
            put(FsAction.WRITE_EXECUTE, Sets.newHashSet(RangerHadoopConstants.WRITE_ACCCESS_TYPE, RangerHadoopConstants.EXECUTE_ACCCESS_TYPE));
            put(FsAction.EXECUTE, Sets.newHashSet(RangerHadoopConstants.EXECUTE_ACCCESS_TYPE));
        }
    };
    private final FileSystem superGroupFileSystem;
    private final RangerJfsPlugin rangerPlugin;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/juicefs/permission/RangerPermissionChecker$AuthzStatus.class */
    public enum AuthzStatus {
        ALLOW,
        DENY,
        NOT_DETERMINED
    }

    /* loaded from: input_file:io/juicefs/permission/RangerPermissionChecker$PathObj.class */
    public static class PathObj {
        FileStatus ancestor;
        FileStatus parent;
        FileStatus current;

        public PathObj(FileStatus fileStatus, FileStatus fileStatus2, FileStatus fileStatus3) {
            this.ancestor = null;
            this.parent = null;
            this.current = null;
            this.ancestor = fileStatus;
            this.parent = fileStatus2;
            this.current = fileStatus3;
        }
    }

    private RangerPermissionChecker(FileSystem fileSystem, RangerConfig rangerConfig) {
        this.superGroupFileSystem = fileSystem;
        this.rangerPlugin = new RangerJfsPlugin(fileSystem, rangerConfig.getServiceName(), rangerConfig.getRangerRestUrl(), rangerConfig.getPollIntervalMs());
        this.rangerPlugin.getConfig().set("ranger.plugin.hdfs.service.name", rangerConfig.getServiceName());
        this.rangerPlugin.getConfig().set("ranger.plugin.hdfs.policy.rest.url", rangerConfig.getRangerRestUrl());
        if (rangerConfig.getImpl() != null) {
            this.rangerPlugin.getConfig().set("ranger.plugin.hdfs.policy.source.impl", rangerConfig.getImpl());
        }
        this.rangerPlugin.getConfig().setIsFallbackSupported(true);
        this.rangerPlugin.init();
    }

    public static RangerPermissionChecker acquire(String str, long j, FileSystem fileSystem, RangerConfig rangerConfig) throws IOException {
        synchronized (runningInstance) {
            if (runningInstance.containsKey(str)) {
                RangerPermissionChecker rangerPermissionChecker = pcs.get(str);
                if (rangerPermissionChecker == null) {
                    throw new IOException("RangerPermissionChecker for volume: " + str + " is already created, but no instance found.");
                }
                runningInstance.get(str).add(Long.valueOf(j));
                return rangerPermissionChecker;
            }
            if (pcs.containsKey(str)) {
                throw new IOException("RangerPermissionChecker for volume: " + str + " is already created, but no running instance found.");
            }
            RangerPermissionChecker rangerPermissionChecker2 = new RangerPermissionChecker(fileSystem, rangerConfig);
            pcs.put(str, rangerPermissionChecker2);
            HashSet hashSet = new HashSet();
            hashSet.add(Long.valueOf(j));
            runningInstance.put(str, hashSet);
            return rangerPermissionChecker2;
        }
    }

    public static void release(String str, long j) {
        if (j <= 0) {
            return;
        }
        synchronized (runningInstance) {
            if (runningInstance.containsKey(str)) {
                Set<Long> set = runningInstance.get(str);
                if (set.remove(Long.valueOf(j))) {
                    if (set.size() == 0) {
                        pcs.remove(str).cleanUp();
                        runningInstance.remove(str);
                    }
                }
            }
        }
    }

    public boolean checkPermission(Path path, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, String str, String str2, Set<String> set) throws IOException {
        RangerPermissionContext rangerPermissionContext = new RangerPermissionContext(str2, set, str);
        PathObj path2Obj = path2Obj(path);
        AuthzStatus authzStatus = AuthzStatus.ALLOW;
        if (fsAction3 != null && fsAction2 != null && fsAction2.implies(FsAction.WRITE) && path2Obj.parent != null && path2Obj.current != null && path2Obj.parent.getPermission().getStickyBit() && !StringUtils.equals(path2Obj.parent.getOwner(), str2) && !StringUtils.equals(path2Obj.current.getOwner(), str2)) {
            authzStatus = AuthzStatus.NOT_DETERMINED;
        }
        if (authzStatus == AuthzStatus.ALLOW && fsAction != null && path2Obj.ancestor != null) {
            authzStatus = isAccessAllowed(path2Obj.ancestor, fsAction, rangerPermissionContext);
            if (checkResult(authzStatus, str2, fsAction.toString(), toPathString(path2Obj.ancestor.getPath()))) {
                return true;
            }
        }
        if (authzStatus == AuthzStatus.ALLOW && fsAction2 != null && path2Obj.parent != null) {
            authzStatus = isAccessAllowed(path2Obj.parent, fsAction2, rangerPermissionContext);
            if (checkResult(authzStatus, str2, fsAction2.toString(), toPathString(path2Obj.parent.getPath()))) {
                return true;
            }
        }
        if (authzStatus == AuthzStatus.ALLOW && fsAction3 != null && path2Obj.current != null && checkResult(isAccessAllowed(path2Obj.current, fsAction3, rangerPermissionContext), str2, fsAction3.toString(), toPathString(path2Obj.current.getPath()))) {
            return true;
        }
        if (z) {
            String str3 = null;
            if (path2Obj.current != null) {
                str3 = path2Obj.current.getOwner();
            }
            if (!str2.equals(str3)) {
                throw new AccessControlException(assembleExceptionMessage(str2, getFirstNonNullAccess(fsAction, fsAction2, fsAction3), toPathString(path2Obj.current.getPath())));
            }
        }
        return 1 == 0;
    }

    public void cleanUp() {
        try {
            this.rangerPlugin.cleanup();
        } catch (Exception e) {
            LOG.warn("Error when clean up ranger plugin threads.", e);
        }
        try {
            this.superGroupFileSystem.close();
        } catch (Exception e2) {
            LOG.warn("Error when close super group file system.", e2);
        }
    }

    private static boolean checkResult(AuthzStatus authzStatus, String str, String str2, String str3) throws AccessControlException {
        if (authzStatus == AuthzStatus.DENY) {
            throw new AccessControlException(assembleExceptionMessage(str, str2, str3));
        }
        return authzStatus == AuthzStatus.NOT_DETERMINED;
    }

    private static String assembleExceptionMessage(String str, String str2, String str3) {
        return "Permission denied: user=" + str + ", access=" + str2 + ", path=\"" + str3 + "\"";
    }

    private static String getFirstNonNullAccess(FsAction fsAction, FsAction fsAction2, FsAction fsAction3) {
        return fsAction3 != null ? fsAction3.toString() : fsAction2 != null ? fsAction2.toString() : fsAction != null ? fsAction.toString() : FsAction.EXECUTE.toString();
    }

    private AuthzStatus isAccessAllowed(FileStatus fileStatus, FsAction fsAction, RangerPermissionContext rangerPermissionContext) {
        String pathString = toPathString(fileStatus.getPath());
        Set<String> orDefault = this.fsAction2ActionMapper.getOrDefault(fsAction, new HashSet());
        String owner = fileStatus.getOwner();
        AuthzStatus authzStatus = null;
        Iterator<String> it = orDefault.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            RangerJfsAccessRequest rangerJfsAccessRequest = new RangerJfsAccessRequest(pathString, owner, it.next(), rangerPermissionContext.operationName, rangerPermissionContext.user, rangerPermissionContext.userGroups);
            LOG.debug(rangerJfsAccessRequest.toString());
            RangerAccessResult isAccessAllowed = this.rangerPlugin.isAccessAllowed(rangerJfsAccessRequest);
            if (isAccessAllowed != null) {
                LOG.debug(isAccessAllowed.toString());
            }
            if (isAccessAllowed == null || !isAccessAllowed.getIsAccessDetermined()) {
                authzStatus = AuthzStatus.NOT_DETERMINED;
            } else {
                if (!isAccessAllowed.getIsAllowed()) {
                    authzStatus = AuthzStatus.DENY;
                    break;
                }
                if (!AuthzStatus.NOT_DETERMINED.equals(authzStatus)) {
                    authzStatus = AuthzStatus.ALLOW;
                }
            }
        }
        if (authzStatus == null) {
            authzStatus = AuthzStatus.NOT_DETERMINED;
        }
        return authzStatus;
    }

    private static String toPathString(Path path) {
        return path.toUri().getPath();
    }

    private PathObj path2Obj(Path path) throws IOException {
        FileStatus ifExist = getIfExist(path);
        return new PathObj(getAncestor(path), getIfExist(path.getParent()), ifExist);
    }

    private FileStatus getIfExist(Path path) throws IOException {
        if (path == null) {
            return null;
        }
        try {
            return this.superGroupFileSystem.getFileStatus(path);
        } catch (FileNotFoundException e) {
            return null;
        }
    }

    public FileStatus getAncestor(Path path) throws IOException {
        if (path.getParent() != null) {
            return getIfExist(path.getParent());
        }
        FileStatus fileStatus = null;
        for (Path parent = path.getParent(); parent != null && fileStatus == null; parent = parent.getParent()) {
            fileStatus = getIfExist(parent);
        }
        return fileStatus;
    }
}
