package org.apache.impala.authorization;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.net.ntp.TimeStamp;
import org.apache.impala.authorization.ranger.RangerImpalaResourceBuilder;
import org.apache.impala.catalog.CatalogException;
import org.apache.impala.catalog.CatalogObjectCache;
import org.apache.impala.catalog.CatalogObjectVersionSet;
import org.apache.impala.catalog.Principal;
import org.apache.impala.catalog.PrincipalPrivilege;
import org.apache.impala.catalog.Role;
import org.apache.impala.catalog.Type;
import org.apache.impala.common.AnalysisException;
import org.apache.impala.thrift.TColumn;
import org.apache.impala.thrift.TPrincipal;
import org.apache.impala.thrift.TPrincipalType;
import org.apache.impala.thrift.TPrivilege;
import org.apache.impala.thrift.TResultSet;
import org.apache.impala.thrift.TResultSetMetadata;
import org.apache.impala.util.TResultRowBuilder;
import org.apache.log4j.Logger;

/* loaded from: input_file:org/apache/impala/authorization/AuthorizationPolicy.class */
/**
 * In-memory view of the authorization catalog: roles, users, the privileges attached to
 * them, and the mapping from group names to the roles granted to each group.
 *
 * <p>Every public method is {@code synchronized} on this instance, so the two caches, the
 * id-to-name index and the group-to-role index are updated together.
 *
 * <p>NOTE(review): {@code groupsToRoles_} is package-private and not final, so code in the
 * same package can read or replace it without holding the lock. The objects returned by
 * the getters come straight from the caches; whether they are live and mutable is not
 * visible here. Confirm that callers do not modify them outside this class.
 */
public class AuthorizationPolicy {
    private static final Logger LOG = Logger.getLogger(AuthorizationPolicy.class);

    // Roles and users, each keyed by principal name.
    private final CatalogObjectCache<Role> roleCache_ = new CatalogObjectCache<>();
    private final CatalogObjectCache<org.apache.impala.catalog.User> userCache_ = new CatalogObjectCache<>(false);

    // Principal id -> principal name. One map serves both roles and users.
    // NOTE(review): assumes ids are unique across roles and users; the by-id getters do not
    // check which kind of principal an id was registered for. TODO confirm.
    private final Map<Integer, String> principalIds_ = new HashMap<>();

    // Group name (stored as given) -> lower-cased names of the roles granted to that group.
    Map<String, Set<String>> groupsToRoles_ = new HashMap<>();

    /**
     * Adds a principal, replacing an existing principal of the same name and type only when
     * the existing one has a lower catalog version. Stale updates are dropped silently.
     *
     * <p>When the replaced principal has the same id, its privileges are carried over to the
     * new object; when the id differs they are not.
     *
     * @param principal the role or user to register
     * @throws IllegalArgumentException if the object's class does not match its principal
     *     type. NOTE(review): this check runs after the existing entry has been removed, so a
     *     mismatch leaves the old entry gone.
     */
    public synchronized void addPrincipal(Principal principal) {
        Principal existing = getPrincipal(principal.getName(), principal.getPrincipalType());
        boolean stale = existing != null
                && existing.getCatalogVersion() >= principal.getCatalogVersion();
        if (stale) {
            return;
        }

        if (existing != null) {
            // removePrincipal also clears the group and id index entries of the old object.
            removePrincipal(existing.getName(), existing.getPrincipalType());
            CatalogObjectVersionSet.INSTANCE.removeAll(existing.getPrivileges());
            if (existing.getId() == principal.getId()) {
                for (PrincipalPrivilege carriedOver : existing.getPrivileges()) {
                    principal.addPrivilege(carriedOver);
                }
            }
        }

        if (principal.getPrincipalType() == TPrincipalType.USER) {
            Preconditions.checkArgument(principal instanceof org.apache.impala.catalog.User);
            userCache_.add((org.apache.impala.catalog.User) principal);
        } else {
            // Every type other than USER is handled as a role.
            Preconditions.checkArgument(principal instanceof Role);
            roleCache_.add((Role) principal);
        }

        // NOTE(review): toLowerCase() uses the JVM default locale. Whether that matches the
        // key normalisation inside CatalogObjectCache is not visible here.
        for (String group : principal.getGrantGroups()) {
            groupsToRoles_
                    .computeIfAbsent(group, unused -> new HashSet<>())
                    .add(principal.getName().toLowerCase());
        }
        principalIds_.put(principal.getId(), principal.getName());
    }

    /**
     * Attaches a privilege to the principal identified by the privilege's principal id and type.
     *
     * @param principalPrivilege the privilege to attach
     * @throws CatalogException if no principal with that id and type is registered
     */
    public synchronized void addPrivilege(PrincipalPrivilege principalPrivilege) throws CatalogException {
        if (LOG.isTraceEnabled()) {
            LOG.trace("Adding privilege: " + principalPrivilege.getName() + " " + Principal.toString(principalPrivilege.getPrincipalType()).toLowerCase() + " ID: " + principalPrivilege.getPrincipalId());
        }

        Principal owner = getPrincipal(principalPrivilege.getPrincipalId(), principalPrivilege.getPrincipalType());
        if (owner == null) {
            String message = String.format(
                    "Error adding privilege: %s. %s ID '%d' does not exist.",
                    principalPrivilege.getName(),
                    Principal.toString(principalPrivilege.getPrincipalType()),
                    principalPrivilege.getPrincipalId());
            throw new CatalogException(message);
        }

        if (LOG.isTraceEnabled()) {
            LOG.trace("Adding privilege: " + principalPrivilege.getName() + " to " + Principal.toString(principalPrivilege.getPrincipalType()).toLowerCase() + ": " + owner.getName() + " with ID: " + owner.getId());
        }
        owner.addPrivilege(principalPrivilege);
    }

    /** Returns the values currently held by the role cache. */
    public synchronized List<Role> getAllRoles() {
        return roleCache_.getValues();
    }

    /** Returns the values currently held by the user cache. */
    public synchronized List<org.apache.impala.catalog.User> getAllUsers() {
        return userCache_.getValues();
    }

    /** Returns a new set holding the keys of the role cache. */
    public synchronized Set<String> getAllRoleNames() {
        return Sets.newHashSet(roleCache_.keySet());
    }

    /**
     * Looks up a role by name.
     *
     * @param str role name
     * @return whatever the role cache returns for that name
     */
    public synchronized Role getRole(String str) {
        return roleCache_.get(str);
    }

    /**
     * Looks up a role by principal id.
     *
     * @param i principal id
     * @return {@code null} if the id is not registered, otherwise the role cache entry for
     *     the name registered under that id
     */
    public synchronized Role getRole(int i) {
        String name = principalIds_.get(i);
        return name == null ? null : roleCache_.get(name);
    }

    /** Returns a new set holding the keys of the user cache. */
    public synchronized Set<String> getAllUserNames() {
        return Sets.newHashSet(userCache_.keySet());
    }

    /**
     * Looks up a user by name.
     *
     * @param str user name
     * @return whatever the user cache returns for that name
     */
    public synchronized org.apache.impala.catalog.User getUser(String str) {
        return userCache_.get(str);
    }

    /**
     * Looks up a user by principal id.
     *
     * @param i principal id
     * @return {@code null} if the id is not registered, otherwise the user cache entry for
     *     the name registered under that id
     */
    public synchronized org.apache.impala.catalog.User getUser(int i) {
        String name = principalIds_.get(i);
        return name == null ? null : userCache_.get(name);
    }

    /**
     * Looks up a principal by name in the cache selected by {@code tPrincipalType}.
     *
     * <p>NOTE(review): every type other than ROLE is served from the user cache here, while
     * {@link #addPrincipal} stores every type other than USER as a role. The two defaults
     * agree only if ROLE and USER are the only types in use.
     *
     * @param str principal name
     * @param tPrincipalType ROLE selects the role cache; anything else selects the user cache
     */
    public synchronized Principal getPrincipal(String str, TPrincipalType tPrincipalType) {
        if (tPrincipalType == TPrincipalType.ROLE) {
            return roleCache_.get(str);
        }
        return userCache_.get(str);
    }

    /**
     * Looks up a principal by id, then by the name registered under that id.
     *
     * @param i principal id
     * @param tPrincipalType selects the cache, as in {@link #getPrincipal(String, TPrincipalType)}
     * @return {@code null} if the id is not registered
     */
    public synchronized Principal getPrincipal(int i, TPrincipalType tPrincipalType) {
        String name = principalIds_.get(i);
        return name == null ? null : getPrincipal(name, tPrincipalType);
    }

    /**
     * Returns the roles granted to a group.
     *
     * @param str group name, matched exactly against the keys of the group index
     * @return a new list of the indexed roles that the role cache still resolves; empty if
     *     the group is unknown
     */
    public synchronized List<Role> getGrantedRoles(String str) {
        List<Role> granted = new ArrayList<>();
        Set<String> roleNames = groupsToRoles_.get(str);
        if (roleNames == null) {
            return granted;
        }
        for (String roleName : roleNames) {
            Role role = roleCache_.get(roleName);
            if (role != null) {
                granted.add(role);
            }
        }
        return granted;
    }

    /**
     * Removes a principal by name; ROLE removes a role, any other type removes a user.
     *
     * @return the removed principal, or {@code null} if none was registered
     */
    public synchronized Principal removePrincipal(String str, TPrincipalType tPrincipalType) {
        if (tPrincipalType == TPrincipalType.ROLE) {
            return removeRole(str);
        }
        return removeUser(str);
    }

    /**
     * Removes the named principal if it exists and its catalog version is lower than {@code j}.
     *
     * @param tPrincipal supplies the principal name and type
     * @param j version threshold; principals at or above it are kept
     */
    public synchronized void removePrincipalIfLowerVersion(TPrincipal tPrincipal, long j) {
        Principal current = getPrincipal(tPrincipal.getPrincipal_name(), tPrincipal.getPrincipal_type());
        boolean removable = current != null && current.getCatalogVersion() < j;
        if (removable) {
            removePrincipal(tPrincipal.getPrincipal_name(), tPrincipal.getPrincipal_type());
            CatalogObjectVersionSet.INSTANCE.removeAll(current.getPrivileges());
        }
    }

    /**
     * Removes a privilege from its principal if the stored privilege exists and its catalog
     * version is lower than {@code j}.
     *
     * @param tPrivilege supplies the principal id, the principal type and the privilege name
     * @param j version threshold; privileges at or above it are kept
     */
    public synchronized void removePrivilegeIfLowerVersion(TPrivilege tPrivilege, long j) {
        Principal owner = getPrincipal(tPrivilege.getPrincipal_id(), tPrivilege.getPrincipal_type());
        if (owner == null) {
            return;
        }
        String privilegeName = PrincipalPrivilege.buildPrivilegeName(tPrivilege);
        PrincipalPrivilege stored = owner.getPrivilege(privilegeName);
        if (stored == null || stored.getCatalogVersion() >= j) {
            return;
        }
        owner.removePrivilege(privilegeName);
    }

    /**
     * Removes a role together with its group-index and id-index entries.
     *
     * @param str role name
     * @return the removed role, or {@code null} if it was not registered
     */
    public synchronized Role removeRole(String str) {
        Role removed = roleCache_.remove(str);
        if (removed == null) {
            return null;
        }
        for (String group : removed.getGrantGroups()) {
            Set<String> roleNames = groupsToRoles_.get(group);
            if (roleNames != null) {
                roleNames.remove(str.toLowerCase());
            }
        }
        principalIds_.remove(removed.getId());
        return removed;
    }

    /**
     * Removes a user together with its id-index entry.
     *
     * @param str user name
     * @return the removed user, or {@code null} if it was not registered
     */
    public synchronized org.apache.impala.catalog.User removeUser(String str) {
        org.apache.impala.catalog.User removed = userCache_.remove(str);
        if (removed != null) {
            principalIds_.remove(removed.getId());
        }
        return removed;
    }

    /**
     * Grants a role to a group, updating both the role object and the group index.
     *
     * @param str role name
     * @param str2 group name
     * @return the updated role
     * @throws CatalogException if the role is not registered
     */
    public synchronized Role addRoleGrantGroup(String str, String str2) throws CatalogException {
        Role role = roleCache_.get(str);
        if (role == null) {
            throw new CatalogException("Role does not exist: " + str);
        }
        role.addGrantGroup(str2);
        groupsToRoles_
                .computeIfAbsent(str2, unused -> new HashSet<>())
                .add(str.toLowerCase());
        return role;
    }

    /**
     * Revokes a role from a group, updating both the role object and the group index.
     *
     * @param str role name
     * @param str2 group name
     * @return the updated role
     * @throws CatalogException if the role is not registered
     */
    public synchronized Role removeRoleGrantGroup(String str, String str2) throws CatalogException {
        Role role = roleCache_.get(str);
        if (role == null) {
            throw new CatalogException("Role does not exist: " + str);
        }
        role.removeGrantGroup(str2);
        Set<String> roleNames = groupsToRoles_.get(str2);
        if (roleNames != null) {
            roleNames.remove(str.toLowerCase());
        }
        return role;
    }

    /**
     * Builds the result set listing a role's privileges.
     *
     * @param str role name; an unknown role yields a result with a schema and no rows
     * @param tPrivilege optional filter, or {@code null} to list every privilege. The filter
     *     object is modified while it is being compared (see {@link #isPrivilegeFiltered}).
     * @return the result set, one row per matching privilege
     */
    public synchronized TResultSet getRolePrivileges(String str, TPrivilege tPrivilege) {
        TResultSet result = new TResultSet();
        result.setSchema(new TResultSetMetadata());
        addColumnOutputColumns(result.getSchema());
        result.setRows(new ArrayList<>());

        Role role = getRole(str);
        if (role == null) {
            return result;
        }
        for (PrincipalPrivilege privilege : role.getPrivileges()) {
            TPrivilege thriftPrivilege = privilege.toThrift();
            if (tPrivilege != null && isPrivilegeFiltered(tPrivilege, thriftPrivilege)) {
                continue;
            }
            result.addToRows(addShowPrincipalOutputResults(thriftPrivilege, new TResultRowBuilder()).get());
        }
        return result;
    }

    /**
     * Reports whether {@code candidate} should be left out of the output for {@code filter}.
     *
     * <p>The privilege level and grant option of {@code filter} are overwritten with the
     * candidate's values before the two privilege names are compared, ignoring case. The
     * caller's filter object is therefore modified by every call.
     *
     * @return {@code true} if the two privilege names differ
     */
    private boolean isPrivilegeFiltered(TPrivilege filter, TPrivilege candidate) {
        filter.setPrivilege_level(candidate.getPrivilege_level());
        filter.setHas_grant_opt(candidate.isHas_grant_opt());
        String filterName = PrincipalPrivilege.buildPrivilegeName(filter);
        String candidateName = PrincipalPrivilege.buildPrivilegeName(candidate);
        return !filterName.equalsIgnoreCase(candidateName);
    }

    /** Appends the eight per-privilege columns to {@code schema}, in output order. */
    private void addColumnOutputColumns(TResultSetMetadata schema) {
        schema.addToColumns(new TColumn("scope", Type.STRING.toThrift()));
        schema.addToColumns(new TColumn(RangerImpalaResourceBuilder.DATABASE, Type.STRING.toThrift()));
        schema.addToColumns(new TColumn(RangerImpalaResourceBuilder.TABLE, Type.STRING.toThrift()));
        schema.addToColumns(new TColumn(RangerImpalaResourceBuilder.COLUMN, Type.STRING.toThrift()));
        schema.addToColumns(new TColumn("uri", Type.STRING.toThrift()));
        schema.addToColumns(new TColumn("privilege", Type.STRING.toThrift()));
        schema.addToColumns(new TColumn("grant_option", Type.BOOLEAN.toThrift()));
        schema.addToColumns(new TColumn("create_time", Type.STRING.toThrift()));
    }

    /**
     * Appends one privilege's values to {@code row}, in the column order set up by
     * {@link #addColumnOutputColumns}.
     *
     * <p>Scope, database, table, column and privilege level are lower-cased; the URI is
     * written as stored. A creation time of -1 is written as a null string.
     *
     * @return the same builder, for chaining
     */
    private TResultRowBuilder addShowPrincipalOutputResults(TPrivilege privilege, TResultRowBuilder row) {
        row.add(privilege.getScope().toString().toLowerCase());
        row.add(Strings.nullToEmpty(privilege.getDb_name()).toLowerCase());
        row.add(Strings.nullToEmpty(privilege.getTable_name()).toLowerCase());
        row.add(Strings.nullToEmpty(privilege.getColumn_name()).toLowerCase());
        row.add(Strings.nullToEmpty(privilege.getUri()));
        row.add(privilege.getPrivilege_level().toString().toLowerCase());
        row.add(privilege.isHas_grant_opt());

        boolean createTimeUnset = privilege.getCreate_time_ms() == -1;
        if (createTimeUnset) {
            // The cast selects the String overload of add().
            row.add((String) null);
        } else {
            row.add(TimeStamp.getNtpTime(privilege.getCreate_time_ms()).toDateString());
        }
        return row;
    }

    /**
     * Builds the result set listing a user's own privileges followed by the privileges of
     * every role granted to the user's groups.
     *
     * <p>An empty group set is reported as "user does not exist"; the user cache is not
     * consulted for that decision. Role rows are produced once per (group, role) pair, so a
     * role reachable through several groups appears several times.
     *
     * @param str user name
     * @param set names of the groups the user belongs to, as supplied by the caller
     * @param tPrivilege optional filter, or {@code null} to list every privilege. The filter
     *     object is modified while it is being compared (see {@link #isPrivilegeFiltered}).
     * @return the result set, with principal type and name columns ahead of the privilege columns
     * @throws AnalysisException if {@code set} is empty
     */
    public synchronized TResultSet getUserPrivileges(String str, Set<String> set, TPrivilege tPrivilege) throws AnalysisException {
        TResultSet result = new TResultSet();
        result.setSchema(new TResultSetMetadata());
        TResultSetMetadata schema = result.getSchema();
        schema.addToColumns(new TColumn("principal_type", Type.STRING.toThrift()));
        schema.addToColumns(new TColumn("principal_name", Type.STRING.toThrift()));
        addColumnOutputColumns(result.getSchema());
        result.setRows(new ArrayList<>());

        if (set.isEmpty()) {
            throw new AnalysisException(String.format("User '%s' does not exist.", str));
        }

        org.apache.impala.catalog.User user = getUser(str);
        if (user != null) {
            createShowUserPrivilegesResultRows(result, user.getPrivileges(), tPrivilege, str, TPrincipalType.USER);
        }

        for (String group : set) {
            for (Role granted : getGrantedRoles(group)) {
                // Resolve the role again by name before reading its privileges.
                Role role = getRole(granted.getName());
                if (role != null) {
                    createShowUserPrivilegesResultRows(result, role.getPrivileges(), tPrivilege, role.getName(), TPrincipalType.ROLE);
                }
            }
        }
        return result;
    }

    /**
     * Appends one row per privilege that passes the filter, each prefixed with the
     * upper-cased principal type and the principal name.
     */
    private void createShowUserPrivilegesResultRows(TResultSet result, List<PrincipalPrivilege> privileges, TPrivilege filter, String principalName, TPrincipalType principalType) {
        for (PrincipalPrivilege privilege : privileges) {
            TPrivilege thriftPrivilege = privilege.toThrift();
            if (filter != null && isPrivilegeFiltered(filter, thriftPrivilege)) {
                continue;
            }
            TResultRowBuilder row = new TResultRowBuilder();
            row.add(Strings.nullToEmpty(principalType.name().toUpperCase()));
            row.add(Strings.nullToEmpty(principalName));
            result.addToRows(addShowPrincipalOutputResults(thriftPrivilege, row).get());
        }
    }
}
