package org.apache.ranger.authorization.hbase;

import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.filter.Filter;
import org.apache.hadoop.hbase.filter.FilterBase;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.thirdparty.com.google.common.base.MoreObjects;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.class */
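/**
 * HBase filter that decides, cell by cell, whether a cell is returned to the caller.
 *
 * <p>The decision is driven by the family/column authorization results handed to the
 * constructor. Families found only in the "allowed" or "indeterminate" sets are
 * re-authorized through the {@link AuthorizationSession} for every cell.
 *
 * <p>The filter fails closed: the result starts as {@code NEXT_COL} and is changed to
 * {@code INCLUDE} only by a branch that positively establishes access.
 */
public class RangerAuthorizationFilter extends FilterBase {
    private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationFilter.class.getName());

    // Families checked for membership before a per-cell re-authorization is triggered.
    final Set<String> _familiesAccessAllowed;
    // Families whose cells are always skipped.
    final Set<String> _familiesAccessDenied;
    // Families for which access must be evaluated per cell.
    final Set<String> _familiesAccessIndeterminate;
    // Family name -> column names for which access was already granted.
    final Map<String, Set<String>> _columnsAccessAllowed;
    // Families included without a column check when the session enables the optimization.
    final Set<String> _familiesFullyAuthorized;
    final AuthorizationSession _session;
    // Initialized before the constructor body runs, so the constructor can register it.
    final HbaseAuditHandler _auditHandler = HbaseFactory.getInstance().getAuditHandler();

    /**
     * Creates the filter and registers this filter's audit handler on the session.
     *
     * @param session                    session used to re-authorize individual cells
     * @param familiesAccessAllowed      families stored in {@code _familiesAccessAllowed}
     * @param familiesAccessDenied       families stored in {@code _familiesAccessDenied}
     * @param familiesAccessIndeterminate families stored in {@code _familiesAccessIndeterminate}
     * @param columnsAccessAllowed       family to allowed-columns map
     * @param familiesFullyAuthorized    families stored in {@code _familiesFullyAuthorized}
     */
    public RangerAuthorizationFilter(AuthorizationSession session, Set<String> familiesAccessAllowed, Set<String> familiesAccessDenied, Set<String> familiesAccessIndeterminate, Map<String, Set<String>> columnsAccessAllowed, Set<String> familiesFullyAuthorized) {
        this._familiesAccessAllowed = familiesAccessAllowed;
        this._familiesAccessDenied = familiesAccessDenied;
        this._familiesAccessIndeterminate = familiesAccessIndeterminate;
        this._columnsAccessAllowed = columnsAccessAllowed;
        this._familiesFullyAuthorized = familiesFullyAuthorized;
        this._session = session;
        this._session.auditHandler(this._auditHandler);
    }

    /**
     * Decides whether {@code cell} is included in the result.
     *
     * <p>Checks run in this order, first match wins: missing family (skip), denied family
     * (skip), fully authorized family with the optimization enabled (include), family with
     * column-level results (include only if the column is listed), allowed or indeterminate
     * family (re-authorize this cell), anything else (skip).
     *
     * @param cell the cell under evaluation
     * @return {@code INCLUDE} when access is established, otherwise {@code NEXT_COL}
     * @throws IOException declared by the original signature
     */
    @Override
    public Filter.ReturnCode filterKeyValue(Cell cell) throws IOException {
        LOG.debug("==> filterKeyValue");

        // NOTE(review): family and column names are decoded from cell bytes and written to the
        // log as-is; log consumers should treat these values as untrusted data.
        final String family = toStringOrNull(CellUtil.cloneFamily(cell));
        if (family != null) {
            LOG.debug("filterKeyValue: evaluating family[{}].", family);
        }
        final String column = toStringOrNull(CellUtil.cloneQualifier(cell));
        if (column != null) {
            LOG.debug("filterKeyValue: evaluating column[{}].", column);
        } else {
            LOG.warn("filterKeyValue: empty/null column set! Unexpected!");
        }

        // Fail closed: every branch that does not explicitly grant access leaves this untouched.
        Filter.ReturnCode result = Filter.ReturnCode.NEXT_COL;
        boolean authCheckNeeded = false;

        if (family == null) {
            LOG.warn("filterKeyValue: Unexpected - null/empty family! Access denied!");
        } else if (this._familiesAccessDenied.contains(family)) {
            LOG.debug("filterKeyValue: family found in access denied families cache.  Access denied.");
        } else if (this._session.getPropertyIsColumnAuthOptimizationEnabled() && this._familiesFullyAuthorized.contains(family)) {
            // This shortcut includes the cell without calling authorize() or logAuthzAudits().
            LOG.debug("filterKeyValue: ColumnAuthOptimizationEnabled and family found in fully authorized families cache.  Column authorization is not required");
            result = Filter.ReturnCode.INCLUDE;
        } else if (this._columnsAccessAllowed.containsKey(family)) {
            LOG.debug("filterKeyValue: family found in column level access results cache.");
            // A key mapped to null is treated as "no columns allowed" rather than failing
            // with a NullPointerException in the middle of a scan.
            final Set<String> allowedColumns = this._columnsAccessAllowed.get(family);
            if (allowedColumns != null && allowedColumns.contains(column)) {
                LOG.debug("filterKeyValue: family/column found in column level access results cache. Access allowed.");
                result = Filter.ReturnCode.INCLUDE;
            } else {
                LOG.debug("filterKeyValue: family/column not in column level access results cache. Access denied.");
            }
        } else if (this._familiesAccessAllowed.contains(family)) {
            LOG.debug("filterKeyValue: family found in access allowed families cache.  Must re-authorize for correct audit generation.");
            authCheckNeeded = true;
        } else if (this._familiesAccessIndeterminate.contains(family)) {
            LOG.debug("filterKeyValue: family found in indeterminate families cache.  Evaluating access...");
            authCheckNeeded = true;
        } else {
            LOG.warn("filterKeyValue: Unexpected - alien family encountered that wasn't seen by pre-hook!  Access Denied.!");
        }

        if (authCheckNeeded) {
            result = reauthorize(family, column);
        }

        LOG.debug("filterKeyValue: {}", result);
        return result;
    }

    /** Decodes {@code bytes} to a string, or returns {@code null} when it is null or empty. */
    private static String toStringOrNull(byte[] bytes) {
        return (bytes != null && bytes.length > 0) ? Bytes.toString(bytes) : null;
    }

    /**
     * Runs a fresh authorization for one family/column pair and audits a grant.
     *
     * <p>The most recent audit event is always taken from the handler; it is forwarded to
     * {@code logAuthzAudits} only when the session reports the request as authorized.
     * NOTE(review): a denial on this path is only debug-logged and its event is dropped;
     * if denials must be audited, that has to happen elsewhere - confirm.
     *
     * @return {@code INCLUDE} when the session authorizes the request, else {@code NEXT_COL}
     */
    private Filter.ReturnCode reauthorize(String family, String column) throws IOException {
        LOG.debug("filterKeyValue: Checking authorization...");
        this._session.columnFamily(family).column(column).buildRequest().authorize();
        final AuthzAuditEvent auditEvent = this._auditHandler.getAndDiscardMostRecentEvent();

        if (!this._session.isAuthorized()) {
            LOG.debug("filterKeyValue: Access denied.  Denial not audited.");
            return Filter.ReturnCode.NEXT_COL;
        }

        LOG.debug("filterKeyValue: Access granted.");
        if (auditEvent != null) {
            LOG.debug("filterKeyValue: access is audited.");
            this._auditHandler.logAuthzAudits(Collections.singletonList(auditEvent));
        } else {
            LOG.debug("filterKeyValue: no audit event returned.  Access not audited.");
        }
        return Filter.ReturnCode.INCLUDE;
    }

    /**
     * Describes the authorization sets held by this filter, including the fully authorized
     * families, which can cause cells to be included without a column check.
     */
    @Override
    public String toString() {
        return MoreObjects.toStringHelper(getClass())
                .add("familiesAccessAllowed", this._familiesAccessAllowed)
                .add("familiesAccessDenied", this._familiesAccessDenied)
                .add("familiesAccessUnknown", this._familiesAccessIndeterminate)
                .add("columnsAccessAllowed", this._columnsAccessAllowed)
                .add("familiesFullyAuthorized", this._familiesFullyAuthorized)
                .toString();
    }
}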
