package org.apache.ranger.plugin.service;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.admin.client.RangerAdminRESTClient;
import org.apache.ranger.audit.provider.AuditHandler;
import org.apache.ranger.audit.provider.AuditProviderFactory;
import org.apache.ranger.audit.provider.StandAloneAuditProviderFactory;
import org.apache.ranger.authorization.hadoop.config.RangerAuditConfig;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.conditionevaluator.RangerScriptExecutionContext;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.DownloadTrigger;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
import org.apache.ranger.plugin.util.PolicyRefresher;
import org.apache.ranger.plugin.util.RangerPolicyDeltaUtil;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.eclipse.persistence.jpa.jpql.parser.Expression;

/* loaded from: input_file:org/apache/ranger/plugin/service/RangerBasePlugin.class */
public class RangerBasePlugin {
    private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class);
    private final RangerPluginConfig pluginConfig;
    private final RangerPluginContext pluginContext;
    private final Map<String, LogHistory> logHistoryList;
    private final int logInterval = 30000;
    private final DownloadTrigger accessTrigger;
    private PolicyRefresher refresher;
    private RangerPolicyEngine policyEngine;
    private RangerAuthContext currentAuthContext;
    private RangerAccessResultProcessor resultProcessor;
    private RangerRoles roles;
    private final List<RangerChainedPlugin> chainedPlugins;

    /* loaded from: input_file:org/apache/ranger/plugin/service/RangerBasePlugin$LogHistory.class */
    private static final class LogHistory {
        long lastLogTime;
        int counter;

        private LogHistory() {
        }
    }

    public RangerBasePlugin(String str, String str2) {
        this(new RangerPluginConfig(str, null, str2, null, null, null));
    }

    public RangerBasePlugin(String str, String str2, String str3) {
        this(new RangerPluginConfig(str, str2, str3, null, null, null));
    }

    public RangerBasePlugin(RangerPluginConfig rangerPluginConfig) {
        this.logHistoryList = new Hashtable();
        this.logInterval = 30000;
        this.accessTrigger = new DownloadTrigger();
        this.pluginConfig = rangerPluginConfig;
        this.pluginContext = new RangerPluginContext(rangerPluginConfig);
        Set<String> set = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".super.users"));
        Set<String> set2 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".super.groups"));
        Set<String> set3 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".audit.exclude.users"));
        Set<String> set4 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".audit.exclude.groups"));
        Set<String> set5 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".audit.exclude.roles"));
        setSuperUsersAndGroups(set, set2);
        setAuditExcludedUsersGroupsRoles(set3, set4, set5);
        RangerScriptExecutionContext.init(rangerPluginConfig);
        this.chainedPlugins = initChainedPlugins();
    }

    public static AuditHandler getAuditProvider(String str) {
        return getAuditProviderFactory(str).getAuditProvider();
    }

    public String getServiceType() {
        return this.pluginConfig.getServiceType();
    }

    public String getAppId() {
        return this.pluginConfig.getAppId();
    }

    public RangerPluginConfig getConfig() {
        return this.pluginConfig;
    }

    public String getClusterName() {
        return this.pluginConfig.getClusterName();
    }

    public RangerAuthContext getCurrentRangerAuthContext() {
        return this.currentAuthContext;
    }

    public RangerAuthContext createRangerAuthContext() {
        return this.currentAuthContext;
    }

    public RangerRoles getRoles() {
        return this.roles;
    }

    public void setRoles(RangerRoles rangerRoles) {
        this.roles = rangerRoles;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            rangerPolicyEngine.setRoles(rangerRoles);
        }
        this.pluginContext.notifyAuthContextChanged();
    }

    public void setAuditExcludedUsersGroupsRoles(Set<String> set, Set<String> set2, Set<String> set3) {
        this.pluginConfig.setAuditExcludedUsersGroupsRoles(set, set2, set3);
    }

    public void setSuperUsersAndGroups(Set<String> set, Set<String> set2) {
        this.pluginConfig.setSuperUsersGroups(set, set2);
    }

    public RangerServiceDef getServiceDef() {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.getServiceDef();
        }
        return null;
    }

    public int getServiceDefId() {
        RangerServiceDef serviceDef = getServiceDef();
        if (serviceDef == null || serviceDef.getId() == null) {
            return -1;
        }
        return serviceDef.getId().intValue();
    }

    public String getServiceName() {
        return this.pluginConfig.getServiceName();
    }

    public AuditProviderFactory getAuditProviderFactory() {
        return getAuditProviderFactory(getServiceName());
    }

    public void init() {
        cleanup();
        AuditProviderFactory auditProviderFactory = AuditProviderFactory.getInstance();
        if (!auditProviderFactory.isInitDone()) {
            if (this.pluginConfig.getProperties() != null) {
                auditProviderFactory.init(this.pluginConfig.getProperties(), getAppId());
            } else {
                LOG.error("Audit subsystem is not initialized correctly. Please check audit configuration. ");
                LOG.error("No authorization audits will be generated. ");
            }
        }
        this.refresher = new PolicyRefresher(this);
        LOG.info("Created PolicyRefresher Thread(" + this.refresher.getName() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        this.refresher.setDaemon(true);
        this.refresher.startRefresher();
        Iterator<RangerChainedPlugin> it = this.chainedPlugins.iterator();
        while (it.hasNext()) {
            it.next().init();
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v55, types: [org.apache.ranger.plugin.policyengine.RangerPolicyEngine] */
    public void setPolicies(ServicePolicies servicePolicies) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> setPolicies(" + servicePolicies + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        try {
            RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
            ServicePolicies servicePolicies2 = null;
            boolean z = true;
            boolean z2 = false;
            if (servicePolicies == null) {
                servicePolicies = getDefaultSvcPolicies();
                if (servicePolicies == null) {
                    LOG.error("Could not get default Service Policies. Keeping old policy-engine!");
                    z = false;
                }
            } else {
                Boolean hasPolicyDeltas = RangerPolicyDeltaUtil.hasPolicyDeltas(servicePolicies);
                if (hasPolicyDeltas == null) {
                    LOG.warn("Downloaded policies are internally inconsistent!! [" + servicePolicies + "]. Please check server-side code! Keeping old policy-engine!");
                    z = false;
                } else if (hasPolicyDeltas.equals(Boolean.TRUE)) {
                    servicePolicies2 = ServicePolicies.applyDelta(servicePolicies, (RangerPolicyEngineImpl) rangerPolicyEngine);
                    if (servicePolicies2 != null) {
                        z2 = true;
                    } else {
                        LOG.error("Could not apply deltas=" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()));
                        LOG.warn("Keeping old policy-engine!");
                        z = false;
                    }
                } else {
                    z2 = false;
                }
            }
            if (z) {
                RangerPolicyEngineImpl rangerPolicyEngineImpl = null;
                boolean z3 = false;
                if (z2) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("policy-deltas are not null");
                    }
                    if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) || MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Non empty policy-deltas found. Cloning engine using policy-deltas");
                        }
                        if (rangerPolicyEngine != null) {
                            rangerPolicyEngineImpl = RangerPolicyEngineImpl.getPolicyEngine((RangerPolicyEngineImpl) rangerPolicyEngine, servicePolicies);
                        }
                        if (rangerPolicyEngineImpl != null) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Applied policyDeltas=" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
                            }
                            z3 = true;
                        } else {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Failed to apply policyDeltas=" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + "), Creating engine from policies");
                                LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies2 + "]");
                            }
                            rangerPolicyEngineImpl = new RangerPolicyEngineImpl(servicePolicies2, this.pluginContext, this.roles);
                        }
                    } else if (LOG.isDebugEnabled()) {
                        LOG.debug("Empty policy-deltas. No need to change policy engine");
                    }
                } else {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Creating engine from policies");
                    }
                    rangerPolicyEngineImpl = new RangerPolicyEngineImpl(servicePolicies, this.pluginContext, this.roles);
                }
                if (rangerPolicyEngineImpl != null) {
                    if (!z3) {
                        rangerPolicyEngineImpl.setUseForwardedIPAddress(this.pluginConfig.isUseForwardedIPAddress());
                        rangerPolicyEngineImpl.setTrustedProxyAddresses(this.pluginConfig.getTrustedProxyAddresses());
                    }
                    this.policyEngine = rangerPolicyEngineImpl;
                    this.currentAuthContext = this.pluginContext.getAuthContext();
                    this.pluginContext.notifyAuthContextChanged();
                    if (rangerPolicyEngine != null) {
                        ((RangerPolicyEngineImpl) rangerPolicyEngine).releaseResources(!z3);
                    }
                    if (this.refresher != null) {
                        this.refresher.saveToCache(z2 ? servicePolicies2 : servicePolicies);
                    }
                }
            } else {
                LOG.warn("Returning without saving policies to cache. Leaving current policy engine as-is");
            }
        } catch (Exception e) {
            LOG.error("setPolicies: policy engine initialization failed!  Leaving current policy engine as-is. Exception : ", e);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== setPolicies(" + servicePolicies + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
    }

    public void cleanup() {
        PolicyRefresher policyRefresher = this.refresher;
        this.refresher = null;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        this.policyEngine = null;
        if (policyRefresher != null) {
            policyRefresher.stopRefresher();
        }
        if (rangerPolicyEngine != null) {
            ((RangerPolicyEngineImpl) rangerPolicyEngine).releaseResources(true);
        }
    }

    public void setResultProcessor(RangerAccessResultProcessor rangerAccessResultProcessor) {
        this.resultProcessor = rangerAccessResultProcessor;
    }

    public RangerAccessResultProcessor getResultProcessor() {
        return this.resultProcessor;
    }

    public RangerAccessResult isAccessAllowed(RangerAccessRequest rangerAccessRequest) {
        return isAccessAllowed(rangerAccessRequest, this.resultProcessor);
    }

    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> collection) {
        return isAccessAllowed(collection, this.resultProcessor);
    }

    public RangerAccessResult isAccessAllowed(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerAccessResult rangerAccessResult = null;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            rangerAccessResult = rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, 0, (RangerAccessResultProcessor) null);
        }
        if (rangerAccessResult != null) {
            Iterator<RangerChainedPlugin> it = this.chainedPlugins.iterator();
            while (it.hasNext()) {
                RangerAccessResult isAccessAllowed = it.next().isAccessAllowed(rangerAccessRequest);
                if (isAccessAllowed != null) {
                    updateResultFromChainedResult(rangerAccessResult, isAccessAllowed);
                }
            }
        }
        if (rangerAccessResultProcessor != null) {
            rangerAccessResultProcessor.processResult(rangerAccessResult);
        }
        return rangerAccessResult;
    }

    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> collection, RangerAccessResultProcessor rangerAccessResultProcessor) {
        Collection<RangerAccessResult> collection2 = null;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            collection2 = rangerPolicyEngine.evaluatePolicies(collection, 0, (RangerAccessResultProcessor) null);
        }
        if (CollectionUtils.isNotEmpty(collection2)) {
            Iterator<RangerChainedPlugin> it = this.chainedPlugins.iterator();
            while (it.hasNext()) {
                Collection<RangerAccessResult> isAccessAllowed = it.next().isAccessAllowed(collection);
                if (CollectionUtils.isNotEmpty(isAccessAllowed)) {
                    Iterator<RangerAccessResult> it2 = collection2.iterator();
                    Iterator<RangerAccessResult> it3 = isAccessAllowed.iterator();
                    while (it2.hasNext() && it3.hasNext()) {
                        RangerAccessResult next = it2.next();
                        RangerAccessResult next2 = it3.next();
                        if (next != null && next2 != null) {
                            updateResultFromChainedResult(next, next2);
                        }
                    }
                }
            }
        }
        if (rangerAccessResultProcessor != null) {
            rangerAccessResultProcessor.processResults(collection2);
        }
        return collection2;
    }

    public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, 1, rangerAccessResultProcessor);
        }
        return null;
    }

    public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, 2, rangerAccessResultProcessor);
        }
        return null;
    }

    public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest rangerAccessRequest) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.getResourceAccessInfo(rangerAccessRequest);
        }
        return null;
    }

    public RangerResourceACLs getResourceACLs(RangerAccessRequest rangerAccessRequest) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.getResourceACLs(rangerAccessRequest);
        }
        return null;
    }

    public Set<String> getRolesFromUserAndGroups(String str, Set<String> set) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.getRolesFromUserAndGroups(str, set);
        }
        return null;
    }

    public RangerRole createRole(RangerRole rangerRole, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.createRole(" + rangerRole + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerRole createRole = getAdminClient().createRole(rangerRole);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.createRole(" + rangerRole + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        return createRole;
    }

    public void dropRole(String str, String str2, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.dropRole(" + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        getAdminClient().dropRole(str, str2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.dropRole(" + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
    }

    public List<String> getUserRoles(String str, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.getUserRoleNames(" + str + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        List<String> userRoles = getAdminClient().getUserRoles(str);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.getUserRoleNames(" + str + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        return userRoles;
    }

    public List<String> getAllRoles(String str, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.getAllRoles()");
        }
        List<String> allRoles = getAdminClient().getAllRoles(str);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.getAllRoles()");
        }
        return allRoles;
    }

    public RangerRole getRole(String str, String str2, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.getPrincipalsForRole(" + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerRole role = getAdminClient().getRole(str, str2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.getPrincipalsForRole(" + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        return role;
    }

    public void grantRole(GrantRevokeRoleRequest grantRevokeRoleRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.grantRole(" + grantRevokeRoleRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        getAdminClient().grantRole(grantRevokeRoleRequest);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.grantRole(" + grantRevokeRoleRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
    }

    public void revokeRole(GrantRevokeRoleRequest grantRevokeRoleRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.revokeRole(" + grantRevokeRoleRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        getAdminClient().revokeRole(grantRevokeRoleRequest);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.revokeRole(" + grantRevokeRoleRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
    }

    public void grantAccess(GrantRevokeRequest grantRevokeRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.grantAccess(" + grantRevokeRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        boolean z = false;
        try {
            RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
            if (rangerPolicyEngine != null) {
                grantRevokeRequest.setZoneName(rangerPolicyEngine.getUniquelyMatchedZoneName(grantRevokeRequest));
            }
            getAdminClient().grantAccess(grantRevokeRequest);
            z = true;
            auditGrantRevoke(grantRevokeRequest, "grant", true, rangerAccessResultProcessor);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== RangerBasePlugin.grantAccess(" + grantRevokeRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
        } catch (Throwable th) {
            auditGrantRevoke(grantRevokeRequest, "grant", z, rangerAccessResultProcessor);
            throw th;
        }
    }

    public void revokeAccess(GrantRevokeRequest grantRevokeRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.revokeAccess(" + grantRevokeRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        boolean z = false;
        try {
            RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
            if (rangerPolicyEngine != null) {
                grantRevokeRequest.setZoneName(rangerPolicyEngine.getUniquelyMatchedZoneName(grantRevokeRequest));
            }
            getAdminClient().revokeAccess(grantRevokeRequest);
            z = true;
            auditGrantRevoke(grantRevokeRequest, "revoke", true, rangerAccessResultProcessor);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== RangerBasePlugin.revokeAccess(" + grantRevokeRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
        } catch (Throwable th) {
            auditGrantRevoke(grantRevokeRequest, "revoke", z, rangerAccessResultProcessor);
            throw th;
        }
    }

    public void registerAuthContextEventListener(RangerAuthContextListener rangerAuthContextListener) {
        this.pluginContext.setAuthContextListener(rangerAuthContextListener);
    }

    public static RangerAdminClient createAdminClient(RangerPluginConfig rangerPluginConfig) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.createAdminClient(" + rangerPluginConfig.getServiceName() + ", " + rangerPluginConfig.getAppId() + ", " + rangerPluginConfig.getPropertyPrefix() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerAdminClient rangerAdminClient = null;
        String str = rangerPluginConfig.getPropertyPrefix() + ".policy.source.impl";
        String str2 = rangerPluginConfig.get(str);
        if (!StringUtils.isEmpty(str2)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("Value for property[%s] was [%s].", str, str2));
            }
            try {
                rangerAdminClient = (RangerAdminClient) Class.forName(str2).newInstance();
            } catch (Exception e) {
                LOG.error("failed to instantiate policy source of type '" + str2 + "'. Will use policy source of type '" + RangerAdminRESTClient.class.getName() + Expression.QUOTE, e);
            }
        } else if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("Value for property[%s] was null or empty. Unexpected! Will use policy source of type[%s]", str, RangerAdminRESTClient.class.getName()));
        }
        if (rangerAdminClient == null) {
            rangerAdminClient = new RangerAdminRESTClient();
        }
        rangerAdminClient.init(rangerPluginConfig.getServiceName(), rangerPluginConfig.getAppId(), rangerPluginConfig.getPropertyPrefix(), rangerPluginConfig);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.createAdminClient(" + rangerPluginConfig.getServiceName() + ", " + rangerPluginConfig.getAppId() + ", " + rangerPluginConfig.getPropertyPrefix() + "): policySourceImpl=" + str2 + ", client=" + rangerAdminClient);
        }
        return rangerAdminClient;
    }

    public void refreshPoliciesAndTags() {
        RangerTagEnricher tagEnricher;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> refreshPoliciesAndTags()");
        }
        try {
            long policyVersion = this.policyEngine.getPolicyVersion();
            this.refresher.syncPoliciesWithAdmin(this.accessTrigger);
            if (policyVersion == this.policyEngine.getPolicyVersion() && (tagEnricher = getTagEnricher()) != null) {
                tagEnricher.syncTagsWithAdmin(this.accessTrigger);
            }
        } catch (InterruptedException e) {
            LOG.error("Failed to update policy-engine, continuing to use old policy-engine and/or tags", e);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== refreshPoliciesAndTags()");
        }
    }

    private void auditGrantRevoke(GrantRevokeRequest grantRevokeRequest, String str, boolean z, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (grantRevokeRequest == null || rangerAccessResultProcessor == null) {
            return;
        }
        RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl();
        rangerAccessRequestImpl.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRevokeRequest.getResource())));
        rangerAccessRequestImpl.setUser(grantRevokeRequest.getGrantor());
        rangerAccessRequestImpl.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
        rangerAccessRequestImpl.setAction(str);
        rangerAccessRequestImpl.setClientIPAddress(grantRevokeRequest.getClientIPAddress());
        rangerAccessRequestImpl.setClientType(grantRevokeRequest.getClientType());
        rangerAccessRequestImpl.setRequestData(grantRevokeRequest.getRequestData());
        rangerAccessRequestImpl.setSessionId(grantRevokeRequest.getSessionId());
        RangerAccessResult isAccessAllowed = isAccessAllowed(rangerAccessRequestImpl, (RangerAccessResultProcessor) null);
        if (isAccessAllowed == null || !isAccessAllowed.getIsAudited()) {
            return;
        }
        rangerAccessRequestImpl.setAccessType(str);
        isAccessAllowed.setIsAllowed(z);
        if (!z) {
            isAccessAllowed.setPolicyId(-1L);
        }
        rangerAccessResultProcessor.processResult(isAccessAllowed);
    }

    private RangerServiceDef getDefaultServiceDef() {
        RangerServiceDef rangerServiceDef = null;
        if (StringUtils.isNotBlank(getServiceType())) {
            try {
                rangerServiceDef = EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(getServiceType());
            } catch (Exception e) {
                LOG.error("Could not get embedded service-def for " + getServiceType());
            }
        }
        return rangerServiceDef;
    }

    private ServicePolicies getDefaultSvcPolicies() {
        ServicePolicies servicePolicies = null;
        RangerServiceDef serviceDef = getServiceDef();
        if (serviceDef == null) {
            serviceDef = getDefaultServiceDef();
        }
        if (serviceDef != null) {
            servicePolicies = new ServicePolicies();
            servicePolicies.setServiceDef(serviceDef);
            servicePolicies.setServiceName(getServiceName());
            servicePolicies.setPolicies(new ArrayList());
        }
        return servicePolicies;
    }

    public boolean logErrorMessage(String str) {
        LogHistory logHistory = this.logHistoryList.get(str);
        if (logHistory == null) {
            logHistory = new LogHistory();
            this.logHistoryList.put(str, logHistory);
        }
        if (System.currentTimeMillis() - logHistory.lastLogTime <= 30000) {
            logHistory.counter++;
            return false;
        }
        logHistory.lastLogTime = System.currentTimeMillis();
        int i = logHistory.counter;
        logHistory.counter = 0;
        if (i > 0) {
            str = str + ". Messages suppressed before: " + i;
        }
        LOG.error(str);
        return true;
    }

    private Set<String> toSet(String str) {
        return StringUtils.isNotBlank(str) ? StringUtil.toSet(str) : Collections.emptySet();
    }

    private RangerTagEnricher getTagEnricher() {
        RangerTagEnricher rangerTagEnricher = null;
        RangerAuthContext currentRangerAuthContext = getCurrentRangerAuthContext();
        if (currentRangerAuthContext != null) {
            Map<RangerContextEnricher, Object> requestContextEnrichers = currentRangerAuthContext.getRequestContextEnrichers();
            if (MapUtils.isNotEmpty(requestContextEnrichers)) {
                Iterator<RangerContextEnricher> it = requestContextEnrichers.keySet().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    RangerContextEnricher next = it.next();
                    if (next instanceof RangerTagEnricher) {
                        rangerTagEnricher = (RangerTagEnricher) next;
                        break;
                    }
                }
            }
        }
        return rangerTagEnricher;
    }

    private RangerAdminClient getAdminClient() throws Exception {
        PolicyRefresher policyRefresher = this.refresher;
        RangerAdminClient rangerAdminClient = policyRefresher == null ? null : policyRefresher.getRangerAdminClient();
        if (rangerAdminClient == null) {
            throw new Exception("ranger-admin client is null");
        }
        return rangerAdminClient;
    }

    private List<RangerChainedPlugin> initChainedPlugins() {
        ArrayList arrayList = new ArrayList();
        String str = this.pluginConfig.getPropertyPrefix() + ".chained.services";
        for (String str2 : StringUtil.toList(this.pluginConfig.get(str))) {
            if (!StringUtils.isBlank(str2)) {
                String str3 = this.pluginConfig.get(str + "." + str2 + ".impl");
                if (StringUtils.isBlank(str3)) {
                    LOG.error("Ignoring chained service " + str2 + ": no impl class specified");
                } else {
                    try {
                        arrayList.add((RangerChainedPlugin) Class.forName(str3).getConstructor(RangerBasePlugin.class, String.class).newInstance(this, str2));
                    } catch (Throwable th) {
                        LOG.error("initChainedPlugins(): error instantiating plugin impl " + str3, th);
                    }
                }
            }
        }
        return arrayList;
    }

    private void updateResultFromChainedResult(RangerAccessResult rangerAccessResult, RangerAccessResult rangerAccessResult2) {
        boolean z = false;
        if (rangerAccessResult2.getIsAccessDetermined()) {
            z = !rangerAccessResult.getIsAccessDetermined() || rangerAccessResult2.getPolicyPriority() > rangerAccessResult.getPolicyPriority();
            if (!z && rangerAccessResult2.getPolicyPriority() == rangerAccessResult.getPolicyPriority() && !rangerAccessResult2.getIsAllowed() && rangerAccessResult.getIsAllowed()) {
                z = true;
            }
        }
        if (z) {
            rangerAccessResult.setIsAllowed(rangerAccessResult2.getIsAllowed());
            rangerAccessResult.setIsAccessDetermined(rangerAccessResult2.getIsAccessDetermined());
            rangerAccessResult.setPolicyId(rangerAccessResult2.getPolicyId());
            rangerAccessResult.setPolicyVersion(rangerAccessResult2.getPolicyVersion());
            rangerAccessResult.setPolicyPriority(rangerAccessResult2.getPolicyPriority());
        }
        if (rangerAccessResult.getIsAuditedDetermined() || !rangerAccessResult2.getIsAuditedDetermined()) {
            return;
        }
        rangerAccessResult.setIsAudited(rangerAccessResult2.getIsAudited());
        rangerAccessResult.setAuditPolicyId(rangerAccessResult2.getAuditPolicyId());
    }

    private static AuditProviderFactory getAuditProviderFactory(String str) {
        AuditProviderFactory auditProviderFactory = AuditProviderFactory.getInstance();
        if (!auditProviderFactory.isInitDone()) {
            LOG.warn("RangerBasePlugin.getAuditProviderFactory(serviceName=" + str + "): audit not initialized yet. Will use stand-alone audit factory");
            auditProviderFactory = StandAloneAuditProviderFactory.getInstance();
            if (!auditProviderFactory.isInitDone()) {
                RangerAuditConfig rangerAuditConfig = new RangerAuditConfig();
                if (rangerAuditConfig.isInitSuccess()) {
                    auditProviderFactory.init(rangerAuditConfig.getProperties(), "StandAlone");
                }
            }
        }
        return auditProviderFactory;
    }
}
