package org.apache.ranger.plugin.policyengine;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServicePolicies;

/* loaded from: input_file:org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.class */
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
    // General debug logger for this class.
    private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
    // Dedicated performance loggers, one per traced phase. In the methods visible here a tracer is
    // only created after RangerPerfTracer.isPerfTraceEnabled(...) returned true for the matching logger.
    private static final Log PERF_POLICYENGINE_INIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.init");
    private static final Log PERF_POLICYENGINE_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policyengine.request");
    private static final Log PERF_POLICYENGINE_AUDIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.audit");
    private static final Log PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request");
    private static final Log PERF_POLICYENGINE_REBALANCE_LOG = RangerPerfTracer.getPerfLogger("policyengine.rebalance");
    private static final Log PERF_POLICYENGINE_USAGE_LOG = RangerPerfTracer.getPerfLogger("policyengine.usage");
    // Default for the per-service "...evaluator.auto.maximum.policycount.for.cache.type" setting
    // that the constructor reads when the evaluator type is blank or "auto".
    private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 100;
    // Resource policies of the service; always created by the constructor.
    private final RangerPolicyRepository policyRepository;
    // Tag policies; null when tag evaluation is disabled or the tag policy data is missing or empty.
    private final RangerPolicyRepository tagPolicyRepository;
    // Context enrichers of both repositories (tag-repository enrichers first); may be null or empty.
    private List<RangerContextEnricher> allContextEnrichers;
    // Lookup used by getPolicyEvaluator()/getPolicy(); presumably keyed by policy id - confirm in
    // createPolicyEvaluatorsMap().
    private final Map<Long, RangerPolicyEvaluator> policyEvaluatorsMap;
    // Handed to extractAndSetClientIPAddress() in preProcess(). The defaults are "do not use a
    // forwarded address" and "no trusted proxies".
    // NOTE(review): no assignment to these two fields is visible in this part of the file; confirm
    // who is allowed to change them, since they decide which client address the policies see.
    private boolean useForwardedIPAddress = false;
    private String[] trustedProxyAddresses = null;

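    /**
     * Builds the policy engine for one service: resolves the evaluator type, creates the resource
     * policy repository, creates the tag policy repository when usable tag policies exist, and
     * merges the context enrichers of both repositories.
     *
     * <p>Side effect: {@code evaluatorType} is overwritten on the options object that was passed
     * in, so a caller that shares one options instance between engines sees the resolved value.
     * Any evaluator type other than blank, "auto" or "cached" resolves to the optimized evaluator.
     *
     * @param str application id; used in log and perf tags and passed to the repositories
     * @param servicePolicies policies and service definition of the service; must not be null
     * @param rangerPolicyEngineOptions engine options; {@code null} selects a default instance
     */
    public RangerPolicyEngineImpl(String str, ServicePolicies servicePolicies, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl(" + str + ", " + servicePolicies + ", " + rangerPolicyEngineOptions + ")");
        }
        RangerPerfTracer initPerf = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
            initPerf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.init(appId=" + str + ",hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
            long freeBefore = Runtime.getRuntime().freeMemory();
            PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (Runtime.getRuntime().totalMemory() - freeBefore) + ", Free memory:" + freeBefore);
        }
        rangerPolicyEngineOptions = rangerPolicyEngineOptions == null ? new RangerPolicyEngineOptions() : rangerPolicyEngineOptions;
        if (StringUtils.isBlank(rangerPolicyEngineOptions.evaluatorType) || StringUtils.equalsIgnoreCase(rangerPolicyEngineOptions.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
            // Count null-safely: a null tag policy list is treated as "no tag policies" further
            // down, so it must not abort construction here only because the type is "auto".
            int resourcePolicyCount = servicePolicies.getPolicies() != null ? servicePolicies.getPolicies().size() : 0;
            ServicePolicies.TagPolicies countedTagPolicies = servicePolicies.getTagPolicies();
            int tagPolicyCount = (countedTagPolicies != null && countedTagPolicies.getPolicies() != null) ? countedTagPolicies.getPolicies().size() : 0;
            int cachedTypeLimit = RangerConfiguration.getInstance().getInt("ranger.plugin." + servicePolicies.getServiceDef().getName() + ".policyengine.evaluator.auto.maximum.policycount.for.cache.type", MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR);
            if (resourcePolicyCount + tagPolicyCount > cachedTypeLimit) {
                rangerPolicyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
            } else {
                rangerPolicyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
            }
        } else if (StringUtils.equalsIgnoreCase(rangerPolicyEngineOptions.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) {
            // Normalizes the spelling of a case-insensitive match.
            rangerPolicyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
        } else {
            rangerPolicyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
        }
        this.policyRepository = new RangerPolicyRepository(str, servicePolicies, rangerPolicyEngineOptions);
        ServicePolicies.TagPolicies tagPolicies = servicePolicies.getTagPolicies();
        boolean tagPoliciesUsable = !rangerPolicyEngineOptions.disableTagPolicyEvaluation
                && tagPolicies != null
                && !StringUtils.isEmpty(tagPolicies.getServiceName())
                && tagPolicies.getServiceDef() != null
                && !CollectionUtils.isEmpty(tagPolicies.getPolicies());
        if (tagPoliciesUsable) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerPolicyEngineImpl : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName());
            }
            this.tagPolicyRepository = new RangerPolicyRepository(str, tagPolicies, rangerPolicyEngineOptions, servicePolicies.getServiceDef(), servicePolicies.getServiceName());
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerPolicyEngineImpl : No tag-policy-repository for service " + servicePolicies.getServiceName());
            }
            this.tagPolicyRepository = null;
        }
        List<RangerContextEnricher> tagEnrichers = this.tagPolicyRepository == null ? null : this.tagPolicyRepository.getContextEnrichers();
        List<RangerContextEnricher> resourceEnrichers = this.policyRepository.getContextEnrichers();
        List<RangerContextEnricher> mergedEnrichers;
        if (CollectionUtils.isEmpty(tagEnrichers)) {
            mergedEnrichers = resourceEnrichers;
        } else if (CollectionUtils.isEmpty(resourceEnrichers)) {
            mergedEnrichers = tagEnrichers;
        } else {
            // Tag enrichers run first, then the resource enrichers.
            mergedEnrichers = new ArrayList<RangerContextEnricher>(tagEnrichers);
            mergedEnrichers.addAll(resourceEnrichers);
        }
        this.allContextEnrichers = mergedEnrichers;
        this.policyEvaluatorsMap = createPolicyEvaluatorsMap();
        RangerPerfTracer.log(initPerf);
        if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) {
            long freeAfter = Runtime.getRuntime().freeMemory();
            PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (Runtime.getRuntime().totalMemory() - freeAfter) + ", Free memory:" + freeAfter);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl()");
        }
    }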

    /**
     * Returns the service name reported by the resource policy repository.
     *
     * @return the name of the service this engine evaluates policies for
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public String getServiceName() {
        return policyRepository.getServiceName();
    }

    /**
     * Returns the service definition held by the resource policy repository.
     *
     * @return the service definition of the evaluated service
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerServiceDef getServiceDef() {
        return policyRepository.getServiceDef();
    }

    /**
     * Returns the policy version reported by the resource policy repository.
     *
     * @return the version of the policies loaded into this engine
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public long getPolicyVersion() {
        return policyRepository.getPolicyVersion();
    }

    /**
     * Looks up the evaluator registered under the given key.
     *
     * @param l key into the evaluator map (presumably a policy id)
     * @return the evaluator, or {@code null} when the map has no entry for the key
     */
    public RangerPolicyEvaluator getPolicyEvaluator(Long l) {
        return policyEvaluatorsMap.get(l);
    }

    /**
     * Returns the policy behind the evaluator registered under the given key.
     *
     * @param l key into the evaluator map (presumably a policy id)
     * @return the policy, or {@code null} when no evaluator is registered for the key
     */
    public RangerPolicy getPolicy(Long l) {
        RangerPolicyEvaluator evaluator = getPolicyEvaluator(l);
        return evaluator == null ? null : evaluator.getPolicy();
    }

    /**
     * Creates a fresh result object for a request and pre-sets its audit flag from the
     * repository's audit mode.
     *
     * <p>AUDIT_ALL forces auditing on and AUDIT_NONE forces it off. In every other mode the flag
     * is only touched when there are no resource policies and no tag repository at all; in that
     * case the access is audited, so an engine without policies still leaves an audit trail.
     *
     * @param rangerAccessRequest the request the result belongs to
     * @return the new result; no policy has been evaluated against it yet
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerAccessResult createAccessResult(RangerAccessRequest rangerAccessRequest) {
        RangerAccessResult result = new RangerAccessResult(getServiceName(), policyRepository.getServiceDef(), rangerAccessRequest);
        switch (policyRepository.getAuditModeEnum()) {
            case AUDIT_ALL:
                result.setIsAudited(true);
                break;
            case AUDIT_NONE:
                result.setIsAudited(false);
                break;
            default:
                if (CollectionUtils.isEmpty(policyRepository.getPolicies()) && tagPolicyRepository == null) {
                    result.setIsAudited(true);
                }
                break;
        }
        return result;
    }

    /**
     * Prepares a single request for evaluation: sets the resource's service definition, resolves
     * the client IP address, records the current user in the request context and runs every
     * context enricher.
     *
     * <p>The client address is only resolved for {@code RangerAccessRequestImpl} instances; any
     * other request implementation skips that step and keeps whatever address it already carries.
     * NOTE(review): how the forwarded address and the trusted proxy list are honored is decided
     * inside {@code extractAndSetClientIPAddress} - confirm there before relying on IP conditions.
     *
     * @param rangerAccessRequest the request to prepare; must not be null
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void preProcess(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + rangerAccessRequest + ")");
        }
        setResourceServiceDef(rangerAccessRequest);
        if (rangerAccessRequest instanceof RangerAccessRequestImpl) {
            RangerAccessRequestImpl requestImpl = (RangerAccessRequestImpl) rangerAccessRequest;
            requestImpl.extractAndSetClientIPAddress(useForwardedIPAddress, trustedProxyAddresses);
        }
        RangerAccessRequestUtil.setCurrentUserInContext(rangerAccessRequest.getContext(), rangerAccessRequest.getUser());
        // Read the non-final field once so the whole loop works on one list instance.
        List<RangerContextEnricher> enrichers = allContextEnrichers;
        if (CollectionUtils.isNotEmpty(enrichers)) {
            for (RangerContextEnricher enricher : enrichers) {
                RangerPerfTracer enrichPerf = null;
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_REQUEST_LOG)) {
                    enrichPerf = RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_REQUEST_LOG, "RangerContextEnricher.enrich(requestHashCode=" + Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + ", enricherName=" + enricher.getName() + ")");
                }
                enricher.enrich(rangerAccessRequest);
                RangerPerfTracer.log(enrichPerf);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + rangerAccessRequest + ")");
        }
    }

    /**
     * Prepares every request of a collection by delegating to the single-request overload.
     *
     * @param collection requests to prepare; {@code null} or empty is a no-op
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void preProcess(Collection<RangerAccessRequest> collection) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + collection + ")");
        }
        if (CollectionUtils.isNotEmpty(collection)) {
            for (RangerAccessRequest request : collection) {
                preProcess(request);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + collection + ")");
        }
    }

    /**
     * Evaluates one request, updates the policy usage counters and hands the result to the
     * optional result processor (the audit hook).
     *
     * @param rangerAccessRequest the request to authorize
     * @param rangerAccessResultProcessor receives the result when not {@code null}
     * @return the evaluation result
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerAccessResult isAccessAllowed(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + rangerAccessRequest + ")");
        }
        RangerPerfTracer requestPerf = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            requestPerf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(requestHashCode=" + Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + ")");
        }
        RangerAccessResult result = isAccessAllowedNoAudit(rangerAccessRequest);
        updatePolicyUsageCounts(rangerAccessRequest, result);
        if (rangerAccessResultProcessor != null) {
            // The processor is timed separately from the policy evaluation.
            RangerPerfTracer auditPerf = null;
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) {
                auditPerf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG, "RangerPolicyEngine.processAudit(requestHashCode=" + Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + ")");
            }
            rangerAccessResultProcessor.processResult(result);
            RangerPerfTracer.log(auditPerf);
        }
        RangerPerfTracer.log(requestPerf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + rangerAccessRequest + "): " + result);
        }
        return result;
    }

    /**
     * Evaluates a batch of requests and hands all results to the optional result processor in
     * one call.
     *
     * <p>Unlike the single-request overload, this path does not update policy usage counters and
     * does no perf tracing.
     *
     * @param collection requests to authorize; {@code null} yields an empty result list
     * @param rangerAccessResultProcessor receives the results when not {@code null}
     * @return one result per request, in iteration order
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> collection, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + collection + ")");
        }
        List<RangerAccessResult> results = new ArrayList<RangerAccessResult>();
        if (collection != null) {
            for (RangerAccessRequest request : collection) {
                results.add(isAccessAllowedNoAudit(request));
            }
        }
        if (rangerAccessResultProcessor != null) {
            rangerAccessResultProcessor.processResults(results);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + collection + "): " + results);
        }
        return results;
    }

    /**
     * Evaluates the data-mask policies that apply to the requested resource.
     *
     * <p>Evaluation stops at the first policy that leaves access and audit determined with a
     * mask type other than {@code MASK_TYPE_NONE}. A determined result whose mask type is
     * {@code MASK_TYPE_NONE} is reset (mask type cleared, access undetermined) so that later
     * policies can still supply a mask. When no mask ends up enabled the result is not audited.
     *
     * @param rangerAccessRequest the request; {@code null} skips policy evaluation
     * @param rangerAccessResultProcessor receives the result when not {@code null}
     * @return the data-mask result
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerDataMaskResult evalDataMaskPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evalDataMaskPolicies(" + rangerAccessRequest + ")");
        }
        RangerDataMaskResult maskResult = new RangerDataMaskResult(getServiceName(), getServiceDef(), rangerAccessRequest);
        if (rangerAccessRequest != null) {
            for (RangerPolicyEvaluator evaluator : policyRepository.getDataMaskPolicyEvaluators(rangerAccessRequest.getResource())) {
                evaluator.evaluate(rangerAccessRequest, maskResult);
                if (!maskResult.getIsAccessDetermined() || !maskResult.getIsAuditedDetermined()) {
                    continue;
                }
                boolean explicitNoMask = StringUtils.equalsIgnoreCase(maskResult.getMaskType(), RangerPolicy.MASK_TYPE_NONE);
                if (!explicitNoMask) {
                    break;
                }
                // "No mask" is not final: clear it and keep looking.
                maskResult.setMaskType(null);
                maskResult.setIsAccessDetermined(false);
            }
        }
        if (!maskResult.isMaskEnabled()) {
            maskResult.setIsAudited(false);
        }
        updatePolicyUsageCounts(rangerAccessRequest, maskResult);
        if (rangerAccessResultProcessor != null) {
            rangerAccessResultProcessor.processResult(maskResult);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evalDataMaskPolicies(" + rangerAccessRequest + "): " + maskResult);
        }
        return maskResult;
    }

    /**
     * Evaluates the row-filter policies that apply to the requested resource.
     *
     * <p>Evaluation stops at the first policy that leaves access and audit determined with a
     * non-empty filter expression. A determined result without a filter expression has its
     * access decision reopened so that later policies can still supply a filter. When no row
     * filter ends up enabled the result is not audited.
     *
     * @param rangerAccessRequest the request; {@code null} skips policy evaluation
     * @param rangerAccessResultProcessor receives the result when not {@code null}
     * @return the row-filter result
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerRowFilterResult evalRowFilterPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evalRowFilterPolicies(" + rangerAccessRequest + ")");
        }
        RangerRowFilterResult filterResult = new RangerRowFilterResult(getServiceName(), getServiceDef(), rangerAccessRequest);
        if (rangerAccessRequest != null) {
            for (RangerPolicyEvaluator evaluator : policyRepository.getRowFilterPolicyEvaluators(rangerAccessRequest.getResource())) {
                evaluator.evaluate(rangerAccessRequest, filterResult);
                if (!filterResult.getIsAccessDetermined() || !filterResult.getIsAuditedDetermined()) {
                    continue;
                }
                if (StringUtils.isNotEmpty(filterResult.getFilterExpr())) {
                    break;
                }
                // Determined but without a filter: keep looking.
                filterResult.setIsAccessDetermined(false);
            }
        }
        if (!filterResult.isRowFilterEnabled()) {
            filterResult.setIsAudited(false);
        }
        updatePolicyUsageCounts(rangerAccessRequest, filterResult);
        if (rangerAccessResultProcessor != null) {
            rangerAccessResultProcessor.processResult(filterResult);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evalRowFilterPolicies(" + rangerAccessRequest + "): " + filterResult);
        }
        return filterResult;
    }

    /**
     * Answers whether any resource policy matching the resource allows the access.
     *
     * <p>Only the resource policy repository is consulted: tag policies are not evaluated, and
     * no audit result is produced. The first evaluator that returns {@code true} ends the search.
     *
     * @param rangerAccessResource the resource being accessed
     * @param str user name
     * @param set groups of the user
     * @param str2 access type
     * @return {@code true} when at least one matching evaluator allows the access
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean isAccessAllowed(RangerAccessResource rangerAccessResource, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + rangerAccessResource + ", " + str + ", " + set + ", " + str2 + ")");
        }
        RangerPerfTracer requestPerf = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            requestPerf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + str + ",accessType=" + str2 + "resource=" + rangerAccessResource.getAsString() + ")");
        }
        boolean allowed = false;
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators(rangerAccessResource)) {
            allowed = evaluator.isAccessAllowed(rangerAccessResource, str, set, str2);
            if (allowed) {
                break;
            }
        }
        RangerPerfTracer.log(requestPerf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + rangerAccessResource + ", " + str + ", " + set + ", " + str2 + "): " + allowed);
        }
        return allowed;
    }

    /**
     * Answers whether any resource policy allows the access to the given policy resources.
     *
     * <p>Every evaluator of the resource policy repository is asked in turn, without
     * pre-filtering by resource; tag policies are not evaluated and no audit result is produced.
     * The first evaluator that returns {@code true} ends the search.
     *
     * @param map policy resources being accessed, keyed by resource name
     * @param str user name
     * @param set groups of the user
     * @param str2 access type
     * @return {@code true} when at least one evaluator allows the access
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean isAccessAllowed(Map<String, RangerPolicy.RangerPolicyResource> map, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + map + ", " + str + ", " + set + ", " + str2 + ")");
        }
        boolean allowed = false;
        RangerPerfTracer requestPerf = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            requestPerf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + str + "," + set + ",accessType=" + str2 + ")");
        }
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
            allowed = evaluator.isAccessAllowed(map, str, set, str2);
            if (allowed) {
                break;
            }
        }
        RangerPerfTracer.log(requestPerf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + map + ", " + str + ", " + set + ", " + str2 + "): " + allowed);
        }
        return allowed;
    }

    /**
     * Collects the policies whose evaluator reports a complete match for the resource.
     *
     * @param rangerAccessResource the resource to match
     * @param map evaluation context passed to each evaluator
     * @return the matching policies, or {@code null} (not an empty list) when nothing matches
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getExactMatchPolicies(RangerAccessResource rangerAccessResource, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + rangerAccessResource + ", " + map + ")");
        }
        List<RangerPolicy> matches = null;
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
            if (!evaluator.isCompleteMatch(rangerAccessResource, map)) {
                continue;
            }
            // The list is created lazily so that "no match" stays null for callers.
            if (matches == null) {
                matches = new ArrayList<RangerPolicy>();
            }
            matches.add(evaluator.getPolicy());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + rangerAccessResource + ", " + map + "): " + matches);
        }
        return matches;
    }

    /**
     * Collects the policies whose evaluator reports a complete match for the policy resources.
     *
     * @param map policy resources to match, keyed by resource name
     * @param map2 evaluation context passed to each evaluator
     * @return the matching policies, or {@code null} (not an empty list) when nothing matches
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getExactMatchPolicies(Map<String, RangerPolicy.RangerPolicyResource> map, Map<String, Object> map2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + map + ", " + map2 + ")");
        }
        List<RangerPolicy> matches = null;
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
            if (!evaluator.isCompleteMatch(map, map2)) {
                continue;
            }
            // The list is created lazily so that "no match" stays null for callers.
            if (matches == null) {
                matches = new ArrayList<RangerPolicy>();
            }
            matches.add(evaluator.getPolicy());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + map + ", " + map2 + "): " + matches);
        }
        return matches;
    }

    /**
     * Lists the policies whose resources the given user may access with the given access type.
     *
     * <p>For each policy the map-based {@code isAccessAllowed} overload is called with that
     * policy's resources. That overload asks every evaluator of the repository, so a policy is
     * listed when any policy allows access to its resources, not only the policy itself, and the
     * cost grows with the square of the policy count.
     *
     * @param str user name
     * @param set groups of the user
     * @param str2 access type
     * @return the allowed policies; empty when there are none
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getAllowedPolicies(String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getAllowedPolicies(" + str + ", " + set + ", " + str2 + ")");
        }
        List<RangerPolicy> allowedPolicies = new ArrayList<RangerPolicy>();
        for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
            RangerPolicy candidate = evaluator.getPolicy();
            if (isAccessAllowed(candidate.getResources(), str, set, str2)) {
                allowedPolicies.add(candidate);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getAllowedPolicies(" + str + ", " + set + ", " + str2 + "): policyCount=" + allowedPolicies.size());
        }
        return allowedPolicies;
    }

    /**
     * Collects which users and groups are allowed and denied on the requested resource.
     *
     * <p>Tag policies contribute first, once per tag found in the request context, followed by
     * the resource policies matching the resource. Finally every denied user or group is removed
     * from the allowed sets, so a deny always wins over an allow in the returned info.
     *
     * @param rangerAccessRequest the request describing the resource; must not be null
     * @return the accumulated access info
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getResourceAccessInfo(" + rangerAccessRequest + ")");
        }
        RangerResourceAccessInfo accessInfo = new RangerResourceAccessInfo(rangerAccessRequest);
        boolean hasTagEvaluators = CollectionUtils.isNotEmpty(tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators());
        if (hasTagEvaluators) {
            Set<RangerTagForEval> requestTags = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext());
            if (CollectionUtils.isNotEmpty(requestTags)) {
                for (RangerTagForEval tag : requestTags) {
                    RangerTagAccessRequest tagRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), rangerAccessRequest);
                    for (RangerPolicyEvaluator tagEvaluator : tagPolicyRepository.getPolicyEvaluators(tagRequest.getResource())) {
                        tagEvaluator.getResourceAccessInfo(tagRequest, accessInfo);
                    }
                }
            }
        }
        List<RangerPolicyEvaluator> resourceEvaluators = policyRepository.getPolicyEvaluators(rangerAccessRequest.getResource());
        if (CollectionUtils.isNotEmpty(resourceEvaluators)) {
            for (RangerPolicyEvaluator resourceEvaluator : resourceEvaluators) {
                resourceEvaluator.getResourceAccessInfo(rangerAccessRequest, accessInfo);
            }
        }
        // Deny overrides allow.
        accessInfo.getAllowedUsers().removeAll(accessInfo.getDeniedUsers());
        accessInfo.getAllowedGroups().removeAll(accessInfo.getDeniedGroups());
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getResourceAccessInfo(" + rangerAccessRequest + "): " + accessInfo);
        }
        return accessInfo;
    }

    /**
     * Core authorization decision: evaluates tag policies first (when present), then resource
     * policies, and returns the combined result without calling any result processor.
     *
     * @param rangerAccessRequest the request to authorize; {@code null} skips all evaluation
     * @return the result created by {@code createAccessResult}, updated by the evaluators
     */
    protected RangerAccessResult isAccessAllowedNoAudit(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + rangerAccessRequest + ")");
        }
        // The result is created before the null check, so a result object is returned even for a
        // null request; no policy is evaluated in that case.
        // NOTE(review): the initial isAllowed value of a fresh RangerAccessResult is not visible
        // here - confirm it is "not allowed" so that an unevaluated request stays denied.
        RangerAccessResult createAccessResult = createAccessResult(rangerAccessRequest);
        if (createAccessResult != null && rangerAccessRequest != null) {
            if (hasTagPolicies()) {
                isAccessAllowedForTagPolicies(rangerAccessRequest, createAccessResult);
                if (LOG.isDebugEnabled() && createAccessResult.getIsAccessDetermined() && createAccessResult.getIsAuditedDetermined()) {
                    LOG.debug("RangerPolicyEngineImpl.isAccessAllowedNoAudit() - access and audit determined by tag policy. No resource policies will be evaluated, request=" + rangerAccessRequest + ", result=" + createAccessResult);
                }
            }
            // z: the tag policies ended with a determined allow.
            boolean z = createAccessResult.getIsAccessDetermined() && createAccessResult.getIsAllowed();
            // Resource policies are skipped only when the tag policies determined a deny and the
            // audit decision is determined as well; in every other state they are evaluated.
            if (hasResourcePolicies() && !((createAccessResult.getIsAccessDetermined() && !createAccessResult.getIsAllowed()) && createAccessResult.getIsAuditedDetermined())) {
                // z2: the audit decision is still open, so try the repository's audit cache first.
                boolean z2 = !createAccessResult.getIsAuditedDetermined();
                boolean auditEnabledFromCache = z2 ? this.policyRepository.setAuditEnabledFromCache(rangerAccessRequest, createAccessResult) : false;
                // Reopen a tag-level allow so the loop below does not stop on it at once;
                // presumably so that a resource-level deny can still override it - confirm.
                if (z) {
                    createAccessResult.setIsAccessDetermined(false);
                }
                for (RangerPolicyEvaluator rangerPolicyEvaluator : this.policyRepository.getPolicyEvaluators(rangerAccessRequest.getResource())) {
                    createAccessResult.incrementEvaluatedPoliciesCount();
                    rangerPolicyEvaluator.evaluate(rangerAccessRequest, createAccessResult);
                    // An allow becomes final once the current evaluator has no deny items.
                    // NOTE(review): this presumably relies on evaluators with deny items being
                    // ordered before the others - confirm against the repository's ordering.
                    if (createAccessResult.getIsAllowed() && !rangerPolicyEvaluator.hasDeny()) {
                        createAccessResult.setIsAccessDetermined(true);
                    }
                    // Stop as soon as both the access and the audit decision are final.
                    if (createAccessResult.getIsAuditedDetermined() && createAccessResult.getIsAccessDetermined()) {
                        break;
                    }
                }
                // An allow that is still standing after all evaluators ran is final.
                if (createAccessResult.getIsAllowed()) {
                    createAccessResult.setIsAccessDetermined(true);
                }
                // Cache the audit decision only when it was computed here, not read from the cache.
                if (z2 && !auditEnabledFromCache) {
                    this.policyRepository.storeAuditEnabledInCache(rangerAccessRequest, createAccessResult);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + rangerAccessRequest + "): " + createAccessResult);
        }
        return createAccessResult;
    }

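    /**
     * Evaluates the tag policies for every tag found in the request context and folds the
     * per-tag results into the overall result.
     *
     * <p>Each tag gets its own result object. A per-tag deny is copied into the overall result
     * as a determined decision; a per-tag allow is copied but left undetermined while tags
     * remain, so a later tag can still deny. Audit information of a tag result is copied as soon
     * as that tag is audited. Processing stops once the overall result has both access and audit
     * determined.
     *
     * @param rangerAccessRequest the original request; its context supplies the tags
     * @param rangerAccessResult the overall result, updated in place
     */
    protected void isAccessAllowedForTagPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + rangerAccessRequest + ", " + rangerAccessResult + ")");
        }
        if (CollectionUtils.isNotEmpty(this.tagPolicyRepository == null ? null : this.tagPolicyRepository.getPolicyEvaluators())) {
            Set<RangerTagForEval> requestTags = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext());
            if (CollectionUtils.isNotEmpty(requestTags)) {
                for (RangerTagForEval tag : requestTags) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + tag.getType() + ")");
                    }
                    RangerTagAccessRequest tagRequest = new RangerTagAccessRequest(tag, this.tagPolicyRepository.getServiceDef(), rangerAccessRequest);
                    RangerAccessResult tagResult = createAccessResult(tagRequest);
                    // Carry an allow from an earlier tag into this tag's evaluation.
                    if (rangerAccessResult.getIsAllowed()) {
                        tagResult.setIsAllowed(rangerAccessResult.getIsAllowed());
                    }
                    tagResult.setAuditResultFrom(rangerAccessResult);
                    for (RangerPolicyEvaluator evaluator : this.tagPolicyRepository.getPolicyEvaluators(tagRequest.getResource())) {
                        tagResult.incrementEvaluatedPoliciesCount();
                        evaluator.evaluate(tagRequest, tagResult);
                        // An allow becomes final once the current evaluator has no deny items.
                        if (tagResult.getIsAllowed() && !evaluator.hasDeny()) {
                            tagResult.setIsAccessDetermined(true);
                        }
                        if (tagResult.getIsAuditedDetermined() && tagResult.getIsAccessDetermined()) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + tag.getType() + ") with authorization=" + tagResult.getIsAllowed());
                            }
                            // Conclude this tag here, as the resource-policy loop in
                            // isAccessAllowedNoAudit() does. Without the break the loop logged
                            // "concluding eval" yet kept calling evaluators and inflating the
                            // evaluated-policies count for an already final result.
                            break;
                        }
                    }
                    if (tagResult.getIsAllowed()) {
                        tagResult.setIsAccessDetermined(true);
                    }
                    if (tagResult.getIsAudited()) {
                        rangerAccessResult.setIsAudited(true);
                        rangerAccessResult.setAuditPolicyId(tagResult.getAuditPolicyId());
                    }
                    if (!rangerAccessResult.getIsAccessDetermined() && tagResult.getIsAccessDetermined()) {
                        if (!tagResult.getIsAllowed()) {
                            // A deny from any tag settles the overall decision.
                            rangerAccessResult.setAccessResultFrom(tagResult);
                        } else if (!rangerAccessResult.getIsAllowed()) {
                            // First allow: record it, but leave the decision open for the
                            // remaining tags.
                            rangerAccessResult.setAccessResultFrom(tagResult);
                            rangerAccessResult.setIsAccessDetermined(false);
                        }
                    }
                    if (rangerAccessResult.getIsAuditedDetermined() && rangerAccessResult.getIsAccessDetermined()) {
                        break;
                    }
                }
                // An allow that survived every tag is final as far as tag policies go.
                if (rangerAccessResult.getIsAllowed()) {
                    rangerAccessResult.setIsAccessDetermined(true);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + rangerAccessRequest + ", " + rangerAccessResult + ")");
        }
    }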

    /**
     * Reorders the evaluators of both repositories based on the collected usage counts.
     *
     * <p>Usage counts are frozen on every evaluator first, then the tag and the resource
     * repository reorder their evaluators, and finally the usage counts are reset.
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void reorderPolicyEvaluators() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> reorderEvaluators()");
        }
        RangerPerfTracer rebalancePerf = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)) {
            rebalancePerf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REBALANCE_LOG, "RangerPolicyEngine.reorderEvaluators()");
        }
        if (MapUtils.isNotEmpty(policyEvaluatorsMap)) {
            for (RangerPolicyEvaluator evaluator : policyEvaluatorsMap.values()) {
                evaluator.setUsageCountImmutable();
            }
        }
        if (tagPolicyRepository != null) {
            tagPolicyRepository.reorderPolicyEvaluators();
        }
        if (policyRepository != null) {
            policyRepository.reorderPolicyEvaluators();
        }
        if (MapUtils.isNotEmpty(policyEvaluatorsMap)) {
            for (RangerPolicyEvaluator evaluator : policyEvaluatorsMap.values()) {
                evaluator.resetUsageCount();
            }
        }
        RangerPerfTracer.log(rebalancePerf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== reorderEvaluators()");
        }
    }

    /**
     * Invokes {@code preCleanup()} on every registered context enricher.
     *
     * <p>All enrichers are visited even after one reports failure; failures are
     * only written to the debug log.
     *
     * @return {@code true} when every enricher's {@code preCleanup()} returned
     *         {@code true} (or there are no enrichers), {@code false} otherwise
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean preCleanup() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.preCleanup()");
        }
        boolean allSucceeded = true;
        if (CollectionUtils.isNotEmpty(this.allContextEnrichers)) {
            for (RangerContextEnricher enricher : this.allContextEnrichers) {
                if (enricher.preCleanup()) {
                    continue;
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("contextEnricher.preCleanup() failed for contextEnricher=" + enricher.getName());
                }
                allSucceeded = false;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.preCleanup() : result=" + allSucceeded);
        }
        return allSucceeded;
    }

    /**
     * Releases the context enrichers owned by this engine.
     *
     * <p>Runs {@link #preCleanup()} first (its boolean result is not
     * inspected), then calls {@code cleanup()} on each enricher and drops the
     * reference to the enricher collection, so a repeated call has nothing
     * left to clean. The pass is timed when init perf tracing is enabled.
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void cleanup() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.cleanup()");
        }
        RangerPerfTracer perf = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)
                ? RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cleanUp(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")")
                : null;

        preCleanup();

        if (CollectionUtils.isNotEmpty(this.allContextEnrichers)) {
            for (RangerContextEnricher enricher : this.allContextEnrichers) {
                enricher.cleanup();
            }
        }
        this.allContextEnrichers = null;

        RangerPerfTracer.log(perf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.cleanup()");
        }
    }

    /**
     * Last-resort hook that runs {@link #cleanup()} when the instance is
     * finalized, then delegates to {@code super.finalize()} whether or not
     * {@code cleanup()} threw.
     *
     * <p>The JVM gives no guarantee about when, or whether, finalizers run, so
     * owners of an engine should call {@link #cleanup()} explicitly rather than
     * rely on this method.
     *
     * @throws Throwable whatever {@code cleanup()} or {@code super.finalize()} throws
     */
    @Override
    protected void finalize() throws Throwable {
        try {
            cleanup();
        } finally {
            super.finalize();
        }
    }

    /**
     * Sets the {@code useForwardedIPAddress} flag on this engine.
     *
     * <p>NOTE(review): the code that reads this flag is outside this section.
     * Presumably it decides whether a forwarded client address replaces the
     * connection's remote address during evaluation; forwarded addresses are
     * supplied by the peer, so confirm at the use site that they are honoured
     * only for peers listed via {@link #setTrustedProxyAddresses(String[])}.
     *
     * @param z new value of the flag
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void setUseForwardedIPAddress(boolean z) {
        this.useForwardedIPAddress = z;
    }

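    /**
     * Sets the proxy addresses stored in {@code trustedProxyAddresses}.
     *
     * <p>The array is copied on the way in. Keeping the caller's array would
     * let any code that still holds the reference change the trusted list
     * after it has been configured, without going through this setter.
     *
     * <p>NOTE(review): the consumer of this field is outside this section;
     * presumably it decides which peers' forwarded-address values are
     * accepted. Confirm that a {@code null} or empty list is treated there as
     * "trust no proxy".
     *
     * @param strArr proxy addresses to trust; may be {@code null}, which is
     *               stored as {@code null}
     */
    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void setTrustedProxyAddresses(String[] strArr) {
        // Defensive copy: String elements are immutable, so a shallow clone is enough.
        this.trustedProxyAddresses = strArr == null ? null : strArr.clone();
    }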

    /**
     * Returns the text produced by {@link #toString(StringBuilder)} on a fresh
     * builder.
     */
    @Override
    public String toString() {
        return toString(new StringBuilder()).toString();
    }

    /**
     * Appends a description of this engine (service name followed by the
     * resource policy repository) to the given builder.
     *
     * @param sb builder to append to
     * @return the same builder, for chaining
     */
    public StringBuilder toString(StringBuilder sb) {
        return sb.append("RangerPolicyEngineImpl={")
                .append("serviceName={").append(getServiceName()).append("} ")
                .append(this.policyRepository)
                .append("}");
    }

    /**
     * Fills in the service definition on the request's resource when it has
     * none.
     *
     * <p>Only resources implementing {@code RangerMutableResource} can be
     * updated; for any other resource type the method logs at debug level and
     * leaves the resource untouched.
     *
     * @param rangerAccessRequest request whose resource is inspected
     */
    private void setResourceServiceDef(RangerAccessRequest rangerAccessRequest) {
        RangerAccessResource accessResource = rangerAccessRequest.getResource();
        if (accessResource.getServiceDef() != null) {
            return; // already has a service definition
        }
        if (!(accessResource instanceof RangerMutableResource)) {
            LOG.debug("RangerPolicyEngineImpl.setResourceServiceDef(): Cannot set ServiceDef in RangerTagResourceMap.");
            return;
        }
        ((RangerMutableResource) accessResource).setServiceDef(getServiceDef());
    }

    /**
     * Tells whether a tag policy repository exists and holds at least one
     * policy.
     */
    private boolean hasTagPolicies() {
        if (this.tagPolicyRepository == null) {
            return false;
        }
        return CollectionUtils.isNotEmpty(this.tagPolicyRepository.getPolicies());
    }

    /**
     * Tells whether a resource policy repository exists and holds at least one
     * policy.
     */
    private boolean hasResourcePolicies() {
        if (this.policyRepository == null) {
            return false;
        }
        return CollectionUtils.isNotEmpty(this.policyRepository.getPolicies());
    }

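    /**
     * Builds a read-only index from policy id to evaluator.
     *
     * <p>Access, data-mask and row-filter evaluators are collected from the tag
     * repository (when present) and then from the resource repository. Entries
     * are inserted in that order, so when two evaluators report the same
     * policy id the one added later replaces the earlier one.
     *
     * <p>{@code policyRepository} is dereferenced without a null check, unlike
     * {@code tagPolicyRepository}; it must be initialised before this is called.
     *
     * @return unmodifiable map keyed by policy id
     */
    private Map<Long, RangerPolicyEvaluator> createPolicyEvaluatorsMap() {
        // Parameterized instead of a raw HashMap, so the compiler checks every put().
        Map<Long, RangerPolicyEvaluator> evaluatorsById = new HashMap<Long, RangerPolicyEvaluator>();
        if (this.tagPolicyRepository != null) {
            for (RangerPolicyEvaluator evaluator : this.tagPolicyRepository.getPolicyEvaluators()) {
                evaluatorsById.put(evaluator.getPolicy().getId(), evaluator);
            }
            for (RangerPolicyEvaluator evaluator : this.tagPolicyRepository.getDataMaskPolicyEvaluators()) {
                evaluatorsById.put(evaluator.getPolicy().getId(), evaluator);
            }
            for (RangerPolicyEvaluator evaluator : this.tagPolicyRepository.getRowFilterPolicyEvaluators()) {
                evaluatorsById.put(evaluator.getPolicy().getId(), evaluator);
            }
        }
        for (RangerPolicyEvaluator evaluator : this.policyRepository.getPolicyEvaluators()) {
            evaluatorsById.put(evaluator.getPolicy().getId(), evaluator);
        }
        for (RangerPolicyEvaluator evaluator : this.policyRepository.getDataMaskPolicyEvaluators()) {
            evaluatorsById.put(evaluator.getPolicy().getId(), evaluator);
        }
        for (RangerPolicyEvaluator evaluator : this.policyRepository.getRowFilterPolicyEvaluators()) {
            evaluatorsById.put(evaluator.getPolicy().getId(), evaluator);
        }
        return Collections.unmodifiableMap(evaluatorsById);
    }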

    /**
     * Credits usage to the evaluators that produced the given result and,
     * when usage perf tracing is enabled, writes one usage record.
     *
     * <p>If access was determined and the deciding policy's evaluator is
     * known, that evaluator is incremented by 2 when the policy has auditing
     * enabled (the result's audit policy id is then set to the deciding policy
     * id), otherwise by 1. When no audit-enabled deciding policy was credited
     * and the audit decision was determined, the evaluator for the result's
     * audit policy id (skipped when the id is -1 or unknown) is incremented
     * by 1.
     *
     * @param rangerAccessRequest request that was evaluated
     * @param rangerAccessResult  result of that evaluation; its audit policy id
     *                            may be updated
     */
    private void updatePolicyUsageCounts(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        boolean auditPolicyCredited = false;

        if (rangerAccessResult.getIsAccessDetermined()) {
            RangerPolicyEvaluator decidingEvaluator = getPolicyEvaluator(Long.valueOf(rangerAccessResult.getPolicyId()));
            if (decidingEvaluator != null) {
                if (decidingEvaluator.getPolicy().getIsAuditEnabled().booleanValue()) {
                    // The deciding policy also audits: count it twice and record it as the audit policy.
                    updateUsageCount(decidingEvaluator, 2);
                    rangerAccessResult.setAuditPolicyId(rangerAccessResult.getPolicyId());
                    auditPolicyCredited = true;
                } else {
                    updateUsageCount(decidingEvaluator, 1);
                }
            }
        }

        if (!auditPolicyCredited && rangerAccessResult.getIsAuditedDetermined()) {
            long auditPolicyId = rangerAccessResult.getAuditPolicyId();
            RangerPolicyEvaluator auditEvaluator = null;
            if (auditPolicyId != -1) {
                auditEvaluator = getPolicyEvaluator(Long.valueOf(auditPolicyId));
            }
            updateUsageCount(auditEvaluator, 1);
        }

        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_USAGE_LOG)) {
            // NOTE(review): unconditional downcast. With usage tracing on, a request that is
            // not a RangerAccessRequestImpl would fail here with ClassCastException after the
            // counters were already updated; confirm every caller passes the Impl type.
            // The record contains the user name and resource string, so the usage log should
            // be access-controlled like the audit log.
            RangerAccessRequestImpl requestImpl = (RangerAccessRequestImpl) rangerAccessRequest;
            RangerPerfTracer usageTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_USAGE_LOG, "RangerPolicyEngine.usage(accessingUser=" + requestImpl.getUser() + ",accessedResource=" + requestImpl.getResource().getAsString() + ",accessType=" + requestImpl.getAccessType() + ",evaluatedPoliciesCount=" + rangerAccessResult.getEvaluatedPoliciesCount() + ")");
            RangerPerfTracer.logAlways(usageTracer);
        }
    }

    /**
     * Adds {@code i} to the evaluator's usage count; a {@code null} evaluator
     * is ignored.
     *
     * @param rangerPolicyEvaluator evaluator to credit, or {@code null}
     * @param i                     amount to add
     */
    private void updateUsageCount(RangerPolicyEvaluator rangerPolicyEvaluator, int i) {
        if (rangerPolicyEvaluator == null) {
            return;
        }
        rangerPolicyEvaluator.incrementUsageCount(i);
    }
}
