package org.apache.ranger.plugin.model.validation;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.errors.ValidationErrorCode;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.validation.RangerValidator;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.service.RangerPolicyService;

/* loaded from: input_file:WEB-INF/lib/ranger-plugins-common-1.0.0.jar:org/apache/ranger/plugin/model/validation/RangerPolicyValidator.class */
public class RangerPolicyValidator extends RangerValidator {
    private static final Log LOG = LogFactory.getLog(RangerPolicyValidator.class);

    public RangerPolicyValidator(ServiceStore serviceStore) {
        super(serviceStore);
    }

    public void validate(RangerPolicy rangerPolicy, RangerValidator.Action action, boolean z) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.validate(%s, %s, %s)", rangerPolicy, action, Boolean.valueOf(z)));
        }
        ArrayList arrayList = new ArrayList();
        boolean isValid = isValid(rangerPolicy, action, z, arrayList);
        try {
            if (!isValid) {
                throw new Exception(serializeFailures(arrayList));
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("<== RangerPolicyValidator.validate(%s, %s, %s): %s, reason[%s]", rangerPolicy, action, Boolean.valueOf(z), Boolean.valueOf(isValid), ""));
            }
        } catch (Throwable th) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("<== RangerPolicyValidator.validate(%s, %s, %s): %s, reason[%s]", rangerPolicy, action, Boolean.valueOf(z), Boolean.valueOf(isValid), ""));
            }
            throw th;
        }
    }

    @Override // org.apache.ranger.plugin.model.validation.RangerValidator
    boolean isValid(Long l, RangerValidator.Action action, List<ValidationFailureDetails> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s)", l, action, list));
        }
        boolean z = true;
        if (action != RangerValidator.Action.DELETE) {
            ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_UNSUPPORTED_ACTION;
            list.add(new ValidationFailureDetailsBuilder().isAnInternalError().becauseOf(validationErrorCode.getMessage(new Object[0])).errorCode(validationErrorCode.getErrorCode()).build());
            z = false;
        } else if (l == null) {
            ValidationErrorCode validationErrorCode2 = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
            list.add(new ValidationFailureDetailsBuilder().becauseOf("policy id was null/missing").field("id").isMissing().errorCode(validationErrorCode2.getErrorCode()).becauseOf(validationErrorCode2.getMessage("id")).build());
            z = false;
        } else if (getPolicy(l) == null && LOG.isDebugEnabled()) {
            LOG.debug("No policy found for id[" + l + "]! ok!");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s): %s", l, action, list, Boolean.valueOf(z)));
        }
        return z;
    }

    boolean isValid(RangerPolicy rangerPolicy, RangerValidator.Action action, boolean z, List<ValidationFailureDetails> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s, %s)", rangerPolicy, action, Boolean.valueOf(z), list));
        }
        if (action != RangerValidator.Action.CREATE && action != RangerValidator.Action.UPDATE) {
            throw new IllegalArgumentException("isValid(RangerPolicy, ...) is only supported for create/update");
        }
        boolean z2 = true;
        if (rangerPolicy == null) {
            ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_OBJECT;
            list.add(new ValidationFailureDetailsBuilder().field("policy").isMissing().becauseOf(validationErrorCode.getMessage(new Object[0])).errorCode(validationErrorCode.getErrorCode()).build());
            z2 = false;
        } else {
            Long id = rangerPolicy.getId();
            RangerPolicy rangerPolicy2 = null;
            if (action == RangerValidator.Action.UPDATE) {
                if (id == null) {
                    ValidationErrorCode validationErrorCode2 = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
                    list.add(new ValidationFailureDetailsBuilder().field("id").isMissing().becauseOf(validationErrorCode2.getMessage("id")).errorCode(validationErrorCode2.getErrorCode()).build());
                    z2 = false;
                }
                rangerPolicy2 = getPolicy(id);
                if (rangerPolicy2 == null) {
                    ValidationErrorCode validationErrorCode3 = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_POLICY_ID;
                    list.add(new ValidationFailureDetailsBuilder().field("id").isSemanticallyIncorrect().becauseOf(validationErrorCode3.getMessage(id)).errorCode(validationErrorCode3.getErrorCode()).build());
                    z2 = false;
                }
            }
            String name = rangerPolicy.getName();
            String service = rangerPolicy.getService();
            if (StringUtils.isBlank(name)) {
                ValidationErrorCode validationErrorCode4 = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
                list.add(new ValidationFailureDetailsBuilder().field("name").isMissing().becauseOf(validationErrorCode4.getMessage("name")).errorCode(validationErrorCode4.getErrorCode()).build());
                z2 = false;
            } else {
                List<RangerPolicy> policies = getPolicies(service, name);
                if (CollectionUtils.isNotEmpty(policies)) {
                    if (policies.size() > 1) {
                        ValidationErrorCode validationErrorCode5 = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_MULTIPLE_POLICIES_WITH_SAME_NAME;
                        list.add(new ValidationFailureDetailsBuilder().field("name").isAnInternalError().becauseOf(validationErrorCode5.getMessage(name)).errorCode(validationErrorCode5.getErrorCode()).build());
                        z2 = false;
                    } else if (action == RangerValidator.Action.CREATE) {
                        ValidationErrorCode validationErrorCode6 = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT;
                        list.add(new ValidationFailureDetailsBuilder().field("policy name").isSemanticallyIncorrect().becauseOf(validationErrorCode6.getMessage(policies.iterator().next().getId(), service)).errorCode(validationErrorCode6.getErrorCode()).build());
                        z2 = false;
                    } else if (!policies.iterator().next().getId().equals(id)) {
                        ValidationErrorCode validationErrorCode7 = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT;
                        list.add(new ValidationFailureDetailsBuilder().field("id/name").isSemanticallyIncorrect().becauseOf(validationErrorCode7.getMessage(policies.iterator().next().getId(), service)).errorCode(validationErrorCode7.getErrorCode()).build());
                        z2 = false;
                    }
                }
            }
            RangerService rangerService = null;
            boolean z3 = false;
            if (StringUtils.isBlank(service)) {
                ValidationErrorCode validationErrorCode8 = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
                list.add(new ValidationFailureDetailsBuilder().field("service name").isMissing().becauseOf(validationErrorCode8.getMessage("service name")).errorCode(validationErrorCode8.getErrorCode()).build());
                z2 = false;
            } else {
                rangerService = getService(service);
                if (rangerService == null) {
                    ValidationErrorCode validationErrorCode9 = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_SERVICE_NAME;
                    list.add(new ValidationFailureDetailsBuilder().field("service name").isSemanticallyIncorrect().becauseOf(validationErrorCode9.getMessage(service)).errorCode(validationErrorCode9.getErrorCode()).build());
                    z2 = false;
                } else {
                    z3 = true;
                }
            }
            if (rangerPolicy2 != null) {
                if (!StringUtils.equalsIgnoreCase(rangerPolicy2.getService(), rangerPolicy.getService())) {
                    ValidationErrorCode validationErrorCode10 = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED;
                    list.add(new ValidationFailureDetailsBuilder().field("service name").isSemanticallyIncorrect().becauseOf(validationErrorCode10.getMessage(rangerPolicy.getId(), rangerPolicy2.getService(), rangerPolicy.getService())).errorCode(validationErrorCode10.getErrorCode()).build());
                    z2 = false;
                }
                int intValue = rangerPolicy2.getPolicyType() == null ? 0 : rangerPolicy2.getPolicyType().intValue();
                int intValue2 = rangerPolicy.getPolicyType() == null ? 0 : rangerPolicy.getPolicyType().intValue();
                if (intValue != intValue2) {
                    ValidationErrorCode validationErrorCode11 = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED;
                    list.add(new ValidationFailureDetailsBuilder().field("policy type").isSemanticallyIncorrect().becauseOf(validationErrorCode11.getMessage(rangerPolicy.getId(), Integer.valueOf(intValue), Integer.valueOf(intValue2))).errorCode(validationErrorCode11.getErrorCode()).build());
                    z2 = false;
                }
            }
            boolean isAuditEnabled = getIsAuditEnabled(rangerPolicy);
            RangerServiceDef rangerServiceDef = null;
            int i = 0;
            switch (rangerPolicy.getPolicyType() == null ? 0 : rangerPolicy.getPolicyType().intValue()) {
                case 1:
                    if (CollectionUtils.isNotEmpty(rangerPolicy.getDataMaskPolicyItems())) {
                        i = 0 + rangerPolicy.getDataMaskPolicyItems().size();
                        break;
                    }
                    break;
                case 2:
                    if (CollectionUtils.isNotEmpty(rangerPolicy.getRowFilterPolicyItems())) {
                        i = 0 + rangerPolicy.getRowFilterPolicyItems().size();
                        break;
                    }
                    break;
                default:
                    if (CollectionUtils.isNotEmpty(rangerPolicy.getPolicyItems())) {
                        i = 0 + rangerPolicy.getPolicyItems().size();
                    }
                    if (CollectionUtils.isNotEmpty(rangerPolicy.getDenyPolicyItems())) {
                        i += rangerPolicy.getDenyPolicyItems().size();
                        break;
                    }
                    break;
            }
            if (i == 0 && !isAuditEnabled) {
                ValidationErrorCode validationErrorCode12 = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_POLICY_ITEMS;
                list.add(new ValidationFailureDetailsBuilder().field("policy items").isMissing().becauseOf(validationErrorCode12.getMessage(new Object[0])).errorCode(validationErrorCode12.getErrorCode()).build());
                z2 = false;
            } else if (rangerService != null) {
                String type = rangerService.getType();
                rangerServiceDef = getServiceDef(type);
                if (rangerServiceDef == null) {
                    ValidationErrorCode validationErrorCode13 = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_SERVICE_DEF;
                    list.add(new ValidationFailureDetailsBuilder().field("policy service def").isAnInternalError().becauseOf(validationErrorCode13.getMessage(type, service)).errorCode(validationErrorCode13.getErrorCode()).build());
                    z2 = false;
                } else {
                    z2 = isValidPolicyItems(rangerPolicy.getDenyExceptions(), list, rangerServiceDef) && (isValidPolicyItems(rangerPolicy.getAllowExceptions(), list, rangerServiceDef) && (isValidPolicyItems(rangerPolicy.getDenyPolicyItems(), list, rangerServiceDef) && (isValidPolicyItems(rangerPolicy.getPolicyItems(), list, rangerServiceDef) && z2)));
                }
            }
            if (z3) {
                z2 = isValidAccessTypeDef(rangerPolicy, list, action, z, rangerServiceDef) && (isValidResources(rangerPolicy, list, action, z, rangerServiceDef) && z2);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s, %s): %s", rangerPolicy, action, Boolean.valueOf(z), list, Boolean.valueOf(z2)));
        }
        return z2;
    }

    boolean isValidAccessTypeDef(RangerPolicy rangerPolicy, List<ValidationFailureDetails> list, RangerValidator.Action action, boolean z, RangerServiceDef rangerServiceDef) {
        boolean z2 = true;
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", rangerPolicy, list, action, Boolean.valueOf(z), rangerServiceDef));
        }
        int intValue = rangerPolicy.getPolicyType() == null ? 0 : rangerPolicy.getPolicyType().intValue();
        if (intValue == 2) {
            ArrayList arrayList = new ArrayList();
            if (rangerServiceDef != null && rangerServiceDef.getRowFilterDef() != null && !CollectionUtils.isEmpty(rangerServiceDef.getRowFilterDef().getAccessTypes())) {
                Iterator<RangerServiceDef.RangerAccessTypeDef> it = rangerServiceDef.getRowFilterDef().getAccessTypes().iterator();
                while (it.hasNext()) {
                    arrayList.add(it.next().getName().toLowerCase());
                }
            }
            if (!CollectionUtils.isEmpty(rangerPolicy.getRowFilterPolicyItems())) {
                for (RangerPolicy.RangerRowFilterPolicyItem rangerRowFilterPolicyItem : rangerPolicy.getRowFilterPolicyItems()) {
                    if (!CollectionUtils.isEmpty(rangerRowFilterPolicyItem.getAccesses())) {
                        for (RangerPolicy.RangerPolicyItemAccess rangerPolicyItemAccess : rangerRowFilterPolicyItem.getAccesses()) {
                            if (!arrayList.contains(rangerPolicyItemAccess.getType().toLowerCase())) {
                                ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
                                list.add(new ValidationFailureDetailsBuilder().field("row filter policy item access type").isSemanticallyIncorrect().becauseOf(validationErrorCode.getMessage(rangerPolicyItemAccess.getType(), arrayList)).errorCode(validationErrorCode.getErrorCode()).build());
                                z2 = false;
                            }
                        }
                    }
                }
            }
        }
        if (intValue == 1) {
            ArrayList arrayList2 = new ArrayList();
            if (rangerServiceDef != null && rangerServiceDef.getDataMaskDef() != null && !CollectionUtils.isEmpty(rangerServiceDef.getDataMaskDef().getAccessTypes())) {
                Iterator<RangerServiceDef.RangerAccessTypeDef> it2 = rangerServiceDef.getDataMaskDef().getAccessTypes().iterator();
                while (it2.hasNext()) {
                    arrayList2.add(it2.next().getName().toLowerCase());
                }
            }
            if (!CollectionUtils.isEmpty(rangerPolicy.getDataMaskPolicyItems())) {
                for (RangerPolicy.RangerDataMaskPolicyItem rangerDataMaskPolicyItem : rangerPolicy.getDataMaskPolicyItems()) {
                    if (!CollectionUtils.isEmpty(rangerDataMaskPolicyItem.getAccesses())) {
                        for (RangerPolicy.RangerPolicyItemAccess rangerPolicyItemAccess2 : rangerDataMaskPolicyItem.getAccesses()) {
                            if (!arrayList2.contains(rangerPolicyItemAccess2.getType().toLowerCase())) {
                                ValidationErrorCode validationErrorCode2 = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
                                list.add(new ValidationFailureDetailsBuilder().field("data masking policy item access type").isSemanticallyIncorrect().becauseOf(validationErrorCode2.getMessage(rangerPolicyItemAccess2.getType(), arrayList2)).errorCode(validationErrorCode2.getErrorCode()).build());
                                z2 = false;
                            }
                        }
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValidAccessTypeDef(%s, %s, %s,%s,%s)", rangerPolicy, list, action, Boolean.valueOf(z), rangerServiceDef));
        }
        return z2;
    }

    boolean isValidResources(RangerPolicy rangerPolicy, List<ValidationFailureDetails> list, RangerValidator.Action action, boolean z, RangerServiceDef rangerServiceDef) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValidResources(%s, %s, %s, %s, %s)", rangerPolicy, list, action, Boolean.valueOf(z), rangerServiceDef));
        }
        boolean z2 = true;
        Map<String, RangerPolicy.RangerPolicyResource> resources = rangerPolicy.getResources();
        if (resources != null) {
            z2 = isPolicyResourceUnique(rangerPolicy, list, action) && 1 != 0;
            if (rangerServiceDef != null) {
                z2 = isValidResourceFlags(resources, list, rangerServiceDef.getResources(), rangerServiceDef.getName(), rangerPolicy.getName(), z) && (isValidResourceValues(resources, list, rangerServiceDef) && (isValidResourceNames(rangerPolicy, list, rangerServiceDef) && z2));
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValidResources(%s, %s, %s, %s, %s): %s", rangerPolicy, list, action, Boolean.valueOf(z), rangerServiceDef, Boolean.valueOf(z2)));
        }
        return z2;
    }

    boolean isPolicyResourceUnique(RangerPolicy rangerPolicy, List<ValidationFailureDetails> list, RangerValidator.Action action) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isPolicyResourceUnique(%s, %s, %s)", rangerPolicy, list, action));
        }
        boolean z = true;
        if (Boolean.TRUE.equals(rangerPolicy.getIsEnabled())) {
            List<RangerPolicy> policiesForResourceSignature = getPoliciesForResourceSignature(rangerPolicy.getService(), this._factory.createPolicyResourceSignature(rangerPolicy).getSignature());
            if (CollectionUtils.isNotEmpty(policiesForResourceSignature)) {
                ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_DUPLICATE_POLICY_RESOURCE;
                RangerPolicy next = policiesForResourceSignature.iterator().next();
                if (action == RangerValidator.Action.CREATE || (action == RangerValidator.Action.UPDATE && (policiesForResourceSignature.size() > 1 || !next.getId().equals(rangerPolicy.getId())))) {
                    list.add(new ValidationFailureDetailsBuilder().field(RangerPolicyService.POLICY_RESOURCE_CLASS_FIELD_NAME).isSemanticallyIncorrect().becauseOf(validationErrorCode.getMessage(next.getName(), rangerPolicy.getService())).errorCode(validationErrorCode.getErrorCode()).build());
                    z = false;
                }
            }
        } else {
            LOG.debug("Policy is disabled. Skipping resource uniqueness validation.");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isPolicyResourceUnique(%s, %s, %s): %s", rangerPolicy, list, action, Boolean.valueOf(z)));
        }
        return z;
    }

    boolean isValidResourceNames(RangerPolicy rangerPolicy, List<ValidationFailureDetails> list, RangerServiceDef rangerServiceDef) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValidResourceNames(%s, %s, %s)", rangerPolicy, list, rangerServiceDef));
        }
        boolean z = true;
        Set<String> policyResources = getPolicyResources(rangerPolicy);
        RangerServiceDefHelper rangerServiceDefHelper = new RangerServiceDefHelper(rangerServiceDef);
        Set<List<RangerServiceDef.RangerResourceDef>> resourceHierarchies = rangerServiceDefHelper.getResourceHierarchies(rangerPolicy.getPolicyType());
        if (resourceHierarchies.isEmpty()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerPolicyValidator.isValidResourceNames: serviceDef does not have any resource hierarchies, possibly due to invalid service def!!");
            }
            ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY;
            list.add(new ValidationFailureDetailsBuilder().field("service def resource hierarchies").subField("incompatible").isSemanticallyIncorrect().becauseOf(validationErrorCode.getMessage(rangerServiceDef.getName(), " does not have any resource hierarchies")).errorCode(validationErrorCode.getErrorCode()).build());
            z = false;
        } else {
            Set<List<RangerServiceDef.RangerResourceDef>> filterHierarchies_hierarchyHasAllPolicyResources = filterHierarchies_hierarchyHasAllPolicyResources(policyResources, resourceHierarchies, rangerServiceDefHelper);
            if (filterHierarchies_hierarchyHasAllPolicyResources.isEmpty()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(String.format("No compatible resource hierarchies found: resource[%s], service-def[%s], valid-resource-hierarchies[%s]", policyResources.toString(), rangerServiceDef.getName(), toStringHierarchies_all(resourceHierarchies, rangerServiceDefHelper)));
                }
                ValidationErrorCode validationErrorCode2 = resourceHierarchies.size() == 1 ? ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY_SINGLE : ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY;
                list.add(new ValidationFailureDetailsBuilder().field("policy resources").subField("incompatible").isSemanticallyIncorrect().becauseOf(validationErrorCode2.getMessage(rangerServiceDef.getName(), toStringHierarchies_all(resourceHierarchies, rangerServiceDefHelper))).errorCode(validationErrorCode2.getErrorCode()).build());
                z = false;
            } else {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("isValidResourceNames: Found [" + filterHierarchies_hierarchyHasAllPolicyResources.size() + "] compatible hierarchies: " + toStringHierarchies_all(filterHierarchies_hierarchyHasAllPolicyResources, rangerServiceDefHelper));
                }
                Set<List<RangerServiceDef.RangerResourceDef>> filterHierarchies_mandatoryResourcesSpecifiedInPolicy = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, filterHierarchies_hierarchyHasAllPolicyResources, rangerServiceDefHelper);
                if (filterHierarchies_mandatoryResourcesSpecifiedInPolicy.isEmpty()) {
                    ValidationErrorCode validationErrorCode3 = filterHierarchies_hierarchyHasAllPolicyResources.size() == 1 ? ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY_SINGLE : ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY;
                    list.add(new ValidationFailureDetailsBuilder().field("policy resources").subField("missing mandatory").isSemanticallyIncorrect().becauseOf(validationErrorCode3.getMessage(rangerServiceDef.getName(), toStringHierarchies_mandatory(filterHierarchies_hierarchyHasAllPolicyResources, rangerServiceDefHelper))).errorCode(validationErrorCode3.getErrorCode()).build());
                    z = false;
                } else if (LOG.isDebugEnabled()) {
                    LOG.debug("isValidResourceNames: Found hierarchies with all mandatory fields specified: " + toStringHierarchies_mandatory(filterHierarchies_mandatoryResourcesSpecifiedInPolicy, rangerServiceDefHelper));
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceNames(%s, %s, %s): %s", rangerPolicy, list, rangerServiceDef, Boolean.valueOf(z)));
        }
        return z;
    }

    String toStringHierarchies_mandatory(Set<List<RangerServiceDef.RangerResourceDef>> set, RangerServiceDefHelper rangerServiceDefHelper) {
        StringBuilder sb = new StringBuilder();
        Iterator<List<RangerServiceDef.RangerResourceDef>> it = set.iterator();
        while (it.hasNext()) {
            sb.append(rangerServiceDefHelper.getMandatoryResourceNames(it.next()));
            sb.append(" ");
        }
        return sb.toString();
    }

    String toStringHierarchies_all(Set<List<RangerServiceDef.RangerResourceDef>> set, RangerServiceDefHelper rangerServiceDefHelper) {
        StringBuilder sb = new StringBuilder();
        Iterator<List<RangerServiceDef.RangerResourceDef>> it = set.iterator();
        while (it.hasNext()) {
            sb.append(rangerServiceDefHelper.getAllResourceNamesOrdered(it.next()));
            sb.append(" ");
        }
        return sb.toString();
    }

    Set<List<RangerServiceDef.RangerResourceDef>> filterHierarchies_hierarchyHasAllPolicyResources(Set<String> set, Set<List<RangerServiceDef.RangerResourceDef>> set2, RangerServiceDefHelper rangerServiceDefHelper) {
        HashSet hashSet = new HashSet(set2.size());
        for (List<RangerServiceDef.RangerResourceDef> list : set2) {
            if (rangerServiceDefHelper.hierarchyHasAllResources(list, set)) {
                hashSet.add(list);
            }
        }
        return hashSet;
    }

    Set<List<RangerServiceDef.RangerResourceDef>> filterHierarchies_mandatoryResourcesSpecifiedInPolicy(Set<String> set, Set<List<RangerServiceDef.RangerResourceDef>> set2, RangerServiceDefHelper rangerServiceDefHelper) {
        HashSet hashSet = new HashSet(set2.size());
        for (List<RangerServiceDef.RangerResourceDef> list : set2) {
            if (set.containsAll(rangerServiceDefHelper.getMandatoryResourceNames(list))) {
                hashSet.add(list);
            }
        }
        return hashSet;
    }

    boolean isValidResourceFlags(Map<String, RangerPolicy.RangerPolicyResource> map, List<ValidationFailureDetails> list, List<RangerServiceDef.RangerResourceDef> list2, String str, String str2, boolean z) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValidResourceFlags(%s, %s, %s, %s, %s, %s)", map, list, list2, str, str2, Boolean.valueOf(z)));
        }
        boolean z2 = true;
        if (list2 == null) {
            LOG.debug("isValidResourceFlags: service Def is null");
        } else {
            Map<String, RangerPolicy.RangerPolicyResource> policyResourceWithLowerCaseKeys = getPolicyResourceWithLowerCaseKeys(map);
            for (RangerServiceDef.RangerResourceDef rangerResourceDef : list2) {
                if (rangerResourceDef == null) {
                    ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_RESOURCE_DEF;
                    list.add(new ValidationFailureDetailsBuilder().field("resource-def").isAnInternalError().becauseOf(validationErrorCode.getMessage(str)).errorCode(validationErrorCode.getErrorCode()).build());
                    z2 = false;
                } else if (StringUtils.isBlank(rangerResourceDef.getName())) {
                    ValidationErrorCode validationErrorCode2 = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_DEF_NAME;
                    list.add(new ValidationFailureDetailsBuilder().field("resource-def-name").isAnInternalError().becauseOf(validationErrorCode2.getMessage(str)).errorCode(validationErrorCode2.getErrorCode()).build());
                    z2 = false;
                } else {
                    String lowerCase = rangerResourceDef.getName().toLowerCase();
                    RangerPolicy.RangerPolicyResource rangerPolicyResource = policyResourceWithLowerCaseKeys.get(lowerCase);
                    if (rangerPolicyResource != null) {
                        boolean equals = Boolean.TRUE.equals(rangerResourceDef.getExcludesSupported());
                        boolean equals2 = Boolean.TRUE.equals(rangerPolicyResource.getIsExcludes());
                        if (equals2 && !equals) {
                            ValidationErrorCode validationErrorCode3 = ValidationErrorCode.POLICY_VALIDATION_ERR_EXCLUDES_NOT_SUPPORTED;
                            list.add(new ValidationFailureDetailsBuilder().field("isExcludes").subField(lowerCase).isSemanticallyIncorrect().becauseOf(validationErrorCode3.getMessage(lowerCase)).errorCode(validationErrorCode3.getErrorCode()).build());
                            z2 = false;
                        }
                        if (equals2 && !z) {
                            ValidationErrorCode validationErrorCode4 = ValidationErrorCode.POLICY_VALIDATION_ERR_EXCLUDES_REQUIRES_ADMIN;
                            list.add(new ValidationFailureDetailsBuilder().field("isExcludes").subField("isAdmin").isSemanticallyIncorrect().becauseOf(validationErrorCode4.getMessage(new Object[0])).errorCode(validationErrorCode4.getErrorCode()).build());
                            z2 = false;
                        }
                        boolean equals3 = Boolean.TRUE.equals(rangerResourceDef.getRecursiveSupported());
                        if (Boolean.TRUE.equals(rangerPolicyResource.getIsRecursive()) && !equals3) {
                            ValidationErrorCode validationErrorCode5 = ValidationErrorCode.POLICY_VALIDATION_ERR_RECURSIVE_NOT_SUPPORTED;
                            list.add(new ValidationFailureDetailsBuilder().field(SearchFilter.IS_RECURSIVE).subField(lowerCase).isSemanticallyIncorrect().becauseOf(validationErrorCode5.getMessage(lowerCase)).errorCode(validationErrorCode5.getErrorCode()).build());
                            z2 = false;
                        }
                    } else if (LOG.isDebugEnabled()) {
                        LOG.debug("a policy-resource object for resource[" + lowerCase + "] on policy [" + str2 + "] was null");
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceFlags(%s, %s, %s, %s, %s, %s): %s", map, list, list2, str, str2, Boolean.valueOf(z), Boolean.valueOf(z2)));
        }
        return z2;
    }

    boolean isValidResourceValues(Map<String, RangerPolicy.RangerPolicyResource> map, List<ValidationFailureDetails> list, RangerServiceDef rangerServiceDef) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValidResourceValues(%s, %s, %s)", map, list, rangerServiceDef));
        }
        boolean z = true;
        Map<String, String> validationRegExes = getValidationRegExes(rangerServiceDef);
        for (Map.Entry<String, RangerPolicy.RangerPolicyResource> entry : map.entrySet()) {
            String key = entry.getKey();
            RangerPolicy.RangerPolicyResource value = entry.getValue();
            if (value != null) {
                if (CollectionUtils.isNotEmpty(value.getValues())) {
                    for (String str : new HashSet(value.getValues())) {
                        if (StringUtils.isBlank(str)) {
                            value.getValues().remove(str);
                        }
                    }
                }
                if (CollectionUtils.isEmpty(value.getValues())) {
                    ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST;
                    if (LOG.isDebugEnabled()) {
                        LOG.debug(String.format("Resource list was empty or contains null: value[%s], resource-name[%s], service-def-name[%s]", value.getValues(), key, rangerServiceDef.getName()));
                    }
                    list.add(new ValidationFailureDetailsBuilder().field("resource-values").subField(key).isMissing().becauseOf(validationErrorCode.getMessage(key)).errorCode(validationErrorCode.getErrorCode()).build());
                    z = false;
                }
                if (validationRegExes.containsKey(key) && CollectionUtils.isNotEmpty(value.getValues())) {
                    String str2 = validationRegExes.get(key);
                    for (String str3 : value.getValues()) {
                        if (!str3.matches(str2)) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug(String.format("Resource failed regex check: value[%s], resource-name[%s], regEx[%s], service-def-name[%s]", str3, key, str2, rangerServiceDef.getName()));
                            }
                            ValidationErrorCode validationErrorCode2 = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX;
                            list.add(new ValidationFailureDetailsBuilder().field("resource-values").subField(key).isSemanticallyIncorrect().becauseOf(validationErrorCode2.getMessage(str3, key)).errorCode(validationErrorCode2.getErrorCode()).build());
                            z = false;
                        }
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceValues(%s, %s, %s): %s", map, list, rangerServiceDef, Boolean.valueOf(z)));
        }
        return z;
    }

    boolean isValidPolicyItems(List<RangerPolicy.RangerPolicyItem> list, List<ValidationFailureDetails> list2, RangerServiceDef rangerServiceDef) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s)", list, list2, rangerServiceDef));
        }
        boolean z = true;
        if (CollectionUtils.isEmpty(list)) {
            LOG.debug("policy items collection was null/empty");
        } else {
            for (RangerPolicy.RangerPolicyItem rangerPolicyItem : list) {
                if (rangerPolicyItem == null) {
                    ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM;
                    list2.add(new ValidationFailureDetailsBuilder().field("policy item").isMissing().becauseOf(validationErrorCode.getMessage(new Object[0])).errorCode(validationErrorCode.getErrorCode()).build());
                    z = false;
                } else {
                    z = isValidPolicyItem(rangerPolicyItem, list2, rangerServiceDef) && z;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s): %s", list, list2, rangerServiceDef, Boolean.valueOf(z)));
        }
        return z;
    }

    boolean isValidPolicyItem(RangerPolicy.RangerPolicyItem rangerPolicyItem, List<ValidationFailureDetails> list, RangerServiceDef rangerServiceDef) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s)", rangerPolicyItem, list, rangerServiceDef));
        }
        boolean z = true;
        if (rangerPolicyItem == null) {
            LOG.debug("policy item was null!");
        } else {
            if (!CollectionUtils.isEmpty(rangerPolicyItem.getAccesses())) {
                z = isValidItemAccesses(rangerPolicyItem.getAccesses(), list, rangerServiceDef) && 1 != 0;
            } else if (Boolean.TRUE.equals(rangerPolicyItem.getDelegateAdmin())) {
                LOG.debug("policy item collection was null but delegated admin is true. Ok");
            } else {
                ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
                list.add(new ValidationFailureDetailsBuilder().field("policy item accesses").isMissing().becauseOf(validationErrorCode.getMessage("policy item accesses")).errorCode(validationErrorCode.getErrorCode()).build());
                z = false;
            }
            if (CollectionUtils.isEmpty(rangerPolicyItem.getUsers()) && CollectionUtils.isEmpty(rangerPolicyItem.getGroups())) {
                ValidationErrorCode validationErrorCode2 = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_USER_AND_GROUPS;
                list.add(new ValidationFailureDetailsBuilder().field("policy item users/user-groups").isMissing().becauseOf(validationErrorCode2.getMessage(new Object[0])).errorCode(validationErrorCode2.getErrorCode()).build());
                z = false;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s): %s", rangerPolicyItem, list, rangerServiceDef, Boolean.valueOf(z)));
        }
        return z;
    }

    boolean isValidItemAccesses(List<RangerPolicy.RangerPolicyItemAccess> list, List<ValidationFailureDetails> list2, RangerServiceDef rangerServiceDef) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s)", list, list2, rangerServiceDef));
        }
        boolean z = true;
        if (CollectionUtils.isEmpty(list)) {
            LOG.debug("policy item accesses collection was null/empty!");
        } else {
            Set<String> accessTypes = getAccessTypes(rangerServiceDef);
            for (RangerPolicy.RangerPolicyItemAccess rangerPolicyItemAccess : list) {
                if (rangerPolicyItemAccess == null) {
                    ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS;
                    list2.add(new ValidationFailureDetailsBuilder().field("policy item access").isMissing().becauseOf(validationErrorCode.getMessage(new Object[0])).errorCode(validationErrorCode.getErrorCode()).build());
                    z = false;
                } else {
                    z = isValidPolicyItemAccess(rangerPolicyItemAccess, list2, accessTypes) && z;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s): %b", list, list2, rangerServiceDef, Boolean.valueOf(z)));
        }
        return z;
    }

    boolean isValidPolicyItemAccess(RangerPolicy.RangerPolicyItemAccess rangerPolicyItemAccess, List<ValidationFailureDetails> list, Set<String> set) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerPolicyValidator.isValidPolicyItemAccess(%s, %s, %s)", rangerPolicyItemAccess, list, set));
        }
        boolean z = true;
        if (CollectionUtils.isEmpty(set)) {
            LOG.debug("isValidPolicyItemAccess: accessTypes was null!");
        } else if (rangerPolicyItemAccess == null) {
            LOG.debug("isValidPolicyItemAccess: policy item access was null!");
        } else {
            String type = rangerPolicyItemAccess.getType();
            if (StringUtils.isBlank(type)) {
                ValidationErrorCode validationErrorCode = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
                list.add(new ValidationFailureDetailsBuilder().field("policy item access type").isMissing().becauseOf(validationErrorCode.getMessage("policy item access type")).errorCode(validationErrorCode.getErrorCode()).build());
                z = false;
            } else if (!set.contains(type.toLowerCase())) {
                ValidationErrorCode validationErrorCode2 = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_INVALID;
                list.add(new ValidationFailureDetailsBuilder().field("policy item access type").isSemanticallyIncorrect().becauseOf(validationErrorCode2.getMessage(type, set)).errorCode(validationErrorCode2.getErrorCode()).build());
                z = false;
            }
            Boolean isAllowed = rangerPolicyItemAccess.getIsAllowed();
            if (isAllowed != null && !isAllowed.booleanValue()) {
                ValidationErrorCode validationErrorCode3 = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_DENY;
                list.add(new ValidationFailureDetailsBuilder().field("policy item access type allowed").isSemanticallyIncorrect().becauseOf(validationErrorCode3.getMessage(new Object[0])).errorCode(validationErrorCode3.getErrorCode()).build());
                z = false;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerPolicyValidator.isValidPolicyItemAccess(%s, %s, %s): %s", rangerPolicyItemAccess, list, set, Boolean.valueOf(z)));
        }
        return z;
    }
}
