package org.apache.ranger.plugin.policyevaluator;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.policyengine.RangerTagAccessRequest;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServiceDefUtil;

/* loaded from: input_file:WEB-INF/lib/ranger-plugins-common-1.0.0.jar:org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.class */
public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
    private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class);
    private static final Log PERF_POLICY_INIT_LOG = RangerPerfTracer.getPerfLogger("policy.init");
    private static final Log PERF_POLICY_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policy.request");
    private RangerPolicyResourceMatcher resourceMatcher;
    private List<RangerPolicyItemEvaluator> allowEvaluators;
    private List<RangerPolicyItemEvaluator> denyEvaluators;
    private List<RangerPolicyItemEvaluator> allowExceptionEvaluators;
    private List<RangerPolicyItemEvaluator> denyExceptionEvaluators;
    private int customConditionsCount;
    private List<RangerDataMaskPolicyItemEvaluator> dataMaskEvaluators;
    private List<RangerRowFilterPolicyItemEvaluator> rowFilterEvaluators;
    private String perfTag;

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean needsDynamicEval() {
        return this.resourceMatcher != null && this.resourceMatcher.getNeedsDynamicEval();
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public int getCustomConditionsCount() {
        return this.customConditionsCount;
    }

    @Override // org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator
    public RangerPolicyResourceMatcher getPolicyResourceMatcher() {
        return this.resourceMatcher;
    }

    @Override // org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator
    public RangerResourceMatcher getResourceMatcher(String str) {
        if (this.resourceMatcher != null) {
            return this.resourceMatcher.getResourceMatcher(str);
        }
        return null;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerAbstractPolicyEvaluator, org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void init(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
        }
        StringBuilder sb = new StringBuilder();
        if (rangerPolicy != null) {
            sb.append("policyId=").append(rangerPolicy.getId()).append(", policyName=").append(rangerPolicy.getName());
        }
        this.perfTag = sb.toString();
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.init(" + this.perfTag + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        super.init(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions);
        preprocessPolicy(rangerPolicy, rangerServiceDef);
        this.resourceMatcher = new RangerDefaultPolicyResourceMatcher();
        this.resourceMatcher.setServiceDef(rangerServiceDef);
        this.resourceMatcher.setPolicy(rangerPolicy);
        this.resourceMatcher.setServiceDefHelper(rangerPolicyEngineOptions.getServiceDefHelper());
        this.resourceMatcher.init();
        if (rangerPolicy != null) {
            this.allowEvaluators = createPolicyItemEvaluators(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions, 0);
            this.denyEvaluators = createPolicyItemEvaluators(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions, 1);
            this.allowExceptionEvaluators = createPolicyItemEvaluators(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions, 2);
            this.denyExceptionEvaluators = createPolicyItemEvaluators(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions, 3);
            this.dataMaskEvaluators = createDataMaskPolicyItemEvaluators(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions, rangerPolicy.getDataMaskPolicyItems());
            this.rowFilterEvaluators = createRowFilterPolicyItemEvaluators(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions, rangerPolicy.getRowFilterPolicyItems());
        } else {
            this.allowEvaluators = Collections.emptyList();
            this.denyEvaluators = Collections.emptyList();
            this.allowExceptionEvaluators = Collections.emptyList();
            this.denyExceptionEvaluators = Collections.emptyList();
            this.dataMaskEvaluators = Collections.emptyList();
            this.rowFilterEvaluators = Collections.emptyList();
        }
        RangerPolicyItemEvaluator.EvalOrderComparator evalOrderComparator = new RangerPolicyItemEvaluator.EvalOrderComparator();
        Collections.sort(this.allowEvaluators, evalOrderComparator);
        Collections.sort(this.denyEvaluators, evalOrderComparator);
        Collections.sort(this.allowExceptionEvaluators, evalOrderComparator);
        Collections.sort(this.denyExceptionEvaluators, evalOrderComparator);
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
        }
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void evaluate(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        RangerPolicyResourceMatcher.MatchType matchType;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + rangerAccessRequest + ", " + rangerAccessResult + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + "," + this.perfTag + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        if (rangerAccessRequest != null && rangerAccessResult != null && (!rangerAccessResult.getIsAccessDetermined() || !rangerAccessResult.getIsAuditedDetermined())) {
            if (RangerTagAccessRequest.class.isInstance(rangerAccessRequest)) {
                matchType = ((RangerTagAccessRequest) rangerAccessRequest).getMatchType();
            } else {
                matchType = this.resourceMatcher != null ? this.resourceMatcher.getMatchType(rangerAccessRequest.getResource(), rangerAccessRequest.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
            }
            if (matchType != RangerPolicyResourceMatcher.MatchType.NONE) {
                if (RangerTagAccessRequest.class.isInstance(rangerAccessRequest) && matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT && !rangerAccessRequest.isAccessTypeAny() && rangerAccessRequest.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect.");
                    }
                    matchType = RangerPolicyResourceMatcher.MatchType.SELF;
                }
                if (!rangerAccessResult.getIsAuditedDetermined() && isAuditEnabled()) {
                    rangerAccessResult.setIsAudited(true);
                    rangerAccessResult.setAuditPolicyId(getPolicy().getId().longValue());
                }
                if (!rangerAccessResult.getIsAccessDetermined() && hasMatchablePolicyItem(rangerAccessRequest)) {
                    evaluatePolicyItems(rangerAccessRequest, matchType, rangerAccessResult);
                }
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + rangerAccessRequest + ", " + rangerAccessResult + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isMatch(RangerAccessResource rangerAccessResource, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + rangerAccessResource + ", " + map + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isMatch(resource=" + rangerAccessResource.getAsString() + "," + map + "," + this.perfTag + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        if (this.resourceMatcher != null) {
            z = this.resourceMatcher.isMatch(rangerAccessResource, map);
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + rangerAccessResource + ", " + map + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isCompleteMatch(RangerAccessResource rangerAccessResource, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + rangerAccessResource + ", " + map + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        boolean z = this.resourceMatcher != null && this.resourceMatcher.isCompleteMatch(rangerAccessResource, map);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + rangerAccessResource + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isCompleteMatch(Map<String, RangerPolicy.RangerPolicyResource> map, Map<String, Object> map2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + map + ", " + map2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        boolean z = this.resourceMatcher != null && this.resourceMatcher.isCompleteMatch(map, map2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + map + ", " + map2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isAccessAllowed(RangerAccessResource rangerAccessResource, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + rangerAccessResource + ", " + str + ", " + set + ", " + str2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        HashMap hashMap = new HashMap();
        RangerAccessRequestUtil.setCurrentUserInContext(hashMap, str);
        boolean z = isAccessAllowed(str, set, str2) && isMatch(rangerAccessResource, hashMap);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + rangerAccessResource + ", " + str + ", " + set + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isAccessAllowed(Map<String, RangerPolicy.RangerPolicyResource> map, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + map + ", " + str + ", " + set + ", " + str2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        HashMap hashMap = new HashMap();
        RangerAccessRequestUtil.setCurrentUserInContext(hashMap, str);
        boolean z = isAccessAllowed(str, set, str2) && isMatch(map, hashMap);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + map + ", " + str + ", " + set + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void getResourceAccessInfo(RangerAccessRequest rangerAccessRequest, RangerResourceAccessInfo rangerResourceAccessInfo) {
        RangerPolicyResourceMatcher.MatchType matchType;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + rangerAccessRequest + ", " + rangerResourceAccessInfo + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        if (RangerTagAccessRequest.class.isInstance(rangerAccessRequest)) {
            matchType = ((RangerTagAccessRequest) rangerAccessRequest).getMatchType();
        } else {
            matchType = this.resourceMatcher != null ? this.resourceMatcher.getMatchType(rangerAccessRequest.getResource(), rangerAccessRequest.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
        }
        if (matchType != RangerPolicyResourceMatcher.MatchType.NONE) {
            if (CollectionUtils.isNotEmpty(this.allowEvaluators)) {
                Set<String> hashSet = new HashSet<>();
                Set<String> hashSet2 = new HashSet<>();
                getResourceAccessInfo(rangerAccessRequest, this.allowEvaluators, hashSet, hashSet2);
                if (CollectionUtils.isNotEmpty(this.allowExceptionEvaluators)) {
                    Set<String> hashSet3 = new HashSet<>();
                    Set<String> hashSet4 = new HashSet<>();
                    getResourceAccessInfo(rangerAccessRequest, this.allowExceptionEvaluators, hashSet3, hashSet4);
                    hashSet.removeAll(hashSet3);
                    hashSet2.removeAll(hashSet4);
                }
                rangerResourceAccessInfo.getAllowedUsers().addAll(hashSet);
                rangerResourceAccessInfo.getAllowedGroups().addAll(hashSet2);
            }
            if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT && CollectionUtils.isNotEmpty(this.denyEvaluators)) {
                Set<String> hashSet5 = new HashSet<>();
                Set<String> hashSet6 = new HashSet<>();
                getResourceAccessInfo(rangerAccessRequest, this.denyEvaluators, hashSet5, hashSet6);
                if (CollectionUtils.isNotEmpty(this.denyExceptionEvaluators)) {
                    Set<String> hashSet7 = new HashSet<>();
                    Set<String> hashSet8 = new HashSet<>();
                    getResourceAccessInfo(rangerAccessRequest, this.denyExceptionEvaluators, hashSet7, hashSet8);
                    hashSet5.removeAll(hashSet7);
                    hashSet6.removeAll(hashSet8);
                }
                rangerResourceAccessInfo.getDeniedUsers().addAll(hashSet5);
                rangerResourceAccessInfo.getDeniedGroups().addAll(hashSet6);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + rangerAccessRequest + ", " + rangerResourceAccessInfo + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
    }

    protected void evaluatePolicyItems(RangerAccessRequest rangerAccessRequest, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult rangerAccessResult) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + rangerAccessRequest + ", " + rangerAccessResult + ", " + matchType + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        RangerPolicyItemEvaluator matchingPolicyItem = getMatchingPolicyItem(rangerAccessRequest, rangerAccessResult);
        if (matchingPolicyItem != null) {
            matchingPolicyItem.updateAccessResult(rangerAccessResult, matchType, getPolicy().getId());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + rangerAccessRequest + ", " + rangerAccessResult + ", " + matchType + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
    }

    protected RangerPolicyItemEvaluator getDeterminingPolicyItem(String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + str + ", " + set + ", " + str2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        RangerPolicyItemEvaluator matchingPolicyItem = getMatchingPolicyItem(str, set, str2, this.denyEvaluators, this.denyExceptionEvaluators);
        if (matchingPolicyItem == null) {
            matchingPolicyItem = getMatchingPolicyItem(str, set, str2, this.allowEvaluators, this.allowExceptionEvaluators);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + str + ", " + set + ", " + str2 + "): " + matchingPolicyItem);
        }
        return matchingPolicyItem;
    }

    private void getResourceAccessInfo(RangerAccessRequest rangerAccessRequest, List<? extends RangerPolicyItemEvaluator> list, Set<String> set, Set<String> set2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + rangerAccessRequest + ", " + list + ", " + set + ", " + set2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        if (CollectionUtils.isNotEmpty(list)) {
            for (RangerPolicyItemEvaluator rangerPolicyItemEvaluator : list) {
                if (rangerPolicyItemEvaluator.matchAccessType(rangerAccessRequest.getAccessType()) && rangerPolicyItemEvaluator.matchCustomConditions(rangerAccessRequest)) {
                    if (CollectionUtils.isNotEmpty(rangerPolicyItemEvaluator.getPolicyItem().getUsers())) {
                        set.addAll(rangerPolicyItemEvaluator.getPolicyItem().getUsers());
                    }
                    if (CollectionUtils.isNotEmpty(rangerPolicyItemEvaluator.getPolicyItem().getGroups())) {
                        set2.addAll(rangerPolicyItemEvaluator.getPolicyItem().getGroups());
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + rangerAccessRequest + ", " + list + ", " + set + ", " + set2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
    }

    protected boolean isMatch(Map<String, RangerPolicy.RangerPolicyResource> map, Map<String, Object> map2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + map + ", " + map2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        boolean z = this.resourceMatcher != null && this.resourceMatcher.isMatch(map, map2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + map + ", " + map2 + "): " + z);
        }
        return z;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAccessAllowed(String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + str + ", " + set + ", " + str2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isAccessAllowed(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + "," + this.perfTag + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        RangerPolicyItemEvaluator determiningPolicyItem = getDeterminingPolicyItem(str, set, str2);
        if (determiningPolicyItem != null && determiningPolicyItem.getPolicyItemType() == 0) {
            z = true;
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + str + ", " + set + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerAbstractPolicyEvaluator
    public StringBuilder toString(StringBuilder sb) {
        sb.append("RangerDefaultPolicyEvaluator={");
        super.toString(sb);
        sb.append("resourceMatcher={");
        if (this.resourceMatcher != null) {
            this.resourceMatcher.toString(sb);
        }
        sb.append("} ");
        sb.append("}");
        return sb;
    }

    private void preprocessPolicy(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef) {
        Map<String, Collection<String>> impliedAccessGrants;
        if (rangerPolicy != null) {
            if ((!hasAllow() && !hasDeny()) || rangerServiceDef == null || (impliedAccessGrants = getImpliedAccessGrants(rangerServiceDef)) == null || impliedAccessGrants.isEmpty()) {
                return;
            }
            preprocessPolicyItems(rangerPolicy.getPolicyItems(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getDenyPolicyItems(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getAllowExceptions(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getDenyExceptions(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getDataMaskPolicyItems(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getRowFilterPolicyItems(), impliedAccessGrants);
        }
    }

    private void preprocessPolicyItems(List<? extends RangerPolicy.RangerPolicyItem> list, Map<String, Collection<String>> map) {
        for (RangerPolicy.RangerPolicyItem rangerPolicyItem : list) {
            if (!CollectionUtils.isEmpty(rangerPolicyItem.getAccesses())) {
                for (Map.Entry<String, Collection<String>> entry : map.entrySet()) {
                    String key = entry.getKey();
                    Collection<String> value = entry.getValue();
                    RangerPolicy.RangerPolicyItemAccess access = getAccess(rangerPolicyItem, key);
                    if (access != null) {
                        for (String str : value) {
                            RangerPolicy.RangerPolicyItemAccess access2 = getAccess(rangerPolicyItem, str);
                            if (access2 == null) {
                                rangerPolicyItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(str, access.getIsAllowed()));
                            } else if (!access2.getIsAllowed().booleanValue()) {
                                access2.setIsAllowed(access.getIsAllowed());
                            }
                        }
                    }
                }
            }
        }
    }

    private Map<String, Collection<String>> getImpliedAccessGrants(RangerServiceDef rangerServiceDef) {
        HashMap hashMap = null;
        if (rangerServiceDef != null && !CollectionUtils.isEmpty(rangerServiceDef.getAccessTypes())) {
            for (RangerServiceDef.RangerAccessTypeDef rangerAccessTypeDef : rangerServiceDef.getAccessTypes()) {
                if (!CollectionUtils.isEmpty(rangerAccessTypeDef.getImpliedGrants())) {
                    if (hashMap == null) {
                        hashMap = new HashMap();
                    }
                    Collection<String> collection = hashMap.get(rangerAccessTypeDef.getName());
                    if (collection == null) {
                        collection = new HashSet();
                        hashMap.put(rangerAccessTypeDef.getName(), collection);
                    }
                    collection.addAll(rangerAccessTypeDef.getImpliedGrants());
                }
            }
        }
        return hashMap;
    }

    private RangerPolicy.RangerPolicyItemAccess getAccess(RangerPolicy.RangerPolicyItem rangerPolicyItem, String str) {
        RangerPolicy.RangerPolicyItemAccess rangerPolicyItemAccess = null;
        if (rangerPolicyItem != null && CollectionUtils.isNotEmpty(rangerPolicyItem.getAccesses())) {
            Iterator<RangerPolicy.RangerPolicyItemAccess> it = rangerPolicyItem.getAccesses().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                RangerPolicy.RangerPolicyItemAccess next = it.next();
                if (StringUtils.equalsIgnoreCase(next.getType(), str)) {
                    rangerPolicyItemAccess = next;
                    break;
                }
            }
        }
        return rangerPolicyItemAccess;
    }

    private List<RangerPolicyItemEvaluator> createPolicyItemEvaluators(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions, int i) {
        List<RangerPolicyItemEvaluator> emptyList;
        List<RangerPolicy.RangerPolicyItem> list = null;
        if (isPolicyItemTypeEnabled(rangerServiceDef, i)) {
            if (i == 0) {
                list = rangerPolicy.getPolicyItems();
            } else if (i == 1) {
                list = rangerPolicy.getDenyPolicyItems();
            } else if (i == 2) {
                list = rangerPolicy.getAllowExceptions();
            } else if (i == 3) {
                list = rangerPolicy.getDenyExceptions();
            }
        }
        if (CollectionUtils.isNotEmpty(list)) {
            emptyList = new ArrayList();
            int i2 = 1;
            Iterator<RangerPolicy.RangerPolicyItem> it = list.iterator();
            while (it.hasNext()) {
                int i3 = i2;
                i2++;
                RangerDefaultPolicyItemEvaluator rangerDefaultPolicyItemEvaluator = new RangerDefaultPolicyItemEvaluator(rangerServiceDef, rangerPolicy, it.next(), i, i3, rangerPolicyEngineOptions);
                rangerDefaultPolicyItemEvaluator.init();
                emptyList.add(rangerDefaultPolicyItemEvaluator);
                if (CollectionUtils.isNotEmpty(rangerDefaultPolicyItemEvaluator.getConditionEvaluators())) {
                    this.customConditionsCount += rangerDefaultPolicyItemEvaluator.getConditionEvaluators().size();
                }
            }
        } else {
            emptyList = Collections.emptyList();
        }
        return emptyList;
    }

    private List<RangerDataMaskPolicyItemEvaluator> createDataMaskPolicyItemEvaluators(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions, List<RangerPolicy.RangerDataMaskPolicyItem> list) {
        List<RangerDataMaskPolicyItemEvaluator> emptyList;
        if (CollectionUtils.isNotEmpty(list)) {
            emptyList = new ArrayList();
            int i = 1;
            Iterator<RangerPolicy.RangerDataMaskPolicyItem> it = list.iterator();
            while (it.hasNext()) {
                int i2 = i;
                i++;
                RangerDefaultDataMaskPolicyItemEvaluator rangerDefaultDataMaskPolicyItemEvaluator = new RangerDefaultDataMaskPolicyItemEvaluator(rangerServiceDef, rangerPolicy, it.next(), i2, rangerPolicyEngineOptions);
                rangerDefaultDataMaskPolicyItemEvaluator.init();
                emptyList.add(rangerDefaultDataMaskPolicyItemEvaluator);
                if (CollectionUtils.isNotEmpty(rangerDefaultDataMaskPolicyItemEvaluator.getConditionEvaluators())) {
                    this.customConditionsCount += rangerDefaultDataMaskPolicyItemEvaluator.getConditionEvaluators().size();
                }
            }
        } else {
            emptyList = Collections.emptyList();
        }
        return emptyList;
    }

    private List<RangerRowFilterPolicyItemEvaluator> createRowFilterPolicyItemEvaluators(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions, List<RangerPolicy.RangerRowFilterPolicyItem> list) {
        List<RangerRowFilterPolicyItemEvaluator> emptyList;
        if (CollectionUtils.isNotEmpty(list)) {
            emptyList = new ArrayList();
            int i = 1;
            Iterator<RangerPolicy.RangerRowFilterPolicyItem> it = list.iterator();
            while (it.hasNext()) {
                int i2 = i;
                i++;
                RangerDefaultRowFilterPolicyItemEvaluator rangerDefaultRowFilterPolicyItemEvaluator = new RangerDefaultRowFilterPolicyItemEvaluator(rangerServiceDef, rangerPolicy, it.next(), i2, rangerPolicyEngineOptions);
                rangerDefaultRowFilterPolicyItemEvaluator.init();
                emptyList.add(rangerDefaultRowFilterPolicyItemEvaluator);
                if (CollectionUtils.isNotEmpty(rangerDefaultRowFilterPolicyItemEvaluator.getConditionEvaluators())) {
                    this.customConditionsCount += rangerDefaultRowFilterPolicyItemEvaluator.getConditionEvaluators().size();
                }
            }
        } else {
            emptyList = Collections.emptyList();
        }
        return emptyList;
    }

    private boolean isPolicyItemTypeEnabled(RangerServiceDef rangerServiceDef, int i) {
        boolean z = true;
        if (i == 1 || i == 2 || i == 3) {
            z = ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(rangerServiceDef);
        }
        return z;
    }

    protected RangerPolicyItemEvaluator getMatchingPolicyItem(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        RangerPolicyItemEvaluator rangerPolicyItemEvaluator = null;
        Integer policyType = getPolicy().getPolicyType();
        if (policyType == null) {
            policyType = 0;
        }
        switch (policyType.intValue()) {
            case 0:
                rangerPolicyItemEvaluator = getMatchingPolicyItem(rangerAccessRequest, this.denyEvaluators, this.denyExceptionEvaluators);
                if (rangerPolicyItemEvaluator == null && !rangerAccessResult.getIsAllowed()) {
                    rangerPolicyItemEvaluator = getMatchingPolicyItem(rangerAccessRequest, this.allowEvaluators, this.allowExceptionEvaluators);
                    break;
                }
                break;
            case 1:
                rangerPolicyItemEvaluator = getMatchingPolicyItem(rangerAccessRequest, this.dataMaskEvaluators);
                break;
            case 2:
                rangerPolicyItemEvaluator = getMatchingPolicyItem(rangerAccessRequest, this.rowFilterEvaluators);
                break;
        }
        return rangerPolicyItemEvaluator;
    }

    protected <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(RangerAccessRequest rangerAccessRequest, List<T> list) {
        return (T) getMatchingPolicyItem(rangerAccessRequest, list, null);
    }

    private <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(RangerAccessRequest rangerAccessRequest, List<T> list, List<T> list2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + rangerAccessRequest + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        T t = null;
        if (CollectionUtils.isNotEmpty(list)) {
            Iterator<T> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                T next = it.next();
                if (next.isMatch(rangerAccessRequest)) {
                    t = next;
                    break;
                }
            }
        }
        if (t != null && CollectionUtils.isNotEmpty(list2)) {
            Iterator<T> it2 = list2.iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                T next2 = it2.next();
                if (next2.isMatch(rangerAccessRequest)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + rangerAccessRequest + "): found exception policyItem(" + next2.getPolicyItem() + "); ignoring the matchedPolicyItem(" + t.getPolicyItem() + DefaultExpressionEngine.DEFAULT_INDEX_END);
                    }
                    t = null;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + rangerAccessRequest + "): " + t);
        }
        return t;
    }

    private <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(String str, Set<String> set, String str2, List<T> list, List<T> list2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + str + ", " + set + ", " + str2 + DefaultExpressionEngine.DEFAULT_INDEX_END);
        }
        T t = null;
        if (CollectionUtils.isNotEmpty(list)) {
            Iterator<T> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                T next = it.next();
                if (next.matchUserGroup(str, set) && next.matchAccessType(str2)) {
                    t = next;
                    break;
                }
            }
        }
        if (t != null && CollectionUtils.isNotEmpty(list2)) {
            Iterator<T> it2 = list2.iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                T next2 = it2.next();
                if (next2.matchUserGroup(str, set) && next2.matchAccessType(str2)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + str + ", " + set + ", " + str2 + "): found exception policyItem(" + next2.getPolicyItem() + "); ignoring the matchedPolicyItem(" + t.getPolicyItem() + DefaultExpressionEngine.DEFAULT_INDEX_END);
                    }
                    t = null;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + str + ", " + set + ", " + str2 + "): " + t);
        }
        return t;
    }
}
