package org.apache.oozie.service;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.HashSet;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.AccessControlException;
import org.apache.oozie.CoordinatorJobBean;
import org.apache.oozie.ErrorCode;
import org.apache.oozie.WorkflowJobBean;
import org.apache.oozie.client.XOozieClient;
import org.apache.oozie.store.CoordinatorStore;
import org.apache.oozie.store.StoreException;
import org.apache.oozie.store.WorkflowStore;
import org.apache.oozie.util.Instrumentation;
import org.apache.oozie.util.XLog;

/* loaded from: input_file:WEB-INF/lib/oozie-core-2.3.0-cdh3u1.jar:org/apache/oozie/service/AuthorizationService.class */
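/**
 * Oozie service that authorizes users for admin operations, applications and jobs.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Security is off unless {@link #CONF_SECURITY_ENABLED} is set to {@code true}; while it is
 *       off, {@link #authorizeForGroup}, {@link #authorizeForAdmin} and {@link #authorizeForJob}
 *       perform no check at all. The two {@code authorizeForApp} overloads do not consult the
 *       flag and always run.</li>
 *   <li>{@link #isUserInGroup} in this base class always returns {@code true}, so every group
 *       check passes unless a subclass overrides it. In particular {@link #authorizeForJob}
 *       only rejects a non-owner when a subclass supplies a real group lookup.</li>
 *   <li>The admin list is read once, during {@link #init}, from {@link #ADMIN_USERS_FILE} in the
 *       configuration directory. Whoever can write that file can grant admin rights, so it needs
 *       the same filesystem protection as the rest of the configuration.</li>
 * </ul>
 */
public class AuthorizationService implements Service {
    public static final String CONF_PREFIX = "oozie.service.AuthorizationService.";
    public static final String CONF_SECURITY_ENABLED = "oozie.service.AuthorizationService.security.enabled";
    public static final String ADMIN_USERS_FILE = "adminusers.txt";
    public static final String DEFAULT_GROUP = "users";
    protected static final String INSTRUMENTATION_GROUP = "authorization";
    protected static final String INSTR_FAILED_AUTH_COUNTER = "authorization.failed";
    private Set<String> adminUsers;
    private boolean securityEnabled;
    private final XLog log = XLog.getLog(getClass());
    private Instrumentation instrumentation;

    /**
     * Reads the security flag, obtains the instrumentation handle and, when security is enabled,
     * loads the admin user list.
     *
     * @param services the services container whose configuration is consulted.
     * @throws ServiceException if the admin users file exists but cannot be read.
     */
    @Override
    public void init(Services services) throws ServiceException {
        this.adminUsers = new HashSet<String>();
        // Defaults to false: an installation that never sets the property runs unauthenticated.
        this.securityEnabled = services.getConf().getBoolean(CONF_SECURITY_ENABLED, false);
        this.instrumentation = ((InstrumentationService) Services.get().get(InstrumentationService.class)).get();
        if (this.securityEnabled) {
            this.log.info("Oozie running with security enabled");
            loadAdminUsers();
        } else {
            this.log.warn("Oozie running with security disabled");
        }
    }

    /**
     * @return {@code true} if the security flag was enabled at {@link #init} time.
     */
    public boolean isSecurityEnabled() {
        return this.securityEnabled;
    }

    /**
     * Loads admin user names from {@link #ADMIN_USERS_FILE} in the configuration directory.
     *
     * <p>One name per line; blank lines and lines starting with {@code #} are skipped. When the
     * configuration comes from the classpath or the file does not exist, the admin set stays empty
     * and a warning is logged, so no user is treated as admin.
     *
     * @throws ServiceException with {@code E0160} if the file cannot be opened or read.
     */
    private void loadAdminUsers() throws ServiceException {
        String configDir = ((ConfigurationService) Services.get().get(ConfigurationService.class)).getConfigDir();
        if (configDir == null) {
            this.log.warn("Reading configuration from classpath, running without admin users");
            return;
        }
        File file = new File(configDir, ADMIN_USERS_FILE);
        if (!file.exists()) {
            this.log.warn("Admin users file not available in config dir [{0}], running without admin users", configDir);
            return;
        }
        BufferedReader reader;
        try {
            // NOTE(review): decodes with the platform default charset; non-ASCII user names
            // depend on the JVM's file.encoding setting.
            reader = new BufferedReader(new InputStreamReader(new FileInputStream(file)));
        } catch (FileNotFoundException e) {
            // Report the path, as the read-failure branch below does for the same error code.
            throw new ServiceException(ErrorCode.E0160, file.getAbsolutePath(), e);
        }
        try {
            for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                String name = line.trim();
                if (name.length() > 0 && !name.startsWith("#")) {
                    this.adminUsers.add(name);
                }
            }
        } catch (IOException e) {
            throw new ServiceException(ErrorCode.E0160, file.getAbsolutePath(), e);
        } finally {
            // The reader was previously never closed, leaking a file descriptor per init.
            try {
                reader.close();
            } catch (IOException e) {
                this.log.warn("Exception while closing admin users file [{0}]", file.getAbsolutePath(), e);
            }
        }
    }

    /**
     * No resources to release.
     */
    @Override
    public void destroy() {
    }

    /**
     * @return the interface under which this service is registered.
     */
    @Override
    public Class<? extends Service> getInterface() {
        return AuthorizationService.class;
    }

    /**
     * Tells whether a user belongs to a group.
     *
     * <p>This base implementation accepts every user for every group; a deployment that relies on
     * group-based authorization has to override it.
     *
     * @param str user name.
     * @param str2 group name.
     * @return always {@code true} here.
     * @throws AuthorizationException never thrown by this implementation; declared for overrides.
     */
    protected boolean isUserInGroup(String str, String str2) throws AuthorizationException {
        return true;
    }

    /**
     * Checks that a user belongs to a group; a no-op while security is disabled.
     *
     * @param str user name.
     * @param str2 group name.
     * @throws AuthorizationException with {@code E0502} if {@link #isUserInGroup} rejects the pair.
     */
    public void authorizeForGroup(String str, String str2) throws AuthorizationException {
        if (this.securityEnabled && !isUserInGroup(str, str2)) {
            throw new AuthorizationException(ErrorCode.E0502, str, str2);
        }
    }

    /**
     * Returns the default group for a user.
     *
     * @param str user name; ignored by this implementation.
     * @return {@link #DEFAULT_GROUP} for every user.
     * @throws AuthorizationException never thrown by this implementation; declared for overrides.
     */
    public String getDefaultGroup(String str) throws AuthorizationException {
        return DEFAULT_GROUP;
    }

    /**
     * Tells whether a user is in the admin set loaded at {@link #init} time.
     *
     * @param str user name; matched exactly (case-sensitive) against the loaded names.
     * @return {@code true} if the name is in the admin set.
     */
    protected boolean isAdmin(String str) {
        return this.adminUsers.contains(str);
    }

    /**
     * Checks that a user is an admin; a no-op while security is disabled or when {@code z} is
     * {@code false}.
     *
     * @param str user name.
     * @param z when {@code false} no check is performed (presumably marks a modifying operation;
     *     confirm against callers).
     * @throws AuthorizationException with {@code E0503} if the user is not an admin.
     */
    public void authorizeForAdmin(String str, boolean z) throws AuthorizationException {
        if (this.securityEnabled && z && !isAdmin(str)) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0503, str);
        }
    }

    /**
     * Checks that an application directory containing a readable {@code workflow.xml} exists.
     *
     * <p>The file system is obtained from {@link HadoopAccessorService} with the given user and
     * group, and {@code workflow.xml} is opened and closed immediately as a read-access probe.
     * This check runs regardless of the security flag.
     *
     * @param str user name handed to the file-system factory.
     * @param str2 group name handed to the file-system factory.
     * @param str3 application path.
     * @param configuration configuration handed to the file-system factory.
     * @throws AuthorizationException {@code E0504} if the path does not exist, {@code E0505} if
     *     {@code workflow.xml} is missing, {@code E0506} if it is not a file, {@code E0507} on an
     *     access-control failure, {@code E0501} on any other I/O failure.
     */
    public void authorizeForApp(String str, String str2, String str3, Configuration configuration) throws AuthorizationException {
        try {
            FileSystem fs = ((HadoopAccessorService) Services.get().get(HadoopAccessorService.class)).createFileSystem(str, str2, new Path(str3).toUri(), configuration);
            Path appPath = new Path(str3);
            try {
                if (!fs.exists(appPath)) {
                    incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                    throw new AuthorizationException(ErrorCode.E0504, str3);
                }
                Path definition = new Path(appPath, "workflow.xml");
                if (!fs.exists(definition)) {
                    incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                    throw new AuthorizationException(ErrorCode.E0505, str3);
                }
                if (!fs.isFile(definition)) {
                    incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                    throw new AuthorizationException(ErrorCode.E0506, str3);
                }
                // Open-and-close is the actual permission probe: it fails if the user cannot read.
                fs.open(definition).close();
            } catch (AccessControlException e) {
                incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                throw new AuthorizationException(ErrorCode.E0507, str3, e.getMessage(), e);
            }
        } catch (IOException e) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0501, e.getMessage(), e);
        } catch (HadoopAccessorException e) {
            throw new AuthorizationException(e);
        }
    }

    /**
     * Checks that an application path exists and, for directory paths, that the named definition
     * file inside it is a readable file.
     *
     * <p>The definition-file checks are skipped when the application path is itself a file or
     * when {@link XOozieClient#IS_PROXY_SUBMISSION} is present in {@code configuration}. This
     * check runs regardless of the security flag.
     *
     * @param str user name handed to the file-system factory.
     * @param str2 group name handed to the file-system factory.
     * @param str3 application path.
     * @param str4 name of the definition file expected inside the application directory.
     * @param configuration configuration handed to the file-system factory and consulted for the
     *     proxy-submission flag.
     * @throws AuthorizationException {@code E0504} if the path does not exist, {@code E0505} if
     *     the definition file is missing, {@code E0506} if it is not a file, {@code E0507} on an
     *     access-control failure, {@code E0501} on any other I/O failure.
     */
    public void authorizeForApp(String str, String str2, String str3, String str4, Configuration configuration) throws AuthorizationException {
        try {
            FileSystem fs = ((HadoopAccessorService) Services.get().get(HadoopAccessorService.class)).createFileSystem(str, str2, new Path(str3).toUri(), configuration);
            Path appPath = new Path(str3);
            try {
                if (!fs.exists(appPath)) {
                    incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                    throw new AuthorizationException(ErrorCode.E0504, str3);
                }
                // NOTE(review): any non-null value of the proxy-submission property skips the
                // definition-file probe. If this Configuration is the submitter's job
                // configuration, the flag is caller-controlled; confirm against callers.
                boolean proxySubmission = configuration.get(XOozieClient.IS_PROXY_SUBMISSION) != null;
                if (!proxySubmission && !fs.isFile(appPath)) {
                    Path definition = new Path(appPath, str4);
                    if (!fs.exists(definition)) {
                        incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                        throw new AuthorizationException(ErrorCode.E0505, str3);
                    }
                    if (!fs.isFile(definition)) {
                        incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                        throw new AuthorizationException(ErrorCode.E0506, str3);
                    }
                    // Open-and-close is the actual permission probe: it fails if the user cannot read.
                    fs.open(definition).close();
                }
            } catch (AccessControlException e) {
                incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                throw new AuthorizationException(ErrorCode.E0507, str3, e.getMessage(), e);
            }
        } catch (IOException e) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            throw new AuthorizationException(ErrorCode.E0501, e.getMessage(), e);
        } catch (HadoopAccessorException e) {
            throw new AuthorizationException(e);
        }
    }

    /**
     * Checks that a user may act on a job: admins, the job's owner and members of the job's
     * group are accepted.
     *
     * <p>No check is performed while security is disabled or when {@code z} is {@code false}.
     * Job ids ending in {@code -W} are looked up as workflow jobs, all others as coordinator
     * jobs. A job that is not found is accepted here without error.
     *
     * <p>The ownership decision is taken after the store lookup has completed, so a denial
     * reaches the caller as {@code E0508}/{@code E0509} and bumps the failure counter once.
     * Taking it inside the lookup's try block let the generic exception handler re-wrap the
     * denial as {@code E0501} and count it twice.
     *
     * @param str user name.
     * @param str2 job id.
     * @param z when {@code false} no check is performed (presumably marks a modifying operation;
     *     confirm against callers).
     * @throws AuthorizationException {@code E0508} (workflow) or {@code E0509} (coordinator) if
     *     the user is neither owner nor group member; a wrapped store error or {@code E0501} if
     *     the lookup fails.
     */
    public void authorizeForJob(String str, String str2, boolean z) throws AuthorizationException {
        if (!this.securityEnabled || !z || isAdmin(str)) {
            return;
        }
        if (str2.endsWith("-W")) {
            WorkflowJobBean workflow = fetchWorkflowJob(str2);
            if (workflow != null && !isOwner(str, workflow.getUser()) && !isUserInGroup(str, workflow.getGroup())) {
                incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                throw new AuthorizationException(ErrorCode.E0508, str, str2);
            }
        } else {
            CoordinatorJobBean coordinatorJob = fetchCoordinatorJob(str2);
            if (coordinatorJob != null && !isOwner(str, coordinatorJob.getUser()) && !isUserInGroup(str, coordinatorJob.getGroup())) {
                incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
                throw new AuthorizationException(ErrorCode.E0509, str, str2);
            }
        }
    }

    /** Null-safe owner comparison: a null user never matches. */
    private static boolean isOwner(String user, String owner) {
        return user != null && user.equals(owner);
    }

    /** Loads a workflow job in its own transaction, mapping store failures to authorization errors. */
    private WorkflowJobBean fetchWorkflowJob(String jobId) throws AuthorizationException {
        WorkflowStore store = null;
        try {
            store = ((WorkflowStoreService) Services.get().get(WorkflowStoreService.class)).create();
            store.beginTrx();
            WorkflowJobBean job = store.getWorkflow(jobId, false);
            store.commitTrx();
            return job;
        } catch (StoreException e) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            if (store != null) {
                store.rollbackTrx();
            }
            throw new AuthorizationException(e);
        } catch (Exception e) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            this.log.error("Exception, {0}", e.getMessage(), e);
            if (store != null && store.isActive()) {
                try {
                    store.rollbackTrx();
                } catch (RuntimeException re) {
                    this.log.warn("openjpa error, {0}", re.getMessage(), re);
                }
            }
            throw new AuthorizationException(ErrorCode.E0501, e);
        } finally {
            releaseStore(store);
        }
    }

    /** Loads a coordinator job in its own transaction, mapping store failures to authorization errors. */
    private CoordinatorJobBean fetchCoordinatorJob(String jobId) throws AuthorizationException {
        CoordinatorStore store = null;
        try {
            store = ((CoordinatorStoreService) Services.get().get(CoordinatorStoreService.class)).create();
            store.beginTrx();
            CoordinatorJobBean job = store.getCoordinatorJob(jobId, false);
            store.commitTrx();
            return job;
        } catch (StoreException e) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            if (store != null) {
                store.rollbackTrx();
            }
            throw new AuthorizationException(e);
        } catch (Exception e) {
            incrCounter(INSTR_FAILED_AUTH_COUNTER, 1);
            this.log.error("Exception, {0}", e.getMessage(), e);
            if (store != null && store.isActive()) {
                try {
                    store.rollbackTrx();
                } catch (RuntimeException re) {
                    this.log.warn("openjpa error, {0}", re.getMessage(), re);
                }
            }
            throw new AuthorizationException(ErrorCode.E0501, e);
        } finally {
            releaseStore(store);
        }
    }

    /** Closes a workflow store once its transaction has ended; only warns if one is still active. */
    private void releaseStore(WorkflowStore store) {
        if (store == null) {
            return;
        }
        if (store.isActive()) {
            this.log.warn("transaction is not committed or rolled back before closing entitymanager.");
            return;
        }
        try {
            store.closeTrx();
        } catch (RuntimeException e) {
            this.log.warn("Exception while attempting to close store", e);
        }
    }

    /** Closes a coordinator store once its transaction has ended; only warns if one is still active. */
    private void releaseStore(CoordinatorStore store) {
        if (store == null) {
            return;
        }
        if (store.isActive()) {
            this.log.warn("transaction is not committed or rolled back before closing entitymanager.");
            return;
        }
        try {
            store.closeTrx();
        } catch (RuntimeException e) {
            this.log.warn("Exception while attempting to close store", e);
        }
    }

    /** Adds to a counter in the authorization instrumentation group, if instrumentation is available. */
    private void incrCounter(String str, int i) {
        if (this.instrumentation != null) {
            this.instrumentation.incr(INSTRUMENTATION_GROUP, str, i);
        }
    }
}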
