package org.apache.ranger.plugin.model.validation;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.errors.ValidationErrorCode;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.validation.RangerValidator;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerResourceTrie;
import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.store.SecurityZoneStore;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.class */
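/**
 * Validates {@link RangerSecurityZone} definitions before they are created, updated or deleted.
 *
 * <p>For create/update the checks performed here are: the zone name is present and not already
 * used by another zone, at least one admin principal and one audit principal
 * (user, user-group or role) is set, every referenced service exists and has a service-def,
 * each resource entry fits a resource hierarchy of the service-def and is not duplicated, and
 * no resource of the zone is matched by more than one zone of the same service.
 *
 * <p>Failures are accumulated in the caller-supplied list; {@link #validate} turns a non-empty
 * result into an exception. A store error while loading the other zones is recorded as a
 * failure, so validation does not pass when the cross-zone check could not be run.
 */
public class RangerSecurityZoneValidator extends RangerValidator {
    private static final Logger LOG = LoggerFactory.getLogger(RangerSecurityZoneValidator.class);

    // Queried for the other zones that reference the same service (cross-zone overlap check).
    private final SecurityZoneStore securityZoneStore;

    /**
     * @param serviceStore      passed to the {@link RangerValidator} base class
     * @param securityZoneStore store used to look up the other security zones of a service
     */
    public RangerSecurityZoneValidator(ServiceStore serviceStore, SecurityZoneStore securityZoneStore) {
        super(serviceStore);
        this.securityZoneStore = securityZoneStore;
    }

    /**
     * Validates a zone for create or update and throws when any check fails.
     *
     * @param rangerSecurityZone zone to validate; on CREATE its id is overwritten with -1
     * @param action             CREATE or UPDATE
     * @throws Exception                whose message is the serialized list of validation failures
     * @throws IllegalArgumentException when {@code action} is neither CREATE nor UPDATE
     */
    public void validate(RangerSecurityZone rangerSecurityZone, RangerValidator.Action action) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerSecurityZoneValidator.validate(%s, %s)", rangerSecurityZone, action));
        }
        List<ValidationFailureDetails> failures = new ArrayList<>();
        try {
            if (!isValid(rangerSecurityZone, action, failures)) {
                throw new Exception(serializeFailures(failures));
            }
        } finally {
            // The exit trace is written on both the normal and the exceptional path.
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("<== RangerSecurityZoneValidator.validate(%s, %s)", rangerSecurityZone, action));
            }
        }
    }

    /**
     * Validates a delete-by-name request: only DELETE is accepted, the name must be non-empty
     * and must resolve to an existing zone.
     *
     * @param str    name of the zone to delete
     * @param action requested action; anything other than DELETE is reported as an internal error
     * @param list   receives one failure entry when the request is rejected
     * @return {@code true} when the request passed all checks
     */
    @Override
    boolean isValid(String str, RangerValidator.Action action, List<ValidationFailureDetails> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerSecurityZoneValidator.isValid(%s, %s, %s)", str, action, list));
        }
        boolean valid = true;
        if (action != RangerValidator.Action.DELETE) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_UNSUPPORTED_ACTION;
            list.add(new ValidationFailureDetailsBuilder().isAnInternalError().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
            valid = false;
        } else if (StringUtils.isEmpty(str)) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
            list.add(new ValidationFailureDetailsBuilder().becauseOf("security zone name was null/missing").field("name").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("name")).build());
            valid = false;
        } else if (getSecurityZone(str) == null) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
            list.add(new ValidationFailureDetailsBuilder().becauseOf("security zone does not exist").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(str)).build());
            valid = false;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", str, action, list, Boolean.valueOf(valid)));
        }
        return valid;
    }

    /**
     * Validates a delete-by-id request: only DELETE is accepted, the id must be non-null and
     * must resolve to an existing zone.
     *
     * @param l      id of the zone to delete
     * @param action requested action; anything other than DELETE is reported as an internal error
     * @param list   receives one failure entry when the request is rejected
     * @return {@code true} when the request passed all checks
     */
    @Override
    boolean isValid(Long l, RangerValidator.Action action, List<ValidationFailureDetails> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerSecurityZoneValidator.isValid(%s, %s, %s)", l, action, list));
        }
        boolean valid = true;
        if (action != RangerValidator.Action.DELETE) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_UNSUPPORTED_ACTION;
            list.add(new ValidationFailureDetailsBuilder().isAnInternalError().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
            valid = false;
        } else if (l == null) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
            list.add(new ValidationFailureDetailsBuilder().becauseOf("security zone id was null/missing").field("id").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("id")).build());
            valid = false;
        } else if (getSecurityZone(l) == null) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
            list.add(new ValidationFailureDetailsBuilder().becauseOf("security zone id does not exist").field("id").errorCode(error.getErrorCode()).becauseOf(error.getMessage(l)).build());
            valid = false;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", l, action, list, Boolean.valueOf(valid)));
        }
        return valid;
    }

    /**
     * Runs the create/update checks: name presence and uniqueness first, then the checks inside
     * the zone, then the overlap check against the other zones. The later stages are skipped as
     * soon as an earlier stage has failed.
     *
     * @return {@code true} when no failure was recorded
     * @throws IllegalArgumentException when {@code action} is neither CREATE nor UPDATE
     */
    private boolean isValid(RangerSecurityZone rangerSecurityZone, RangerValidator.Action action, List<ValidationFailureDetails> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerSecurityZoneValidator.isValid(%s, %s, %s)", rangerSecurityZone, action, list));
        }
        if (action != RangerValidator.Action.CREATE && action != RangerValidator.Action.UPDATE) {
            throw new IllegalArgumentException("isValid(RangerSecurityZone, ...) is only supported for create/update");
        }
        boolean valid = true;
        String zoneName = rangerSecurityZone.getName();
        // NOTE(review): emptiness is tested on the trimmed name, but the uniqueness lookups below
        // use the name as given, so names that differ only in surrounding whitespace are looked up
        // as distinct names here. Confirm whether names are normalized before they are stored.
        if (StringUtils.isEmpty(StringUtils.trim(zoneName))) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
            list.add(new ValidationFailureDetailsBuilder().becauseOf("security zone name was null/missing").field("name").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("name")).build());
            valid = false;
        }
        if (action == RangerValidator.Action.CREATE) {
            // Any caller-supplied id is discarded; -1 marks the zone as not yet stored
            // (validateAgainstAllSecurityZones keys off this value).
            rangerSecurityZone.setId(-1L);
            RangerSecurityZone sameNameZone = getSecurityZone(zoneName);
            if (sameNameZone != null) {
                ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_NAME_CONFLICT;
                list.add(new ValidationFailureDetailsBuilder().becauseOf("security zone name exists").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(sameNameZone.getId())).build());
                valid = false;
            }
        } else {
            Long zoneId = rangerSecurityZone.getId();
            RangerSecurityZone storedZone = getSecurityZone(zoneId);
            if (storedZone == null) {
                ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
                list.add(new ValidationFailureDetailsBuilder().becauseOf("security zone with id does not exist").field("id").errorCode(error.getErrorCode()).becauseOf(error.getMessage(zoneId)).build());
                valid = false;
            } else if (StringUtils.isNotEmpty(StringUtils.trim(zoneName)) && !StringUtils.equals(zoneName, storedZone.getName())) {
                // The zone is being renamed: the new name must not belong to another zone.
                RangerSecurityZone sameNameZone = getSecurityZone(zoneName);
                if (sameNameZone != null) {
                    ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_NAME_CONFLICT;
                    list.add(new ValidationFailureDetailsBuilder().becauseOf("security zone name").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(sameNameZone.getId())).build());
                    valid = false;
                }
            }
        }
        boolean result = valid && validateWithinSecurityZone(rangerSecurityZone, action, list) && validateAgainstAllSecurityZones(rangerSecurityZone, action, list);
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", rangerSecurityZone, action, list, Boolean.valueOf(result)));
        }
        return result;
    }

    /**
     * Checks the zone on its own: at least one admin principal, at least one audit principal,
     * and every service entry valid per {@link #validateSecurityZoneService}. All checks run
     * even after a failure so that the caller receives every problem at once.
     *
     * @return {@code true} when no failure was recorded
     */
    private boolean validateWithinSecurityZone(RangerSecurityZone rangerSecurityZone, RangerValidator.Action action, List<ValidationFailureDetails> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerSecurityZoneValidator.validateWithinSecurityZone(%s, %s, %s)", rangerSecurityZone, action, list));
        }
        boolean valid = true;
        boolean noAdmins = CollectionUtils.isEmpty(rangerSecurityZone.getAdminUsers())
                && CollectionUtils.isEmpty(rangerSecurityZone.getAdminUserGroups())
                && CollectionUtils.isEmpty(rangerSecurityZone.getAdminRoles());
        if (noAdmins) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_USER_AND_GROUPS_AND_ROLES;
            list.add(new ValidationFailureDetailsBuilder().field("security zone admin users/user-groups/roles").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
            valid = false;
        }
        boolean noAuditors = CollectionUtils.isEmpty(rangerSecurityZone.getAuditUsers())
                && CollectionUtils.isEmpty(rangerSecurityZone.getAuditUserGroups())
                && CollectionUtils.isEmpty(rangerSecurityZone.getAuditRoles());
        if (noAuditors) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_USER_AND_GROUPS_AND_ROLES;
            list.add(new ValidationFailureDetailsBuilder().field("security zone audit users/user-groups/roles").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
            valid = false;
        }
        if (MapUtils.isNotEmpty(rangerSecurityZone.getServices())) {
            for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : rangerSecurityZone.getServices().entrySet()) {
                // The call is on the left of && so that every service is validated, not only the first bad one.
                valid = validateSecurityZoneService(entry.getKey(), entry.getValue(), list) && valid;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerSecurityZoneValidator.validateWithinSecurityZone(%s, %s, %s) : %s", rangerSecurityZone, action, list, Boolean.valueOf(valid)));
        }
        return valid;
    }

    /**
     * For every service of the zone that lists resources, loads the other zones that reference
     * the same service and checks that no resource is claimed by more than one zone.
     *
     * <p>A zone without services has nothing to compare and passes. A failure to load the other
     * zones, or a service whose service-def cannot be resolved, is recorded as an internal error
     * and fails validation.
     *
     * @return {@code true} when no failure was recorded
     */
    private boolean validateAgainstAllSecurityZones(RangerSecurityZone rangerSecurityZone, RangerValidator.Action action, List<ValidationFailureDetails> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerSecurityZoneValidator.validateAgainstAllSecurityZones(%s, %s, %s)", rangerSecurityZone, action, list));
        }
        boolean valid = true;
        Map<String, RangerSecurityZone.RangerSecurityZoneService> zoneServices = rangerSecurityZone.getServices();
        if (MapUtils.isNotEmpty(zoneServices)) {
            // The zone under validation is excluded from the store query by name. For an already
            // stored zone (id other than -1) the stored name is used, so that a rename does not
            // make the zone show up as one of the "other" zones.
            String excludedZoneName = rangerSecurityZone.getName();
            Long zoneId = rangerSecurityZone.getId();
            if (zoneId != null && zoneId.longValue() != -1L) {
                RangerSecurityZone storedZone = getSecurityZone(zoneId);
                if (storedZone != null) {
                    excludedZoneName = storedZone.getName();
                }
            }
            for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : zoneServices.entrySet()) {
                String serviceName = entry.getKey();
                RangerSecurityZone.RangerSecurityZoneService zoneService = entry.getValue();
                if (zoneService == null || CollectionUtils.isEmpty(zoneService.getResources())) {
                    continue;
                }
                SearchFilter filter = new SearchFilter();
                List<RangerSecurityZone> otherZones = null;
                filter.setParam("serviceName", serviceName);
                filter.setParam(SearchFilter.NOT_ZONE_NAME, excludedZoneName);
                try {
                    otherZones = this.securityZoneStore.getSecurityZones(filter);
                } catch (Exception e) {
                    // Fail closed: the overlap check could not be run, so the zone is not accepted.
                    // NOTE(review): the store exception's message is copied into the failure text;
                    // confirm that text is not returned verbatim to API clients.
                    LOG.error("Failed to get Security-Zones", e);
                    ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
                    list.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(e.getMessage())).errorCode(error.getErrorCode()).build());
                    valid = false;
                }
                if (CollectionUtils.isEmpty(otherZones)) {
                    continue;
                }
                RangerService service = getService(serviceName);
                RangerServiceDef serviceDef = service != null ? getServiceDef(service.getType()) : null;
                if (serviceDef == null) {
                    ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
                    list.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                } else {
                    // Work on a copy: the list belongs to the store and must not be modified here.
                    List<RangerSecurityZone> zonesToCompare = new ArrayList<>(otherZones);
                    zonesToCompare.add(rangerSecurityZone);
                    valid = valid && validateZoneServiceInAllZones(zonesToCompare, serviceName, serviceDef, list);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerSecurityZoneValidator.validateAgainstAllSecurityZones(%s, %s, %s) : %s", rangerSecurityZone, action, list, Boolean.valueOf(valid)));
        }
        return valid;
    }

    /**
     * Detects resources of one service that are matched by more than one of the given zones.
     *
     * <p>First pass: one {@link RangerZoneResourceMatcher} is built per resource entry of every
     * zone and the matchers are indexed in one {@link RangerResourceTrie} per resource name.
     * Second pass: every resource entry is looked up in the tries; when more than one candidate
     * matcher comes back, each candidate is evaluated and the names of the matching zones are
     * collected. More than one zone name is a conflict.
     *
     * @param list             zones to compare, including the zone under validation
     * @param str              name of the service whose resources are compared
     * @param rangerServiceDef service-def of that service
     * @param list2            receives a ZONE_RESOURCE_CONFLICT entry per conflicting zone
     * @return {@code true} when no conflict was found
     */
    private boolean validateZoneServiceInAllZones(List<RangerSecurityZone> list, String str, RangerServiceDef rangerServiceDef, List<ValidationFailureDetails> list2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerSecurityZoneValidator.validateZoneServiceInAllZones(%s, %s, %s, %s)", list, str, rangerServiceDef, list2));
        }
        boolean valid = true;
        RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(rangerServiceDef);
        List<RangerZoneResourceMatcher> matchers = new ArrayList<>();
        Set<String> resourceNames = new HashSet<>();
        for (RangerSecurityZone zone : list) {
            List<HashMap<String, List<String>>> resources = getZoneResources(zone, str);
            if (CollectionUtils.isEmpty(resources)) {
                continue;
            }
            for (HashMap<String, List<String>> resource : resources) {
                Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>();
                for (Map.Entry<String, List<String>> entry : resource.entrySet()) {
                    String resourceName = entry.getKey();
                    // Excludes is always false for zone resources; recursion follows the service-def.
                    policyResources.put(resourceName, new RangerPolicy.RangerPolicyResource(entry.getValue(), Boolean.FALSE, Boolean.valueOf(EmbeddedServiceDefsUtil.isRecursiveEnabled(rangerServiceDef, resourceName))));
                }
                matchers.add(new RangerZoneResourceMatcher(zone.getName(), policyResources, serviceDefHelper));
                resourceNames.addAll(policyResources.keySet());
            }
        }
        Map<String, RangerResourceTrie<RangerZoneResourceMatcher>> tries = new HashMap<>();
        for (String resourceName : resourceNames) {
            tries.put(resourceName, new RangerResourceTrie<>(ServiceDefUtil.getResourceDef(rangerServiceDef, resourceName), matchers));
        }
        for (RangerSecurityZone zone : list) {
            // Same null-tolerant lookup as the first pass: a zone without resources for this
            // service contributes nothing and is skipped instead of raising a NullPointerException.
            List<HashMap<String, List<String>>> resources = getZoneResources(zone, str);
            if (CollectionUtils.isEmpty(resources)) {
                continue;
            }
            // A bounded for-each: the loop ends when the zone's resources are exhausted,
            // or at the first conflict found for this zone.
            for (HashMap<String, List<String>> resource : resources) {
                Collection<RangerZoneResourceMatcher> candidates = RangerResourceEvaluatorsRetriever.getEvaluators(tries, resource);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Resource:[" + resource + "], matched-zones:[" + candidates + "]");
                }
                if (CollectionUtils.isEmpty(candidates) || candidates.size() == 1) {
                    // Zero or one candidate cannot be an overlap between two zones.
                    continue;
                }
                RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
                accessResource.setServiceDef(rangerServiceDef);
                for (Map.Entry<String, List<String>> entry : resource.entrySet()) {
                    accessResource.setValue(entry.getKey(), entry.getValue());
                }
                Set<String> matchedZoneNames = new HashSet<>();
                for (RangerZoneResourceMatcher matcher : candidates) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Trying to match resource:[" + accessResource + "] using zoneMatcher:[" + matcher + "]");
                    }
                    if (matcher.getPolicyResourceMatcher().isMatch(accessResource, RangerPolicyResourceMatcher.MatchScope.ANY, (Map<String, Object>) null)) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Matched resource:[" + accessResource + "] using zoneMatcher:[" + matcher + "]");
                        }
                        matchedZoneNames.add(matcher.getSecurityZoneName());
                    } else if (LOG.isDebugEnabled()) {
                        LOG.debug("Did not match resource:[" + accessResource + "] using zoneMatcher:[" + matcher + "]");
                    }
                }
                LOG.info("The following zone-names matched resource:[" + resource + "]: " + matchedZoneNames);
                if (matchedZoneNames.size() > 1) {
                    ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_RESOURCE_CONFLICT;
                    list2.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(matchedZoneNames, resource)).errorCode(error.getErrorCode()).build());
                    valid = false;
                    break;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerSecurityZoneValidator.validateZoneServiceInAllZones(%s, %s, %s, %s) : %s", list, str, rangerServiceDef, list2, Boolean.valueOf(valid)));
        }
        return valid;
    }

    /** Returns the resource entries a zone lists for the given service, or {@code null} when it lists none. */
    private static List<HashMap<String, List<String>>> getZoneResources(RangerSecurityZone zone, String serviceName) {
        Map<String, RangerSecurityZone.RangerSecurityZoneService> services = zone.getServices();
        RangerSecurityZone.RangerSecurityZoneService zoneService = services != null ? services.get(serviceName) : null;
        return zoneService != null ? zoneService.getResources() : null;
    }

    /**
     * Validates one service entry of a zone: the service and its service-def must exist, every
     * resource entry must fit at least one resource hierarchy of the service-def, no resource
     * name may have an empty value list, and no resource entry may appear twice.
     *
     * @param str                      service name (key of the zone's services map)
     * @param rangerSecurityZoneService the service entry; a {@code null} entry has no resources to check
     * @param list                     receives one failure entry per problem found
     * @return {@code true} when no failure was recorded
     */
    private boolean validateSecurityZoneService(String str, RangerSecurityZone.RangerSecurityZoneService rangerSecurityZoneService, List<ValidationFailureDetails> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("==> RangerSecurityZoneValidator.validateSecurityZoneService(%s, %s, %s)", str, rangerSecurityZoneService, list));
        }
        boolean valid = true;
        RangerService service = getService(str);
        if (service == null) {
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_SERVICE_NAME;
            list.add(new ValidationFailureDetailsBuilder().field("security zone resource service-name").becauseOf(error.getMessage(str)).errorCode(error.getErrorCode()).build());
            valid = false;
        } else {
            RangerServiceDef serviceDef = getServiceDef(service.getType());
            if (serviceDef == null) {
                ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_SERVICE_TYPE;
                list.add(new ValidationFailureDetailsBuilder().field("security zone resource service-type").becauseOf(error.getMessage(service.getType())).errorCode(error.getErrorCode()).build());
                valid = false;
            } else if (rangerSecurityZoneService != null && CollectionUtils.isNotEmpty(rangerSecurityZoneService.getResources())) {
                RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
                // Signatures of the resource entries seen so far, used to spot duplicates.
                Set<String> seenSignatures = new HashSet<>();
                for (HashMap<String, List<String>> resource : rangerSecurityZoneService.getResources()) {
                    Set<String> resourceDefNames = resource.keySet();
                    boolean hierarchyFound = false;
                    for (int policyType : RangerPolicy.POLICY_TYPES) {
                        Set<List<RangerServiceDef.RangerResourceDef>> hierarchies = serviceDefHelper.getResourceHierarchies(Integer.valueOf(policyType), resourceDefNames);
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Size of resourceHierarchies for resourceDefNames:[" + resourceDefNames + ", policyType=" + policyType + "] = " + hierarchies.size());
                        }
                        for (List<RangerServiceDef.RangerResourceDef> hierarchy : hierarchies) {
                            if (RangerDefaultPolicyResourceMatcher.isHierarchyValidForResources(hierarchy, resource)) {
                                hierarchyFound = true;
                                break;
                            }
                            LOG.info("gaps found in resource, skipping hierarchy:[" + hierarchies + "]");
                        }
                    }
                    if (!hierarchyFound) {
                        ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_RESOURCE_HIERARCHY;
                        list.add(new ValidationFailureDetailsBuilder().field("security zone resource hierarchy").becauseOf(error.getMessage(str, resourceDefNames)).errorCode(error.getErrorCode()).build());
                        valid = false;
                    }
                    for (Map.Entry<String, List<String>> entry : resource.entrySet()) {
                        String resourceName = entry.getKey();
                        if (CollectionUtils.isEmpty(entry.getValue())) {
                            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_RESOURCES;
                            list.add(new ValidationFailureDetailsBuilder().field("security zone resources").subField("resources").isMissing().becauseOf(error.getMessage(resourceName)).errorCode(error.getErrorCode()).build());
                            valid = false;
                        }
                    }
                    // Set.add returns false when the same signature was already recorded.
                    if (!seenSignatures.add(RangerPolicyResourceSignature.from(resource).getSignature())) {
                        ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_DUPLICATE_RESOURCE_ENTRY;
                        list.add(new ValidationFailureDetailsBuilder().field("security zone resources").subField("resources").becauseOf(error.getMessage(resource, str)).errorCode(error.getErrorCode()).build());
                        valid = false;
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("<== RangerSecurityZoneValidator.validateSecurityZoneService(%s, %s, %s) : %s", str, rangerSecurityZoneService, list, Boolean.valueOf(valid)));
        }
        return valid;
    }
}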
