package org.apache.ranger.plugin.service;

import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.policyengine.PolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestProcessor;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerMutableResource;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.RangerUserStoreUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.class */
public class RangerDefaultRequestProcessor implements RangerAccessRequestProcessor {
    private static final Logger PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request");
    private static final Logger LOG = LoggerFactory.getLogger(RangerDefaultRequestProcessor.class);
    protected final PolicyEngine policyEngine;
    private final boolean useRangerGroups;
    private final boolean useOnlyRangerGroups;
    private final boolean convertEmailToUser;

    public RangerDefaultRequestProcessor(PolicyEngine policyEngine) {
        this.policyEngine = policyEngine;
        RangerPluginContext pluginContext = policyEngine.getPluginContext();
        RangerPluginConfig config = pluginContext != null ? pluginContext.getConfig() : null;
        if (config != null) {
            this.useRangerGroups = config.isUseRangerGroups();
            this.useOnlyRangerGroups = config.isUseOnlyRangerGroups();
            this.convertEmailToUser = config.isConvertEmailToUsername();
        } else {
            this.useRangerGroups = false;
            this.useOnlyRangerGroups = false;
            this.convertEmailToUser = false;
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerAccessRequestProcessor
    public void preProcess(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> preProcess(" + rangerAccessRequest + ")");
        }
        if (RangerAccessRequestUtil.getIsRequestPreprocessed(rangerAccessRequest.getContext())) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== preProcess(" + rangerAccessRequest + ")");
                return;
            }
            return;
        }
        setResourceServiceDef(rangerAccessRequest);
        RangerPluginContext pluginContext = this.policyEngine.getPluginContext();
        RangerAccessRequestImpl rangerAccessRequestImpl = null;
        if (rangerAccessRequest instanceof RangerAccessRequestImpl) {
            rangerAccessRequestImpl = (RangerAccessRequestImpl) rangerAccessRequest;
            if (rangerAccessRequestImpl.getClientIPAddress() == null) {
                rangerAccessRequestImpl.extractAndSetClientIPAddress(this.policyEngine.getUseForwardedIPAddress(), this.policyEngine.getTrustedProxyAddresses());
            }
            if (pluginContext != null) {
                if (rangerAccessRequestImpl.getClusterName() == null) {
                    rangerAccessRequestImpl.setClusterName(pluginContext.getClusterName());
                }
                if (rangerAccessRequestImpl.getClusterType() == null) {
                    rangerAccessRequestImpl.setClusterType(pluginContext.getClusterType());
                }
                convertEmailToUsername(rangerAccessRequestImpl);
                updateUserGroups(rangerAccessRequestImpl);
            }
        }
        RangerAccessRequestUtil.setCurrentUserInContext(rangerAccessRequest.getContext(), rangerAccessRequest.getUser());
        String ownerUser = rangerAccessRequest.getResource() != null ? rangerAccessRequest.getResource().getOwnerUser() : null;
        if (StringUtils.isNotEmpty(ownerUser)) {
            RangerAccessRequestUtil.setOwnerInContext(rangerAccessRequest.getContext(), ownerUser);
        }
        Set<String> userRoles = rangerAccessRequest.getUserRoles();
        if (pluginContext != null && CollectionUtils.isEmpty(userRoles)) {
            userRoles = pluginContext.getAuthContext().getRolesForUserAndGroups(rangerAccessRequest.getUser(), rangerAccessRequest.getUserGroups());
            if (rangerAccessRequestImpl != null && userRoles != null && !userRoles.isEmpty()) {
                rangerAccessRequestImpl.setUserRoles(userRoles);
            }
        }
        if (CollectionUtils.isNotEmpty(userRoles)) {
            RangerAccessRequestUtil.setCurrentUserRolesInContext(rangerAccessRequest.getContext(), userRoles);
        }
        RangerAccessRequestUtil.setResourceZoneNamesInContext(rangerAccessRequest, this.policyEngine.getMatchedZonesForResourceAndChildren(rangerAccessRequest.getResource()));
        enrich(rangerAccessRequest);
        RangerAccessRequestUtil.setIsRequestPreprocessed(rangerAccessRequest.getContext(), Boolean.TRUE);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== preProcess(" + rangerAccessRequest + ")");
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerAccessRequestProcessor
    public void enrich(RangerAccessRequest rangerAccessRequest) {
        List<RangerContextEnricher> allContextEnrichers = this.policyEngine.getAllContextEnrichers();
        if (CollectionUtils.isEmpty(allContextEnrichers)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No context-enrichers!!!");
                return;
            }
            return;
        }
        for (RangerContextEnricher rangerContextEnricher : allContextEnrichers) {
            RangerPerfTracer rangerPerfTracer = null;
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_REQUEST_LOG)) {
                rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_REQUEST_LOG, "RangerContextEnricher.enrich(requestHashCode=" + Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + ", enricherName=" + rangerContextEnricher.getName() + ")");
            }
            rangerContextEnricher.enrich(rangerAccessRequest);
            RangerPerfTracer.log(rangerPerfTracer);
        }
    }

    private void setResourceServiceDef(RangerAccessRequest rangerAccessRequest) {
        RangerAccessResource resource = rangerAccessRequest.getResource();
        if (resource.getServiceDef() == null && (resource instanceof RangerMutableResource)) {
            ((RangerMutableResource) resource).setServiceDef(this.policyEngine.getServiceDef());
        }
    }

    private void convertEmailToUsername(RangerAccessRequestImpl rangerAccessRequestImpl) {
        String user;
        int indexOf;
        if (this.convertEmailToUser) {
            RangerPluginContext pluginContext = this.policyEngine.getPluginContext();
            RangerUserStoreUtil userStoreUtil = pluginContext != null ? pluginContext.getAuthContext().getUserStoreUtil() : null;
            if (userStoreUtil == null || (indexOf = StringUtils.indexOf((user = rangerAccessRequestImpl.getUser()), '@')) <= 0) {
                return;
            }
            String userNameFromEmail = userStoreUtil.getUserNameFromEmail(user);
            if (StringUtils.isBlank(userNameFromEmail)) {
                userNameFromEmail = user.substring(0, indexOf);
            }
            LOG.debug("replacing req.user '{}' with '{}'", user, userNameFromEmail);
            rangerAccessRequestImpl.setUser(userNameFromEmail);
        }
    }

    private void updateUserGroups(RangerAccessRequestImpl rangerAccessRequestImpl) {
        if (this.useRangerGroups) {
            RangerPluginContext pluginContext = this.policyEngine.getPluginContext();
            RangerUserStoreUtil userStoreUtil = pluginContext != null ? pluginContext.getAuthContext().getUserStoreUtil() : null;
            String user = rangerAccessRequestImpl.getUser();
            if (userStoreUtil == null || user == null) {
                return;
            }
            Set<String> userGroups = rangerAccessRequestImpl.getUserGroups();
            Set<String> userGroups2 = userStoreUtil.getUserGroups(user);
            if (userGroups2 == null) {
                userGroups2 = Collections.emptySet();
            }
            if (this.useOnlyRangerGroups) {
                HashSet hashSet = new HashSet(userGroups2);
                LOG.debug("replacing req.userGroups '{}' with '{}'", rangerAccessRequestImpl.getUserGroups(), hashSet);
                rangerAccessRequestImpl.setUserGroups(hashSet);
            } else {
                if (userGroups2.isEmpty()) {
                    return;
                }
                HashSet hashSet2 = userGroups != null ? new HashSet(userGroups) : new HashSet();
                hashSet2.addAll(userGroups2);
                LOG.debug("replacing req.userGroups '{}' with '{}'", rangerAccessRequestImpl.getUserGroups(), hashSet2);
                rangerAccessRequestImpl.setUserGroups(hashSet2);
            }
        }
    }
}
