package org.apache.ranger.plugin.policyevaluator;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
import org.apache.ranger.plugin.policyengine.PolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import org.apache.ranger.plugin.util.RangerRequestExprResolver;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.apache.ranger.plugin.util.StringTokenReplacer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.class */
public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
    private static final Logger LOG = LoggerFactory.getLogger(RangerAbstractPolicyEvaluator.class);
    private static final AtomicLong NEXT_RESOURCE_EVALUATOR_ID = new AtomicLong(1);
    private static final Map<String, Object> WILDCARD_EVAL_CONTEXT = new HashMap<String, Object>() { // from class: org.apache.ranger.plugin.policyevaluator.RangerAbstractPolicyEvaluator.1
        @Override // java.util.HashMap, java.util.AbstractMap, java.util.Map
        public boolean containsKey(Object obj) {
            return true;
        }

        @Override // java.util.HashMap, java.util.AbstractMap, java.util.Map
        public Object get(Object obj) {
            return "*";
        }
    };
    private RangerPolicy policy;
    private RangerServiceDef serviceDef;
    private int evalOrder;
    private boolean needsDynamicEval = false;
    private List<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> resourceEvaluators = Collections.emptyList();
    protected RangerPluginContext pluginContext = null;

    /* loaded from: input_file:org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator$RangerDefaultPolicyResourceEvaluator.class */
    public class RangerDefaultPolicyResourceEvaluator implements RangerPolicyEvaluator.RangerPolicyResourceEvaluator {
        private final long id;
        private final Map<String, RangerPolicy.RangerPolicyResource> resource;
        private final RangerDefaultPolicyResourceMatcher resourceMatcher = new RangerDefaultPolicyResourceMatcher();
        private final RangerServiceDef.RangerResourceDef leafResourceDef;
        private volatile RangerDefaultPolicyResourceMatcher macrosReplacedWithWildcardMatcher;

        public RangerDefaultPolicyResourceEvaluator(long j, Map<String, RangerPolicy.RangerPolicyResource> map, int i, RangerServiceDef rangerServiceDef, RangerServiceDefHelper rangerServiceDefHelper) {
            this.id = j;
            this.resource = map;
            this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(rangerServiceDef, map);
            this.resourceMatcher.setPolicyResources(map, i);
            this.resourceMatcher.setServiceDef(rangerServiceDef);
            this.resourceMatcher.setServiceDefHelper(rangerServiceDefHelper);
            this.resourceMatcher.init();
        }

        @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator
        public RangerPolicyEvaluator getPolicyEvaluator() {
            return RangerAbstractPolicyEvaluator.this;
        }

        @Override // org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator
        public long getId() {
            return this.id;
        }

        @Override // org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator
        public RangerPolicyResourceMatcher getPolicyResourceMatcher() {
            return this.resourceMatcher;
        }

        @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator
        public RangerPolicyResourceMatcher getMacrosReplaceWithWildcardMatcher(PolicyEngine policyEngine) {
            RangerDefaultPolicyResourceMatcher rangerDefaultPolicyResourceMatcher = this.macrosReplacedWithWildcardMatcher;
            if (rangerDefaultPolicyResourceMatcher == null) {
                synchronized (this) {
                    rangerDefaultPolicyResourceMatcher = this.macrosReplacedWithWildcardMatcher;
                    if (rangerDefaultPolicyResourceMatcher == null) {
                        if (this.resourceMatcher.getNeedsDynamicEval()) {
                            Map<String, RangerPolicy.RangerPolicyResource> policyResourcesWithMacrosReplaced = RangerAbstractPolicyEvaluator.this.getPolicyResourcesWithMacrosReplaced(this.resource, policyEngine);
                            rangerDefaultPolicyResourceMatcher = new RangerDefaultPolicyResourceMatcher(true);
                            rangerDefaultPolicyResourceMatcher.setPolicyResources(policyResourcesWithMacrosReplaced, this.resourceMatcher.getPolicyType());
                            rangerDefaultPolicyResourceMatcher.setServiceDef(RangerAbstractPolicyEvaluator.this.serviceDef);
                            rangerDefaultPolicyResourceMatcher.setServiceDefHelper(this.resourceMatcher.getServiceDefHelper());
                            rangerDefaultPolicyResourceMatcher.init();
                        } else {
                            rangerDefaultPolicyResourceMatcher = this.resourceMatcher;
                        }
                        this.macrosReplacedWithWildcardMatcher = rangerDefaultPolicyResourceMatcher;
                    }
                }
            }
            return rangerDefaultPolicyResourceMatcher;
        }

        @Override // org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator
        public Map<String, RangerPolicy.RangerPolicyResource> getPolicyResource() {
            return this.resource;
        }

        @Override // org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator
        public RangerResourceMatcher getResourceMatcher(String str) {
            return this.resourceMatcher.getResourceMatcher(str);
        }

        @Override // org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator
        public boolean isAncestorOf(RangerServiceDef.RangerResourceDef rangerResourceDef) {
            if (this.resourceMatcher.getPolicyType() == 3 && (this.resource == null || this.resource.isEmpty())) {
                return true;
            }
            return ServiceDefUtil.isAncestorOf(RangerAbstractPolicyEvaluator.this.serviceDef, this.leafResourceDef, rangerResourceDef);
        }
    }

    public void setPluginContext(RangerPluginContext rangerPluginContext) {
        this.pluginContext = rangerPluginContext;
    }

    public RangerPluginContext getPluginContext() {
        return this.pluginContext;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void init(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + rangerPolicy + ", " + rangerServiceDef + ")");
        }
        this.policy = getPrunedPolicy(rangerPolicy);
        this.serviceDef = rangerServiceDef;
        this.needsDynamicEval = false;
        ArrayList arrayList = new ArrayList();
        RangerDefaultPolicyResourceEvaluator rangerDefaultPolicyResourceEvaluator = new RangerDefaultPolicyResourceEvaluator(NEXT_RESOURCE_EVALUATOR_ID.getAndIncrement(), rangerPolicy.getResources(), getPolicyType(), rangerServiceDef, rangerPolicyEngineOptions.getServiceDefHelper());
        arrayList.add(rangerDefaultPolicyResourceEvaluator);
        this.needsDynamicEval = this.needsDynamicEval || rangerDefaultPolicyResourceEvaluator.getPolicyResourceMatcher().getNeedsDynamicEval();
        if (CollectionUtils.isNotEmpty(rangerPolicy.getAdditionalResources())) {
            Iterator<Map<String, RangerPolicy.RangerPolicyResource>> it = rangerPolicy.getAdditionalResources().iterator();
            while (it.hasNext()) {
                RangerDefaultPolicyResourceEvaluator rangerDefaultPolicyResourceEvaluator2 = new RangerDefaultPolicyResourceEvaluator(NEXT_RESOURCE_EVALUATOR_ID.getAndIncrement(), it.next(), getPolicyType(), rangerServiceDef, rangerPolicyEngineOptions.getServiceDefHelper());
                arrayList.add(rangerDefaultPolicyResourceEvaluator2);
                this.needsDynamicEval = this.needsDynamicEval || rangerDefaultPolicyResourceEvaluator2.getPolicyResourceMatcher().getNeedsDynamicEval();
            }
        }
        this.resourceEvaluators = arrayList;
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + this.policy + ", " + rangerServiceDef + ")");
        }
    }

    public int getPolicyType() {
        Integer policyType = this.policy != null ? this.policy.getPolicyType() : null;
        if (policyType != null) {
            return policyType.intValue();
        }
        return 0;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public RangerPolicy getPolicy() {
        return this.policy;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public long getPolicyId() {
        Long id = this.policy != null ? this.policy.getId() : null;
        if (id != null) {
            return id.longValue();
        }
        return -1L;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public int getPolicyPriority() {
        if (this.policy == null || this.policy.getPolicyPriority() == null) {
            return 0;
        }
        return this.policy.getPolicyPriority().intValue();
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public List<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> getResourceEvaluators() {
        return this.resourceEvaluators;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public RangerServiceDef getServiceDef() {
        return this.serviceDef;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean hasAllow() {
        return this.policy != null && CollectionUtils.isNotEmpty(this.policy.getPolicyItems());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean hasMatchablePolicyItem(RangerAccessRequest rangerAccessRequest) {
        return hasAllow() || hasDeny();
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean hasDeny() {
        return this.policy != null && (this.policy.getIsDenyAllElse().booleanValue() || CollectionUtils.isNotEmpty(this.policy.getDenyPolicyItems()));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean needsDynamicEval() {
        return this.needsDynamicEval;
    }

    private RangerPolicy getPrunedPolicy(RangerPolicy rangerPolicy) {
        List<RangerPolicy.RangerPolicyItem> list;
        List<RangerPolicy.RangerPolicyItem> list2;
        List<RangerPolicy.RangerPolicyItem> list3;
        List<RangerPolicy.RangerPolicyItem> list4;
        boolean z;
        RangerPolicy rangerPolicy2;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAbstractPolicyEvaluator.getPrunedPolicy(" + rangerPolicy + ")");
        }
        RangerPluginContext pluginContext = getPluginContext();
        if (pluginContext == null || !pluginContext.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) {
            list = null;
            list2 = null;
            list3 = null;
            list4 = null;
            z = false;
        } else {
            list = (List) rangerPolicy.getPolicyItems().stream().filter((v0) -> {
                return v0.getDelegateAdmin();
            }).collect(Collectors.toList());
            list2 = (List) rangerPolicy.getDenyPolicyItems().stream().filter((v0) -> {
                return v0.getDelegateAdmin();
            }).collect(Collectors.toList());
            list3 = (List) rangerPolicy.getAllowExceptions().stream().filter((v0) -> {
                return v0.getDelegateAdmin();
            }).collect(Collectors.toList());
            list4 = (List) rangerPolicy.getDenyExceptions().stream().filter((v0) -> {
                return v0.getDelegateAdmin();
            }).collect(Collectors.toList());
            z = (list.size() == rangerPolicy.getPolicyItems().size() && list2.size() == rangerPolicy.getDenyPolicyItems().size() && list3.size() == rangerPolicy.getAllowExceptions().size() && list4.size() == rangerPolicy.getDenyExceptions().size()) ? false : true;
        }
        if (z) {
            rangerPolicy2 = new RangerPolicy();
            rangerPolicy2.updateFrom(rangerPolicy);
            rangerPolicy2.setId(rangerPolicy.getId());
            rangerPolicy2.setGuid(rangerPolicy.getGuid());
            rangerPolicy2.setVersion(rangerPolicy.getVersion());
            rangerPolicy2.setServiceType(rangerPolicy.getServiceType());
            rangerPolicy2.setPolicyItems(list);
            rangerPolicy2.setDenyPolicyItems(list2);
            rangerPolicy2.setAllowExceptions(list3);
            rangerPolicy2.setDenyExceptions(list4);
        } else {
            rangerPolicy2 = rangerPolicy;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAbstractPolicyEvaluator.getPrunedPolicy(isPruningNeeded=" + z + ") : " + rangerPolicy2);
        }
        return rangerPolicy2;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public int getEvalOrder() {
        return this.evalOrder;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isAuditEnabled() {
        return this.policy != null && this.policy.getIsAuditEnabled().booleanValue();
    }

    public void setEvalOrder(int i) {
        this.evalOrder = i;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public RangerPolicyEvaluator.PolicyACLSummary getPolicyACLSummary() {
        return null;
    }

    public String toString() {
        StringBuilder sb = new StringBuilder();
        toString(sb);
        return sb.toString();
    }

    public StringBuilder toString(StringBuilder sb) {
        sb.append("RangerAbstractPolicyEvaluator={");
        sb.append("policy={");
        if (this.policy != null) {
            this.policy.toString(sb);
        }
        sb.append("} ");
        sb.append("}");
        return sb;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Map<String, RangerPolicy.RangerPolicyResource> getPolicyResourcesWithMacrosReplaced(Map<String, RangerPolicy.RangerPolicyResource> map, PolicyEngine policyEngine) {
        Map<String, RangerPolicy.RangerPolicyResource> map2;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAbstractPolicyEvaluator.getPolicyResourcesWithMacrosReplaced(" + map + ")");
        }
        Set<String> keySet = map == null ? null : map.keySet();
        if (CollectionUtils.isNotEmpty(keySet)) {
            map2 = new HashMap();
            for (String str : keySet) {
                RangerPolicy.RangerPolicyResource rangerPolicyResource = map.get(str);
                List<String> values = rangerPolicyResource == null ? null : rangerPolicyResource.getValues();
                if (CollectionUtils.isNotEmpty(values)) {
                    StringTokenReplacer stringTokenReplacer = policyEngine.getStringTokenReplacer(str);
                    ArrayList arrayList = new ArrayList();
                    Iterator<String> it = values.iterator();
                    while (it.hasNext()) {
                        String resolveExpressions = new RangerRequestExprResolver(it.next(), this.serviceDef.getName()).resolveExpressions(WILDCARD_EVAL_CONTEXT);
                        if (stringTokenReplacer != null) {
                            resolveExpressions = stringTokenReplacer.replaceTokens(resolveExpressions, WILDCARD_EVAL_CONTEXT);
                        }
                        arrayList.add(resolveExpressions);
                    }
                    map2.put(str, new RangerPolicy.RangerPolicyResource(arrayList, rangerPolicyResource.getIsExcludes(), rangerPolicyResource.getIsRecursive()));
                } else {
                    map2.put(str, rangerPolicyResource);
                }
            }
        } else {
            map2 = map;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAbstractPolicyEvaluator.getPolicyResourcesWithMacrosReplaced(" + map + "): " + map2);
        }
        return map2;
    }

    static {
        WILDCARD_EVAL_CONTEXT.put("*", "*");
    }
}
