package org.apache.kyuubi.plugin.spark.authz.ranger;

import java.util.Objects;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.kyuubi.plugin.spark.authz.AccessControlException;
import org.apache.kyuubi.plugin.spark.authz.AccessControlException$;
import org.apache.kyuubi.plugin.spark.authz.ObjectType$;
import org.apache.kyuubi.plugin.spark.authz.OperationType$;
import org.apache.kyuubi.plugin.spark.authz.PrivilegeObject;
import org.apache.kyuubi.plugin.spark.authz.PrivilegesBuilder$;
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils$;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.spark.sql.SparkSession;
import org.apache.spark.sql.catalyst.plans.logical.LogicalPlan;
import org.apache.spark.sql.catalyst.trees.TreeNodeTag;
import scala.Enumeration;
import scala.MatchError;
import scala.Tuple2;
import scala.collection.Seq;
import scala.collection.mutable.ArrayBuffer;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;

/* compiled from: RuleAuthorization.scala */
/* loaded from: input_file:org/apache/kyuubi/plugin/spark/authz/ranger/RuleAuthorization$.class */
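/**
 * Singleton (Scala {@code object}) that turns a Spark logical plan into Ranger access requests
 * and rejects the plan with an {@link AccessControlException} when Ranger denies any of them.
 *
 * <p>This is decompiler output of a Scala module class: the {@code $anonfun$...} and
 * {@code ...$1} members are compiler-generated lambda bodies and local functions, so their
 * names and signatures are kept as emitted.
 */
public final class RuleAuthorization$ {
    /** The single module instance; assigned by the private constructor during class initialization. */
    public static RuleAuthorization$ MODULE$;

    // Tree-node tag named "__KYUUBI_AUTHZ_TAG". Nothing in this class reads or sets it on a plan;
    // presumably callers use it to mark plans that were already checked — confirm at the call sites.
    private final TreeNodeTag<Object> KYUUBI_AUTHZ_TAG;

    static {
        new RuleAuthorization$();
    }

    /**
     * Returns the tree-node tag created by this module.
     *
     * @return the {@code __KYUUBI_AUTHZ_TAG} tag instance
     */
    public TreeNodeTag<Object> KYUUBI_AUTHZ_TAG() {
        return this.KYUUBI_AUTHZ_TAG;
    }

    /**
     * Builds the access requests implied by {@code logicalPlan} and verifies each one with Ranger.
     *
     * <p>Every request is verified exactly once, so Ranger is consulted (and the audit handler is
     * invoked) once per request.
     *
     * @param sparkSession session whose Spark context supplies the user to authorize
     * @param logicalPlan plan whose node name selects the operation type and whose privilege
     *     objects become access requests
     * @throws AccessControlException if Ranger reports any request as not allowed
     * @throws MatchError if the privileges builder returns {@code null}
     */
    public void checkPrivileges(SparkSession sparkSession, LogicalPlan logicalPlan) {
        SparkRangerAuditHandler auditHandler = new SparkRangerAuditHandler();
        UserGroupInformation authzUgi = AuthZUtils$.MODULE$.getAuthzUgi(sparkSession.sparkContext());
        Enumeration.Value operationType = OperationType$.MODULE$.apply(logicalPlan.nodeName());
        Tuple2<Seq<PrivilegeObject>, Seq<PrivilegeObject>> built = PrivilegesBuilder$.MODULE$.build(logicalPlan, sparkSession);
        if (built == null) {
            throw new MatchError(built);
        }
        // Presumably (inputs, outputs): the boolean passed to addAccessRequest$1 below is forwarded
        // to AccessType.apply — confirm against PrivilegesBuilder.
        Seq inputObjs = (Seq) built._1();
        Seq outputObjs = (Seq) built._2();
        ArrayBuffer requests = new ArrayBuffer();
        // SHOWDATABASES with no objects in the first sequence still requires USE on a DATABASE
        // resource with a null name, so the operation is never left without any check.
        if (inputObjs.isEmpty() && Objects.equals(operationType, OperationType$.MODULE$.SHOWDATABASES())) {
            requests.$plus$eq(AccessRequest$.MODULE$.apply(AccessResource$.MODULE$.apply(ObjectType$.MODULE$.DATABASE(), (String) null), authzUgi, operationType, AccessType$.MODULE$.USE()));
        }
        addAccessRequest$1(inputObjs, true, operationType, requests, authzUgi);
        addAccessRequest$1(outputObjs, false, operationType, requests, authzUgi);
        requests.foreach(accessRequest -> {
            $anonfun$checkPrivileges$3(authzUgi, operationType, auditHandler, accessRequest);
            return BoxedUnit.UNIT;
        });
    }

    /**
     * Asks the Ranger plugin whether {@code accessRequest} is allowed and throws when it is denied.
     *
     * @param accessRequest request to evaluate
     * @param sparkRangerAuditHandler audit handler passed through to the Ranger plugin
     * @throws AccessControlException if the result is non-null and not allowed
     */
    private void verify(AccessRequest accessRequest, SparkRangerAuditHandler sparkRangerAuditHandler) {
        RangerAccessResult result = SparkRangerAdminPlugin$.MODULE$.isAccessAllowed(accessRequest, sparkRangerAuditHandler);
        // NOTE(review): a null result is treated as "not denied", i.e. this check fails open.
        // Confirm under which conditions the plugin can return null (for example before policies
        // are loaded) and whether those cases should be rejected instead.
        if (result != null && !result.getIsAllowed()) {
            String message = "Permission denied: user [" + accessRequest.getUser()
                    + "] does not have [" + accessRequest.getAccessType() + "] privilege"
                    + " on [" + accessRequest.getResource().getAsString() + "]";
            throw new AccessControlException(message, AccessControlException$.MODULE$.$lessinit$greater$default$2());
        }
    }

    /**
     * Lambda body used for de-duplication: tests whether an already-collected request has the
     * given access type and resource.
     *
     * @param value access type to match
     * @param accessResource resource to match
     * @param accessRequest existing request being compared
     * @return {@code true} when both the access type and the resource are equal (null-safe)
     */
    public static final /* synthetic */ boolean $anonfun$checkPrivileges$2(Enumeration.Value value, AccessResource accessResource, AccessRequest accessRequest) {
        if (!Objects.equals(accessRequest.accessType(), value)) {
            return false;
        }
        RangerAccessResource resource = accessRequest.getResource();
        return Objects.equals(resource, accessResource);
    }

    /**
     * Converts each privilege object in {@code seq} into an access request and appends it to
     * {@code arrayBuffer}, skipping objects whose access type is NONE and requests that are
     * already present with the same access type and resource.
     *
     * @param seq privilege objects to convert
     * @param z flag forwarded to {@code AccessType.apply}; {@code checkPrivileges} passes
     *     {@code true} for the first sequence from the builder and {@code false} for the second
     * @param value operation type of the plan
     * @param arrayBuffer accumulator of access requests, mutated in place
     * @param userGroupInformation user the requests are made for
     */
    private static final void addAccessRequest$1(Seq seq, boolean z, Enumeration.Value value, ArrayBuffer arrayBuffer, UserGroupInformation userGroupInformation) {
        seq.foreach(privilegeObject -> {
            AccessResource resource = AccessResource$.MODULE$.apply(privilegeObject, value);
            Enumeration.Value accessType = AccessType$.MODULE$.apply(privilegeObject, value, z);
            boolean needsCheck = !Objects.equals(accessType, AccessType$.MODULE$.NONE());
            if (needsCheck && !arrayBuffer.exists(accessRequest -> {
                return BoxesRunTime.boxToBoolean($anonfun$checkPrivileges$2(accessType, resource, accessRequest));
            })) {
                return arrayBuffer.$plus$eq(AccessRequest$.MODULE$.apply(resource, userGroupInformation, value, accessType));
            }
            return BoxedUnit.UNIT;
        });
    }

    /**
     * Lambda body for the per-column check: verifies a single-column request built from the
     * database and table of {@code accessResource} and the column name {@code str}, using the
     * access type of the original request.
     *
     * @param accessResource resource of the original multi-column request
     * @param userGroupInformation user the request is made for
     * @param value operation type of the plan
     * @param accessRequest original request, source of the access type
     * @param sparkRangerAuditHandler audit handler passed through to the Ranger plugin
     * @param str column name to verify
     * @throws AccessControlException if Ranger denies access to the column
     */
    public static final /* synthetic */ void $anonfun$checkPrivileges$4(AccessResource accessResource, UserGroupInformation userGroupInformation, Enumeration.Value value, AccessRequest accessRequest, SparkRangerAuditHandler sparkRangerAuditHandler, String str) {
        AccessResource columnResource = AccessResource$.MODULE$.apply(ObjectType$.MODULE$.COLUMN(), accessResource.getDatabase(), accessResource.getTable(), str);
        AccessRequest columnRequest = AccessRequest$.MODULE$.apply(columnResource, userGroupInformation, value, accessRequest.accessType());
        MODULE$.verify(columnRequest, sparkRangerAuditHandler);
    }

    /**
     * Lambda body that verifies one collected request. A COLUMN resource that lists columns is
     * verified column by column, so a denial on any single column rejects the plan; every other
     * request (including a COLUMN resource with no columns) is verified as a whole.
     *
     * @param userGroupInformation user the request is made for
     * @param value operation type of the plan
     * @param sparkRangerAuditHandler audit handler passed through to the Ranger plugin
     * @param accessRequest request to verify
     * @throws AccessControlException if Ranger denies the request or any of its columns
     */
    public static final /* synthetic */ void $anonfun$checkPrivileges$3(UserGroupInformation userGroupInformation, Enumeration.Value value, SparkRangerAuditHandler sparkRangerAuditHandler, AccessRequest accessRequest) {
        AccessResource resource = accessRequest.getResource();
        Enumeration.Value objectType = resource.objectType();
        boolean isColumn = Objects.equals(ObjectType$.MODULE$.COLUMN(), objectType);
        if (isColumn && resource.getColumns().nonEmpty()) {
            resource.getColumns().foreach(str -> {
                $anonfun$checkPrivileges$4(resource, userGroupInformation, value, accessRequest, sparkRangerAuditHandler, str);
                return BoxedUnit.UNIT;
            });
            return;
        }
        MODULE$.verify(accessRequest, sparkRangerAuditHandler);
    }

    /** Publishes this instance as {@link #MODULE$} and creates the authz tree-node tag. */
    private RuleAuthorization$() {
        MODULE$ = this;
        this.KYUUBI_AUTHZ_TAG = new TreeNodeTag<>("__KYUUBI_AUTHZ_TAG");
    }
}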
