package org.apache.kyuubi.plugin.spark.authz.ranger;

import java.util.Collection;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.util.ShutdownHookManager;
import org.apache.kyuubi.plugin.spark.authz.AccessControlException;
import org.apache.kyuubi.plugin.spark.authz.AccessControlException$;
import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils$;
import org.apache.kyuubi.util.reflect.ReflectUtils$;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import scala.MatchError;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Tuple2;
import scala.collection.Iterable;
import scala.collection.Iterable$;
import scala.collection.IterableLike;
import scala.collection.JavaConverters$;
import scala.collection.Seq;
import scala.collection.TraversableLike;
import scala.collection.TraversableOnce;
import scala.collection.immutable.StringOps;
import scala.collection.mutable.ArrayBuffer;
import scala.collection.mutable.ArrayBuffer$;
import scala.collection.mutable.BufferLike;
import scala.collection.mutable.LinkedHashMap;
import scala.collection.mutable.LinkedHashMap$;
import scala.runtime.BoxesRunTime;

/* compiled from: SparkRangerAdminPlugin.scala */
/* loaded from: input_file:org/apache/kyuubi/plugin/spark/authz/ranger/SparkRangerAdminPlugin$.class */
public final class SparkRangerAdminPlugin$ extends RangerBasePlugin implements RangerConfigProvider {
    public static SparkRangerAdminPlugin$ MODULE$;
    private final Logger LOG;
    private final Configuration getRangerConf;

    static {
        new SparkRangerAdminPlugin$();
    }

    @Override // org.apache.kyuubi.plugin.spark.authz.ranger.RangerConfigProvider
    public Configuration getRangerConf() {
        return this.getRangerConf;
    }

    @Override // org.apache.kyuubi.plugin.spark.authz.ranger.RangerConfigProvider
    public void org$apache$kyuubi$plugin$spark$authz$ranger$RangerConfigProvider$_setter_$getRangerConf_$eq(Configuration configuration) {
        this.getRangerConf = configuration;
    }

    private final Logger LOG() {
        return this.LOG;
    }

    public boolean authorizeInSingleCall() {
        return getRangerConf().getBoolean(new StringBuilder(39).append("ranger.plugin.").append(getServiceType()).append(".authorize.in.single.call").toString(), false);
    }

    public boolean useUserGroupsFromUserStoreEnabled() {
        return getRangerConf().getBoolean(new StringBuilder(52).append("ranger.plugin.").append(getServiceType()).append(".use.usergroups.from.userstore.enabled").toString(), false);
    }

    public void initialize() {
        init();
        registerCleanupShutdownHook(this);
    }

    private void registerCleanupShutdownHook(RangerBasePlugin rangerBasePlugin) {
        ShutdownHookManager.get().addShutdownHook(() -> {
            if (rangerBasePlugin != null) {
                MODULE$.LOG().info(new StringBuilder(31).append("clean up ranger plugin, appId: ").append(rangerBasePlugin.getAppId()).toString());
                rangerBasePlugin.cleanup();
                rangerBasePlugin.getAuditProviderFactory().shutdown();
            }
        }, Integer.MAX_VALUE);
    }

    public Option<String> getFilterExpr(AccessRequest accessRequest) {
        return Option$.MODULE$.apply(evalRowFilterPolicies(accessRequest, null)).filter(rangerAccessResult -> {
            return BoxesRunTime.boxToBoolean(rangerAccessResult.isRowFilterEnabled());
        }).map(rangerAccessResult2 -> {
            return rangerAccessResult2.getFilterExpr();
        }).filter(str -> {
            return BoxesRunTime.boxToBoolean($anonfun$getFilterExpr$3(str));
        });
    }

    public Option<String> getMaskingExpr(AccessRequest accessRequest) {
        String column = accessRequest.getResource().getColumn();
        RangerAccessResult evalDataMaskPolicies = evalDataMaskPolicies(accessRequest, null);
        return Option$.MODULE$.apply(evalDataMaskPolicies).filter(rangerAccessResult -> {
            return BoxesRunTime.boxToBoolean(rangerAccessResult.isMaskEnabled());
        }).map(rangerAccessResult2 -> {
            if ("MASK_NULL".equalsIgnoreCase(rangerAccessResult2.getMaskType())) {
                return "NULL";
            }
            if ("CUSTOM".equalsIgnoreCase(evalDataMaskPolicies.getMaskType())) {
                String maskedValue = rangerAccessResult2.getMaskedValue();
                return maskedValue == null ? "NULL" : String.valueOf(maskedValue.replace("{col}", column));
            }
            if (evalDataMaskPolicies.getMaskTypeDef() == null) {
                return null;
            }
            String name = evalDataMaskPolicies.getMaskTypeDef().getName();
            if ("MASK".equals(name)) {
                return MODULE$.regexp_replace(column, MODULE$.regexp_replace$default$2());
            }
            if ("MASK_SHOW_FIRST_4".equals(name)) {
                return MODULE$.regexp_replace(column, true);
            }
            if ("MASK_SHOW_LAST_4".equals(name)) {
                return new StringBuilder(20).append("concat(").append(MODULE$.regexp_replace(new StringBuilder(20).append("left(").append(column).append(", length(").append(column).append(") - 4)").toString(), MODULE$.regexp_replace$default$2())).append(", right(").append(column).append(", 4))").toString();
            }
            if ("MASK_HASH".equals(name)) {
                return new StringBuilder(21).append("md5(cast(").append(column).append(" as string))").toString();
            }
            if ("MASK_DATE_SHOW_YEAR".equals(name)) {
                return new StringBuilder(20).append("date_trunc('YEAR', ").append(column).append(")").toString();
            }
            String transformer = evalDataMaskPolicies.getMaskTypeDef().getTransformer();
            if (transformer == null || !new StringOps(Predef$.MODULE$.augmentString(transformer)).nonEmpty()) {
                return null;
            }
            return String.valueOf(transformer.replace("{col}", column));
        });
    }

    private String regexp_replace(String str, boolean z) {
        String str2 = z ? ", 5" : "";
        return new StringBuilder(37).append("regexp_replace(").append(new StringBuilder(30).append("regexp_replace(").append(new StringBuilder(30).append("regexp_replace(").append(new StringBuilder(30).append("regexp_replace(").append(str).append(", '[A-Z]', 'X'").append(str2).append(")").toString()).append(", '[a-z]', 'x'").append(str2).append(")").toString()).append(", '[0-9]', 'n'").append(str2).append(")").toString()).append(", '[^A-Za-z0-9]', 'U'").append(str2).append(")").toString();
    }

    private boolean regexp_replace$default$2() {
        return false;
    }

    public void verify(Seq<RangerAccessRequest> seq, SparkRangerAuditHandler sparkRangerAuditHandler) {
        Collection isAccessAllowed;
        if (!seq.nonEmpty() || (isAccessAllowed = isAccessAllowed((Collection) JavaConverters$.MODULE$.seqAsJavaListConverter(seq).asJava(), sparkRangerAuditHandler)) == null) {
            return;
        }
        Iterable iterable = (Iterable) ((TraversableLike) ((TraversableLike) ((IterableLike) JavaConverters$.MODULE$.collectionAsScalaIterableConverter(isAccessAllowed).asScala()).zipWithIndex(Iterable$.MODULE$.canBuildFrom())).filter(tuple2 -> {
            return BoxesRunTime.boxToBoolean($anonfun$verify$1(tuple2));
        })).map(tuple22 -> {
            return BoxesRunTime.boxToInteger(tuple22._2$mcI$sp());
        }, Iterable$.MODULE$.canBuildFrom());
        if (iterable.nonEmpty()) {
            throw new AccessControlException(new StringBuilder(41).append("Permission denied: user [").append(((RangerAccessRequest) seq.head()).getUser()).append("] does not have ").append(((TraversableOnce) ((LinkedHashMap) iterable.foldLeft(LinkedHashMap$.MODULE$.empty(), (linkedHashMap, obj) -> {
                return $anonfun$verify$3(seq, linkedHashMap, BoxesRunTime.unboxToInt(obj));
            })).map(tuple23 -> {
                if (tuple23 == null) {
                    throw new MatchError(tuple23);
                }
                return new StringBuilder(3).append("[").append((String) tuple23._1()).append("] ").append(((ArrayBuffer) tuple23._2()).mkString("privilege on [", ",", "]")).toString();
            }, scala.collection.mutable.Iterable$.MODULE$.canBuildFrom())).mkString(", ")).toString(), AccessControlException$.MODULE$.$lessinit$greater$default$2());
        }
    }

    public static final /* synthetic */ boolean $anonfun$getFilterExpr$3(String str) {
        return str != null && new StringOps(Predef$.MODULE$.augmentString(str)).nonEmpty();
    }

    public static final /* synthetic */ boolean $anonfun$verify$1(Tuple2 tuple2) {
        if (tuple2 == null) {
            throw new MatchError(tuple2);
        }
        RangerAccessResult rangerAccessResult = (RangerAccessResult) tuple2._1();
        return (rangerAccessResult == null || rangerAccessResult.getIsAllowed()) ? false : true;
    }

    public static final /* synthetic */ LinkedHashMap $anonfun$verify$3(Seq seq, LinkedHashMap linkedHashMap, int i) {
        RangerAccessRequest rangerAccessRequest = (RangerAccessRequest) seq.apply(i);
        ((BufferLike) linkedHashMap.getOrElseUpdate(rangerAccessRequest.getAccessType(), () -> {
            return ArrayBuffer$.MODULE$.empty();
        })).append(Predef$.MODULE$.wrapRefArray(new String[]{rangerAccessRequest.getResource().getAsString()}));
        return linkedHashMap;
    }

    private SparkRangerAdminPlugin$() {
        super("spark", "sparkSql");
        MODULE$ = this;
        org$apache$kyuubi$plugin$spark$authz$ranger$RangerConfigProvider$_setter_$getRangerConf_$eq(AuthZUtils$.MODULE$.isRanger21orGreater() ? (Configuration) ReflectUtils$.MODULE$.invokeAs(this, "getConfig", Predef$.MODULE$.wrapRefArray(new Tuple2[0])) : (Configuration) ReflectUtils$.MODULE$.invokeAs("org.apache.ranger.authorization.hadoop.config.RangerConfiguration", "getInstance", Predef$.MODULE$.wrapRefArray(new Tuple2[0])));
        this.LOG = LoggerFactory.getLogger(getClass());
    }
}
