package org.apache.sentry.provider.db.generic.service.persistent;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.provider.db.SentryAlreadyExistsException;
import org.apache.sentry.provider.db.SentryGrantDeniedException;
import org.apache.sentry.provider.db.SentryInvalidInputException;
import org.apache.sentry.provider.db.SentryNoSuchObjectException;
import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
import org.apache.sentry.provider.db.service.model.MSentryGroup;
import org.apache.sentry.provider.db.service.model.MSentryRole;
import org.apache.sentry.provider.db.service.persistent.CommitContext;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.thrift.SentryConfigurationException;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
import org.apache.sentry.service.thrift.ServiceConstants;

/* loaded from: input_file:org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.class */
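/**
 * {@link SentryStoreLayer} implementation that forwards role and group operations to a
 * {@link SentryStore} and privilege operations to a {@link PrivilegeOperatePersistence}.
 *
 * <p>Every method that touches the database opens its own transaction through the delegate.
 * Mutating methods commit on success and roll back on any failure; read-only methods always
 * commit the transaction they opened, whether or not the read succeeded.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Granting and revoking privileges is gated by {@link #grantOptionCheck}; members of the
 *       configured admin groups bypass the per-privilege grant-option lookup.</li>
 *   <li>{@code createRole}, {@code dropRole}, {@code alterRoleDeleteGroups},
 *       {@code renamePrivilege} and {@code dropPrivilege} perform no authorization check here.
 *       NOTE(review): presumably the caller authorizes the requestor before invoking them;
 *       confirm against the calling service layer.</li>
 * </ul>
 */
public class DelegateSentryStore implements SentryStoreLayer {
    private final SentryStore delegate;
    private final Configuration conf;
    // Trimmed, case-preserved names of the groups listed under ServerConfig.ADMIN_GROUPS.
    private final Set<String> adminGroups;
    private final PrivilegeOperatePersistence privilegeOperator;

    /**
     * Builds the store on top of a new {@link SentryStore}.
     *
     * <p>The passed configuration is modified: {@code SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL}
     * is set to {@code "false"} before the {@link SentryStore} is created (and after the
     * {@link PrivilegeOperatePersistence} has been created from the same object).
     *
     * @param configuration service configuration; also the source of the admin group list
     */
    public DelegateSentryStore(Configuration configuration) throws SentryNoSuchObjectException, SentryAccessDeniedException, SentryConfigurationException, IOException {
        this.privilegeOperator = new PrivilegeOperatePersistence(configuration);
        configuration.set(ServiceConstants.ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL, "false");
        this.conf = configuration;
        this.delegate = new SentryStore(configuration);
        String[] configuredAdminGroups = configuration.getStrings(ServiceConstants.ServerConfig.ADMIN_GROUPS, new String[0]);
        this.adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(configuredAdminGroups)));
    }

    /** Opens a transaction on the delegate store. */
    private PersistenceManager openTransaction() {
        return this.delegate.openTransaction();
    }

    /** Commits a mutating transaction through the delegate and returns its commit context. */
    private CommitContext commitUpdateTransaction(PersistenceManager persistenceManager) {
        return this.delegate.commitUpdateTransaction(persistenceManager);
    }

    /** Rolls a transaction back through the delegate. */
    private void rollbackTransaction(PersistenceManager persistenceManager) {
        this.delegate.rollbackTransaction(persistenceManager);
    }

    /** Commits a read-only transaction through the delegate. */
    private void commitTransaction(PersistenceManager persistenceManager) {
        this.delegate.commitTransaction(persistenceManager);
    }

    /** Commits the read-only transaction if one was actually opened. */
    private void commitIfOpen(PersistenceManager persistenceManager) {
        if (persistenceManager != null) {
            commitTransaction(persistenceManager);
        }
    }

    /** Looks a role up by name inside the given transaction; the delegate decides what "not found" returns. */
    private MSentryRole getRole(String str, PersistenceManager persistenceManager) {
        return this.delegate.getMSentryRole(persistenceManager, str);
    }

    /**
     * Creates a role named {@code str2} via the delegate store.
     *
     * @param str not used by this implementation
     * @param str2 role name, passed to the delegate unmodified
     * @param str3 not used by this implementation
     */
    @Override
    public CommitContext createRole(String str, String str2, String str3) throws SentryAlreadyExistsException {
        return this.delegate.createSentryRole(str2);
    }

    /**
     * Deletes the role named {@code str2} (trimmed and lower-cased) together with its
     * privileges.
     *
     * @param str not used by this implementation
     * @param str2 role name
     * @param str3 not used by this implementation
     * @throws SentryNoSuchObjectException if no role with that name exists
     */
    @Override
    public CommitContext dropRole(String str, String str2, String str3) throws SentryNoSuchObjectException {
        String roleName = toTrimmedLower(str2);
        // Declared outside the try block so the failure path rolls back the transaction that
        // was really opened instead of passing null.
        PersistenceManager pm = null;
        boolean needsRollback = true;
        try {
            pm = openTransaction();
            Query query = pm.newQuery(MSentryRole.class);
            // The role name is bound as a declared parameter, never spliced into the filter.
            query.setFilter("this.roleName == t");
            query.declareParameters("java.lang.String t");
            query.setUnique(true);
            MSentryRole role = (MSentryRole) query.execute(roleName);
            if (role == null) {
                throw new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist");
            }
            pm.retrieve(role);
            role.removeGMPrivileges();
            role.removePrivileges();
            pm.deletePersistent(role);
            CommitContext commitContext = commitUpdateTransaction(pm);
            needsRollback = false;
            return commitContext;
        } finally {
            if (needsRollback) {
                rollbackTransaction(pm);
            }
        }
    }

    /** Returns all role names known to the delegate store. */
    @Override
    public Set<String> getAllRoleNames() {
        return this.delegate.getAllRoleNames();
    }

    /**
     * Adds the groups in {@code set} to role {@code str2}.
     *
     * @param str not used by this implementation
     * @param str2 role name, passed to the delegate unmodified
     * @param set group names; must not be {@code null}
     * @param str3 passed to the delegate as the first argument of {@code alterSentryRoleAddGroups}
     */
    @Override
    public CommitContext alterRoleAddGroups(String str, String str2, Set<String> set, String str3) throws SentryNoSuchObjectException {
        return this.delegate.alterSentryRoleAddGroups(str3, str2, toTSentryGroups(set));
    }

    /**
     * Removes the groups in {@code set} from role {@code str2}.
     *
     * @param str not used by this implementation
     * @param str2 role name, passed to the delegate unmodified
     * @param set group names; must not be {@code null}
     * @param str3 not used by this implementation (unlike {@link #alterRoleAddGroups})
     */
    @Override
    public CommitContext alterRoleDeleteGroups(String str, String str2, Set<String> set, String str3) throws SentryNoSuchObjectException {
        return this.delegate.alterSentryRoleDeleteGroups(str2, toTSentryGroups(set));
    }

    /**
     * Grants {@code privilegeObject} to role {@code str2} after checking that {@code str3} is
     * allowed to grant it.
     *
     * @param str not used by this implementation
     * @param str2 role name; trimmed and lower-cased before lookup
     * @param privilegeObject privilege to grant
     * @param str3 grantor principal checked by {@link #grantOptionCheck}
     * @throws SentryNoSuchObjectException if the role does not exist
     * @throws SentryUserException if the grantor is missing or not permitted to grant
     */
    @Override
    public CommitContext alterRoleGrantPrivilege(String str, String str2, PrivilegeObject privilegeObject, String str3) throws SentryUserException {
        String roleName = toTrimmedLower(str2);
        PersistenceManager pm = null;
        boolean needsRollback = true;
        try {
            pm = openTransaction();
            MSentryRole role = getRole(roleName, pm);
            if (role == null) {
                throw new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist");
            }
            // Authorization happens inside the same transaction as the grant itself.
            grantOptionCheck(privilegeObject, str3, pm);
            this.privilegeOperator.grantPrivilege(privilegeObject, role, pm);
            CommitContext commitContext = commitUpdateTransaction(pm);
            needsRollback = false;
            return commitContext;
        } finally {
            if (needsRollback) {
                rollbackTransaction(pm);
            }
        }
    }

    /**
     * Revokes {@code privilegeObject} from role {@code str2} after checking that {@code str3}
     * is allowed to do so.
     *
     * @param str not used by this implementation
     * @param str2 role name; trimmed and lower-cased before lookup
     * @param privilegeObject privilege to revoke
     * @param str3 grantor principal checked by {@link #grantOptionCheck}
     * @throws SentryNoSuchObjectException if the role does not exist
     * @throws SentryUserException if the grantor is missing or not permitted
     */
    @Override
    public CommitContext alterRoleRevokePrivilege(String str, String str2, PrivilegeObject privilegeObject, String str3) throws SentryUserException {
        String roleName = toTrimmedLower(str2);
        PersistenceManager pm = null;
        boolean needsRollback = true;
        try {
            pm = openTransaction();
            MSentryRole role = getRole(roleName, pm);
            if (role == null) {
                throw new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist");
            }
            grantOptionCheck(privilegeObject, str3, pm);
            this.privilegeOperator.revokePrivilege(privilegeObject, role, pm);
            CommitContext commitContext = commitUpdateTransaction(pm);
            needsRollback = false;
            return commitContext;
        } finally {
            if (needsRollback) {
                rollbackTransaction(pm);
            }
        }
    }

    /**
     * Renames privileges from the authorizables in {@code list} to those in {@code list2}.
     *
     * @param str trimmed and lower-cased, then passed as the first argument of the privilege
     *     operator's {@code renamePrivilege}; must not be {@code null}
     * @param str2 trimmed and lower-cased, then passed as the second argument; must not be
     *     {@code null}
     * @param list old authorizables; must not be {@code null}
     * @param list2 new authorizables; must not be {@code null} and must have the same size as
     *     {@code list}
     * @param str3 passed through to the privilege operator unmodified
     * @throws SentryAccessDeniedException if the two lists differ in size
     */
    @Override
    public CommitContext renamePrivilege(String str, String str2, List<? extends Authorizable> list, List<? extends Authorizable> list2, String str3) throws SentryUserException {
        Preconditions.checkNotNull(str);
        Preconditions.checkNotNull(str2);
        Preconditions.checkNotNull(list);
        Preconditions.checkNotNull(list2);
        if (list.size() != list2.size()) {
            throw new SentryAccessDeniedException("rename privilege denied: the size of oldAuthorizables must equals the newAuthorizables oldAuthorizables:" + Arrays.toString(list.toArray()) + " newAuthorizables:" + Arrays.toString(list2.toArray()));
        }
        PersistenceManager pm = null;
        boolean needsRollback = true;
        try {
            pm = openTransaction();
            this.privilegeOperator.renamePrivilege(toTrimmedLower(str), toTrimmedLower(str2), list, list2, str3, pm);
            CommitContext commitContext = commitUpdateTransaction(pm);
            needsRollback = false;
            return commitContext;
        } finally {
            if (needsRollback) {
                rollbackTransaction(pm);
            }
        }
    }

    /**
     * Drops {@code privilegeObject} through the privilege operator.
     *
     * @param str not used by this implementation
     * @param privilegeObject privilege to drop
     * @param str2 must not be {@code null}; otherwise not used by this implementation
     */
    @Override
    public CommitContext dropPrivilege(String str, PrivilegeObject privilegeObject, String str2) throws SentryUserException {
        Preconditions.checkNotNull(str2);
        PersistenceManager pm = null;
        boolean needsRollback = true;
        try {
            pm = openTransaction();
            this.privilegeOperator.dropPrivilege(privilegeObject, pm);
            CommitContext commitContext = commitUpdateTransaction(pm);
            needsRollback = false;
            return commitContext;
        } finally {
            if (needsRollback) {
                rollbackTransaction(pm);
            }
        }
    }

    /**
     * Verifies that principal {@code str} may grant or revoke {@code privilegeObject}.
     *
     * <p>The principal's groups are resolved from configuration. A principal in any configured
     * admin group passes immediately (the comparison is on trimmed, case-sensitive names).
     * Anyone else passes only if the privilege operator reports a matching privilege option
     * on the roles of their groups.
     *
     * @throws SentryInvalidInputException if {@code str} is {@code null} or empty
     * @throws SentryGrantDeniedException if the principal has no groups or fails the check
     */
    private void grantOptionCheck(PrivilegeObject privilegeObject, String str, PersistenceManager persistenceManager) throws SentryUserException {
        if (Strings.isNullOrEmpty(str)) {
            throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
        }
        Set<String> requestorGroups = getRequestorGroups(str);
        // Fail closed: a principal that maps to no group can never grant.
        if (requestorGroups == null || requestorGroups.isEmpty()) {
            throw new SentryGrantDeniedException(str + " has no grant!");
        }
        boolean isAdmin = !Sets.intersection(this.adminGroups, toTrimmed(requestorGroups)).isEmpty();
        if (isAdmin) {
            return;
        }
        boolean hasGrantOption = this.privilegeOperator.checkPrivilegeOption(this.delegate.getRolesForGroups(persistenceManager, requestorGroups), privilegeObject, persistenceManager);
        if (!hasGrantOption) {
            throw new SentryGrantDeniedException(str + " has no grant!");
        }
    }

    /**
     * Returns the names of the roles attached to the given groups.
     *
     * @param str not used by this implementation
     * @param set group names; {@code null} yields an empty result
     */
    @Override
    public Set<String> getRolesByGroups(String str, Set<String> set) throws SentryUserException {
        Set<String> roleNames = Sets.newHashSet();
        if (set == null) {
            return roleNames;
        }
        for (TSentryRole role : this.delegate.getTSentryRolesByGroupName(set, true)) {
            roleNames.add(role.getRoleName());
        }
        return roleNames;
    }

    /**
     * Returns the names of the groups that hold at least one of the given roles.
     *
     * <p>Role names are bound as declared query parameters rather than concatenated into the
     * JDOQL filter text, so a name containing a quote or operator cannot change the filter.
     *
     * @param str not used by this implementation
     * @param set role names; trimmed and lower-cased before the lookup, {@code null} or empty
     *     yields an empty result
     */
    @Override
    public Set<String> getGroupsByRoles(String str, Set<String> set) throws SentryUserException {
        Set<String> roleNames = toTrimmedLower(set);
        Set<String> groupNames = Sets.newHashSet();
        if (roleNames.isEmpty()) {
            return groupNames;
        }
        PersistenceManager pm = null;
        try {
            pm = openTransaction();
            Query query = pm.newQuery(MSentryGroup.class);
            query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
            // One declared String parameter per role name; values are passed positionally.
            List<String> clauses = new LinkedList<String>();
            List<String> parameterDeclarations = new LinkedList<String>();
            Object[] parameterValues = new Object[roleNames.size()];
            int index = 0;
            for (String roleName : roleNames) {
                String parameterName = "roleParam" + index;
                clauses.add("role.roleName == " + parameterName);
                parameterDeclarations.add("java.lang.String " + parameterName);
                parameterValues[index] = roleName;
                index++;
            }
            query.declareParameters(Joiner.on(", ").join(parameterDeclarations));
            query.setFilter("roles.contains(role) && (" + Joiner.on(" || ").join(clauses) + ")");
            List<?> groups = (List<?>) query.executeWithArray(parameterValues);
            if (groups != null) {
                for (Object group : groups) {
                    groupNames.add(((MSentryGroup) group).getGroupName());
                }
            }
            return groupNames;
        } finally {
            commitIfOpen(pm);
        }
    }

    /**
     * Returns the privileges held by the given roles; role names that do not resolve to a
     * stored role are skipped.
     *
     * @param str not used by this implementation
     * @param set role names; must not be {@code null}, each is trimmed and lower-cased
     */
    @Override
    public Set<PrivilegeObject> getPrivilegesByRole(String str, Set<String> set) throws SentryUserException {
        Preconditions.checkNotNull(set);
        Set<PrivilegeObject> privileges = Sets.newHashSet();
        if (set.isEmpty()) {
            return privileges;
        }
        PersistenceManager pm = null;
        try {
            pm = openTransaction();
            Set<MSentryRole> roles = Sets.newHashSet();
            for (String roleName : set) {
                MSentryRole role = getRole(toTrimmedLower(roleName), pm);
                if (role != null) {
                    roles.add(role);
                }
            }
            privileges.addAll(this.privilegeOperator.getPrivilegesByRole(roles, pm));
            return privileges;
        } finally {
            commitIfOpen(pm);
        }
    }

    /**
     * Returns the privileges that the privilege operator reports for the given roles, the
     * roles of the given groups, and the given authorizables.
     *
     * @param str trimmed and lower-cased, passed as the operator's first argument; must not be
     *     {@code null}
     * @param str2 trimmed and lower-cased, passed as the operator's second argument; must not
     *     be {@code null}
     * @param set role names (may be {@code null}); trimmed and lower-cased
     * @param set2 group names (may be {@code null}); their role names are added as returned by
     *     the delegate
     * @param list authorizables, passed through unmodified
     */
    @Override
    public Set<PrivilegeObject> getPrivilegesByProvider(String str, String str2, Set<String> set, Set<String> set2, List<? extends Authorizable> list) throws SentryUserException {
        Preconditions.checkNotNull(str);
        Preconditions.checkNotNull(str2);
        String first = toTrimmedLower(str);
        String second = toTrimmedLower(str2);
        Set<PrivilegeObject> privileges = Sets.newHashSet();
        PersistenceManager pm = null;
        try {
            pm = openTransaction();
            Set<String> roleNames = toTrimmedLower(set);
            if (set2 != null) {
                roleNames.addAll(this.delegate.getRoleNamesForGroups(set2));
            }
            if (roleNames.isEmpty()) {
                return privileges;
            }
            Set<MSentryRole> roles = Sets.newHashSet();
            for (String roleName : roleNames) {
                MSentryRole role = getRole(roleName, pm);
                if (role != null) {
                    roles.add(role);
                }
            }
            privileges.addAll(this.privilegeOperator.getPrivilegesByProvider(first, second, roles, list, pm));
            return privileges;
        } finally {
            commitIfOpen(pm);
        }
    }

    /**
     * Returns the stored privilege objects that the privilege operator reports for the given
     * roles and authorizables, each retrieved within the transaction before being returned.
     *
     * @param str trimmed and lower-cased, passed as the operator's first argument; must not be
     *     {@code null}
     * @param str2 trimmed and lower-cased, passed as the operator's second argument; must not
     *     be {@code null}
     * @param set role names; {@code null} or empty yields an empty result
     * @param list authorizables, passed through unmodified
     */
    @Override
    public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String str, String str2, Set<String> set, List<? extends Authorizable> list) throws SentryUserException {
        Preconditions.checkNotNull(str);
        Preconditions.checkNotNull(str2);
        String first = toTrimmedLower(str);
        String second = toTrimmedLower(str2);
        Set<MSentryGMPrivilege> privileges = Sets.newHashSet();
        if (set == null || set.isEmpty()) {
            return privileges;
        }
        PersistenceManager pm = null;
        try {
            pm = openTransaction();
            Set<MSentryRole> roles = Sets.newHashSet();
            // NOTE(review): role names are looked up as given here, while getPrivilegesByRole
            // trims and lower-cases them first; confirm whether the difference is intended.
            for (String roleName : set) {
                MSentryRole role = getRole(roleName, pm);
                if (role != null) {
                    roles.add(role);
                }
            }
            for (MSentryGMPrivilege privilege : this.privilegeOperator.getPrivilegesByAuthorizable(first, second, roles, list, pm)) {
                pm.retrieve(privilege);
                privileges.add(privilege);
            }
            return privileges;
        } finally {
            // Guarded so a failure to open the transaction is not masked by committing null.
            commitIfOpen(pm);
        }
    }

    /** Stops the delegate store. */
    @Override
    public void close() {
        this.delegate.stop();
    }

    /** Wraps each group name in a {@link TSentryGroup}; {@code set} must not be {@code null}. */
    private Set<TSentryGroup> toTSentryGroups(Set<String> set) {
        Set<TSentryGroup> groups = Sets.newHashSet();
        for (String groupName : set) {
            groups.add(new TSentryGroup(groupName));
        }
        return groups;
    }

    /**
     * Returns a new mutable set with every element trimmed and lower-cased; {@code null}
     * yields an empty set.
     *
     * <p>NOTE(review): {@code toLowerCase()} uses the JVM default locale, so the normalized
     * form of a role name depends on where the service runs. Confirm that it matches the
     * normalization applied by the delegate store before switching to a fixed locale.
     */
    private Set<String> toTrimmedLower(Set<String> set) {
        if (set == null) {
            return new HashSet<String>();
        }
        Set<String> normalized = Sets.newHashSet();
        for (String value : set) {
            normalized.add(value.trim().toLowerCase());
        }
        return normalized;
    }

    /** Returns a new mutable set with every element trimmed; {@code null} yields an empty set. */
    private Set<String> toTrimmed(Set<String> set) {
        if (set == null) {
            return new HashSet<String>();
        }
        Set<String> trimmed = Sets.newHashSet();
        for (String value : set) {
            trimmed.add(value.trim());
        }
        return trimmed;
    }

    /** Trims and lower-cases {@code str} (default locale); {@code null} becomes the empty string. */
    private String toTrimmedLower(String str) {
        return str == null ? "" : str.trim().toLowerCase();
    }

    /** Resolves the groups of user {@code str} through {@link SentryPolicyStoreProcessor}. */
    private Set<String> getRequestorGroups(String str) throws SentryUserException {
        return SentryPolicyStoreProcessor.getGroupsFromUserName(this.conf, str);
    }

    /**
     * Deletes every stored role, group and generic-model privilege in one transaction.
     * Test support only; there is no authorization check.
     */
    @VisibleForTesting
    void clearAllTables() {
        PersistenceManager pm = null;
        boolean needsRollback = true;
        try {
            pm = openTransaction();
            pm.newQuery(MSentryRole.class).deletePersistentAll();
            pm.newQuery(MSentryGroup.class).deletePersistentAll();
            pm.newQuery(MSentryGMPrivilege.class).deletePersistentAll();
            commitUpdateTransaction(pm);
            needsRollback = false;
        } finally {
            if (needsRollback) {
                rollbackTransaction(pm);
            }
        }
    }
}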
