package org.apache.hadoop.hbase.security.access;

import java.io.IOException;
import java.net.InetAddress;
import java.util.Collection;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

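/**
 * Runs HBase ACL checks against a {@link TableAuthManager} and writes every decision to the
 * {@code SecurityLogger.*} audit logger at TRACE level.
 *
 * <p><b>Enforcement is conditional.</b> A denial is turned into an {@link AccessDeniedException}
 * only when {@code hbase.security.authorization} is {@code true}; the setting defaults to
 * {@code false}, in which case every {@code require*} method logs the denial and returns normally.
 * Callers must not treat a normal return as proof that the user holds the permission unless
 * authorization is enabled.
 *
 * <p>For the varargs variants, holding <em>any one</em> of the listed actions is sufficient. An
 * empty or {@code null} action list cannot be evaluated and is rejected (fail closed) when
 * authorization is enabled.
 */
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/security/access/AccessChecker.class */
public final class AccessChecker {
    private static final Logger AUDITLOG = LoggerFactory.getLogger("SecurityLogger." + AccessChecker.class.getName());

    // Both fields are assigned once in the constructor; final gives safe publication to other threads.
    private final TableAuthManager authManager;
    private final boolean authorizationEnabled;

    /**
     * Reports whether authorization is switched on in the given configuration.
     *
     * @param configuration configuration to read
     * @return value of {@code hbase.security.authorization}, {@code false} when unset
     */
    public static boolean isAuthorizationSupported(Configuration configuration) {
        return configuration.getBoolean("hbase.security.authorization", false);
    }

    /**
     * Creates a checker backed by the auth manager associated with the given ZooKeeper watcher.
     *
     * @param configuration configuration used to obtain the auth manager and the enforcement flag
     * @param zooKeeperWatcher watcher handed to {@link TableAuthManager#getOrCreate}; must not be null
     * @throws NullPointerException if {@code zooKeeperWatcher} is null
     * @throws RuntimeException wrapping the {@link IOException} raised while obtaining the auth manager
     */
    public AccessChecker(Configuration configuration, ZooKeeperWatcher zooKeeperWatcher) throws RuntimeException {
        if (zooKeeperWatcher == null) {
            throw new NullPointerException("Error obtaining AccessChecker, zk found null.");
        }
        TableAuthManager manager;
        try {
            manager = TableAuthManager.getOrCreate(zooKeeperWatcher, configuration);
        } catch (IOException e) {
            throw new RuntimeException("Error obtaining AccessChecker", e);
        }
        this.authManager = manager;
        this.authorizationEnabled = isAuthorizationSupported(configuration);
    }

    /** @return the auth manager this checker delegates to */
    public TableAuthManager getAuthManager() {
        return this.authManager;
    }

    /**
     * Writes one audit line for an authorization decision; does nothing unless TRACE is enabled on
     * the audit logger or when {@code authResult} is null.
     *
     * @param authResult decision to record
     */
    public void logResult(AuthResult authResult) {
        if (authResult == null || !AUDITLOG.isTraceEnabled()) {
            return;
        }
        User subject = authResult.getUser();
        InetAddress remoteAddress = RpcServer.getRemoteAddress();
        // NOTE(review): user name and request are written as-is; confirm the log layout neutralises
        // CR/LF so a crafted value cannot forge additional audit lines.
        AUDITLOG.trace("Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {}",
                authResult.isAllowed() ? "allowed" : "denied",
                subject != null ? subject.getShortName() : "UNKNOWN",
                authResult.getReason(),
                remoteAddress != null ? remoteAddress : "",
                authResult.getRequest(),
                authResult.toContextString());
    }

    /**
     * Requires that the user holds at least one of the actions on the given table, family and
     * qualifier.
     *
     * @param user user being checked
     * @param str name of the request, used for auditing
     * @param tableName table the request targets
     * @param bArr column family
     * @param bArr2 column qualifier
     * @param actionArr acceptable actions; any single one suffices
     * @throws IOException an {@link AccessDeniedException} when authorization is enabled and no
     *     action is granted or none was supplied
     */
    public void requirePermission(User user, String str, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action... actionArr) throws IOException {
        if (hasNoActions(actionArr)) {
            denyMissingActions(user, str);
            return;
        }
        AuthResult authResult = null;
        for (Permission.Action action : actionArr) {
            if (this.authManager.authorize(user, tableName, bArr, bArr2, action)) {
                authResult = AuthResult.allow(str, "Table permission granted", user, action, tableName, bArr, bArr2);
                break;
            }
            // Keep the most recent denial; it is what gets audited if nothing is granted.
            authResult = AuthResult.deny(str, "Insufficient permissions", user, action, tableName, bArr, bArr2);
        }
        auditAndEnforce(authResult);
    }

    /**
     * Requires that the user holds at least one of the actions on the table as a whole. The
     * authorization call is made with null family and qualifier; {@code bArr} and {@code bArr2}
     * are attached to the result parameters only.
     *
     * @param user user being checked
     * @param str name of the request, used for auditing
     * @param tableName table the request targets
     * @param bArr column family recorded on the result
     * @param bArr2 column qualifier recorded on the result
     * @param actionArr acceptable actions; any single one suffices
     * @throws IOException an {@link AccessDeniedException} when authorization is enabled and no
     *     action is granted or none was supplied
     */
    public void requireTablePermission(User user, String str, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action... actionArr) throws IOException {
        if (hasNoActions(actionArr)) {
            denyMissingActions(user, str);
            return;
        }
        AuthResult authResult = null;
        for (Permission.Action action : actionArr) {
            if (this.authManager.authorize(user, tableName, (byte[]) null, (byte[]) null, action)) {
                authResult = AuthResult.allow(str, "Table permission granted", user, action, tableName, null, null);
                authResult.getParams().setFamily(bArr).setQualifier(bArr2);
                break;
            }
            authResult = AuthResult.deny(str, "Insufficient permissions", user, action, tableName, bArr, bArr2);
            authResult.getParams().setFamily(bArr).setQualifier(bArr2);
        }
        auditAndEnforce(authResult);
    }

    /**
     * Requires that {@link TableAuthManager#hasAccess} succeeds for at least one of the actions on
     * the given table.
     *
     * @param user user being checked
     * @param str name of the request, used for auditing
     * @param tableName table the request targets
     * @param actionArr acceptable actions; any single one suffices
     * @throws IOException an {@link AccessDeniedException} when authorization is enabled and no
     *     action is granted or none was supplied
     */
    public void requireAccess(User user, String str, TableName tableName, Permission.Action... actionArr) throws IOException {
        if (hasNoActions(actionArr)) {
            denyMissingActions(user, str);
            return;
        }
        AuthResult authResult = null;
        for (Permission.Action action : actionArr) {
            if (this.authManager.hasAccess(user, tableName, action)) {
                authResult = AuthResult.allow(str, "Table permission granted", user, action, tableName, null, null);
                break;
            }
            authResult = AuthResult.deny(str, "Insufficient permissions", user, action, tableName, null, null);
        }
        auditAndEnforce(authResult);
    }

    /**
     * Requires the given global action; shorthand for
     * {@link #requireGlobalPermission(User, String, Permission.Action, TableName, Map)} with no
     * table or family context.
     *
     * @param user user being checked
     * @param str name of the request, used for auditing
     * @param action required global action
     * @throws IOException an {@link AccessDeniedException} when authorization is enabled and the
     *     action is not granted
     */
    public void requirePermission(User user, String str, Permission.Action action) throws IOException {
        requireGlobalPermission(user, str, action, null, null);
    }

    /**
     * Requires the given global action. The table and family map are recorded on the audit result
     * only; the authorization call itself takes just the user and the action.
     *
     * @param user user being checked
     * @param str name of the request, used for auditing
     * @param action required global action
     * @param tableName table recorded on the result, may be null
     * @param map families recorded on the result, may be null
     * @throws IOException an {@link AccessDeniedException} when authorization is enabled and the
     *     action is not granted
     */
    public void requireGlobalPermission(User user, String str, Permission.Action action, TableName tableName, Map<byte[], ? extends Collection<byte[]>> map) throws IOException {
        if (this.authManager.authorize(user, action)) {
            AuthResult allow = AuthResult.allow(str, "Global check allowed", user, action, tableName, map);
            allow.getParams().setTableName(tableName).setFamilies(map);
            logResult(allow);
            return;
        }
        AuthResult deny = AuthResult.deny(str, "Global check failed", user, action, tableName, map);
        deny.getParams().setTableName(tableName).setFamilies(map);
        logResult(deny);
        if (this.authorizationEnabled) {
            throw new AccessDeniedException(globalDenialMessage(user, action));
        }
    }

    /**
     * Requires the given global action, recording a namespace on the audit result.
     *
     * @param user user being checked
     * @param str name of the request, used for auditing
     * @param action required global action
     * @param str2 namespace recorded on the result
     * @throws IOException an {@link AccessDeniedException} when authorization is enabled and the
     *     action is not granted
     */
    public void requireGlobalPermission(User user, String str, Permission.Action action, String str2) throws IOException {
        if (this.authManager.authorize(user, action)) {
            AuthResult allow = AuthResult.allow(str, "Global check allowed", user, action, null);
            allow.getParams().setNamespace(str2);
            logResult(allow);
            return;
        }
        AuthResult deny = AuthResult.deny(str, "Global check failed", user, action, null);
        deny.getParams().setNamespace(str2);
        logResult(deny);
        if (this.authorizationEnabled) {
            throw new AccessDeniedException(globalDenialMessage(user, action));
        }
    }

    /**
     * Requires that the user holds at least one of the actions on the given namespace.
     *
     * @param user user being checked
     * @param str name of the request, used for auditing
     * @param str2 namespace the request targets
     * @param actionArr acceptable actions; any single one suffices
     * @throws IOException an {@link AccessDeniedException} when authorization is enabled and no
     *     action is granted or none was supplied
     */
    public void requireNamespacePermission(User user, String str, String str2, Permission.Action... actionArr) throws IOException {
        if (hasNoActions(actionArr)) {
            denyMissingActions(user, str);
            return;
        }
        AuthResult authResult = null;
        for (Permission.Action action : actionArr) {
            if (this.authManager.authorize(user, str2, action)) {
                authResult = AuthResult.allow(str, "Namespace permission granted", user, action, str2);
                break;
            }
            authResult = AuthResult.deny(str, "Insufficient permissions", user, action, str2);
        }
        auditAndEnforce(authResult);
    }

    /**
     * Requires that the user holds at least one of the actions on the given namespace, recording
     * the table and family map on the audit result.
     *
     * @param user user being checked
     * @param str name of the request, used for auditing
     * @param str2 namespace the request targets
     * @param tableName table recorded on the result
     * @param map families recorded on the result
     * @param actionArr acceptable actions; any single one suffices
     * @throws IOException an {@link AccessDeniedException} when authorization is enabled and no
     *     action is granted or none was supplied
     */
    public void requireNamespacePermission(User user, String str, String str2, TableName tableName, Map<byte[], ? extends Collection<byte[]>> map, Permission.Action... actionArr) throws IOException {
        if (hasNoActions(actionArr)) {
            denyMissingActions(user, str);
            return;
        }
        AuthResult authResult = null;
        for (Permission.Action action : actionArr) {
            if (this.authManager.authorize(user, str2, action)) {
                authResult = AuthResult.allow(str, "Namespace permission granted", user, action, str2);
                authResult.getParams().setTableName(tableName).setFamilies(map);
                break;
            }
            authResult = AuthResult.deny(str, "Insufficient permissions", user, action, str2);
            authResult.getParams().setTableName(tableName).setFamilies(map);
        }
        auditAndEnforce(authResult);
    }

    /** Tells whether a varargs action list carries nothing to evaluate. */
    private static boolean hasNoActions(Permission.Action[] actionArr) {
        return actionArr == null || actionArr.length == 0;
    }

    /**
     * Handles a check that named no action: audits it as a denial and, when authorization is
     * enabled, fails closed with a checked exception instead of a null dereference.
     */
    private void denyMissingActions(User user, String str) throws IOException {
        if (AUDITLOG.isTraceEnabled()) {
            InetAddress remoteAddress = RpcServer.getRemoteAddress();
            AUDITLOG.trace("Access denied for user {}; reason: No actions specified; remote address: {}; request: {}",
                    user != null ? user.getShortName() : "UNKNOWN",
                    remoteAddress != null ? remoteAddress : "",
                    str);
        }
        if (this.authorizationEnabled) {
            throw new AccessDeniedException("Insufficient permissions (no actions specified, request=" + str + ")");
        }
    }

    /** Audits the decision and raises the denial when authorization is enabled. */
    private void auditAndEnforce(AuthResult authResult) throws IOException {
        logResult(authResult);
        if (this.authorizationEnabled && !authResult.isAllowed()) {
            throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
        }
    }

    /** Builds the exception text shared by both global permission checks. */
    private static String globalDenialMessage(User user, Permission.Action action) {
        return "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") + "' (global, action=" + action.toString() + ")";
    }
}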
