package org.apache.ranger.authorization.kafka.authorizer;

import java.util.Date;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import kafka.network.RequestChannel;
import kafka.security.auth.Acl;
import kafka.security.auth.Alter$;
import kafka.security.auth.Authorizer;
import kafka.security.auth.Cluster$;
import kafka.security.auth.ClusterAction$;
import kafka.security.auth.Create$;
import kafka.security.auth.Delete$;
import kafka.security.auth.Describe$;
import kafka.security.auth.Group$;
import kafka.security.auth.Operation;
import kafka.security.auth.Read$;
import kafka.security.auth.Resource;
import kafka.security.auth.Topic$;
import kafka.security.auth.Write$;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.kafka.common.network.ListenerName;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.authenticator.LoginManager;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import scala.collection.immutable.HashMap;
import scala.collection.immutable.HashSet;

/* loaded from: input_file:org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.class */
public class RangerKafkaAuthorizer implements Authorizer {
    public static final String KEY_TOPIC = "topic";
    public static final String KEY_CLUSTER = "cluster";
    public static final String KEY_CONSUMER_GROUP = "consumer_group";
    public static final String ACCESS_TYPE_READ = "consume";
    public static final String ACCESS_TYPE_WRITE = "publish";
    public static final String ACCESS_TYPE_CREATE = "create";
    public static final String ACCESS_TYPE_DELETE = "delete";
    public static final String ACCESS_TYPE_CONFIGURE = "configure";
    public static final String ACCESS_TYPE_DESCRIBE = "describe";
    public static final String ACCESS_TYPE_KAFKA_ADMIN = "kafka_admin";
    private static final Log logger = LogFactory.getLog(RangerKafkaAuthorizer.class);
    private static final Log PERF_KAFKAAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("kafkaauth.request");
    private static volatile RangerBasePlugin rangerPlugin = null;

    public void configure(Map<String, ?> map) {
        if (rangerPlugin == null) {
            synchronized (RangerKafkaAuthorizer.class) {
                if (rangerPlugin == null) {
                    try {
                        Object obj = map.get("ranger.jaas.context");
                        Subject subject = LoginManager.acquireLoginManager(JaasContext.load(JaasContext.Type.SERVER, new ListenerName(((obj instanceof String) && StringUtils.isNotEmpty((String) obj)) ? (String) obj : SecurityProtocol.SASL_PLAINTEXT.name()), map), true, map).subject();
                        UserGroupInformation createUGIFromSubject = MiscUtil.createUGIFromSubject(subject);
                        if (createUGIFromSubject != null) {
                            MiscUtil.setUGILoginUser(createUGIFromSubject, subject);
                        }
                        logger.info("LoginUser=" + MiscUtil.getUGILoginUser());
                    } catch (Throwable th) {
                        logger.error("Error getting principal.", th);
                    }
                    rangerPlugin = new RangerBasePlugin("kafka", "kafka");
                }
            }
        }
        logger.info("Calling plugin.init()");
        rangerPlugin.init();
        rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler());
    }

    public void close() {
        logger.info("close() called on authorizer.");
        try {
            if (rangerPlugin != null) {
                rangerPlugin.cleanup();
            }
        } catch (Throwable th) {
            logger.error("Error closing RangerPlugin.", th);
        }
    }

    public boolean authorize(RequestChannel.Session session, Operation operation, Resource resource) {
        if (rangerPlugin == null) {
            MiscUtil.logErrorMessageByInterval(logger, "Authorizer is still not initialized");
            return false;
        }
        if (resource.resourceType().equals(Group$.MODULE$)) {
            if (!logger.isDebugEnabled()) {
                return true;
            }
            logger.debug("If resource type is consumer group, then we allow it by default!  Returning true");
            return true;
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_KAFKAAUTH_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_KAFKAAUTH_REQUEST_LOG, "RangerKafkaAuthorizer.authorize(resource=" + resource + ")");
        }
        String str = null;
        if (session.principal() != null) {
            str = session.principal().getName();
        }
        Set groupsForRequestUser = MiscUtil.getGroupsForRequestUser(str);
        String hostAddress = session.clientAddress().getHostAddress();
        if (StringUtils.isNotEmpty(hostAddress) && hostAddress.charAt(0) == '/') {
            hostAddress = hostAddress.substring(1);
        }
        Date date = new Date();
        String mapToRangerAccessType = mapToRangerAccessType(operation);
        boolean z = false;
        String str2 = "";
        if (mapToRangerAccessType == null) {
            if (MiscUtil.logErrorMessageByInterval(logger, "Unsupported access type. operation=" + operation)) {
                logger.fatal("Unsupported access type. session=" + session + ", operation=" + operation + ", resource=" + resource);
            }
            z = true;
            str2 = str2 + "Unsupported access type. operation=" + operation;
        }
        String clusterName = rangerPlugin.getClusterName();
        RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl();
        rangerAccessRequestImpl.setUser(str);
        rangerAccessRequestImpl.setUserGroups(groupsForRequestUser);
        rangerAccessRequestImpl.setClientIPAddress(hostAddress);
        rangerAccessRequestImpl.setAccessTime(date);
        RangerAccessResourceImpl rangerAccessResourceImpl = new RangerAccessResourceImpl();
        rangerAccessRequestImpl.setResource(rangerAccessResourceImpl);
        rangerAccessRequestImpl.setAccessType(mapToRangerAccessType);
        rangerAccessRequestImpl.setAction(mapToRangerAccessType);
        rangerAccessRequestImpl.setRequestData(resource.name());
        rangerAccessRequestImpl.setClusterName(clusterName);
        if (resource.resourceType().equals(Topic$.MODULE$)) {
            rangerAccessResourceImpl.setValue(KEY_TOPIC, resource.name());
        } else if (!resource.resourceType().equals(Cluster$.MODULE$)) {
            if (resource.resourceType().equals(Group$.MODULE$)) {
                rangerAccessResourceImpl.setValue(KEY_CONSUMER_GROUP, resource.name());
            } else {
                logger.fatal("Unsupported resourceType=" + resource.resourceType());
                z = true;
            }
        }
        boolean z2 = false;
        if (z) {
            MiscUtil.logErrorMessageByInterval(logger, str2 + ", request=" + rangerAccessRequestImpl);
        } else {
            try {
                RangerAccessResult isAccessAllowed = rangerPlugin.isAccessAllowed(rangerAccessRequestImpl);
                if (isAccessAllowed == null) {
                    logger.error("Ranger Plugin returned null. Returning false");
                } else {
                    z2 = isAccessAllowed.getIsAllowed();
                }
            } catch (Throwable th) {
                logger.error("Error while calling isAccessAllowed(). request=" + rangerAccessRequestImpl, th);
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (logger.isDebugEnabled()) {
            logger.debug("rangerRequest=" + rangerAccessRequestImpl + ", return=" + z2);
        }
        return z2;
    }

    public void addAcls(scala.collection.immutable.Set<Acl> set, Resource resource) {
        logger.error("addAcls(Set<Acl>, Resource) is not supported by Ranger for Kafka");
    }

    public boolean removeAcls(scala.collection.immutable.Set<Acl> set, Resource resource) {
        logger.error("removeAcls(Set<Acl>, Resource) is not supported by Ranger for Kafka");
        return false;
    }

    public boolean removeAcls(Resource resource) {
        logger.error("removeAcls(Resource) is not supported by Ranger for Kafka");
        return false;
    }

    public scala.collection.immutable.Set<Acl> getAcls(Resource resource) {
        HashSet hashSet = new HashSet();
        logger.error("getAcls(Resource) is not supported by Ranger for Kafka");
        return hashSet;
    }

    public scala.collection.immutable.Map<Resource, scala.collection.immutable.Set<Acl>> getAcls(KafkaPrincipal kafkaPrincipal) {
        HashMap hashMap = new HashMap();
        logger.error("getAcls(KafkaPrincipal) is not supported by Ranger for Kafka");
        return hashMap;
    }

    public scala.collection.immutable.Map<Resource, scala.collection.immutable.Set<Acl>> getAcls() {
        HashMap hashMap = new HashMap();
        logger.error("getAcls() is not supported by Ranger for Kafka");
        return hashMap;
    }

    private String mapToRangerAccessType(Operation operation) {
        if (operation.equals(Read$.MODULE$)) {
            return ACCESS_TYPE_READ;
        }
        if (operation.equals(Write$.MODULE$)) {
            return ACCESS_TYPE_WRITE;
        }
        if (operation.equals(Alter$.MODULE$)) {
            return ACCESS_TYPE_CONFIGURE;
        }
        if (operation.equals(Describe$.MODULE$)) {
            return ACCESS_TYPE_DESCRIBE;
        }
        if (operation.equals(ClusterAction$.MODULE$)) {
            return ACCESS_TYPE_KAFKA_ADMIN;
        }
        if (operation.equals(Create$.MODULE$)) {
            return ACCESS_TYPE_CREATE;
        }
        if (operation.equals(Delete$.MODULE$)) {
            return ACCESS_TYPE_DELETE;
        }
        return null;
    }
}
