package org.apache.sentry.sqoop.binding;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.lang.reflect.Constructor;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.api.generic.thrift.SentryGenericServiceClient;
import org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory;
import org.apache.sentry.api.generic.thrift.TAuthorizable;
import org.apache.sentry.api.generic.thrift.TSentryGrantOption;
import org.apache.sentry.api.generic.thrift.TSentryPrivilege;
import org.apache.sentry.api.generic.thrift.TSentryRole;
import org.apache.sentry.api.tools.GenericPrivilegeConverter;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.BitFieldAction;
import org.apache.sentry.core.common.Model;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.model.sqoop.Server;
import org.apache.sentry.core.model.sqoop.SqoopActionFactory;
import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
import org.apache.sentry.sqoop.conf.SqoopAuthConf;
import org.apache.sqoop.common.SqoopException;
import org.apache.sqoop.model.MPrivilege;
import org.apache.sqoop.model.MResource;
import org.apache.sqoop.model.MRole;
import org.apache.sqoop.security.SecurityError;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

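/**
 * Connects Sqoop's security model ({@link MPrivilege}, {@link MResource}, {@link MRole}) to
 * Apache Sentry.
 *
 * <p>Access checks go through an {@link AuthorizationProvider} that is assembled reflectively
 * from class names held in the supplied {@link Configuration}. Role and privilege management
 * calls are forwarded to the Sentry generic service with the component type {@code "sqoop"}.
 *
 * <p>This listing was recovered by a decompiler. Members it reported as originally private keep
 * the visibility shown in the listing so the class interface is not narrowed.
 */
public class SqoopAuthBinding {
    private static final Logger LOG = LoggerFactory.getLogger(SqoopAuthBinding.class);
    private static final String COMPONENT_TYPE = "sqoop";
    private final Configuration authConf;
    private final AuthorizationProvider authProvider;
    private final Server sqoopServer;
    // Identity of the process user captured at construction time; used by dropPrivilege.
    private final Subject bindingSubject;
    private ProviderBackend providerBackend;
    private final SqoopActionFactory actionFactory = new SqoopActionFactory();
    // Legacy policy-engine class name that is transparently replaced by the configured default.
    private final String SQOOP_POLICY_ENGINE_OLD = "org.apache.sentry.policy.sqoop.SimpleSqoopPolicyEngine";

    /**
     * Unit of work executed against a Sentry client that {@code execute} opens and closes.
     *
     * <p>The decompiler notes this interface was private in the compiled class.
     *
     * @param <T> result type of the command
     */
    public interface Command<T> {
        T run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception;
    }

    /**
     * Creates the binding and builds its authorization provider.
     *
     * <p>The passed {@code configuration} is kept by reference and mutated: the server name is
     * written into it before the provider is created.
     *
     * @param configuration authorization configuration; read for provider, backend and policy
     *     engine class names
     * @param str name of the Sqoop server this binding authorizes for
     * @throws Exception if the current user cannot be resolved or the provider cannot be built
     */
    public SqoopAuthBinding(Configuration configuration, String str) throws Exception {
        this.authConf = configuration;
        this.authConf.set(SqoopAuthConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar(), str);
        this.sqoopServer = new Server(str);
        this.authProvider = createAuthProvider();
        this.bindingSubject = new Subject(UserGroupInformation.getCurrentUser().getShortUserName());
    }

    /**
     * Instantiates the provider backend, policy engine and authorization provider named in the
     * configuration and wires them together.
     *
     * <p>Security note: the three class names come from configuration and are loaded with
     * {@code Class.forName}, which also runs the class's static initializers, and their
     * constructors are invoked with accessibility checks disabled. Whoever can write this
     * configuration therefore decides which code runs inside the Sqoop server, so the
     * configuration source has to be as trusted as the server's own classpath. Each class is
     * checked against its expected supertype before a constructor is called, so a wrong class
     * name fails without instantiating an unrelated class.
     *
     * @return the configured authorization provider
     * @throws Exception if a class cannot be loaded, is of the wrong type, lacks the expected
     *     constructor, or fails during construction or backend initialization
     */
    private AuthorizationProvider createAuthProvider() throws Exception {
        String providerName = this.authConf.get(SqoopAuthConf.AuthzConfVars.AUTHZ_PROVIDER.getVar(), SqoopAuthConf.AuthzConfVars.AUTHZ_PROVIDER.getDefault());
        String resourceName = this.authConf.get(SqoopAuthConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), SqoopAuthConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getDefault());
        String backendName = this.authConf.get(SqoopAuthConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), SqoopAuthConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getDefault());
        String policyEngineName = this.authConf.get(SqoopAuthConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), SqoopAuthConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault());
        String serverName = this.authConf.get(SqoopAuthConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar());

        // Configurations that still name the old policy engine are mapped to the default one.
        if (SQOOP_POLICY_ENGINE_OLD.equals(policyEngineName)) {
            policyEngineName = SqoopAuthConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault();
        }
        // Logged before the backend name is remapped below, so the configured value is shown.
        LOG.debug("Using authorization provider {} with resource {}, policy engine {}, provider backend {}",
                providerName, resourceName, policyEngineName, backendName);
        if ("org.apache.sentry.sqoop.binding.SqoopProviderBackend".equals(backendName)) {
            backendName = SentryGenericProviderBackend.class.getName();
        }
        // Supply the generic privilege converter only when the configuration names none.
        if (this.authConf.get("sentry.provider.backend.generic.privilege.converter") == null) {
            this.authConf.set("sentry.provider.backend.generic.privilege.converter", GenericPrivilegeConverter.class.getName());
        }

        // asSubclass rejects a class of the wrong type before any of its constructors run.
        Constructor<? extends ProviderBackend> backendCtor = Class.forName(backendName)
                .asSubclass(ProviderBackend.class)
                .getDeclaredConstructor(Configuration.class, String.class);
        backendCtor.setAccessible(true);
        this.providerBackend = backendCtor.newInstance(this.authConf, resourceName);
        if (this.providerBackend instanceof SentryGenericProviderBackend) {
            // The setters are invoked on the concrete backend type, hence the explicit cast.
            SentryGenericProviderBackend genericBackend = (SentryGenericProviderBackend) this.providerBackend;
            genericBackend.setComponentType(COMPONENT_TYPE);
            genericBackend.setServiceName(serverName);
        }

        ProviderBackendContext backendContext = new ProviderBackendContext();
        backendContext.setAllowPerDatabase(false);
        backendContext.setValidators(SqoopPrivilegeModel.getInstance().getPrivilegeValidators(serverName));
        this.providerBackend.initialize(backendContext);

        Constructor<? extends PolicyEngine> engineCtor = Class.forName(policyEngineName)
                .asSubclass(PolicyEngine.class)
                .getDeclaredConstructor(ProviderBackend.class);
        engineCtor.setAccessible(true);
        PolicyEngine policyEngine = engineCtor.newInstance(this.providerBackend);

        Constructor<? extends AuthorizationProvider> providerCtor = Class.forName(providerName)
                .asSubclass(AuthorizationProvider.class)
                .getDeclaredConstructor(Configuration.class, String.class, PolicyEngine.class, Model.class);
        providerCtor.setAccessible(true);
        return providerCtor.newInstance(this.authConf, resourceName, policyEngine, SqoopPrivilegeModel.getInstance());
    }

    /**
     * Checks whether {@code subject} may perform the privilege's action on its resource.
     *
     * <p>The configured server is prepended to the authorizable list when the resource is not
     * itself of the server type, and all of the subject's roles are considered.
     *
     * @param subject the user to check
     * @param mPrivilege the requested resource and action
     * @return the provider's access decision
     * @throws SentryUserException if the provider reports an error
     */
    public boolean authorize(Subject subject, MPrivilege mPrivilege) throws SentryUserException {
        List<Authorizable> hierarchy = toAuthorizable(mPrivilege.getResource());
        if (!hasServerInclude(hierarchy)) {
            hierarchy.add(0, this.sqoopServer);
        }
        // NOTE(review): if getActionByName yields null for an unrecognized action name, the set
        // holds a single null; confirm the provider denies access in that case.
        BitFieldAction requestedAction = this.actionFactory.getActionByName(mPrivilege.getAction());
        return this.authProvider.hasAccess(subject, hierarchy, Sets.newHashSet(new BitFieldAction[]{requestedAction}), ActiveRoleSet.ALL);
    }

    /**
     * Reports whether the list already contains an authorizable of the server type.
     *
     * @param list authorizables to inspect
     * @return {@code true} if any entry's type name matches the server's, ignoring case
     */
    public boolean hasServerInclude(List<Authorizable> list) {
        for (Authorizable candidate : list) {
            if (candidate.getTypeName().equalsIgnoreCase(this.sqoopServer.getTypeName())) {
                return true;
            }
        }
        return false;
    }

    /** Opens a new Sentry generic service client from the binding's configuration. */
    private SentryGenericServiceClient getClient() throws Exception {
        return SentryGenericServiceClientFactory.create(this.authConf);
    }

    /**
     * Creates a role in Sentry on behalf of {@code subject}.
     *
     * @param subject the requesting user
     * @param str name of the role to create
     * @throws SqoopException if the Sentry call fails
     */
    public void createRole(final Subject subject, final String str) throws SqoopException {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.createRole(subject.getName(), str, COMPONENT_TYPE);
                return null;
            }
        });
    }

    /**
     * Drops a role in Sentry on behalf of {@code subject}.
     *
     * @param subject the requesting user
     * @param str name of the role to drop
     * @throws SqoopException if the Sentry call fails
     */
    public void dropRole(final Subject subject, final String str) throws SqoopException {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.dropRole(subject.getName(), str, COMPONENT_TYPE);
                return null;
            }
        });
    }

    /**
     * Lists every role of the Sqoop component as seen by {@code subject}.
     *
     * @param subject the requesting user
     * @return one {@link MRole} per Sentry role
     * @throws SqoopException if the Sentry call fails
     */
    public List<MRole> listAllRoles(final Subject subject) throws SqoopException {
        Set<TSentryRole> sentryRoles = execute(new Command<Set<TSentryRole>>() {
            @Override
            public Set<TSentryRole> run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                return sentryGenericServiceClient.listAllRoles(subject.getName(), COMPONENT_TYPE);
            }
        });
        List<MRole> roles = Lists.newArrayList();
        for (TSentryRole sentryRole : sentryRoles) {
            roles.add(new MRole(sentryRole.getRoleName()));
        }
        return roles;
    }

    /**
     * Lists the roles granted to a group.
     *
     * @param subject the requesting user
     * @param str name of the group
     * @return one {@link MRole} per Sentry role
     * @throws SqoopException if the Sentry call fails
     */
    public List<MRole> listRolesByGroup(final Subject subject, final String str) throws SqoopException {
        Set<TSentryRole> sentryRoles = execute(new Command<Set<TSentryRole>>() {
            @Override
            public Set<TSentryRole> run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                return sentryGenericServiceClient.listRolesByGroupName(subject.getName(), str, COMPONENT_TYPE);
            }
        });
        List<MRole> roles = Lists.newArrayList();
        for (TSentryRole sentryRole : sentryRoles) {
            roles.add(new MRole(sentryRole.getRoleName()));
        }
        return roles;
    }

    /**
     * Lists the privileges of a role, optionally narrowed to one resource.
     *
     * <p>A {@code null} resource lists everything under the configured server; a server-type
     * resource lists everything under that resource's name; any other resource is passed to
     * Sentry as an authorizable filter under the configured server.
     *
     * @param subject the requesting user
     * @param str name of the role
     * @param mResource resource to filter by, or {@code null}
     * @return the role's privileges converted to {@link MPrivilege}
     * @throws SqoopException if the Sentry call fails
     */
    public List<MPrivilege> listPrivilegeByRole(final Subject subject, final String str, final MResource mResource) throws SqoopException {
        Set<TSentryPrivilege> sentryPrivileges = execute(new Command<Set<TSentryPrivilege>>() {
            @Override
            public Set<TSentryPrivilege> run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                if (mResource == null) {
                    return sentryGenericServiceClient.listAllPrivilegesByRoleName(subject.getName(), str, COMPONENT_TYPE, sqoopServer.getName());
                }
                if (mResource.getType().equalsIgnoreCase(MResource.TYPE.SERVER.name())) {
                    return sentryGenericServiceClient.listAllPrivilegesByRoleName(subject.getName(), str, COMPONENT_TYPE, mResource.getName());
                }
                return sentryGenericServiceClient.listPrivilegesByRoleName(subject.getName(), str, COMPONENT_TYPE, sqoopServer.getName(), toAuthorizable(mResource));
            }
        });
        List<MPrivilege> privileges = Lists.newArrayList();
        for (TSentryPrivilege sentryPrivilege : sentryPrivileges) {
            privileges.add(toSqoopPrivilege(sentryPrivilege));
        }
        return privileges;
    }

    /**
     * Grants a privilege to a role on behalf of {@code subject}.
     *
     * @param subject the requesting user
     * @param str name of the role receiving the privilege
     * @param mPrivilege the privilege to grant
     * @throws SqoopException if the Sentry call or the privilege conversion fails
     */
    public void grantPrivilege(final Subject subject, final String str, final MPrivilege mPrivilege) throws SqoopException {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.grantPrivilege(subject.getName(), str, COMPONENT_TYPE, toTSentryPrivilege(mPrivilege));
                return null;
            }
        });
    }

    /**
     * Revokes a privilege from a role on behalf of {@code subject}.
     *
     * @param subject the requesting user
     * @param str name of the role losing the privilege
     * @param mPrivilege the privilege to revoke
     * @throws SqoopException if the Sentry call or the privilege conversion fails
     */
    public void revokePrivilege(final Subject subject, final String str, final MPrivilege mPrivilege) throws SqoopException {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.revokePrivilege(subject.getName(), str, COMPONENT_TYPE, toTSentryPrivilege(mPrivilege));
                return null;
            }
        });
    }

    /**
     * Grants a role to a single group on behalf of {@code subject}.
     *
     * @param subject the requesting user
     * @param str name of the group
     * @param mRole the role to grant
     * @throws SqoopException if the Sentry call fails
     */
    public void grantGroupToRole(final Subject subject, final String str, final MRole mRole) throws SqoopException {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.grantRoleToGroups(subject.getName(), mRole.getName(), COMPONENT_TYPE, Sets.newHashSet(new String[]{str}));
                return null;
            }
        });
    }

    /**
     * Revokes a role from a single group on behalf of {@code subject}.
     *
     * @param subject the requesting user
     * @param str name of the group
     * @param mRole the role to revoke
     * @throws SqoopException if the Sentry call fails
     */
    public void revokeGroupfromRole(final Subject subject, final String str, final MRole mRole) throws SqoopException {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.revokeRoleFromGroups(subject.getName(), mRole.getName(), COMPONENT_TYPE, Sets.newHashSet(new String[]{str}));
                return null;
            }
        });
    }

    /**
     * Re-points existing privileges from one resource to another under the configured server.
     *
     * @param subject the requesting user
     * @param mResource the resource as currently named
     * @param mResource2 the resource under its new name
     * @throws SqoopException if the Sentry call fails
     */
    public void renamePrivilege(final Subject subject, final MResource mResource, final MResource mResource2) throws SqoopException {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                sentryGenericServiceClient.renamePrivilege(subject.getName(), COMPONENT_TYPE, sqoopServer.getName(), toAuthorizable(mResource), toAuthorizable(mResource2));
                return null;
            }
        });
    }

    /**
     * Drops every privilege (action {@code "*"}) recorded for a resource.
     *
     * <p>Security note: unlike the other management calls, this one takes no caller subject and
     * sends the request under the binding's own identity (the process user captured in the
     * constructor). NOTE(review): any check that the end user is allowed to remove the resource
     * presumably has to happen in the caller; confirm against the call sites.
     *
     * @param mResource the resource whose privileges are removed
     * @throws SqoopException if the Sentry call or the resource conversion fails
     */
    public void dropPrivilege(final MResource mResource) throws SqoopException {
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient sentryGenericServiceClient) throws Exception {
                TSentryPrivilege wildcardPrivilege = new TSentryPrivilege();
                wildcardPrivilege.setComponent(COMPONENT_TYPE);
                wildcardPrivilege.setServiceName(sqoopServer.getName());
                wildcardPrivilege.setAuthorizables(toTSentryAuthorizable(mResource));
                wildcardPrivilege.setAction("*");
                sentryGenericServiceClient.dropPrivilege(bindingSubject.getName(), COMPONENT_TYPE, wildcardPrivilege);
                return null;
            }
        });
    }

    /**
     * Converts a Sentry privilege to Sqoop's model, mapping the action {@code "*"} to
     * {@code "ALL"}.
     */
    private MPrivilege toSqoopPrivilege(TSentryPrivilege tSentryPrivilege) {
        boolean withGrantOption = tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE;
        MResource resource = toSqoopResource(tSentryPrivilege.getAuthorizables());
        String sentryAction = tSentryPrivilege.getAction();
        String sqoopAction = sentryAction.equalsIgnoreCase("*") ? "ALL" : sentryAction;
        return new MPrivilege(resource, sqoopAction, withGrantOption);
    }

    /**
     * Converts Sentry authorizables to a Sqoop resource.
     *
     * <p>A missing or empty list stands for the server itself; otherwise only the first entry
     * is used.
     */
    private MResource toSqoopResource(List<TAuthorizable> list) {
        if (list == null || list.isEmpty()) {
            return new MResource(this.sqoopServer.getName(), MResource.TYPE.SERVER);
        }
        TAuthorizable first = list.get(0);
        return new MResource(first.getName(), first.getType());
    }

    /**
     * Converts a Sqoop privilege to Sentry's thrift form for the configured server, mapping the
     * action {@code "ALL"} to {@code "*"}.
     *
     * <p>The decompiler notes this method was private in the compiled class.
     *
     * @param mPrivilege the Sqoop privilege
     * @return the equivalent Sentry privilege
     * @throws IllegalArgumentException if the privilege names a server other than the
     *     configured one
     */
    public TSentryPrivilege toTSentryPrivilege(MPrivilege mPrivilege) {
        TSentryPrivilege sentryPrivilege = new TSentryPrivilege();
        sentryPrivilege.setComponent(COMPONENT_TYPE);
        sentryPrivilege.setServiceName(this.sqoopServer.getName());
        String sqoopAction = mPrivilege.getAction();
        sentryPrivilege.setAction(sqoopAction.equalsIgnoreCase("ALL") ? "*" : sqoopAction);
        sentryPrivilege.setGrantOption(mPrivilege.isWith_grant_option() ? TSentryGrantOption.TRUE : TSentryGrantOption.FALSE);
        sentryPrivilege.setAuthorizables(toTSentryAuthorizable(mPrivilege.getResource()));
        return sentryPrivilege;
    }

    /**
     * Converts a Sqoop resource to Sentry thrift authorizables.
     *
     * <p>A server-type resource yields an empty list, because the server is carried in the
     * privilege's service name, but its name must match the configured server. This check keeps
     * a request from addressing privileges of a differently named server.
     *
     * <p>The decompiler notes this method was private in the compiled class.
     *
     * @param mResource the Sqoop resource
     * @return an empty list for the server, otherwise a single authorizable
     * @throws IllegalArgumentException if a server-type resource names another server
     */
    public List<TAuthorizable> toTSentryAuthorizable(MResource mResource) {
        List<TAuthorizable> authorizables = Lists.newArrayList();
        boolean isServer = mResource.getType().equalsIgnoreCase(MResource.TYPE.SERVER.name());
        if (!isServer) {
            authorizables.add(new TAuthorizable(mResource.getType(), mResource.getName()));
            return authorizables;
        }
        if (!mResource.getName().equalsIgnoreCase(this.sqoopServer.getName())) {
            throw new IllegalArgumentException(mResource.getName() + " must be equal to " + this.sqoopServer.getName() + "\n Currently Sqoop supports grant/revoke privileges on server object, but the server name must be equal to the configuration of org.apache.sqoop.security.authorization.server_name in the Sqoop.properties");
        }
        return authorizables;
    }

    /**
     * Wraps a Sqoop resource as a single-element list of Sentry authorizables.
     *
     * <p>The returned authorizable reads its type and name from {@code mResource} on every call
     * rather than copying them. The decompiler notes this method was private in the compiled
     * class.
     *
     * @param mResource the Sqoop resource, or {@code null}
     * @return a mutable list that is empty for {@code null}, otherwise holds one element
     */
    public List<Authorizable> toAuthorizable(final MResource mResource) {
        List<Authorizable> authorizables = Lists.newArrayList();
        if (mResource == null) {
            return authorizables;
        }
        authorizables.add(new Authorizable() {
            @Override
            public String getTypeName() {
                return mResource.getType();
            }

            @Override
            public String getName() {
                return mResource.getName();
            }
        });
        return authorizables;
    }

    /**
     * Runs a command against a freshly opened Sentry client and closes the client afterwards.
     *
     * <p>try-with-resources closes the client on the failure path as well. The decompiled form
     * closed it only after a successful run, which leaked a client whenever the command threw.
     *
     * @param command the work to perform
     * @return the command's result
     * @throws SqoopException with {@code AUTH_0014} wrapping any failure
     */
    private <T> T execute(Command<T> command) throws SqoopException {
        try (SentryGenericServiceClient client = getClient()) {
            return command.run(client);
        } catch (SentryUserException e) {
            String message = "Unable to excute command on sentry server: " + e.getMessage();
            LOG.error(message, e);
            throw new SqoopException(SecurityError.AUTH_0014, message, e);
        } catch (Exception e) {
            // Also reached for non-Sentry failures raised by the command itself, not only when
            // the client could not be created.
            String message = "Unable to obtain client:" + e.getMessage();
            LOG.error(message, e);
            throw new SqoopException(SecurityError.AUTH_0014, message, e);
        }
    }
}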
