package org.apache.sentry.provider.db.generic.service.thrift;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.lang.reflect.Constructor;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.common.utils.KeyValue;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore;
import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService;
import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
import org.apache.sentry.provider.db.service.model.MSentryRole;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.apache.sentry.service.thrift.Status;
import org.apache.sentry.service.thrift.TSentryResponseStatus;
import org.apache.thrift.TException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.class */
public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.Iface {
    // Operational log for this processor.
    private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericPolicyProcessor.class);
    // Separate logger that receives the JSON audit entries written by the mutating Thrift calls.
    private static final Logger AUDIT_LOGGER = LoggerFactory.getLogger(Constants.AUDIT_LOGGER_NAME_GENERIC);
    // Service configuration; also passed to group lookup and audit-entry creation.
    private final Configuration conf;
    // Group names read from ServerConfig.ADMIN_GROUPS; inAdminGroups() intersects them with the requestor's groups.
    private final ImmutableSet<String> adminGroups;
    // Persistence layer that performs the role and privilege operations.
    private final SentryStoreLayer store;
    // Fans successful mutations out to the configured notification handlers.
    private final NotificationHandlerInvoker handerInvoker;
    public static final String SENTRY_GENERIC_SERVICE_NAME = "SentryGenericPolicyService";
    // Prefix of the SentryAccessDeniedException message; the requestor name is appended to it.
    private static final String ACCESS_DENIAL_MESSAGE = "Access denied to ";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor$RequestHandler.class */
    /**
     * Unit of work executed by {@code requestHandle}.
     *
     * @param <T> type of the payload carried by the returned {@link Response}
     */
    public interface RequestHandler<T> {
        /**
         * Performs the request.
         *
         * @return the response to hand back to the caller
         * @throws Exception on any failure; {@code requestHandle} maps it to a response status
         */
        Response<T> handle() throws Exception;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor$Response.class */
    /**
     * Pairs a Thrift response status with an optional payload.
     *
     * @param <T> payload type
     */
    public static class Response<T> {
        // Both fields are written directly by the enclosing processor.
        private TSentryResponseStatus status;
        private T content;

        /** Creates a response whose status and content are both unset. */
        Response() {
        }

        /** Creates a response that carries only a status; the content stays {@code null}. */
        Response(TSentryResponseStatus tSentryResponseStatus) {
            this.status = tSentryResponseStatus;
            this.content = null;
        }

        /** Creates a response that carries a status and a payload. */
        Response(TSentryResponseStatus tSentryResponseStatus, T t) {
            this.status = tSentryResponseStatus;
            this.content = t;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
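    /**
     * Creates the processor backed by a {@link DelegateSentryStore} built from the given configuration.
     *
     * <p>The admin groups read here are the set that {@code inAdminGroups} intersects with the
     * requestor's groups, so their exact spelling decides who passes the admin-only checks.
     *
     * @param configuration service configuration; also supplies the admin groups and the
     *                      notification handler class names
     * @throws Exception if the store or the notification handlers cannot be created
     */
    public SentryGenericPolicyProcessor(Configuration configuration) throws Exception {
        this.store = new DelegateSentryStore(configuration);
        this.handerInvoker = new NotificationHandlerInvoker(createHandlers(configuration));
        this.conf = configuration;
        String[] configuredAdminGroups = configuration.getStrings(ServiceConstants.ServerConfig.ADMIN_GROUPS, new String[0]);
        // Trim every entry, exactly as the two-argument constructor does. Without this, an entry
        // that keeps surrounding whitespace (for instance from a "a, b" style value) could not
        // match a group name in inAdminGroups, and the tested code path would differ from the
        // production one.
        this.adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(configuredAdminGroups)));
    }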

    /**
     * Test-only constructor that takes the store instead of building one.
     *
     * @param configuration    service configuration; supplies the admin groups and handler class names
     * @param sentryStoreLayer store to delegate to
     * @throws Exception if the notification handlers cannot be created
     */
    @VisibleForTesting
    SentryGenericPolicyProcessor(Configuration configuration, SentryStoreLayer sentryStoreLayer) throws Exception {
        this.conf = configuration;
        this.store = sentryStoreLayer;
        this.handerInvoker = new NotificationHandlerInvoker(createHandlers(configuration));
        // Admin group names are trimmed before they are frozen into the immutable set.
        String[] configuredAdminGroups = configuration.getStrings(ServiceConstants.ServerConfig.ADMIN_GROUPS, new String[0]);
        Set<String> trimmedAdminGroups = toTrimmed(Sets.newHashSet(configuredAdminGroups));
        this.adminGroups = ImmutableSet.copyOf(trimmedAdminGroups);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Admin gate: passes only when the given groups intersect the configured admin groups.
     *
     * <p>The user name is used for the log line and the exception message only; the decision
     * rests entirely on {@code set}.
     *
     * @param str requestor user name
     * @param set groups the requestor belongs to
     * @throws SentryAccessDeniedException if none of the groups is an admin group
     */
    public void authorize(String str, Set<String> set) throws SentryAccessDeniedException {
        if (!inAdminGroups(set)) {
            // NOTE(review): str and set are concatenated into the log line as-is; if the name can
            // carry line breaks, the log layout should encode them — confirm.
            String denial = "User: " + str + " is part of " + set + " which does not, intersect admin groups " + this.adminGroups;
            LOGGER.warn(denial);
            throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + str);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Returns a new set holding every element of {@code set}, trimmed and lower-cased.
     *
     * @param set names to normalise; may be {@code null}
     * @return the normalised names, or an empty set when {@code set} is {@code null}
     */
    public Set<String> toTrimmedLower(Set<String> set) {
        if (set == null) {
            return Collections.emptySet();
        }
        Set<String> normalised = new HashSet<String>(set.size());
        for (String name : set) {
            // NOTE(review): toLowerCase() follows the JVM default locale; the result feeds an
            // access check in list_sentry_privileges_by_role, so a fixed locale may be preferable.
            normalised.add(name.trim().toLowerCase());
        }
        return normalised;
    }

    /**
     * Returns a new set holding every element of {@code set} with surrounding whitespace removed.
     *
     * @param set names to trim; may be {@code null}
     * @return the trimmed names, or an empty set when {@code set} is {@code null}
     */
    private Set<String> toTrimmed(Set<String> set) {
        if (set == null) {
            return Collections.emptySet();
        }
        Set<String> trimmed = new HashSet<String>(set.size());
        for (String name : set) {
            trimmed.add(name.trim());
        }
        return trimmed;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Trims and lower-cases a single name.
     *
     * @param str name to normalise; may be {@code null}
     * @return the normalised name, or the empty string for {@code null} or empty input
     */
    public String toTrimmedLower(String str) {
        if (Strings.isNullOrEmpty(str)) {
            return "";
        }
        // NOTE(review): toLowerCase() follows the JVM default locale; the result is compared
        // against role names in an access check, so a fixed locale may be preferable.
        String trimmed = str.trim();
        return trimmed.toLowerCase();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Looks up the groups of a user by delegating to
     * {@link SentryPolicyStoreProcessor#getGroupsFromUserName}.
     *
     * <p>Every caller in this class passes the user name taken from the request object; this
     * method does not itself verify that the caller is that user.
     *
     * @param configuration service configuration handed to the lookup
     * @param str           user name to resolve
     * @return the groups reported for the user
     * @throws SentryUserException if the lookup fails
     */
    public static Set<String> getRequestorGroups(Configuration configuration, String str) throws SentryUserException {
        Set<String> groups = SentryPolicyStoreProcessor.getGroupsFromUserName(configuration, str);
        return groups;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Tells whether at least one of the given groups is a configured admin group.
     *
     * @param set groups to test
     * @return {@code true} when the intersection with the admin groups is non-empty
     */
    public boolean inAdminGroups(Set<String> set) {
        // Membership is decided by the sets' own contains(); no case folding or trimming is applied here.
        Set<String> shared = Sets.intersection(this.adminGroups, set);
        return !shared.isEmpty();
    }

    /**
     * Instantiates the notification handlers named under {@code sentry.generic.policy.notification}.
     *
     * <p>The value is split on whitespace and commas; each token is treated as a class name and
     * loaded reflectively, so write access to this setting amounts to choosing code that runs in
     * the service.
     *
     * @param configuration configuration to read the class names from and to pass to each handler
     * @return the handlers, in configuration order; empty when the key is unset
     * @throws SentrySiteConfigurationException if any handler cannot be created
     */
    static List<NotificationHandler> createHandlers(Configuration configuration) throws SentrySiteConfigurationException {
        List<NotificationHandler> handlers = Lists.newArrayList();
        try {
            Splitter classNameSplitter = Splitter.onPattern("[\\s,]").trimResults().omitEmptyStrings();
            String configuredNames = configuration.get("sentry.generic.policy.notification", "");
            for (String className : classNameSplitter.split(configuredNames)) {
                handlers.add(createInstance(className, configuration, NotificationHandler.class));
            }
            return handlers;
        } catch (Exception e) {
            throw new SentrySiteConfigurationException("Create notificationHandlers error: " + e.getMessage(), e);
        }
    }

    /**
     * Reflectively creates an instance of the named class through its {@code (Configuration)} constructor.
     *
     * @param str           fully qualified class name
     * @param configuration argument passed to the constructor
     * @param cls           type the loaded class must be assignable to
     * @return the new instance
     * @throws Exception declared by the signature; every failure visible here, including the
     *                   type mismatch, is rethrown wrapped in a {@link RuntimeException}
     */
    private static <T> T createInstance(String str, Configuration configuration, Class<T> cls) throws Exception {
        try {
            // NOTE(review): Class.forName(String) initializes the class, so its static initializer
            // runs before the assignability check below rejects an unexpected type.
            Class<?> loaded = Class.forName(str);
            if (cls.isAssignableFrom(loaded)) {
                Constructor<?> configCtor = loaded.getDeclaredConstructor(Configuration.class);
                // Non-public constructors are accepted on purpose.
                configCtor.setAccessible(true);
                return cls.cast(configCtor.newInstance(configuration));
            }
            throw new IllegalArgumentException("Class " + loaded + " is not a " + cls.getName());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

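    /**
     * Runs a request handler and converts any exception it throws into a response status.
     *
     * <p>When the handler throws, the returned response is the empty one created up front, with
     * only its status set; its content stays {@code null}.
     *
     * @param requestHandler work to execute
     * @return the handler's response, or a status-only response describing the failure
     */
    private <T> Response<T> requestHandle(RequestHandler<T> requestHandler) {
        Response<T> response = new Response<>();
        try {
            response = requestHandler.handle();
        } catch (SentryAccessDeniedException e) {
            LOGGER.error("Sentry access denied: " + e.getMessage(), e);
            response.status = Status.AccessDenied(e.getMessage(), e);
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error("Sentry thrift API mismatch error: " + e.getMessage(), e);
            response.status = Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e);
        } catch (SentryInvalidInputException e) {
            String message = "Invalid input privilege object: " + e.getMessage();
            LOGGER.error(message, e);
            response.status = Status.InvalidInput(message, e);
        } catch (SentryAlreadyExistsException e) {
            LOGGER.error("Sentry object already exists: " + e.getMessage(), e);
            response.status = Status.AlreadyExists(e.getMessage(), e);
        } catch (SentryNoSuchObjectException e) {
            // Must come before the catch-all: placed after catch (Exception) this clause can
            // never be reached, and a missing object would be reported as a runtime error.
            LOGGER.error("Sentry object doesn't exist: " + e.getMessage(), e);
            response.status = Status.NoSuchObject(e.getMessage(), e);
        } catch (Exception e) {
            // NOTE(review): the raw exception message, and the exception itself, are handed to
            // Status and so may reach the client; what Status exposes is not visible here — confirm.
            String message = "Unknown error:" + e.getMessage();
            LOGGER.error(message, e);
            response.status = Status.RuntimeError(message, e);
        }
        return response;
    }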

    /* JADX INFO: Access modifiers changed from: private */
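    /**
     * Converts a Thrift privilege into the store's {@link PrivilegeObject}.
     *
     * <p>The grant option maps TRUE to {@code true}, FALSE to {@code false} and anything else to
     * {@code null}.
     *
     * @param tSentryPrivilege privilege received over Thrift; its grant option must not be {@code null}
     * @return the equivalent privilege object
     */
    public PrivilegeObject toPrivilegeObject(TSentryPrivilege tSentryPrivilege) {
        TSentryGrantOption requested = tSentryPrivilege.getGrantOption();
        // Resolved with if/else into a Boolean: a nested conditional of the form
        // "a ? true : b ? false : null" is typed as primitive boolean and unboxes the null
        // branch, which throws NullPointerException for every option other than TRUE or FALSE.
        Boolean grantOption;
        if (requested.equals(TSentryGrantOption.TRUE)) {
            grantOption = Boolean.TRUE;
        } else if (requested.equals(TSentryGrantOption.FALSE)) {
            grantOption = Boolean.FALSE;
        } else {
            grantOption = null;
        }
        return new PrivilegeObject.Builder()
                .setComponent(tSentryPrivilege.getComponent())
                .setService(tSentryPrivilege.getServiceName())
                .setAuthorizables(toAuthorizables(tSentryPrivilege.getAuthorizables()))
                .setAction(tSentryPrivilege.getAction())
                .withGrantOption(grantOption)
                .build();
    }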

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Converts a store {@link PrivilegeObject} into its Thrift form.
     *
     * @param privilegeObject privilege read from the store
     * @return the Thrift privilege; a {@code null} grant option becomes UNSET
     */
    public TSentryPrivilege fromPrivilegeObject(PrivilegeObject privilegeObject) {
        TSentryPrivilege converted = new TSentryPrivilege(privilegeObject.getComponent(), privilegeObject.getService(), fromAuthorizable(privilegeObject.getAuthorizables()), privilegeObject.getAction());
        TSentryGrantOption option;
        if (privilegeObject.getGrantOption() == null) {
            option = TSentryGrantOption.UNSET;
        } else {
            option = privilegeObject.getGrantOption().booleanValue() ? TSentryGrantOption.TRUE : TSentryGrantOption.FALSE;
        }
        converted.setGrantOption(option);
        return converted;
    }

    /**
     * Converts authorizables into their Thrift form, preserving order.
     *
     * @param list authorizables to convert; must not be {@code null}
     * @return a new list with one {@code TAuthorizable} per input element
     */
    private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> list) {
        List<TAuthorizable> converted = Lists.newArrayList();
        for (Authorizable source : list) {
            TAuthorizable thriftForm = new TAuthorizable(source.getTypeName(), source.getName());
            converted.add(thriftForm);
        }
        return converted;
    }

    /**
     * Renders authorizables as one string: each becomes a type/name pair joined by
     * {@code KV_JOINER}, and the pairs are joined by {@code AUTHORIZABLE_JOINER}.
     *
     * @param list authorizables to render; may be {@code null}
     * @return the joined string, or the empty string for {@code null} or empty input
     */
    private String fromAuthorizableToStr(List<? extends Authorizable> list) {
        boolean nothingToRender = list == null || list.isEmpty();
        if (nothingToRender) {
            return "";
        }
        List<String> pairs = Lists.newArrayList();
        for (Authorizable item : list) {
            String pair = SentryConstants.KV_JOINER.join(item.getTypeName(), item.getName());
            pairs.add(pair);
        }
        return SentryConstants.AUTHORIZABLE_JOINER.join(pairs);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Wraps Thrift authorizables as {@link Authorizable} views.
     *
     * <p>Each view reads through to its {@code TAuthorizable} on every call, so a later change to
     * the Thrift object is visible through the view.
     *
     * @param list Thrift authorizables; may be {@code null}
     * @return a new list of views, empty when {@code list} is {@code null}
     */
    public List<? extends Authorizable> toAuthorizables(List<TAuthorizable> list) {
        List<Authorizable> views = Lists.newArrayList();
        if (list != null) {
            for (final TAuthorizable source : list) {
                Authorizable view = new Authorizable() {
                    public String getTypeName() {
                        return source.getType();
                    }

                    public String getName() {
                        return source.getName();
                    }
                };
                views.add(view);
            }
        }
        return views;
    }

    /**
     * Parses a joined authorizable string into {@link Authorizable} objects.
     *
     * <p>The string is split with {@code AUTHORIZABLE_SPLITTER}; each piece is parsed by
     * {@link KeyValue}, whose key becomes the type name and whose value becomes the name.
     *
     * @param str joined authorizables; may be {@code null}
     * @return a new list of authorizables, empty when {@code str} is {@code null}
     */
    private List<? extends Authorizable> toAuthorizables(String str) {
        List<Authorizable> parsed = Lists.newArrayList();
        if (str != null) {
            for (Object piece : SentryConstants.AUTHORIZABLE_SPLITTER.split(str)) {
                KeyValue pair = new KeyValue((String) piece);
                final String typeName = pair.getKey();
                final String name = pair.getValue();
                parsed.add(new Authorizable() {
                    public String getTypeName() {
                        return typeName;
                    }

                    public String getName() {
                        return name;
                    }
                });
            }
        }
        return parsed;
    }

    /**
     * Groups privileges by the name of every role that holds them.
     *
     * @param set persisted privileges, each carrying its roles
     * @return a Thrift map from role name to that role's privileges, both kept in sorted collections
     */
    private TSentryPrivilegeMap toTSentryPrivilegeMap(Set<MSentryGMPrivilege> set) {
        TreeMap<String, Set<TSentryPrivilege>> privilegesByRole = new TreeMap<String, Set<TSentryPrivilege>>();
        for (MSentryGMPrivilege stored : set) {
            for (MSentryRole role : stored.getRoles()) {
                // A separate Thrift object is built for each role the privilege belongs to.
                TSentryPrivilege converted = toTSentryPrivilege(stored);
                String roleName = role.getRoleName();
                Set<TSentryPrivilege> bucket = privilegesByRole.get(roleName);
                if (bucket == null) {
                    bucket = new TreeSet<TSentryPrivilege>();
                    privilegesByRole.put(roleName, bucket);
                }
                bucket.add(converted);
            }
        }
        return new TSentryPrivilegeMap(privilegesByRole);
    }

    /**
     * Converts a persisted privilege into its Thrift form.
     *
     * @param mSentryGMPrivilege privilege as stored
     * @return the Thrift privilege; a {@code null} grant option becomes UNSET
     */
    private TSentryPrivilege toTSentryPrivilege(MSentryGMPrivilege mSentryGMPrivilege) {
        TSentryPrivilege converted = new TSentryPrivilege(mSentryGMPrivilege.getComponentName(), mSentryGMPrivilege.getServiceName(), fromAuthorizable(mSentryGMPrivilege.getAuthorizables()), mSentryGMPrivilege.getAction());
        TSentryGrantOption option;
        if (mSentryGMPrivilege.getGrantOption() == null) {
            option = TSentryGrantOption.UNSET;
        } else {
            option = mSentryGMPrivilege.getGrantOption().booleanValue() ? TSentryGrantOption.TRUE : TSentryGrantOption.FALSE;
        }
        converted.setGrantOption(option);
        return converted;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Renders each privilege as one permission string.
     *
     * <p>A permission is the list of key/value pairs for the optional {@code server} entry, every
     * authorizable, and the action, joined with {@code AUTHORIZABLE_JOINER}.
     *
     * @param set privileges to render
     * @return the distinct permission strings
     */
    public Set<String> buildPermissions(Set<PrivilegeObject> set) {
        Set<String> permissions = Sets.newHashSet();
        for (PrivilegeObject privilege : set) {
            List<String> parts = Lists.newArrayList();
            // Only some components carry the service name as a leading "server" entry.
            if (hasComponentServerPrivilege(privilege.getComponent())) {
                parts.add(SentryConstants.KV_JOINER.join("server", privilege.getService()));
            }
            for (Authorizable item : privilege.getAuthorizables()) {
                parts.add(SentryConstants.KV_JOINER.join(item.getTypeName(), item.getName()));
            }
            parts.add(SentryConstants.KV_JOINER.join(SentryStore.ACTION, privilege.getAction()));
            String permission = SentryConstants.AUTHORIZABLE_JOINER.join(parts);
            permissions.add(permission);
        }
        return permissions;
    }

    /**
     * Tells whether permissions of the component start with a {@code server} entry.
     *
     * @param str component name; may be {@code null}
     * @return {@code true} only for "sqoop", compared without regard to case
     */
    private boolean hasComponentServerPrivilege(String str) {
        if (str == null) {
            return false;
        }
        return str.equalsIgnoreCase("sqoop");
    }

    /**
     * Creates a role. Admin-only: the requestor's groups must intersect the admin groups.
     *
     * <p>The requestor name is taken from the request; authentication of that name is not
     * visible in this method. An audit entry is written whether the request succeeded or not,
     * and a failure to build it is only logged.
     *
     * @param tCreateSentryRoleRequest request naming the component, role and requestor
     * @return response carrying the resulting status
     */
    @Override // org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService.Iface
    public TCreateSentryRoleResponse create_sentry_role(final TCreateSentryRoleRequest tCreateSentryRoleRequest) throws TException {
        RequestHandler<Void> createRole = new RequestHandler<Void>() {
            @Override
            public Response<Void> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tCreateSentryRoleRequest.getProtocol_version());
                String requestor = tCreateSentryRoleRequest.getRequestorUserName();
                authorize(requestor, getRequestorGroups(conf, requestor));
                store.createRole(tCreateSentryRoleRequest.getComponent(), tCreateSentryRoleRequest.getRoleName(), requestor);
                return new Response<Void>(Status.OK());
            }
        };
        Response<Void> outcome = requestHandle(createRole);
        TCreateSentryRoleResponse reply = new TCreateSentryRoleResponse(outcome.status);
        // Handlers are notified only after the store accepted the change.
        boolean succeeded = Status.OK.getCode() == outcome.status.getValue();
        if (succeeded) {
            this.handerInvoker.create_sentry_role(tCreateSentryRoleRequest, reply);
        }
        try {
            String auditEntry = JsonLogEntityFactory.getInstance().createJsonLogEntity(tCreateSentryRoleRequest, reply, this.conf).toJsonFormatLog();
            AUDIT_LOGGER.info(auditEntry);
        } catch (Exception e) {
            LOGGER.error("Error in creating audit log for create role: " + e.getMessage(), e);
        }
        return reply;
    }

    /**
     * Drops a role. Admin-only: the requestor's groups must intersect the admin groups.
     *
     * <p>The requestor name is taken from the request; authentication of that name is not
     * visible in this method. An audit entry is written whether the request succeeded or not,
     * and a failure to build it is only logged.
     *
     * @param tDropSentryRoleRequest request naming the component, role and requestor
     * @return response carrying the resulting status
     */
    @Override // org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService.Iface
    public TDropSentryRoleResponse drop_sentry_role(final TDropSentryRoleRequest tDropSentryRoleRequest) throws TException {
        RequestHandler<Void> dropRole = new RequestHandler<Void>() {
            @Override
            public Response<Void> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tDropSentryRoleRequest.getProtocol_version());
                String requestor = tDropSentryRoleRequest.getRequestorUserName();
                authorize(requestor, getRequestorGroups(conf, requestor));
                store.dropRole(tDropSentryRoleRequest.getComponent(), tDropSentryRoleRequest.getRoleName(), requestor);
                return new Response<Void>(Status.OK());
            }
        };
        Response<Void> outcome = requestHandle(dropRole);
        TDropSentryRoleResponse reply = new TDropSentryRoleResponse(outcome.status);
        // Handlers are notified only after the store accepted the change.
        boolean succeeded = Status.OK.getCode() == outcome.status.getValue();
        if (succeeded) {
            this.handerInvoker.drop_sentry_role(tDropSentryRoleRequest, reply);
        }
        try {
            String auditEntry = JsonLogEntityFactory.getInstance().createJsonLogEntity(tDropSentryRoleRequest, reply, this.conf).toJsonFormatLog();
            AUDIT_LOGGER.info(auditEntry);
        } catch (Exception e) {
            LOGGER.error("Error in creating audit log for drop role: " + e.getMessage(), e);
        }
        return reply;
    }

    /**
     * Grants a privilege to a role.
     *
     * <p>An audit entry is written whether the request succeeded or not, and a failure to build
     * it is only logged.
     *
     * @param tAlterSentryRoleGrantPrivilegeRequest request naming the component, role, privilege and requestor
     * @return response carrying the resulting status
     */
    @Override // org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService.Iface
    public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(final TAlterSentryRoleGrantPrivilegeRequest tAlterSentryRoleGrantPrivilegeRequest) throws TException {
        RequestHandler<Void> grantPrivilege = new RequestHandler<Void>() {
            @Override
            public Response<Void> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tAlterSentryRoleGrantPrivilegeRequest.getProtocol_version());
                // NOTE(review): unlike create_sentry_role and drop_sentry_role, no authorize()
                // call is made here. The requestor name is forwarded to the store, which
                // presumably decides whether that user may grant — confirm against the store.
                PrivilegeObject privilege = toPrivilegeObject(tAlterSentryRoleGrantPrivilegeRequest.getPrivilege());
                store.alterRoleGrantPrivilege(tAlterSentryRoleGrantPrivilegeRequest.getComponent(), tAlterSentryRoleGrantPrivilegeRequest.getRoleName(), privilege, tAlterSentryRoleGrantPrivilegeRequest.getRequestorUserName());
                return new Response<Void>(Status.OK());
            }
        };
        Response<Void> outcome = requestHandle(grantPrivilege);
        TAlterSentryRoleGrantPrivilegeResponse reply = new TAlterSentryRoleGrantPrivilegeResponse(outcome.status);
        // Handlers are notified only after the store accepted the change.
        boolean succeeded = Status.OK.getCode() == outcome.status.getValue();
        if (succeeded) {
            this.handerInvoker.alter_sentry_role_grant_privilege(tAlterSentryRoleGrantPrivilegeRequest, reply);
        }
        try {
            String auditEntry = JsonLogEntityFactory.getInstance().createJsonLogEntity(tAlterSentryRoleGrantPrivilegeRequest, reply, this.conf).toJsonFormatLog();
            AUDIT_LOGGER.info(auditEntry);
        } catch (Exception e) {
            LOGGER.error("Error in creating audit log for grant privilege to role: " + e.getMessage(), e);
        }
        return reply;
    }

    /**
     * Revokes a privilege from a role.
     *
     * <p>An audit entry is written whether the request succeeded or not, and a failure to build
     * it is only logged.
     *
     * @param tAlterSentryRoleRevokePrivilegeRequest request naming the component, role, privilege and requestor
     * @return response carrying the resulting status
     */
    @Override // org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService.Iface
    public TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(final TAlterSentryRoleRevokePrivilegeRequest tAlterSentryRoleRevokePrivilegeRequest) throws TException {
        RequestHandler<Void> revokePrivilege = new RequestHandler<Void>() {
            @Override
            public Response<Void> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tAlterSentryRoleRevokePrivilegeRequest.getProtocol_version());
                // NOTE(review): unlike create_sentry_role and drop_sentry_role, no authorize()
                // call is made here. The requestor name is forwarded to the store, which
                // presumably decides whether that user may revoke — confirm against the store.
                PrivilegeObject privilege = toPrivilegeObject(tAlterSentryRoleRevokePrivilegeRequest.getPrivilege());
                store.alterRoleRevokePrivilege(tAlterSentryRoleRevokePrivilegeRequest.getComponent(), tAlterSentryRoleRevokePrivilegeRequest.getRoleName(), privilege, tAlterSentryRoleRevokePrivilegeRequest.getRequestorUserName());
                return new Response<Void>(Status.OK());
            }
        };
        Response<Void> outcome = requestHandle(revokePrivilege);
        TAlterSentryRoleRevokePrivilegeResponse reply = new TAlterSentryRoleRevokePrivilegeResponse(outcome.status);
        // Handlers are notified only after the store accepted the change.
        boolean succeeded = Status.OK.getCode() == outcome.status.getValue();
        if (succeeded) {
            this.handerInvoker.alter_sentry_role_revoke_privilege(tAlterSentryRoleRevokePrivilegeRequest, reply);
        }
        try {
            String auditEntry = JsonLogEntityFactory.getInstance().createJsonLogEntity(tAlterSentryRoleRevokePrivilegeRequest, reply, this.conf).toJsonFormatLog();
            AUDIT_LOGGER.info(auditEntry);
        } catch (Exception e) {
            LOGGER.error("Error in creating audit log for revoke privilege from role: " + e.getMessage(), e);
        }
        return reply;
    }

    /**
     * Adds groups to a role. Admin-only: the requestor's groups must intersect the admin groups.
     *
     * <p>The requestor name is taken from the request; authentication of that name is not
     * visible in this method. An audit entry is written whether the request succeeded or not,
     * and a failure to build it is only logged.
     *
     * @param tAlterSentryRoleAddGroupsRequest request naming the component, role, groups and requestor
     * @return response carrying the resulting status
     */
    @Override // org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService.Iface
    public TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(final TAlterSentryRoleAddGroupsRequest tAlterSentryRoleAddGroupsRequest) throws TException {
        RequestHandler<Void> addGroups = new RequestHandler<Void>() {
            @Override
            public Response<Void> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tAlterSentryRoleAddGroupsRequest.getProtocol_version());
                String requestor = tAlterSentryRoleAddGroupsRequest.getRequestorUserName();
                authorize(requestor, getRequestorGroups(conf, requestor));
                store.alterRoleAddGroups(tAlterSentryRoleAddGroupsRequest.getComponent(), tAlterSentryRoleAddGroupsRequest.getRoleName(), tAlterSentryRoleAddGroupsRequest.getGroups(), requestor);
                return new Response<Void>(Status.OK());
            }
        };
        Response<Void> outcome = requestHandle(addGroups);
        TAlterSentryRoleAddGroupsResponse reply = new TAlterSentryRoleAddGroupsResponse(outcome.status);
        // Handlers are notified only after the store accepted the change.
        boolean succeeded = Status.OK.getCode() == outcome.status.getValue();
        if (succeeded) {
            this.handerInvoker.alter_sentry_role_add_groups(tAlterSentryRoleAddGroupsRequest, reply);
        }
        try {
            String auditEntry = JsonLogEntityFactory.getInstance().createJsonLogEntity(tAlterSentryRoleAddGroupsRequest, reply, this.conf).toJsonFormatLog();
            AUDIT_LOGGER.info(auditEntry);
        } catch (Exception e) {
            LOGGER.error("Error in creating audit log for add role to group: " + e.getMessage(), e);
        }
        return reply;
    }

    /**
     * Removes groups from a role. Admin-only: the requestor's groups must intersect the admin groups.
     *
     * <p>The requestor name is taken from the request; authentication of that name is not
     * visible in this method. An audit entry is written whether the request succeeded or not,
     * and a failure to build it is only logged.
     *
     * @param tAlterSentryRoleDeleteGroupsRequest request naming the component, role, groups and requestor
     * @return response carrying the resulting status
     */
    @Override // org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService.Iface
    public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(final TAlterSentryRoleDeleteGroupsRequest tAlterSentryRoleDeleteGroupsRequest) throws TException {
        RequestHandler<Void> deleteGroups = new RequestHandler<Void>() {
            @Override
            public Response<Void> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tAlterSentryRoleDeleteGroupsRequest.getProtocol_version());
                String requestor = tAlterSentryRoleDeleteGroupsRequest.getRequestorUserName();
                authorize(requestor, getRequestorGroups(conf, requestor));
                store.alterRoleDeleteGroups(tAlterSentryRoleDeleteGroupsRequest.getComponent(), tAlterSentryRoleDeleteGroupsRequest.getRoleName(), tAlterSentryRoleDeleteGroupsRequest.getGroups(), requestor);
                return new Response<Void>(Status.OK());
            }
        };
        Response<Void> outcome = requestHandle(deleteGroups);
        TAlterSentryRoleDeleteGroupsResponse reply = new TAlterSentryRoleDeleteGroupsResponse(outcome.status);
        // Handlers are notified only after the store accepted the change.
        boolean succeeded = Status.OK.getCode() == outcome.status.getValue();
        if (succeeded) {
            this.handerInvoker.alter_sentry_role_delete_groups(tAlterSentryRoleDeleteGroupsRequest, reply);
        }
        try {
            String auditEntry = JsonLogEntityFactory.getInstance().createJsonLogEntity(tAlterSentryRoleDeleteGroupsRequest, reply, this.conf).toJsonFormatLog();
            AUDIT_LOGGER.info(auditEntry);
        } catch (Exception e) {
            LOGGER.error("Error in creating audit log for delete role from group: " + e.getMessage(), e);
        }
        return reply;
    }

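    /**
     * Lists the roles of a group, or of all of the requestor's groups when the group name is "*".
     *
     * <p>For a named group the requestor must be an admin or a member of that group. Each
     * returned role carries every group the store reports for it, not only the requested one.
     * No audit entry is written for this call.
     *
     * @param tListSentryRolesRequest request naming the component, group and requestor
     * @return response carrying the status and, on success, the roles
     */
    @Override // org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService.Iface
    public TListSentryRolesResponse list_sentry_roles_by_group(final TListSentryRolesRequest tListSentryRolesRequest) throws TException {
        Response<Set<TSentryRole>> outcome = requestHandle(new RequestHandler<Set<TSentryRole>>() {
            @Override
            public Response<Set<TSentryRole>> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tListSentryRolesRequest.getProtocol_version());
                Set<String> requestorGroups = getRequestorGroups(conf, tListSentryRolesRequest.getRequestorUserName());
                Set<String> groupsToQuery = requestorGroups;
                String groupName = tListSentryRolesRequest.getGroupName();
                if (!"*".equalsIgnoreCase(groupName)) {
                    if (!inAdminGroups(requestorGroups) && (groupName == null || !requestorGroups.contains(groupName))) {
                        throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + tListSentryRolesRequest.getRequestorUserName());
                    }
                    // Query with a fresh single-element set instead of clearing the set returned
                    // by the group lookup: that set belongs to the lookup and may be shared or
                    // unmodifiable.
                    groupsToQuery = new HashSet<String>();
                    groupsToQuery.add(groupName);
                }
                Set<String> rolesByGroups = store.getRolesByGroups(tListSentryRolesRequest.getComponent(), groupsToQuery);
                Set<TSentryRole> roles = Sets.newHashSet();
                for (String roleName : rolesByGroups) {
                    roles.add(new TSentryRole(roleName, store.getGroupsByRoles(tListSentryRolesRequest.getComponent(), Sets.newHashSet(new String[]{roleName}))));
                }
                return new Response<Set<TSentryRole>>(Status.OK(), roles);
            }
        });
        TListSentryRolesResponse reply = new TListSentryRolesResponse();
        reply.setStatus(outcome.status);
        reply.setRoles(outcome.content);
        return reply;
    }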

    /**
     * Lists the privileges of a role.
     *
     * <p>The requestor must be an admin or hold the role through one of their groups. No audit
     * entry is written for this call.
     *
     * @param tListSentryPrivilegesRequest request naming the component, service, role, authorizables and requestor
     * @return response carrying the status and, on success, the privileges
     */
    @Override // org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService.Iface
    public TListSentryPrivilegesResponse list_sentry_privileges_by_role(final TListSentryPrivilegesRequest tListSentryPrivilegesRequest) throws TException {
        RequestHandler<Set<TSentryPrivilege>> listPrivileges = new RequestHandler<Set<TSentryPrivilege>>() {
            @Override
            public Response<Set<TSentryPrivilege>> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tListSentryPrivilegesRequest.getProtocol_version());
                Set<String> requestorGroups = getRequestorGroups(conf, tListSentryPrivilegesRequest.getRequestorUserName());
                if (!inAdminGroups(requestorGroups)) {
                    // The membership test compares trimmed, lower-cased role names.
                    Set<String> ownRoles = toTrimmedLower(store.getRolesByGroups(tListSentryPrivilegesRequest.getComponent(), requestorGroups));
                    if (!ownRoles.contains(toTrimmedLower(tListSentryPrivilegesRequest.getRoleName()))) {
                        throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + tListSentryPrivilegesRequest.getRequestorUserName());
                    }
                }
                // NOTE(review): the check above normalises the role name, but the query below
                // passes it as received; presumably the store applies the same normalisation — confirm.
                Set<PrivilegeObject> stored = store.getPrivilegesByProvider(tListSentryPrivilegesRequest.getComponent(), tListSentryPrivilegesRequest.getServiceName(), Sets.newHashSet(new String[]{tListSentryPrivilegesRequest.getRoleName()}), null, toAuthorizables(tListSentryPrivilegesRequest.getAuthorizables()));
                Set<TSentryPrivilege> privileges = Sets.newHashSet();
                for (PrivilegeObject privilege : stored) {
                    privileges.add(fromPrivilegeObject(privilege));
                }
                return new Response<Set<TSentryPrivilege>>(Status.OK(), privileges);
            }
        };
        Response<Set<TSentryPrivilege>> outcome = requestHandle(listPrivileges);
        TListSentryPrivilegesResponse reply = new TListSentryPrivilegesResponse();
        reply.setStatus(outcome.status);
        reply.setPrivileges(outcome.content);
        return reply;
    }

    /**
     * Resolves the permission strings a provider should enforce for a set of groups.
     *
     * <p>The roles queried are those granted to the groups named in the request, narrowed to the
     * requested role set unless that set is marked "all".
     *
     * <p>NOTE(review): unlike the neighbouring list handlers, nothing in this method looks at the
     * requestor or checks admin membership - the groups are taken from the request as given.
     * Presumably only trusted services call this endpoint; confirm that is enforced elsewhere.
     *
     * @param tListSentryPrivilegesForProviderRequest component, service, groups, role set, authorizables
     * @return response carrying the handler status and, on success, the permission strings
     * @throws TException declared by the Thrift interface
     */
    @Override
    public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(final TListSentryPrivilegesForProviderRequest tListSentryPrivilegesForProviderRequest) throws TException {
        Response<Set<String>> outcome = requestHandle(new RequestHandler<Set<String>>() {
            @Override
            public Response<Set<String>> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tListSentryPrivilegesForProviderRequest.getProtocol_version());

                Set<String> requestedRoles = SentryGenericPolicyProcessor.this.toTrimmedLower(
                        tListSentryPrivilegesForProviderRequest.getRoleSet().getRoles());
                Set<String> groupRoles = SentryGenericPolicyProcessor.this.store.getRolesByGroups(
                        tListSentryPrivilegesForProviderRequest.getComponent(),
                        tListSentryPrivilegesForProviderRequest.getGroups());

                // A specific role set can only narrow what the groups already grant.
                Set<String> effectiveRoles;
                if (tListSentryPrivilegesForProviderRequest.getRoleSet().isAll()) {
                    effectiveRoles = groupRoles;
                } else {
                    effectiveRoles = Sets.intersection(requestedRoles, groupRoles);
                }

                Set<PrivilegeObject> stored = SentryGenericPolicyProcessor.this.store.getPrivilegesByProvider(
                        tListSentryPrivilegesForProviderRequest.getComponent(),
                        tListSentryPrivilegesForProviderRequest.getServiceName(),
                        effectiveRoles,
                        null,
                        SentryGenericPolicyProcessor.this.toAuthorizables(tListSentryPrivilegesForProviderRequest.getAuthorizables()));
                return new Response<>(Status.OK(), SentryGenericPolicyProcessor.this.buildPermissions(stored));
            }
        });

        TListSentryPrivilegesForProviderResponse response = new TListSentryPrivilegesForProviderResponse();
        response.setStatus(outcome.status);
        response.setPrivileges(outcome.content);
        return response;
    }

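    /**
     * Returns, for each authorizable named in the request, the privileges held by the roles the
     * requestor is allowed to inspect.
     *
     * <p>Role scoping:
     * <ul>
     *   <li>A requestor in an admin group may query every role, or the roles of the groups named
     *       in the request, optionally narrowed by the requested role set.</li>
     *   <li>Any other requestor may only name groups they belong to and roles granted to those
     *       groups. Naming anything else produces an access-denied status; the request is not
     *       silently narrowed.</li>
     * </ul>
     *
     * <p>Failures are reported through the response status and logged. The catch clauses are
     * ordered most-specific first so that a protocol version mismatch is reported as
     * {@code THRIFT_VERSION_MISMATCH}; the previous order placed it after the generic
     * {@code Exception} handler, where it could never be selected.
     *
     * <p>NOTE(review): the requestor name comes from the request itself, so these checks are only
     * as strong as the authentication of the calling service - confirm at the transport layer.
     *
     * @param tListSentryPrivilegesByAuthRequest component, service, groups, role set,
     *        authorizables and requestor
     * @return response whose status is OK with the per-authorizable privilege map, or an error status
     * @throws TException declared by the Thrift interface
     */
    @Override
    public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(TListSentryPrivilegesByAuthRequest tListSentryPrivilegesByAuthRequest) throws TException {
        TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse();
        // Left raw on purpose: the value type produced by toTSentryPrivilegeMap is not visible here.
        HashMap privilegesByAuthorizable = Maps.newHashMap();
        Set<String> groups = tListSentryPrivilegesByAuthRequest.getGroups();
        String requestorUserName = tListSentryPrivilegesByAuthRequest.getRequestorUserName();
        TSentryActiveRoleSet roleSet = tListSentryPrivilegesByAuthRequest.getRoleSet();
        Set<String> rolesToQuery = Sets.newHashSet();
        try {
            validateClientVersion(tListSentryPrivilegesByAuthRequest.getProtocol_version());
            Set<String> requestorGroups = getRequestorGroups(this.conf, requestorUserName);
            boolean groupsGiven = groups != null && !groups.isEmpty();
            boolean allRolesWanted = roleSet == null || roleSet.isAll();

            if (inAdminGroups(requestorGroups)) {
                // Admins start from every role and may scope the query to specific groups.
                Set<String> candidateRoles = toTrimmedLower(this.store.getAllRoleNames());
                if (groupsGiven) {
                    candidateRoles = toTrimmedLower(this.store.getRolesByGroups(tListSentryPrivilegesByAuthRequest.getComponent(), groups));
                }
                if (allRolesWanted) {
                    rolesToQuery.addAll(candidateRoles);
                } else {
                    rolesToQuery.addAll(Sets.intersection(toTrimmedLower(roleSet.getRoles()), candidateRoles));
                }
            } else {
                if (!groupsGiven) {
                    groups = requestorGroups;
                } else {
                    // A non-admin may not ask about a group they are not a member of.
                    for (String group : groups) {
                        if (!requestorGroups.contains(group)) {
                            throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestorUserName);
                        }
                    }
                }
                Set<String> grantedRoles = toTrimmedLower(this.store.getRolesByGroups(tListSentryPrivilegesByAuthRequest.getComponent(), groups));
                if (allRolesWanted) {
                    rolesToQuery.addAll(grantedRoles);
                } else {
                    Set<String> requestedRoles = toTrimmedLower(roleSet.getRoles());
                    // Every requested role must be one the groups actually grant.
                    for (String role : requestedRoles) {
                        if (!grantedRoles.contains(role)) {
                            throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestorUserName);
                        }
                    }
                    // The intersection keeps the result bounded by the granted roles even though
                    // the loop above has already rejected anything outside them.
                    rolesToQuery.addAll(Sets.intersection(requestedRoles, grantedRoles));
                }
            }

            if (tListSentryPrivilegesByAuthRequest.getAuthorizablesSet() != null) {
                for (String authorizableStr : tListSentryPrivilegesByAuthRequest.getAuthorizablesSet()) {
                    List<? extends Authorizable> authorizables = toAuthorizables(authorizableStr);
                    privilegesByAuthorizable.put(
                            fromAuthorizableToStr(authorizables),
                            toTSentryPrivilegeMap(this.store.getPrivilegesByAuthorizable(
                                    tListSentryPrivilegesByAuthRequest.getComponent(),
                                    tListSentryPrivilegesByAuthRequest.getServiceName(),
                                    rolesToQuery,
                                    authorizables)));
                }
            }
            response.setPrivilegesMapByAuth(privilegesByAuthorizable);
            response.setStatus(Status.OK());
        } catch (SentryAccessDeniedException denied) {
            LOGGER.error(denied.getMessage(), denied);
            response.setStatus(Status.AccessDenied(denied.getMessage(), denied));
        } catch (SentryThriftAPIMismatchException mismatch) {
            LOGGER.error(mismatch.getMessage(), mismatch);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(mismatch.getMessage(), mismatch));
        } catch (Exception unexpected) {
            // NOTE(review): this message, including the request's string form and the exception
            // text, is also placed in the status returned to the client - confirm it cannot
            // carry details that should stay server-side.
            String message = "Unknown error for request: " + tListSentryPrivilegesByAuthRequest + ", message: " + unexpected.getMessage();
            LOGGER.error(message, unexpected);
            response.setStatus(Status.RuntimeError(message, unexpected));
        }
        return response;
    }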

    /**
     * Drops a privilege from the store on behalf of the requestor.
     *
     * <p>The handler validates the protocol version, then calls {@code authorize} with the
     * requestor and their groups before touching the store. {@code authorize} is expected to
     * reject requestors that lack the needed rights; its body is not visible here. The
     * notification hook runs only when the handler finished with an OK status.
     *
     * @param tDropPrivilegesRequest component, privilege to drop and requestor
     * @return response carrying the handler status
     * @throws TException declared by the Thrift interface
     */
    @Override
    public TDropPrivilegesResponse drop_sentry_privilege(final TDropPrivilegesRequest tDropPrivilegesRequest) throws TException {
        Response<Void> outcome = requestHandle(new RequestHandler<Void>() {
            @Override
            public Response<Void> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tDropPrivilegesRequest.getProtocol_version());

                // Authorization comes first; the store call below is reached only if it passes.
                SentryGenericPolicyProcessor.this.authorize(
                        tDropPrivilegesRequest.getRequestorUserName(),
                        SentryGenericPolicyProcessor.getRequestorGroups(
                                SentryGenericPolicyProcessor.this.conf,
                                tDropPrivilegesRequest.getRequestorUserName()));

                SentryGenericPolicyProcessor.this.store.dropPrivilege(
                        tDropPrivilegesRequest.getComponent(),
                        SentryGenericPolicyProcessor.this.toPrivilegeObject(tDropPrivilegesRequest.getPrivilege()),
                        tDropPrivilegesRequest.getRequestorUserName());
                return new Response<>(Status.OK());
            }
        });

        TDropPrivilegesResponse response = new TDropPrivilegesResponse(outcome.status);
        boolean succeeded = Status.OK.getCode() == outcome.status.getValue();
        if (succeeded) {
            // Downstream handlers are told about the change only after it has been applied.
            this.handerInvoker.drop_sentry_privilege(tDropPrivilegesRequest, response);
        }
        return response;
    }

    /**
     * Re-points stored privileges from one authorizable path to another.
     *
     * <p>The handler validates the protocol version, then calls {@code authorize} with the
     * requestor and their groups before touching the store. {@code authorize} is expected to
     * reject requestors that lack the needed rights; its body is not visible here. The
     * notification hook runs only when the handler finished with an OK status.
     *
     * @param tRenamePrivilegesRequest component, service, old and new authorizables, requestor
     * @return response carrying the handler status
     * @throws TException declared by the Thrift interface
     */
    @Override
    public TRenamePrivilegesResponse rename_sentry_privilege(final TRenamePrivilegesRequest tRenamePrivilegesRequest) throws TException {
        Response<Void> outcome = requestHandle(new RequestHandler<Void>() {
            @Override
            public Response<Void> handle() throws Exception {
                SentryGenericPolicyProcessor.validateClientVersion(tRenamePrivilegesRequest.getProtocol_version());

                // Authorization comes first; the store call below is reached only if it passes.
                SentryGenericPolicyProcessor.this.authorize(
                        tRenamePrivilegesRequest.getRequestorUserName(),
                        SentryGenericPolicyProcessor.getRequestorGroups(
                                SentryGenericPolicyProcessor.this.conf,
                                tRenamePrivilegesRequest.getRequestorUserName()));

                SentryGenericPolicyProcessor.this.store.renamePrivilege(
                        tRenamePrivilegesRequest.getComponent(),
                        tRenamePrivilegesRequest.getServiceName(),
                        SentryGenericPolicyProcessor.this.toAuthorizables(tRenamePrivilegesRequest.getOldAuthorizables()),
                        SentryGenericPolicyProcessor.this.toAuthorizables(tRenamePrivilegesRequest.getNewAuthorizables()),
                        tRenamePrivilegesRequest.getRequestorUserName());
                return new Response<>(Status.OK());
            }
        });

        TRenamePrivilegesResponse response = new TRenamePrivilegesResponse(outcome.status);
        boolean succeeded = Status.OK.getCode() == outcome.status.getValue();
        if (succeeded) {
            // Downstream handlers are told about the change only after it has been applied.
            this.handerInvoker.rename_sentry_privilege(tRenamePrivilegesRequest, response);
        }
        return response;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Rejects a request whose Thrift protocol version is not the one this server speaks (2).
     *
     * @param i protocol version reported by the client
     * @throws SentryThriftAPIMismatchException if {@code i} is anything other than 2
     */
    public static void validateClientVersion(int i) throws SentryThriftAPIMismatchException {
        if (i == 2) {
            return;
        }
        throw new SentryThriftAPIMismatchException("Sentry thrift API protocol version mismatch: Client thrift version is: " + i + " , server thrift version is 2");
    }
}
