package org.apache.sentry.provider.db.generic.service.persistent;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.api.generic.thrift.TSentryRole;
import org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor;
import org.apache.sentry.api.service.thrift.TSentryGroup;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
import org.apache.sentry.provider.db.service.model.MSentryGroup;
import org.apache.sentry.provider.db.service.model.MSentryRole;
import org.apache.sentry.provider.db.service.persistent.QueryParamBuilder;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.persistent.TransactionBlock;

/* loaded from: input_file:org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.class */
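/**
 * {@link SentryStoreLayer} implementation for the generic authorization model that forwards role and
 * group bookkeeping to a {@link SentryStore} and privilege bookkeeping to a
 * {@link PrivilegeOperatePersistence}, running privilege work inside the delegate's transaction manager.
 *
 * <p>This listing is decompiler output, so the parameter names ({@code str}, {@code str2}, {@code set}, ...)
 * are synthetic. The {@code @param} descriptions below follow the argument each value is forwarded to and
 * the upstream Apache Sentry naming (component, role, requestor, ...); confirm against
 * {@code SentryStoreLayer} before relying on them.
 *
 * <p>Authorization scope visible in this class: only {@link #alterRoleGrantPrivilege} and
 * {@link #alterRoleRevokePrivilege} call {@code grantOptionCheck}. Every other mutator (create/drop role,
 * add/delete groups, rename/drop privilege) performs no requestor check here.
 * NOTE(review): presumably the calling service layer authorizes those operations; verify.
 */
public class DelegateSentryStore implements SentryStoreLayer {
    private final SentryStore delegate;
    private final Configuration conf;
    // Trimmed group names read from "sentry.service.admin.group"; membership skips the grant-option lookup.
    private final Set<String> adminGroups;
    private final PrivilegeOperatePersistence privilegeOperator;

    /**
     * Builds the privilege operator and the delegate store from the same configuration and snapshots
     * the configured admin groups into an immutable set.
     *
     * @param configuration service configuration; {@code sentry.service.admin.group} defaults to no groups
     * @throws Exception if either backing component fails to initialise
     */
    public DelegateSentryStore(Configuration configuration) throws Exception {
        this.privilegeOperator = new PrivilegeOperatePersistence(configuration);
        this.conf = configuration;
        this.delegate = new SentryStore(configuration);
        String[] configuredAdmins = configuration.getStrings("sentry.service.admin.group", new String[0]);
        // Names are trimmed but not case-folded, so the admin comparison in grantOptionCheck is case-sensitive.
        this.adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(configuredAdmins)));
    }

    /** Looks up a role by the exact name given; callers normalise the name where they need to. */
    private MSentryRole getRole(String str, PersistenceManager persistenceManager) {
        return this.delegate.getRole(persistenceManager, str);
    }

    /**
     * Creates a role in the delegate store.
     *
     * @param str component (unused here)
     * @param str2 role name, forwarded as given
     * @param str3 requestor (unused here; no authorization check is made in this method)
     * @return always {@code null}
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Object createRole(String str, String str2, String str3) throws Exception {
        // NOTE(review): unlike dropRole, the name is not trimmed/lower-cased here; presumably the
        // delegate normalises it on create - confirm, otherwise create and drop can disagree on the key.
        this.delegate.createSentryRole(str2);
        return null;
    }

    /**
     * Drops a role from the delegate store.
     *
     * @param str component (unused here)
     * @param str2 role name; trimmed and lower-cased before the lookup
     * @param str3 requestor (unused here; no authorization check is made in this method)
     * @return always {@code null}
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Object dropRole(String str, String str2, String str3) throws Exception {
        this.delegate.dropSentryRole(toTrimmedLower(str2));
        return null;
    }

    /** Returns every role name known to the delegate store. */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Set<String> getAllRoleNames() throws Exception {
        return this.delegate.getAllRoleNames();
    }

    /**
     * Adds groups to a role.
     *
     * @param str component (unused here)
     * @param str2 role name, forwarded as given
     * @param set group names; must not be {@code null}
     * @param str3 requestor, forwarded to the delegate as its first argument
     * @return always {@code null}
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Object alterRoleAddGroups(String str, String str2, Set<String> set, String str3) throws Exception {
        this.delegate.alterSentryRoleAddGroups(str3, str2, toTSentryGroups(set));
        return null;
    }

    /**
     * Removes groups from a role.
     *
     * @param str component (unused here)
     * @param str2 role name, forwarded as given
     * @param set group names; must not be {@code null}
     * @param str3 requestor (unused here; no authorization check is made in this method)
     * @return always {@code null}
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Object alterRoleDeleteGroups(String str, String str2, Set<String> set, String str3) throws Exception {
        this.delegate.alterSentryRoleDeleteGroups(str2, toTSentryGroups(set));
        return null;
    }

    /**
     * Grants a privilege to a role after verifying that the grantor may grant it.
     *
     * @param str component (unused here)
     * @param str2 role name; trimmed and lower-cased before the lookup
     * @param privilegeObject privilege to grant
     * @param str3 grantor principal checked by {@code grantOptionCheck}
     * @return always {@code null}
     * @throws SentryNoSuchObjectException if the role does not exist
     * @throws SentryUserException if the grantor is missing or not allowed to grant
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Object alterRoleGrantPrivilege(String str, String str2, PrivilegeObject privilegeObject, String str3) throws Exception {
        this.delegate.getTransactionManager().executeTransactionWithRetry(pm -> {
            pm.setDetachAllOnCommit(false);
            String roleName = toTrimmedLower(str2);
            MSentryRole role = getRole(roleName, pm);
            if (role == null) {
                throw new SentryNoSuchObjectException("Role: " + roleName);
            }
            // The authorization check runs in the same transaction as the change it guards.
            grantOptionCheck(privilegeObject, str3, pm);
            this.privilegeOperator.grantPrivilege(privilegeObject, role, pm);
            return null;
        });
        return null;
    }

    /**
     * Revokes a privilege from a role after verifying that the grantor may grant it.
     *
     * @param str component (unused here)
     * @param str2 role name; trimmed and lower-cased before the lookup
     * @param privilegeObject privilege to revoke
     * @param str3 grantor principal checked by {@code grantOptionCheck}
     * @return always {@code null}
     * @throws SentryNoSuchObjectException if the role does not exist
     * @throws SentryUserException if the grantor is missing or not allowed to grant
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Object alterRoleRevokePrivilege(String str, String str2, PrivilegeObject privilegeObject, String str3) throws Exception {
        this.delegate.getTransactionManager().executeTransactionWithRetry(pm -> {
            pm.setDetachAllOnCommit(false);
            String roleName = toTrimmedLower(str2);
            MSentryRole role = getRole(roleName, pm);
            if (role == null) {
                throw new SentryNoSuchObjectException("Role: " + roleName);
            }
            // The authorization check runs in the same transaction as the change it guards.
            grantOptionCheck(privilegeObject, str3, pm);
            this.privilegeOperator.revokePrivilege(privilegeObject, role, pm);
            return null;
        });
        return null;
    }

    /**
     * Renames the authorizable path of stored privileges.
     *
     * @param str component; trimmed and lower-cased
     * @param str2 service; trimmed and lower-cased
     * @param list old authorizables
     * @param list2 new authorizables; must have the same size as {@code list}
     * @param str3 requestor, forwarded to the privilege operator
     * @return always {@code null}
     * @throws NullPointerException if any of the first four arguments is {@code null}
     * @throws SentryAccessDeniedException if the two authorizable lists differ in size
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Object renamePrivilege(String str, String str2, List<? extends Authorizable> list, List<? extends Authorizable> list2, String str3) throws Exception {
        Preconditions.checkNotNull(str);
        Preconditions.checkNotNull(str2);
        Preconditions.checkNotNull(list);
        Preconditions.checkNotNull(list2);
        if (list.size() != list2.size()) {
            throw new SentryAccessDeniedException("rename privilege denied: the size of oldAuthorizables must equals the newAuthorizables oldAuthorizables:" + Arrays.toString(list.toArray()) + " newAuthorizables:" + Arrays.toString(list2.toArray()));
        }
        // NOTE(review): no grant-option or admin check is made here; the requestor is only forwarded.
        this.delegate.getTransactionManager().executeTransactionWithRetry(pm -> {
            pm.setDetachAllOnCommit(false);
            this.privilegeOperator.renamePrivilege(toTrimmedLower(str), toTrimmedLower(str2), list, list2, str3, pm);
            return null;
        });
        return null;
    }

    /**
     * Drops a privilege through the privilege operator.
     *
     * @param str component (unused here)
     * @param privilegeObject privilege to drop
     * @param str2 requestor; only checked for {@code null}
     * @return always {@code null}
     * @throws NullPointerException if {@code str2} is {@code null}
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Object dropPrivilege(String str, PrivilegeObject privilegeObject, String str2) throws Exception {
        Preconditions.checkNotNull(str2);
        // NOTE(review): the requestor is null-checked but never authorized in this method.
        this.delegate.getTransactionManager().executeTransactionWithRetry(pm -> {
            pm.setDetachAllOnCommit(false);
            this.privilegeOperator.dropPrivilege(privilegeObject, pm);
            return null;
        });
        return null;
    }

    /**
     * Rejects a grant or revoke unless the grantor belongs to a configured admin group or the roles of
     * the grantor's groups pass the privilege operator's grant-option check.
     *
     * @param privilegeObject privilege being granted or revoked
     * @param str grantor principal
     * @param persistenceManager persistence manager of the surrounding transaction
     * @throws SentryInvalidInputException if the grantor is {@code null} or empty
     * @throws SentryGrantDeniedException if the grantor has no groups or fails both checks
     */
    private void grantOptionCheck(PrivilegeObject privilegeObject, String str, PersistenceManager persistenceManager) throws SentryUserException {
        if (Strings.isNullOrEmpty(str)) {
            throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
        }
        Set<String> grantorGroups = getRequestorGroups(str);
        if (grantorGroups == null || grantorGroups.isEmpty()) {
            // Fail closed: a principal that resolves to no groups can never grant.
            throw new SentryGrantDeniedException(str + " has no grant!");
        }
        // Admin membership is an exact (case-sensitive) match on trimmed group names.
        boolean grantorIsAdmin = !Sets.intersection(this.adminGroups, toTrimmed(grantorGroups)).isEmpty();
        if (grantorIsAdmin) {
            return;
        }
        Set<MSentryRole> grantorRoles = this.delegate.getRolesForGroups(persistenceManager, grantorGroups);
        if (!this.privilegeOperator.checkPrivilegeOption(grantorRoles, privilegeObject, persistenceManager)) {
            throw new SentryGrantDeniedException(str + " has no grant!");
        }
    }

    /**
     * Returns the role names attached to the given groups.
     *
     * @param str component (unused here)
     * @param set group names; {@code null} or empty yields an empty result
     * @return role names for the groups, or every role name when the set contains a {@code null} element
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Set<String> getRolesByGroups(String str, Set<String> set) throws Exception {
        if (set == null || set.isEmpty()) {
            return Collections.emptySet();
        }
        // A null element acts as a wildcard and widens the answer to all roles.
        // NOTE(review): confirm callers only pass it deliberately, never from unchecked request data.
        if (set.contains(null)) {
            return this.delegate.getAllRoleNames();
        }
        return this.delegate.getRoleNamesForGroups(set);
    }

    /**
     * Returns roles, each with its group names, for the given groups.
     *
     * @param str component (unused here)
     * @param set group names; {@code null} or empty yields an empty result
     * @return one {@link TSentryRole} per matching role, or per stored role when the set contains a
     *     {@code null} element
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Set<TSentryRole> getTSentryRolesByGroupName(String str, final Set<String> set) throws Exception {
        if (set == null || set.isEmpty()) {
            return Collections.emptySet();
        }
        // The cast mirrors the decompiled original; it is redundant if executeTransaction is generic.
        @SuppressWarnings("unchecked")
        Set<TSentryRole> found = (Set<TSentryRole>) this.delegate.getTransactionManager().executeTransaction(pm -> {
            pm.setDetachAllOnCommit(false);
            Set<MSentryRole> roles;
            if (set.contains(null)) {
                // Same wildcard convention as getRolesByGroups: a null element selects every role.
                roles = new HashSet<>(this.delegate.getAllRoles(pm));
            } else {
                roles = this.delegate.getRolesForGroups(pm, set);
            }
            Set<TSentryRole> result = new HashSet<>();
            for (MSentryRole role : roles) {
                String roleName = role.getRoleName().intern();
                Set<String> groupNames = new HashSet<>();
                for (MSentryGroup group : role.getGroups()) {
                    groupNames.add(group.getGroupName());
                }
                result.add(new TSentryRole(roleName, groupNames));
            }
            return result;
        });
        return found;
    }

    /**
     * Returns the names of the groups attached to the given roles.
     *
     * @param str component (unused here)
     * @param set role names, used as given; {@code null} or empty yields an empty result
     * @return group names found for the roles
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Set<String> getGroupsByRoles(String str, final Set<String> set) throws Exception {
        // Treat null like empty, as the sibling group lookups do, instead of failing with an NPE.
        if (set == null || set.isEmpty()) {
            return Collections.emptySet();
        }
        // The cast mirrors the decompiled original; it is redundant if executeTransaction is generic.
        @SuppressWarnings("unchecked")
        Set<String> found = (Set<String>) this.delegate.getTransactionManager().executeTransaction(pm -> {
            pm.setDetachAllOnCommit(false);
            Query query = pm.newQuery(MSentryGroup.class);
            // Role names travel in the builder's argument map, separate from the filter text.
            // NOTE(review): presumably the filter only references parameter names - confirm in QueryParamBuilder.
            QueryParamBuilder roleFilter = QueryParamBuilder.addRolesFilter(query, null, set);
            query.setFilter(roleFilter.toString());
            @SuppressWarnings("unchecked")
            List<MSentryGroup> groups = (List<MSentryGroup>) query.executeWithMap(roleFilter.getArguments());
            Set<String> groupNames = new HashSet<>();
            for (MSentryGroup group : groups) {
                groupNames.add(group.getGroupName());
            }
            return groupNames;
        });
        return found;
    }

    /**
     * Returns the privileges held by the given roles.
     *
     * @param str component (unused here)
     * @param set role names; each is trimmed and lower-cased, unknown roles are skipped
     * @return privileges of the roles that exist; empty when {@code set} is empty
     * @throws NullPointerException if {@code set} is {@code null}
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Set<PrivilegeObject> getPrivilegesByRole(String str, Set<String> set) throws Exception {
        Preconditions.checkNotNull(set);
        if (set.isEmpty()) {
            return Collections.emptySet();
        }
        // The cast mirrors the decompiled original; it is redundant if executeTransaction is generic.
        @SuppressWarnings("unchecked")
        Set<PrivilegeObject> found = (Set<PrivilegeObject>) this.delegate.getTransactionManager().executeTransaction(pm -> {
            pm.setDetachAllOnCommit(false);
            Set<MSentryRole> roles = new HashSet<>();
            for (String name : set) {
                MSentryRole role = getRole(toTrimmedLower(name), pm);
                if (role != null) {
                    roles.add(role);
                }
            }
            Set<PrivilegeObject> privileges = new HashSet<>(this.privilegeOperator.getPrivilegesByRole(roles, pm));
            return privileges;
        });
        return found;
    }

    /**
     * Returns the privileges that the given roles, plus the roles of the given groups, hold on a
     * component/service pair.
     *
     * @param str component; trimmed and lower-cased
     * @param str2 service; trimmed and lower-cased
     * @param set role names, normalised through {@code SentryStore.toTrimedLower}
     * @param set2 group names whose roles are added to the lookup; may be {@code null}
     * @param list authorizables forwarded to the privilege operator
     * @return matching privileges; empty when no role name remains
     * @throws NullPointerException if {@code str} or {@code str2} is {@code null}
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Set<PrivilegeObject> getPrivilegesByProvider(String str, String str2, Set<String> set, Set<String> set2, List<? extends Authorizable> list) throws Exception {
        Preconditions.checkNotNull(str);
        Preconditions.checkNotNull(str2);
        // The cast mirrors the decompiled original; it is redundant if executeTransaction is generic.
        @SuppressWarnings("unchecked")
        Set<PrivilegeObject> found = (Set<PrivilegeObject>) this.delegate.getTransactionManager().executeTransaction(pm -> {
            pm.setDetachAllOnCommit(false);
            String component = toTrimmedLower(str);
            String service = toTrimmedLower(str2);
            // Copy before adding: the helper's result is not known to be mutable from this file, and
            // an immutable empty set would make the addAll below fail when only groups are supplied.
            Set<String> roleNames = new HashSet<>(SentryStore.toTrimedLower(set));
            if (set2 != null) {
                roleNames.addAll(this.delegate.getRoleNamesForGroups(set2));
            }
            if (roleNames.isEmpty()) {
                return Collections.<PrivilegeObject>emptySet();
            }
            Set<MSentryRole> roles = new HashSet<>(roleNames.size());
            for (String name : roleNames) {
                MSentryRole role = getRole(name, pm);
                if (role != null) {
                    roles.add(role);
                }
            }
            Set<PrivilegeObject> privileges = new HashSet<>();
            privileges.addAll(this.privilegeOperator.getPrivilegesByProvider(component, service, roles, list, pm));
            return privileges;
        });
        return found;
    }

    /**
     * Returns the stored privilege records that the given roles hold on the given authorizables.
     *
     * @param str component; trimmed and lower-cased
     * @param str2 service; trimmed and lower-cased
     * @param set role names, looked up exactly as given; {@code null} or empty yields an empty result
     * @param list authorizables forwarded to the privilege operator
     * @return matching privilege records, each loaded through {@code PersistenceManager.retrieve}
     * @throws NullPointerException if {@code str} or {@code str2} is {@code null} and {@code set} is non-empty
     */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String str, String str2, Set<String> set, List<? extends Authorizable> list) throws Exception {
        if (set == null || set.isEmpty()) {
            return Collections.emptySet();
        }
        Preconditions.checkNotNull(str);
        Preconditions.checkNotNull(str2);
        // The cast mirrors the decompiled original; it is redundant if executeTransaction is generic.
        @SuppressWarnings("unchecked")
        Set<MSentryGMPrivilege> found = (Set<MSentryGMPrivilege>) this.delegate.getTransactionManager().executeTransaction(pm -> {
            String component = toTrimmedLower(str);
            String service = toTrimmedLower(str2);
            Set<MSentryRole> roles = new HashSet<>(set.size());
            for (String name : set) {
                // NOTE(review): role names are not trimmed/lower-cased here, unlike getPrivilegesByRole
                // and getPrivilegesByProvider; presumably callers pass already-normalised names - confirm.
                MSentryRole role = getRole(name, pm);
                if (role != null) {
                    roles.add(role);
                }
            }
            Set<MSentryGMPrivilege> stored = this.privilegeOperator.getPrivilegesByAuthorizable(component, service, roles, list, pm);
            Set<MSentryGMPrivilege> loaded = new HashSet<>(stored.size());
            for (MSentryGMPrivilege privilege : stored) {
                pm.retrieve(privilege);
                loaded.add(privilege);
            }
            return loaded;
        });
        return found;
    }

    /** Stops the delegate store. */
    @Override // org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer
    public void close() {
        this.delegate.stop();
    }

    /** Wraps each group name in a {@link TSentryGroup}; {@code set} must not be {@code null}. */
    private Set<TSentryGroup> toTSentryGroups(Set<String> set) {
        if (set.isEmpty()) {
            return Collections.emptySet();
        }
        Set<TSentryGroup> groups = new HashSet<>(set.size());
        for (String name : set) {
            groups.add(new TSentryGroup(name));
        }
        return groups;
    }

    /** Returns the trimmed form of every element; the set and its elements must not be {@code null}. */
    private static Set<String> toTrimmed(Set<String> set) {
        if (set.isEmpty()) {
            return Collections.emptySet();
        }
        Set<String> trimmed = new HashSet<>(set.size());
        for (String value : set) {
            trimmed.add(value.trim());
        }
        return trimmed;
    }

    /** Trims and lower-cases a name, mapping {@code null} to the empty string. */
    private static String toTrimmedLower(String str) {
        // NOTE(review): toLowerCase() follows the JVM default locale, so role-name matching depends on
        // it. Moving to a fixed locale would have to be done wherever the delegate normalises names too.
        return str == null ? "" : str.trim().toLowerCase();
    }

    /** Resolves the groups of a user through the policy store processor's group mapping. */
    private Set<String> getRequestorGroups(String str) throws SentryUserException {
        return SentryPolicyStoreProcessor.getGroupsFromUserName(this.conf, str);
    }

    /** Deletes every stored role, group and generic-model privilege; intended for tests only. */
    @VisibleForTesting
    void clearAllTables() throws Exception {
        this.delegate.getTransactionManager().executeTransaction(pm -> {
            pm.newQuery(MSentryRole.class).deletePersistentAll();
            pm.newQuery(MSentryGroup.class).deletePersistentAll();
            pm.newQuery(MSentryGMPrivilege.class).deletePersistentAll();
            return null;
        });
    }
}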
