package org.apache.atlas.authorize.simple;

import java.io.IOException;
import java.io.InputStream;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Set;
import java.util.regex.PatternSyntaxException;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
import org.apache.atlas.authorize.AtlasAccessRequest;
import org.apache.atlas.authorize.AtlasAdminAccessRequest;
import org.apache.atlas.authorize.AtlasAuthorizationException;
import org.apache.atlas.authorize.AtlasAuthorizer;
import org.apache.atlas.authorize.AtlasEntityAccessRequest;
import org.apache.atlas.authorize.AtlasPrivilege;
import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
import org.apache.atlas.authorize.AtlasTypeAccessRequest;
import org.apache.atlas.authorize.AtlasTypesDefFilterRequest;
import org.apache.atlas.authorize.simple.AtlasSimpleAuthzPolicy;
import org.apache.atlas.model.discovery.AtlasSearchResult;
import org.apache.atlas.model.instance.AtlasEntityHeader;
import org.apache.atlas.model.typedef.AtlasBaseTypeDef;
import org.apache.atlas.model.typedef.AtlasTypesDef;
import org.apache.atlas.utils.AtlasJson;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/atlas/authorize/simple/AtlasSimpleAuthorizer.class */
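/**
 * File-backed {@link AtlasAuthorizer}: access decisions are taken from a JSON policy
 * ({@link AtlasSimpleAuthzPolicy}) that is loaded once in {@link #init()}.
 *
 * <p>Decision model, as implemented below:
 * <ul>
 *   <li>The caller's roles are the union of the roles mapped to the user name and to each of the
 *       user's groups. With no policy loaded there are no roles, so every check denies.</li>
 *   <li>A request is allowed when the permissions of those roles cover it; there is no explicit
 *       deny rule.</li>
 *   <li>Policy entries are matched case-insensitively as literals, or case-sensitively as Java
 *       regular expressions (see {@link #isMatch(String, String)}).</li>
 *   <li>A request attribute that is {@code null} (or an empty set of values) matches every
 *       pattern list, including an empty one. Callers therefore have to populate the request
 *       completely; an unset attribute is never a reason to deny.</li>
 * </ul>
 */
public final class AtlasSimpleAuthorizer implements AtlasAuthorizer {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasSimpleAuthorizer.class);

    // Not referenced anywhere in this class; kept because the original declares it.
    private static final String WILDCARD_ASTERISK = "*";

    // Set by init(), cleared by cleanUp(); null means "no policy", which denies everything.
    private AtlasSimpleAuthzPolicy authzPolicy;

    /**
     * Loads the policy from the file named by the {@code atlas.authorizer.simple.authz.policy.file}
     * property (default {@code atlas-simple-authz-policy.json}) and adds the implied type-read
     * privilege to it.
     *
     * @throws RuntimeException wrapping the {@link IOException} or {@link AtlasException} when the
     *         policy cannot be located or read
     */
    @Override
    public void init() {
        LOG.info("==> SimpleAtlasAuthorizer.init()");

        InputStream inputStream = null;

        try {
            inputStream = ApplicationProperties.getFileAsInputStream(ApplicationProperties.get(), "atlas.authorizer.simple.authz.policy.file", "atlas-simple-authz-policy.json");

            AtlasSimpleAuthzPolicy policy = (AtlasSimpleAuthzPolicy) AtlasJson.fromJson(inputStream, AtlasSimpleAuthzPolicy.class);

            // Publish the policy only after it has been fully prepared.
            addImpliedTypeReadPrivilege(policy);

            if (policy == null) {
                LOG.warn("SimpleAtlasAuthorizer.init(): policy file produced no policy; all access requests will be denied");
            }

            this.authzPolicy = policy;
        } catch (IOException | AtlasException e) {
            LOG.error("SimpleAtlasAuthorizer.init(): initialization failed", e);

            throw new RuntimeException(e);
        } finally {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (IOException ignored) {
                    // The policy has already been read (or loading already failed); a close
                    // failure carries no further information.
                }
            }
        }

        LOG.info("<== SimpleAtlasAuthorizer.init()");
    }

    /** Drops the loaded policy; until {@link #init()} runs again every check denies. */
    @Override
    public void cleanUp() {
        LOG.info("==> SimpleAtlasAuthorizer.cleanUp()");

        this.authzPolicy = null;

        LOG.info("<== SimpleAtlasAuthorizer.cleanUp()");
    }

    /**
     * Checks an administrative action.
     *
     * @return {@code true} when any admin permission of any of the caller's roles lists a privilege
     *         matching the requested action
     */
    @Override
    public boolean isAccessAllowed(AtlasAdminAccessRequest atlasAdminAccessRequest) throws AtlasAuthorizationException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", atlasAdminAccessRequest);
        }

        boolean ret = false;

        // NOTE(review): a request without an action yields a null action here, and null matches
        // every privilege list, so any role that has an admin permission entry would allow it.
        // Confirm that callers always set the action.
        String action = atlasAdminAccessRequest.getAction() != null ? atlasAdminAccessRequest.getAction().getType() : null;

        for (String role : getRoles(atlasAdminAccessRequest.getUser(), atlasAdminAccessRequest.getUserGroups())) {
            List<AtlasSimpleAuthzPolicy.AtlasAdminPermission> permissions = getAdminPermissionsForRole(role);

            if (permissions == null) {
                continue;
            }

            for (AtlasSimpleAuthzPolicy.AtlasAdminPermission permission : permissions) {
                if (isMatch(action, permission.getPrivileges())) {
                    ret = true;

                    break;
                }
            }

            if (ret) {
                break; // one grant is enough; further roles cannot revoke it
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", atlasAdminAccessRequest, ret);
        }

        return ret;
    }

    /**
     * Checks an action on a type definition.
     *
     * @return {@code true} when a single type permission of one of the caller's roles matches the
     *         action, the type category and the type name together
     */
    @Override
    public boolean isAccessAllowed(AtlasTypeAccessRequest atlasTypeAccessRequest) throws AtlasAuthorizationException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", atlasTypeAccessRequest);
        }

        boolean ret = false;

        for (String role : getRoles(atlasTypeAccessRequest.getUser(), atlasTypeAccessRequest.getUserGroups())) {
            List<AtlasSimpleAuthzPolicy.AtlasTypePermission> permissions = getTypePermissionsForRole(role);

            if (permissions == null) {
                continue;
            }

            String action       = atlasTypeAccessRequest.getAction() != null ? atlasTypeAccessRequest.getAction().getType() : null;
            String typeCategory = atlasTypeAccessRequest.getTypeDef() != null ? atlasTypeAccessRequest.getTypeDef().getCategory().name() : null;
            String typeName     = atlasTypeAccessRequest.getTypeDef() != null ? atlasTypeAccessRequest.getTypeDef().getName() : null;

            // The loop must end when the permissions are exhausted; otherwise a request that no
            // permission matches would never return.
            for (AtlasSimpleAuthzPolicy.AtlasTypePermission permission : permissions) {
                if (isMatch(action, permission.getPrivileges()) && isMatch(typeCategory, permission.getTypeCategories()) && isMatch(typeName, permission.getTypeNames())) {
                    ret = true;

                    break;
                }
            }

            if (ret) {
                break;
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", atlasTypeAccessRequest, ret);
        }

        return ret;
    }

    /**
     * Checks an action on a relationship between two entities.
     *
     * <p>Only permissions whose relationship types and privileges match the request are considered.
     * Each end is authorized separately: the end's entity type and id must match, and every
     * classification attached to that end must be matched by some considered permission. The set of
     * classifications still to be covered is shared across permissions and roles, so coverage may
     * be assembled from several of them.
     *
     * @return {@code true} only when both ends are authorized
     */
    @Override
    public boolean isAccessAllowed(AtlasRelationshipAccessRequest atlasRelationshipAccessRequest) throws AtlasAuthorizationException {
        Set<String> roles               = getRoles(atlasRelationshipAccessRequest.getUser(), atlasRelationshipAccessRequest.getUserGroups());
        String      relationshipType    = atlasRelationshipAccessRequest.getRelationshipType();
        Set<String> end1EntityTypes     = atlasRelationshipAccessRequest.getEnd1EntityTypeAndAllSuperTypes();
        Set<String> end1Classifications = new HashSet<String>(atlasRelationshipAccessRequest.getEnd1EntityClassifications());
        String      end1EntityId        = atlasRelationshipAccessRequest.getEnd1EntityId();
        Set<String> end2EntityTypes     = atlasRelationshipAccessRequest.getEnd2EntityTypeAndAllSuperTypes();
        Set<String> end2Classifications = new HashSet<String>(atlasRelationshipAccessRequest.getEnd2EntityClassifications());
        String      end2EntityId        = atlasRelationshipAccessRequest.getEnd2EntityId();
        String      action              = atlasRelationshipAccessRequest.getAction() != null ? atlasRelationshipAccessRequest.getAction().getType() : null;

        boolean hasEnd1Access = false;
        boolean hasEnd2Access = false;

        for (String role : roles) {
            if (hasEnd1Access && hasEnd2Access) {
                break; // both flags only ever move to true, so the result is final
            }

            List<AtlasSimpleAuthzPolicy.AtlasRelationshipPermission> permissions = getRelationshipPermissionsForRole(role);

            if (permissions == null) {
                continue;
            }

            for (AtlasSimpleAuthzPolicy.AtlasRelationshipPermission permission : permissions) {
                if (isMatch(relationshipType, permission.getRelationshipTypes()) && isMatch(action, permission.getPrivileges())) {
                    if (!hasEnd1Access && isMatchAny(end1EntityTypes, permission.getEnd1EntityType()) && isMatch(end1EntityId, permission.getEnd1EntityId())) {
                        // Strike off every end-1 classification this permission covers.
                        for (Iterator<String> iter = end1Classifications.iterator(); iter.hasNext(); ) {
                            if (isMatchAny(atlasRelationshipAccessRequest.getClassificationTypeAndAllSuperTypes(iter.next()), permission.getEnd1EntityClassification())) {
                                iter.remove();
                            }
                        }

                        hasEnd1Access = CollectionUtils.isEmpty(end1Classifications);
                    }

                    if (!hasEnd2Access && isMatchAny(end2EntityTypes, permission.getEnd2EntityType()) && isMatch(end2EntityId, permission.getEnd2EntityId())) {
                        // Strike off every end-2 classification this permission covers.
                        for (Iterator<String> iter = end2Classifications.iterator(); iter.hasNext(); ) {
                            if (isMatchAny(atlasRelationshipAccessRequest.getClassificationTypeAndAllSuperTypes(iter.next()), permission.getEnd2EntityClassification())) {
                                iter.remove();
                            }
                        }

                        hasEnd2Access = CollectionUtils.isEmpty(end2Classifications);
                    }
                }
            }
        }

        return hasEnd1Access && hasEnd2Access;
    }

    /**
     * Checks an action on an entity.
     *
     * <p>Two conditions must both hold: (1) some permission matching the resource (entity type, id,
     * attribute, label, business metadata) also matches the action and the classification named in
     * the request, and (2) every classification attached to the entity is matched by some
     * permission matching the resource. The set of classifications still to be covered is shared
     * across permissions and roles.
     *
     * @return {@code true} when both conditions hold
     */
    @Override
    public boolean isAccessAllowed(AtlasEntityAccessRequest atlasEntityAccessRequest) throws AtlasAuthorizationException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> SimpleAtlasAuthorizer.isAccessAllowed({})", atlasEntityAccessRequest);
        }

        String      action                    = atlasEntityAccessRequest.getAction() != null ? atlasEntityAccessRequest.getAction().getType() : null;
        Set<String> entityTypes               = atlasEntityAccessRequest.getEntityTypeAndAllSuperTypes();
        String      entityId                  = atlasEntityAccessRequest.getEntityId();
        String      classification            = atlasEntityAccessRequest.getClassification() != null ? atlasEntityAccessRequest.getClassification().getTypeName() : null;
        String      attributeName             = atlasEntityAccessRequest.getAttributeName();
        Set<String> classificationsToAuthorize = new HashSet<String>(atlasEntityAccessRequest.getEntityClassifications());

        boolean hasEntityAccess          = false;
        boolean hasClassificationsAccess = false;

        for (String role : getRoles(atlasEntityAccessRequest.getUser(), atlasEntityAccessRequest.getUserGroups())) {
            if (hasEntityAccess && hasClassificationsAccess) {
                break; // neither flag can revert once both are true
            }

            List<AtlasSimpleAuthzPolicy.AtlasEntityPermission> permissions = getEntityPermissionsForRole(role);

            if (permissions == null) {
                continue;
            }

            for (AtlasSimpleAuthzPolicy.AtlasEntityPermission permission : permissions) {
                if (isMatchAny(entityTypes, permission.getEntityTypes()) && isMatch(entityId, permission.getEntityIds()) && isMatch(attributeName, permission.getAttributes()) && isLabelMatch(atlasEntityAccessRequest, permission) && isBusinessMetadataMatch(atlasEntityAccessRequest, permission)) {
                    if (!hasEntityAccess && isMatch(action, permission.getPrivileges()) && isMatch(classification, permission.getClassifications())) {
                        hasEntityAccess = true;
                    }

                    // NOTE(review): the classification coverage below is evaluated for every
                    // permission that matches the resource, without checking that the permission's
                    // privileges include the requested action (the relationship check does test the
                    // privilege first). A permission granting a different privilege can therefore
                    // satisfy the classification condition. Confirm this is intended.
                    for (Iterator<String> iter = classificationsToAuthorize.iterator(); iter.hasNext(); ) {
                        if (isMatchAny(atlasEntityAccessRequest.getClassificationTypeAndAllSuperTypes(iter.next()), permission.getClassifications())) {
                            iter.remove();
                        }
                    }

                    hasClassificationsAccess = CollectionUtils.isEmpty(classificationsToAuthorize);

                    if (hasEntityAccess && hasClassificationsAccess) {
                        break;
                    }
                }
            }
        }

        boolean ret = hasEntityAccess && hasClassificationsAccess;

        if (LOG.isDebugEnabled()) {
            if (!ret) {
                LOG.debug("hasEntityAccess={}; hasClassificationsAccess={}, classificationsWithNoAccess={}", new Object[]{Boolean.valueOf(hasEntityAccess), Boolean.valueOf(hasClassificationsAccess), classificationsToAuthorize});
            }

            LOG.debug("<== SimpleAtlasAuthorizer.isAccessAllowed({}): {}", atlasEntityAccessRequest, ret);
        }

        return ret;
    }

    /**
     * Scrubs, in place, every entity header of a search result that the caller may not read:
     * the direct entities, the entities of full-text hits, and the referred entities.
     */
    @Override
    public void scrubSearchResults(AtlasSearchResultScrubRequest atlasSearchResultScrubRequest) throws AtlasAuthorizationException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> SimpleAtlasAuthorizer.scrubSearchResults({})", atlasSearchResultScrubRequest);
        }

        AtlasSearchResult searchResult = atlasSearchResultScrubRequest.getSearchResult();

        if (CollectionUtils.isNotEmpty(searchResult.getEntities())) {
            for (AtlasEntityHeader entity : searchResult.getEntities()) {
                checkAccessAndScrub(entity, atlasSearchResultScrubRequest);
            }
        }

        if (CollectionUtils.isNotEmpty(searchResult.getFullTextResult())) {
            for (AtlasSearchResult.AtlasFullTextResult fullTextResult : searchResult.getFullTextResult()) {
                if (fullTextResult != null) {
                    checkAccessAndScrub(fullTextResult.getEntity(), atlasSearchResultScrubRequest);
                }
            }
        }

        if (MapUtils.isNotEmpty(searchResult.getReferredEntities())) {
            for (AtlasEntityHeader entity : searchResult.getReferredEntities().values()) {
                checkAccessAndScrub(entity, atlasSearchResultScrubRequest);
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== SimpleAtlasAuthorizer.scrubSearchResults({}): {}", atlasSearchResultScrubRequest, searchResult);
        }
    }

    /**
     * Removes, in place, every type definition the caller is not allowed to access with the
     * request's action, across all six definition lists of the request's {@link AtlasTypesDef}.
     */
    @Override
    public void filterTypesDef(AtlasTypesDefFilterRequest atlasTypesDefFilterRequest) throws AtlasAuthorizationException {
        AtlasTypesDef typesDef = atlasTypesDefFilterRequest.getTypesDef();

        filterTypes(atlasTypesDefFilterRequest, typesDef.getEnumDefs());
        filterTypes(atlasTypesDefFilterRequest, typesDef.getStructDefs());
        filterTypes(atlasTypesDefFilterRequest, typesDef.getEntityDefs());
        filterTypes(atlasTypesDefFilterRequest, typesDef.getClassificationDefs());
        filterTypes(atlasTypesDefFilterRequest, typesDef.getRelationshipDefs());
        filterTypes(atlasTypesDefFilterRequest, typesDef.getBusinessMetadataDefs());
    }

    /**
     * Collects the roles mapped to the user name and to each of the user's groups.
     *
     * @return a fresh, possibly empty set; empty when no policy is loaded
     */
    private Set<String> getRoles(String userName, Set<String> userGroups) {
        Set<String>            ret    = new HashSet<String>();
        AtlasSimpleAuthzPolicy policy = this.authzPolicy;

        if (policy != null) {
            if (userName != null && policy.getUserRoles() != null) {
                List<String> userRoles = policy.getUserRoles().get(userName);

                if (userRoles != null) {
                    ret.addAll(userRoles);
                }
            }

            if (userGroups != null && policy.getGroupRoles() != null) {
                for (String group : userGroups) {
                    List<String> groupRoles = policy.getGroupRoles().get(group);

                    if (groupRoles != null) {
                        ret.addAll(groupRoles);
                    }
                }
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getRoles({}, {}): {}", new Object[]{userName, userGroups, ret});
        }

        return ret;
    }

    /**
     * Looks up a role definition by name.
     *
     * @return the role, or {@code null} when no policy is loaded, the policy defines no roles, or
     *         the name is null or unknown
     */
    private AtlasSimpleAuthzPolicy.AtlasAuthzRole findRole(String roleName) {
        AtlasSimpleAuthzPolicy policy = this.authzPolicy;

        // A policy file without a roles section is tolerated by addImpliedTypeReadPrivilege(), so
        // it has to be tolerated here as well rather than failing every access check.
        if (policy == null || roleName == null || policy.getRoles() == null) {
            return null;
        }

        return policy.getRoles().get(roleName);
    }

    /** Returns the admin permissions of the named role, or {@code null} when there are none. */
    private List<AtlasSimpleAuthzPolicy.AtlasAdminPermission> getAdminPermissionsForRole(String roleName) {
        AtlasSimpleAuthzPolicy.AtlasAuthzRole role = findRole(roleName);

        return role != null ? role.getAdminPermissions() : null;
    }

    /** Returns the type permissions of the named role, or {@code null} when there are none. */
    private List<AtlasSimpleAuthzPolicy.AtlasTypePermission> getTypePermissionsForRole(String roleName) {
        AtlasSimpleAuthzPolicy.AtlasAuthzRole role = findRole(roleName);

        return role != null ? role.getTypePermissions() : null;
    }

    /** Returns the entity permissions of the named role, or {@code null} when there are none. */
    private List<AtlasSimpleAuthzPolicy.AtlasEntityPermission> getEntityPermissionsForRole(String roleName) {
        AtlasSimpleAuthzPolicy.AtlasAuthzRole role = findRole(roleName);

        return role != null ? role.getEntityPermissions() : null;
    }

    /** Returns the relationship permissions of the named role, or {@code null} when there are none. */
    private List<AtlasSimpleAuthzPolicy.AtlasRelationshipPermission> getRelationshipPermissionsForRole(String roleName) {
        AtlasSimpleAuthzPolicy.AtlasAuthzRole role = findRole(roleName);

        return role != null ? role.getRelationshipPermissions() : null;
    }

    /**
     * Tests one request value against a list of policy patterns.
     *
     * @return {@code true} when the value is {@code null} (regardless of the list), or when at
     *         least one pattern matches; {@code false} for a non-null value and an empty list
     */
    private boolean isMatch(String value, List<String> patterns) {
        boolean ret = value == null;

        if (!ret && CollectionUtils.isNotEmpty(patterns)) {
            for (String pattern : patterns) {
                if (isMatch(value, pattern)) {
                    ret = true;

                    break;
                }
            }
        }

        if (!ret && LOG.isDebugEnabled()) {
            LOG.debug("<== isMatch({}, {}): {}", new Object[]{value, patterns, Boolean.valueOf(ret)});
        }

        return ret;
    }

    /**
     * Tests a set of request values against a list of policy patterns.
     *
     * @return {@code true} when the value set is {@code null} or empty, or when at least one value
     *         matches at least one pattern
     */
    private boolean isMatchAny(Set<String> values, List<String> patterns) {
        // A null set is treated exactly like an empty one; iterating it would otherwise fail
        // whenever the pattern list is non-empty.
        boolean ret = CollectionUtils.isEmpty(values);

        if (!ret && CollectionUtils.isNotEmpty(patterns)) {
            for (String value : values) {
                if (isMatch(value, patterns)) {
                    ret = true;

                    break;
                }
            }
        }

        if (!ret && LOG.isDebugEnabled()) {
            LOG.debug("<== isMatchAny({}, {}): {}", new Object[]{values, patterns, Boolean.valueOf(ret)});
        }

        return ret;
    }

    /**
     * Tests one request value against one policy pattern.
     *
     * <p>The pattern matches when it equals the value ignoring case, or when the whole value
     * matches the pattern as a Java regular expression (case-sensitive unless the pattern says
     * otherwise). A {@code null} value matches anything. A {@code null} pattern, or one that is not
     * a valid regular expression, grants nothing: it is treated as "no match" so that a malformed
     * policy entry narrows access instead of failing the whole check.
     */
    private boolean isMatch(String value, String pattern) {
        if (value == null) {
            return true;
        }

        if (pattern == null) {
            return false;
        }

        if (StringUtils.equalsIgnoreCase(value, pattern)) {
            return true;
        }

        try {
            return value.matches(pattern);
        } catch (PatternSyntaxException e) {
            LOG.warn("SimpleAtlasAuthorizer.isMatch(): ignoring policy pattern '{}' that is not a valid regular expression: {}", pattern, e.getMessage());

            return false;
        }
    }

    /**
     * Scrubs the entity header unless the caller of the scrub request has {@code ENTITY_READ}
     * access to it. Does nothing when either argument is {@code null}.
     */
    private void checkAccessAndScrub(AtlasEntityHeader entity, AtlasSearchResultScrubRequest request) throws AtlasAuthorizationException {
        if (entity == null || request == null) {
            return;
        }

        AtlasEntityAccessRequest entityAccessRequest = new AtlasEntityAccessRequest(request.getTypeRegistry(), AtlasPrivilege.ENTITY_READ, entity, request.getUser(), request.getUserGroups());

        // NOTE(review): only the client IP is copied here, whereas filterTypes() also copies the
        // forwarded and remote addresses; confirm whether the difference is intended.
        entityAccessRequest.setClientIPAddress(request.getClientIPAddress());

        if (!isAccessAllowed(entityAccessRequest)) {
            // scrubEntityHeader is not defined in this class; presumably inherited from AtlasAuthorizer.
            scrubEntityHeader(entity);
        }
    }

    /**
     * For add-label and remove-label requests, requires the request's label to match the
     * permission's labels; every other action passes.
     */
    private boolean isLabelMatch(AtlasEntityAccessRequest request, AtlasSimpleAuthzPolicy.AtlasEntityPermission permission) {
        boolean isLabelAction = AtlasPrivilege.ENTITY_ADD_LABEL.equals(request.getAction()) || AtlasPrivilege.ENTITY_REMOVE_LABEL.equals(request.getAction());

        return !isLabelAction || isMatch(request.getLabel(), permission.getLabels());
    }

    /**
     * For update-business-metadata requests, requires the request's business metadata name to match
     * the permission's list; every other action passes.
     */
    private boolean isBusinessMetadataMatch(AtlasEntityAccessRequest request, AtlasSimpleAuthzPolicy.AtlasEntityPermission permission) {
        if (!AtlasPrivilege.ENTITY_UPDATE_BUSINESS_METADATA.equals(request.getAction())) {
            return true;
        }

        return isMatch(request.getBusinessMetadata(), permission.getBusinessMetadata());
    }

    /**
     * Removes from the list, in place, every type definition for which a type access request with
     * the original request's action, user, groups and addresses is denied. A {@code null} list is
     * left alone.
     */
    private void filterTypes(AtlasAccessRequest request, List<? extends AtlasBaseTypeDef> typeDefs) throws AtlasAuthorizationException {
        if (typeDefs == null) {
            return;
        }

        for (ListIterator<? extends AtlasBaseTypeDef> iter = typeDefs.listIterator(); iter.hasNext(); ) {
            AtlasTypeAccessRequest typeRequest = new AtlasTypeAccessRequest(request.getAction(), iter.next(), request.getUser(), request.getUserGroups());

            typeRequest.setClientIPAddress(request.getClientIPAddress());
            typeRequest.setForwardedAddresses(request.getForwardedAddresses());
            typeRequest.setRemoteIPAddress(request.getRemoteIPAddress());

            if (!isAccessAllowed(typeRequest)) {
                iter.remove();
            }
        }
    }

    /**
     * Adds {@code TYPE_READ} to every type permission that lists {@code TYPE_CREATE},
     * {@code TYPE_UPDATE} or {@code TYPE_DELETE} but not {@code TYPE_READ}. The comparison is on
     * the exact privilege names, so entries written as patterns are not recognised here. The
     * policy is modified in place; a {@code null} policy or one without roles is left alone.
     */
    private void addImpliedTypeReadPrivilege(AtlasSimpleAuthzPolicy policy) {
        if (policy == null || policy.getRoles() == null) {
            return;
        }

        for (AtlasSimpleAuthzPolicy.AtlasAuthzRole role : policy.getRoles().values()) {
            if (role == null || role.getTypePermissions() == null) {
                continue;
            }

            for (AtlasSimpleAuthzPolicy.AtlasTypePermission permission : role.getTypePermissions()) {
                List<String> privileges = permission.getPrivileges();

                if (CollectionUtils.isEmpty(privileges) || privileges.contains(AtlasPrivilege.TYPE_READ.name())) {
                    continue;
                }

                boolean modifiesTypes = privileges.contains(AtlasPrivilege.TYPE_CREATE.name()) || privileges.contains(AtlasPrivilege.TYPE_UPDATE.name()) || privileges.contains(AtlasPrivilege.TYPE_DELETE.name());

                if (modifiesTypes) {
                    privileges.add(AtlasPrivilege.TYPE_READ.name());
                }
            }
        }
    }
}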
