package org.apache.ranger.authorization.storm.authorizer;

import com.google.common.collect.Sets;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.storm.StormRangerPlugin;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.storm.security.auth.IAuthorizer;
import org.apache.storm.security.auth.ReqContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.class */
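/**
 * Storm {@link IAuthorizer} that delegates authorization decisions to a shared
 * {@link StormRangerPlugin}.
 *
 * <p>Decision summary, as implemented by {@link #permit(ReqContext, String, Map)}:
 * <ul>
 *   <li>operations listed in {@link #noAuthzOperations} are allowed without consulting the plugin;</li>
 *   <li>if the plugin has not been created yet, the request is denied;</li>
 *   <li>if no user name can be derived from the request principal, the request is denied;</li>
 *   <li>otherwise the plugin's access result decides;</li>
 *   <li>any exception raised while deciding results in a denial (fail closed).</li>
 * </ul>
 *
 * <p>The plugin is a lazily created, process-wide singleton guarded by the class monitor.
 */
public class RangerStormAuthorizer implements IAuthorizer {
    /** JAAS configuration section handed to {@code MiscUtil.setUGIFromJAASConfig}. */
    private static final String STORM_CLIENT_JAAS_CONFIG_SECTION = "StormClient";
    private static final Logger LOG = LoggerFactory.getLogger(RangerStormAuthorizer.class);
    private static final Logger PERF_STORMAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("stormauth.request");

    /** Shared plugin instance; only assigned once it has been fully initialised (see {@link #prepare(Map)}). */
    private static volatile StormRangerPlugin plugin = null;

    /**
     * Operations that bypass policy evaluation entirely: they are always permitted and never
     * reach the plugin.
     *
     * NOTE(review): this set is mutable and package-visible, so any class in this package can
     * widen the bypass list at runtime - confirm nothing relies on mutating it, then consider
     * making it unmodifiable.
     */
    static final Set<String> noAuthzOperations = Sets.newHashSet(new String[]{"getNimbusConf", "getClusterInfo"});

    /**
     * Decides whether the caller described by {@code reqContext} may perform operation {@code str}.
     *
     * @param reqContext request context supplying the request id, remote address and principal
     * @param str        name of the requested operation
     * @param map        topology configuration; may be {@code null}, in which case the topology
     *                   name is treated as the empty string
     * @return {@code true} only if the operation is in {@link #noAuthzOperations} or the plugin
     *         returned an allowing result; {@code false} in every other case, including errors
     */
    public boolean permit(ReqContext reqContext, String str, Map map) {
        boolean allowed = false;
        boolean audited = false; // only reported in the debug log lines below
        String topologyName = null;
        RangerPerfTracer perfTracer = null;

        try {
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_STORMAUTH_REQUEST_LOG)) {
                perfTracer = RangerPerfTracer.getPerfTracer(PERF_STORMAUTH_REQUEST_LOG, "RangerStormAuthorizer.permit()");
            }
            topologyName = map == null ? "" : (String) map.get("topology.name");

            if (LOG.isDebugEnabled()) {
                LOG.debug(describeRequest(reqContext, str, topologyName));
                if (map != null) {
                    // NOTE(review): every topology configuration value is written verbatim at debug
                    // level. Such maps may hold sensitive settings, so treat debug output of this
                    // logger as sensitive and restrict who can enable or read it.
                    for (Object key : map.keySet()) {
                        LOG.debug("TOPOLOGY CONFIG MAP [" + key + "] => [" + map.get(key) + "]");
                    }
                } else {
                    LOG.debug("TOPOLOGY CONFIG MAP is passed as null.");
                }
            }

            // Read the volatile field once so the whole decision uses the same plugin instance.
            final StormRangerPlugin activePlugin = plugin;

            if (noAuthzOperations.contains(str)) {
                allowed = true;
            } else if (activePlugin == null) {
                // Deny until prepare() has published an initialised plugin.
                LOG.info("Ranger plugin not initialized yet! Skipping authorization;  allowedFlag => [false], Audit Enabled:false");
            } else {
                String userName = null;
                String[] groups = null;
                final Principal principal = reqContext.principal();
                if (principal != null) {
                    userName = principal.getName();
                    if (userName != null) {
                        // Policies are evaluated against the short user name and the groups
                        // reported by UserGroupInformation for that name.
                        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName);
                        userName = ugi.getShortUserName();
                        groups = ugi.getGroupNames();
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("User found from principal [" + principal.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]");
                        }
                    }
                }

                if (userName == null) {
                    // No identity, no decision: stay with the default denial.
                    LOG.info("NULL User found from principal [" + principal + "]: Skipping authorization;  allowedFlag => [false], Audit Enabled:false");
                } else {
                    final String clientIp = reqContext.remoteAddress() == null ? null : reqContext.remoteAddress().getHostAddress();
                    RangerAccessResult result = activePlugin.isAccessAllowed(activePlugin.buildAccessRequest(userName, groups, clientIp, topologyName, str));
                    // A null result is treated as a denial.
                    allowed = result != null && result.getIsAllowed();
                    audited = result != null && result.getIsAudited();
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + activePlugin.getClass().getName() + "], allowedFlag => [" + allowed + "], Audit Enabled:" + audited);
                    }
                }
            }
        } catch (Throwable th) {
            // Fail closed: a failure anywhere in the decision path must never leave a
            // previously computed "allowed" value in place.
            allowed = false;
            audited = false;
            LOG.error("RangerStormAuthorizer found this exception", th);
        } finally {
            // Single exit path: close the perf trace and log the decision that is actually returned.
            RangerPerfTracer.log(perfTracer);
            if (LOG.isDebugEnabled()) {
                LOG.debug(describeRequest(reqContext, str, topologyName) + " => returns [" + allowed + "], Audit Enabled:" + audited);
            }
        }
        return allowed;
    }

    /**
     * Creates and initialises the shared {@link StormRangerPlugin} on first use.
     *
     * <p>The plugin is assigned to the static field only after {@code init()} has returned, so a
     * concurrent {@link #permit(ReqContext, String, Map)} either sees no plugin (and denies) or a
     * fully initialised one. If {@code init()} throws, the field stays {@code null} and a later
     * call retries.
     *
     * @param map Storm configuration; not read by this implementation
     */
    public void prepare(Map map) {
        if (plugin != null) {
            return;
        }
        synchronized (RangerStormAuthorizer.class) {
            if (plugin != null) {
                return; // another thread finished initialisation while we waited for the monitor
            }
            try {
                MiscUtil.setUGIFromJAASConfig(STORM_CLIENT_JAAS_CONFIG_SECTION);
                LOG.info("LoginUser=" + MiscUtil.getUGILoginUser());
            } catch (Throwable th) {
                // NOTE(review): a failed JAAS login is only logged and plugin creation continues;
                // confirm that proceeding without this login identity is intended.
                LOG.error("Error while setting UGI for Storm Plugin...", th);
            }
            LOG.info("Creating StormRangerPlugin");
            StormRangerPlugin created = new StormRangerPlugin();
            created.init();
            plugin = created; // publish only after init() succeeded
        }
    }

    /** Builds the common prefix of the request debug lines (request id, source, principal, operation, topology). */
    private static String describeRequest(ReqContext reqContext, String operation, String topologyName) {
        return "[req " + reqContext.requestID() + "] Access  from: [" + reqContext.remoteAddress() + "] user: [" + reqContext.principal() + "], op:   [" + operation + "],topology: [" + topologyName + "]";
    }
}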
