package org.apache.ranger.plugin.service;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.admin.client.RangerAdminRESTClient;
import org.apache.ranger.audit.provider.AuditHandler;
import org.apache.ranger.audit.provider.AuditProviderFactory;
import org.apache.ranger.audit.provider.StandAloneAuditProviderFactory;
import org.apache.ranger.authorization.hadoop.config.RangerAuditConfig;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.contextenricher.RangerAdminUserStoreRetriever;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
import org.apache.ranger.plugin.contextenricher.RangerUserStoreEnricher;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.DownloadTrigger;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
import org.apache.ranger.plugin.util.PolicyRefresher;
import org.apache.ranger.plugin.util.RangerPolicyDeltaUtil;
import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.RangerRolesUtil;
import org.apache.ranger.plugin.util.RangerUserStore;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.apache.ranger.plugin.util.ServiceTags;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/plugin/service/RangerBasePlugin.class */
public class RangerBasePlugin {
    private static final Logger LOG = LoggerFactory.getLogger(RangerBasePlugin.class);
    private final RangerPluginConfig pluginConfig;
    private final RangerPluginContext pluginContext;
    private final Map<String, LogHistory> logHistoryList;
    private final int logInterval = 30000;
    private final DownloadTrigger accessTrigger;
    private PolicyRefresher refresher;
    private RangerPolicyEngine policyEngine;
    private RangerAuthContext currentAuthContext;
    private RangerAccessResultProcessor resultProcessor;
    private RangerRoles roles;
    private final List<RangerChainedPlugin> chainedPlugins;
    private final boolean enableImplicitUserStoreEnricher;
    private boolean isUserStoreEnricherAddedImplcitly;

    /* loaded from: input_file:org/apache/ranger/plugin/service/RangerBasePlugin$LogHistory.class */
    private static final class LogHistory {
        long lastLogTime;
        int counter;

        private LogHistory() {
        }
    }

    public RangerBasePlugin(String str, String str2) {
        this(new RangerPluginConfig(str, null, str2, null, null, null));
    }

    public RangerBasePlugin(String str, String str2, String str3) {
        this(new RangerPluginConfig(str, str2, str3, null, null, null));
    }

    public RangerBasePlugin(RangerPluginConfig rangerPluginConfig) {
        this.logHistoryList = new Hashtable();
        this.logInterval = 30000;
        this.accessTrigger = new DownloadTrigger();
        this.isUserStoreEnricherAddedImplcitly = false;
        this.pluginConfig = rangerPluginConfig;
        this.pluginContext = new RangerPluginContext(rangerPluginConfig);
        Set<String> set = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".super.users"));
        Set<String> set2 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".super.groups"));
        Set<String> set3 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".audit.exclude.users"));
        Set<String> set4 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".audit.exclude.groups"));
        Set<String> set5 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".audit.exclude.roles"));
        Set<String> set6 = toSet(rangerPluginConfig.get(rangerPluginConfig.getPropertyPrefix() + ".service.admins"));
        setSuperUsersAndGroups(set, set2);
        setAuditExcludedUsersGroupsRoles(set3, set4, set5);
        setIsFallbackSupported(rangerPluginConfig.getBoolean(rangerPluginConfig.getPropertyPrefix() + ".is.fallback.supported", false));
        setServiceAdmins(set6);
        RangerRequestScriptEvaluator.init(rangerPluginConfig);
        this.enableImplicitUserStoreEnricher = rangerPluginConfig.getBoolean(rangerPluginConfig.getPropertyPrefix() + ".enable.implicit.userstore.enricher", false);
        this.chainedPlugins = initChainedPlugins();
    }

    public RangerBasePlugin(RangerPluginConfig rangerPluginConfig, ServicePolicies servicePolicies, ServiceTags serviceTags, RangerRoles rangerRoles) {
        this(rangerPluginConfig, servicePolicies, serviceTags, rangerRoles, null);
    }

    public RangerBasePlugin(RangerPluginConfig rangerPluginConfig, ServicePolicies servicePolicies, ServiceTags serviceTags, RangerRoles rangerRoles, RangerUserStore rangerUserStore) {
        this(rangerPluginConfig);
        init();
        setPolicies(servicePolicies);
        setRoles(rangerRoles);
        if (serviceTags != null) {
            RangerTagEnricher tagEnricher = getTagEnricher();
            if (tagEnricher != null) {
                tagEnricher.setServiceTags(serviceTags);
            } else {
                LOG.warn("RangerBasePlugin(tagsVersion=" + serviceTags.getTagVersion() + "): no tag enricher found. Plugin will not enforce tag-based policies");
            }
        }
        if (rangerUserStore != null) {
            RangerUserStoreEnricher userStoreEnricher = getUserStoreEnricher();
            if (userStoreEnricher != null) {
                userStoreEnricher.setRangerUserStore(rangerUserStore);
            } else {
                LOG.warn("RangerBasePlugin(userStoreVersion=" + rangerUserStore.getUserStoreVersion() + "): no userstore enricher found. Plugin will not enforce user/group attribute-based policies");
            }
        }
    }

    public static AuditHandler getAuditProvider(String str) {
        return getAuditProviderFactory(str).getAuditProvider();
    }

    public String getServiceType() {
        return this.pluginConfig.getServiceType();
    }

    public String getAppId() {
        return this.pluginConfig.getAppId();
    }

    public RangerPluginConfig getConfig() {
        return this.pluginConfig;
    }

    public String getClusterName() {
        return this.pluginConfig.getClusterName();
    }

    public RangerPluginContext getPluginContext() {
        return this.pluginContext;
    }

    public RangerAuthContext getCurrentRangerAuthContext() {
        return this.currentAuthContext;
    }

    public List<RangerChainedPlugin> getChainedPlugins() {
        return this.chainedPlugins;
    }

    public RangerAuthContext createRangerAuthContext() {
        return this.currentAuthContext;
    }

    public RangerRoles getRoles() {
        return this.roles;
    }

    public void setRoles(RangerRoles rangerRoles) {
        this.roles = rangerRoles;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            rangerPolicyEngine.setRoles(rangerRoles);
        }
        this.pluginContext.notifyAuthContextChanged();
    }

    public void setAuditExcludedUsersGroupsRoles(Set<String> set, Set<String> set2, Set<String> set3) {
        this.pluginConfig.setAuditExcludedUsersGroupsRoles(set, set2, set3);
    }

    public void setSuperUsersAndGroups(Set<String> set, Set<String> set2) {
        this.pluginConfig.setSuperUsersGroups(set, set2);
    }

    public void setIsFallbackSupported(boolean z) {
        this.pluginConfig.setIsFallbackSupported(z);
    }

    public void setServiceAdmins(Set<String> set) {
        this.pluginConfig.setServiceAdmins(set);
    }

    public RangerServiceDef getServiceDef() {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.getServiceDef();
        }
        return null;
    }

    public int getServiceDefId() {
        RangerServiceDef serviceDef = getServiceDef();
        if (serviceDef == null || serviceDef.getId() == null) {
            return -1;
        }
        return serviceDef.getId().intValue();
    }

    public String getServiceName() {
        return this.pluginConfig.getServiceName();
    }

    public AuditProviderFactory getAuditProviderFactory() {
        return getAuditProviderFactory(getServiceName());
    }

    public void init() {
        cleanup();
        AuditProviderFactory auditProviderFactory = AuditProviderFactory.getInstance();
        if (!auditProviderFactory.isInitDone()) {
            if (this.pluginConfig.getProperties() != null) {
                auditProviderFactory.init(this.pluginConfig.getProperties(), getAppId());
            } else {
                LOG.error("Audit subsystem is not initialized correctly. Please check audit configuration. ");
                LOG.error("No authorization audits will be generated. ");
            }
        }
        if (!this.pluginConfig.getPolicyEngineOptions().disablePolicyRefresher) {
            this.refresher = new PolicyRefresher(this);
            LOG.info("Created PolicyRefresher Thread(" + this.refresher.getName() + ")");
            this.refresher.setDaemon(true);
            this.refresher.startRefresher();
        }
        Iterator<RangerChainedPlugin> it = this.chainedPlugins.iterator();
        while (it.hasNext()) {
            it.next().init();
        }
    }

    public long getPoliciesVersion() {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        Long valueOf = rangerPolicyEngine != null ? Long.valueOf(rangerPolicyEngine.getPolicyVersion()) : null;
        if (valueOf != null) {
            return valueOf.longValue();
        }
        return -1L;
    }

    public long getTagsVersion() {
        RangerTagEnricher tagEnricher = getTagEnricher();
        Long serviceTagsVersion = tagEnricher != null ? tagEnricher.getServiceTagsVersion() : null;
        if (serviceTagsVersion != null) {
            return serviceTagsVersion.longValue();
        }
        return -1L;
    }

    public long getRolesVersion() {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        Long valueOf = rangerPolicyEngine != null ? Long.valueOf(rangerPolicyEngine.getRoleVersion()) : null;
        if (valueOf != null) {
            return valueOf.longValue();
        }
        return -1L;
    }

    public long getUserStoreVersion() {
        RangerUserStoreEnricher userStoreEnricher = getUserStoreEnricher();
        Long userStoreVersion = userStoreEnricher != null ? userStoreEnricher.getUserStoreVersion() : null;
        if (userStoreVersion != null) {
            return userStoreVersion.longValue();
        }
        return -1L;
    }

    public void setPolicies(ServicePolicies servicePolicies) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> setPolicies(" + servicePolicies + ")");
        }
        if (this.enableImplicitUserStoreEnricher && servicePolicies != null && !ServiceDefUtil.isUserStoreEnricherPresent(servicePolicies)) {
            String str = getConfig().get(RangerUserStoreEnricher.USERSTORE_RETRIEVER_CLASSNAME_OPTION, RangerAdminUserStoreRetriever.class.getCanonicalName());
            String str2 = getConfig().get(RangerUserStoreEnricher.USERSTORE_REFRESHER_POLLINGINTERVAL_OPTION, Integer.toString(60000));
            if (RangerPolicyDeltaUtil.hasPolicyDeltas(servicePolicies) == Boolean.TRUE && this.isUserStoreEnricherAddedImplcitly) {
                ServiceDefUtil.addUserStoreEnricher(servicePolicies, str, str2);
            } else {
                this.isUserStoreEnricherAddedImplcitly = ServiceDefUtil.addUserStoreEnricherIfNeeded(servicePolicies, str, str2);
            }
        }
        try {
            RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
            ServicePolicies servicePolicies2 = null;
            boolean z = true;
            boolean z2 = false;
            if (servicePolicies == null) {
                servicePolicies = getDefaultSvcPolicies();
                if (servicePolicies == null) {
                    LOG.error("Could not get default Service Policies. Keeping old policy-engine!");
                    z = false;
                }
            } else {
                Boolean hasPolicyDeltas = RangerPolicyDeltaUtil.hasPolicyDeltas(servicePolicies);
                if (hasPolicyDeltas == null) {
                    LOG.info("Downloaded policies do not require policy change !! [" + servicePolicies + "]");
                    if (this.policyEngine == null) {
                        LOG.info("There are no material changes, and current policy-engine is null! Creating a policy-engine with default service policies");
                        ServicePolicies defaultSvcPolicies = getDefaultSvcPolicies();
                        if (defaultSvcPolicies == null) {
                            LOG.error("Could not get default Service Policies. Keeping old policy-engine! This is a FATAL error as the old policy-engine is null!");
                            z = false;
                        } else {
                            defaultSvcPolicies.setPolicyVersion(servicePolicies.getPolicyVersion());
                            servicePolicies = defaultSvcPolicies;
                            z = true;
                        }
                    } else {
                        LOG.info("Keeping old policy-engine!");
                        z = false;
                    }
                } else if (hasPolicyDeltas.equals(Boolean.TRUE)) {
                    servicePolicies2 = ServicePolicies.applyDelta(servicePolicies, (RangerPolicyEngineImpl) rangerPolicyEngine);
                    if (servicePolicies2 != null) {
                        z2 = true;
                    } else {
                        LOG.error("Could not apply deltas=" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()));
                        LOG.warn("Keeping old policy-engine!");
                        z = false;
                    }
                } else if (servicePolicies.getPolicies() == null) {
                    servicePolicies.setPolicies(new ArrayList());
                }
            }
            if (z) {
                RangerPolicyEngine rangerPolicyEngine2 = null;
                boolean z3 = false;
                if (z2) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("policy-deltas are not null");
                    }
                    if (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) || MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Non empty policy-deltas found. Cloning engine using policy-deltas");
                        }
                        if (rangerPolicyEngine != null) {
                            rangerPolicyEngine2 = RangerPolicyEngineImpl.getPolicyEngine((RangerPolicyEngineImpl) rangerPolicyEngine, servicePolicies);
                        }
                        if (rangerPolicyEngine2 != null) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Applied policyDeltas=" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + ")");
                            }
                            z3 = true;
                        } else {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Failed to apply policyDeltas=" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + "), Creating engine from policies");
                                LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies2 + "]");
                            }
                            rangerPolicyEngine2 = new RangerPolicyEngineImpl(servicePolicies2, this.pluginContext, this.roles);
                        }
                    } else if (LOG.isDebugEnabled()) {
                        LOG.debug("Empty policy-deltas. No need to change policy engine");
                    }
                } else {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Creating engine from policies");
                    }
                    rangerPolicyEngine2 = new RangerPolicyEngineImpl(servicePolicies, this.pluginContext, this.roles);
                }
                if (rangerPolicyEngine2 != null) {
                    if (!z3) {
                        rangerPolicyEngine2.setUseForwardedIPAddress(this.pluginConfig.isUseForwardedIPAddress());
                        rangerPolicyEngine2.setTrustedProxyAddresses(this.pluginConfig.getTrustedProxyAddresses());
                    }
                    this.policyEngine = rangerPolicyEngine2;
                    this.currentAuthContext = this.pluginContext.getAuthContext();
                    this.pluginContext.notifyAuthContextChanged();
                    if (rangerPolicyEngine != null && rangerPolicyEngine != rangerPolicyEngine2) {
                        ((RangerPolicyEngineImpl) rangerPolicyEngine).releaseResources(!z3);
                    }
                    if (this.refresher != null) {
                        this.refresher.saveToCache(z2 ? servicePolicies2 : servicePolicies);
                    }
                }
            } else {
                LOG.warn("Leaving current policy engine as-is");
                LOG.warn("Policies are not saved to cache. policyVersion in the policy-cache may be different than in Ranger-admin, even though the policies are the same!");
                LOG.warn("Ranger-PolicyVersion:[" + (servicePolicies != null ? servicePolicies.getPolicyVersion().longValue() : -1L) + "], Cached-PolicyVersion:[" + (this.policyEngine != null ? this.policyEngine.getPolicyVersion() : -1L) + "]");
            }
        } catch (Exception e) {
            LOG.error("setPolicies: policy engine initialization failed!  Leaving current policy engine as-is. Exception : ", e);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== setPolicies(" + servicePolicies + ")");
        }
    }

    public void cleanup() {
        PolicyRefresher policyRefresher = this.refresher;
        this.refresher = null;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        this.policyEngine = null;
        if (policyRefresher != null) {
            policyRefresher.stopRefresher();
        }
        if (rangerPolicyEngine != null) {
            ((RangerPolicyEngineImpl) rangerPolicyEngine).releaseResources(true);
        }
    }

    public void setResultProcessor(RangerAccessResultProcessor rangerAccessResultProcessor) {
        this.resultProcessor = rangerAccessResultProcessor;
    }

    public RangerAccessResultProcessor getResultProcessor() {
        return this.resultProcessor;
    }

    public RangerAccessResult isAccessAllowed(RangerAccessRequest rangerAccessRequest) {
        return isAccessAllowed(rangerAccessRequest, this.resultProcessor);
    }

    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> collection) {
        return isAccessAllowed(collection, this.resultProcessor);
    }

    public RangerAccessResult isAccessAllowed(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        RangerAccessResult evaluatePolicies = rangerPolicyEngine != null ? rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, 0, (RangerAccessResultProcessor) null) : null;
        if (evaluatePolicies != null) {
            for (RangerChainedPlugin rangerChainedPlugin : this.chainedPlugins) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("BasePlugin.isAccessAllowed result=[" + evaluatePolicies + "]");
                    LOG.debug("Calling chainedPlugin.isAccessAllowed for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "]");
                }
                RangerAccessResult isAccessAllowed = rangerChainedPlugin.isAccessAllowed(rangerAccessRequest);
                if (isAccessAllowed != null) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("chainedPlugin.isAccessAllowed for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "] returned result=[" + isAccessAllowed + "]");
                    }
                    updateResultFromChainedResult(evaluatePolicies, isAccessAllowed);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("After updating result from chainedPlugin.isAccessAllowed for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "], result=" + evaluatePolicies + "]");
                    }
                }
            }
        }
        if (rangerPolicyEngine != null) {
            rangerPolicyEngine.evaluateAuditPolicies(evaluatePolicies);
        }
        if (rangerAccessResultProcessor != null) {
            rangerAccessResultProcessor.processResult(evaluatePolicies);
        }
        return evaluatePolicies;
    }

    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> collection, RangerAccessResultProcessor rangerAccessResultProcessor) {
        Collection<RangerAccessResult> collection2 = null;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            collection2 = rangerPolicyEngine.evaluatePolicies(collection, 0, (RangerAccessResultProcessor) null);
        }
        if (CollectionUtils.isNotEmpty(collection2)) {
            Iterator<RangerChainedPlugin> it = this.chainedPlugins.iterator();
            while (it.hasNext()) {
                Collection<RangerAccessResult> isAccessAllowed = it.next().isAccessAllowed(collection);
                if (CollectionUtils.isNotEmpty(isAccessAllowed)) {
                    Iterator<RangerAccessResult> it2 = collection2.iterator();
                    Iterator<RangerAccessResult> it3 = isAccessAllowed.iterator();
                    while (it2.hasNext() && it3.hasNext()) {
                        RangerAccessResult next = it2.next();
                        RangerAccessResult next2 = it3.next();
                        if (next != null && next2 != null) {
                            updateResultFromChainedResult(next, next2);
                        }
                    }
                }
            }
        }
        if (rangerPolicyEngine != null && CollectionUtils.isNotEmpty(collection2)) {
            Iterator<RangerAccessResult> it4 = collection2.iterator();
            while (it4.hasNext()) {
                rangerPolicyEngine.evaluateAuditPolicies(it4.next());
            }
        }
        if (rangerAccessResultProcessor != null) {
            rangerAccessResultProcessor.processResults(collection2);
        }
        return collection2;
    }

    public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        RangerAccessResult rangerAccessResult = null;
        if (rangerPolicyEngine != null) {
            rangerAccessResult = rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, 1, rangerAccessResultProcessor);
            if (rangerAccessResult != null) {
                for (RangerChainedPlugin rangerChainedPlugin : this.chainedPlugins) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("BasePlugin.evalDataMaskPolicies result=[" + rangerAccessResult + "]");
                        LOG.debug("Calling chainedPlugin.evalDataMaskPolicies for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "]");
                    }
                    RangerAccessResult evalDataMaskPolicies = rangerChainedPlugin.evalDataMaskPolicies(rangerAccessRequest);
                    if (evalDataMaskPolicies != null) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("chainedPlugin.evalDataMaskPolicies for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "] returned result=[" + evalDataMaskPolicies + "]");
                        }
                        updateResultFromChainedResult(rangerAccessResult, evalDataMaskPolicies);
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("After updating result from chainedPlugin.evalDataMaskPolicies for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "], result=" + rangerAccessResult + "]");
                        }
                    }
                }
            }
            rangerPolicyEngine.evaluateAuditPolicies(rangerAccessResult);
        }
        return rangerAccessResult;
    }

    public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest rangerAccessRequest, RangerAccessResultProcessor rangerAccessResultProcessor) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        RangerAccessResult rangerAccessResult = null;
        if (rangerPolicyEngine != null) {
            rangerAccessResult = rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, 2, rangerAccessResultProcessor);
            if (rangerAccessResult != null) {
                for (RangerChainedPlugin rangerChainedPlugin : this.chainedPlugins) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("BasePlugin.evalRowFilterPolicies result=[" + rangerAccessResult + "]");
                        LOG.debug("Calling chainedPlugin.evalRowFilterPolicies for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "]");
                    }
                    RangerAccessResult evalRowFilterPolicies = rangerChainedPlugin.evalRowFilterPolicies(rangerAccessRequest);
                    if (evalRowFilterPolicies != null) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("chainedPlugin.evalRowFilterPolicies for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "] returned result=[" + evalRowFilterPolicies + "]");
                        }
                        updateResultFromChainedResult(rangerAccessResult, evalRowFilterPolicies);
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("After updating result from chainedPlugin.evalRowFilterPolicies for service:[" + rangerChainedPlugin.plugin.pluginConfig.getServiceName() + "], result=" + rangerAccessResult + "]");
                        }
                    }
                }
            }
            rangerPolicyEngine.evaluateAuditPolicies(rangerAccessResult);
        }
        return rangerAccessResult;
    }

    public void evalAuditPolicies(RangerAccessResult rangerAccessResult) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            rangerPolicyEngine.evaluateAuditPolicies(rangerAccessResult);
        }
    }

    public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest rangerAccessRequest) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.getResourceAccessInfo(rangerAccessRequest);
        }
        return null;
    }

    public RangerResourceACLs getResourceACLs(RangerAccessRequest rangerAccessRequest) {
        return getResourceACLs(rangerAccessRequest, null);
    }

    public RangerResourceACLs getResourceACLs(RangerAccessRequest rangerAccessRequest, Integer num) {
        RangerResourceACLs rangerResourceACLs = null;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            rangerResourceACLs = rangerPolicyEngine.getResourceACLs(rangerAccessRequest, num);
        }
        Iterator<RangerChainedPlugin> it = this.chainedPlugins.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            RangerChainedPlugin next = it.next();
            RangerResourceACLs resourceACLs = next.getResourceACLs(rangerAccessRequest, num);
            if (resourceACLs != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Chained-plugin returned non-null ACLs!!");
                }
                if (next.isAuthorizeOnlyWithChainedPlugin()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Chained-plugin is configured to ignore Base-plugin's ACLs");
                    }
                    rangerResourceACLs = resourceACLs;
                } else if (rangerResourceACLs != null) {
                    rangerResourceACLs = getMergedResourceACLs(rangerResourceACLs, resourceACLs);
                }
            } else if (LOG.isDebugEnabled()) {
                LOG.debug("Chained-plugin returned null ACLs!!");
            }
        }
        return rangerResourceACLs;
    }

    public Set<String> getRolesFromUserAndGroups(String str, Set<String> set) {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.getRolesFromUserAndGroups(str, set);
        }
        return null;
    }

    public RangerRoles getRangerRoles() {
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            return rangerPolicyEngine.getRangerRoles();
        }
        return null;
    }

    public Set<RangerRole> getRangerRoleForPrincipal(String str, String str2) {
        RangerAuthContext authContext;
        RangerRolesUtil rangerRolesUtil;
        HashSet hashSet = new HashSet();
        Map<String, Set<String>> map = null;
        RangerRoles rangerRoles = getRangerRoles();
        Set<RangerRole> rangerRoles2 = rangerRoles != null ? rangerRoles.getRangerRoles() : null;
        if (rangerRoles2 != null) {
            RangerPluginContext pluginContext = this.policyEngine.getPluginContext();
            if (pluginContext != null && (authContext = pluginContext.getAuthContext()) != null && (rangerRolesUtil = authContext.getRangerRolesUtil()) != null) {
                boolean z = -1;
                switch (str2.hashCode()) {
                    case 2521206:
                        if (str2.equals("ROLE")) {
                            z = 2;
                            break;
                        }
                        break;
                    case 2614219:
                        if (str2.equals("USER")) {
                            z = false;
                            break;
                        }
                        break;
                    case 68091487:
                        if (str2.equals("GROUP")) {
                            z = true;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        map = rangerRolesUtil.getUserRoleMapping();
                        break;
                    case true:
                        map = rangerRolesUtil.getGroupRoleMapping();
                        break;
                    case true:
                        map = rangerRolesUtil.getRoleRoleMapping();
                        break;
                }
            }
            if (map != null) {
                Set<String> set = map.get(str);
                if (CollectionUtils.isNotEmpty(set)) {
                    for (String str3 : set) {
                        for (RangerRole rangerRole : rangerRoles2) {
                            if (rangerRole.getName().equals(str3)) {
                                hashSet.add(rangerRole);
                            }
                        }
                    }
                }
            }
        }
        return hashSet;
    }

    public boolean isServiceAdmin(String str) {
        boolean z = false;
        RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
        if (rangerPolicyEngine != null) {
            z = ((RangerPolicyEngineImpl) rangerPolicyEngine).isServiceAdmin(str);
        }
        return z;
    }

    public RangerRole createRole(RangerRole rangerRole, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.createRole(" + rangerRole + ")");
        }
        RangerRole createRole = getAdminClient().createRole(rangerRole);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.createRole(" + rangerRole + ")");
        }
        return createRole;
    }

    public void dropRole(String str, String str2, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.dropRole(" + str2 + ")");
        }
        getAdminClient().dropRole(str, str2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.dropRole(" + str2 + ")");
        }
    }

    public List<String> getUserRoles(String str, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.getUserRoleNames(" + str + ")");
        }
        List<String> userRoles = getAdminClient().getUserRoles(str);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.getUserRoleNames(" + str + ")");
        }
        return userRoles;
    }

    public List<String> getAllRoles(String str, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.getAllRoles()");
        }
        List<String> allRoles = getAdminClient().getAllRoles(str);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.getAllRoles()");
        }
        return allRoles;
    }

    public RangerRole getRole(String str, String str2, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.getPrincipalsForRole(" + str2 + ")");
        }
        RangerRole role = getAdminClient().getRole(str, str2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.getPrincipalsForRole(" + str2 + ")");
        }
        return role;
    }

    public void grantRole(GrantRevokeRoleRequest grantRevokeRoleRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.grantRole(" + grantRevokeRoleRequest + ")");
        }
        getAdminClient().grantRole(grantRevokeRoleRequest);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.grantRole(" + grantRevokeRoleRequest + ")");
        }
    }

    public void revokeRole(GrantRevokeRoleRequest grantRevokeRoleRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.revokeRole(" + grantRevokeRoleRequest + ")");
        }
        getAdminClient().revokeRole(grantRevokeRoleRequest);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.revokeRole(" + grantRevokeRoleRequest + ")");
        }
    }

    public void grantAccess(GrantRevokeRequest grantRevokeRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.grantAccess(" + grantRevokeRequest + ")");
        }
        boolean z = false;
        try {
            RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
            if (rangerPolicyEngine != null) {
                grantRevokeRequest.setZoneName(rangerPolicyEngine.getUniquelyMatchedZoneName(grantRevokeRequest));
            }
            getAdminClient().grantAccess(grantRevokeRequest);
            z = true;
            auditGrantRevoke(grantRevokeRequest, "grant", true, rangerAccessResultProcessor);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== RangerBasePlugin.grantAccess(" + grantRevokeRequest + ")");
            }
        } catch (Throwable th) {
            auditGrantRevoke(grantRevokeRequest, "grant", z, rangerAccessResultProcessor);
            throw th;
        }
    }

    public void revokeAccess(GrantRevokeRequest grantRevokeRequest, RangerAccessResultProcessor rangerAccessResultProcessor) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.revokeAccess(" + grantRevokeRequest + ")");
        }
        boolean z = false;
        try {
            RangerPolicyEngine rangerPolicyEngine = this.policyEngine;
            if (rangerPolicyEngine != null) {
                grantRevokeRequest.setZoneName(rangerPolicyEngine.getUniquelyMatchedZoneName(grantRevokeRequest));
            }
            getAdminClient().revokeAccess(grantRevokeRequest);
            z = true;
            auditGrantRevoke(grantRevokeRequest, "revoke", true, rangerAccessResultProcessor);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== RangerBasePlugin.revokeAccess(" + grantRevokeRequest + ")");
            }
        } catch (Throwable th) {
            auditGrantRevoke(grantRevokeRequest, "revoke", z, rangerAccessResultProcessor);
            throw th;
        }
    }

    public void registerAuthContextEventListener(RangerAuthContextListener rangerAuthContextListener) {
        this.pluginContext.setAuthContextListener(rangerAuthContextListener);
    }

    public static RangerAdminClient createAdminClient(RangerPluginConfig rangerPluginConfig) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.createAdminClient(" + rangerPluginConfig.getServiceName() + ", " + rangerPluginConfig.getAppId() + ", " + rangerPluginConfig.getPropertyPrefix() + ")");
        }
        RangerAdminClient rangerAdminClient = null;
        String str = rangerPluginConfig.getPropertyPrefix() + ".policy.source.impl";
        String str2 = rangerPluginConfig.get(str);
        if (!StringUtils.isEmpty(str2)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("Value for property[%s] was [%s].", str, str2));
            }
            try {
                rangerAdminClient = (RangerAdminClient) Class.forName(str2).newInstance();
            } catch (Exception e) {
                LOG.error("failed to instantiate policy source of type '" + str2 + "'. Will use policy source of type '" + RangerAdminRESTClient.class.getName() + "'", e);
            }
        } else if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("Value for property[%s] was null or empty. Unexpected! Will use policy source of type[%s]", str, RangerAdminRESTClient.class.getName()));
        }
        if (rangerAdminClient == null) {
            rangerAdminClient = new RangerAdminRESTClient();
        }
        rangerAdminClient.init(rangerPluginConfig.getServiceName(), rangerPluginConfig.getAppId(), rangerPluginConfig.getPropertyPrefix(), rangerPluginConfig);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.createAdminClient(" + rangerPluginConfig.getServiceName() + ", " + rangerPluginConfig.getAppId() + ", " + rangerPluginConfig.getPropertyPrefix() + "): policySourceImpl=" + str2 + ", client=" + rangerAdminClient);
        }
        return rangerAdminClient;
    }

    public void refreshPoliciesAndTags() {
        RangerTagEnricher tagEnricher;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> refreshPoliciesAndTags()");
        }
        try {
            long policyVersion = this.policyEngine.getPolicyVersion();
            if (this.refresher != null) {
                this.refresher.syncPoliciesWithAdmin(this.accessTrigger);
            }
            if (policyVersion == this.policyEngine.getPolicyVersion() && (tagEnricher = getTagEnricher()) != null) {
                tagEnricher.syncTagsWithAdmin(this.accessTrigger);
            }
        } catch (InterruptedException e) {
            LOG.error("Failed to update policy-engine, continuing to use old policy-engine and/or tags", e);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== refreshPoliciesAndTags()");
        }
    }

    private void auditGrantRevoke(GrantRevokeRequest grantRevokeRequest, String str, boolean z, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (grantRevokeRequest == null || rangerAccessResultProcessor == null) {
            return;
        }
        RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl();
        rangerAccessRequestImpl.setResource(new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRevokeRequest.getResource())));
        rangerAccessRequestImpl.setUser(grantRevokeRequest.getGrantor());
        rangerAccessRequestImpl.setAccessType(RangerPolicyEngine.ANY_ACCESS);
        rangerAccessRequestImpl.setAction(str);
        rangerAccessRequestImpl.setClientIPAddress(grantRevokeRequest.getClientIPAddress());
        rangerAccessRequestImpl.setClientType(grantRevokeRequest.getClientType());
        rangerAccessRequestImpl.setRequestData(grantRevokeRequest.getRequestData());
        rangerAccessRequestImpl.setSessionId(grantRevokeRequest.getSessionId());
        RangerAccessResult isAccessAllowed = isAccessAllowed(rangerAccessRequestImpl, (RangerAccessResultProcessor) null);
        if (isAccessAllowed == null || !isAccessAllowed.getIsAudited()) {
            return;
        }
        rangerAccessRequestImpl.setAccessType(str);
        isAccessAllowed.setIsAllowed(z);
        if (!z) {
            isAccessAllowed.setPolicyId(-1L);
        }
        rangerAccessResultProcessor.processResult(isAccessAllowed);
    }

    private RangerServiceDef getDefaultServiceDef() {
        RangerServiceDef rangerServiceDef = null;
        if (StringUtils.isNotBlank(getServiceType())) {
            try {
                rangerServiceDef = EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(getServiceType());
            } catch (Exception e) {
                LOG.error("Could not get embedded service-def for " + getServiceType());
            }
        }
        return rangerServiceDef;
    }

    private ServicePolicies getDefaultSvcPolicies() {
        ServicePolicies servicePolicies = null;
        RangerServiceDef serviceDef = getServiceDef();
        if (serviceDef == null) {
            serviceDef = getDefaultServiceDef();
        }
        if (serviceDef != null) {
            servicePolicies = new ServicePolicies();
            servicePolicies.setServiceDef(serviceDef);
            servicePolicies.setServiceName(getServiceName());
            servicePolicies.setPolicies(new ArrayList());
        }
        return servicePolicies;
    }

    public boolean logErrorMessage(String str) {
        LogHistory logHistory = this.logHistoryList.get(str);
        if (logHistory == null) {
            logHistory = new LogHistory();
            this.logHistoryList.put(str, logHistory);
        }
        if (System.currentTimeMillis() - logHistory.lastLogTime <= 30000) {
            logHistory.counter++;
            return false;
        }
        logHistory.lastLogTime = System.currentTimeMillis();
        int i = logHistory.counter;
        logHistory.counter = 0;
        if (i > 0) {
            str = str + ". Messages suppressed before: " + i;
        }
        LOG.error(str);
        return true;
    }

    private Set<String> toSet(String str) {
        return StringUtils.isNotBlank(str) ? StringUtil.toSet(str) : Collections.emptySet();
    }

    public RangerTagEnricher getTagEnricher() {
        RangerTagEnricher rangerTagEnricher = null;
        RangerAuthContext currentRangerAuthContext = getCurrentRangerAuthContext();
        if (currentRangerAuthContext != null) {
            Map<RangerContextEnricher, Object> requestContextEnrichers = currentRangerAuthContext.getRequestContextEnrichers();
            if (MapUtils.isNotEmpty(requestContextEnrichers)) {
                Iterator<RangerContextEnricher> it = requestContextEnrichers.keySet().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    RangerContextEnricher next = it.next();
                    if (next instanceof RangerTagEnricher) {
                        rangerTagEnricher = (RangerTagEnricher) next;
                        break;
                    }
                }
            }
        }
        return rangerTagEnricher;
    }

    public RangerUserStoreEnricher getUserStoreEnricher() {
        RangerUserStoreEnricher rangerUserStoreEnricher = null;
        RangerAuthContext currentRangerAuthContext = getCurrentRangerAuthContext();
        if (currentRangerAuthContext != null) {
            Map<RangerContextEnricher, Object> requestContextEnrichers = currentRangerAuthContext.getRequestContextEnrichers();
            if (MapUtils.isNotEmpty(requestContextEnrichers)) {
                Iterator<RangerContextEnricher> it = requestContextEnrichers.keySet().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    RangerContextEnricher next = it.next();
                    if (next instanceof RangerUserStoreEnricher) {
                        rangerUserStoreEnricher = (RangerUserStoreEnricher) next;
                        rangerUserStoreEnricher.getRangerUserStore();
                        break;
                    }
                }
            }
        }
        return rangerUserStoreEnricher;
    }

    public static RangerResourceACLs getMergedResourceACLs(RangerResourceACLs rangerResourceACLs, RangerResourceACLs rangerResourceACLs2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.getMergedResourceACLs()");
            LOG.debug("baseACLs:[" + rangerResourceACLs + "]");
            LOG.debug("chainedACLS:[" + rangerResourceACLs2 + "]");
        }
        overrideACLs(rangerResourceACLs2, rangerResourceACLs, RangerRolesUtil.ROLES_FOR.USER);
        overrideACLs(rangerResourceACLs2, rangerResourceACLs, RangerRolesUtil.ROLES_FOR.GROUP);
        overrideACLs(rangerResourceACLs2, rangerResourceACLs, RangerRolesUtil.ROLES_FOR.ROLE);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.getMergedResourceACLs() : ret:[" + rangerResourceACLs + "]");
        }
        return rangerResourceACLs;
    }

    private RangerAdminClient getAdminClient() throws Exception {
        PolicyRefresher policyRefresher = this.refresher;
        RangerAdminClient rangerAdminClient = policyRefresher == null ? null : policyRefresher.getRangerAdminClient();
        if (rangerAdminClient == null) {
            throw new Exception("ranger-admin client is null");
        }
        return rangerAdminClient;
    }

    private List<RangerChainedPlugin> initChainedPlugins() {
        ArrayList arrayList = new ArrayList();
        String str = this.pluginConfig.getPropertyPrefix() + ".chained.services";
        for (String str2 : StringUtil.toList(this.pluginConfig.get(str))) {
            if (!StringUtils.isBlank(str2)) {
                String str3 = this.pluginConfig.get(str + "." + str2 + ".impl");
                if (StringUtils.isBlank(str3)) {
                    LOG.error("Ignoring chained service " + str2 + ": no impl class specified");
                } else {
                    try {
                        arrayList.add((RangerChainedPlugin) Class.forName(str3).getConstructor(RangerBasePlugin.class, String.class).newInstance(this, str2));
                    } catch (Throwable th) {
                        LOG.error("initChainedPlugins(): error instantiating plugin impl " + str3, th);
                    }
                }
            }
        }
        return arrayList;
    }

    private void updateResultFromChainedResult(RangerAccessResult rangerAccessResult, RangerAccessResult rangerAccessResult2) {
        boolean z = false;
        int policyType = rangerAccessResult.getPolicyType();
        if (rangerAccessResult2.getIsAccessDetermined()) {
            z = rangerAccessResult2.getPolicyPriority() > rangerAccessResult.getPolicyPriority() || !rangerAccessResult.getIsAccessDetermined() || (!rangerAccessResult.getIsAllowed() && rangerAccessResult.getPolicyId() == -1);
            if (!z && rangerAccessResult2.getPolicyPriority() == rangerAccessResult.getPolicyPriority() && !rangerAccessResult2.getIsAllowed() && rangerAccessResult2.getPolicyId() != -1 && rangerAccessResult.getIsAllowed()) {
                z = true;
            }
        }
        if (z) {
            rangerAccessResult.setIsAllowed(rangerAccessResult2.getIsAllowed());
            rangerAccessResult.setIsAccessDetermined(rangerAccessResult2.getIsAccessDetermined());
            rangerAccessResult.setPolicyId(rangerAccessResult2.getPolicyId());
            rangerAccessResult.setPolicyVersion(rangerAccessResult2.getPolicyVersion());
            rangerAccessResult.setPolicyPriority(rangerAccessResult2.getPolicyPriority());
            rangerAccessResult.setZoneName(rangerAccessResult2.getZoneName());
            if (policyType == 1) {
                rangerAccessResult.setMaskType(rangerAccessResult2.getMaskType());
                rangerAccessResult.setMaskCondition(rangerAccessResult2.getMaskCondition());
                rangerAccessResult.setMaskedValue(rangerAccessResult2.getMaskedValue());
            } else if (policyType == 2) {
                rangerAccessResult.setFilterExpr(rangerAccessResult2.getFilterExpr());
            }
        }
        if (rangerAccessResult.getIsAuditedDetermined() || !rangerAccessResult2.getIsAuditedDetermined()) {
            return;
        }
        rangerAccessResult.setIsAudited(rangerAccessResult2.getIsAudited());
        rangerAccessResult.setAuditPolicyId(rangerAccessResult2.getAuditPolicyId());
    }

    private static void overrideACLs(RangerResourceACLs rangerResourceACLs, RangerResourceACLs rangerResourceACLs2, RangerRolesUtil.ROLES_FOR roles_for) {
        boolean z;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerBasePlugin.overrideACLs(isUser=" + roles_for.name() + ")");
        }
        Map<String, Map<String, RangerResourceACLs.AccessResult>> map = null;
        Map<String, Map<String, RangerResourceACLs.AccessResult>> map2 = null;
        switch (roles_for) {
            case USER:
                map = rangerResourceACLs.getUserACLs();
                map2 = rangerResourceACLs2.getUserACLs();
                break;
            case GROUP:
                map = rangerResourceACLs.getGroupACLs();
                map2 = rangerResourceACLs2.getGroupACLs();
                break;
            case ROLE:
                map = rangerResourceACLs.getRoleACLs();
                map2 = rangerResourceACLs2.getRoleACLs();
                break;
        }
        for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : map.entrySet()) {
            String key = entry.getKey();
            Map<String, RangerResourceACLs.AccessResult> value = entry.getValue();
            Map<String, RangerResourceACLs.AccessResult> map3 = map2.get(key);
            for (Map.Entry<String, RangerResourceACLs.AccessResult> entry2 : value.entrySet()) {
                String key2 = entry2.getKey();
                RangerResourceACLs.AccessResult value2 = entry2.getValue();
                RangerResourceACLs.AccessResult accessResult = map3 == null ? null : map3.get(key2);
                if (accessResult == null) {
                    z = true;
                } else if (value2.getPolicy().getPolicyPriority().intValue() > accessResult.getPolicy().getPolicyPriority().intValue()) {
                    z = true;
                } else if (!value2.getPolicy().getPolicyPriority().equals(accessResult.getPolicy().getPolicyPriority())) {
                    z = false;
                } else if (value2.getResult() == accessResult.getResult()) {
                    z = true;
                } else {
                    z = value2.getResult() == RangerPolicyEvaluator.ACCESS_DENIED.intValue();
                }
                RangerResourceACLs.AccessResult accessResult2 = z ? value2 : accessResult;
                switch (roles_for) {
                    case USER:
                        rangerResourceACLs2.setUserAccessInfo(key, key2, Integer.valueOf(accessResult2.getResult()), accessResult2.getPolicy());
                        break;
                    case GROUP:
                        rangerResourceACLs2.setGroupAccessInfo(key, key2, Integer.valueOf(accessResult2.getResult()), accessResult2.getPolicy());
                        break;
                    case ROLE:
                        rangerResourceACLs2.setRoleAccessInfo(key, key2, Integer.valueOf(accessResult2.getResult()), accessResult2.getPolicy());
                        break;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerBasePlugin.mergeACLsOneWay(isUser=" + roles_for.name() + ")");
        }
    }

    private static AuditProviderFactory getAuditProviderFactory(String str) {
        AuditProviderFactory auditProviderFactory = AuditProviderFactory.getInstance();
        if (!auditProviderFactory.isInitDone()) {
            LOG.warn("RangerBasePlugin.getAuditProviderFactory(serviceName=" + str + "): audit not initialized yet. Will use stand-alone audit factory");
            auditProviderFactory = StandAloneAuditProviderFactory.getInstance();
            if (!auditProviderFactory.isInitDone()) {
                RangerAuditConfig rangerAuditConfig = new RangerAuditConfig();
                if (rangerAuditConfig.isInitSuccess()) {
                    auditProviderFactory.init(rangerAuditConfig.getProperties(), "StandAlone");
                }
            }
        }
        return auditProviderFactory;
    }
}
