package org.apache.ranger.plugin.policyevaluator;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.conditionevaluator.RangerAbstractConditionEvaluator;
import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerValiditySchedule;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestWrapper;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.policyengine.RangerTagAccessRequest;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.class */
public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
    private static final Logger LOG = LoggerFactory.getLogger(RangerDefaultPolicyEvaluator.class);
    private static final Logger PERF_POLICY_INIT_LOG = RangerPerfTracer.getPerfLogger("policy.init");
    private static final Logger PERF_POLICY_INIT_ACLSUMMARY_LOG = RangerPerfTracer.getPerfLogger("policy.init.ACLSummary");
    private static final Logger PERF_POLICY_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policy.request");
    private static final Logger PERF_POLICYCONDITION_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policycondition.request");
    private List<RangerValidityScheduleEvaluator> validityScheduleEvaluators;
    private List<RangerPolicyItemEvaluator> allowEvaluators;
    private List<RangerPolicyItemEvaluator> denyEvaluators;
    private List<RangerPolicyItemEvaluator> allowExceptionEvaluators;
    private List<RangerPolicyItemEvaluator> denyExceptionEvaluators;
    private int customConditionsCount;
    private List<RangerDataMaskPolicyItemEvaluator> dataMaskEvaluators;
    private List<RangerRowFilterPolicyItemEvaluator> rowFilterEvaluators;
    private List<RangerConditionEvaluator> conditionEvaluators;
    private String perfTag;
    private RangerPolicyEvaluator.PolicyACLSummary aclSummary = null;
    private boolean useAclSummaryForEvaluation = false;
    private boolean disableRoleResolution = true;

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public int getCustomConditionsCount() {
        return this.customConditionsCount;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public int getValidityScheduleEvaluatorsCount() {
        return this.validityScheduleEvaluators.size();
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerAbstractPolicyEvaluator, org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void init(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
        }
        StringBuilder sb = new StringBuilder();
        if (rangerPolicy != null) {
            sb.append("policyId=").append(rangerPolicy.getId()).append(", policyName=").append(rangerPolicy.getName());
        }
        this.perfTag = sb.toString();
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.init(" + this.perfTag + ")");
        }
        super.init(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions);
        RangerPolicy policy = getPolicy();
        preprocessPolicy(policy, rangerServiceDef);
        if (policy != null) {
            this.validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
            this.disableRoleResolution = rangerPolicyEngineOptions.disableRoleResolution;
            if (!rangerPolicyEngineOptions.disableAccessEvaluationWithPolicyACLSummary) {
                this.aclSummary = createPolicyACLSummary();
            }
            this.useAclSummaryForEvaluation = this.aclSummary != null;
            if (this.useAclSummaryForEvaluation) {
                this.allowEvaluators = Collections.emptyList();
                this.denyEvaluators = Collections.emptyList();
                this.allowExceptionEvaluators = Collections.emptyList();
                this.denyExceptionEvaluators = Collections.emptyList();
            } else {
                this.allowEvaluators = createPolicyItemEvaluators(policy, rangerServiceDef, rangerPolicyEngineOptions, 0);
                if (ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(rangerServiceDef, getPluginContext())) {
                    this.denyEvaluators = createPolicyItemEvaluators(policy, rangerServiceDef, rangerPolicyEngineOptions, 1);
                    this.allowExceptionEvaluators = createPolicyItemEvaluators(policy, rangerServiceDef, rangerPolicyEngineOptions, 2);
                    this.denyExceptionEvaluators = createPolicyItemEvaluators(policy, rangerServiceDef, rangerPolicyEngineOptions, 3);
                } else {
                    this.denyEvaluators = Collections.emptyList();
                    this.allowExceptionEvaluators = Collections.emptyList();
                    this.denyExceptionEvaluators = Collections.emptyList();
                }
            }
            this.dataMaskEvaluators = createDataMaskPolicyItemEvaluators(policy, rangerServiceDef, rangerPolicyEngineOptions, policy.getDataMaskPolicyItems());
            this.rowFilterEvaluators = createRowFilterPolicyItemEvaluators(policy, rangerServiceDef, rangerPolicyEngineOptions, policy.getRowFilterPolicyItems());
            this.conditionEvaluators = createRangerPolicyConditionEvaluator(policy, rangerServiceDef, rangerPolicyEngineOptions);
        } else {
            this.validityScheduleEvaluators = Collections.emptyList();
            this.allowEvaluators = Collections.emptyList();
            this.denyEvaluators = Collections.emptyList();
            this.allowExceptionEvaluators = Collections.emptyList();
            this.denyExceptionEvaluators = Collections.emptyList();
            this.dataMaskEvaluators = Collections.emptyList();
            this.rowFilterEvaluators = Collections.emptyList();
            this.conditionEvaluators = Collections.emptyList();
        }
        RangerPolicyItemEvaluator.EvalOrderComparator evalOrderComparator = new RangerPolicyItemEvaluator.EvalOrderComparator();
        Collections.sort(this.allowEvaluators, evalOrderComparator);
        Collections.sort(this.denyEvaluators, evalOrderComparator);
        Collections.sort(this.allowExceptionEvaluators, evalOrderComparator);
        Collections.sort(this.denyExceptionEvaluators, evalOrderComparator);
        RangerPerfTracer.log(rangerPerfTracer);
        if (this.useAclSummaryForEvaluation && (policy.getPolicyType() == null || policy.getPolicyType().intValue() == 0)) {
            LOG.info("PolicyEvaluator for policy:[" + policy.getId() + "] is set up to use ACL Summary to evaluate access");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
        }
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isApplicable(Date date) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isApplicable(" + date + ")");
        }
        boolean z = false;
        if (date == null || !CollectionUtils.isNotEmpty(this.validityScheduleEvaluators)) {
            z = true;
        } else {
            Iterator<RangerValidityScheduleEvaluator> it = this.validityScheduleEvaluators.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (it.next().isApplicable(date.getTime())) {
                    z = true;
                    break;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isApplicable(" + date + ") : " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void evaluate(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        RangerPolicyResourceMatcher.MatchType matchType;
        boolean z;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicy().getId() + ", " + rangerAccessRequest + ", " + rangerAccessResult + ")");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + "," + this.perfTag + ")");
        }
        if (rangerAccessRequest != null && rangerAccessResult != null) {
            Iterator<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> it = getResourceEvaluators().iterator();
            while (it.hasNext()) {
                RangerPolicyResourceMatcher policyResourceMatcher = it.next().getPolicyResourceMatcher();
                if (!rangerAccessResult.getIsAccessDetermined() || !rangerAccessResult.getIsAuditedDetermined()) {
                    if (RangerTagAccessRequest.class.isInstance(rangerAccessRequest)) {
                        matchType = ((RangerTagAccessRequest) rangerAccessRequest).getMatchType();
                        if (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
                            matchType = RangerPolicyResourceMatcher.MatchType.SELF;
                        }
                    } else {
                        if (rangerAccessRequest.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_CHILD) {
                            rangerAccessRequest.getContext().put(RangerAccessRequest.RANGER_ACCESS_REQUEST_SCOPE_STRING, RangerAccessRequest.ResourceMatchingScope.SELF_OR_CHILD);
                        }
                        matchType = policyResourceMatcher != null ? policyResourceMatcher.getMatchType(rangerAccessRequest.getResource(), rangerAccessRequest.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
                        rangerAccessRequest.getContext().remove(RangerAccessRequest.RANGER_ACCESS_REQUEST_SCOPE_STRING);
                    }
                    if (rangerAccessRequest.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(rangerAccessRequest.getContext()).booleanValue()) {
                        z = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
                    } else if (rangerAccessRequest.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                        z = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
                    } else {
                        z = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
                    }
                    if (z && matchPolicyCustomConditions(rangerAccessRequest)) {
                        if (!rangerAccessResult.getIsAuditedDetermined() && isAuditEnabled()) {
                            rangerAccessResult.setIsAudited(true);
                            rangerAccessResult.setAuditPolicyId(getPolicy().getId().longValue());
                        }
                        if (!rangerAccessResult.getIsAccessDetermined() && hasMatchablePolicyItem(rangerAccessRequest)) {
                            evaluatePolicyItems(rangerAccessRequest, matchType, rangerAccessResult);
                        }
                    }
                }
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(policyId=" + getPolicy().getId() + ", " + rangerAccessRequest + ", " + rangerAccessResult + ")");
        }
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isMatch(RangerAccessResource rangerAccessResource, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + rangerAccessResource + ", " + map + ")");
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isMatch(resource=" + rangerAccessResource.getAsString() + "," + map + "," + this.perfTag + ")");
        }
        Iterator<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> it = getResourceEvaluators().iterator();
        while (it.hasNext()) {
            RangerPolicyResourceMatcher policyResourceMatcher = it.next().getPolicyResourceMatcher();
            z = policyResourceMatcher != null && policyResourceMatcher.isMatch(rangerAccessResource, map);
            if (z) {
                break;
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + rangerAccessResource + ", " + map + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isCompleteMatch(RangerAccessResource rangerAccessResource, Map<String, Object> map) {
        boolean z;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + rangerAccessResource + ", " + map + ")");
        }
        List<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> resourceEvaluators = getResourceEvaluators();
        if (resourceEvaluators.size() == 1) {
            RangerPolicyResourceMatcher policyResourceMatcher = resourceEvaluators.get(0).getPolicyResourceMatcher();
            z = policyResourceMatcher != null && policyResourceMatcher.isCompleteMatch(rangerAccessResource, map);
        } else {
            z = false;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + rangerAccessResource + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isCompleteMatch(Map<String, RangerPolicy.RangerPolicyResource> map, List<Map<String, RangerPolicy.RangerPolicyResource>> list, Map<String, Object> map2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + map + ", " + map2 + ")");
        }
        boolean z = false;
        List<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> resourceEvaluators = getResourceEvaluators();
        for (int i = 0; i < resourceEvaluators.size(); i++) {
            RangerPolicyResourceMatcher policyResourceMatcher = resourceEvaluators.get(i).getPolicyResourceMatcher();
            Map<String, RangerPolicy.RangerPolicyResource> map3 = null;
            if (i == 0) {
                map3 = map;
            } else if (list != null && list.size() >= i) {
                map3 = list.get(i - 1);
            }
            z = (policyResourceMatcher == null || map3 == null || !policyResourceMatcher.isCompleteMatch(map3, map2)) ? false : true;
            if (!z) {
                break;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + map + ", " + map2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public Set<String> getAllowedAccesses(RangerAccessResource rangerAccessResource, String str, Set<String> set, Set<String> set2, Set<String> set3) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getAllowedAccesses(" + rangerAccessResource + ", " + str + ", " + set + ", " + set2 + ", " + set3 + ")");
        }
        HashSet hashSet = null;
        if (isMatch(rangerAccessResource, (Map<String, Object>) null)) {
            hashSet = new HashSet();
            for (String str2 : set3) {
                if (isAccessAllowed(str, set, set2, rangerAccessResource.getOwnerUser(), str2)) {
                    hashSet.add(str2);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getAllowedAccesses(" + rangerAccessResource + ", " + str + ", " + set + ", " + set2 + ", " + set3 + "): " + hashSet);
        }
        return hashSet;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public Set<String> getAllowedAccesses(Map<String, RangerPolicy.RangerPolicyResource> map, String str, Set<String> set, Set<String> set2, Set<String> set3, Map<String, Object> map2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getAllowedAccesses(" + getPolicy().getId() + ", " + str + ", " + set + ", " + set2 + ", " + set3 + ", " + map2 + ")");
        }
        HashSet hashSet = null;
        if (isMatch(map, map2)) {
            if (CollectionUtils.isNotEmpty(set3)) {
                hashSet = new HashSet();
                for (String str2 : set3) {
                    if (isAccessAllowed(str, set, set2, (String) null, str2)) {
                        hashSet.add(str2);
                    }
                }
            } else if (isAccessAllowed(str, set, set2, (String) null, (String) null)) {
                hashSet = new HashSet();
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getAllowedAccesses(" + getPolicy().getId() + ", " + str + ", " + set + ", " + set2 + ", " + set3 + ", " + map2 + "): " + hashSet);
        }
        return hashSet;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public boolean isAccessAllowed(Map<String, RangerPolicy.RangerPolicyResource> map, List<Map<String, RangerPolicy.RangerPolicyResource>> list, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + map + ", " + str + ", " + set + ", " + str2 + ")");
        }
        boolean z = isAccessAllowed(str, set, (Set<String>) null, (String) null, str2) && isMatch(map, (Map<String, Object>) null);
        if (z && list != null) {
            Iterator<Map<String, RangerPolicy.RangerPolicyResource>> it = list.iterator();
            while (it.hasNext()) {
                z = isMatch(it.next(), (Map<String, Object>) null);
                if (!z) {
                    break;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + map + ", " + str + ", " + set + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void getResourceAccessInfo(RangerAccessRequest rangerAccessRequest, RangerResourceAccessInfo rangerResourceAccessInfo) {
        RangerPolicyResourceMatcher.MatchType matchType;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + rangerAccessRequest + ", " + rangerResourceAccessInfo + ")");
        }
        Iterator<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> it = getResourceEvaluators().iterator();
        while (it.hasNext()) {
            RangerPolicyResourceMatcher policyResourceMatcher = it.next().getPolicyResourceMatcher();
            if (RangerTagAccessRequest.class.isInstance(rangerAccessRequest)) {
                matchType = ((RangerTagAccessRequest) rangerAccessRequest).getMatchType();
            } else {
                matchType = policyResourceMatcher != null ? policyResourceMatcher.getMatchType(rangerAccessRequest.getResource(), rangerAccessRequest.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
            }
            if (matchType != RangerPolicyResourceMatcher.MatchType.NONE) {
                if (CollectionUtils.isNotEmpty(this.allowEvaluators)) {
                    Set<String> hashSet = new HashSet<>();
                    Set<String> hashSet2 = new HashSet<>();
                    getResourceAccessInfo(rangerAccessRequest, this.allowEvaluators, hashSet, hashSet2);
                    if (CollectionUtils.isNotEmpty(this.allowExceptionEvaluators)) {
                        Set<String> hashSet3 = new HashSet<>();
                        Set<String> hashSet4 = new HashSet<>();
                        getResourceAccessInfo(rangerAccessRequest, this.allowExceptionEvaluators, hashSet3, hashSet4);
                        hashSet.removeAll(hashSet3);
                        hashSet2.removeAll(hashSet4);
                    }
                    rangerResourceAccessInfo.getAllowedUsers().addAll(hashSet);
                    rangerResourceAccessInfo.getAllowedGroups().addAll(hashSet2);
                }
                if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT && CollectionUtils.isNotEmpty(this.denyEvaluators)) {
                    Set<String> hashSet5 = new HashSet<>();
                    Set<String> hashSet6 = new HashSet<>();
                    getResourceAccessInfo(rangerAccessRequest, this.denyEvaluators, hashSet5, hashSet6);
                    if (CollectionUtils.isNotEmpty(this.denyExceptionEvaluators)) {
                        Set<String> hashSet7 = new HashSet<>();
                        Set<String> hashSet8 = new HashSet<>();
                        getResourceAccessInfo(rangerAccessRequest, this.denyExceptionEvaluators, hashSet7, hashSet8);
                        hashSet5.removeAll(hashSet7);
                        hashSet6.removeAll(hashSet8);
                    }
                    rangerResourceAccessInfo.getDeniedUsers().addAll(hashSet5);
                    rangerResourceAccessInfo.getDeniedGroups().addAll(hashSet6);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + rangerAccessRequest + ", " + rangerResourceAccessInfo + ")");
        }
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerAbstractPolicyEvaluator, org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public RangerPolicyEvaluator.PolicyACLSummary getPolicyACLSummary() {
        if (this.aclSummary == null) {
            this.aclSummary = createPolicyACLSummary(true);
        }
        return this.aclSummary;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator
    public void updateAccessResult(RangerAccessResult rangerAccessResult, RangerPolicyResourceMatcher.MatchType matchType, boolean z, String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.updateAccessResult(" + rangerAccessResult + ", " + matchType + ", " + z + ", " + str + ", " + getPolicyId() + ")");
        }
        if (z) {
            if (!rangerAccessResult.getIsAllowed() && matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
                rangerAccessResult.setIsAllowed(true);
                rangerAccessResult.setPolicyPriority(getPolicyPriority());
                rangerAccessResult.setPolicyId(getPolicyId());
                rangerAccessResult.setReason(str);
                rangerAccessResult.setPolicyVersion(getPolicy().getVersion());
            }
        } else if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
            rangerAccessResult.setIsAllowed(false);
            rangerAccessResult.setPolicyPriority(getPolicyPriority());
            rangerAccessResult.setPolicyId(getPolicyId());
            rangerAccessResult.setReason(str);
            rangerAccessResult.setPolicyVersion(getPolicy().getVersion());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.updateAccessResult(" + rangerAccessResult + ", " + matchType + ", " + z + ", " + str + ", " + getPolicyId() + ")");
        }
    }

    private RangerPolicyEvaluator.PolicyACLSummary createPolicyACLSummary() {
        return createPolicyACLSummary(false);
    }

    private RangerPolicyEvaluator.PolicyACLSummary createPolicyACLSummary(boolean z) {
        Set<String> set;
        RangerPolicyEvaluator.PolicyACLSummary policyACLSummary = null;
        RangerPerfTracer perfTracer = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_ACLSUMMARY_LOG) ? RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_ACLSUMMARY_LOG, "RangerPolicyEvaluator.init.ACLSummary(" + this.perfTag + ")") : null;
        RangerPolicy policy = (this.disableRoleResolution || !hasRoles(getPolicy())) ? getPolicy() : getPolicyWithRolesResolved(getPolicy());
        boolean hasNonPublicGroupOrConditions = hasNonPublicGroupOrConditions(policy.getAllowExceptions());
        boolean hasNonPublicGroupOrConditions2 = hasNonPublicGroupOrConditions(policy.getDenyExceptions());
        boolean hasPublicGroupAndUserInException = hasPublicGroupAndUserInException(policy.getPolicyItems(), policy.getAllowExceptions());
        boolean hasPublicGroupAndUserInException2 = hasPublicGroupAndUserInException(policy.getDenyPolicyItems(), policy.getDenyExceptions());
        if (((hasNonPublicGroupOrConditions || hasNonPublicGroupOrConditions2 || hasPublicGroupAndUserInException || hasPublicGroupAndUserInException2 || hasContextSensitiveSpecification() || hasRoles(policy)) ? false : true) || z) {
            policyACLSummary = new RangerPolicyEvaluator.PolicyACLSummary();
            Iterator<RangerPolicy.RangerPolicyItem> it = policy.getDenyPolicyItems().iterator();
            while (it.hasNext()) {
                policyACLSummary.processPolicyItem(it.next(), 1, hasNonPublicGroupOrConditions2 || hasPublicGroupAndUserInException2);
            }
            if (!hasNonPublicGroupOrConditions2 && !hasPublicGroupAndUserInException2) {
                Iterator<RangerPolicy.RangerPolicyItem> it2 = policy.getDenyExceptions().iterator();
                while (it2.hasNext()) {
                    policyACLSummary.processPolicyItem(it2.next(), 3, false);
                }
            }
            Iterator<RangerPolicy.RangerPolicyItem> it3 = policy.getPolicyItems().iterator();
            while (it3.hasNext()) {
                policyACLSummary.processPolicyItem(it3.next(), 0, hasNonPublicGroupOrConditions || hasPublicGroupAndUserInException);
            }
            if (!hasNonPublicGroupOrConditions && !hasPublicGroupAndUserInException) {
                Iterator<RangerPolicy.RangerPolicyItem> it4 = policy.getAllowExceptions().iterator();
                while (it4.hasNext()) {
                    policyACLSummary.processPolicyItem(it4.next(), 2, false);
                }
            }
            Iterator<RangerPolicy.RangerRowFilterPolicyItem> it5 = policy.getRowFilterPolicyItems().iterator();
            while (it5.hasNext()) {
                policyACLSummary.processRowFilterPolicyItem(it5.next());
            }
            Iterator<RangerPolicy.RangerDataMaskPolicyItem> it6 = policy.getDataMaskPolicyItems().iterator();
            while (it6.hasNext()) {
                policyACLSummary.processDataMaskPolicyItem(it6.next());
            }
            boolean equals = Boolean.TRUE.equals(policy.getIsDenyAllElse());
            if (equals) {
                set = new HashSet();
                for (RangerServiceDef.RangerAccessTypeDef rangerAccessTypeDef : getServiceDef().getAccessTypes()) {
                    if (!StringUtils.equalsIgnoreCase(rangerAccessTypeDef.getName(), "all")) {
                        set.add(rangerAccessTypeDef.getName());
                    }
                }
            } else {
                set = Collections.EMPTY_SET;
            }
            policyACLSummary.finalizeAcls(equals, set);
        }
        RangerPerfTracer.logAlways(perfTracer);
        return policyACLSummary;
    }

    private RangerPolicy getPolicyWithRolesResolved(RangerPolicy rangerPolicy) {
        RangerPolicy rangerPolicy2 = new RangerPolicy();
        rangerPolicy2.updateFrom(rangerPolicy);
        rangerPolicy2.setId(rangerPolicy.getId());
        rangerPolicy2.setGuid(rangerPolicy.getGuid());
        rangerPolicy2.setVersion(rangerPolicy.getVersion());
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        ArrayList arrayList3 = new ArrayList();
        ArrayList arrayList4 = new ArrayList();
        ArrayList arrayList5 = new ArrayList();
        ArrayList arrayList6 = new ArrayList();
        for (RangerPolicy.RangerPolicyItem rangerPolicyItem : rangerPolicy.getPolicyItems()) {
            RangerPolicy.RangerPolicyItem rangerPolicyItem2 = new RangerPolicy.RangerPolicyItem(rangerPolicyItem.getAccesses(), rangerPolicyItem.getUsers(), rangerPolicyItem.getGroups(), rangerPolicyItem.getRoles(), rangerPolicyItem.getConditions(), rangerPolicyItem.getDelegateAdmin());
            getPolicyItemWithRolesResolved(rangerPolicyItem2, rangerPolicyItem);
            arrayList.add(rangerPolicyItem2);
        }
        rangerPolicy2.setPolicyItems(arrayList);
        for (RangerPolicy.RangerPolicyItem rangerPolicyItem3 : rangerPolicy.getDenyPolicyItems()) {
            RangerPolicy.RangerPolicyItem rangerPolicyItem4 = new RangerPolicy.RangerPolicyItem(rangerPolicyItem3.getAccesses(), rangerPolicyItem3.getUsers(), rangerPolicyItem3.getGroups(), rangerPolicyItem3.getRoles(), rangerPolicyItem3.getConditions(), rangerPolicyItem3.getDelegateAdmin());
            getPolicyItemWithRolesResolved(rangerPolicyItem4, rangerPolicyItem3);
            arrayList2.add(rangerPolicyItem4);
        }
        rangerPolicy2.setDenyPolicyItems(arrayList2);
        for (RangerPolicy.RangerPolicyItem rangerPolicyItem5 : rangerPolicy.getAllowExceptions()) {
            RangerPolicy.RangerPolicyItem rangerPolicyItem6 = new RangerPolicy.RangerPolicyItem(rangerPolicyItem5.getAccesses(), rangerPolicyItem5.getUsers(), rangerPolicyItem5.getGroups(), rangerPolicyItem5.getRoles(), rangerPolicyItem5.getConditions(), rangerPolicyItem5.getDelegateAdmin());
            getPolicyItemWithRolesResolved(rangerPolicyItem6, rangerPolicyItem5);
            arrayList3.add(rangerPolicyItem6);
        }
        rangerPolicy2.setAllowExceptions(arrayList3);
        for (RangerPolicy.RangerPolicyItem rangerPolicyItem7 : rangerPolicy.getDenyExceptions()) {
            RangerPolicy.RangerPolicyItem rangerPolicyItem8 = new RangerPolicy.RangerPolicyItem(rangerPolicyItem7.getAccesses(), rangerPolicyItem7.getUsers(), rangerPolicyItem7.getGroups(), rangerPolicyItem7.getRoles(), rangerPolicyItem7.getConditions(), rangerPolicyItem7.getDelegateAdmin());
            getPolicyItemWithRolesResolved(rangerPolicyItem8, rangerPolicyItem7);
            arrayList4.add(rangerPolicyItem8);
        }
        rangerPolicy2.setDenyExceptions(arrayList4);
        for (RangerPolicy.RangerDataMaskPolicyItem rangerDataMaskPolicyItem : rangerPolicy.getDataMaskPolicyItems()) {
            RangerPolicy.RangerDataMaskPolicyItem rangerDataMaskPolicyItem2 = new RangerPolicy.RangerDataMaskPolicyItem(rangerDataMaskPolicyItem.getAccesses(), rangerDataMaskPolicyItem.getDataMaskInfo(), rangerDataMaskPolicyItem.getUsers(), rangerDataMaskPolicyItem.getGroups(), rangerDataMaskPolicyItem.getRoles(), rangerDataMaskPolicyItem.getConditions(), rangerDataMaskPolicyItem.getDelegateAdmin());
            getPolicyItemWithRolesResolved(rangerDataMaskPolicyItem2, rangerDataMaskPolicyItem);
            arrayList5.add(rangerDataMaskPolicyItem2);
        }
        rangerPolicy2.setDataMaskPolicyItems(arrayList5);
        for (RangerPolicy.RangerRowFilterPolicyItem rangerRowFilterPolicyItem : rangerPolicy.getRowFilterPolicyItems()) {
            RangerPolicy.RangerRowFilterPolicyItem rangerRowFilterPolicyItem2 = new RangerPolicy.RangerRowFilterPolicyItem(rangerRowFilterPolicyItem.getRowFilterInfo(), rangerRowFilterPolicyItem.getAccesses(), rangerRowFilterPolicyItem.getUsers(), rangerRowFilterPolicyItem.getGroups(), rangerRowFilterPolicyItem.getRoles(), rangerRowFilterPolicyItem.getConditions(), rangerRowFilterPolicyItem.getDelegateAdmin());
            getPolicyItemWithRolesResolved(rangerRowFilterPolicyItem2, rangerRowFilterPolicyItem);
            arrayList6.add(rangerRowFilterPolicyItem2);
        }
        rangerPolicy2.setRowFilterPolicyItems(arrayList6);
        return rangerPolicy2;
    }

    private void getPolicyItemWithRolesResolved(RangerPolicy.RangerPolicyItem rangerPolicyItem, RangerPolicy.RangerPolicyItem rangerPolicyItem2) {
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        for (String str : rangerPolicyItem2.getRoles()) {
            Set<String> set = getPluginContext().getAuthContext().getRangerRolesUtil().getRoleToUserMapping().get(str);
            Set<String> set2 = getPluginContext().getAuthContext().getRangerRolesUtil().getRoleToGroupMapping().get(str);
            if (CollectionUtils.isNotEmpty(set)) {
                hashSet.addAll(set);
            }
            if (CollectionUtils.isNotEmpty(set2)) {
                hashSet2.addAll(set2);
            }
            if (CollectionUtils.isNotEmpty(hashSet) || CollectionUtils.isNotEmpty(hashSet2)) {
                hashSet.addAll(rangerPolicyItem2.getUsers());
                hashSet2.addAll(rangerPolicyItem2.getGroups());
                rangerPolicyItem.setUsers(new ArrayList(hashSet));
                rangerPolicyItem.setGroups(new ArrayList(hashSet2));
                rangerPolicyItem.setRoles(null);
            }
        }
    }

    private boolean hasPublicGroupAndUserInException(List<RangerPolicy.RangerPolicyItem> list, List<RangerPolicy.RangerPolicyItem> list2) {
        boolean z = false;
        if (CollectionUtils.isNotEmpty(list2)) {
            boolean z2 = false;
            for (RangerPolicy.RangerPolicyItem rangerPolicyItem : list) {
                if (rangerPolicyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC) || rangerPolicyItem.getUsers().contains(RangerPolicyEngine.USER_CURRENT)) {
                    z2 = true;
                    break;
                }
            }
            if (z2) {
                boolean z3 = false;
                for (RangerPolicy.RangerPolicyItem rangerPolicyItem2 : list2) {
                    if (rangerPolicyItem2.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC) || rangerPolicyItem2.getUsers().contains(RangerPolicyEngine.USER_CURRENT)) {
                        z3 = true;
                        break;
                    }
                }
                if (!z3) {
                    z = true;
                }
            }
        }
        return z;
    }

    protected void evaluatePolicyItems(RangerAccessRequest rangerAccessRequest, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult rangerAccessResult) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + rangerAccessRequest + ", " + rangerAccessResult + ", " + matchType + ")");
        }
        if (this.useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType().intValue() == 0)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getPolicyId() + "]");
            }
            Integer num = null;
            if (rangerAccessRequest.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(rangerAccessRequest.getContext()).booleanValue()) {
                num = lookupPolicyACLSummary(rangerAccessRequest.getUser(), rangerAccessRequest.getUserGroups(), rangerAccessRequest.getUserRoles(), RangerPolicyEngine.ANY_ACCESS);
            } else {
                Set<String> allRequestedAccessTypes = RangerAccessRequestUtil.getAllRequestedAccessTypes(rangerAccessRequest);
                if (CollectionUtils.isNotEmpty(allRequestedAccessTypes)) {
                    Iterator<String> it = allRequestedAccessTypes.iterator();
                    while (it.hasNext()) {
                        num = lookupPolicyACLSummary(rangerAccessRequest.getUser(), rangerAccessRequest.getUserGroups(), rangerAccessRequest.getUserRoles(), it.next());
                        if (num == null) {
                            break;
                        }
                    }
                } else {
                    num = lookupPolicyACLSummary(rangerAccessRequest.getUser(), rangerAccessRequest.getUserGroups(), rangerAccessRequest.getUserRoles(), rangerAccessRequest.getAccessType());
                }
            }
            if (num != null) {
                updateAccessResult(rangerAccessResult, matchType, num.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
            } else if (getPolicy().getIsDenyAllElse().booleanValue()) {
                updateAccessResult(rangerAccessResult, matchType, false, "matched deny-all-else policy");
            }
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Using policyItemEvaluators for access evaluation. PolicyId=[" + getPolicyId() + "]");
            }
            Set<String> allRequestedAccessTypes2 = RangerAccessRequestUtil.getAllRequestedAccessTypes(rangerAccessRequest);
            if (CollectionUtils.isNotEmpty(allRequestedAccessTypes2)) {
                RangerAccessResult rangerAccessResult2 = null;
                RangerAccessResult rangerAccessResult3 = null;
                boolean z = false;
                Iterator<String> it2 = allRequestedAccessTypes2.iterator();
                while (true) {
                    if (!it2.hasNext()) {
                        break;
                    }
                    RangerAccessRequestWrapper rangerAccessRequestWrapper = new RangerAccessRequestWrapper(rangerAccessRequest, it2.next());
                    RangerAccessResult rangerAccessResult4 = new RangerAccessResult(rangerAccessResult.getPolicyType(), rangerAccessResult.getServiceName(), rangerAccessResult.getServiceDef(), rangerAccessRequestWrapper);
                    rangerAccessResult4.setAuditResultFrom(rangerAccessResult);
                    RangerPolicyItemEvaluator matchingPolicyItem = getMatchingPolicyItem(rangerAccessRequestWrapper, rangerAccessResult4);
                    if (matchingPolicyItem != null) {
                        matchingPolicyItem.updateAccessResult(this, rangerAccessResult4, matchType);
                    } else if (getPolicy().getIsDenyAllElse().booleanValue() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType().intValue() == 0)) {
                        updateAccessResult(rangerAccessResult4, matchType, false, "matched deny-all-else policy");
                    }
                    if (!rangerAccessRequest.isAccessTypeAny()) {
                        if (rangerAccessResult4.getIsAccessDetermined() && !rangerAccessResult4.getIsAllowed()) {
                            rangerAccessResult2 = rangerAccessResult4;
                            rangerAccessResult3 = null;
                            break;
                        } else if (rangerAccessResult4.getIsAllowed()) {
                            rangerAccessResult3 = z ? null : rangerAccessResult4;
                        } else {
                            z = true;
                            rangerAccessResult3 = null;
                        }
                    } else if (rangerAccessResult4.getIsAllowed()) {
                        rangerAccessResult3 = rangerAccessResult4;
                        rangerAccessResult2 = null;
                        break;
                    } else if (!rangerAccessResult4.getIsAccessDetermined()) {
                        z = true;
                        rangerAccessResult2 = null;
                    } else if (!z && rangerAccessResult2 == null) {
                        rangerAccessResult2 = rangerAccessResult4;
                    }
                }
                if (rangerAccessResult3 != null) {
                    rangerAccessResult.setAccessResultFrom(rangerAccessResult3);
                } else if (rangerAccessResult2 != null) {
                    rangerAccessResult.setAccessResultFrom(rangerAccessResult2);
                }
            } else {
                RangerPolicyItemEvaluator matchingPolicyItem2 = getMatchingPolicyItem(rangerAccessRequest, rangerAccessResult);
                if (matchingPolicyItem2 != null) {
                    matchingPolicyItem2.updateAccessResult(this, rangerAccessResult, matchType);
                } else if (getPolicy().getIsDenyAllElse().booleanValue() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType().intValue() == 0)) {
                    updateAccessResult(rangerAccessResult, matchType, false, "matched deny-all-else policy");
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + rangerAccessRequest + ", " + rangerAccessResult + ", " + matchType + ")");
        }
    }

    private Integer lookupPolicyACLSummary(String str, Set<String> set, Set<String> set2, String str2) {
        Integer lookupAccess = lookupAccess(str, str2, this.aclSummary.getUsersAccessInfo().get(str));
        if (lookupAccess == null) {
            HashSet<String> hashSet = new HashSet();
            hashSet.add(RangerPolicyEngine.GROUP_PUBLIC);
            hashSet.addAll(set);
            for (String str3 : hashSet) {
                lookupAccess = lookupAccess(str3, str2, this.aclSummary.getGroupsAccessInfo().get(str3));
                if (lookupAccess != null) {
                    break;
                }
            }
            if (lookupAccess == null && set2 != null) {
                for (String str4 : set2) {
                    lookupAccess = lookupAccess(str4, str2, this.aclSummary.getRolesAccessInfo().get(str4));
                    if (lookupAccess != null) {
                        break;
                    }
                }
            }
        }
        return lookupAccess;
    }

    private Integer lookupAccess(String str, String str2, Map<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> map) {
        Integer num = null;
        if (map != null) {
            if (str2.equals(RangerPolicyEngine.ANY_ACCESS)) {
                num = getAccessResultForAnyAccess(map);
            } else {
                RangerPolicyEvaluator.PolicyACLSummary.AccessResult accessResult = map.get(str2);
                if (accessResult != null) {
                    if (accessResult.getResult() == RangerPolicyEvaluator.ACCESS_CONDITIONAL.intValue()) {
                        LOG.error("Access should not be conditional at this point! user=[" + str + "], accessType=[" + str2 + "]");
                    } else {
                        num = Integer.valueOf(accessResult.getResult());
                    }
                }
            }
        }
        return num;
    }

    private Integer getAccessResultForAnyAccess(Map<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> map) {
        int i = 0;
        int i2 = 0;
        Iterator<Map.Entry<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult>> it = map.entrySet().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            Map.Entry<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> next = it.next();
            if (!StringUtils.equals(next.getKey(), RangerPolicyEngine.ADMIN_ACCESS)) {
                RangerPolicyEvaluator.PolicyACLSummary.AccessResult value = next.getValue();
                if (value.getResult() == RangerPolicyEvaluator.ACCESS_ALLOWED.intValue()) {
                    i = 0 + 1;
                    break;
                }
                if (value.getResult() == RangerPolicyEvaluator.ACCESS_DENIED.intValue()) {
                    i2++;
                }
            }
        }
        return i > 0 ? RangerPolicyEvaluator.ACCESS_ALLOWED : i2 == getServiceDef().getAccessTypes().size() ? RangerPolicyEvaluator.ACCESS_DENIED : null;
    }

    protected RangerPolicyItemEvaluator getDeterminingPolicyItem(String str, Set<String> set, Set<String> set2, String str2, String str3) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + str + ", " + set + ", " + set2 + ", " + str2 + ", " + str3 + ")");
        }
        RangerPolicyItemEvaluator matchingPolicyItem = getMatchingPolicyItem(str, set, set2, str2, str3, this.denyEvaluators, this.denyExceptionEvaluators);
        if (matchingPolicyItem == null) {
            matchingPolicyItem = getMatchingPolicyItem(str, set, set2, str2, str3, this.allowEvaluators, this.allowExceptionEvaluators);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + str + ", " + set + ", " + set2 + ", " + str2 + ", " + str3 + "): " + matchingPolicyItem);
        }
        return matchingPolicyItem;
    }

    private void getResourceAccessInfo(RangerAccessRequest rangerAccessRequest, List<? extends RangerPolicyItemEvaluator> list, Set<String> set, Set<String> set2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + rangerAccessRequest + ", " + list + ", " + set + ", " + set2 + ")");
        }
        if (CollectionUtils.isNotEmpty(list)) {
            for (RangerPolicyItemEvaluator rangerPolicyItemEvaluator : list) {
                if (rangerPolicyItemEvaluator.matchAccessType(rangerAccessRequest.getAccessType()) && rangerPolicyItemEvaluator.matchCustomConditions(rangerAccessRequest)) {
                    if (CollectionUtils.isNotEmpty(rangerPolicyItemEvaluator.getPolicyItem().getUsers())) {
                        set.addAll(rangerPolicyItemEvaluator.getPolicyItem().getUsers());
                    }
                    if (CollectionUtils.isNotEmpty(rangerPolicyItemEvaluator.getPolicyItem().getGroups())) {
                        set2.addAll(rangerPolicyItemEvaluator.getPolicyItem().getGroups());
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + rangerAccessRequest + ", " + list + ", " + set + ", " + set2 + ")");
        }
    }

    protected boolean isMatch(RangerPolicy rangerPolicy, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + rangerPolicy.getId() + ", " + map + ")");
        }
        boolean isMatch = isMatch(rangerPolicy.getResources(), map);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + rangerPolicy.getId() + ", " + map + "): " + isMatch);
        }
        return isMatch;
    }

    protected boolean isMatch(Map<String, RangerPolicy.RangerPolicyResource> map, Map<String, Object> map2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + map + ", " + map2 + ")");
        }
        boolean z = false;
        Iterator<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> it = getResourceEvaluators().iterator();
        while (it.hasNext()) {
            RangerPolicyResourceMatcher policyResourceMatcher = it.next().getPolicyResourceMatcher();
            z = policyResourceMatcher != null && policyResourceMatcher.isMatch(map, map2);
            if (z) {
                break;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + map + ", " + map2 + "): " + z);
        }
        return z;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAccessAllowed(String str, Set<String> set, Set<String> set2, String str2, String str3) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + str + ", " + set + ", " + set2 + ", " + str2 + ", " + str3 + ")");
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isAccessAllowed(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + "," + this.perfTag + ")");
        }
        if (this.useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType().intValue() == 0)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getPolicyId() + "]");
            }
            Integer lookupPolicyACLSummary = StringUtils.isEmpty(str3) ? null : lookupPolicyACLSummary(str, set, set2, str3);
            if (lookupPolicyACLSummary != null && lookupPolicyACLSummary.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) {
                z = true;
            }
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Using policyItemEvaluators for checking if access is allowed. PolicyId=[" + getPolicyId() + "]");
            }
            RangerPolicyItemEvaluator determiningPolicyItem = getDeterminingPolicyItem(str, set, set2, str2, str3);
            if (determiningPolicyItem != null && determiningPolicyItem.getPolicyItemType() == 0) {
                z = true;
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + str + ", " + set + ", " + set2 + ", " + str2 + ", " + str3 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyevaluator.RangerAbstractPolicyEvaluator
    public StringBuilder toString(StringBuilder sb) {
        sb.append("RangerDefaultPolicyEvaluator={");
        super.toString(sb);
        Iterator<RangerPolicyEvaluator.RangerPolicyResourceEvaluator> it = getResourceEvaluators().iterator();
        while (it.hasNext()) {
            RangerPolicyResourceMatcher policyResourceMatcher = it.next().getPolicyResourceMatcher();
            sb.append("resourceMatcher={");
            if (policyResourceMatcher != null) {
                policyResourceMatcher.toString(sb);
            }
            sb.append("} ");
        }
        sb.append("}");
        return sb;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void preprocessPolicy(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef) {
        Map<String, Collection<String>> impliedAccessGrants;
        if (rangerPolicy != null) {
            if ((!hasAllow() && !hasDeny()) || rangerServiceDef == null || (impliedAccessGrants = getImpliedAccessGrants(rangerServiceDef)) == null || impliedAccessGrants.isEmpty()) {
                return;
            }
            preprocessPolicyItems(rangerPolicy.getPolicyItems(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getDenyPolicyItems(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getAllowExceptions(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getDenyExceptions(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getDataMaskPolicyItems(), impliedAccessGrants);
            preprocessPolicyItems(rangerPolicy.getRowFilterPolicyItems(), impliedAccessGrants);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void preprocessPolicyItems(List<? extends RangerPolicy.RangerPolicyItem> list, Map<String, Collection<String>> map) {
        for (RangerPolicy.RangerPolicyItem rangerPolicyItem : list) {
            if (!CollectionUtils.isEmpty(rangerPolicyItem.getAccesses())) {
                for (Map.Entry<String, Collection<String>> entry : map.entrySet()) {
                    String key = entry.getKey();
                    Collection<String> value = entry.getValue();
                    RangerPolicy.RangerPolicyItemAccess access = getAccess(rangerPolicyItem, key);
                    if (access != null) {
                        for (String str : value) {
                            RangerPolicy.RangerPolicyItemAccess access2 = getAccess(rangerPolicyItem, str);
                            if (access2 == null) {
                                rangerPolicyItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(str, access.getIsAllowed()));
                            } else if (!access2.getIsAllowed().booleanValue()) {
                                access2.setIsAllowed(access.getIsAllowed());
                            }
                        }
                    }
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Map<String, Collection<String>> getImpliedAccessGrants(RangerServiceDef rangerServiceDef) {
        HashMap hashMap = null;
        if (rangerServiceDef != null && !CollectionUtils.isEmpty(rangerServiceDef.getAccessTypes())) {
            for (RangerServiceDef.RangerAccessTypeDef rangerAccessTypeDef : rangerServiceDef.getAccessTypes()) {
                if (!CollectionUtils.isEmpty(rangerAccessTypeDef.getImpliedGrants())) {
                    if (hashMap == null) {
                        hashMap = new HashMap();
                    }
                    Collection<String> collection = hashMap.get(rangerAccessTypeDef.getName());
                    if (collection == null) {
                        collection = new HashSet();
                        hashMap.put(rangerAccessTypeDef.getName(), collection);
                    }
                    collection.addAll(rangerAccessTypeDef.getImpliedGrants());
                }
            }
        }
        return hashMap;
    }

    private RangerPolicy.RangerPolicyItemAccess getAccess(RangerPolicy.RangerPolicyItem rangerPolicyItem, String str) {
        RangerPolicy.RangerPolicyItemAccess rangerPolicyItemAccess = null;
        if (rangerPolicyItem != null && CollectionUtils.isNotEmpty(rangerPolicyItem.getAccesses())) {
            Iterator<RangerPolicy.RangerPolicyItemAccess> it = rangerPolicyItem.getAccesses().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                RangerPolicy.RangerPolicyItemAccess next = it.next();
                if (next != null && StringUtils.equalsIgnoreCase(next.getType(), str)) {
                    rangerPolicyItemAccess = next;
                    break;
                }
            }
        }
        return rangerPolicyItemAccess;
    }

    private List<RangerValidityScheduleEvaluator> createValidityScheduleEvaluators(RangerPolicy rangerPolicy) {
        List<RangerValidityScheduleEvaluator> emptyList;
        if (CollectionUtils.isNotEmpty(rangerPolicy.getValiditySchedules())) {
            emptyList = new ArrayList();
            Iterator<RangerValiditySchedule> it = rangerPolicy.getValiditySchedules().iterator();
            while (it.hasNext()) {
                emptyList.add(new RangerValidityScheduleEvaluator(it.next()));
            }
        } else {
            emptyList = Collections.emptyList();
        }
        return emptyList;
    }

    private List<RangerPolicyItemEvaluator> createPolicyItemEvaluators(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions, int i) {
        List<RangerPolicyItemEvaluator> emptyList;
        List<RangerPolicy.RangerPolicyItem> list = null;
        if (isPolicyItemTypeEnabled(rangerServiceDef, i)) {
            if (i == 0) {
                list = rangerPolicy.getPolicyItems();
            } else if (i == 1) {
                list = rangerPolicy.getDenyPolicyItems();
            } else if (i == 2) {
                list = rangerPolicy.getAllowExceptions();
            } else if (i == 3) {
                list = rangerPolicy.getDenyExceptions();
            }
        }
        if (CollectionUtils.isNotEmpty(list)) {
            emptyList = new ArrayList();
            int i2 = 1;
            Iterator<RangerPolicy.RangerPolicyItem> it = list.iterator();
            while (it.hasNext()) {
                int i3 = i2;
                i2++;
                RangerDefaultPolicyItemEvaluator rangerDefaultPolicyItemEvaluator = new RangerDefaultPolicyItemEvaluator(rangerServiceDef, rangerPolicy, it.next(), i, i3, rangerPolicyEngineOptions);
                rangerDefaultPolicyItemEvaluator.init();
                emptyList.add(rangerDefaultPolicyItemEvaluator);
                if (CollectionUtils.isNotEmpty(rangerDefaultPolicyItemEvaluator.getConditionEvaluators())) {
                    this.customConditionsCount += rangerDefaultPolicyItemEvaluator.getConditionEvaluators().size();
                }
            }
        } else {
            emptyList = Collections.emptyList();
        }
        return emptyList;
    }

    private List<RangerDataMaskPolicyItemEvaluator> createDataMaskPolicyItemEvaluators(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions, List<RangerPolicy.RangerDataMaskPolicyItem> list) {
        List<RangerDataMaskPolicyItemEvaluator> emptyList;
        if (CollectionUtils.isNotEmpty(list)) {
            emptyList = new ArrayList();
            int i = 1;
            Iterator<RangerPolicy.RangerDataMaskPolicyItem> it = list.iterator();
            while (it.hasNext()) {
                int i2 = i;
                i++;
                RangerDefaultDataMaskPolicyItemEvaluator rangerDefaultDataMaskPolicyItemEvaluator = new RangerDefaultDataMaskPolicyItemEvaluator(rangerServiceDef, rangerPolicy, it.next(), i2, rangerPolicyEngineOptions);
                rangerDefaultDataMaskPolicyItemEvaluator.init();
                emptyList.add(rangerDefaultDataMaskPolicyItemEvaluator);
                if (CollectionUtils.isNotEmpty(rangerDefaultDataMaskPolicyItemEvaluator.getConditionEvaluators())) {
                    this.customConditionsCount += rangerDefaultDataMaskPolicyItemEvaluator.getConditionEvaluators().size();
                }
            }
        } else {
            emptyList = Collections.emptyList();
        }
        return emptyList;
    }

    private List<RangerRowFilterPolicyItemEvaluator> createRowFilterPolicyItemEvaluators(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions, List<RangerPolicy.RangerRowFilterPolicyItem> list) {
        List<RangerRowFilterPolicyItemEvaluator> emptyList;
        if (CollectionUtils.isNotEmpty(list)) {
            emptyList = new ArrayList();
            int i = 1;
            Iterator<RangerPolicy.RangerRowFilterPolicyItem> it = list.iterator();
            while (it.hasNext()) {
                int i2 = i;
                i++;
                RangerDefaultRowFilterPolicyItemEvaluator rangerDefaultRowFilterPolicyItemEvaluator = new RangerDefaultRowFilterPolicyItemEvaluator(rangerServiceDef, rangerPolicy, it.next(), i2, rangerPolicyEngineOptions);
                rangerDefaultRowFilterPolicyItemEvaluator.init();
                emptyList.add(rangerDefaultRowFilterPolicyItemEvaluator);
                if (CollectionUtils.isNotEmpty(rangerDefaultRowFilterPolicyItemEvaluator.getConditionEvaluators())) {
                    this.customConditionsCount += rangerDefaultRowFilterPolicyItemEvaluator.getConditionEvaluators().size();
                }
            }
        } else {
            emptyList = Collections.emptyList();
        }
        return emptyList;
    }

    private boolean isPolicyItemTypeEnabled(RangerServiceDef rangerServiceDef, int i) {
        boolean z = true;
        if (i == 1 || i == 2 || i == 3) {
            z = ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(rangerServiceDef, this.pluginContext);
        }
        return z;
    }

    private static boolean hasNonPublicGroupOrConditions(List<RangerPolicy.RangerPolicyItem> list) {
        boolean z = false;
        Iterator<RangerPolicy.RangerPolicyItem> it = list.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            RangerPolicy.RangerPolicyItem next = it.next();
            if (!CollectionUtils.isNotEmpty(next.getConditions())) {
                List<String> groups = next.getGroups();
                if (CollectionUtils.isNotEmpty(groups) && !groups.contains(RangerPolicyEngine.GROUP_PUBLIC)) {
                    z = true;
                    break;
                }
            } else {
                z = true;
                break;
            }
        }
        return z;
    }

    protected RangerPolicyItemEvaluator getMatchingPolicyItem(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        RangerPolicyItemEvaluator rangerPolicyItemEvaluator = null;
        Integer policyType = getPolicy().getPolicyType();
        if (policyType == null) {
            policyType = 0;
        }
        switch (policyType.intValue()) {
            case 0:
                rangerPolicyItemEvaluator = getMatchingPolicyItemForAccessPolicyForSpecificAccess(rangerAccessRequest, rangerAccessResult);
                break;
            case 1:
                rangerPolicyItemEvaluator = getMatchingPolicyItem(rangerAccessRequest, this.dataMaskEvaluators);
                break;
            case 2:
                rangerPolicyItemEvaluator = getMatchingPolicyItem(rangerAccessRequest, this.rowFilterEvaluators);
                break;
        }
        return rangerPolicyItemEvaluator;
    }

    protected RangerPolicyItemEvaluator getMatchingPolicyItemForAccessPolicyForSpecificAccess(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        RangerPolicyItemEvaluator matchingPolicyItem = getMatchingPolicyItem(rangerAccessRequest, this.denyEvaluators, this.denyExceptionEvaluators);
        if (matchingPolicyItem == null && !rangerAccessResult.getIsAccessDetermined()) {
            matchingPolicyItem = getMatchingPolicyItem(rangerAccessRequest, this.allowEvaluators, this.allowExceptionEvaluators);
        }
        return matchingPolicyItem;
    }

    protected <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(RangerAccessRequest rangerAccessRequest, List<T> list) {
        return (T) getMatchingPolicyItem(rangerAccessRequest, list, null);
    }

    private <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(RangerAccessRequest rangerAccessRequest, List<T> list, List<T> list2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + rangerAccessRequest + ")");
        }
        T t = null;
        if (CollectionUtils.isNotEmpty(list)) {
            Iterator<T> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                T next = it.next();
                if (next.isMatch(rangerAccessRequest)) {
                    t = next;
                    break;
                }
            }
        }
        if (t != null && CollectionUtils.isNotEmpty(list2)) {
            Iterator<T> it2 = list2.iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                T next2 = it2.next();
                if (next2.isMatch(rangerAccessRequest)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + rangerAccessRequest + "): found exception policyItem(" + next2.getPolicyItem() + "); ignoring the matchedPolicyItem(" + t.getPolicyItem() + ")");
                    }
                    t = null;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + rangerAccessRequest + "): " + t);
        }
        return t;
    }

    private <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(String str, Set<String> set, Set<String> set2, String str2, String str3, List<T> list, List<T> list2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + str + ", " + set + ", " + set2 + ", " + str2 + ", " + str3 + ")");
        }
        T t = null;
        if (CollectionUtils.isNotEmpty(list)) {
            Iterator<T> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                T next = it.next();
                if (next.matchUserGroupAndOwner(str, set, set2, str2) && next.matchAccessType(str3)) {
                    t = next;
                    break;
                }
            }
        }
        if (t != null && CollectionUtils.isNotEmpty(list2)) {
            Iterator<T> it2 = list2.iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                T next2 = it2.next();
                if (next2.matchUserGroupAndOwner(str, set, set2, str2) && next2.matchAccessType(str3)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + str + ", " + set + ", " + str3 + "): found exception policyItem(" + next2.getPolicyItem() + "); ignoring the matchedPolicyItem(" + t.getPolicyItem() + ")");
                    }
                    t = null;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + str + ", " + set + ", " + set2 + ", " + str2 + ", " + str3 + "): " + t);
        }
        return t;
    }

    private boolean matchPolicyCustomConditions(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerDefaultPolicyEvaluator.matchPolicyCustomConditions(" + rangerAccessRequest + ")");
        }
        boolean z = true;
        if (CollectionUtils.isNotEmpty(this.conditionEvaluators)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerDefaultPolicyEvaluator.matchPolicyCustomConditions(): conditionCount=" + this.conditionEvaluators.size());
            }
            Iterator<RangerConditionEvaluator> it = this.conditionEvaluators.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                RangerConditionEvaluator next = it.next();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("evaluating condition: " + next);
                }
                RangerPerfTracer rangerPerfTracer = null;
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_REQUEST_LOG)) {
                    String str = null;
                    if (next instanceof RangerAbstractConditionEvaluator) {
                        str = ((RangerAbstractConditionEvaluator) next).getPolicyItemCondition().getType();
                    }
                    rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchPolicyCustomConditions(policyId=" + getPolicyId() + ",policyConditionType=" + str + ")");
                }
                boolean isMatched = next.isMatched(rangerAccessRequest);
                RangerPerfTracer.log(rangerPerfTracer);
                if (!isMatched) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug(next + " returned false");
                    }
                    z = false;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerDefaultPolicyEvaluator.matchCustomConditions(" + rangerAccessRequest + "): " + z);
        }
        return z;
    }

    private List<RangerConditionEvaluator> createRangerPolicyConditionEvaluator(RangerPolicy rangerPolicy, RangerServiceDef rangerServiceDef, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
        List<RangerConditionEvaluator> rangerPolicyConditionEvaluator = new RangerCustomConditionEvaluator().getRangerPolicyConditionEvaluator(rangerPolicy, rangerServiceDef, rangerPolicyEngineOptions);
        if (rangerPolicyConditionEvaluator != null) {
            this.customConditionsCount += rangerPolicyConditionEvaluator.size();
        }
        return rangerPolicyConditionEvaluator;
    }
}
