package org.apache.drill.exec.rpc.user;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.drill.common.exceptions.DrillRuntimeException;
import org.apache.drill.common.exceptions.UserException;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.proto.UserBitShared;
import org.apache.drill.exec.server.options.OptionManager;
import org.apache.drill.exec.server.options.OptionValue;
import org.apache.drill.exec.server.options.TypeValidators;
import org.apache.drill.exec.util.ImpersonationUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/drill/exec/rpc/user/InboundImpersonationManager.class */
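/**
 * Decides whether an authenticated "proxy" user may act as a different "target" user on a
 * session, based on a JSON policy string read from the session's options.
 *
 * <p>A policy string is a JSON array of objects. Each object names {@code proxy_principals}
 * and {@code target_principals}, and each of those holds a {@code users} set and a
 * {@code groups} set. Field names may be written without quotes. Constructed example:
 * <pre>
 * [ { proxy_principals : { users : ["svc_a"] }, target_principals : { groups : ["analysts"] } } ]
 * </pre>
 *
 * <p>Security-relevant rules visible in this class:
 * <ul>
 *   <li>{@code "*"} is honoured as a wildcard on the target side only; the option validator
 *       rejects it on the proxy side, so no policy can let "anyone" impersonate.</li>
 *   <li>User and group names are compared with exact, case-sensitive string equality.</li>
 *   <li>A policy string that parses but contains {@code null} where a list, policy or
 *       principal definition is expected is rejected with an {@link IOException} instead of
 *       surfacing later as a {@link NullPointerException} inside the authorization check.</li>
 * </ul>
 *
 * <p>NOTE(review): {@link #replaceUserOnSession} caches the parsed policies in two plain
 * instance fields without synchronization. If one instance serves several connection threads
 * (not visible from this file), a thread could pair a fresh {@code policiesString} with a stale
 * policy list. Confirm how instances are shared before relying on immediate policy revocation.
 */
public class InboundImpersonationManager {
    /** Wildcard entry; meaningful in {@code target_principals} only. */
    private static final String STAR = "*";
    private static final Logger logger = LoggerFactory.getLogger(InboundImpersonationManager.class);
    private static final ObjectMapper impersonationPolicyMapper = new ObjectMapper();

    static {
        // Accept and emit policy JSON with unquoted field names. No DeserializationFeature is
        // touched, so Jackson's stock handling of unknown keys applies (rejects them by default).
        impersonationPolicyMapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES, false);
        impersonationPolicyMapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);
    }

    /** Policies parsed from {@link #policiesString}; refreshed when the option text changes. */
    private List<ImpersonationPolicy> impersonationPolicies;
    /** The option text that {@link #impersonationPolicies} was parsed from. */
    private String policiesString;

    /**
     * One policy entry: who may impersonate ({@code proxy_principals}) and whom they may
     * impersonate ({@code target_principals}). Field names are the JSON keys and must not be
     * renamed.
     */
    public static class ImpersonationPolicy {
        public UserGroupDefinition proxy_principals = new UserGroupDefinition();
        public UserGroupDefinition target_principals = new UserGroupDefinition();

        private ImpersonationPolicy() {
        }
    }

    /**
     * Validates the impersonation policy option value before it is accepted: the text must
     * deserialize into well-formed policies and no proxy side may contain the wildcard.
     */
    public static class InboundImpersonationPolicyValidator extends TypeValidators.StringValidator {
        /**
         * @param str  forwarded unchanged to {@code StringValidator}
         * @param str2 forwarded unchanged to {@code StringValidator}; the third super argument
         *             is the literal {@code true} (its meaning is defined by that superclass)
         */
        public InboundImpersonationPolicyValidator(String str, String str2) {
            super(str, str2, true);
        }

        /**
         * Runs the superclass validation, then parses the value and rejects wildcard proxies.
         *
         * @throws UserException (validation error) if the text cannot be parsed into
         *         well-formed policies, or any {@code proxy_principals} lists {@code "*"}
         */
        @Override
        public void validate(OptionValue optionValue, OptionManager optionManager) {
            super.validate(optionValue, optionManager);

            final List<ImpersonationPolicy> parsed;
            try {
                parsed = InboundImpersonationManager.deserializeImpersonationPolicies(optionValue.string_val);
            } catch (IOException e) {
                throw UserException.validationError()
                        .message("Invalid impersonation policies.\nDetails: %s", e.getMessage())
                        .build(InboundImpersonationManager.logger);
            }

            for (ImpersonationPolicy policy : parsed) {
                final UserGroupDefinition proxies = policy.proxy_principals;
                // A wildcard proxy would authorize every authenticated user to impersonate.
                if (proxies.users.contains(STAR) || proxies.groups.contains(STAR)) {
                    throw UserException.validationError()
                            .message("Proxy principals cannot have a wildcard entry.")
                            .build(InboundImpersonationManager.logger);
                }
            }
        }
    }

    /**
     * A set of user names and a set of group names. Both default to empty sets when the JSON
     * omits them. Field names are the JSON keys and must not be renamed.
     */
    public static class UserGroupDefinition {
        public Set<String> users;
        public Set<String> groups;

        private UserGroupDefinition() {
            this.users = Sets.newHashSet();
            this.groups = Sets.newHashSet();
        }
    }

    /**
     * Parses a policy string into policy objects and checks that the result is structurally
     * complete.
     *
     * @param str JSON text of the policies
     * @return the parsed policies; never {@code null}, and no entry, principal definition or
     *         user/group set inside it is {@code null}
     * @throws IOException if the text is not valid policy JSON, or if it parses to
     *         {@code null} at a position where the authorization code dereferences it
     */
    public static List<ImpersonationPolicy> deserializeImpersonationPolicies(String str) throws IOException {
        final List<ImpersonationPolicy> policies =
                impersonationPolicyMapper.readValue(str, new TypeReference<List<ImpersonationPolicy>>() {
                });
        requireWellFormed(policies);
        return policies;
    }

    /** Rejects a parsed policy list that is null or holds a null or incomplete policy. */
    private static void requireWellFormed(List<ImpersonationPolicy> policies) throws IOException {
        if (policies == null) {
            throw new IOException("Impersonation policies cannot be null.");
        }
        for (ImpersonationPolicy policy : policies) {
            if (policy == null) {
                throw new IOException("Impersonation policy entries cannot be null.");
            }
            requireWellFormed("proxy_principals", policy.proxy_principals);
            requireWellFormed("target_principals", policy.target_principals);
        }
    }

    /** Rejects a principal definition that is null or whose users/groups set is null. */
    private static void requireWellFormed(String fieldName, UserGroupDefinition definition) throws IOException {
        if (definition == null || definition.users == null || definition.groups == null) {
            throw new IOException(
                    String.format("'%s' and its 'users' and 'groups' entries cannot be null.", fieldName));
        }
    }

    /**
     * Returns whether any policy lets {@code proxyName} impersonate {@code targetName}.
     *
     * <p>A policy applies when the proxy is listed by name or shares a group with the policy's
     * proxy groups, and the target is listed by name, shares a group with the policy's target
     * groups, or the target side carries the wildcard in either set. The proxy side is matched
     * without wildcard support.
     */
    private static boolean hasImpersonationPrivileges(String proxyName, String targetName,
                                                      List<ImpersonationPolicy> policies) {
        final Set<String> proxyGroups = Sets.newHashSet(ImpersonationUtil.createProxyUgi(proxyName).getGroupNames());
        final Set<String> targetGroups = Sets.newHashSet(ImpersonationUtil.createProxyUgi(targetName).getGroupNames());

        for (ImpersonationPolicy policy : policies) {
            final UserGroupDefinition proxies = policy.proxy_principals;
            final boolean proxyMatches = proxies.users.contains(proxyName)
                    || !Sets.intersection(proxies.groups, proxyGroups).isEmpty();
            if (!proxyMatches) {
                continue;
            }

            final UserGroupDefinition targets = policy.target_principals;
            final boolean targetMatches = targets.users.contains(targetName)
                    || targets.users.contains(STAR)
                    || !Sets.intersection(targets.groups, targetGroups).isEmpty()
                    || targets.groups.contains(STAR);
            if (targetMatches) {
                return true;
            }
        }
        return false;
    }

    /**
     * Test entry point: parses {@code str3} and evaluates it for the given pair of users.
     *
     * @param str  proxy user name
     * @param str2 target user name
     * @param str3 JSON text of the policies
     * @return {@code true} if some policy authorizes the impersonation
     * @throws IOException if {@code str3} is not well-formed policy JSON
     */
    @VisibleForTesting
    public static boolean hasImpersonationPrivileges(String str, String str2, String str3) throws IOException {
        return hasImpersonationPrivileges(str, str2, deserializeImpersonationPolicies(str3));
    }

    /**
     * Replaces the session's credentials with the target user, after checking that the
     * session's current user is authorized to impersonate that target.
     *
     * @param str         target user name to switch the session to
     * @param userSession session whose options supply the policy text and whose credentials
     *                    supply the proxy user name
     * @throws UserException (permission error) if no policy authorizes the impersonation
     * @throws DrillRuntimeException if the policy text from the session options fails to parse
     */
    public void replaceUserOnSession(String str, UserSession userSession) {
        final String currentPolicies = userSession.getOptions().getOption(ExecConstants.IMPERSONATION_POLICY_VALIDATOR);

        // Re-parse only when the option text differs from what the cached policies came from.
        if (!currentPolicies.equals(this.policiesString)) {
            try {
                this.impersonationPolicies = deserializeImpersonationPolicies(currentPolicies);
                this.policiesString = currentPolicies;
            } catch (IOException e) {
                // The text is expected to have passed the option validator already, so a
                // parse failure here is treated as an internal error and fails closed.
                logger.warn("Impersonation policies must have been validated.");
                throw new DrillRuntimeException("Failure while checking for impersonation policies.", e);
            }
        }

        final String proxyName = userSession.getCredentials().getUserName();
        if (!hasImpersonationPrivileges(proxyName, str, this.impersonationPolicies)) {
            throw UserException.permissionError()
                    .message("Proxy user '%s' is not authorized to impersonate target user '%s'.", proxyName, str)
                    .build(logger);
        }

        // Only reached once authorization succeeded.
        userSession.replaceUserCredentials(this, UserBitShared.UserCredentials.newBuilder().setUserName(str).build());
    }
}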
