package org.apache.hadoop.ozone.security.acl;

import java.util.Collection;
import java.util.Collections;
import java.util.Objects;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.ozone.om.BucketManager;
import org.apache.hadoop.ozone.om.KeyManager;
import org.apache.hadoop.ozone.om.PrefixManager;
import org.apache.hadoop.ozone.om.VolumeManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.ozone.security.acl.OzoneObj;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

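/**
 * Authorizer that evaluates Ozone's native ACLs by delegating to the volume,
 * bucket, key and prefix managers.
 *
 * <p>Decision order in {@link #checkAccess}: callers matched by the admin list
 * are allowed unconditionally; everyone else must pass the check on the
 * requested object and on each of its parents.
 *
 * <p>The managers and the admin collection are held by reference and are not
 * synchronized here; an instance created with the no-arg constructor must have
 * its managers set before {@link #checkAccess} is called.
 */
@InterfaceStability.Evolving
@InterfaceAudience.LimitedPrivate({"HDFS", "Yarn", "Ranger", "Hive", "HBase"})
public class OzoneNativeAuthorizer implements IAccessAuthorizer {
    private static final Logger LOG = LoggerFactory.getLogger(OzoneNativeAuthorizer.class);
    private VolumeManager volumeManager;
    private BucketManager bucketManager;
    private KeyManager keyManager;
    private PrefixManager prefixManager;
    // Names that bypass every ACL check; may be null, which means "no admins".
    private Collection<String> ozAdmins;

    /**
     * Creates an authorizer with no managers and no admin list. The setters
     * must be called before {@link #checkAccess}, which dereferences the
     * managers without a null check.
     */
    public OzoneNativeAuthorizer() {
    }

    /**
     * Creates a fully wired authorizer.
     *
     * @param volumeManager manager consulted for volume ACLs
     * @param bucketManager manager consulted for bucket ACLs
     * @param keyManager manager consulted for key ACLs
     * @param prefixManager manager consulted for prefix ACLs
     * @param collection admin names; stored by reference (not copied), so later
     *     changes made by the caller change who is treated as admin
     */
    public OzoneNativeAuthorizer(VolumeManager volumeManager, BucketManager bucketManager, KeyManager keyManager, PrefixManager prefixManager, Collection<String> collection) {
        this.volumeManager = volumeManager;
        this.bucketManager = bucketManager;
        this.keyManager = keyManager;
        this.prefixManager = prefixManager;
        this.ozAdmins = collection;
    }

    /**
     * Decides whether the caller in {@code requestContext} may perform the
     * requested ACL right on {@code iOzoneObj}.
     *
     * @param iOzoneObj object being accessed; must be an {@code OzoneObjInfo}
     * @param requestContext caller identity, address and requested right
     * @return {@code true} if access is granted, {@code false} otherwise
     * @throws OMException with {@code INVALID_REQUEST} if the object is not an
     *     {@code OzoneObjInfo} or has an unexpected resource type
     * @throws NullPointerException if either argument is null
     */
    public boolean checkAccess(IOzoneObj iOzoneObj, RequestContext requestContext) throws OMException {
        Objects.requireNonNull(iOzoneObj);
        Objects.requireNonNull(requestContext);
        boolean isCreate = requestContext.getAclRights() == IAccessAuthorizer.ACLType.CREATE;
        boolean isDelete = requestContext.getAclRights() == IAccessAuthorizer.ACLType.DELETE;
        if (!(iOzoneObj instanceof OzoneObjInfo)) {
            throw new OMException("Unexpected input received. OM native acls are configured to work with OzoneObjInfo type only.", OMException.ResultCodes.INVALID_REQUEST);
        }
        OzoneObj objInfo = (OzoneObjInfo) iOzoneObj;

        // Admins bypass every ACL check below, including the resource-type
        // validation in the switch.
        if (isAdmin(requestContext.getClientUgi())) {
            return true;
        }

        // LIST on the volume named "/" is the "list all volumes" request.
        boolean isListAllVolumes = requestContext.getAclRights() == IAccessAuthorizer.ACLType.LIST
                && objInfo.getVolumeName().equals("/");

        // CREATE and DELETE require WRITE on the parents; any other right is
        // checked on the parents unchanged.
        // NOTE(review): only the UGI, IP, ACL type and rights are copied; if
        // RequestContext carries further fields they are not propagated to the
        // parent checks. Confirm against RequestContext.
        RequestContext parentContext = requestContext;
        if (isCreate || isDelete) {
            parentContext = RequestContext.newBuilder()
                    .setClientUgi(requestContext.getClientUgi())
                    .setIp(requestContext.getIp())
                    .setAclType(requestContext.getAclType())
                    .setAclRights(IAccessAuthorizer.ACLType.WRITE)
                    .build();
        }

        // For CREATE the object's own check is skipped in every case below, so
        // the decision rests on the parent checks alone. The && chains keep the
        // evaluation order: object first, then parents from nearest to volume.
        switch (objInfo.getResourceType()) {
            case VOLUME:
                LOG.trace("Checking access for volume: {}", objInfo);
                // Non-admin callers can neither create a volume nor list all volumes.
                if (isCreate || isListAllVolumes) {
                    return false;
                }
                return this.volumeManager.checkAccess(objInfo, requestContext);
            case BUCKET:
                LOG.trace("Checking access for bucket: {}", objInfo);
                return (isCreate || this.bucketManager.checkAccess(objInfo, requestContext))
                        && this.volumeManager.checkAccess(objInfo, parentContext);
            case KEY:
                LOG.trace("Checking access for Key: {}", objInfo);
                return (isCreate || this.keyManager.checkAccess(objInfo, requestContext))
                        && this.prefixManager.checkAccess(objInfo, parentContext)
                        && this.bucketManager.checkAccess(objInfo, parentContext)
                        && this.volumeManager.checkAccess(objInfo, parentContext);
            case PREFIX:
                LOG.trace("Checking access for Prefix: {}", objInfo);
                return (isCreate || this.prefixManager.checkAccess(objInfo, requestContext))
                        && this.bucketManager.checkAccess(objInfo, parentContext)
                        && this.volumeManager.checkAccess(objInfo, parentContext);
            default:
                // Unknown resource types are rejected rather than allowed.
                throw new OMException("Unexpected object type:" + objInfo.getResourceType(), OMException.ResultCodes.INVALID_REQUEST);
        }
    }

    /** Sets the manager consulted for volume ACLs. */
    public void setVolumeManager(VolumeManager volumeManager) {
        this.volumeManager = volumeManager;
    }

    /** Sets the manager consulted for bucket ACLs. */
    public void setBucketManager(BucketManager bucketManager) {
        this.bucketManager = bucketManager;
    }

    /** Sets the manager consulted for key ACLs. */
    public void setKeyManager(KeyManager keyManager) {
        this.keyManager = keyManager;
    }

    /** Sets the manager consulted for prefix ACLs. */
    public void setPrefixManager(PrefixManager prefixManager) {
        this.prefixManager = prefixManager;
    }

    /**
     * Replaces the admin list. The collection is stored by reference, not
     * copied; an entry of {@code "*"} makes every caller an admin.
     *
     * @param collection admin names, or null for no admins
     */
    public void setOzoneAdmins(Collection<String> collection) {
        this.ozAdmins = collection;
    }

    /**
     * Returns a read-only view of the admin list.
     *
     * @return unmodifiable view of the configured admins, or an empty
     *     collection when none has been configured
     */
    public Collection<String> getOzoneAdmins() {
        // The no-arg constructor leaves ozAdmins null; wrapping null would throw.
        if (this.ozAdmins == null) {
            return Collections.emptyList();
        }
        return Collections.unmodifiableCollection(this.ozAdmins);
    }

    /**
     * Reports whether the caller is on the admin list.
     *
     * <p>A caller matches by short user name or by full user name, so an entry
     * written as a short name matches any identity with that short name. The
     * entry {@code "*"} matches every caller.
     *
     * @param callerUgi caller identity; not null-checked here
     * @return {@code true} if the caller is an admin; {@code false} if not or
     *     if no admin list is configured
     */
    private boolean isAdmin(UserGroupInformation callerUgi) {
        if (this.ozAdmins == null) {
            return false;
        }
        return this.ozAdmins.contains(callerUgi.getShortUserName())
                || this.ozAdmins.contains(callerUgi.getUserName())
                || this.ozAdmins.contains("*");
    }
}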
