package org.apache.ranger.authorization.hive.authorizer;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.class */
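/**
 * Collects the audit events produced while the Ranger Hive authorizer evaluates a statement
 * and writes them out in one go through {@link #flushAudit()}.
 *
 * <p>Behaviour a reader of the resulting audit trail should know about:
 * <ul>
 *   <li>Once any denied event has been buffered, {@link #flushAudit()} writes only the denied
 *       events; allowed events buffered by the same handler are not written.</li>
 *   <li>{@link #processResult(RangerAccessResult)} does not audit a denied
 *       {@code "METADATA OPERATION"} result at all.</li>
 *   <li>The request text copied into an event is cut to {@code requestQuerySize} characters.
 *       The default is {@link Integer#MAX_VALUE}, i.e. effectively uncapped, so whatever
 *       literals the request text carries end up in the audit store unless the limit is
 *       configured.</li>
 * </ul>
 *
 * <p>The event buffer is a plain {@link ArrayList} and {@code deniedExists} is a plain field;
 * nothing in this class synchronizes access to them. NOTE(review): presumably one handler
 * instance is used per authorization call - confirm against the caller.
 */
public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
    public static final String ACCESS_TYPE_ROWFILTER = "ROW_FILTER";
    public static final String ACCESS_TYPE_INSERT = "INSERT";
    public static final String ACCESS_TYPE_UPDATE = "UPDATE";
    public static final String ACCESS_TYPE_DELETE = "DELETE";
    public static final String ACCESS_TYPE_TRUNCATE = "TRUNCATE";
    public static final String ACTION_TYPE_METADATA_OPERATION = "METADATA OPERATION";
    public static final String URL_RESOURCE_TYPE = "url";

    /** Configuration key for the maximum number of request-text characters kept in an event. */
    public static final String CONF_AUDIT_QUERY_REQUEST_SIZE = "xasecure.audit.solr.limit.query.req.size";

    /** Default for {@link #CONF_AUDIT_QUERY_REQUEST_SIZE}; large enough that nothing is cut. */
    public static final int DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE = Integer.MAX_VALUE;

    // Policy-type codes as compared in createAuditEvent(RangerAccessResult). The code pairs 1 with
    // a mask type and 2 with ROW_FILTER; 0 is the branch that records a plain access type.
    // NOTE(review): presumably these mirror Ranger's own policy-type constants - confirm.
    private static final int POLICY_TYPE_ACCESS = 0;
    private static final int POLICY_TYPE_DATAMASK = 1;
    private static final int POLICY_TYPE_ROWFILTER = 2;

    // logAuditEventForDfs() stores 1 for "granted" and 0 otherwise, so 0 is the denied result.
    private static final int ACCESS_RESULT_DENIED = 0;

    private final int requestQuerySize;
    private final Collection<AuthzAuditEvent> auditEvents;
    private boolean deniedExists;

    // NOTE(review): the logger is registered under the parent class, so this handler's debug
    // output appears in the RangerDefaultAuditHandler category. Left as-is because changing the
    // category would silently move log lines for existing logging configurations.
    private static final Logger LOG = LoggerFactory.getLogger(RangerDefaultAuditHandler.class);

    /** Names of the role-management operations whose action name is recorded as the access type. */
    private static final Set<String> ROLE_OPS;

    static {
        Set<String> roleOps = new HashSet<>();
        for (HiveOperationType op : EnumSet.of(
                HiveOperationType.CREATEROLE,
                HiveOperationType.DROPROLE,
                HiveOperationType.SHOW_ROLES,
                HiveOperationType.SHOW_ROLE_GRANT,
                HiveOperationType.SHOW_ROLE_PRINCIPALS,
                HiveOperationType.GRANT_ROLE,
                HiveOperationType.REVOKE_ROLE)) {
            roleOps.add(op.name());
        }
        // Read-only after class initialization; nothing in this class mutates it afterwards.
        ROLE_OPS = Collections.unmodifiableSet(roleOps);
    }

    /** Creates a handler that keeps request text at the default (effectively uncapped) size. */
    public RangerHiveAuditHandler() {
        this.auditEvents = new ArrayList<>();
        this.deniedExists = false;
        this.requestQuerySize = DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE;
    }

    /**
     * Creates a handler whose request-text limit is read from {@code configuration}.
     *
     * @param configuration source of {@link #CONF_AUDIT_QUERY_REQUEST_SIZE}; a value below 1 is
     *                      replaced by the default rather than rejected
     */
    public RangerHiveAuditHandler(Configuration configuration) {
        super(configuration);
        this.auditEvents = new ArrayList<>();
        this.deniedExists = false;
        int configured = configuration.getInt(CONF_AUDIT_QUERY_REQUEST_SIZE, DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE);
        this.requestQuerySize = configured < 1 ? DEFAULT_CONF_AUDIT_QUERY_REQUEST_SIZE : configured;
    }

    /**
     * Builds one audit event for {@code result} with an explicit access type and resource path.
     *
     * <p>The supplied values are starting points; several cases overwrite them:
     * <ul>
     *   <li>a resource whose leaf name is {@code "url"} takes its path from the resource's
     *       {@code "url"} value;</li>
     *   <li>{@code REPLADMIN} requests record the first two words of the request text as the
     *       access type;</li>
     *   <li>{@code SERVICEADMIN} requests record the request text as the access type; for
     *       {@code KILL_QUERY} the access type is the first two words and the event's request
     *       data is replaced by {@code "QUERY ID = <third word>"};</li>
     *   <li>role operations on a {@code GLOBAL} object record the action name.</li>
     * </ul>
     *
     * @param result       evaluated access result
     * @param accessType   access-type label to record unless one of the cases above applies
     * @param resourcePath resource path to record unless the resource is a URL resource
     * @return the populated event, or {@code null} when the result carries no request or the
     *         parent handler produced no event
     */
    AuthzAuditEvent createAuditEvent(RangerAccessResult result, String accessType, String resourcePath) {
        RangerAccessRequest request = result.getAccessRequest();
        if (request == null) {
            // skipFilterOperationAuditing() already treats a missing request as possible;
            // without this guard the audit path would fail with a NullPointerException.
            return null;
        }
        RangerAccessResource resource = request.getResource();
        String resourceType = resource != null ? resource.getLeafName() : null;

        AuthzAuditEvent auditEvent = super.getAuthzEvents(result);
        if (auditEvent == null) {
            // NOTE(review): whether the parent can return null is not visible in this file;
            // callers of both createAuditEvent overloads already cope with a null event.
            return null;
        }

        String path = resourcePath;
        if (URL_RESOURCE_TYPE.equals(resourceType)) {
            path = getURLPathString(resource, path);
        }

        LOG.debug("requestQuerySize = {}", requestQuerySize);

        // Keep only the configured prefix of the request text. A reviewer of the audit record
        // sees nothing past the cut, so the limit is a trade-off between exposure and detail.
        String fullRequestData = request.getRequestData();
        String auditedRequestData = fullRequestData;
        if (StringUtils.isNotBlank(fullRequestData) && fullRequestData.length() > requestQuerySize) {
            auditedRequestData = fullRequestData.substring(0, requestQuerySize);
        }
        auditEvent.setRequestData(auditedRequestData);
        auditEvent.setAccessType(accessType);
        auditEvent.setResourcePath(path);
        // A missing resource yields the literal type "@null"; kept as the original behaviour.
        auditEvent.setResourceType("@" + resourceType);

        if ((request instanceof RangerHiveAccessRequest) && (resource instanceof RangerHiveResource)) {
            RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) request;
            RangerHiveResource hiveResource = (RangerHiveResource) resource;
            HiveAccessType hiveAccessType = hiveRequest.getHiveAccessType();

            if (hiveAccessType == HiveAccessType.USE
                    && hiveResource.getObjectType() == HiveObjectType.DATABASE
                    && StringUtils.isBlank(hiveResource.getDatabase())) {
                // USE with no database named: drop the tags on the event.
                auditEvent.setTags((Set<String>) null);
            }
            if (hiveAccessType == HiveAccessType.REPLADMIN) {
                auditEvent.setAccessType(getReplCmd(fullRequestData));
            }
            if (hiveAccessType == HiveAccessType.SERVICEADMIN) {
                // For actions other than KILL_QUERY the whole, uncut request text becomes the
                // access type (and may be null).
                String serviceAdminAccessType = fullRequestData;
                if (HiveOperationType.KILL_QUERY.name().equalsIgnoreCase(request.getAction())) {
                    // getServiceAdminQueryId() always returns at least "QUERY ID = ", so this
                    // replaces the request data for every KILL_QUERY event.
                    String queryId = getServiceAdminQueryId(fullRequestData);
                    if (!StringUtils.isEmpty(queryId)) {
                        auditEvent.setRequestData(queryId);
                    }
                    serviceAdminAccessType = getServiceAdminCmd(fullRequestData);
                    if (StringUtils.isEmpty(serviceAdminAccessType)) {
                        serviceAdminAccessType = hiveAccessType.name();
                    }
                }
                auditEvent.setAccessType(serviceAdminAccessType);
            }

            String action = request.getAction();
            if (hiveResource.getObjectType() == HiveObjectType.GLOBAL && ROLE_OPS.contains(action)) {
                auditEvent.setAccessType(action);
            }
        }
        return auditEvent;
    }

    /**
     * Builds the audit event for {@code result}, choosing the access-type label from the policy
     * type that produced the result.
     *
     * <p>For an {@code UPDATE} access the label is refined from the leading keyword of the
     * request text. This is a prefix match on the text as received: leading whitespace or a
     * leading comment defeats it and the label stays {@code UPDATE}. The label is descriptive
     * only; nothing in this method takes an authorization decision.
     *
     * @param result evaluated access result
     * @return the event, or {@code null} when the result has no request, the policy type is
     *         not one of the three handled here, or a masking result has no mask enabled
     */
    AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
        RangerAccessRequest request = result.getAccessRequest();
        if (request == null) {
            return null;
        }
        RangerAccessResource resource = request.getResource();
        String resourcePath = resource != null ? resource.getAsString() : null;
        int policyType = result.getPolicyType();

        if (policyType == POLICY_TYPE_DATAMASK && result.isMaskEnabled()) {
            return createAuditEvent(result, result.getMaskType(), resourcePath);
        }
        if (policyType == POLICY_TYPE_ROWFILTER) {
            return createAuditEvent(result, ACCESS_TYPE_ROWFILTER, resourcePath);
        }
        if (policyType != POLICY_TYPE_ACCESS) {
            return null;
        }

        String accessType = null;
        if (request instanceof RangerHiveAccessRequest) {
            RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) request;
            accessType = hiveRequest.getHiveAccessType().toString();
            if (ACTION_TYPE_METADATA_OPERATION.equals(request.getAction())) {
                accessType = ACTION_TYPE_METADATA_OPERATION;
            } else if (HiveAccessType.UPDATE.toString().equalsIgnoreCase(accessType)) {
                accessType = refineUpdateAccessType(request.getRequestData(), accessType);
            }
        }
        if (StringUtils.isEmpty(accessType)) {
            accessType = request.getAccessType();
        }
        return createAuditEvent(result, accessType, resourcePath);
    }

    /**
     * Maps the leading keyword of {@code requestData} to INSERT, UPDATE, DELETE or TRUNCATE.
     *
     * @return the matching label, or {@code fallback} when the text is blank or starts with
     *         none of the four keywords
     */
    private String refineUpdateAccessType(String requestData, String fallback) {
        if (StringUtils.isNotBlank(requestData)) {
            String[] keywords = {ACCESS_TYPE_INSERT, ACCESS_TYPE_UPDATE, ACCESS_TYPE_DELETE, ACCESS_TYPE_TRUNCATE};
            for (String keyword : keywords) {
                if (StringUtils.startsWithIgnoreCase(requestData, keyword)) {
                    return keyword;
                }
            }
        }
        return fallback;
    }

    /**
     * Condenses a batch of results into audit events.
     *
     * <p>Allowed, audited results are grouped by policy id: the first result for a policy
     * creates the event, later ones append {@code "," + column} to its resource path and add
     * their tags. The first denied, audited result that yields an event ends the scan, and that
     * single event is returned instead of the allowed ones.
     *
     * @param results results of one authorization call
     * @return the single denied event if there is one, otherwise one event per policy id (in
     *         {@link HashMap} iteration order)
     */
    List<AuthzAuditEvent> createAuditEvents(Collection<RangerAccessResult> results) {
        HashMap<Long, AuthzAuditEvent> eventsByPolicyId = new HashMap<>();
        AuthzAuditEvent deniedEvent = null;

        for (RangerAccessResult result : results) {
            if (!result.getIsAudited()) {
                continue;
            }
            if (!result.getIsAllowed()) {
                deniedEvent = createAuditEvent(result);
                if (deniedEvent != null) {
                    break;
                }
                continue;
            }

            Long policyId = Long.valueOf(result.getPolicyId());
            AuthzAuditEvent existing = eventsByPolicyId.get(policyId);
            if (!eventsByPolicyId.containsKey(policyId)) {
                AuthzAuditEvent created = createAuditEvent(result);
                if (created != null) {
                    eventsByPolicyId.put(policyId, created);
                }
                continue;
            }

            // NOTE(review): this branch assumes a Hive request with a non-null Hive resource;
            // anything else fails here rather than being skipped - confirm against the caller.
            RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) result.getAccessRequest();
            RangerHiveResource hiveResource = (RangerHiveResource) hiveRequest.getResource();
            existing.setResourcePath(existing.getResourcePath() + "," + hiveResource.getColumn());

            Set<String> tags = getTags(hiveRequest);
            if (tags != null) {
                Set<String> existingTags = existing.getTags();
                if (existingTags == null) {
                    // createAuditEvent() can set the tags to null; keep the new tags instead
                    // of failing on the merge and losing the event.
                    existing.setTags(new HashSet<>(tags));
                } else {
                    existingTags.addAll(tags);
                }
            }
        }

        if (deniedEvent != null) {
            return Collections.singletonList(deniedEvent);
        }
        return new ArrayList<>(eventsByPolicyId.values());
    }

    /**
     * Buffers the audit event for a single result.
     *
     * <p>Nothing is buffered when the result is not audited, when it is a denied
     * {@code "METADATA OPERATION"}, or when no event can be built for it.
     */
    public void processResult(RangerAccessResult result) {
        if (!result.getIsAudited() || skipFilterOperationAuditing(result)) {
            return;
        }
        // addAuthzAuditEvent() ignores a null event.
        addAuthzAuditEvent(createAuditEvent(result));
    }

    /**
     * Buffers the audit events for a batch of results, as condensed by
     * {@link #createAuditEvents(Collection)}.
     *
     * <p>NOTE(review): unlike {@link #processResult(RangerAccessResult)}, this path does not
     * apply the denied-metadata-operation skip - confirm that the difference is intended.
     */
    public void processResults(Collection<RangerAccessResult> results) {
        for (AuthzAuditEvent auditEvent : createAuditEvents(results)) {
            addAuthzAuditEvent(auditEvent);
        }
    }

    /**
     * Buffers an audit event for a DFS command.
     *
     * <p>{@code dfsCommand} is stored unmodified as both the request data and the resource
     * path; the request-size limit used for query text is not applied here. With debug logging
     * on, the whole event (user and command included) is written to the application log.
     *
     * @param userName       user recorded on the event
     * @param dfsCommand     command text, recorded as request data and resource path
     * @param accessGranted  {@code true} records access result 1, {@code false} records 0
     * @param repositoryType repository type recorded on the event
     * @param repositoryName repository name recorded on the event
     */
    public void logAuditEventForDfs(String userName, String dfsCommand, boolean accessGranted, int repositoryType, String repositoryName) {
        AuthzAuditEvent auditEvent = new AuthzAuditEvent();
        auditEvent.setAclEnforcer(this.moduleName);
        auditEvent.setResourceType("@dfs");
        auditEvent.setAccessType("DFS");
        auditEvent.setAction("DFS");
        auditEvent.setUser(userName);
        auditEvent.setAccessResult((short) (accessGranted ? 1 : 0));
        auditEvent.setEventTime(new Date());
        auditEvent.setRepositoryType(repositoryType);
        auditEvent.setRepositoryName(repositoryName);
        auditEvent.setRequestData(dfsCommand);
        auditEvent.setResourcePath(dfsCommand);

        LOG.debug("Logging DFS event {}", auditEvent);

        addAuthzAuditEvent(auditEvent);
    }

    /**
     * Writes the buffered events through the parent handler.
     *
     * <p>If any denied event was buffered, only denied events are written. The buffer is not
     * cleared, so a second call writes the same events again.
     */
    public void flushAudit() {
        for (AuthzAuditEvent auditEvent : this.auditEvents) {
            boolean denied = auditEvent.getAccessResult() == ACCESS_RESULT_DENIED;
            if (this.deniedExists && !denied) {
                continue;
            }
            super.logAuthzAudit(auditEvent);
        }
    }

    /** Buffers {@code auditEvent} (ignoring null) and remembers whether any event is a denial. */
    private void addAuthzAuditEvent(AuthzAuditEvent auditEvent) {
        if (auditEvent == null) {
            return;
        }
        this.auditEvents.add(auditEvent);
        if (auditEvent.getAccessResult() == ACCESS_RESULT_DENIED) {
            this.deniedExists = true;
        }
    }

    /** Splits trimmed request text on runs of whitespace; never returns an empty array. */
    private String[] tokenize(String requestData) {
        return requestData.trim().split("\\s+");
    }

    /**
     * Returns the first two words of a replication command, or {@code "REPL"} when the text is
     * null or has fewer than three words.
     */
    private String getReplCmd(String requestData) {
        if (requestData != null) {
            String[] words = tokenize(requestData);
            if (words.length > 2) {
                return words[0] + " " + words[1];
            }
        }
        return "REPL";
    }

    /**
     * Returns the first two words of a service-admin command, or {@code "SERVICE ADMIN"} when
     * the text is null or has fewer than two words.
     */
    private String getServiceAdminCmd(String requestData) {
        if (requestData != null) {
            String[] words = tokenize(requestData);
            if (words.length > 1) {
                return words[0] + " " + words[1];
            }
        }
        return "SERVICE ADMIN";
    }

    /**
     * Returns {@code "QUERY ID = "} followed by the third word of the command; the suffix is
     * empty when the text is null or has fewer than three words.
     */
    private String getServiceAdminQueryId(String requestData) {
        String label = "QUERY ID = ";
        if (requestData != null) {
            String[] words = tokenize(requestData);
            if (words.length > 2) {
                return label + words[2];
            }
        }
        return label;
    }

    /** Returns true for a denied {@code "METADATA OPERATION"} result, which is not audited. */
    private boolean skipFilterOperationAuditing(RangerAccessResult result) {
        RangerAccessRequest request = result.getAccessRequest();
        return request != null
                && ACTION_TYPE_METADATA_OPERATION.equals(request.getAction())
                && !result.getIsAllowed();
    }

    /**
     * Returns the first entry of the resource's {@code "url"} value when that value is a
     * non-empty list whose first entry is a string; otherwise returns {@code defaultPath}.
     */
    private String getURLPathString(RangerAccessResource resource, String defaultPath) {
        Object value = resource.getValue("url");
        if (value instanceof List) {
            List<?> urls = (List<?>) value;
            if (CollectionUtils.isNotEmpty(urls)) {
                Object first = urls.iterator().next();
                // Fall back to the caller's path instead of failing the audit on an
                // unexpected element type.
                if (first instanceof String) {
                    return (String) first;
                }
            }
        }
        return defaultPath;
    }
}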
