package org.apache.tez.common.security;

import com.google.common.annotations.VisibleForTesting;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.tez.dag.api.TezConfiguration;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/tez/common/security/ACLManager.class */
public class ACLManager {
    private static final Log LOG = LogFactory.getLog(ACLManager.class);
    public static final String WILDCARD_ACL_VALUE = "*";
    private final String dagUser;
    private final String amUser;
    private final Map<ACLType, Set<String>> users;
    private final Map<ACLType, Set<String>> groups;
    private final boolean aclsEnabled;

    public ACLManager(String str) {
        this(str, new Configuration(false));
    }

    public ACLManager(String str, Configuration configuration) {
        this.amUser = str;
        this.dagUser = null;
        this.users = new HashMap();
        this.groups = new HashMap();
        this.aclsEnabled = configuration.getBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, true);
        if (this.aclsEnabled) {
            ACLConfigurationParser aCLConfigurationParser = new ACLConfigurationParser(configuration);
            if (aCLConfigurationParser.getAllowedUsers() != null) {
                this.users.putAll(aCLConfigurationParser.getAllowedUsers());
            }
            if (aCLConfigurationParser.getAllowedGroups() != null) {
                this.groups.putAll(aCLConfigurationParser.getAllowedGroups());
            }
        }
    }

    public ACLManager(ACLManager aCLManager, String str, Configuration configuration) {
        this.amUser = aCLManager.amUser;
        this.dagUser = str;
        this.users = aCLManager.users;
        this.groups = aCLManager.groups;
        this.aclsEnabled = aCLManager.aclsEnabled;
        if (this.aclsEnabled) {
            ACLConfigurationParser aCLConfigurationParser = new ACLConfigurationParser(configuration, true);
            if (aCLConfigurationParser.getAllowedUsers() != null) {
                this.users.putAll(aCLConfigurationParser.getAllowedUsers());
            }
            if (aCLConfigurationParser.getAllowedGroups() != null) {
                this.groups.putAll(aCLConfigurationParser.getAllowedGroups());
            }
        }
    }

    public boolean isAclsEnabled() {
        return this.aclsEnabled;
    }

    @VisibleForTesting
    boolean checkAccess(UserGroupInformation userGroupInformation, ACLType aCLType) {
        Set<String> set;
        Set<String> set2;
        if (!this.aclsEnabled) {
            return true;
        }
        String shortUserName = userGroupInformation.getShortUserName();
        if (this.amUser.equals(shortUserName)) {
            return true;
        }
        if (EnumSet.of(ACLType.DAG_MODIFY_ACL, ACLType.DAG_VIEW_ACL).contains(aCLType) && this.dagUser != null && this.dagUser.equals(shortUserName)) {
            return true;
        }
        if (this.users != null && !this.users.isEmpty() && (set2 = this.users.get(aCLType)) != null && (set2.contains(WILDCARD_ACL_VALUE) || set2.contains(shortUserName))) {
            return true;
        }
        List asList = Arrays.asList(userGroupInformation.getGroupNames());
        if (asList == null || asList.isEmpty() || this.groups == null || this.groups.isEmpty() || (set = this.groups.get(aCLType)) == null) {
            return false;
        }
        Iterator it = asList.iterator();
        while (it.hasNext()) {
            if (set.contains((String) it.next())) {
                return true;
            }
        }
        return false;
    }

    public boolean checkAMViewAccess(UserGroupInformation userGroupInformation) {
        return checkAccess(userGroupInformation, ACLType.AM_VIEW_ACL);
    }

    public boolean checkAMModifyAccess(UserGroupInformation userGroupInformation) {
        return checkAccess(userGroupInformation, ACLType.AM_MODIFY_ACL);
    }

    public boolean checkDAGViewAccess(UserGroupInformation userGroupInformation) {
        return checkAccess(userGroupInformation, ACLType.AM_VIEW_ACL) || checkAccess(userGroupInformation, ACLType.DAG_VIEW_ACL);
    }

    public boolean checkDAGModifyAccess(UserGroupInformation userGroupInformation) {
        return checkAccess(userGroupInformation, ACLType.AM_MODIFY_ACL) || checkAccess(userGroupInformation, ACLType.DAG_MODIFY_ACL);
    }

    public Map<ApplicationAccessType, String> toYARNACls() {
        HashMap hashMap = new HashMap(2);
        if (!this.aclsEnabled) {
            hashMap.put(ApplicationAccessType.VIEW_APP, WILDCARD_ACL_VALUE);
            hashMap.put(ApplicationAccessType.MODIFY_APP, WILDCARD_ACL_VALUE);
            return hashMap;
        }
        hashMap.put(ApplicationAccessType.VIEW_APP, this.amUser);
        hashMap.put(ApplicationAccessType.MODIFY_APP, this.amUser);
        boolean z = false;
        boolean z2 = false;
        if (this.users != null && !this.users.isEmpty()) {
            for (Map.Entry<ACLType, Set<String>> entry : this.users.entrySet()) {
                if (entry.getKey().equals(ACLType.AM_VIEW_ACL)) {
                    if (entry.getValue().contains(WILDCARD_ACL_VALUE)) {
                        hashMap.put(ApplicationAccessType.VIEW_APP, WILDCARD_ACL_VALUE);
                        z = true;
                    } else if (!entry.getValue().isEmpty()) {
                        String str = (String) hashMap.get(ApplicationAccessType.VIEW_APP);
                        String commaSeparatedString = toCommaSeparatedString(entry.getValue());
                        if (!commaSeparatedString.isEmpty()) {
                            str = str + "," + commaSeparatedString;
                        }
                        hashMap.put(ApplicationAccessType.VIEW_APP, str);
                    }
                } else if (entry.getKey().equals(ACLType.AM_MODIFY_ACL)) {
                    if (entry.getValue().contains(WILDCARD_ACL_VALUE)) {
                        hashMap.put(ApplicationAccessType.MODIFY_APP, WILDCARD_ACL_VALUE);
                        z2 = true;
                    } else if (!entry.getValue().isEmpty()) {
                        String str2 = (String) hashMap.get(ApplicationAccessType.MODIFY_APP);
                        String commaSeparatedString2 = toCommaSeparatedString(entry.getValue());
                        if (!commaSeparatedString2.isEmpty()) {
                            str2 = str2 + "," + commaSeparatedString2;
                        }
                        hashMap.put(ApplicationAccessType.MODIFY_APP, str2);
                    }
                }
            }
        }
        if (this.groups != null && !this.groups.isEmpty()) {
            for (Map.Entry<ACLType, Set<String>> entry2 : this.groups.entrySet()) {
                if (entry2.getKey().equals(ACLType.AM_VIEW_ACL) && !z && !entry2.getValue().isEmpty()) {
                    hashMap.put(ApplicationAccessType.VIEW_APP, (hashMap.containsKey(ApplicationAccessType.VIEW_APP) ? (String) hashMap.get(ApplicationAccessType.VIEW_APP) : "") + " " + toCommaSeparatedString(entry2.getValue()));
                } else if (entry2.getKey().equals(ACLType.AM_MODIFY_ACL) && !z2 && !entry2.getValue().isEmpty()) {
                    hashMap.put(ApplicationAccessType.MODIFY_APP, (hashMap.containsKey(ApplicationAccessType.MODIFY_APP) ? (String) hashMap.get(ApplicationAccessType.MODIFY_APP) : "") + " " + toCommaSeparatedString(entry2.getValue()));
                }
            }
        }
        return hashMap;
    }

    public static String toCommaSeparatedString(Collection<String> collection) {
        StringBuilder sb = new StringBuilder();
        boolean z = true;
        for (String str : collection) {
            if (z) {
                z = false;
            } else {
                sb.append(",");
            }
            sb.append(str);
        }
        return sb.toString();
    }
}
