package org.apache.hadoop.hdfs.server.namenode;

import io.hops.exception.StorageException;
import io.hops.exception.TransactionContextException;
import io.hops.metadata.hdfs.entity.ProjectedINode;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Stack;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.fs.UnresolvedLinkException;
import org.apache.hadoop.fs.permission.AclEntry;
import org.apache.hadoop.fs.permission.AclEntryScope;
import org.apache.hadoop.fs.permission.AclEntryType;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.StringUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.15-EE-RC0.jar:org/apache/hadoop/hdfs/server/namenode/FSPermissionChecker.class */
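/**
 * Evaluates permission-bit and ACL checks for a single caller identity.
 *
 * <p>The identity (short user name, group set and superuser flag) is captured once in the
 * constructor and is immutable afterwards.
 *
 * <p>The inode checks in this class ({@code checkPermission} on paths and inodes, and the
 * {@code check} overloads) never consult the superuser flag. Only
 * {@link #checkSuperuserPrivilege()} and {@link #checkPermission(CachePool, FsAction)} do, so any
 * superuser bypass for inode access has to be decided by the caller via {@link #isSuperUser()}.
 *
 * <p>Denial messages embed the inode's name or path, owner, group, mode and, where available, its
 * ACL entries. They are the message of the {@link AccessControlException} that is thrown, so they
 * should be treated as visible to whoever receives that exception.
 *
 * <p>The decompiler reports that several members marked {@code public} here were package-private
 * in the original class; the visibility shown on this page is kept as is.
 */
public class FSPermissionChecker {
    // NOTE(review): the logger is registered under UserGroupInformation rather than this class, so
    // the "ACCESS CHECK" debug lines follow that logger's configuration. Left as is because
    // renaming the logger would change which logging configuration applies.
    static final Log LOG = LogFactory.getLog(UserGroupInformation.class);
    private final String user;
    private final Set<String> groups;
    private final boolean isSuper;

    /** Renders {@code "name":owner:group:<d|->mode} for use in a denial message. */
    private static String toAccessControlString(INode iNode) throws StorageException, TransactionContextException, IOException {
        String kind = iNode.isDirectory() ? "d" : "-";
        return "\"" + iNode.getLocalName() + "\":" + iNode.getUserName() + ":" + iNode.getGroupName() + ":" + kind + iNode.getFsPermission();
    }

    /** Renders {@code "name":owner:group:<d|->mode} for a projected inode. */
    private static String toAccessControlString(ProjectedINode projectedINode) throws StorageException, TransactionContextException, IOException {
        String kind = projectedINode.isDirectory() ? "d" : "-";
        return "\"" + projectedINode.getName() + "\":" + projectedINode.getUserName() + ":" + projectedINode.getGroupName() + ":" + kind + new FsPermission(projectedINode.getPermission());
    }

    /** Builds the denial message without ACL entries. */
    private String toAccessControlString(INode iNode, FsAction fsAction, FsPermission fsPermission) throws IOException {
        return toAccessControlString(iNode, fsAction, fsPermission, null);
    }

    /** Builds the denial message with optional ACL entries and no trailing {@code +}. */
    private String toAccessControlString(INode iNode, FsAction fsAction, FsPermission fsPermission, List<AclEntry> list) throws TransactionContextException, IOException {
        return toAccessControlString(iNode, fsAction, fsPermission, list, false);
    }

    /**
     * Builds the "Permission denied" message for an inode.
     *
     * @param iNode inode whose full path, owner, group and type are reported
     * @param fsAction access that was requested
     * @param fsPermission mode printed after the type character
     * @param list ACL entries appended as a comma-separated list, or {@code null} to omit them
     * @param z when {@code true} a trailing {@code +} is appended
     * @return the message text
     */
    private String toAccessControlString(INode iNode, FsAction fsAction, FsPermission fsPermission, List<AclEntry> list, boolean z) throws StorageException, TransactionContextException, IOException {
        StringBuilder message = new StringBuilder("Permission denied: ");
        message.append("user=").append(this.user).append(", ");
        message.append("access=").append(fsAction).append(", ");
        message.append("inode=\"").append(iNode.getFullPathName()).append("\":");
        message.append(iNode.getUserName()).append(':');
        message.append(iNode.getGroupName()).append(':');
        message.append(iNode.isDirectory() ? 'd' : '-').append(fsPermission);
        if (list != null) {
            message.append(':').append(StringUtils.join(",", list));
        }
        if (z) {
            message.append("+");
        }
        return message.toString();
    }

    /**
     * Builds the "Permission denied" message for a projected inode; same layout as the inode
     * variant except that the label is {@code projectedInode=} and the name comes from
     * {@code getName()}.
     */
    private String toAccessControlString(ProjectedINode projectedINode, FsAction fsAction, FsPermission fsPermission, List<AclEntry> list, boolean z) throws IOException {
        StringBuilder message = new StringBuilder("Permission denied: ");
        message.append("user=").append(this.user).append(", ");
        message.append("access=").append(fsAction).append(", ");
        message.append("projectedInode=\"").append(projectedINode.getName()).append("\":");
        message.append(projectedINode.getUserName()).append(':');
        message.append(projectedINode.getGroupName()).append(':');
        message.append(projectedINode.isDirectory() ? 'd' : '-').append(fsPermission);
        if (list != null) {
            message.append(':').append(StringUtils.join(",", list));
        }
        if (z) {
            message.append("+");
        }
        return message.toString();
    }

    /**
     * Captures the caller identity from {@code userGroupInformation}.
     *
     * @param str user name that grants superuser status when equal to the caller's short name
     * @param str2 group name that grants superuser status when the caller belongs to it
     * @param userGroupInformation source of the caller's short user name and group names
     */
    public FSPermissionChecker(String str, String str2, UserGroupInformation userGroupInformation) {
        // Typed copy of the group names; wrapped so the set cannot be altered after construction.
        this.groups = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(userGroupInformation.getGroupNames())));
        this.user = userGroupInformation.getShortUserName();
        this.isSuper = this.user.equals(str) || this.groups.contains(str2);
    }

    /** Returns whether the caller belongs to the group {@code str}. */
    public boolean containsGroup(String str) {
        return this.groups.contains(str);
    }

    /** Returns the caller's short user name. */
    public String getUser() {
        return this.user;
    }

    /** Returns the superuser flag computed in the constructor. */
    public boolean isSuperUser() {
        return this.isSuper;
    }

    /**
     * Rejects callers that are not superusers.
     *
     * @throws AccessControlException if the superuser flag is not set
     */
    public void checkSuperuserPrivilege() throws AccessControlException {
        if (this.isSuper) {
            return;
        }
        throw new AccessControlException("Access denied for user " + this.user + ". Superuser privilege is required");
    }

    /**
     * Runs the full set of checks for a resolved path. The order is: traverse (EXECUTE on every
     * inode before the last), sticky bit, ancestor, parent, target, subtree, ownership.
     *
     * @param iNodesInPath resolved path components; entries may be {@code null}
     * @param z whether the caller must own the last inode (logged as {@code doCheckOwner})
     * @param fsAction access required on the nearest existing ancestor, or {@code null} to skip
     * @param fsAction2 access required on the parent, or {@code null} to skip
     * @param fsAction3 access required on the last inode, or {@code null} to skip
     * @param fsAction4 access required on every directory below the last inode, or {@code null}
     * @param z2 whether empty directories are exempt from the subtree check
     * @throws AccessControlException if any of the checks denies access
     */
    public void checkPermission(INodesInPath iNodesInPath, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2) throws AccessControlException, StorageException, TransactionContextException, IOException {
        if (LOG.isDebugEnabled()) {
            // This class defines no toString(), so "this" renders as the default object identity
            // and the debug line does not name the user being checked.
            LOG.debug("ACCESS CHECK: " + this + ", doCheckOwner=" + z + ", ancestorAccess=" + fsAction + ", parentAccess=" + fsAction2 + ", access=" + fsAction3 + ", subAccess=" + fsAction4 + ", ignoreEmptyDir=" + z2);
        }
        int length = iNodesInPath.length();
        INode lastINode = length > 0 ? iNodesInPath.getLastINode() : null;
        INode parent = length > 1 ? iNodesInPath.getINode(-2) : null;
        checkTraverse(iNodesInPath);
        // The sticky bit only matters when the operation needs WRITE on the parent of an existing inode.
        if (fsAction2 != null && fsAction2.implies(FsAction.WRITE) && length > 1 && lastINode != null) {
            checkStickyBit(parent, lastINode);
        }
        if (fsAction != null && length > 1) {
            // Walk back from the parent position to the nearest non-null inode.
            List<INode> readOnlyINodes = iNodesInPath.getReadOnlyINodes();
            INode ancestor = null;
            for (int i = readOnlyINodes.size() - 2; i >= 0 && ancestor == null; i--) {
                ancestor = readOnlyINodes.get(i);
            }
            check(ancestor, fsAction);
        }
        if (fsAction2 != null && length > 1 && parent != null) {
            check(parent, fsAction2);
        }
        if (fsAction3 != null) {
            check(lastINode, fsAction3);
        }
        if (fsAction4 != null) {
            checkSubAccess(lastINode, fsAction4, z2);
        }
        if (z) {
            checkOwner(lastINode);
        }
    }

    /**
     * Runs the target, subtree and ownership checks for a single inode. No traverse check is
     * performed here.
     *
     * @param iNode inode to check
     * @param z whether the caller must own {@code iNode}
     * @param fsAction access required on {@code iNode}, or {@code null} to skip
     * @param fsAction2 access required on every directory below {@code iNode}, or {@code null}
     * @param z2 whether empty directories are exempt from the subtree check
     */
    void checkPermission(INode iNode, boolean z, FsAction fsAction, FsAction fsAction2, boolean z2) throws AccessControlException, UnresolvedLinkException, StorageException, TransactionContextException, IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("ACCESS CHECK: " + this + ", doCheckOwner=" + z + ", access=" + fsAction + ", subAccess=" + fsAction2 + ", ignoreEmptyDir=" + z2);
        }
        if (fsAction != null) {
            check(iNode, fsAction);
        }
        if (fsAction2 != null) {
            checkSubAccess(iNode, fsAction2, z2);
        }
        if (z) {
            checkOwner(iNode);
        }
    }

    /** Denies unless {@code iNode} exists and is owned by the caller; a null inode is a denial. */
    private void checkOwner(INode iNode) throws IOException {
        boolean owned = iNode != null && this.user.equals(iNode.getUserName());
        if (!owned) {
            throw new AccessControlException("Permission denied. user=" + this.user + " is not the owner of inode=" + iNode);
        }
    }

    /**
     * Requires EXECUTE on every inode before the last one, stopping at the first {@code null}
     * component.
     */
    private void checkTraverse(INodesInPath iNodesInPath) throws IOException {
        List<INode> readOnlyINodes = iNodesInPath.getReadOnlyINodes();
        for (int i = 0; i < readOnlyINodes.size() - 1; i++) {
            INode component = readOnlyINodes.get(i);
            if (component == null) {
                break;
            }
            check(component, FsAction.EXECUTE);
        }
    }

    /**
     * Requires {@code fsAction} on {@code iNode} and on every directory beneath it.
     *
     * @param z when {@code true}, directories with no children are not checked
     */
    private void checkSubAccess(INode iNode, FsAction fsAction, boolean z) throws IOException {
        if (iNode == null || !iNode.isDirectory()) {
            return;
        }
        // Explicit stack instead of recursion; typed so that no cast is needed on pop().
        Stack<INodeDirectory> pending = new Stack<INodeDirectory>();
        pending.push(iNode.asDirectory());
        while (!pending.isEmpty()) {
            INodeDirectory directory = pending.pop();
            List<INode> childrenList = directory.getChildrenList();
            if (!childrenList.isEmpty() || !z) {
                check(directory, fsAction);
            }
            for (INode child : childrenList) {
                if (child.isDirectory()) {
                    pending.push(child.asDirectory());
                }
            }
        }
    }

    /**
     * Checks {@code fsAction} on {@code iNode}, using its access ACL when it has one and its
     * permission bits otherwise. A {@code null} inode passes silently.
     */
    void check(INode iNode, FsAction fsAction) throws IOException {
        if (iNode == null) {
            return;
        }
        FsPermission fsPermission = iNode.getFsPermission();
        AclFeature aclFeature = iNode.getAclFeature();
        if (aclFeature != null) {
            List<AclEntry> entries = aclFeature.getEntries();
            // Guard the get(0): an empty entry list falls back to the permission bits, which is
            // what the overload taking an explicit entry list does.
            if (!entries.isEmpty() && entries.get(0).getScope() == AclEntryScope.ACCESS) {
                checkAccessAcl(iNode, fsAction, fsPermission, entries);
                return;
            }
        }
        check(iNode, fsAction, fsPermission, iNode.getUserName(), iNode.getGroupName());
    }

    /**
     * Checks {@code fsAction} on {@code iNode} against caller-supplied ACL entries. The ACL path
     * is taken only when the first entry has ACCESS scope; otherwise the permission bits decide.
     * A {@code null} inode passes silently.
     */
    public void check(INode iNode, FsAction fsAction, List<AclEntry> list) throws IOException {
        if (iNode == null) {
            return;
        }
        FsPermission fsPermission = iNode.getFsPermission();
        boolean hasAccessAcl = list != null && !list.isEmpty() && list.get(0).getScope() == AclEntryScope.ACCESS;
        if (hasAccessAcl) {
            checkAccessAcl(iNode, fsAction, fsPermission, list);
        } else {
            check(iNode, fsAction, fsPermission, iNode.getUserName(), iNode.getGroupName());
        }
    }

    /**
     * Evaluates an access ACL for an inode.
     *
     * <p>Order of evaluation: the owner entry from the permission bits; then named-user and group
     * entries, each masked with the group bits of {@code fsPermission}; then the "other" bits,
     * which apply only if no earlier entry matched the caller.
     *
     * @throws AccessControlException if no applicable entry grants {@code fsAction}
     */
    private void checkAccessAcl(INode iNode, FsAction fsAction, FsPermission fsPermission, List<AclEntry> list) throws IOException {
        boolean matched = false;
        if (this.user.equals(iNode.getUserName())) {
            if (fsPermission.getUserAction().implies(fsAction)) {
                return;
            }
            // The owner entry is decisive: the ACL scan below is skipped for the owner.
            matched = true;
        }
        if (!matched) {
            for (AclEntry entry : list) {
                // The scan stops at the first DEFAULT-scope entry.
                if (entry.getScope() == AclEntryScope.DEFAULT) {
                    break;
                }
                AclEntryType type = entry.getType();
                String name = entry.getName();
                boolean applies;
                if (type == AclEntryType.USER) {
                    applies = this.user.equals(name);
                } else if (type == AclEntryType.GROUP) {
                    // An unnamed group entry stands for the inode's own group.
                    applies = this.groups.contains(name == null ? iNode.getGroupName() : name);
                } else {
                    applies = false;
                }
                if (!applies) {
                    continue;
                }
                if (entry.getPermission().and(fsPermission.getGroupAction()).implies(fsAction)) {
                    return;
                }
                // NOTE(review): a named-user entry that denies does not end the scan, so a later
                // group entry can still grant access. POSIX-style ACL evaluation treats a matching
                // named-user entry as final; confirm that this fall-through is intended.
                matched = true;
            }
        }
        if (matched || !fsPermission.getOtherAction().implies(fsAction)) {
            throw new AccessControlException(toAccessControlString(iNode, fsAction, fsPermission, list, true));
        }
    }

    /**
     * Evaluates an access ACL for a projected inode; same evaluation order as the inode variant.
     *
     * @throws AccessControlException if no applicable entry grants {@code fsAction}
     */
    private void checkAccessAcl(ProjectedINode projectedINode, FsAction fsAction, FsPermission fsPermission, List<AclEntry> list) throws IOException {
        boolean matched = false;
        if (this.user.equals(projectedINode.getUserName())) {
            if (fsPermission.getUserAction().implies(fsAction)) {
                return;
            }
            // The owner entry is decisive: the ACL scan below is skipped for the owner.
            matched = true;
        }
        if (!matched) {
            for (AclEntry entry : list) {
                // The scan stops at the first DEFAULT-scope entry.
                if (entry.getScope() == AclEntryScope.DEFAULT) {
                    break;
                }
                AclEntryType type = entry.getType();
                String name = entry.getName();
                boolean applies;
                if (type == AclEntryType.USER) {
                    applies = this.user.equals(name);
                } else if (type == AclEntryType.GROUP) {
                    // An unnamed group entry stands for the inode's own group.
                    applies = this.groups.contains(name == null ? projectedINode.getGroupName() : name);
                } else {
                    applies = false;
                }
                if (!applies) {
                    continue;
                }
                if (entry.getPermission().and(fsPermission.getGroupAction()).implies(fsAction)) {
                    return;
                }
                // NOTE(review): a named-user entry that denies does not end the scan, so a later
                // group entry can still grant access. POSIX-style ACL evaluation treats a matching
                // named-user entry as final; confirm that this fall-through is intended.
                matched = true;
            }
        }
        if (matched || !fsPermission.getOtherAction().implies(fsAction)) {
            throw new AccessControlException(toAccessControlString(projectedINode, fsAction, fsPermission, list, true));
        }
    }

    /**
     * Checks {@code fsAction} on a projected inode against caller-supplied ACL entries, falling
     * back to the permission bits when the first entry is not ACCESS-scoped. A {@code null}
     * projected inode passes silently.
     */
    public void check(ProjectedINode projectedINode, FsAction fsAction, List<AclEntry> list) throws IOException {
        if (projectedINode == null) {
            return;
        }
        FsPermission fsPermission = new FsPermission(projectedINode.getPermission());
        boolean hasAccessAcl = list != null && !list.isEmpty() && list.get(0).getScope() == AclEntryScope.ACCESS;
        if (hasAccessAcl) {
            checkAccessAcl(projectedINode, fsAction, fsPermission, list);
            return;
        }
        boolean allowed = check(projectedINode.getId(), fsAction, fsPermission, projectedINode.getUserName(), projectedINode.getGroupName());
        if (!allowed) {
            throw new AccessControlException("Permission denied: user=" + this.user + ", access=" + fsAction + ", inode=" + toAccessControlString(projectedINode));
        }
    }

    /**
     * Permission-bit check that throws on denial.
     *
     * @param str owner name to compare with the caller
     * @param str2 group name to look up in the caller's groups
     * @throws AccessControlException if the selected permission class does not imply {@code fsAction}
     */
    void check(INode iNode, FsAction fsAction, FsPermission fsPermission, String str, String str2) throws AccessControlException, TransactionContextException, IOException {
        boolean allowed = check(iNode.getId(), fsAction, fsPermission, str, str2);
        if (!allowed) {
            throw new AccessControlException("Permission denied: user=" + this.user + ", access=" + fsAction + ", inode=" + toAccessControlString(iNode));
        }
    }

    /**
     * Permission-bit decision. Exactly one class is consulted: owner if the caller is
     * {@code str}, else group if the caller belongs to {@code str2}, else other.
     *
     * @param j inode id; not used by the decision
     * @return {@code true} if the selected class implies {@code fsAction}
     */
    boolean check(long j, FsAction fsAction, FsPermission fsPermission, String str, String str2) throws AccessControlException, TransactionContextException, IOException {
        if (this.user.equals(str)) {
            return fsPermission.getUserAction().implies(fsAction);
        }
        if (this.groups.contains(str2)) {
            return fsPermission.getGroupAction().implies(fsAction);
        }
        return fsPermission.getOtherAction().implies(fsAction);
    }

    /**
     * Enforces the sticky bit: when it is set on the parent and the caller does not own the
     * parent, the caller must own the child.
     *
     * @param iNode parent directory
     * @param iNode2 child inode being modified
     * @throws AccessControlException if the sticky bit forbids the operation
     */
    private void checkStickyBit(INode iNode, INode iNode2) throws IOException {
        if (!iNode.getFsPermission().getStickyBit()) {
            return;
        }
        if (iNode.getUserName().equals(this.user)) {
            return;
        }
        // A child with no recorded owner cannot belong to the caller, so deny explicitly instead
        // of writing a blank line to stdout and then failing on a null dereference.
        String childOwner = iNode2.getUserName();
        if (childOwner == null || !childOwner.equals(this.user)) {
            throw new AccessControlException("Permission denied by sticky bit setting: user=" + this.user + ", inode=" + iNode2);
        }
    }

    /**
     * Checks {@code fsAction} against a cache pool's mode. Superusers always pass.
     *
     * @throws AccessControlException if neither the owner, group nor other bits grant the access
     */
    public void checkPermission(CachePool cachePool, FsAction fsAction) throws AccessControlException {
        FsPermission mode = cachePool.getMode();
        if (isSuperUser()) {
            return;
        }
        if (this.user.equals(cachePool.getOwnerName()) && mode.getUserAction().implies(fsAction)) {
            return;
        }
        // NOTE(review): unlike the inode checks, an owner whose user bits deny the access still
        // falls through to the group and other bits here.
        boolean grantedByGroup = this.groups.contains(cachePool.getGroupName()) && mode.getGroupAction().implies(fsAction);
        if (!grantedByGroup && !mode.getOtherAction().implies(fsAction)) {
            throw new AccessControlException("Permission denied while accessing pool " + cachePool.getPoolName() + ": user " + this.user + " does not have " + fsAction.toString() + " permissions.");
        }
    }
}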
