package org.apache.hadoop.security.authorize;

import java.io.IOException;
import java.net.InetAddress;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Set;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.util.MachineList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

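@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
/* loaded from: input_file:paimon-plugin-s3.jar:org/apache/hadoop/security/authorize/ServiceAuthorizationManager.class */
/**
 * Authorizes RPC clients against per-protocol ACLs and host lists.
 *
 * <p>Each registered protocol carries two {@link AccessControlList}s (allowed, blocked)
 * and two {@link MachineList}s (allowed hosts, blocked hosts). {@link #authorize} admits a
 * caller only when every check passes: the protocol is known, the Kerberos principal (when
 * security is enabled and one is configured) matches the caller, the caller is in the allowed
 * ACL and not in the blocked ACL, and — when a client address is supplied — the address is in
 * the allowed host list and not in the blocked host list. Unknown protocols and malformed
 * list pairs are rejected (fail closed).
 *
 * <p>Every decision is written to {@link #AUDITLOG}. The tables are rebuilt by
 * {@link #refresh} / {@link #refreshWithLoadedConfiguration} and swapped in via two separate
 * {@code volatile} fields; a reader racing with a refresh may therefore pair ACLs from one
 * generation with machine lists from another.
 */
public class ServiceAuthorizationManager {
    /** Suffix appended to a service key (or host key) to name its blocked list. */
    static final String BLOCKED = ".blocked";
    /** Suffix that replaces the last dotted segment of a service key to name its host list. */
    static final String HOSTS = ".hosts";
    /** Policy file loaded by {@link #refresh} unless the {@code hadoop.policy.file} system property overrides it. */
    private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";
    // Protocol class -> {allowed ACL, blocked ACL}; replaced wholesale on refresh, never mutated in place.
    private volatile Map<Class<?>, AccessControlList[]> protocolToAcls = new IdentityHashMap<>();
    // Protocol class -> {allowed hosts, blocked hosts}; replaced wholesale on refresh, never mutated in place.
    private volatile Map<Class<?>, MachineList[]> protocolToMachineLists = new IdentityHashMap<>();

    @Deprecated
    public static final String SERVICE_AUTHORIZATION_CONFIG = "hadoop.security.authorization";
    /** Audit logger; every allow and deny decision of {@link #authorize} is recorded here. */
    public static final Logger AUDITLOG = LoggerFactory.getLogger("SecurityLogger." + ServiceAuthorizationManager.class.getName());
    private static final String AUTHZ_SUCCESSFUL_FOR = "Authorization successful for ";
    private static final String AUTHZ_FAILED_FOR = "Authorization failed for ";

    /**
     * Authorizes {@code userGroupInformation} to use protocol {@code cls} from {@code inetAddress}.
     *
     * <p>Checks run in this order and the first failure is reported: unknown protocol; principal
     * mismatch or ACL denial (allowed list must admit the user, blocked list must not); host
     * denial (only when {@code inetAddress} is non-null). A denial is logged at WARN and a
     * success at INFO on {@link #AUDITLOG}.
     *
     * @param userGroupInformation the caller to authorize
     * @param cls the protocol (RPC interface) being accessed
     * @param configuration configuration used to look up the protocol's Kerberos principal
     * @param inetAddress the client's address, or {@code null} to skip the host check
     * @throws AuthorizationException if the protocol is unknown, the principal cannot be
     *         resolved, or the user or host is denied
     */
    public void authorize(UserGroupInformation userGroupInformation, Class<?> cls, Configuration configuration, InetAddress inetAddress) throws AuthorizationException {
        AccessControlList[] acls = this.protocolToAcls.get(cls);
        MachineList[] hosts = this.protocolToMachineLists.get(cls);
        // Fail closed: a protocol never registered through refresh() is rejected outright.
        if (acls == null || hosts == null) {
            throw new AuthorizationException("Protocol " + cls + " is not known.");
        }
        String expectedPrincipal = expectedClientPrincipal(userGroupInformation, cls, configuration, inetAddress);
        boolean principalMismatch = expectedPrincipal != null
                && !expectedPrincipal.equals(userGroupInformation.getUserName());
        // Exactly one allowed and one blocked ACL are required; the blocked ACL wins over the allowed one.
        boolean userDenied = principalMismatch
                || acls.length != 2
                || !acls[0].isUserAllowed(userGroupInformation)
                || acls[1].isUserAllowed(userGroupInformation);
        if (userDenied) {
            String reason = expectedPrincipal != null
                    ? ": this service is only accessible by " + expectedPrincipal
                    : ": denied by configured ACL";
            AUDITLOG.warn(AUTHZ_FAILED_FOR + userGroupInformation + " for protocol=" + cls + reason);
            throw new AuthorizationException("User " + userGroupInformation + " is not authorized for protocol " + cls + reason);
        }
        if (inetAddress != null) {
            String hostAddress = inetAddress.getHostAddress();
            // Same shape as the ACL check: allowed list must include the host, blocked list must not.
            boolean hostDenied = hosts.length != 2
                    || !hosts[0].includes(hostAddress)
                    || hosts[1].includes(hostAddress);
            if (hostDenied) {
                // Include the user so the audit record identifies who was refused, not only from where.
                AUDITLOG.warn(AUTHZ_FAILED_FOR + userGroupInformation + " for protocol=" + cls + " from host = " + hostAddress);
                throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol " + cls);
            }
        }
        AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + userGroupInformation + " for protocol=" + cls);
    }

    /**
     * Resolves the Kerberos principal that the caller must present for {@code cls}.
     *
     * @return the fully resolved server principal, or {@code null} when security is disabled or
     *         no client principal is configured for the protocol
     * @throws AuthorizationException if the configured principal cannot be resolved against
     *         {@code inetAddress}; the underlying {@link IOException} is attached as the cause
     */
    private static String expectedClientPrincipal(UserGroupInformation userGroupInformation, Class<?> cls, Configuration configuration, InetAddress inetAddress) throws AuthorizationException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return null;
        }
        String principal = SecurityUtil.getClientPrincipal(cls, configuration);
        if (principal == null) {
            return null;
        }
        try {
            // Substitutes the host component of the configured principal with the client's address.
            return SecurityUtil.getServerPrincipal(principal, inetAddress);
        } catch (IOException e) {
            throw ((AuthorizationException) new AuthorizationException(
                    "Can't figure out Kerberos principal name for connection from " + inetAddress
                            + " for user=" + userGroupInformation + " protocol=" + cls).initCause(e));
        }
    }

    /**
     * Reloads the policy file on top of {@code configuration} and rebuilds the ACL and host tables.
     *
     * <p>The policy file name is taken from the {@code hadoop.policy.file} system property and
     * defaults to {@value #HADOOP_POLICY_FILE}. The caller's configuration is not modified; the
     * resource is added to a copy.
     *
     * @param configuration base configuration
     * @param policyProvider supplies the services whose ACLs are to be loaded
     */
    public void refresh(Configuration configuration, PolicyProvider policyProvider) {
        String policyFile = System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE);
        Configuration policyConf = new Configuration(configuration);
        policyConf.addResource(policyFile);
        refreshWithLoadedConfiguration(policyConf, policyProvider);
    }

    /**
     * Rebuilds the ACL and host tables from an already-loaded {@code configuration}.
     *
     * <p>For each service, the allowed ACL comes from the service key (default: the configured
     * default ACL, itself defaulting to {@code "*"}), the blocked ACL from the service key plus
     * {@value #BLOCKED} (default: the configured default blocked ACL, itself defaulting to
     * empty). Host lists use the same scheme on the key produced by {@link #getHostKey}. The new
     * tables are built completely before being published.
     *
     * @param configuration configuration already containing the policy entries
     * @param policyProvider supplies the services; a {@code null} service array yields empty tables
     */
    @InterfaceAudience.Private
    public void refreshWithLoadedConfiguration(Configuration configuration, PolicyProvider policyProvider) {
        Map<Class<?>, AccessControlList[]> newAcls = new IdentityHashMap<>();
        Map<Class<?>, MachineList[]> newMachineLists = new IdentityHashMap<>();
        String defaultAcl = configuration.get(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL, "*");
        String defaultBlockedAcl = configuration.get(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL, "");
        String defaultHostKey = getHostKey(CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_ACL);
        String defaultHosts = configuration.get(defaultHostKey, "*");
        String defaultBlockedHosts = configuration.get(defaultHostKey + BLOCKED, "");
        Service[] services = policyProvider.getServices();
        if (services != null) {
            for (Service service : services) {
                String serviceKey = service.getServiceKey();
                newAcls.put(service.getProtocol(), new AccessControlList[]{
                        new AccessControlList(configuration.get(serviceKey, defaultAcl)),
                        new AccessControlList(configuration.get(serviceKey + BLOCKED, defaultBlockedAcl))});
                String hostKey = getHostKey(serviceKey);
                newMachineLists.put(service.getProtocol(), new MachineList[]{
                        new MachineList(configuration.get(hostKey, defaultHosts)),
                        new MachineList(configuration.get(hostKey + BLOCKED, defaultBlockedHosts))});
            }
        }
        // Publish fully built tables; each assignment is a volatile write but the pair is not atomic.
        this.protocolToAcls = newAcls;
        this.protocolToMachineLists = newMachineLists;
    }

    /**
     * Derives the host-list key from a service key by replacing everything after the last
     * {@code '.'} with {@value #HOSTS}; a key without a dot is returned unchanged.
     *
     * @param serviceKey configuration key of the service ACL
     * @return the key under which the service's allowed host list is configured
     */
    private String getHostKey(String serviceKey) {
        int lastDot = serviceKey.lastIndexOf('.');
        return lastDot != -1 ? serviceKey.substring(0, lastDot) + HOSTS : serviceKey;
    }

    /** @return the protocols currently registered with ACLs (live view of the current table). */
    @VisibleForTesting
    public Set<Class<?>> getProtocolsWithAcls() {
        return this.protocolToAcls.keySet();
    }

    /**
     * @return the allowed ACL for {@code cls}
     * @throws NullPointerException if {@code cls} is not a registered protocol
     */
    @VisibleForTesting
    public AccessControlList getProtocolsAcls(Class<?> cls) {
        return this.protocolToAcls.get(cls)[0];
    }

    /**
     * @return the blocked ACL for {@code cls}
     * @throws NullPointerException if {@code cls} is not a registered protocol
     */
    @VisibleForTesting
    public AccessControlList getProtocolsBlockedAcls(Class<?> cls) {
        return this.protocolToAcls.get(cls)[1];
    }

    /** @return the protocols currently registered with host lists (live view of the current table). */
    @VisibleForTesting
    public Set<Class<?>> getProtocolsWithMachineLists() {
        return this.protocolToMachineLists.keySet();
    }

    /**
     * @return the allowed host list for {@code cls}
     * @throws NullPointerException if {@code cls} is not a registered protocol
     */
    @VisibleForTesting
    public MachineList getProtocolsMachineList(Class<?> cls) {
        return this.protocolToMachineLists.get(cls)[0];
    }

    /**
     * @return the blocked host list for {@code cls}
     * @throws NullPointerException if {@code cls} is not a registered protocol
     */
    @VisibleForTesting
    public MachineList getProtocolsBlockedMachineList(Class<?> cls) {
        return this.protocolToMachineLists.get(cls)[1];
    }
}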
