package org.apache.hadoop.security.authorize;

import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.flink.shaded.hadoop2.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.MachineList;

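/**
 * Default {@link ImpersonationProvider}: decides whether a real (authenticated) user may act
 * on behalf of another user, based on configuration.
 *
 * <p>For every proxy superuser found under the configured prefix, {@link #init(String)} loads:
 * <ul>
 *   <li>an {@link AccessControlList} built from the {@code <prefix><superuser>.users} and
 *       {@code <prefix><superuser>.groups} values, and</li>
 *   <li>a {@link MachineList} built from the {@code <prefix><superuser>.hosts} value.</li>
 * </ul>
 *
 * <p>{@link #authorize(UserGroupInformation, String)} denies by default. An impersonation
 * request is accepted only when both an ACL and a host list exist for the real user and both
 * checks pass.
 *
 * <p>The backing maps are plain {@link HashMap}s and this class does no locking of its own
 * apart from {@link #getTestProvider()}.
 */
@InterfaceAudience.Public
@InterfaceStability.Unstable
public class DefaultImpersonationProvider implements ImpersonationProvider {
    private static final String CONF_HOSTS = ".hosts";
    private static final String CONF_USERS = ".users";
    private static final String CONF_GROUPS = ".groups";

    // Lazily created shared instance handed out by getTestProvider().
    private static DefaultImpersonationProvider testProvider;

    // Keyed by "<configPrefix><superuser>" (the config key with its last segment removed).
    private final Map<String, AccessControlList> proxyUserAcl =
            new HashMap<String, AccessControlList>();
    // Keyed by the full "<configPrefix><superuser>.hosts" configuration key.
    private final Map<String, MachineList> proxyHosts = new HashMap<String, MachineList>();
    private Configuration conf;
    private String configPrefix;

    /**
     * Returns a shared provider backed by a fresh {@link Configuration} and initialised with
     * {@code ProxyUsers.CONF_HADOOP_PROXYUSER}. The instance is created on first use.
     *
     * @return the shared test provider
     */
    public static synchronized DefaultImpersonationProvider getTestProvider() {
        if (testProvider == null) {
            testProvider = new DefaultImpersonationProvider();
            testProvider.setConf(new Configuration());
            testProvider.init(ProxyUsers.CONF_HADOOP_PROXYUSER);
        }
        return testProvider;
    }

    /**
     * Stores the configuration that {@link #init(String)} reads from. Must be called before
     * {@code init}.
     *
     * @param configuration the configuration holding the proxy-user settings
     */
    @Override // org.apache.hadoop.conf.Configurable
    public void setConf(Configuration configuration) {
        this.conf = configuration;
    }

    /**
     * Loads the proxy-user ACLs and host lists found under the given configuration prefix.
     *
     * <p>NOTE(review): the maps are only added to, never cleared, and an ACL key that is
     * already present is not replaced. If {@code init} is ever called again on the same
     * instance, entries from the earlier load stay in effect, so a grant that was removed
     * from the configuration would still be honoured. Confirm that callers create a new
     * provider for every configuration refresh.
     *
     * @param str the configuration prefix; the separator is appended when missing
     */
    @Override // org.apache.hadoop.security.authorize.ImpersonationProvider
    public void init(String str) {
        // Path.CUR_DIR serves as the key separator here (presumably "." - confirm).
        this.configPrefix = str + (str.endsWith(Path.CUR_DIR) ? "" : Path.CUR_DIR);

        // Patterns for <prefix>[ANY].users, <prefix>[ANY].groups and <prefix>[ANY].hosts.
        // [\S]* accepts any run of non-whitespace, separators included. Whether the pattern
        // is anchored depends on Configuration.getValByRegex, which is not shown here.
        // authorize() only ever looks up the exact keys it builds itself, so keys with an
        // unexpected shape are loaded but never consulted.
        String escapedPrefix = this.configPrefix.replace(Path.CUR_DIR, "\\.");
        String usersGroupsRegex = escapedPrefix + "[\\S]*(" + Pattern.quote(CONF_USERS) + "|"
                + Pattern.quote(CONF_GROUPS) + ")";
        String hostsRegex = escapedPrefix + "[\\S]*" + Pattern.quote(CONF_HOSTS);

        Map<String, String> userGroupValues = this.conf.getValByRegex(usersGroupsRegex);
        for (String key : userGroupValues.keySet()) {
            String aclKey = getAclKey(key);
            // The .users and .groups keys of one superuser share an aclKey; build the ACL once.
            if (!this.proxyUserAcl.containsKey(aclKey)) {
                // Either value may be absent (null) when only one of the two keys is set.
                this.proxyUserAcl.put(aclKey, new AccessControlList(
                        userGroupValues.get(aclKey + CONF_USERS),
                        userGroupValues.get(aclKey + CONF_GROUPS)));
            }
        }

        for (Map.Entry<String, String> entry : this.conf.getValByRegex(hostsRegex).entrySet()) {
            this.proxyHosts.put(entry.getKey(), new MachineList(entry.getValue()));
        }
    }

    /**
     * Returns the configuration passed to {@link #setConf(Configuration)}.
     *
     * @return the stored configuration, or {@code null} if none was set
     */
    @Override // org.apache.hadoop.conf.Configurable
    public Configuration getConf() {
        return this.conf;
    }

    /**
     * Checks whether the real user behind {@code userGroupInformation} may impersonate it
     * from the given remote address.
     *
     * <p>The check fails closed. If no ACL or no host list is configured for the real user,
     * the request is rejected in the same way as an explicit mismatch.
     *
     * @param userGroupInformation the effective user of the request
     * @param str the remote address of the caller, passed to {@link MachineList#includes}
     * @throws IllegalArgumentException if {@code userGroupInformation} is {@code null}
     * @throws AuthorizationException if the real user may not impersonate the effective user,
     *     or may not do so from {@code str}
     */
    @Override // org.apache.hadoop.security.authorize.ImpersonationProvider
    public void authorize(UserGroupInformation userGroupInformation, String str) throws AuthorizationException {
        if (userGroupInformation == null) {
            throw new IllegalArgumentException("user is null.");
        }
        UserGroupInformation realUser = userGroupInformation.getRealUser();
        if (realUser == null) {
            // No real user behind this UGI: treated as "not an impersonation request".
            return;
        }

        // Check 1: the effective user must be covered by the superuser's users/groups ACL.
        AccessControlList accessControlList =
                this.proxyUserAcl.get(this.configPrefix + realUser.getShortUserName());
        if (accessControlList == null || !accessControlList.isUserAllowed(userGroupInformation)) {
            throw new AuthorizationException("User: " + realUser.getUserName() + " is not allowed to impersonate " + userGroupInformation.getUserName());
        }

        // Check 2: the connection must come from a host allowed for that superuser.
        MachineList machineList =
                this.proxyHosts.get(getProxySuperuserIpConfKey(realUser.getShortUserName()));
        if (machineList == null || !machineList.includes(str)) {
            throw new AuthorizationException("Unauthorized connection for super-user: " + realUser.getUserName() + " from IP " + str);
        }
    }

    /**
     * Strips the last separator-delimited segment from a configuration key, e.g. the trailing
     * {@code .users} or {@code .groups}. A key without a separator is returned unchanged.
     */
    private String getAclKey(String str) {
        int lastIndexOf = str.lastIndexOf(Path.CUR_DIR);
        return lastIndexOf != -1 ? str.substring(0, lastIndexOf) : str;
    }

    /**
     * Builds the configuration key that holds the users a superuser may impersonate.
     *
     * @param str the superuser name
     * @return {@code <configPrefix><str>.users}
     */
    public String getProxySuperuserUserConfKey(String str) {
        return this.configPrefix + str + CONF_USERS;
    }

    /**
     * Builds the configuration key that holds the groups a superuser may impersonate.
     *
     * @param str the superuser name
     * @return {@code <configPrefix><str>.groups}
     */
    public String getProxySuperuserGroupConfKey(String str) {
        return this.configPrefix + str + CONF_GROUPS;
    }

    /**
     * Builds the configuration key that holds the hosts a superuser may connect from.
     *
     * @param str the superuser name
     * @return {@code <configPrefix><str>.hosts}
     */
    public String getProxySuperuserIpConfKey(String str) {
        return this.configPrefix + str + CONF_HOSTS;
    }

    /**
     * Returns the loaded groups per superuser, keyed by the {@code .groups} configuration key.
     *
     * @return a new map; the collections are whatever {@code AccessControlList.getGroups()}
     *     returns
     */
    @VisibleForTesting
    public Map<String, Collection<String>> getProxyGroups() {
        Map<String, Collection<String>> groupsByKey = new HashMap<String, Collection<String>>();
        for (Map.Entry<String, AccessControlList> entry : this.proxyUserAcl.entrySet()) {
            groupsByKey.put(entry.getKey() + CONF_GROUPS, entry.getValue().getGroups());
        }
        return groupsByKey;
    }

    /**
     * Returns the loaded host lists per superuser, keyed by the {@code .hosts} configuration
     * key.
     *
     * @return a new map; the collections are whatever {@code MachineList.getCollection()}
     *     returns
     */
    @VisibleForTesting
    public Map<String, Collection<String>> getProxyHosts() {
        Map<String, Collection<String>> hostsByKey = new HashMap<String, Collection<String>>();
        for (Map.Entry<String, MachineList> entry : this.proxyHosts.entrySet()) {
            hostsByKey.put(entry.getKey(), entry.getValue().getCollection());
        }
        return hostsByKey;
    }
}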
