package org.apache.ranger.plugin.policyengine;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.ListUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.math3.geometry.VectorFormat;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.RangerPolicyDeltaUtil;
import org.apache.ranger.plugin.util.RangerResourceTrie;
import org.apache.ranger.plugin.util.ServicePolicies;
import org.eclipse.persistence.internal.xr.Util;

/* loaded from: input_file:org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.class */
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
    private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
    private static final Log PERF_POLICYENGINE_INIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.init");
    private static final Log PERF_POLICYENGINE_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policyengine.request");
    private static final Log PERF_POLICYENGINE_AUDIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.audit");
    private static final Log PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request");
    private static final Log PERF_POLICYENGINE_REBALANCE_LOG = RangerPerfTracer.getPerfLogger("policyengine.rebalance");
    private static final Log PERF_POLICYENGINE_USAGE_LOG = RangerPerfTracer.getPerfLogger("policyengine.usage");
    private static final Log PERF_POLICYENGINE_GET_ACLS_LOG = RangerPerfTracer.getPerfLogger("policyengine.getResourceACLs");
    private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 100;
    private final RangerPolicyRepository policyRepository;
    private final RangerPolicyRepository tagPolicyRepository;
    private boolean isPolicyRepositoryShared;
    private boolean isTagPolicyRepositoryShared;
    private List<RangerContextEnricher> allContextEnrichers;
    private boolean useForwardedIPAddress;
    private String[] trustedProxyAddresses;
    private Map<String, RangerPolicyRepository> policyRepositories;
    private Map<String, RangerResourceTrie> trieMap;
    private Map<String, String> zoneTagServiceMap;
    private final Map<String, Set<String>> userRoleMapping;
    private final Map<String, Set<String>> groupRoleMapping;
    private final RangerPluginContext rangerPluginContext;

    public RangerPolicyEngineImpl(RangerPolicyEngineImpl rangerPolicyEngineImpl, ServicePolicies servicePolicies) {
        this(rangerPolicyEngineImpl, servicePolicies, (RangerPluginContext) null);
    }

    public RangerPolicyEngineImpl(RangerPolicyEngineImpl rangerPolicyEngineImpl, ServicePolicies servicePolicies, RangerPluginContext rangerPluginContext) {
        List<RangerContextEnricher> arrayList;
        RangerPolicyRepository rangerPolicyRepository;
        this.isPolicyRepositoryShared = false;
        this.isTagPolicyRepositoryShared = false;
        this.policyRepositories = new HashMap();
        List<RangerPolicyDelta> policyDeltas = servicePolicies.getPolicyDeltas();
        long longValue = servicePolicies.getPolicyVersion().longValue();
        this.useForwardedIPAddress = rangerPolicyEngineImpl.useForwardedIPAddress;
        this.trustedProxyAddresses = rangerPolicyEngineImpl.trustedProxyAddresses;
        ArrayList arrayList2 = new ArrayList();
        ArrayList<RangerPolicyDelta> arrayList3 = new ArrayList();
        if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
            HashMap hashMap = new HashMap();
            buildZoneTrie(servicePolicies);
            Iterator<Map.Entry<String, ServicePolicies.SecurityZoneInfo>> it = servicePolicies.getSecurityZones().entrySet().iterator();
            while (it.hasNext()) {
                hashMap.put(it.next().getKey(), new ArrayList());
            }
            for (RangerPolicyDelta rangerPolicyDelta : policyDeltas) {
                String zoneName = rangerPolicyDelta.getZoneName();
                if (StringUtils.isNotEmpty(zoneName)) {
                    List list = (List) hashMap.get(zoneName);
                    if (list != null) {
                        list.add(rangerPolicyDelta);
                    }
                } else if (servicePolicies.getServiceDef().getName().equals(rangerPolicyDelta.getServiceType())) {
                    arrayList2.add(rangerPolicyDelta);
                } else {
                    arrayList3.add(rangerPolicyDelta);
                }
            }
            Iterator<Map.Entry<String, ServicePolicies.SecurityZoneInfo>> it2 = servicePolicies.getSecurityZones().entrySet().iterator();
            while (it2.hasNext()) {
                String key = it2.next().getKey();
                List<RangerPolicyDelta> list2 = (List) hashMap.get(key);
                RangerPolicyRepository rangerPolicyRepository2 = rangerPolicyEngineImpl.policyRepositories.get(key);
                if (!CollectionUtils.isNotEmpty(list2)) {
                    rangerPolicyRepository = rangerPolicyRepository2;
                } else if (rangerPolicyRepository2 == null) {
                    ArrayList arrayList4 = new ArrayList();
                    for (RangerPolicyDelta rangerPolicyDelta2 : list2) {
                        if (rangerPolicyDelta2.getChangeType().intValue() == 0) {
                            arrayList4.add(rangerPolicyDelta2.getPolicy());
                        } else {
                            LOG.warn("Expected changeType:[0], found policy-change-delta:[" + rangerPolicyDelta2 + "]");
                        }
                    }
                    servicePolicies.getSecurityZones().get(key).setPolicies(arrayList4);
                    rangerPolicyRepository = new RangerPolicyRepository(rangerPolicyEngineImpl.policyRepository.getAppId(), servicePolicies, rangerPolicyEngineImpl.policyRepository.getOptions(), key);
                } else {
                    rangerPolicyRepository = new RangerPolicyRepository(rangerPolicyRepository2, (List<RangerPolicyDelta>) list2, longValue);
                }
                this.policyRepositories.put(key, rangerPolicyRepository);
            }
        } else {
            for (RangerPolicyDelta rangerPolicyDelta3 : policyDeltas) {
                if (servicePolicies.getServiceDef().getName().equals(rangerPolicyDelta3.getServiceType())) {
                    arrayList2.add(rangerPolicyDelta3);
                } else {
                    arrayList3.add(rangerPolicyDelta3);
                }
            }
        }
        if (rangerPolicyEngineImpl.policyRepository == null || !CollectionUtils.isNotEmpty(arrayList2)) {
            this.policyRepository = rangerPolicyEngineImpl.policyRepository;
            rangerPolicyEngineImpl.isPolicyRepositoryShared = true;
        } else {
            this.policyRepository = new RangerPolicyRepository(rangerPolicyEngineImpl.policyRepository, arrayList2, longValue);
        }
        if (servicePolicies.getTagPolicies() == null) {
            this.tagPolicyRepository = null;
            if (rangerPolicyEngineImpl.tagPolicyRepository != null) {
                rangerPolicyEngineImpl.isTagPolicyRepositoryShared = false;
            }
        } else if (!CollectionUtils.isNotEmpty(arrayList3)) {
            this.tagPolicyRepository = rangerPolicyEngineImpl.tagPolicyRepository;
            rangerPolicyEngineImpl.isTagPolicyRepositoryShared = true;
        } else if (rangerPolicyEngineImpl.tagPolicyRepository != null) {
            this.tagPolicyRepository = new RangerPolicyRepository(rangerPolicyEngineImpl.tagPolicyRepository, arrayList3, longValue);
        } else {
            ArrayList arrayList5 = new ArrayList();
            for (RangerPolicyDelta rangerPolicyDelta4 : arrayList3) {
                if (rangerPolicyDelta4.getChangeType().intValue() == 0) {
                    arrayList5.add(rangerPolicyDelta4.getPolicy());
                } else {
                    LOG.warn("Expected changeType:[0], found policy-change-delta:[" + rangerPolicyDelta4 + "]");
                }
            }
            servicePolicies.getTagPolicies().setPolicies(arrayList5);
            this.tagPolicyRepository = new RangerPolicyRepository(rangerPolicyEngineImpl.policyRepository.getAppId(), servicePolicies.getTagPolicies(), rangerPolicyEngineImpl.policyRepository.getOptions(), servicePolicies.getServiceDef(), servicePolicies.getServiceName());
        }
        this.rangerPluginContext = rangerPluginContext != null ? rangerPluginContext : null;
        List<RangerContextEnricher> contextEnrichers = this.tagPolicyRepository == null ? null : this.tagPolicyRepository.getContextEnrichers();
        List<RangerContextEnricher> contextEnrichers2 = this.policyRepository.getContextEnrichers();
        if (CollectionUtils.isEmpty(contextEnrichers)) {
            arrayList = contextEnrichers2;
        } else if (CollectionUtils.isEmpty(contextEnrichers2)) {
            arrayList = contextEnrichers;
        } else {
            arrayList = new ArrayList(contextEnrichers);
            arrayList.addAll(contextEnrichers2);
        }
        this.allContextEnrichers = arrayList;
        this.userRoleMapping = MapUtils.isNotEmpty(servicePolicies.getUserRoles()) ? servicePolicies.getUserRoles() : null;
        this.groupRoleMapping = MapUtils.isNotEmpty(servicePolicies.getGroupRoles()) ? servicePolicies.getGroupRoles() : null;
        reorderPolicyEvaluators();
    }

    public RangerPolicyEngineImpl(String str, ServicePolicies servicePolicies, RangerPolicyEngineOptions rangerPolicyEngineOptions) {
        this(str, servicePolicies, rangerPolicyEngineOptions, null);
    }

    public RangerPolicyEngineImpl(String str, ServicePolicies servicePolicies, RangerPolicyEngineOptions rangerPolicyEngineOptions, RangerPluginContext rangerPluginContext) {
        List<RangerContextEnricher> arrayList;
        this.isPolicyRepositoryShared = false;
        this.isTagPolicyRepositoryShared = false;
        this.policyRepositories = new HashMap();
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl(" + str + ", " + servicePolicies + ", " + rangerPolicyEngineOptions + ", " + rangerPluginContext + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.init(appId=" + str + ",hashCode=" + Integer.toHexString(System.identityHashCode(this)) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            long freeMemory = Runtime.getRuntime().freeMemory();
            PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (Runtime.getRuntime().totalMemory() - freeMemory) + ", Free memory:" + freeMemory);
        }
        rangerPolicyEngineOptions = rangerPolicyEngineOptions == null ? new RangerPolicyEngineOptions() : rangerPolicyEngineOptions;
        this.rangerPluginContext = rangerPluginContext != null ? rangerPluginContext : null;
        if (StringUtils.isBlank(rangerPolicyEngineOptions.evaluatorType) || StringUtils.equalsIgnoreCase(rangerPolicyEngineOptions.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
            if (servicePolicies.getPolicies().size() + (servicePolicies.getTagPolicies() != null ? servicePolicies.getTagPolicies().getPolicies().size() : 0) > RangerConfiguration.getInstance().getInt("ranger.plugin." + servicePolicies.getServiceDef().getName() + ".policyengine.evaluator.auto.maximum.policycount.for.cache.type", 100)) {
                rangerPolicyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
            } else {
                rangerPolicyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
            }
        } else if (StringUtils.equalsIgnoreCase(rangerPolicyEngineOptions.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) {
            rangerPolicyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
        } else {
            rangerPolicyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
        }
        this.policyRepository = new RangerPolicyRepository(str, servicePolicies, rangerPolicyEngineOptions);
        ServicePolicies.TagPolicies tagPolicies = servicePolicies.getTagPolicies();
        if (rangerPolicyEngineOptions.disableTagPolicyEvaluation || tagPolicies == null || StringUtils.isEmpty(tagPolicies.getServiceName()) || tagPolicies.getServiceDef() == null || CollectionUtils.isEmpty(tagPolicies.getPolicies())) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerPolicyEngineImpl : No tag-policy-repository for service " + servicePolicies.getServiceName());
            }
            this.tagPolicyRepository = null;
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("RangerPolicyEngineImpl : Building tag-policy-repository for tag-service " + tagPolicies.getServiceName());
            }
            this.tagPolicyRepository = new RangerPolicyRepository(str, tagPolicies, rangerPolicyEngineOptions, servicePolicies.getServiceDef(), servicePolicies.getServiceName());
        }
        List<RangerContextEnricher> contextEnrichers = this.tagPolicyRepository == null ? null : this.tagPolicyRepository.getContextEnrichers();
        List<RangerContextEnricher> contextEnrichers2 = this.policyRepository.getContextEnrichers();
        if (CollectionUtils.isEmpty(contextEnrichers)) {
            arrayList = contextEnrichers2;
        } else if (CollectionUtils.isEmpty(contextEnrichers2)) {
            arrayList = contextEnrichers;
        } else {
            arrayList = new ArrayList(contextEnrichers);
            arrayList.addAll(contextEnrichers2);
        }
        this.allContextEnrichers = arrayList;
        if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
            buildZoneTrie(servicePolicies);
            for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> entry : servicePolicies.getSecurityZones().entrySet()) {
                this.policyRepositories.put(entry.getKey(), new RangerPolicyRepository(str, servicePolicies, rangerPolicyEngineOptions, entry.getKey()));
            }
        }
        this.userRoleMapping = MapUtils.isNotEmpty(servicePolicies.getUserRoles()) ? servicePolicies.getUserRoles() : null;
        this.groupRoleMapping = MapUtils.isNotEmpty(servicePolicies.getGroupRoles()) ? servicePolicies.getGroupRoles() : null;
        RangerPerfTracer.log(rangerPerfTracer);
        if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) {
            long freeMemory2 = Runtime.getRuntime().freeMemory();
            PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (Runtime.getRuntime().totalMemory() - freeMemory2) + ", Free memory:" + freeMemory2);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl()");
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerPolicyEngine cloneWithDelta(ServicePolicies servicePolicies) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> cloneWithDelta(" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + ", " + servicePolicies.getPolicyVersion() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cloneWithDelta()");
        }
        RangerServiceDef serviceDef = getServiceDef();
        RangerPolicyEngineImpl rangerPolicyEngineImpl = (CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) && RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(), serviceDef != null ? serviceDef.getName() : "")) ? new RangerPolicyEngineImpl(this, servicePolicies, this.rangerPluginContext) : null;
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== cloneWithDelta(" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + ", " + servicePolicies.getPolicyVersion() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        return rangerPolicyEngineImpl;
    }

    protected void finalize() throws Throwable {
        try {
            cleanup();
        } finally {
            super.finalize();
        }
    }

    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("RangerPolicyEngineImpl={");
        sb.append("serviceName={").append(getServiceName()).append("} ");
        sb.append(this.policyRepository);
        sb.append(VectorFormat.DEFAULT_SUFFIX);
        return sb.toString();
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void setUseForwardedIPAddress(boolean z) {
        this.useForwardedIPAddress = z;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void setTrustedProxyAddresses(String[] strArr) {
        this.trustedProxyAddresses = strArr;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean getUseForwardedIPAddress() {
        return this.useForwardedIPAddress;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public String[] getTrustedProxyAddresses() {
        return this.trustedProxyAddresses;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerServiceDef getServiceDef() {
        return this.policyRepository.getServiceDef();
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public long getPolicyVersion() {
        return this.policyRepository.getPolicyVersion();
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void preProcess(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + rangerAccessRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        setResourceServiceDef(rangerAccessRequest);
        if (rangerAccessRequest instanceof RangerAccessRequestImpl) {
            RangerAccessRequestImpl rangerAccessRequestImpl = (RangerAccessRequestImpl) rangerAccessRequest;
            rangerAccessRequestImpl.extractAndSetClientIPAddress(this.useForwardedIPAddress, this.trustedProxyAddresses);
            if (this.rangerPluginContext != null) {
                rangerAccessRequestImpl.setClusterName(this.rangerPluginContext.getClusterName());
                rangerAccessRequestImpl.setClusterType(this.rangerPluginContext.getClusterType());
            }
        }
        RangerAccessRequestUtil.setCurrentUserInContext(rangerAccessRequest.getContext(), rangerAccessRequest.getUser());
        Set<String> rolesFromUserAndGroups = getRolesFromUserAndGroups(rangerAccessRequest.getUser(), rangerAccessRequest.getUserGroups());
        if (CollectionUtils.isNotEmpty(rolesFromUserAndGroups)) {
            RangerAccessRequestUtil.setCurrentUserRolesInContext(rangerAccessRequest.getContext(), rolesFromUserAndGroups);
        }
        List<RangerContextEnricher> list = this.allContextEnrichers;
        if (!CollectionUtils.isEmpty(list)) {
            for (RangerContextEnricher rangerContextEnricher : list) {
                RangerPerfTracer rangerPerfTracer = null;
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_REQUEST_LOG)) {
                    rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_REQUEST_LOG, "RangerContextEnricher.enrich(requestHashCode=" + Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + ", enricherName=" + rangerContextEnricher.getName() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
                }
                rangerContextEnricher.enrich(rangerAccessRequest);
                RangerPerfTracer.log(rangerPerfTracer);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + rangerAccessRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void preProcess(Collection<RangerAccessRequest> collection) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.preProcess(" + collection + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        if (CollectionUtils.isNotEmpty(collection)) {
            Iterator<RangerAccessRequest> it = collection.iterator();
            while (it.hasNext()) {
                preProcess(it.next());
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + collection + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerAccessResult evaluatePolicies(RangerAccessRequest rangerAccessRequest, int i, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluatePolicies(" + rangerAccessRequest + ", policyType=" + i + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            String str = Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + Util.UNDERSCORE_STR + Integer.toString(i);
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.evaluatePolicies(requestHashCode=" + str + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            LOG.info("RangerPolicyEngineImpl.evaluatePolicies(" + str + ", " + rangerAccessRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerAccessResult zoneAwareAccessEvaluationWithNoAudit = zoneAwareAccessEvaluationWithNoAudit(rangerAccessRequest, i);
        updatePolicyUsageCounts(rangerAccessRequest, zoneAwareAccessEvaluationWithNoAudit);
        if (rangerAccessResultProcessor != null) {
            RangerPerfTracer rangerPerfTracer2 = null;
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) {
                rangerPerfTracer2 = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG, "RangerPolicyEngine.processAudit(requestHashCode=" + (Integer.toHexString(System.identityHashCode(rangerAccessRequest)) + Util.UNDERSCORE_STR + Integer.toString(i)) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
            }
            rangerAccessResultProcessor.processResult(zoneAwareAccessEvaluationWithNoAudit);
            RangerPerfTracer.log(rangerPerfTracer2);
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evaluatePolicies(" + rangerAccessRequest + ", policyType=" + i + "): " + zoneAwareAccessEvaluationWithNoAudit);
        }
        return zoneAwareAccessEvaluationWithNoAudit;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public Collection<RangerAccessResult> evaluatePolicies(Collection<RangerAccessRequest> collection, int i, RangerAccessResultProcessor rangerAccessResultProcessor) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluatePolicies(" + collection + ", policyType=" + i + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        ArrayList arrayList = new ArrayList();
        if (collection != null) {
            Iterator<RangerAccessRequest> it = collection.iterator();
            while (it.hasNext()) {
                arrayList.add(zoneAwareAccessEvaluationWithNoAudit(it.next(), i));
            }
        }
        if (rangerAccessResultProcessor != null) {
            rangerAccessResultProcessor.processResults(arrayList);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evaluatePolicies(" + collection + ", policyType=" + i + "): " + arrayList);
        }
        return arrayList;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerResourceACLs getResourceACLs(RangerAccessRequest rangerAccessRequest) {
        RangerPolicyEvaluator.PolicyACLSummary policyACLSummary;
        Integer valueOf;
        Integer valueOf2;
        Integer valueOf3;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getResourceACLs(request=" + rangerAccessRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerResourceACLs rangerResourceACLs = new RangerResourceACLs();
        RangerPerfTracer perfTracer = RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_GET_ACLS_LOG) ? RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_GET_ACLS_LOG, "RangerPolicyEngine.getResourceACLs(requestHashCode=" + rangerAccessRequest.getResource().getAsString() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END) : null;
        String matchedZoneName = this.trieMap == null ? null : getMatchedZoneName(rangerAccessRequest.getResource());
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + matchedZoneName + "]");
        }
        ArrayList arrayList = new ArrayList();
        if (StringUtils.isNotEmpty(matchedZoneName)) {
            RangerPolicyRepository rangerPolicyRepository = this.policyRepositories.get(matchedZoneName);
            if (rangerPolicyRepository == null) {
                LOG.error("policyRepository for zoneName:[" + matchedZoneName + "] is null!! ERROR!");
            } else {
                arrayList.add(rangerPolicyRepository);
            }
        } else {
            arrayList.add(this.policyRepository);
            arrayList.addAll(this.policyRepositories.values());
        }
        ArrayList<RangerPolicyEvaluator> arrayList2 = new ArrayList();
        HashMap hashMap = null;
        HashSet hashSet = null;
        List<PolicyEvaluatorForTag> likelyMatchPolicyEvaluators = this.tagPolicyRepository == null ? null : this.tagPolicyRepository.getLikelyMatchPolicyEvaluators(RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext()), 0, null);
        if (CollectionUtils.isNotEmpty(likelyMatchPolicyEvaluators)) {
            hashMap = new HashMap();
            for (PolicyEvaluatorForTag policyEvaluatorForTag : likelyMatchPolicyEvaluators) {
                RangerPolicyEvaluator evaluator = policyEvaluatorForTag.getEvaluator();
                RangerTagForEval tag = policyEvaluatorForTag.getTag();
                arrayList2.add(evaluator);
                hashMap.put(Long.valueOf(evaluator.getId()), tag.getMatchType());
                if (CollectionUtils.isNotEmpty(tag.getValidityPeriods())) {
                    if (hashSet == null) {
                        hashSet = new HashSet();
                    }
                    hashSet.add(Long.valueOf(evaluator.getId()));
                }
            }
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            arrayList2.addAll(((RangerPolicyRepository) it.next()).getLikelyMatchPolicyEvaluators(rangerAccessRequest.getResource(), 0));
        }
        arrayList2.sort(RangerPolicyEvaluator.EVAL_ORDER_COMPARATOR);
        if (CollectionUtils.isNotEmpty(arrayList2)) {
            Integer num = null;
            for (RangerPolicyEvaluator rangerPolicyEvaluator : arrayList2) {
                if (num == null) {
                    num = Integer.valueOf(rangerPolicyEvaluator.getPolicyPriority());
                }
                if (num.intValue() != rangerPolicyEvaluator.getPolicyPriority()) {
                    rangerResourceACLs.finalizeAcls();
                    num = Integer.valueOf(rangerPolicyEvaluator.getPolicyPriority());
                }
                RangerPolicyResourceMatcher.MatchType matchType = hashMap != null ? (RangerPolicyResourceMatcher.MatchType) hashMap.get(Long.valueOf(rangerPolicyEvaluator.getId())) : null;
                if (matchType == null) {
                    matchType = rangerPolicyEvaluator.getPolicyResourceMatcher().getMatchType(rangerAccessRequest.getResource(), rangerAccessRequest.getContext());
                }
                if ((rangerAccessRequest.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS ? matchType != RangerPolicyResourceMatcher.MatchType.NONE : matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR_WITH_WILDCARDS) && (policyACLSummary = rangerPolicyEvaluator.getPolicyACLSummary()) != null) {
                    boolean z = (hashSet != null && hashSet.contains(Long.valueOf(rangerPolicyEvaluator.getId()))) || rangerPolicyEvaluator.getValidityScheduleEvaluatorsCount() != 0;
                    for (Map.Entry<String, Map<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult>> entry : policyACLSummary.getUsersAccessInfo().entrySet()) {
                        String key = entry.getKey();
                        for (Map.Entry<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> entry2 : entry.getValue().entrySet()) {
                            if (z) {
                                valueOf3 = RangerPolicyEvaluator.ACCESS_CONDITIONAL;
                            } else {
                                valueOf3 = Integer.valueOf(entry2.getValue().getResult());
                                if (valueOf3.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
                                    valueOf3 = RangerPolicyEvaluator.ACCESS_DENIED;
                                }
                            }
                            rangerResourceACLs.setUserAccessInfo(key, entry2.getKey(), valueOf3, rangerPolicyEvaluator.getPolicy());
                        }
                    }
                    for (Map.Entry<String, Map<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult>> entry3 : policyACLSummary.getGroupsAccessInfo().entrySet()) {
                        String key2 = entry3.getKey();
                        for (Map.Entry<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> entry4 : entry3.getValue().entrySet()) {
                            if (z) {
                                valueOf2 = RangerPolicyEvaluator.ACCESS_CONDITIONAL;
                            } else {
                                valueOf2 = Integer.valueOf(entry4.getValue().getResult());
                                if (valueOf2.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
                                    valueOf2 = RangerPolicyEvaluator.ACCESS_DENIED;
                                }
                            }
                            rangerResourceACLs.setGroupAccessInfo(key2, entry4.getKey(), valueOf2, rangerPolicyEvaluator.getPolicy());
                        }
                    }
                    for (Map.Entry<String, Map<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult>> entry5 : policyACLSummary.getRolesAccessInfo().entrySet()) {
                        String key3 = entry5.getKey();
                        for (Map.Entry<String, RangerPolicyEvaluator.PolicyACLSummary.AccessResult> entry6 : entry5.getValue().entrySet()) {
                            if (z) {
                                valueOf = RangerPolicyEvaluator.ACCESS_CONDITIONAL;
                            } else {
                                valueOf = Integer.valueOf(entry6.getValue().getResult());
                                if (valueOf.equals(RangerPolicyEvaluator.ACCESS_UNDETERMINED)) {
                                    valueOf = RangerPolicyEvaluator.ACCESS_DENIED;
                                }
                            }
                            rangerResourceACLs.setRoleAccessInfo(key3, entry6.getKey(), valueOf, rangerPolicyEvaluator.getPolicy());
                        }
                    }
                }
            }
            rangerResourceACLs.finalizeAcls();
        }
        RangerPerfTracer.logAlways(perfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getResourceACLs(request=" + rangerAccessRequest + ") : ret=" + rangerResourceACLs);
        }
        return rangerResourceACLs;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean preCleanup() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.preCleanup()");
        }
        if (this.policyRepository != null && !this.isPolicyRepositoryShared) {
            this.policyRepository.preCleanup();
        }
        if (this.tagPolicyRepository != null && !this.isTagPolicyRepositoryShared) {
            this.tagPolicyRepository.preCleanup();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.preCleanup() : result=true");
        }
        return true;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void cleanup() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.cleanup()");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.cleanUp(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        preCleanup();
        if (this.policyRepository != null && !this.isPolicyRepositoryShared) {
            this.policyRepository.cleanup();
        }
        if (this.tagPolicyRepository != null && !this.isTagPolicyRepositoryShared) {
            this.tagPolicyRepository.cleanup();
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.cleanup()");
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public void reorderPolicyEvaluators() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> reorderEvaluators()");
        }
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REBALANCE_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REBALANCE_LOG, "RangerPolicyEngine.reorderEvaluators()");
        }
        if (this.tagPolicyRepository != null && MapUtils.isNotEmpty(this.tagPolicyRepository.getPolicyEvaluatorsMap())) {
            Iterator<Map.Entry<Long, RangerPolicyEvaluator>> it = this.tagPolicyRepository.getPolicyEvaluatorsMap().entrySet().iterator();
            while (it.hasNext()) {
                it.next().getValue().setUsageCountImmutable();
            }
        }
        if (this.policyRepository != null && MapUtils.isNotEmpty(this.policyRepository.getPolicyEvaluatorsMap())) {
            Iterator<Map.Entry<Long, RangerPolicyEvaluator>> it2 = this.policyRepository.getPolicyEvaluatorsMap().entrySet().iterator();
            while (it2.hasNext()) {
                it2.next().getValue().setUsageCountImmutable();
            }
        }
        if (this.tagPolicyRepository != null) {
            this.tagPolicyRepository.reorderPolicyEvaluators();
        }
        if (this.policyRepository != null) {
            this.policyRepository.reorderPolicyEvaluators();
        }
        if (this.tagPolicyRepository != null && MapUtils.isNotEmpty(this.tagPolicyRepository.getPolicyEvaluatorsMap())) {
            Iterator<Map.Entry<Long, RangerPolicyEvaluator>> it3 = this.tagPolicyRepository.getPolicyEvaluatorsMap().entrySet().iterator();
            while (it3.hasNext()) {
                it3.next().getValue().resetUsageCount();
            }
        }
        if (this.policyRepository != null && MapUtils.isNotEmpty(this.policyRepository.getPolicyEvaluatorsMap())) {
            Iterator<Map.Entry<Long, RangerPolicyEvaluator>> it4 = this.policyRepository.getPolicyEvaluatorsMap().entrySet().iterator();
            while (it4.hasNext()) {
                it4.next().getValue().resetUsageCount();
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== reorderEvaluators()");
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean isAccessAllowed(RangerAccessResource rangerAccessResource, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + rangerAccessResource + ", " + str + ", " + set + ", " + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + str + ",accessType=" + str2 + "resource=" + rangerAccessResource.getAsString() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        String matchedZoneName = this.trieMap == null ? null : getMatchedZoneName(rangerAccessResource);
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + matchedZoneName + "]");
        }
        ArrayList arrayList = new ArrayList();
        if (StringUtils.isNotEmpty(matchedZoneName)) {
            RangerPolicyRepository rangerPolicyRepository = this.policyRepositories.get(matchedZoneName);
            if (rangerPolicyRepository == null) {
                LOG.error("policyRepository for zoneName:[" + matchedZoneName + "] is null!! ERROR!");
            } else {
                arrayList.add(rangerPolicyRepository);
            }
        } else {
            arrayList.add(this.policyRepository);
        }
        Set<String> rolesFromUserAndGroups = getRolesFromUserAndGroups(str, set);
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            Iterator<RangerPolicyEvaluator> it2 = ((RangerPolicyRepository) it.next()).getLikelyMatchPolicyEvaluators(rangerAccessResource, 0).iterator();
            while (it2.hasNext()) {
                z = it2.next().isAccessAllowed(rangerAccessResource, str, set, rolesFromUserAndGroups, str2);
                if (z) {
                    break;
                }
            }
            if (z) {
                break;
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + rangerAccessResource + ", " + str + ", " + set + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean isAccessAllowed(RangerPolicy rangerPolicy, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + rangerPolicy.getId() + ", " + str + ", " + set + ", " + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        boolean isAccessAllowed = isAccessAllowed(rangerPolicy, str, set, null, str2);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + rangerPolicy.getId() + ", " + str + ", " + set + ", " + str2 + ") : " + isAccessAllowed);
        }
        return isAccessAllowed;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean isAccessAllowed(RangerPolicy rangerPolicy, String str, Set<String> set, Set<String> set2, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + rangerPolicy.getId() + ", " + str + ", " + set + ", " + set2 + ", " + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + str + "," + set + ", roles=" + set2 + ",accessType=" + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        String zoneName = this.trieMap == null ? null : rangerPolicy.getZoneName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + zoneName + "]");
        }
        ArrayList arrayList = new ArrayList();
        if (StringUtils.isNotEmpty(zoneName)) {
            RangerPolicyRepository rangerPolicyRepository = this.policyRepositories.get(zoneName);
            if (rangerPolicyRepository == null) {
                LOG.error("policyRepository for zoneName:[" + zoneName + "] is null!! ERROR!");
            } else {
                arrayList.add(rangerPolicyRepository);
            }
        } else {
            arrayList.add(this.policyRepository);
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            Iterator<RangerPolicyEvaluator> it2 = ((RangerPolicyRepository) it.next()).getPolicyEvaluators().iterator();
            while (it2.hasNext()) {
                z = it2.next().isAccessAllowed(rangerPolicy, str, set, set2, str2);
                if (z) {
                    break;
                }
            }
            if (z) {
                break;
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + rangerPolicy.getId() + ", " + str + ", " + set + ", " + set2 + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getExactMatchPolicies(RangerAccessResource rangerAccessResource, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + rangerAccessResource + ", " + map + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        ArrayList arrayList = null;
        RangerPolicyRepository rangerPolicyRepository = this.policyRepository;
        String matchedZoneName = this.trieMap == null ? null : getMatchedZoneName(rangerAccessResource);
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + matchedZoneName + "]");
        }
        if (StringUtils.isNotEmpty(matchedZoneName)) {
            rangerPolicyRepository = this.policyRepositories.get(matchedZoneName);
            if (rangerPolicyRepository == null) {
                LOG.error("policyRepository for zoneName:[" + matchedZoneName + "] is null!! ERROR!");
            }
        }
        if (rangerPolicyRepository != null) {
            for (RangerPolicyEvaluator rangerPolicyEvaluator : rangerPolicyRepository.getPolicyEvaluators()) {
                if (rangerPolicyEvaluator.isCompleteMatch(rangerAccessResource, map)) {
                    if (arrayList == null) {
                        arrayList = new ArrayList();
                    }
                    arrayList.add(rangerPolicyEvaluator.getPolicy());
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + rangerAccessResource + ", " + map + "): " + arrayList);
        }
        return arrayList;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getExactMatchPolicies(RangerPolicy rangerPolicy, Map<String, Object> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getExactMatchPolicies(" + rangerPolicy + ", " + map + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        ArrayList arrayList = null;
        RangerPolicyRepository rangerPolicyRepository = this.policyRepository;
        String zoneName = this.trieMap == null ? null : rangerPolicy.getZoneName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + zoneName + "]");
        }
        if (StringUtils.isNotEmpty(zoneName)) {
            rangerPolicyRepository = this.policyRepositories.get(zoneName);
            if (rangerPolicyRepository == null) {
                LOG.error("policyRepository for zoneName:[" + zoneName + "] is null!! ERROR!");
            }
        }
        if (rangerPolicyRepository != null) {
            Map<String, RangerPolicy.RangerPolicyResource> resources = rangerPolicy.getResources();
            for (RangerPolicyEvaluator rangerPolicyEvaluator : rangerPolicyRepository.getPolicyEvaluators()) {
                if (rangerPolicyEvaluator.isCompleteMatch(resources, map)) {
                    if (arrayList == null) {
                        arrayList = new ArrayList();
                    }
                    arrayList.add(rangerPolicyEvaluator.getPolicy());
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getExactMatchPolicies(" + rangerPolicy + ", " + map + "): " + arrayList);
        }
        return arrayList;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getMatchingPolicies(RangerAccessResource rangerAccessResource) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getMatchingPolicies(" + rangerAccessResource + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl(rangerAccessResource, RangerPolicyEngine.ANY_ACCESS, null, null);
        preProcess(rangerAccessRequestImpl);
        List<RangerPolicy> matchingPolicies = getMatchingPolicies(rangerAccessRequestImpl);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getMatchingPolicies(" + rangerAccessResource + ") : " + matchingPolicies.size());
        }
        return matchingPolicies;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getMatchingPolicies(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getMatchingPolicies(" + rangerAccessRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        ArrayList arrayList = new ArrayList();
        String matchedZoneName = this.trieMap == null ? null : getMatchedZoneName(rangerAccessRequest.getResource());
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + matchedZoneName + "]");
        }
        ArrayList<RangerPolicyRepository> arrayList2 = new ArrayList();
        if (StringUtils.isNotEmpty(matchedZoneName)) {
            RangerPolicyRepository rangerPolicyRepository = this.policyRepositories.get(matchedZoneName);
            if (rangerPolicyRepository == null) {
                LOG.error("policyRepository for zoneName:[" + matchedZoneName + "] is null!! ERROR!");
            } else {
                arrayList2.add(rangerPolicyRepository);
            }
        } else {
            arrayList2.add(this.policyRepository);
            arrayList2.addAll(this.policyRepositories.values());
        }
        if (hasTagPolicies(this.tagPolicyRepository)) {
            Set<RangerTagForEval> requestTagsFromContext = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext());
            if (CollectionUtils.isNotEmpty(requestTagsFromContext)) {
                Iterator<RangerTagForEval> it = requestTagsFromContext.iterator();
                while (it.hasNext()) {
                    RangerAccessResource resource = new RangerTagAccessRequest(it.next(), this.tagPolicyRepository.getServiceDef(), rangerAccessRequest).getResource();
                    for (RangerPolicyEvaluator rangerPolicyEvaluator : this.tagPolicyRepository.getLikelyMatchPolicyEvaluators(resource)) {
                        RangerPolicyResourceMatcher policyResourceMatcher = rangerPolicyEvaluator.getPolicyResourceMatcher();
                        if (policyResourceMatcher != null) {
                            if (rangerAccessRequest.isAccessTypeAny()) {
                                if (policyResourceMatcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.ANY, (Map<String, Object>) null)) {
                                    arrayList.add(rangerPolicyEvaluator.getPolicy());
                                }
                            } else if (policyResourceMatcher.isMatch(resource, (Map<String, Object>) null)) {
                                arrayList.add(rangerPolicyEvaluator.getPolicy());
                            }
                        }
                    }
                }
            }
        }
        for (RangerPolicyRepository rangerPolicyRepository2 : arrayList2) {
            if (hasResourcePolicies(rangerPolicyRepository2)) {
                for (RangerPolicyEvaluator rangerPolicyEvaluator2 : rangerPolicyRepository2.getLikelyMatchPolicyEvaluators(rangerAccessRequest.getResource())) {
                    RangerPolicyResourceMatcher policyResourceMatcher2 = rangerPolicyEvaluator2.getPolicyResourceMatcher();
                    if (policyResourceMatcher2 != null) {
                        if (rangerAccessRequest.isAccessTypeAny()) {
                            if (policyResourceMatcher2.isMatch(rangerAccessRequest.getResource(), RangerPolicyResourceMatcher.MatchScope.ANY, (Map<String, Object>) null)) {
                                arrayList.add(rangerPolicyEvaluator2.getPolicy());
                            }
                        } else if (policyResourceMatcher2.isMatch(rangerAccessRequest.getResource(), (Map<String, Object>) null)) {
                            arrayList.add(rangerPolicyEvaluator2.getPolicy());
                        }
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getMatchingPolicies(" + rangerAccessRequest + ") : " + arrayList.size());
        }
        return arrayList;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getResourceAccessInfo(" + rangerAccessRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerResourceAccessInfo rangerResourceAccessInfo = new RangerResourceAccessInfo(rangerAccessRequest);
        String matchedZoneName = this.trieMap == null ? null : getMatchedZoneName(rangerAccessRequest.getResource());
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + matchedZoneName + "]");
        }
        ArrayList arrayList = new ArrayList();
        if (StringUtils.isNotEmpty(matchedZoneName)) {
            RangerPolicyRepository rangerPolicyRepository = this.policyRepositories.get(matchedZoneName);
            if (rangerPolicyRepository == null) {
                LOG.error("policyRepository for zoneName:[" + matchedZoneName + "] is null!! ERROR!");
            } else {
                arrayList.add(rangerPolicyRepository);
            }
        } else {
            arrayList.add(this.policyRepository);
            arrayList.addAll(this.policyRepositories.values());
        }
        if (CollectionUtils.isNotEmpty(this.tagPolicyRepository == null ? null : this.tagPolicyRepository.getPolicyEvaluators())) {
            Set<RangerTagForEval> requestTagsFromContext = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext());
            if (CollectionUtils.isNotEmpty(requestTagsFromContext)) {
                Iterator<RangerTagForEval> it = requestTagsFromContext.iterator();
                while (it.hasNext()) {
                    RangerTagAccessRequest rangerTagAccessRequest = new RangerTagAccessRequest(it.next(), this.tagPolicyRepository.getServiceDef(), rangerAccessRequest);
                    Iterator<RangerPolicyEvaluator> it2 = this.tagPolicyRepository.getLikelyMatchPolicyEvaluators(rangerTagAccessRequest.getResource(), 0).iterator();
                    while (it2.hasNext()) {
                        it2.next().getResourceAccessInfo(rangerTagAccessRequest, rangerResourceAccessInfo);
                    }
                }
            }
        }
        Iterator it3 = arrayList.iterator();
        while (it3.hasNext()) {
            List<RangerPolicyEvaluator> likelyMatchPolicyEvaluators = ((RangerPolicyRepository) it3.next()).getLikelyMatchPolicyEvaluators(rangerAccessRequest.getResource(), 0);
            if (CollectionUtils.isNotEmpty(likelyMatchPolicyEvaluators)) {
                Iterator<RangerPolicyEvaluator> it4 = likelyMatchPolicyEvaluators.iterator();
                while (it4.hasNext()) {
                    it4.next().getResourceAccessInfo(rangerAccessRequest, rangerResourceAccessInfo);
                }
            }
            rangerResourceAccessInfo.getAllowedUsers().removeAll(rangerResourceAccessInfo.getDeniedUsers());
            rangerResourceAccessInfo.getAllowedGroups().removeAll(rangerResourceAccessInfo.getDeniedGroups());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getResourceAccessInfo(" + rangerAccessRequest + "): " + rangerResourceAccessInfo);
        }
        return rangerResourceAccessInfo;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public boolean isAccessAllowed(Map<String, RangerPolicy.RangerPolicyResource> map, String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + map + ", " + str + ", " + set + ", " + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        boolean z = false;
        RangerPerfTracer rangerPerfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
            rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + str + "," + set + ",accessType=" + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        Iterator<RangerPolicyEvaluator> it = this.policyRepository.getPolicyEvaluators().iterator();
        while (it.hasNext()) {
            z = it.next().isAccessAllowed(map, str, set, str2);
            if (z) {
                break;
            }
        }
        RangerPerfTracer.log(rangerPerfTracer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + map + ", " + str + ", " + set + ", " + str2 + "): " + z);
        }
        return z;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public List<RangerPolicy> getAllowedPolicies(String str, Set<String> set, String str2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getAllowedPolicies(" + str + ", " + set + ", " + str2 + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        ArrayList arrayList = new ArrayList();
        Iterator<RangerPolicyEvaluator> it = this.policyRepository.getPolicyEvaluators().iterator();
        while (it.hasNext()) {
            RangerPolicy policy = it.next().getPolicy();
            if (isAccessAllowed(policy.getResources(), str, set, str2)) {
                arrayList.add(policy);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getAllowedPolicies(" + str + ", " + set + ", " + str2 + "): policyCount=" + arrayList.size());
        }
        return arrayList;
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public Set<String> getRolesFromUserAndGroups(String str, Set<String> set) {
        HashSet hashSet = new HashSet();
        if (MapUtils.isNotEmpty(this.userRoleMapping) && StringUtils.isNotEmpty(str)) {
            Set<String> set2 = this.userRoleMapping.get(str);
            if (CollectionUtils.isNotEmpty(set2)) {
                hashSet.addAll(set2);
            }
        }
        if (MapUtils.isNotEmpty(this.groupRoleMapping)) {
            if (CollectionUtils.isNotEmpty(set)) {
                Iterator<String> it = set.iterator();
                while (it.hasNext()) {
                    Set<String> set3 = this.groupRoleMapping.get(it.next());
                    if (CollectionUtils.isNotEmpty(set3)) {
                        hashSet.addAll(set3);
                    }
                }
            }
            Set<String> set4 = this.groupRoleMapping.get("public");
            if (CollectionUtils.isNotEmpty(set4)) {
                hashSet.addAll(set4);
            }
        }
        return hashSet;
    }

    public List<RangerPolicy> getResourcePolicies(String str) {
        RangerPolicyRepository rangerPolicyRepository = this.policyRepositories.get(str);
        return rangerPolicyRepository == null ? ListUtils.EMPTY_LIST : rangerPolicyRepository.getPolicies();
    }

    public List<RangerPolicy> getResourcePolicies() {
        return this.policyRepository == null ? ListUtils.EMPTY_LIST : this.policyRepository.getPolicies();
    }

    public List<RangerPolicy> getTagPolicies() {
        return this.tagPolicyRepository == null ? ListUtils.EMPTY_LIST : this.tagPolicyRepository.getPolicies();
    }

    private RangerAccessResult zoneAwareAccessEvaluationWithNoAudit(RangerAccessRequest rangerAccessRequest, int i) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + rangerAccessRequest + ", policyType =" + i + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerAccessResult rangerAccessResult = null;
        RangerPolicyRepository rangerPolicyRepository = this.policyRepository;
        RangerPolicyRepository rangerPolicyRepository2 = this.tagPolicyRepository;
        String matchedZoneName = this.trieMap == null ? null : getMatchedZoneName(rangerAccessRequest.getResource());
        if (LOG.isDebugEnabled()) {
            LOG.debug("zoneName:[" + matchedZoneName + "]");
        }
        if (StringUtils.isNotEmpty(matchedZoneName)) {
            rangerPolicyRepository = this.policyRepositories.get(matchedZoneName);
            if (rangerPolicyRepository == null) {
                LOG.error("policyRepository for zoneName:[" + matchedZoneName + "] is null!! ERROR!");
            }
        }
        if (rangerPolicyRepository != null) {
            rangerAccessResult = evaluatePoliciesNoAudit(rangerAccessRequest, i, matchedZoneName, rangerPolicyRepository, rangerPolicyRepository2);
            rangerAccessResult.setZoneName(matchedZoneName);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(" + rangerAccessRequest + ", policyType =" + i + "): " + rangerAccessResult);
        }
        return rangerAccessResult;
    }

    private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest rangerAccessRequest, int i, String str, RangerPolicyRepository rangerPolicyRepository, RangerPolicyRepository rangerPolicyRepository2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + rangerAccessRequest + ", policyType =" + i + ", zoneName=" + str + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        RangerAccessResult createAccessResult = createAccessResult(rangerAccessRequest, i);
        Date accessTime = rangerAccessRequest.getAccessTime() != null ? rangerAccessRequest.getAccessTime() : new Date();
        if (createAccessResult != null && rangerAccessRequest != null) {
            evaluateTagPolicies(rangerAccessRequest, i, str, rangerPolicyRepository2, createAccessResult);
            if (LOG.isDebugEnabled() && createAccessResult.getIsAccessDetermined() && createAccessResult.getIsAuditedDetermined()) {
                if (createAccessResult.getIsAllowed()) {
                    LOG.debug("RangerPolicyEngineImpl.evaluatePoliciesNoAudit() - audit determined and access allowed by a tag policy. Same or higher priority resource policies will be evaluated to check for deny, request=" + rangerAccessRequest + ", result=" + createAccessResult);
                } else {
                    LOG.debug("RangerPolicyEngineImpl.evaluatePoliciesNoAudit() - audit determined and access denied by a tag policy. Higher priority resource policies will be evaluated to check for allow, request=" + rangerAccessRequest + ", result=" + createAccessResult);
                }
            }
            boolean z = createAccessResult.getIsAccessDetermined() && createAccessResult.getIsAllowed();
            boolean z2 = createAccessResult.getIsAccessDetermined() && !createAccessResult.getIsAllowed();
            if (hasResourcePolicies(rangerPolicyRepository)) {
                boolean z3 = !createAccessResult.getIsAuditedDetermined();
                boolean z4 = z3 && rangerPolicyRepository.setAuditEnabledFromCache(rangerAccessRequest, createAccessResult);
                createAccessResult.setIsAccessDetermined(false);
                for (RangerPolicyEvaluator rangerPolicyEvaluator : rangerPolicyRepository.getLikelyMatchPolicyEvaluators(rangerAccessRequest.getResource(), i)) {
                    if (rangerPolicyEvaluator.isApplicable(accessTime)) {
                        if (z2) {
                            if (createAccessResult.getPolicyPriority() >= rangerPolicyEvaluator.getPolicyPriority()) {
                                createAccessResult.setIsAccessDetermined(true);
                            }
                        } else if (z && createAccessResult.getPolicyPriority() > rangerPolicyEvaluator.getPolicyPriority()) {
                            createAccessResult.setIsAccessDetermined(true);
                        }
                        createAccessResult.incrementEvaluatedPoliciesCount();
                        rangerPolicyEvaluator.evaluate(rangerAccessRequest, createAccessResult);
                        if (createAccessResult.getIsAllowed() && !rangerPolicyEvaluator.hasDeny()) {
                            createAccessResult.setIsAccessDetermined(true);
                        }
                        if (createAccessResult.getIsAuditedDetermined() && createAccessResult.getIsAccessDetermined()) {
                            break;
                        }
                    }
                }
                if (!createAccessResult.getIsAccessDetermined()) {
                    if (z2) {
                        createAccessResult.setIsAllowed(false);
                    } else if (z) {
                        createAccessResult.setIsAllowed(true);
                    }
                }
                if (createAccessResult.getIsAllowed()) {
                    createAccessResult.setIsAccessDetermined(true);
                }
                if (z3 && !z4) {
                    rangerPolicyRepository.storeAuditEnabledInCache(rangerAccessRequest, createAccessResult);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + rangerAccessRequest + ", policyType =" + i + ", zoneName=" + str + "): " + createAccessResult);
        }
        return createAccessResult;
    }

    private void evaluateTagPolicies(RangerAccessRequest rangerAccessRequest, int i, String str, RangerPolicyRepository rangerPolicyRepository, RangerAccessResult rangerAccessResult) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + rangerAccessRequest + ", policyType =" + i + ", zoneName=" + str + ", " + rangerAccessResult + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        if (StringUtils.isNotEmpty(str) && rangerPolicyRepository != null && (this.zoneTagServiceMap == null || this.zoneTagServiceMap.get(str) == null)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Accessed resource is in a zone:[" + str + "] which is not associated with the tag-service:[" + rangerPolicyRepository.getServiceName() + "]. Evaluating unzoned tag policies of this service");
            }
            str = null;
        }
        List<PolicyEvaluatorForTag> likelyMatchPolicyEvaluators = rangerPolicyRepository == null ? null : rangerPolicyRepository.getLikelyMatchPolicyEvaluators(RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext()), i, rangerAccessRequest.getAccessTime() != null ? rangerAccessRequest.getAccessTime() : new Date());
        if (CollectionUtils.isNotEmpty(likelyMatchPolicyEvaluators)) {
            for (PolicyEvaluatorForTag policyEvaluatorForTag : likelyMatchPolicyEvaluators) {
                RangerPolicyEvaluator evaluator = policyEvaluatorForTag.getEvaluator();
                String zoneName = evaluator.getPolicy().getZoneName();
                if ((StringUtils.isEmpty(zoneName) && StringUtils.isEmpty(str)) || StringUtils.equals(str, zoneName)) {
                    RangerTagForEval tag = policyEvaluatorForTag.getTag();
                    RangerTagAccessRequest rangerTagAccessRequest = new RangerTagAccessRequest(tag, rangerPolicyRepository.getServiceDef(), rangerAccessRequest);
                    RangerAccessResult createAccessResult = createAccessResult(rangerTagAccessRequest, i);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("RangerPolicyEngineImpl.evaluateTagPolicies: Evaluating policies for tag (" + tag.getType() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
                    }
                    createAccessResult.setAccessResultFrom(rangerAccessResult);
                    createAccessResult.setAuditResultFrom(rangerAccessResult);
                    rangerAccessResult.incrementEvaluatedPoliciesCount();
                    evaluator.evaluate(rangerTagAccessRequest, createAccessResult);
                    if (createAccessResult.getIsAllowed() && !evaluator.hasDeny()) {
                        createAccessResult.setIsAccessDetermined(true);
                    }
                    if (createAccessResult.getIsAudited()) {
                        rangerAccessResult.setAuditResultFrom(createAccessResult);
                    }
                    if (!rangerAccessResult.getIsAccessDetermined()) {
                        if (createAccessResult.getIsAccessDetermined()) {
                            rangerAccessResult.setAccessResultFrom(createAccessResult);
                        } else if (!rangerAccessResult.getIsAllowed() && createAccessResult.getIsAllowed()) {
                            rangerAccessResult.setAccessResultFrom(createAccessResult);
                        }
                    }
                    if (rangerAccessResult.getIsAuditedDetermined() && rangerAccessResult.getIsAccessDetermined()) {
                        break;
                    }
                } else if (LOG.isDebugEnabled()) {
                    LOG.debug("Tag policy [zone:" + zoneName + "] does not belong to the zone:[" + str + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
                }
            }
        }
        if (rangerAccessResult.getIsAllowed()) {
            rangerAccessResult.setIsAccessDetermined(true);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + rangerAccessRequest + ", policyType =" + i + ", zoneName=" + str + ", " + rangerAccessResult + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
    }

    private String getServiceName() {
        return this.policyRepository.getServiceName();
    }

    private RangerPolicyEvaluator getPolicyEvaluator(Long l) {
        RangerPolicyEvaluator policyEvaluator = this.policyRepository.getPolicyEvaluator(l);
        if (policyEvaluator == null && this.tagPolicyRepository != null) {
            policyEvaluator = this.tagPolicyRepository.getPolicyEvaluator(l);
        }
        return policyEvaluator;
    }

    private RangerAccessResult createAccessResult(RangerAccessRequest rangerAccessRequest, int i) {
        RangerAccessResult rangerAccessResult = new RangerAccessResult(i, getServiceName(), this.policyRepository.getServiceDef(), rangerAccessRequest);
        switch (this.policyRepository.getAuditModeEnum()) {
            case AUDIT_ALL:
                rangerAccessResult.setIsAudited(true);
                break;
            case AUDIT_NONE:
                rangerAccessResult.setIsAudited(false);
                break;
            default:
                if (CollectionUtils.isEmpty(this.policyRepository.getPolicies()) && this.tagPolicyRepository == null) {
                    rangerAccessResult.setIsAudited(true);
                    break;
                }
                break;
        }
        return rangerAccessResult;
    }

    private void setResourceServiceDef(RangerAccessRequest rangerAccessRequest) {
        RangerAccessResource resource = rangerAccessRequest.getResource();
        if (resource.getServiceDef() == null) {
            if (resource instanceof RangerMutableResource) {
                ((RangerMutableResource) resource).setServiceDef(getServiceDef());
            } else {
                LOG.debug("RangerPolicyEngineImpl.setResourceServiceDef(): Cannot set ServiceDef in RangerMutableResource.");
            }
        }
    }

    private boolean hasTagPolicies(RangerPolicyRepository rangerPolicyRepository) {
        return rangerPolicyRepository != null && CollectionUtils.isNotEmpty(rangerPolicyRepository.getPolicies());
    }

    private boolean hasResourcePolicies(RangerPolicyRepository rangerPolicyRepository) {
        return rangerPolicyRepository != null && CollectionUtils.isNotEmpty(rangerPolicyRepository.getPolicies());
    }

    private void updatePolicyUsageCounts(RangerAccessRequest rangerAccessRequest, RangerAccessResult rangerAccessResult) {
        RangerPolicyEvaluator policyEvaluator;
        boolean z = false;
        if (rangerAccessResult.getIsAccessDetermined() && (policyEvaluator = getPolicyEvaluator(Long.valueOf(rangerAccessResult.getPolicyId()))) != null) {
            if (policyEvaluator.getPolicy().getIsAuditEnabled().booleanValue()) {
                updateUsageCount(policyEvaluator, 2);
                rangerAccessResult.setAuditPolicyId(rangerAccessResult.getPolicyId());
                z = true;
            } else {
                updateUsageCount(policyEvaluator, 1);
            }
        }
        if (!z && rangerAccessResult.getIsAuditedDetermined()) {
            long auditPolicyId = rangerAccessResult.getAuditPolicyId();
            updateUsageCount(auditPolicyId == -1 ? null : getPolicyEvaluator(Long.valueOf(auditPolicyId)), 1);
        }
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_USAGE_LOG)) {
            RangerAccessRequestImpl rangerAccessRequestImpl = (RangerAccessRequestImpl) rangerAccessRequest;
            RangerPerfTracer.logAlways(RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_USAGE_LOG, "RangerPolicyEngine.usage(accessingUser=" + rangerAccessRequestImpl.getUser() + ",accessedResource=" + rangerAccessRequestImpl.getResource().getAsString() + ",accessType=" + rangerAccessRequestImpl.getAccessType() + ",evaluatedPoliciesCount=" + rangerAccessResult.getEvaluatedPoliciesCount() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END));
        }
    }

    private void updateUsageCount(RangerPolicyEvaluator rangerPolicyEvaluator, int i) {
        if (rangerPolicyEvaluator != null) {
            rangerPolicyEvaluator.incrementUsageCount(i);
        }
    }

    private void buildZoneTrie(ServicePolicies servicePolicies) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.buildZoneTrie()");
        }
        Map<String, ServicePolicies.SecurityZoneInfo> securityZones = servicePolicies.getSecurityZones();
        if (MapUtils.isNotEmpty(securityZones)) {
            RangerServiceDef serviceDef = servicePolicies.getServiceDef();
            ArrayList arrayList = new ArrayList();
            this.zoneTagServiceMap = new HashMap();
            for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> entry : securityZones.entrySet()) {
                String key = entry.getKey();
                ServicePolicies.SecurityZoneInfo value = entry.getValue();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Building matchers for zone:[" + key + "]");
                }
                for (HashMap<String, List<String>> hashMap : value.getResources()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Building matcher for resource:[" + hashMap + "] in zone:[" + key + "]");
                    }
                    HashMap hashMap2 = new HashMap();
                    for (Map.Entry<String, List<String>> entry2 : hashMap.entrySet()) {
                        String key2 = entry2.getKey();
                        List<String> value2 = entry2.getValue();
                        RangerPolicy.RangerPolicyResource rangerPolicyResource = new RangerPolicy.RangerPolicyResource();
                        rangerPolicyResource.setIsExcludes(false);
                        rangerPolicyResource.setIsRecursive(Boolean.valueOf(StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME)));
                        rangerPolicyResource.setValues(value2);
                        hashMap2.put(key2, rangerPolicyResource);
                    }
                    arrayList.add(new RangerZoneResourceMatcher(key, hashMap2, serviceDef));
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Built matcher for resource:[" + hashMap + "] in zone:[" + key + "]");
                    }
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Built all matchers for zone:[" + key + "]");
                }
                if (value.getContainsAssociatedTagService().booleanValue()) {
                    this.zoneTagServiceMap.put(key, key);
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Built matchers for all Zones");
            }
            this.trieMap = new HashMap();
            for (RangerServiceDef.RangerResourceDef rangerResourceDef : serviceDef.getResources()) {
                this.trieMap.put(rangerResourceDef.getName(), new RangerResourceTrie(rangerResourceDef, arrayList));
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.buildZoneTrie()");
        }
    }

    @Override // org.apache.ranger.plugin.policyengine.RangerPolicyEngine
    public String getMatchedZoneName(GrantRevokeRequest grantRevokeRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getMatchedZoneName(" + grantRevokeRequest + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        String str = null;
        if (this.trieMap != null) {
            Map<String, String> resource = grantRevokeRequest.getResource();
            str = getMatchedZoneName(convertFromSingleResource(resource), convertToAccessResource(resource));
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getMatchedZoneName(" + grantRevokeRequest + ") : " + str);
        }
        return str;
    }

    private String getMatchedZoneName(RangerAccessResource rangerAccessResource) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getMatchedZoneName(" + rangerAccessResource + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        String str = null;
        if (this.trieMap != null) {
            str = getMatchedZoneName(convertFromAccessResource(rangerAccessResource), rangerAccessResource);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getMatchedZoneName(" + rangerAccessResource + ") : " + str);
        }
        return str;
    }

    private String getMatchedZoneName(Map<String, List<String>> map, RangerAccessResource rangerAccessResource) {
        List<RangerZoneResourceMatcher> list;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerPolicyEngineImpl.getMatchedZoneName(" + map + ", " + rangerAccessResource + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END);
        }
        String str = null;
        if (this.trieMap != null) {
            ArrayList<List> arrayList = null;
            List list2 = null;
            Iterator<Map.Entry<String, List<String>>> it = map.entrySet().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Map.Entry<String, List<String>> next = it.next();
                String key = next.getKey();
                List<String> value = next.getValue();
                RangerResourceTrie rangerResourceTrie = this.trieMap.get(key);
                if (rangerResourceTrie != null) {
                    List evaluatorsForResource = rangerResourceTrie.getEvaluatorsForResource(value);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("ResourceDefName:[" + key + "], values:[" + value + "], matched-zones:[" + evaluatorsForResource + "]");
                    }
                    if (CollectionUtils.isEmpty(evaluatorsForResource)) {
                        arrayList = null;
                        list2 = null;
                        break;
                    }
                    if (list2 == null) {
                        list2 = evaluatorsForResource;
                    } else {
                        if (arrayList == null) {
                            arrayList = new ArrayList();
                            arrayList.add(list2);
                        }
                        arrayList.add(evaluatorsForResource);
                        if (list2.size() > evaluatorsForResource.size()) {
                            list2 = evaluatorsForResource;
                        }
                    }
                }
            }
            if (list2 != null) {
                if (arrayList != null) {
                    list = new ArrayList(list2);
                    for (List list3 : arrayList) {
                        if (list3 != list2) {
                            list.retainAll(list3);
                            if (CollectionUtils.isEmpty(list)) {
                                break;
                            }
                        }
                    }
                } else {
                    list = list2;
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Resource:[" + map + "], matched-zones:[" + list + "]");
                }
                if (list.size() > 0) {
                    HashSet hashSet = new HashSet();
                    for (RangerZoneResourceMatcher rangerZoneResourceMatcher : list) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Trying to match resource:[" + rangerAccessResource + "] using zoneMatcher:[" + rangerZoneResourceMatcher + "]");
                        }
                        if (rangerZoneResourceMatcher.getPolicyResourceMatcher().isMatch(rangerAccessResource, RangerPolicyResourceMatcher.MatchScope.ANY, (Map<String, Object>) null)) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Matched resource:[" + rangerAccessResource + "] using zoneMatcher:[" + rangerZoneResourceMatcher + "]");
                            }
                            hashSet.add(rangerZoneResourceMatcher.getSecurityZoneName());
                        } else if (LOG.isDebugEnabled()) {
                            LOG.debug("Did not match resource:[" + rangerAccessResource + "] using zoneMatcher:[" + rangerZoneResourceMatcher + "]");
                        }
                    }
                    LOG.info("The following zone-names matched resource:[" + rangerAccessResource + "]: " + hashSet);
                    if (hashSet.size() == 1) {
                        String[] strArr = new String[1];
                        hashSet.toArray(strArr);
                        str = strArr[0];
                    } else {
                        LOG.error("Internal error, multiple zone-names are matched. The following zone-names matched resource:[" + map + "]: " + hashSet);
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerPolicyEngineImpl.getMatchedZoneName(" + map + ", " + rangerAccessResource + ") : " + str);
        }
        return str;
    }

    private static Map<String, List<String>> convertFromAccessResource(RangerAccessResource rangerAccessResource) {
        return convertFromSingleResource(rangerAccessResource.getAsMap());
    }

    private static Map<String, List<String>> convertFromSingleResource(Map<String, ? extends Object> map) {
        ArrayList arrayList;
        HashMap hashMap = new HashMap();
        for (Map.Entry<String, ? extends Object> entry : map.entrySet()) {
            if ((entry.getValue() instanceof Collection) && CollectionUtils.isNotEmpty((Collection) entry.getValue())) {
                arrayList = new ArrayList((Collection) entry.getValue());
            } else if (entry.getValue() instanceof String) {
                arrayList = new ArrayList();
                arrayList.add((String) entry.getValue());
            } else {
                LOG.error("access-resource contains value of unknown type : [" + entry.getValue().getClass().getCanonicalName() + "]");
                arrayList = new ArrayList();
            }
            hashMap.put(entry.getKey(), arrayList);
        }
        return hashMap;
    }

    private RangerAccessResource convertToAccessResource(Map<String, ? extends Object> map) {
        RangerAccessResourceImpl rangerAccessResourceImpl = new RangerAccessResourceImpl();
        rangerAccessResourceImpl.setServiceDef(getServiceDef());
        for (Map.Entry<String, ? extends Object> entry : map.entrySet()) {
            rangerAccessResourceImpl.setValue(entry.getKey(), entry.getValue());
        }
        return rangerAccessResourceImpl;
    }
}
