package alluxio.master.file;

import alluxio.Configuration;
import alluxio.exception.AccessControlException;
import alluxio.exception.ExceptionMessage;
import alluxio.exception.InvalidPathException;
import alluxio.exception.PreconditionMessage;
import alluxio.master.file.meta.Inode;
import alluxio.master.file.meta.InodeTree;
import alluxio.master.file.meta.LockedInodePath;
import alluxio.master.file.meta.MountTable;
import alluxio.security.User;
import alluxio.security.authentication.AuthenticatedClientUser;
import alluxio.security.authorization.Mode;
import alluxio.security.group.GroupMappingService;
import alluxio.util.io.PathUtils;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.concurrent.NotThreadSafe;

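/**
 * Decides whether the authenticated client user of the current request may act on a path, using
 * the owner/group/other mode bits of the inodes along that path.
 *
 * <p>Every public check returns immediately when
 * {@code alluxio.security.authorization.permission.enabled} is false. Two identities bypass all
 * mode-bit and ownership checks: the root user name reported by the {@link InodeTree}, and any
 * user that belongs to the configured supergroup (see {@link #isPrivilegedUser}).
 *
 * <p>A request with no authenticated user bound is rejected rather than treated as anonymous.
 */
@NotThreadSafe
/* loaded from: input_file:alluxio/master/file/PermissionChecker.class */
public final class PermissionChecker {
    private final InodeTree mInodeTree;
    // When false, every public check is a no-op and no inode is inspected.
    private final boolean mPermissionCheckEnabled = Configuration.getBoolean("alluxio.security.authorization.permission.enabled");
    // Membership in this group grants the same full bypass as the root user name.
    private final String mFileSystemSuperGroup = Configuration.get("alluxio.security.authorization.permission.supergroup");
    private final GroupMappingService mGroupMappingService = GroupMappingService.Factory.getUserToGroupsMappingService();

    /**
     * @param inodeTree the inode tree whose root user name is treated as a superuser
     * @throws NullPointerException if {@code inodeTree} is null
     */
    public PermissionChecker(InodeTree inodeTree) {
        mInodeTree = Preconditions.checkNotNull(inodeTree);
    }

    /**
     * Checks that the client user holds {@code bits} on the parent of the path and EXECUTE on
     * every ancestor above it. The root path has no parent and is always allowed.
     *
     * @param bits the access required on the parent directory
     * @param lockedInodePath the locked path; when the full path exists its last inode (the
     *        target itself) is excluded from the check
     * @throws AccessControlException if no user is authenticated, group lookup fails, or access
     *         is denied
     * @throws InvalidPathException if the path cannot be resolved
     */
    public void checkParentPermission(Mode.Bits bits, LockedInodePath lockedInodePath) throws AccessControlException, InvalidPathException {
        if (!mPermissionCheckEnabled) {
            return;
        }
        String path = lockedInodePath.getUri().getPath();
        if (PathUtils.isRoot(path)) {
            return;
        }
        // Work on a private copy: the list is trimmed below, and nothing here guarantees that
        // getInodeList() hands out a copy rather than the path's own inode list.
        List<Inode<?>> inodeList = new ArrayList<>(lockedInodePath.getInodeList());
        String clientUser = getClientUser();
        List<String> groups = getGroups(clientUser);
        if (lockedInodePath.fullPathExists()) {
            // Only the parent is subject to this check, so drop the target inode.
            inodeList.remove(inodeList.size() - 1);
        }
        checkInodeList(clientUser, groups, bits, path, inodeList, false);
    }

    /**
     * Checks that the client user holds {@code bits} on the last inode of the path and EXECUTE on
     * every inode above it.
     *
     * @param bits the access required on the target
     * @param lockedInodePath the locked path to check
     * @throws AccessControlException if no user is authenticated, group lookup fails, or access
     *         is denied
     * @throws InvalidPathException if the path cannot be resolved
     */
    public void checkPermission(Mode.Bits bits, LockedInodePath lockedInodePath) throws AccessControlException, InvalidPathException {
        if (!mPermissionCheckEnabled) {
            return;
        }
        List<Inode<?>> inodeList = lockedInodePath.getInodeList();
        String clientUser = getClientUser();
        List<String> groups = getGroups(clientUser);
        checkInodeList(clientUser, groups, bits, lockedInodePath.getUri().getPath(), inodeList, false);
    }

    /**
     * Checks the permissions required to change attributes of a path: optionally that the user is
     * a superuser, optionally that the user owns the path, and always WRITE access on the path.
     *
     * @param lockedInodePath the locked path whose attributes are being changed
     * @param superuserRequired whether the caller must be the root user or in the supergroup
     * @param ownerRequired whether the caller must own the target (privileged users are exempt)
     * @throws AccessControlException if any of the required checks fails
     * @throws InvalidPathException if the path cannot be resolved
     */
    public void checkSetAttributePermission(LockedInodePath lockedInodePath, boolean superuserRequired, boolean ownerRequired) throws AccessControlException, InvalidPathException {
        if (!mPermissionCheckEnabled) {
            return;
        }
        if (superuserRequired) {
            checkSuperUser();
        }
        if (ownerRequired) {
            checkOwner(lockedInodePath);
        }
        checkPermission(Mode.Bits.WRITE, lockedInodePath);
    }

    /**
     * @return the name of the authenticated client user bound to the current request
     * @throws AccessControlException if no user is bound, or the lookup fails
     */
    private String getClientUser() throws AccessControlException {
        User user;
        try {
            user = AuthenticatedClientUser.get();
        } catch (IOException e) {
            // Keep the cause so a failed lookup can be diagnosed, not just its message.
            throw new AccessControlException(e.getMessage(), e);
        }
        if (user == null) {
            // Fail closed: an unauthenticated request is denied, not treated as "other".
            throw new AccessControlException(ExceptionMessage.AUTHORIZED_CLIENT_USER_IS_NULL.getMessage());
        }
        return user.getName();
    }

    /**
     * @param user the user name to resolve
     * @return the groups the user belongs to, as reported by the group mapping service
     * @throws AccessControlException if the mapping service fails; the failure is surfaced as a
     *         denial rather than as a pass
     */
    private List<String> getGroups(String user) throws AccessControlException {
        try {
            return mGroupMappingService.getGroups(user);
        } catch (IOException e) {
            throw new AccessControlException(ExceptionMessage.PERMISSION_DENIED.getMessage(e.getMessage()), e);
        }
    }

    /**
     * Checks that the client user owns the last inode of the path, after verifying EXECUTE on all
     * inodes above it. Privileged users pass without any inode being examined.
     *
     * @param lockedInodePath the locked path whose target must be owned by the caller
     * @throws AccessControlException if the caller is not the owner or cannot traverse the path
     * @throws InvalidPathException if the path cannot be resolved
     */
    private void checkOwner(LockedInodePath lockedInodePath) throws AccessControlException, InvalidPathException {
        List<Inode<?>> inodeList = lockedInodePath.getInodeList();
        String clientUser = getClientUser();
        List<String> groups = getGroups(clientUser);
        if (isPrivilegedUser(clientUser, groups)) {
            return;
        }
        checkInodeList(clientUser, groups, null, lockedInodePath.getUri().getPath(), inodeList, true);
    }

    /**
     * @throws AccessControlException if the client user is neither the root user nor a member of
     *         the supergroup
     */
    private void checkSuperUser() throws AccessControlException {
        String clientUser = getClientUser();
        List<String> groups = getGroups(clientUser);
        if (isPrivilegedUser(clientUser, groups)) {
            return;
        }
        throw new AccessControlException(ExceptionMessage.PERMISSION_DENIED.getMessage(clientUser + " is not a super user or in super group"));
    }

    /**
     * Walks the inodes of a path: every inode but the last must grant EXECUTE, and the last must
     * either grant {@code bits} or, when {@code checkIsOwner} is set, be owned by {@code user}.
     *
     * @param user the client user name
     * @param groups the groups of the client user
     * @param bits the access required on the last inode; ignored when {@code checkIsOwner} is set
     * @param path the path string, used only in denial messages
     * @param inodeList the inodes from the root to the target, in order; must not be empty
     * @param checkIsOwner when true, the last inode is checked for ownership instead of bits
     * @throws AccessControlException if any inode denies the required access
     * @throws IllegalArgumentException if {@code inodeList} is empty
     */
    private void checkInodeList(String user, List<String> groups, Mode.Bits bits, String path, List<Inode<?>> inodeList, boolean checkIsOwner) throws AccessControlException {
        int size = inodeList.size();
        Preconditions.checkArgument(size > 0, PreconditionMessage.EMPTY_FILE_INFO_LIST_FOR_PERMISSION_CHECK);
        if (isPrivilegedUser(user, groups)) {
            return;
        }
        // Every ancestor must be traversable before the target itself is examined.
        for (int i = 0; i < size - 1; i++) {
            checkInode(user, groups, inodeList.get(i), Mode.Bits.EXECUTE, path);
        }
        Inode<?> target = inodeList.get(size - 1);
        if (!checkIsOwner) {
            checkInode(user, groups, target, bits, path);
        } else if (target != null && !user.equals(target.getOwner())) {
            throw new AccessControlException(ExceptionMessage.PERMISSION_DENIED.getMessage("user=" + user + " is not the owner of path=" + path));
        }
    }

    /**
     * Checks a single inode's mode bits against the user and its groups.
     *
     * <p>Access is granted if the owner bits (when {@code user} owns the inode), the group bits
     * (when one of {@code groups} is the inode's group), or the other bits imply {@code bits}.
     * This is more permissive than strict POSIX evaluation: an owner whose owner bits deny the
     * access is still granted it when the group or other bits allow it.
     *
     * @param user the client user name
     * @param groups the groups of the client user
     * @param inode the inode to check; a null entry is skipped, not denied
     * @param bits the access required
     * @param path the path string, used only in the denial message
     * @throws AccessControlException if none of the applicable bit classes grants {@code bits}
     */
    private void checkInode(String user, List<String> groups, Inode<?> inode, Mode.Bits bits, String path) throws AccessControlException {
        if (inode == null) {
            // NOTE(review): a null entry passes without a check — presumably a component that does
            // not exist yet; confirm against what LockedInodePath.getInodeList() puts in the list.
            return;
        }
        short mode = inode.getMode();
        if (user.equals(inode.getOwner()) && Mode.extractOwnerBits(mode).imply(bits)) {
            return;
        }
        if (groups.contains(inode.getGroup()) && Mode.extractGroupBits(mode).imply(bits)) {
            return;
        }
        if (Mode.extractOtherBits(mode).imply(bits)) {
            return;
        }
        throw new AccessControlException(ExceptionMessage.PERMISSION_DENIED.getMessage(toExceptionMessage(user, bits, path, inode)));
    }

    /**
     * @param user the client user name
     * @param groups the groups of the client user
     * @return true if the user is the inode tree's root user or is in the supergroup; such users
     *         bypass every mode-bit and ownership check
     */
    private boolean isPrivilegedUser(String user, List<String> groups) {
        return user.equals(mInodeTree.getRootUserName()) || groups.contains(mFileSystemSuperGroup);
    }

    /**
     * Builds the detail part of a denial message.
     *
     * @param user the client user name
     * @param bits the access that was required
     * @param path the full path that was being checked
     * @param inode the inode at which the check failed; an inode with an empty name is reported
     *        as the mount-table root
     * @return the message fragment naming user, access, path and the failing inode
     */
    private static String toExceptionMessage(String user, Mode.Bits bits, String path, Inode<?> inode) {
        String failedAt = inode.getName().isEmpty() ? MountTable.ROOT : inode.getName();
        return "user=" + user + ", access=" + bits + ", path=" + path + ": failed at " + failedAt;
    }
}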
