package com.cloudera.cmf.service.hive;

import com.cloudera.cmf.model.DbRole;
import com.cloudera.cmf.model.DbService;
import com.cloudera.cmf.model.Enums;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.service.AbstractValidator;
import com.cloudera.cmf.service.DependencyUtils;
import com.cloudera.cmf.service.ServiceHandlerRegistry;
import com.cloudera.cmf.service.Validation;
import com.cloudera.cmf.service.ValidationContext;
import com.cloudera.cmf.service.config.BooleanParamSpec;
import com.cloudera.cmf.service.config.ParamParseException;
import com.cloudera.cmf.service.config.StringParamSpec;
import com.cloudera.cmf.service.hive.HiveServiceHandler;
import com.cloudera.cmf.service.impala.ImpalaParams;
import com.cloudera.cmf.service.impala.ImpalaServiceHandler;
import com.cloudera.cmf.version.Release;
import com.cloudera.enterprise.MessageWithArgs;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/cloudera/cmf/service/hive/HiveSentryValidator.class */
/**
 * Service-scope validator for the Sentry authorization settings of a Hive service.
 *
 * <p>Two independent signals are read: the {@code HiveParams.SENTRY_ENABLED} flag and
 * whether a dependency service is resolved for {@code HiveParams.SENTRY}. When neither
 * is set nothing is reported; when both are set a single error is reported; when
 * exactly one is set the remaining consistency checks run (cluster credentials,
 * enforcement point, HiveServer2 impersonation, server name, policy resource).
 *
 * <p>NOTE(review): judging by the policy-file message key tied to
 * {@code SENTRY_PROVIDER_RESOURCE}, the flag presumably selects policy-file based
 * Sentry while the dependency selects the Sentry service. Confirm against HiveParams.
 */
public class HiveSentryValidator extends AbstractValidator {

    // Message-bundle keys for the findings this validator can emit.
    @VisibleForTesting
    static final String MESSAGE_AUTHSECURE_WARNING_KEY = "message.hive.sentry.secureClusterValidator.validationWarning";
    // Not referenced anywhere in this class.
    static final String MESSAGE_AUTHSECURE_OBJSTORE_KEY = "message.hive.sentry.objstore.secureClusterValidator.validationFailure";
    static final String MESSAGE_AUTHENFORCEMENT_WARNING_KEY = "message.hive.sentry.enforcementValidator.validationWarning";
    static final String MESSAGE_AUTHIMPERSONATE_KEY = "message.hive.sentry.impersonationValidator.validationFailure";
    static final String MESSAGE_AUTHSERVERNAME_ERROR_KEY = "message.hive.sentry.serverName.validationFailure";
    static final String MESSAGE_AUTHPOLICYFILENAME_ERROR_KEY = "message.hive.sentry.policyFileName.validationFailure";
    static final String MESSAGE_SENTRYSERVICE_ERROR_KEY = "message.hive.sentry.service.validationFailure";

    // Local aliases for the Hive parameters inspected below.
    private static final BooleanParamSpec HS2_IMPERSONATE_USER = HiveParams.HS2_IMPERSONATE_USER;
    private static final StringParamSpec SENTRY_PROVIDER_RESOURCE = HiveParams.SENTRY_PROVIDER_RESOURCE;
    private static final StringParamSpec SENTRY_SERVER = HiveParams.SENTRY_SERVER;

    /**
     * Registers the validator under the name {@code "hive_sentry_validator"}.
     * The meaning of the leading {@code true} is defined by {@link AbstractValidator}
     * and is not visible in this file.
     */
    public HiveSentryValidator() {
        super(true, "hive_sentry_validator");
    }

    /**
     * Checks the Sentry-related configuration of the service held by the context.
     *
     * @param serviceHandlerRegistry registry used to look up service handlers and dependencies
     * @param validationContext context being validated; only {@code SERVICE} level with a
     *     non-null service is examined
     * @return the findings, or an empty collection when the context is out of scope or
     *     neither Sentry signal is present
     * @throws RuntimeException wrapping a {@link ParamParseException} raised while reading a parameter
     */
    @Override // com.cloudera.cmf.service.Validator
    public Collection<Validation> validate(ServiceHandlerRegistry serviceHandlerRegistry, ValidationContext validationContext) {
        if (Enums.ConfigScope.SERVICE != validationContext.getLevel()) {
            return Collections.emptyList();
        }
        final DbService service = validationContext.getService();
        if (service == null) {
            return Collections.emptyList();
        }

        final Collection<Validation> findings = Lists.newArrayList();
        final Map<String, String> serviceConfigs = service.getServiceConfigsMap();
        final Release version = service.getServiceVersion();
        try {
            final boolean sentryFlagOn = HiveParams.SENTRY_ENABLED.supportsVersion(version)
                    && HiveParams.SENTRY_ENABLED.extractFromStringMap(serviceConfigs, version).booleanValue();
            final boolean sentryServiceLinked = DependencyUtils.getDependencyService(
                    service,
                    serviceHandlerRegistry.get(service),
                    serviceHandlerRegistry,
                    HiveParams.SENTRY,
                    CmfEntityManager.currentCmfEntityManager()) != null;

            if (sentryFlagOn == sentryServiceLinked) {
                if (!sentryFlagOn) {
                    // Neither signal is present: nothing to validate.
                    return Collections.emptyList();
                }
                // Both signals at once is reported as a single error and ends validation.
                findings.add(Validation.error(validationContext, withoutArgs(MESSAGE_SENTRYSERVICE_ERROR_KEY)));
                return findings;
            }

            // Exactly one signal is present from here on. The service is read from the
            // context again for the remaining checks.
            final DbService hive = validationContext.getService();
            final CmfEntityManager em = CmfEntityManager.currentCmfEntityManager();

            // NOTE(review): this is only a warning. If requiresCredentials reflects whether
            // authentication is configured for the cluster, authorization rules would be
            // applied to identities nobody has verified. Confirm the severity is intended.
            if (!serviceHandlerRegistry.get(hive).requiresCredentials(em, hive)) {
                findings.add(Validation.warning(validationContext, withoutArgs(MESSAGE_AUTHSECURE_WARNING_KEY)));
            }

            // With no HiveServer2 role, warn unless some dependent Impala service has its
            // own Sentry flag enabled.
            final Set<DbRole> hs2Roles = hive.getRolesWithType(HiveServiceHandler.RoleNames.HIVESERVER2.name());
            if (hs2Roles.isEmpty() && !anyDependentImpalaUsesSentry(em, serviceHandlerRegistry, hive)) {
                findings.add(Validation.warning(
                        validationContext,
                        withoutArgs(MESSAGE_AUTHENFORCEMENT_WARNING_KEY),
                        ImpalaParams.SENTRY_ENABLED));
            }

            // Impersonation on a HiveServer2 role is a warning when the flag is on and an
            // error otherwise (i.e. when only the Sentry dependency is present).
            // NOTE(review): presumably impersonation makes queries run as the end user, which
            // would sidestep Sentry's decisions. Confirm why the flag case is not also an error.
            for (DbRole hs2 : hs2Roles) {
                if (!HS2_IMPERSONATE_USER.extractFromStringMap(hs2.getConfigsMap(), hive.getServiceVersion()).booleanValue()) {
                    continue;
                }
                final MessageWithArgs message = buildImpersonateValidationMessage(hs2.getDisplayName());
                findings.add(sentryFlagOn
                        ? Validation.warning(validationContext, message, HS2_IMPERSONATE_USER)
                        : Validation.error(validationContext, message, HS2_IMPERSONATE_USER));
            }

            // A blank server name is an error whichever signal is present.
            final String serverName = SENTRY_SERVER.extractFromStringMap(serviceConfigs, version);
            if (serverName.trim().isEmpty()) {
                findings.add(Validation.error(
                        validationContext,
                        withoutArgs(MESSAGE_AUTHSERVERNAME_ERROR_KEY),
                        SENTRY_SERVER));
            }

            // The provider resource is only required (and only read) when the flag is on.
            if (sentryFlagOn && SENTRY_PROVIDER_RESOURCE.extractFromStringMap(serviceConfigs, version).trim().isEmpty()) {
                findings.add(Validation.error(
                        validationContext,
                        withoutArgs(MESSAGE_AUTHPOLICYFILENAME_ERROR_KEY),
                        SENTRY_PROVIDER_RESOURCE));
            }
            return findings;
        } catch (ParamParseException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the impersonation finding message for one role.
     *
     * @param str display name of the role, passed as the single message argument
     * @return message keyed by {@link #MESSAGE_AUTHIMPERSONATE_KEY}
     */
    @VisibleForTesting
    public static MessageWithArgs buildImpersonateValidationMessage(String str) {
        final String[] args = {str};
        return MessageWithArgs.of(MESSAGE_AUTHIMPERSONATE_KEY, args);
    }

    /** Wraps a message key that takes no arguments. */
    private static MessageWithArgs withoutArgs(String key) {
        return MessageWithArgs.of(key, new String[0]);
    }

    /**
     * Reports whether any Impala service depending on {@code hive} supports and has
     * enabled {@code ImpalaParams.SENTRY_ENABLED}; stops at the first match.
     */
    private static boolean anyDependentImpalaUsesSentry(
            CmfEntityManager em, ServiceHandlerRegistry registry, DbService hive) throws ParamParseException {
        for (DbService impala : DependencyUtils.getDependentServicesOfType(em, registry, hive, ImpalaServiceHandler.SERVICE_TYPE)) {
            final Map<String, String> impalaConfigs = impala.getServiceConfigsMap();
            if (!ImpalaParams.SENTRY_ENABLED.supportsVersion(impala.getServiceVersion())) {
                continue;
            }
            if (ImpalaParams.SENTRY_ENABLED.extractFromStringMap(impalaConfigs, impala.getServiceVersion()).booleanValue()) {
                return true;
            }
        }
        return false;
    }
}
