package org.apache.kylin.rest.service;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import org.apache.commons.lang.StringUtils;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.persistence.AclEntity;
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.metadata.project.ProjectInstance;
import org.apache.kylin.metadata.project.ProjectManager;
import org.apache.kylin.rest.constant.Constant;
import org.apache.kylin.rest.exception.BadRequestException;
import org.apache.kylin.rest.exception.ForbiddenException;
import org.apache.kylin.rest.msg.Message;
import org.apache.kylin.rest.msg.MsgPicker;
import org.apache.kylin.rest.response.AccessEntryResponse;
import org.apache.kylin.rest.security.AclEntityFactory;
import org.apache.kylin.rest.security.AclEntityType;
import org.apache.kylin.rest.security.AclPermissionType;
import org.apache.kylin.rest.security.springacl.AclRecord;
import org.apache.kylin.rest.security.springacl.MutableAclRecord;
import org.apache.kylin.rest.security.springacl.ObjectIdentityImpl;
import org.apache.kylin.shaded.com.google.common.base.Preconditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AlreadyExistsException;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;

@Component("accessService")
/* loaded from: input_file:org/apache/kylin/rest/service/AccessService.class */
public class AccessService {
    private static final Logger logger = LoggerFactory.getLogger(AccessService.class);

    @Autowired
    @Qualifier("aclService")
    private AclService aclService;

    @Transactional
    public MutableAclRecord init(AclEntity aclEntity, Permission permission) {
        MutableAclRecord readAcl;
        ObjectIdentityImpl objectIdentityImpl = new ObjectIdentityImpl(aclEntity);
        try {
            readAcl = (MutableAclRecord) this.aclService.createAcl(objectIdentityImpl);
        } catch (AlreadyExistsException e) {
            readAcl = this.aclService.readAcl(objectIdentityImpl);
        }
        if (null != permission) {
            readAcl = grant(aclEntity, permission, new PrincipalSid(SecurityContextHolder.getContext().getAuthentication()));
        }
        return readAcl;
    }

    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public void batchGrant(AclEntity aclEntity, Map<Sid, Permission> map) {
        MutableAclRecord init;
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new BadRequestException(msg.getACL_DOMAIN_NOT_FOUND());
        }
        if (map == null) {
            throw new BadRequestException(msg.getACL_PERMISSION_REQUIRED());
        }
        try {
            init = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        } catch (NotFoundException e) {
            init = init(aclEntity, null);
        }
        Iterator<Sid> it = map.keySet().iterator();
        while (it.hasNext()) {
            secureOwner(init, it.next());
        }
        this.aclService.batchUpsertAce(init, map);
    }

    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public MutableAclRecord grant(AclEntity aclEntity, Permission permission, Sid sid) {
        MutableAclRecord init;
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new BadRequestException(msg.getACL_DOMAIN_NOT_FOUND());
        }
        if (permission == null) {
            throw new BadRequestException(msg.getACL_PERMISSION_REQUIRED());
        }
        if (sid == null) {
            throw new BadRequestException(msg.getSID_REQUIRED());
        }
        try {
            init = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        } catch (NotFoundException e) {
            init = init(aclEntity, null);
        }
        secureOwner(init, sid);
        return this.aclService.upsertAce(init, sid, permission);
    }

    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public MutableAclRecord update(AclEntity aclEntity, int i, Permission permission) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new BadRequestException(msg.getACL_DOMAIN_NOT_FOUND());
        }
        if (permission == null) {
            throw new BadRequestException(msg.getACL_PERMISSION_REQUIRED());
        }
        MutableAclRecord readAcl = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        Sid sid = readAcl.getAclRecord().getAccessControlEntryAt(i).getSid();
        secureOwner(readAcl, sid);
        return this.aclService.upsertAce(readAcl, sid, permission);
    }

    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public MutableAclRecord revoke(AclEntity aclEntity, int i) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new BadRequestException(msg.getACL_DOMAIN_NOT_FOUND());
        }
        MutableAclRecord readAcl = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        Sid sid = readAcl.getAclRecord().getAccessControlEntryAt(i).getSid();
        secureOwner(readAcl, sid);
        return this.aclService.upsertAce(readAcl, sid, null);
    }

    @Transactional
    public void inherit(AclEntity aclEntity, AclEntity aclEntity2) {
        MutableAclRecord init;
        MutableAclRecord init2;
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new BadRequestException(msg.getACL_DOMAIN_NOT_FOUND());
        }
        if (aclEntity2 == null) {
            throw new BadRequestException(msg.getPARENT_ACL_NOT_FOUND());
        }
        try {
            init = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        } catch (NotFoundException e) {
            init = init(aclEntity, null);
        }
        try {
            init2 = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity2));
        } catch (NotFoundException e2) {
            init2 = init(aclEntity2, null);
        }
        if (null == init || null == init2) {
            return;
        }
        this.aclService.inherit(init, init2);
    }

    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public void clean(AclEntity aclEntity, boolean z) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new BadRequestException(msg.getACL_DOMAIN_NOT_FOUND());
        }
        if (aclEntity.getId() == null) {
            return;
        }
        try {
            this.aclService.deleteAcl(new ObjectIdentityImpl(aclEntity), z);
        } catch (NotFoundException e) {
        }
    }

    public RootPersistentEntity getAclEntity(String str, String str2) {
        if (null == str2) {
            return null;
        }
        return AclEntityFactory.createAclEntity(str, str2);
    }

    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION') or hasPermission(#ae, 'MANAGEMENT') or hasPermission(#ae, 'OPERATION') or hasPermission(#ae, 'READ')")
    public MutableAclRecord getAcl(AclEntity aclEntity) {
        if (null == aclEntity) {
            return null;
        }
        MutableAclRecord mutableAclRecord = null;
        try {
            mutableAclRecord = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        } catch (NotFoundException e) {
        }
        return mutableAclRecord;
    }

    public Sid getSid(String str, boolean z) {
        return z ? new PrincipalSid(str) : new GrantedAuthoritySid(str);
    }

    public List<AccessEntryResponse> generateAceResponsesByFuzzMatching(Acl acl, String str, boolean z) {
        if (null == acl) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        for (AccessControlEntry accessControlEntry : acl.getEntries()) {
            if (str == null || needAdd(str, z, getName(accessControlEntry.getSid()))) {
                arrayList.add(new AccessEntryResponse(accessControlEntry.getId(), accessControlEntry.getSid(), accessControlEntry.getPermission(), accessControlEntry.isGranting()));
            }
        }
        return arrayList;
    }

    private boolean needAdd(String str, boolean z, String str2) {
        return (z && StringUtils.contains(str2, str)) || (!z && StringUtils.containsIgnoreCase(str2, str));
    }

    private static String getName(Sid sid) {
        return sid instanceof PrincipalSid ? ((PrincipalSid) sid).getPrincipal() : ((GrantedAuthoritySid) sid).getGrantedAuthority();
    }

    public List<AccessEntryResponse> generateAceResponses(Acl acl) {
        return generateAceResponsesByFuzzMatching(acl, null, false);
    }

    public List<String> getAllAclSids(Acl acl, String str) {
        if (null == acl) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        for (AccessControlEntry accessControlEntry : acl.getEntries()) {
            String str2 = null;
            if (str.equalsIgnoreCase(Constant.IDENTITY_USER) && (accessControlEntry.getSid() instanceof PrincipalSid)) {
                str2 = accessControlEntry.getSid().getPrincipal();
            }
            if (str.equalsIgnoreCase("group") && (accessControlEntry.getSid() instanceof GrantedAuthoritySid)) {
                str2 = accessControlEntry.getSid().getGrantedAuthority();
            }
            if (!StringUtils.isBlank(str2)) {
                arrayList.add(str2);
            }
        }
        return arrayList;
    }

    private void secureOwner(MutableAclRecord mutableAclRecord, Sid sid) {
        Message msg = MsgPicker.getMsg();
        AclRecord aclRecord = mutableAclRecord.getAclRecord();
        if (aclRecord.getOwner().equals(sid) && BasePermission.ADMINISTRATION.equals(aclRecord.getPermission(sid))) {
            throw new ForbiddenException(msg.getREVOKE_ADMIN_PERMISSION());
        }
    }

    public Object generateAllAceResponses(Acl acl) {
        ArrayList arrayList = new ArrayList();
        while (acl != null) {
            for (AccessControlEntry accessControlEntry : acl.getEntries()) {
                arrayList.add(new AccessEntryResponse(accessControlEntry.getId(), accessControlEntry.getSid(), accessControlEntry.getPermission(), accessControlEntry.isGranting()));
            }
            acl = acl.getParentAcl();
        }
        return arrayList;
    }

    public void revokeProjectPermission(String str, String str2) {
        PrincipalSid grantedAuthoritySid;
        MutableAclRecord acl;
        if (str2.equalsIgnoreCase(Constant.IDENTITY_USER)) {
            grantedAuthoritySid = new PrincipalSid(str);
        } else if (!str2.equalsIgnoreCase("group")) {
            return;
        } else {
            grantedAuthoritySid = new GrantedAuthoritySid(str);
        }
        Iterator it = ProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).listAllProjects().iterator();
        while (it.hasNext() && (acl = getAcl(getAclEntity(AclEntityType.PROJECT_INSTANCE, ((ProjectInstance) it.next()).getUuid()))) != null) {
            if (acl.getAclRecord().getPermission(grantedAuthoritySid) != null) {
                secureOwner(acl, grantedAuthoritySid);
                this.aclService.upsertAce(acl, grantedAuthoritySid, null);
            }
        }
    }

    public String getUserPermissionInPrj(String str) {
        String str2;
        List<String> groupsFromCurrentUser = getGroupsFromCurrentUser();
        if (groupsFromCurrentUser.contains(Constant.ROLE_ADMIN)) {
            return "GLOBAL_ADMIN";
        }
        Map<String, Integer> projectPermission = getProjectPermission(str);
        Integer num = projectPermission.get(SecurityContextHolder.getContext().getAuthentication().getName());
        Iterator<String> it = groupsFromCurrentUser.iterator();
        while (it.hasNext()) {
            num = (Integer) Preconditions.checkNotNull(getGreaterPerm(projectPermission.get(it.next()), num));
        }
        switch (num.intValue()) {
            case 0:
                str2 = "EMPTY";
                break;
            case 1:
                str2 = AclPermissionType.READ;
                break;
            case 16:
                str2 = AclPermissionType.ADMINISTRATION;
                break;
            case 32:
                str2 = "MANAGEMENT";
                break;
            case 64:
                str2 = "OPERATION";
                break;
            default:
                throw new RuntimeException("invalid permission state:" + num);
        }
        return str2;
    }

    private Map<String, Integer> getProjectPermission(String str) {
        TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
        MutableAclRecord acl = getAcl(getAclEntity(AclEntityType.PROJECT_INSTANCE, ProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(str).getUuid()));
        if (acl != null && acl.getEntries() != null) {
            for (AccessControlEntry accessControlEntry : acl.getEntries()) {
                PrincipalSid sid = accessControlEntry.getSid();
                if (sid instanceof PrincipalSid) {
                    treeMap.put(sid.getPrincipal(), Integer.valueOf(accessControlEntry.getPermission().getMask()));
                }
                if (sid instanceof GrantedAuthoritySid) {
                    treeMap.put(((GrantedAuthoritySid) sid).getGrantedAuthority(), Integer.valueOf(accessControlEntry.getPermission().getMask()));
                }
            }
        }
        return treeMap;
    }

    private List<String> getGroupsFromCurrentUser() {
        ArrayList arrayList = new ArrayList();
        Iterator it = SecurityContextHolder.getContext().getAuthentication().getAuthorities().iterator();
        while (it.hasNext()) {
            arrayList.add(((GrantedAuthority) it.next()).getAuthority());
        }
        return arrayList;
    }

    private Integer getGreaterPerm(Integer num, Integer num2) {
        if (num == null && num2 == null) {
            return 0;
        }
        if (num != null && num2 == null) {
            return num;
        }
        if (num == null && num2 != null) {
            return num2;
        }
        if (num.intValue() == 16 || num2.intValue() == 16) {
            return 16;
        }
        if (num.intValue() == 32 || num2.intValue() == 32) {
            return 32;
        }
        if (num.intValue() == 64 || num2.intValue() == 64) {
            return 64;
        }
        return (num.intValue() == 1 || num2.intValue() == 1) ? 1 : null;
    }
}
