package org.openmetadata.service.security.policyevaluator;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Objects;
import lombok.NonNull;
import org.openmetadata.schema.type.EntityReference;
import org.openmetadata.schema.type.MetadataOperation;
import org.openmetadata.schema.type.Permission;
import org.openmetadata.schema.type.ResourceDescriptor;
import org.openmetadata.schema.type.ResourcePermission;
import org.openmetadata.service.ResourceRegistry;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.security.AuthorizationException;
import org.openmetadata.service.security.auth.BotTokenCache;
import org.openmetadata.service.security.policyevaluator.SubjectContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

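/* loaded from: input_file:org/openmetadata/service/security/policyevaluator/PolicyEvaluator.class */
/**
 * Stateless entry points for authorization decisions.
 *
 * <p>{@link #hasPermission} is the enforcement path: it evaluates the subject's deny rules before
 * its allow rules and fails closed, throwing {@link AuthorizationException} for any requested
 * operation that is still listed in the {@link OperationContext} after both passes. The
 * {@code listPermission}/{@code getPermission} methods are the reporting path: every operation on
 * every resource starts at {@code Permission.Access.NOT_ALLOW} and is only changed by an explicit
 * rule, then the result is trimmed so that an explicit {@code VIEW_ALL}/{@code EDIT_ALL} decision
 * hides the fine-grained {@code View*}/{@code Edit*} entries it covers.
 *
 * <p>All methods are static and keep no state; thread-safety is that of the contexts, policies
 * and {@link ResourceRegistry} they are handed.
 */
public class PolicyEvaluator {
    private static final Logger LOG = LoggerFactory.getLogger(PolicyEvaluator.class);

    /** Utility class; never instantiated. */
    private PolicyEvaluator() {
    }

    /**
     * Enforces that {@code subjectContext} may perform every operation listed in
     * {@code operationContext} on the resource described by {@code resourceContextInterface}.
     *
     * <p>Policies are fetched relative to the resource owner. Deny rules are evaluated first,
     * then allow rules; each pass stops as soon as no operation is left in the context. Whatever
     * is still listed in {@code operationContext.getOperations()} afterwards is treated as not
     * permitted, so an operation that no rule decides is refused rather than granted.
     *
     * @param subjectContext the user/bot and the roles and policies attached to it
     * @param resourceContextInterface the resource being accessed, including its owner
     * @param operationContext the operations the caller wants to perform; consumed by the rules
     * @throws NullPointerException if any argument is null
     * @throws AuthorizationException if at least one requested operation is not allowed
     */
    public static void hasPermission(
            @NonNull SubjectContext subjectContext,
            @NonNull ResourceContextInterface resourceContextInterface,
            @NonNull OperationContext operationContext) {
        Objects.requireNonNull(subjectContext, "subjectContext is marked non-null but is null");
        Objects.requireNonNull(resourceContextInterface, "resourceContext is marked non-null but is null");
        Objects.requireNonNull(operationContext, "operationContext is marked non-null but is null");
        // Deny rules get the first word; the allow pass only sees what they left undecided.
        evaluateDenySubjectPolicies(subjectContext, resourceContextInterface, operationContext);
        evaluateAllowSubjectPolicies(subjectContext, resourceContextInterface, operationContext);
        if (!operationContext.getOperations().isEmpty()) {
            // Fail closed: anything not explicitly resolved by a rule is refused.
            throw new AuthorizationException(
                    CatalogExceptionMessage.permissionNotAllowed(
                            subjectContext.user().getName(), operationContext.getOperations()));
        }
    }

    /** Runs the deny pass over the subject's policies for the given resource owner. */
    private static void evaluateDenySubjectPolicies(
            SubjectContext subjectContext,
            ResourceContextInterface resourceContextInterface,
            OperationContext operationContext) {
        evaluatePolicies(
                subjectContext.getPolicies(resourceContextInterface.getOwner()),
                subjectContext,
                resourceContextInterface,
                operationContext,
                true);
    }

    /** Runs the allow pass over the subject's policies for the given resource owner. */
    private static void evaluateAllowSubjectPolicies(
            SubjectContext subjectContext,
            ResourceContextInterface resourceContextInterface,
            OperationContext operationContext) {
        evaluatePolicies(
                subjectContext.getPolicies(resourceContextInterface.getOwner()),
                subjectContext,
                resourceContextInterface,
                operationContext,
                false);
    }

    /**
     * Applies every rule of every policy yielded by {@code policies} to {@code operationContext},
     * as deny rules when {@code deny} is true and as allow rules otherwise.
     *
     * <p>The loop exits early once the context has no operation left to decide. It relies on the
     * rule implementations removing the operations they resolve from the context (see
     * {@link CompiledRule}); this class does not modify the context itself.
     */
    private static void evaluatePolicies(
            Iterator<SubjectContext.PolicyContext> policies,
            SubjectContext subjectContext,
            ResourceContextInterface resourceContextInterface,
            OperationContext operationContext,
            boolean deny) {
        while (policies.hasNext() && !operationContext.getOperations().isEmpty()) {
            SubjectContext.PolicyContext policyContext = policies.next();
            for (CompiledRule rule : policyContext.getRules()) {
                LOG.debug(
                        "evaluating policy for {} {}:{}:{}",
                        deny ? "deny" : "allow",
                        policyContext.getRoleName(),
                        policyContext.getPolicyName(),
                        rule.getName());
                if (deny) {
                    rule.evaluateDenyRule(operationContext, subjectContext, resourceContextInterface, policyContext);
                } else {
                    rule.evaluateAllowRule(operationContext, subjectContext, resourceContextInterface, policyContext);
                }
            }
        }
    }

    /**
     * Reports, for every registered resource, which operations {@code subjectContext} may perform
     * according to its own policies. Policies are fetched with a {@code null} owner, so nothing
     * resource-specific is taken into account; every permission starts at {@code NOT_ALLOW} and is
     * only changed by an explicit rule.
     *
     * @param subjectContext the subject whose roles and policies are evaluated
     * @return one trimmed {@link ResourcePermission} per registered resource (mutable list)
     * @throws NullPointerException if {@code subjectContext} is null
     */
    public static List<ResourcePermission> listPermission(@NonNull SubjectContext subjectContext) {
        Objects.requireNonNull(subjectContext, "subjectContext is marked non-null but is null");
        Map<String, ResourcePermission> permissionsByResource = initResourcePermissions();
        Iterator<SubjectContext.PolicyContext> policies = subjectContext.getPolicies(null);
        while (policies.hasNext()) {
            SubjectContext.PolicyContext policyContext = policies.next();
            for (CompiledRule rule : policyContext.getRules()) {
                LOG.debug("evaluating {}:{}:{}\n", policyContext.getRoleName(), policyContext.getPolicyName(), rule.getName());
                rule.evaluatePermission(permissionsByResource, policyContext);
            }
        }
        return trimResourcePermissions(new ArrayList<>(permissionsByResource.values()));
    }

    /**
     * Reports, for every registered resource, which operations the given policies grant on their
     * own, independent of any particular subject. The policy iterator is constructed with empty
     * names and a {@code null} third argument; its exact meaning is defined by
     * {@link SubjectContext.PolicyIterator}.
     *
     * @param list the policies to evaluate
     * @return one trimmed {@link ResourcePermission} per registered resource (mutable list)
     * @throws NullPointerException if {@code list} is null
     */
    public static List<ResourcePermission> listPermission(@NonNull List<EntityReference> list) {
        Objects.requireNonNull(list, "policies is marked non-null but is null");
        Map<String, ResourcePermission> permissionsByResource = initResourcePermissions();
        SubjectContext.PolicyIterator policies =
                new SubjectContext.PolicyIterator(BotTokenCache.EMPTY_STRING, BotTokenCache.EMPTY_STRING, null, list);
        while (policies.hasNext()) {
            SubjectContext.PolicyContext policyContext = policies.next();
            for (CompiledRule rule : policyContext.getRules()) {
                LOG.debug("Evaluating {}:{}:{}\n", policyContext.getRoleName(), policyContext.getPolicyName(), rule.getName());
                rule.evaluatePermission(permissionsByResource, policyContext);
            }
        }
        return trimResourcePermissions(new ArrayList<>(permissionsByResource.values()));
    }

    /**
     * Reports which operations {@code subjectContext} may perform on the resource type named
     * {@code str}, without reference to a specific resource instance or owner (policies are
     * fetched with a {@code null} owner). Every operation starts at {@code NOT_ALLOW}.
     *
     * @param subjectContext the subject whose roles and policies are evaluated
     * @param str the resource type name, resolved through {@link ResourceRegistry}
     * @return the trimmed permission set for that resource type
     * @throws NullPointerException if {@code subjectContext} is null
     */
    public static ResourcePermission getPermission(@NonNull SubjectContext subjectContext, String str) {
        Objects.requireNonNull(subjectContext, "subjectContext is marked non-null but is null");
        ResourcePermission resourcePermission = getResourcePermission(str, Permission.Access.NOT_ALLOW);
        Iterator<SubjectContext.PolicyContext> policies = subjectContext.getPolicies(null);
        while (policies.hasNext()) {
            SubjectContext.PolicyContext policyContext = policies.next();
            for (CompiledRule rule : policyContext.getRules()) {
                LOG.debug("evaluating {}:{}:{}\n", policyContext.getRoleName(), policyContext.getPolicyName(), rule.getName());
                rule.evaluatePermission(str, resourcePermission, policyContext);
            }
        }
        return trimResourcePermission(resourcePermission);
    }

    /**
     * Reports which operations {@code subjectContext} may perform on the specific resource described
     * by {@code resourceContextInterface}. Unlike the name-based overload, policies are fetched
     * relative to the resource owner and the rules see the resource context, so owner-dependent
     * rules can apply. Every operation starts at {@code NOT_ALLOW}.
     *
     * @param subjectContext the subject whose roles and policies are evaluated
     * @param resourceContextInterface the resource instance; must not be null (dereferenced
     *     without a check)
     * @return the trimmed permission set for that resource
     * @throws NullPointerException if {@code subjectContext} is null
     */
    public static ResourcePermission getPermission(
            @NonNull SubjectContext subjectContext, ResourceContextInterface resourceContextInterface) {
        Objects.requireNonNull(subjectContext, "subjectContext is marked non-null but is null");
        ResourcePermission resourcePermission =
                getResourcePermission(resourceContextInterface.getResource(), Permission.Access.NOT_ALLOW);
        Iterator<SubjectContext.PolicyContext> policies =
                subjectContext.getPolicies(resourceContextInterface.getOwner());
        while (policies.hasNext()) {
            SubjectContext.PolicyContext policyContext = policies.next();
            for (CompiledRule rule : policyContext.getRules()) {
                LOG.debug("evaluating {}:{}:{}\n", policyContext.getRoleName(), policyContext.getPolicyName(), rule.getName());
                rule.evaluatePermission(subjectContext, resourceContextInterface, resourcePermission, policyContext);
            }
        }
        return trimResourcePermission(resourcePermission);
    }

    /**
     * Builds a permission entry for every registered resource, with every operation set to
     * {@code access}, and trims the result.
     *
     * @param access the access level to assign to every operation
     * @return a mutable list with one {@link ResourcePermission} per registered resource
     */
    public static List<ResourcePermission> getResourcePermissions(Permission.Access access) {
        List<ResourcePermission> resourcePermissions = new ArrayList<>();
        for (ResourceDescriptor descriptor : ResourceRegistry.listResourceDescriptors()) {
            resourcePermissions.add(
                    new ResourcePermission()
                            .withResource(descriptor.getName())
                            .withPermissions(permissionsFor(descriptor, access)));
        }
        return trimResourcePermissions(resourcePermissions);
    }

    /**
     * Builds the permission entry for the resource type named {@code str}, with every operation set
     * to {@code access}, and trims it.
     *
     * @param str the resource type name, resolved through {@link ResourceRegistry}
     * @param access the access level to assign to every operation
     * @return the trimmed {@link ResourcePermission}; the resource name is taken from the
     *     registry's descriptor, not from {@code str}
     */
    public static ResourcePermission getResourcePermission(String str, Permission.Access access) {
        ResourceDescriptor descriptor = ResourceRegistry.getResourceDescriptor(str);
        return trimResourcePermission(
                new ResourcePermission()
                        .withResource(descriptor.getName())
                        .withPermissions(permissionsFor(descriptor, access)));
    }

    /**
     * One {@link Permission} per operation of {@code descriptor}, all at {@code access}.
     * Returns a mutable list because {@link #trimPermissions} edits it in place.
     */
    private static List<Permission> permissionsFor(ResourceDescriptor descriptor, Permission.Access access) {
        List<Permission> permissions = new ArrayList<>();
        for (MetadataOperation operation : descriptor.getOperations()) {
            permissions.add(new Permission().withOperation(operation).withAccess(access));
        }
        return permissions;
    }

    /**
     * Starting point for permission reporting: every registered resource with every operation at
     * {@code NOT_ALLOW}, keyed by resource name. Rules upgrade entries in this map.
     *
     * @return a mutable map from resource name to its (trimmed) {@link ResourcePermission}
     */
    public static Map<String, ResourcePermission> initResourcePermissions() {
        Map<String, ResourcePermission> byResource = new HashMap<>();
        for (ResourcePermission resourcePermission : getResourcePermissions(Permission.Access.NOT_ALLOW)) {
            byResource.put(resourcePermission.getResource(), resourcePermission);
        }
        return byResource;
    }

    /**
     * Collapses fine-grained permissions that an explicit {@code VIEW_ALL}/{@code EDIT_ALL} decision
     * already covers, editing {@code list} in place.
     *
     * <p>When {@code VIEW_ALL} is explicitly {@code ALLOW} or {@code DENY}, every other operation
     * whose name starts with {@code "View"} is removed; likewise {@code EDIT_ALL} for operations
     * starting with {@code "Edit"}. Any other access value on {@code VIEW_ALL}/{@code EDIT_ALL}
     * leaves the fine-grained entries untouched, so they stay visible until a definite decision
     * exists. The {@code VIEW_ALL}/{@code EDIT_ALL} entries themselves are never removed.
     *
     * @param list the permissions to trim; must be mutable
     * @return the same {@code list}, after removal
     */
    public static List<Permission> trimPermissions(List<Permission> list) {
        boolean viewAllDecided = hasDecidedOperation(list, MetadataOperation.VIEW_ALL);
        boolean editAllDecided = hasDecidedOperation(list, MetadataOperation.EDIT_ALL);
        list.removeIf(permission -> {
            MetadataOperation operation = permission.getOperation();
            boolean coveredByViewAll =
                    viewAllDecided && operation != MetadataOperation.VIEW_ALL && operation.value().startsWith("View");
            boolean coveredByEditAll =
                    editAllDecided && operation != MetadataOperation.EDIT_ALL && operation.value().startsWith("Edit");
            return coveredByViewAll || coveredByEditAll;
        });
        return list;
    }

    /** True if {@code permissions} holds {@code operation} at an explicit allow or deny. */
    private static boolean hasDecidedOperation(List<Permission> permissions, MetadataOperation operation) {
        for (Permission permission : permissions) {
            if (permission.getOperation() == operation && isDecided(permission.getAccess())) {
                return true;
            }
        }
        return false;
    }

    /** A permission counts as decided only when a rule set it to an explicit allow or deny. */
    private static boolean isDecided(Permission.Access access) {
        return access == Permission.Access.ALLOW || access == Permission.Access.DENY;
    }

    /**
     * Trims the permission list of {@code resourcePermission} in place (see {@link #trimPermissions}).
     *
     * @return the same {@code resourcePermission}, with its permissions trimmed
     */
    public static ResourcePermission trimResourcePermission(ResourcePermission resourcePermission) {
        return resourcePermission.withPermissions(trimPermissions(resourcePermission.getPermissions()));
    }

    /**
     * Trims every entry of {@code list} in place (see {@link #trimPermissions}).
     *
     * @return the same {@code list}
     */
    public static List<ResourcePermission> trimResourcePermissions(List<ResourcePermission> list) {
        list.forEach(PolicyEvaluator::trimResourcePermission);
        return list;
    }
}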
