package org.openmetadata.service.security;

import at.favre.lib.crypto.bcrypt.BCrypt;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.jdbi.v3.core.Jdbi;
import org.openmetadata.schema.api.configuration.airflow.AirflowConfiguration;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.email.SmtpSettings;
import org.openmetadata.schema.entity.Bot;
import org.openmetadata.schema.entity.BotType;
import org.openmetadata.schema.entity.teams.AuthenticationMechanism;
import org.openmetadata.schema.entity.teams.User;
import org.openmetadata.schema.teams.authn.BasicAuthMechanism;
import org.openmetadata.schema.teams.authn.JWTAuthMechanism;
import org.openmetadata.schema.teams.authn.JWTTokenExpiry;
import org.openmetadata.schema.teams.authn.SSOAuthMechanism;
import org.openmetadata.schema.type.EntityReference;
import org.openmetadata.schema.type.Permission;
import org.openmetadata.schema.type.ResourcePermission;
import org.openmetadata.service.Entity;
import org.openmetadata.service.OpenMetadataApplicationConfig;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.exception.EntityNotFoundException;
import org.openmetadata.service.jdbi3.BotRepository;
import org.openmetadata.service.jdbi3.EntityRepository;
import org.openmetadata.service.jdbi3.UserRepository;
import org.openmetadata.service.resources.teams.UserResource;
import org.openmetadata.service.secrets.SecretsManager;
import org.openmetadata.service.secrets.SecretsManagerFactory;
import org.openmetadata.service.security.jwt.JWTTokenGenerator;
import org.openmetadata.service.security.policyevaluator.OperationContext;
import org.openmetadata.service.security.policyevaluator.PolicyCache;
import org.openmetadata.service.security.policyevaluator.PolicyEvaluator;
import org.openmetadata.service.security.policyevaluator.ResourceContextInterface;
import org.openmetadata.service.security.policyevaluator.RoleCache;
import org.openmetadata.service.security.policyevaluator.SubjectCache;
import org.openmetadata.service.security.policyevaluator.SubjectContext;
import org.openmetadata.service.util.EmailUtil;
import org.openmetadata.service.util.EntityUtil;
import org.openmetadata.service.util.PasswordUtil;
import org.openmetadata.service.util.RestUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/security/DefaultAuthorizer.class */
public class DefaultAuthorizer implements Authorizer {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizer.class);
    private static final String COLON_DELIMITER = ":";
    private static final String DEFAULT_ADMIN = "admin";
    private Set<String> adminUsers;
    private Set<String> botPrincipalUsers;
    private Set<String> testUsers;
    private String principalDomain;
    private String providerType;
    private boolean isSmtpEnabled;

    @Override // org.openmetadata.service.security.Authorizer
    public void init(OpenMetadataApplicationConfig openMetadataApplicationConfig, Jdbi jdbi) {
        LOG.info("Initializing DefaultAuthorizer with config {}", openMetadataApplicationConfig.getAuthorizerConfiguration());
        this.adminUsers = new HashSet(openMetadataApplicationConfig.getAuthorizerConfiguration().getAdminPrincipals());
        this.botPrincipalUsers = new HashSet(openMetadataApplicationConfig.getAuthorizerConfiguration().getBotPrincipals());
        this.testUsers = new HashSet(openMetadataApplicationConfig.getAuthorizerConfiguration().getTestPrincipals());
        this.principalDomain = openMetadataApplicationConfig.getAuthorizerConfiguration().getPrincipalDomain();
        this.providerType = openMetadataApplicationConfig.getAuthenticationConfiguration().getProvider();
        SmtpSettings smtpSettings = openMetadataApplicationConfig.getSmtpSettings();
        this.isSmtpEnabled = smtpSettings != null && smtpSettings.getEnableSmtpServer().booleanValue();
        SubjectCache.initialize();
        PolicyCache.initialize();
        RoleCache.initialize();
        LOG.debug("Admin users: {}", this.adminUsers);
        initializeUsers(openMetadataApplicationConfig);
    }

    private void initializeUsers(OpenMetadataApplicationConfig openMetadataApplicationConfig) {
        BotType botType;
        LOG.debug("Checking user entries for admin users");
        String str = this.principalDomain.isEmpty() ? SecurityUtil.DEFAULT_PRINCIPAL_DOMAIN : this.principalDomain;
        if (this.providerType.equals(SSOAuthMechanism.SsoServiceType.BASIC.value())) {
            try {
                handleBasicAuth(this.adminUsers, str);
            } catch (IOException e) {
                LOG.error("Failed in Basic Auth Setup. Reason : {}", e.getMessage());
            }
        } else {
            for (String str2 : this.adminUsers) {
                addOrUpdateUser(user(str2, str, str2).withIsAdmin(true));
            }
        }
        LOG.debug("Checking user entries for bot users");
        Set<String> set = (Set) Arrays.stream(BotType.values()).map((v0) -> {
            return v0.value();
        }).collect(Collectors.toSet());
        set.remove(BotType.BOT.value());
        set.addAll(this.botPrincipalUsers);
        for (String str3 : set) {
            User addOrUpdateBotUser = addOrUpdateBotUser(user(str3, str, str3).withIsBot(true).withIsAdmin(false), openMetadataApplicationConfig);
            if (addOrUpdateBotUser != null) {
                try {
                    botType = BotType.fromValue(str3);
                } catch (IllegalArgumentException e2) {
                    botType = BotType.BOT;
                }
                addOrUpdateBot(bot(addOrUpdateBotUser).withBotUser(addOrUpdateBotUser.getEntityReference()).withBotType(botType));
            }
        }
        LOG.debug("Checking user entries for test users");
        for (String str4 : this.testUsers) {
            addOrUpdateUser(user(str4, str, str4));
        }
    }

    private void handleBasicAuth(Set<String> set, String str) throws IOException {
        for (String str2 : set) {
            if (str2.contains(COLON_DELIMITER)) {
                String[] split = str2.split(COLON_DELIMITER);
                addUserForBasicAuth(split[0], split[1], str);
            } else {
                boolean equals = str2.equals("admin");
                String generateRandomPassword = PasswordUtil.generateRandomPassword();
                if (equals || !this.isSmtpEnabled) {
                    generateRandomPassword = "admin";
                }
                addUserForBasicAuth(str2, generateRandomPassword, str);
            }
        }
    }

    private void addUserForBasicAuth(String str, String str2, String str3) throws IOException {
        EntityRepository entityRepository = Entity.getEntityRepository(Entity.USER);
        try {
            List<String> allowedFieldsCopy = entityRepository.getAllowedFieldsCopy();
            allowedFieldsCopy.add(UserResource.USER_PROTECTED_FIELDS);
            User user = (User) entityRepository.getByName(null, str, new EntityUtil.Fields(allowedFieldsCopy, String.join(",", allowedFieldsCopy)));
            if (user.getAuthenticationMechanism() == null) {
                updateUserWithHashedPwd(user, str2);
            }
            addOrUpdateUser(user);
        } catch (EntityNotFoundException e) {
            User withIsEmailVerified = user(str, str3, str).withIsAdmin(true).withIsEmailVerified(true);
            updateUserWithHashedPwd(withIsEmailVerified, str2);
            addOrUpdateUser(withIsEmailVerified);
            if (this.isSmtpEnabled) {
                sendInviteMailToAdmin(withIsEmailVerified, str2);
            }
        }
    }

    private void sendInviteMailToAdmin(User user, String str) {
        HashMap hashMap = new HashMap();
        hashMap.put(EmailUtil.ENTITY, EmailUtil.getInstance().getEmailingEntity());
        hashMap.put(EmailUtil.SUPPORT_URL, EmailUtil.getInstance().getSupportUrl());
        hashMap.put(EmailUtil.USERNAME, user.getName());
        hashMap.put(EmailUtil.PASSWORD, str);
        hashMap.put(EmailUtil.APPLICATION_LOGIN_LINK, EmailUtil.getInstance().getOMUrl());
        try {
            EmailUtil.getInstance().sendMail(EmailUtil.getInstance().getEmailInviteSubject(), hashMap, user.getEmail(), EmailUtil.EMAIL_TEMPLATE_BASEPATH, EmailUtil.INVITE_RANDOM_PWD);
        } catch (Exception e) {
            LOG.error("Failed in sending Mail to user [{}]. Reason : {}", user.getEmail(), e.getMessage());
        }
    }

    private void updateUserWithHashedPwd(User user, String str) {
        user.setAuthenticationMechanism(new AuthenticationMechanism().withAuthType(AuthenticationMechanism.AuthType.BASIC).withConfig(new BasicAuthMechanism().withPassword(BCrypt.withDefaults().hashToString(12, str.toCharArray()))));
    }

    private User user(String str, String str2, String str3) {
        return new User().withId(UUID.randomUUID()).withName(str).withFullyQualifiedName(str).withEmail(str + "@" + str2).withUpdatedBy(str3).withUpdatedAt(Long.valueOf(System.currentTimeMillis())).withIsBot(false);
    }

    private Bot bot(User user) {
        return new Bot().withId(UUID.randomUUID()).withName(user.getName()).withFullyQualifiedName(user.getName()).withUpdatedBy(user.getUpdatedBy()).withUpdatedAt(Long.valueOf(System.currentTimeMillis())).withDisplayName(user.getName());
    }

    @Override // org.openmetadata.service.security.Authorizer
    public List<ResourcePermission> listPermissions(SecurityContext securityContext, String str) {
        SubjectContext changeSubjectContext = changeSubjectContext(str, getSubjectContext(securityContext));
        return (changeSubjectContext.isAdmin() || changeSubjectContext.isBot()) ? PolicyEvaluator.getResourcePermissions(Permission.Access.ALLOW) : PolicyEvaluator.listPermission(changeSubjectContext);
    }

    @Override // org.openmetadata.service.security.Authorizer
    public ResourcePermission getPermission(SecurityContext securityContext, String str, String str2) {
        SubjectContext changeSubjectContext = changeSubjectContext(str, getSubjectContext(securityContext));
        return (changeSubjectContext.isAdmin() || changeSubjectContext.isBot()) ? PolicyEvaluator.getResourcePermission(str2, Permission.Access.ALLOW) : PolicyEvaluator.getPermission(changeSubjectContext, str2);
    }

    @Override // org.openmetadata.service.security.Authorizer
    public ResourcePermission getPermission(SecurityContext securityContext, String str, ResourceContextInterface resourceContextInterface) {
        SubjectContext changeSubjectContext = changeSubjectContext(str, getSubjectContext(securityContext));
        return (changeSubjectContext.isAdmin() || changeSubjectContext.isBot()) ? PolicyEvaluator.getResourcePermission(resourceContextInterface.getResource(), Permission.Access.ALLOW) : PolicyEvaluator.getPermission(changeSubjectContext, resourceContextInterface);
    }

    @Override // org.openmetadata.service.security.Authorizer
    public boolean isOwner(SecurityContext securityContext, EntityReference entityReference) {
        if (entityReference == null) {
            return false;
        }
        try {
            return getSubjectContext(securityContext).isOwner(entityReference);
        } catch (EntityNotFoundException e) {
            return false;
        }
    }

    @Override // org.openmetadata.service.security.Authorizer
    public void authorize(SecurityContext securityContext, OperationContext operationContext, ResourceContextInterface resourceContextInterface, boolean z) throws IOException {
        SubjectContext subjectContext = getSubjectContext(securityContext);
        if (subjectContext.isAdmin()) {
            return;
        }
        if (z && subjectContext.isBot()) {
            return;
        }
        PolicyEvaluator.hasPermission(subjectContext, resourceContextInterface, operationContext);
    }

    @Override // org.openmetadata.service.security.Authorizer
    public void authorizeAdmin(SecurityContext securityContext, boolean z) {
        SubjectContext subjectContext = getSubjectContext(securityContext);
        if (subjectContext.isAdmin()) {
            return;
        }
        if (!z || !subjectContext.isBot()) {
            throw new AuthorizationException(CatalogExceptionMessage.notAdmin(securityContext.getUserPrincipal().getName()));
        }
    }

    private User addOrUpdateUser(User user) {
        try {
            RestUtil.PutResponse createOrUpdate = Entity.getEntityRepository(Entity.USER).createOrUpdate(null, user);
            LOG.debug("Added user entry: {}", ((User) createOrUpdate.getEntity()).getName());
            return (User) createOrUpdate.getEntity();
        } catch (Exception e) {
            LOG.debug("Caught exception: {}", ExceptionUtils.getStackTrace(e));
            user.setAuthenticationMechanism((AuthenticationMechanism) null);
            LOG.debug("User entry: {} already exists.", user.getName());
            return null;
        }
    }

    private User addOrUpdateBotUser(User user, OpenMetadataApplicationConfig openMetadataApplicationConfig) {
        User retrieveAuthMechanism = retrieveAuthMechanism(user);
        AuthenticationMechanism authenticationMechanism = retrieveAuthMechanism != null ? retrieveAuthMechanism.getAuthenticationMechanism() : null;
        if (authenticationMechanism == null) {
            AuthenticationConfiguration authenticationConfiguration = openMetadataApplicationConfig.getAuthenticationConfiguration();
            AirflowConfiguration airflowConfiguration = openMetadataApplicationConfig.getAirflowConfiguration();
            if ("openmetadata".equals(airflowConfiguration.getAuthProvider()) && !"basic".equals(authenticationConfiguration.getProvider())) {
                authenticationMechanism = buildAuthMechanism(AuthenticationMechanism.AuthType.JWT, new JWTAuthMechanism().withJWTToken(airflowConfiguration.getAuthConfig().getOpenmetadata().getJwtToken()).withJWTTokenExpiry(JWTTokenExpiry.Unlimited));
            } else if (airflowConfiguration.getAuthConfig() != null && !"basic".equals(authenticationConfiguration.getProvider())) {
                String provider = authenticationConfiguration.getProvider();
                boolean z = -1;
                switch (provider.hashCode()) {
                    case -1823858507:
                        if (provider.equals("custom-oidc")) {
                            z = 5;
                            break;
                        }
                        break;
                    case -1240244679:
                        if (provider.equals("google")) {
                            z = 2;
                            break;
                        }
                        break;
                    case 3413321:
                        if (provider.equals("okta")) {
                            z = 3;
                            break;
                        }
                        break;
                    case 93181832:
                        if (provider.equals("auth0")) {
                            z = 4;
                            break;
                        }
                        break;
                    case 93332111:
                        if (provider.equals("azure")) {
                            z = true;
                            break;
                        }
                        break;
                    case 2063557172:
                        if (provider.equals("no-auth")) {
                            z = false;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        break;
                    case true:
                        authenticationMechanism = buildAuthMechanism(AuthenticationMechanism.AuthType.SSO, buildAuthMechanismConfig(SSOAuthMechanism.SsoServiceType.AZURE, airflowConfiguration.getAuthConfig().getAzure()));
                        break;
                    case true:
                        authenticationMechanism = buildAuthMechanism(AuthenticationMechanism.AuthType.SSO, buildAuthMechanismConfig(SSOAuthMechanism.SsoServiceType.GOOGLE, airflowConfiguration.getAuthConfig().getGoogle()));
                        break;
                    case true:
                        authenticationMechanism = buildAuthMechanism(AuthenticationMechanism.AuthType.SSO, buildAuthMechanismConfig(SSOAuthMechanism.SsoServiceType.OKTA, airflowConfiguration.getAuthConfig().getOkta()));
                        break;
                    case true:
                        authenticationMechanism = buildAuthMechanism(AuthenticationMechanism.AuthType.SSO, buildAuthMechanismConfig(SSOAuthMechanism.SsoServiceType.AUTH_0, airflowConfiguration.getAuthConfig().getAuth0()));
                        break;
                    case true:
                        authenticationMechanism = buildAuthMechanism(AuthenticationMechanism.AuthType.SSO, buildAuthMechanismConfig(SSOAuthMechanism.SsoServiceType.CUSTOM_OIDC, airflowConfiguration.getAuthConfig().getCustomOidc()));
                        break;
                    default:
                        throw new IllegalArgumentException(String.format("Unexpected auth provider [%s] for bot [%s]", authenticationConfiguration.getProvider(), user.getName()));
                }
            } else if ("basic".equals(authenticationConfiguration.getProvider())) {
                authenticationMechanism = buildAuthMechanism(AuthenticationMechanism.AuthType.JWT, JWTTokenGenerator.getInstance().generateJWTToken(user, JWTTokenExpiry.Unlimited));
            }
        }
        user.setAuthenticationMechanism(authenticationMechanism);
        user.setDescription(user.getDescription());
        user.setDisplayName(user.getDisplayName());
        return addOrUpdateUser(user);
    }

    private SSOAuthMechanism buildAuthMechanismConfig(SSOAuthMechanism.SsoServiceType ssoServiceType, Object obj) {
        return new SSOAuthMechanism().withSsoServiceType(ssoServiceType).withAuthConfig(obj);
    }

    private AuthenticationMechanism buildAuthMechanism(AuthenticationMechanism.AuthType authType, Object obj) {
        return new AuthenticationMechanism().withAuthType(authType).withConfig(obj);
    }

    private User retrieveAuthMechanism(User user) {
        try {
            User byName = ((EntityRepository) UserRepository.class.cast(Entity.getEntityRepository(Entity.USER))).getByName(null, user.getName(), new EntityUtil.Fields(List.of(UserResource.USER_PROTECTED_FIELDS)));
            AuthenticationMechanism authenticationMechanism = byName.getAuthenticationMechanism();
            SecretsManager secretsManager = SecretsManagerFactory.getSecretsManager();
            if (authenticationMechanism != null) {
                Object encryptOrDecryptBotUserCredentials = secretsManager.encryptOrDecryptBotUserCredentials(user.getName(), authenticationMechanism.getConfig(), false);
                authenticationMechanism.setConfig(encryptOrDecryptBotUserCredentials != null ? encryptOrDecryptBotUserCredentials : authenticationMechanism.getConfig());
            }
            return byName;
        } catch (IOException | EntityNotFoundException e) {
            LOG.debug("Bot entity: {} does not exists.", user);
            return null;
        }
    }

    private void addOrUpdateBot(Bot bot) {
        EntityRepository entityRepository = (EntityRepository) BotRepository.class.cast(Entity.getEntityRepository("bot"));
        try {
            bot.setBotUser(entityRepository.getByName(null, bot.getName(), EntityUtil.Fields.EMPTY_FIELDS).getBotUser());
        } catch (Exception e) {
        }
        try {
            LOG.debug("Added bot entry: {}", ((Bot) entityRepository.createOrUpdate(null, bot).getEntity()).getName());
        } catch (Exception e2) {
            LOG.debug("Caught exception: {}", ExceptionUtils.getStackTrace(e2));
            LOG.debug("Bot entry: {} already exists.", bot.getName());
        }
    }

    private SubjectContext getSubjectContext(SecurityContext securityContext) {
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            throw new AuthenticationException("No principal in security context");
        }
        return getSubjectContext(SecurityUtil.getUserName(securityContext.getUserPrincipal()));
    }

    private SubjectContext getSubjectContext(String str) {
        return SubjectCache.getInstance().getSubjectContext(str);
    }

    private SubjectContext changeSubjectContext(String str, SubjectContext subjectContext) {
        if (str == null || subjectContext.getUser().getName().equals(str)) {
            return subjectContext;
        }
        if (!subjectContext.isAdmin()) {
            throw new AuthorizationException(CatalogExceptionMessage.notAdmin(subjectContext.getUser().getName()));
        }
        LOG.debug("Changing subject context from logged-in user to {}", str);
        return getSubjectContext(str);
    }
}
