package org.apache.kylin.rest.controller;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import io.swagger.annotations.ApiOperation;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.collections.CollectionUtils;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.ServerErrorCode;
import org.apache.kylin.common.exception.code.ErrorCodeServer;
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.metadata.model.NDataModel;
import org.apache.kylin.metadata.model.NDataModelManager;
import org.apache.kylin.rest.request.AccessRequest;
import org.apache.kylin.rest.request.BatchAccessRequest;
import org.apache.kylin.rest.request.GlobalAccessRequest;
import org.apache.kylin.rest.request.GlobalBatchAccessRequest;
import org.apache.kylin.rest.response.AccessEntryResponse;
import org.apache.kylin.rest.response.CompositePermissionResponse;
import org.apache.kylin.rest.response.DataResult;
import org.apache.kylin.rest.response.EnvelopeResponse;
import org.apache.kylin.rest.response.UserAccessEntryResponse;
import org.apache.kylin.rest.security.AclPermissionEnum;
import org.apache.kylin.rest.security.AclPermissionFactory;
import org.apache.kylin.rest.service.AccessService;
import org.apache.kylin.rest.service.AclTCRService;
import org.apache.kylin.rest.service.IUserGroupService;
import org.apache.kylin.rest.service.ProjectService;
import org.apache.kylin.rest.service.UserAclService;
import org.apache.kylin.rest.service.UserService;
import org.apache.kylin.rest.util.PagingUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.acls.model.Permission;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@RequestMapping(value = {"/api/access"}, produces = {"application/vnd.apache.kylin-v4+json"})
@Controller
/* loaded from: input_file:org/apache/kylin/rest/controller/NAccessController.class */
public class NAccessController extends NBasicController {

    @Autowired
    @Qualifier("accessService")
    private AccessService accessService;

    @Autowired
    @Qualifier("userService")
    protected UserService userService;

    @Autowired
    @Qualifier("userGroupService")
    private IUserGroupService userGroupService;

    @Autowired
    @Qualifier("aclTCRService")
    private AclTCRService aclTCRService;

    @Autowired(required = false)
    @Qualifier("userAclService")
    private UserAclService userAclService;

    @Autowired
    @Qualifier("projectService")
    private ProjectService projectService;

    @GetMapping(value = {"/permission/project_permission"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "access control APIs", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<String> getUserPermissionInPrj(@RequestParam("project") String str) {
        checkProjectName(str);
        return new EnvelopeResponse<>("000", this.accessService.getGroupsOfCurrentUser().contains("ROLE_ADMIN") ? "GLOBAL_ADMIN" : AclPermissionEnum.convertToAclPermission(this.accessService.getCurrentNormalUserPermissionInProject(str)), "");
    }

    @GetMapping(value = {"/permission/project_ext_permission"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "access control APIs", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<CompositePermissionResponse> getUserExtPermissionInPrj(@RequestParam("project") String str) {
        checkProjectName(str);
        List groupsOfCurrentUser = this.accessService.getGroupsOfCurrentUser();
        CompositePermissionResponse compositePermissionResponse = new CompositePermissionResponse();
        compositePermissionResponse.setPermission(groupsOfCurrentUser.contains("ROLE_ADMIN") ? "GLOBAL_ADMIN" : AclPermissionEnum.convertToAclPermission(this.accessService.getCurrentNormalUserPermissionInProject(str)));
        compositePermissionResponse.setExtPermissions(this.accessService.getUserNormalExtPermissions(str));
        return new EnvelopeResponse<>("000", compositePermissionResponse, "");
    }

    @GetMapping({"/available/{sid_type:.+}/{uuid:.+}"})
    @ApiOperation(value = "getAvailableSids", tags = {"MID"}, notes = "Update Param: sid_type, is_case_sensitive, page_offset, page_size; Update Response: total_size")
    @ResponseBody
    public EnvelopeResponse<DataResult<List<String>>> getAvailableSids(@PathVariable("uuid") String str, @PathVariable("sid_type") String str2, @RequestParam(value = "project", required = false) String str3, @RequestParam(value = "name", required = false) String str4, @RequestParam(value = "is_case_sensitive", required = false) boolean z, @RequestParam(value = "page_offset", required = false, defaultValue = "0") Integer num, @RequestParam(value = "page_size", required = false, defaultValue = "10") Integer num2) throws IOException {
        RootPersistentEntity aclEntity = this.accessService.getAclEntity("ProjectInstance", str);
        ArrayList newArrayList = Lists.newArrayList();
        if (str2.equalsIgnoreCase("user")) {
            newArrayList.addAll(this.userService.listNormalUsers());
            newArrayList.removeAll(this.accessService.getAllAclSids(aclEntity, "user"));
        } else {
            newArrayList.addAll(getAllUserGroups());
            newArrayList.removeAll(this.accessService.getAllAclSids(aclEntity, "group"));
            newArrayList.remove("ROLE_ADMIN");
        }
        List identifierAfterFuzzyMatching = PagingUtil.getIdentifierAfterFuzzyMatching(str4, z, newArrayList);
        return new EnvelopeResponse<>("000", DataResult.get(PagingUtil.cutPage(identifierAfterFuzzyMatching, num.intValue(), num2.intValue()), identifierAfterFuzzyMatching), "");
    }

    @GetMapping({"/available/{entity_type:.+}"})
    @ApiOperation(value = "access control APIs", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<DataResult<List<String>>> getAvailableUsers(@PathVariable("entity_type") String str, @RequestParam("project") String str2, @RequestParam(value = "model", required = false) String str3, @RequestParam(value = "name", required = false) String str4, @RequestParam(value = "is_case_sensitive", required = false) boolean z, @RequestParam(value = "page_offset", required = false, defaultValue = "0") Integer num, @RequestParam(value = "page_size", required = false, defaultValue = "10") Integer num2) throws IOException {
        checkProjectName(str2);
        ArrayList newArrayList = Lists.newArrayList();
        if ("ProjectInstance".equals(str)) {
            newArrayList.addAll(this.accessService.getProjectAdminUsers(str2));
            newArrayList.remove(getProject(str2).getOwner());
        } else {
            checkRequiredArg("model", str3);
            newArrayList.addAll(this.accessService.getProjectManagementUsers(str2));
            NDataModel dataModelDesc = ((NDataModelManager) this.projectService.getManager(NDataModelManager.class, str2)).getDataModelDesc(str3);
            if (Objects.isNull(dataModelDesc) || dataModelDesc.isBroken()) {
                throw new KylinException(ErrorCodeServer.MODEL_ID_NOT_EXIST, new Object[]{str3});
            }
            newArrayList.remove(dataModelDesc.getOwner());
        }
        List identifierAfterFuzzyMatching = PagingUtil.getIdentifierAfterFuzzyMatching(str4, z, newArrayList);
        return new EnvelopeResponse<>("000", DataResult.get(PagingUtil.cutPage(identifierAfterFuzzyMatching, num.intValue(), num2.intValue()), identifierAfterFuzzyMatching), "");
    }

    @GetMapping(value = {"/global/permission/{permissionType:.+}/{sid:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "getGlobalUserAccessEntities", tags = {"MID"}, notes = "Update Param: sid")
    @ResponseBody
    public EnvelopeResponse<Map<String, Boolean>> getGlobalUserAccessEntities(@PathVariable("permissionType") String str, @PathVariable("sid") String str2) {
        return new EnvelopeResponse<>("000", Collections.singletonMap("enabled", Boolean.valueOf(this.userAclService.isSuperAdmin(str2) || this.userAclService.hasUserAclPermission(str2, AclPermissionFactory.getPermission(str.toUpperCase(Locale.ROOT))))), "");
    }

    @PutMapping(value = {"/global/permission/{permissionType:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "addGlobalUserAccessEntities", tags = {"MID"}, notes = "Update Body: sid")
    @ResponseBody
    public EnvelopeResponse<String> addGlobalUserAccessEntities(@PathVariable("permissionType") String str, @RequestBody GlobalAccessRequest globalAccessRequest) {
        checkRequiredArg("username", globalAccessRequest.getUsername());
        if (globalAccessRequest.isEnabled()) {
            this.userAclService.grantUserAclPermission(globalAccessRequest, str);
        } else {
            this.userAclService.revokeUserAclPermission(globalAccessRequest, str);
        }
        return new EnvelopeResponse<>("000", "", "");
    }

    @PostMapping(value = {"/global/permission/project/{permissionType:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ResponseBody
    public EnvelopeResponse<String> addProjectToUserAcl(@PathVariable("permissionType") String str, @RequestBody GlobalAccessRequest globalAccessRequest) {
        checkRequiredArg("username", globalAccessRequest.getUsername());
        checkProjectName(globalAccessRequest.getProject());
        this.userAclService.addProjectToUserAcl(globalAccessRequest, str);
        return new EnvelopeResponse<>("000", "", "");
    }

    @DeleteMapping(value = {"/global/permission/project/{permissionType:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ResponseBody
    public EnvelopeResponse<String> deleteProjectFromUserAcl(@PathVariable("permissionType") String str, @RequestBody GlobalAccessRequest globalAccessRequest) {
        checkRequiredArg("username", globalAccessRequest.getUsername());
        checkProjectName(globalAccessRequest.getProject());
        this.userAclService.deleteProjectFromUserAcl(globalAccessRequest, str);
        return new EnvelopeResponse<>("000", "", "");
    }

    @PutMapping(value = {"/global/batch/permission/{permissionType:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "batchAddGlobalUserAccessEntities", tags = {"MID"}, notes = "Update Body: sid")
    @ResponseBody
    public EnvelopeResponse<String> batchAddGlobalUserAccessEntities(@PathVariable("permissionType") String str, @RequestBody GlobalBatchAccessRequest globalBatchAccessRequest) {
        checkRequiredArg("usernames", globalBatchAccessRequest.getUsernameList());
        if (globalBatchAccessRequest.isEnabled()) {
            this.userAclService.grantUserAclPermission(globalBatchAccessRequest, str);
        } else {
            this.userAclService.revokeUserAclPermission(globalBatchAccessRequest, str);
        }
        return new EnvelopeResponse<>("000", "", "");
    }

    @GetMapping(value = {"/global/permission/user_acls"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "getAllGlobalUsersAccessEntities", tags = {"MID"}, notes = "Update Param: sid")
    @ResponseBody
    public EnvelopeResponse<List<UserAccessEntryResponse>> getAllGlobalUsersAccessEntities() {
        return new EnvelopeResponse<>("000", this.userAclService.listUserAcl(), "");
    }

    @GetMapping(value = {"/{type:.+}/{uuid:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "getAccessEntities", tags = {"MID"}, notes = "Update Param: is_case_sensitive, page_offset, page_size; Update Response: total_size")
    @ResponseBody
    public EnvelopeResponse<DataResult<List<AccessEntryResponse>>> getAccessEntities(@PathVariable("type") String str, @PathVariable("uuid") String str2, @RequestParam(value = "name", required = false) String str3, @RequestParam(value = "is_case_sensitive", required = false) boolean z, @RequestParam(value = "page_offset", required = false, defaultValue = "0") Integer num, @RequestParam(value = "page_size", required = false, defaultValue = "10") Integer num2) throws IOException {
        List generateAceResponsesByFuzzMatching = this.accessService.generateAceResponsesByFuzzMatching(this.accessService.getAclEntity(str, str2), str3, z);
        return new EnvelopeResponse<>("000", DataResult.get(PagingUtil.cutPage(generateAceResponsesByFuzzMatching, num.intValue(), num2.intValue()), generateAceResponsesByFuzzMatching), "");
    }

    @GetMapping(value = {"/{uuid:.+}/all"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "get users and groups for project", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<Map<String, List<String>>> getProjectUsersAndGroups(@PathVariable("uuid") String str) throws IOException {
        return new EnvelopeResponse<>("000", this.accessService.getProjectUsersAndGroups(this.accessService.getAclEntity("ProjectInstance", str)), "");
    }

    @PostMapping({"/{entity_type:.+}/{uuid:.+}"})
    @ApiOperation(value = "grant", tags = {"MID"}, notes = "Update URL: {entity_type}; Update Body: access_entry_id")
    @ResponseBody
    public EnvelopeResponse<String> grant(@PathVariable("entity_type") String str, @PathVariable("uuid") String str2, @RequestBody AccessRequest accessRequest) throws IOException {
        checkSid(accessRequest);
        if (accessRequest.isPrincipal()) {
            this.accessService.checkGlobalAdmin(accessRequest.getSid());
        }
        this.accessService.grant(this.accessService.getAclEntity(str, str2), accessRequest.getSid(), Boolean.valueOf(accessRequest.isPrincipal()), accessRequest.getPermission());
        if ("ProjectInstance".equals(str)) {
            this.aclTCRService.remoteGrantACL(str2, Lists.newArrayList(new AccessRequest[]{accessRequest}));
        }
        return new EnvelopeResponse<>("000", "", "");
    }

    @PostMapping(value = {"/batch/{entity_type:.+}/{uuid:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "batchGrant", tags = {"MID"}, notes = "Update URL: {entity_type}; Update Body: access_entry_id")
    @ResponseBody
    public EnvelopeResponse<String> batchGrant(@PathVariable("entity_type") String str, @PathVariable("uuid") String str2, @RequestParam(value = "init_acl", required = false, defaultValue = "true") boolean z, @RequestBody List<BatchAccessRequest> list) throws IOException {
        List<AccessRequest> transform = transform(list);
        this.accessService.checkAccessRequestList(transform);
        this.accessService.batchGrant(transform, this.accessService.getAclEntity(str, str2));
        if ("ProjectInstance".equals(str) && z) {
            this.aclTCRService.remoteGrantACL(str2, transform);
        }
        return new EnvelopeResponse<>("000", "", "");
    }

    @PutMapping(value = {"/{type:.+}/{uuid:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "batchGrant", tags = {"MID"}, notes = "Update Body: access_entry_id")
    @ResponseBody
    public EnvelopeResponse<Boolean> updateAcl(@PathVariable("type") String str, @PathVariable("uuid") String str2, @RequestBody AccessRequest accessRequest) throws IOException {
        checkSid(accessRequest);
        RootPersistentEntity aclEntity = this.accessService.getAclEntity(str, str2);
        Permission permission = AclPermissionFactory.getPermission(accessRequest.getPermission());
        if (Objects.isNull(permission)) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, "Operation failed, unknown permission:" + accessRequest.getPermission());
        }
        if (accessRequest.isPrincipal()) {
            this.accessService.checkGlobalAdmin(accessRequest.getSid());
        }
        this.accessService.update(aclEntity, accessRequest.getAccessEntryId().intValue(), permission);
        return new EnvelopeResponse<>("000", Boolean.valueOf(CollectionUtils.isNotEmpty(this.projectService.getAdminProjects())), "");
    }

    @DeleteMapping({"/{entity_type:.+}/{uuid:.+}"})
    @ApiOperation(value = "revokeAcl", tags = {"MID"}, notes = "URL: entity_type; Update Param: entity_type; Update Body: access_entry_id")
    @ResponseBody
    public EnvelopeResponse<Boolean> revokeAcl(@PathVariable("entity_type") String str, @PathVariable("uuid") String str2, @RequestParam("access_entry_id") Integer num, @RequestParam("sid") String str3, @RequestParam("principal") boolean z) throws IOException {
        this.accessService.checkSidNotEmpty(str3, z);
        if (z) {
            this.accessService.checkGlobalAdmin(str3);
        }
        this.accessService.revoke(this.accessService.getAclEntity(str, str2), num.intValue());
        if ("ProjectInstance".equals(str)) {
            this.aclTCRService.remoteRevokeACL(str2, str3, z);
        }
        return new EnvelopeResponse<>("000", Boolean.valueOf(CollectionUtils.isNotEmpty(this.projectService.getAdminProjects())), "");
    }

    @PostMapping(value = {"/{entity_type:.+}/{uuid:.+}/deletion"}, produces = {"application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "batch revoke Acl", tags = {"MID"}, notes = "")
    @ResponseBody
    public EnvelopeResponse<Boolean> deleteAces(@PathVariable("entity_type") String str, @PathVariable("uuid") String str2, @RequestBody List<AccessRequest> list) throws IOException {
        this.accessService.checkSid(list);
        this.accessService.checkGlobalAdmin((List) list.stream().filter((v0) -> {
            return v0.isPrincipal();
        }).map((v0) -> {
            return v0.getSid();
        }).collect(Collectors.toList()));
        this.accessService.batchRevoke(this.accessService.getAclEntity(str, str2), list);
        if ("ProjectInstance".equals(str)) {
            list.forEach(accessRequest -> {
                this.aclTCRService.remoteRevokeACL(str2, accessRequest.getSid(), accessRequest.isPrincipal());
            });
        }
        return new EnvelopeResponse<>("000", Boolean.valueOf(CollectionUtils.isNotEmpty(this.projectService.getAdminProjects())), "");
    }

    @PutMapping(value = {"/extension/{type:.+}/{uuid:.+}"}, produces = {"application/vnd.apache.kylin-v4+json", "application/vnd.apache.kylin-v4-public+json"})
    @ApiOperation(value = "updateExtensionAcl", tags = {"MID"}, notes = "Update Body: access_entry_id")
    @ResponseBody
    public EnvelopeResponse<Boolean> updateExtensionAcl(@PathVariable("type") String str, @PathVariable("uuid") String str2, @RequestBody AccessRequest accessRequest) throws IOException {
        checkSid(accessRequest);
        RootPersistentEntity aclEntity = this.accessService.getAclEntity(str, str2);
        if (accessRequest.isPrincipal()) {
            this.accessService.checkGlobalAdmin(accessRequest.getSid());
        }
        this.accessService.updateExtensionPermission(aclEntity, accessRequest);
        return new EnvelopeResponse<>("000", Boolean.valueOf(CollectionUtils.isNotEmpty(this.projectService.getAdminProjects())), "");
    }

    private List<String> getAllUserGroups() throws IOException {
        return this.userGroupService.getAllUserGroups();
    }

    private void checkSid(AccessRequest accessRequest) throws IOException {
        this.accessService.checkSid(Lists.newArrayList(new AccessRequest[]{accessRequest}));
    }

    private List<AccessRequest> transform(List<BatchAccessRequest> list) {
        List<AccessRequest> list2 = (List) ((Stream) Optional.ofNullable(list).map((v0) -> {
            return v0.stream();
        }).orElseGet(Stream::empty)).map(batchAccessRequest -> {
            return (List) ((Stream) Optional.ofNullable(batchAccessRequest.getSids()).map((v0) -> {
                return v0.stream();
            }).orElseGet(Stream::empty)).map(str -> {
                AccessRequest accessRequest = new AccessRequest();
                accessRequest.setAccessEntryId(Integer.valueOf(batchAccessRequest.getAccessEntryId()));
                accessRequest.setPermission(batchAccessRequest.getPermission());
                accessRequest.setExtPermissions(batchAccessRequest.getExtPermissions());
                accessRequest.setPrincipal(batchAccessRequest.isPrincipal());
                if (batchAccessRequest.isPrincipal()) {
                    accessRequest.setSid(makeUserNameCaseInSentive(str));
                } else {
                    accessRequest.setSid(str);
                }
                return accessRequest;
            }).collect(Collectors.toList());
        }).flatMap((v0) -> {
            return v0.stream();
        }).collect(Collectors.toList());
        HashSet newHashSet = Sets.newHashSet();
        list2.stream().filter(accessRequest -> {
            return !newHashSet.add(new StringBuilder().append(accessRequest.getSid()).append(accessRequest.isPrincipal()).toString());
        }).findAny().ifPresent(accessRequest2 -> {
            throw new KylinException(ServerErrorCode.DUPLICATE_USER_NAME, "Operation failed, duplicated sid: " + accessRequest2.getSid());
        });
        return list2;
    }
}
