package org.apache.kylin.rest.controller.open;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Lists;
import io.swagger.annotations.ApiOperation;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.ServerErrorCode;
import org.apache.kylin.common.exception.code.ErrorCodeServer;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.common.persistence.AclEntity;
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.metadata.project.NProjectManager;
import org.apache.kylin.rest.aspect.InsensitiveNameAspect;
import org.apache.kylin.rest.controller.NBasicController;
import org.apache.kylin.rest.request.AccessRequest;
import org.apache.kylin.rest.request.BatchProjectPermissionRequest;
import org.apache.kylin.rest.request.ProjectPermissionRequest;
import org.apache.kylin.rest.response.AccessEntryResponse;
import org.apache.kylin.rest.response.DataResult;
import org.apache.kylin.rest.response.EnvelopeResponse;
import org.apache.kylin.rest.response.ProjectPermissionResponse;
import org.apache.kylin.rest.response.SidPermissionWithAclResponse;
import org.apache.kylin.rest.security.AclPermissionEnum;
import org.apache.kylin.rest.security.ExternalAclProvider;
import org.apache.kylin.rest.service.AccessService;
import org.apache.kylin.rest.service.AclTCRService;
import org.apache.kylin.rest.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

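/**
 * Open (public-API) controller for project-level access control, mapped under {@code /api/access}.
 *
 * <p>The endpoints list, grant, update and revoke ACL entries on a project, and report the ACL
 * permissions held by a single user or group. Each write endpoint validates its input, changes the
 * project ACL through {@link AccessService}, and then calls {@link AclTCRService} for the same SIDs.
 *
 * <p>NOTE(review): no authorization annotation or explicit check of the caller's own permissions is
 * visible in this class. Presumably enforced inside {@code AccessService} / {@code AclTCRService}
 * or by the inherited controller. Confirm, because these endpoints decide who can access a project.
 */
@RequestMapping(value = {"/api/access"}, produces = {"application/vnd.apache.kylin-v4-public+json"})
@Controller
/* loaded from: input_file:org/apache/kylin/rest/controller/open/OpenAccessController.class */
public class OpenAccessController extends NBasicController {

    @Autowired
    @Qualifier("accessService")
    private AccessService accessService;

    @Autowired
    @Qualifier("aclTCRService")
    private AclTCRService aclTCRService;

    @Autowired
    @Qualifier("userService")
    protected UserService userService;

    /**
     * Lists the ACL entries of a project, optionally filtered by a name fragment.
     *
     * @param project project name; validated with {@code checkProjectName}
     * @param name optional name passed to the fuzzy-matching lookup
     * @param isCaseSensitive forwarded to the lookup as its case-sensitivity flag
     * @param pageOffset page index, defaults to 0
     * @param pageSize page size, defaults to 10
     * @return one page of user/group permission entries
     * @throws IOException declared by the access service calls
     */
    @GetMapping({"/project"})
    @ApiOperation(value = "getProjectAccessPermissions", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<DataResult<List<ProjectPermissionResponse>>> getProjectAccessPermissions(@RequestParam("project") String project, @RequestParam(value = "name", required = false) String name, @RequestParam(value = "is_case_sensitive", required = false) boolean isCaseSensitive, @RequestParam(value = "page_offset", required = false, defaultValue = "0") Integer pageOffset, @RequestParam(value = "page_size", required = false, defaultValue = "10") Integer pageSize) throws IOException {
        String projectUuid = getProjectUuid(checkProjectName(project));
        RootPersistentEntity aclEntity = this.accessService.getAclEntity("ProjectInstance", projectUuid);
        List<AccessEntryResponse> aceResponses = this.accessService.generateAceResponsesByFuzzMatching(aclEntity, name, isCaseSensitive);
        List<ProjectPermissionResponse> permissions = convertAceResponseToProjectPermissionResponse(aceResponses);
        // NOTE(review): no range check on page_offset / page_size is visible here; the values go
        // straight to DataResult.get. Confirm it rejects negative or oversized values.
        return new EnvelopeResponse<>("000", DataResult.get(permissions, pageOffset.intValue(), pageSize.intValue()), "");
    }

    /**
     * Grants one permission on a project to a batch of users or groups.
     *
     * <p>Order of checks: project name, SID type, non-blank names, case normalization, then the
     * external permission string. Only after those pass is the ACL changed.
     *
     * @param request project, SID type ("user" or "group"), SID names and permission
     * @return an empty success envelope
     * @throws IOException declared by the access service calls
     */
    @PostMapping({"/project"})
    @ApiOperation(value = "grantProjectPermission", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<String> grantProjectPermission(@RequestBody BatchProjectPermissionRequest request) throws IOException {
        request.setProject(checkProjectName(request.getProject()));
        checkType(request.getType());
        checkNames(request.getNames());
        updateRequestCaseInsentive(request);
        ExternalAclProvider.checkExternalPermission(request.getPermission());
        String projectUuid = getProjectUuid(request.getProject());
        RootPersistentEntity aclEntity = this.accessService.getAclEntity("ProjectInstance", projectUuid);
        List<AccessRequest> accessRequests = convertBatchPermissionRequestToAccessRequests(aclEntity, request);
        this.accessService.checkAccessRequestList(accessRequests);
        // NOTE(review): the ACL grant and the ACL-TCR update are two separate calls; whether a
        // failure in the second leaves the grant in place is not visible from here. Confirm.
        this.accessService.remoteBatchGrantAccess(accessRequests, aclEntity);
        this.aclTCRService.updateAclTCR(projectUuid, accessRequests);
        return new EnvelopeResponse<>("000", "", "");
    }

    /**
     * Sets the permission of a single user or group on a project.
     *
     * @param request project, SID type ("user" or "group"), SID name and permission
     * @return an empty success envelope
     * @throws IOException declared by the access service calls
     */
    @PutMapping({"/project"})
    @ApiOperation(value = "updateProjectPermission", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<String> updateProjectPermission(@RequestBody ProjectPermissionRequest request) throws IOException {
        request.setProject(checkProjectName(request.getProject()));
        checkType(request.getType());
        checkName(request.getName());
        updateRequestCaseInsentive(request);
        ExternalAclProvider.checkExternalPermission(request.getPermission());
        AccessRequest accessRequest = convertPermissionRequestToAccessRequest(request);
        // Each service call gets its own list, so one call cannot affect the other's input.
        this.accessService.checkAccessRequestList(Lists.newArrayList(accessRequest));
        String projectUuid = getProjectUuid(request.getProject());
        RootPersistentEntity aclEntity = this.accessService.getAclEntity("ProjectInstance", projectUuid);
        this.accessService.remoteGrantAccess(aclEntity, accessRequest.getSid(), Boolean.valueOf(accessRequest.isPrincipal()), accessRequest.getPermission());
        this.aclTCRService.updateAclTCR(projectUuid, Lists.newArrayList(accessRequest));
        return new EnvelopeResponse<>("000", "", "");
    }

    /**
     * Revokes a user's or group's access to a project.
     *
     * <p>NOTE(review): unlike the grant and update endpoints, {@code name} is not passed through
     * {@code makeUserNameCaseInSentive} in this method. Whether it is normalized elsewhere is not
     * visible here. Confirm that the revoked SID matches the stored one exactly.
     *
     * @param project project name; validated with {@code checkProjectName}
     * @param type "user" or "group" (case-insensitive)
     * @param name SID to revoke
     * @return an empty success envelope
     * @throws IOException declared by the access service calls
     */
    @DeleteMapping({"/project"})
    @ApiOperation(value = "revokeProjectPermission", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<String> revokeProjectPermission(@RequestParam("project") String project, @RequestParam("type") String type, @RequestParam("name") String name) throws IOException {
        String projectUuid = getProjectUuid(checkProjectName(project));
        checkType(type);
        checkSidExists(type, name);
        checkSidGranted(projectUuid, name);
        boolean principal = "user".equalsIgnoreCase(type);
        if (principal) {
            // Presumably refuses to revoke from a global administrator; verify in AccessService.
            this.accessService.checkGlobalAdmin(name);
        }
        RootPersistentEntity aclEntity = this.accessService.getAclEntity("ProjectInstance", projectUuid);
        this.accessService.remoteRevokeAccess(aclEntity, name, principal);
        this.aclTCRService.revokeAclTCR(projectUuid, name, principal);
        return new EnvelopeResponse<>("000", "", "");
    }

    /**
     * Reports the ACL permissions of one user or group, for one project or for every project the
     * SID has been granted.
     *
     * <p>NOTE(review): nothing in this method restricts which SID the caller may ask about.
     * Confirm that the service layer limits this lookup to callers allowed to see another
     * principal's permissions.
     *
     * @param type "user" or "group" (case-insensitive)
     * @param name SID to look up; for users it is replaced by the stored username when one is found
     * @param project optional project name; when blank, all granted projects are used
     * @return the SID's permissions per project
     * @throws IOException declared by the access service calls
     */
    @GetMapping({"/acls"})
    @ApiOperation(value = "getUserOrGroupAclPermissions", tags = {"MID"})
    @ResponseBody
    public EnvelopeResponse<List<SidPermissionWithAclResponse>> getUserOrGroupAclPermissions(@RequestParam("type") String type, @RequestParam("name") String name, @RequestParam(value = "project", required = false) String project) throws IOException {
        String projectName = StringUtils.isNotBlank(project) ? checkProjectName(project) : "";
        checkType(type);
        checkSidExists(type, name);
        boolean principal = "user".equalsIgnoreCase(type);
        String sidName = name;
        if (principal) {
            // Use the username as stored, so later lookups see the canonical spelling.
            UserDetails userDetails = this.userService.loadUserByUsername(name);
            if (userDetails != null) {
                sidName = userDetails.getUsername();
            }
        }
        List<String> projects;
        if (StringUtils.isBlank(project)) {
            projects = this.accessService.getGrantedProjectsOfUserOrGroup(sidName, principal);
        } else {
            projects = new ArrayList<>();
            projects.add(projectName);
        }
        return new EnvelopeResponse<>("000", this.accessService.getUserOrGroupAclPermissions(projects, sidName, principal), "");
    }

    /** Normalizes the SID type of a batch request and, for users, the user names. */
    private void updateRequestCaseInsentive(BatchProjectPermissionRequest request) {
        request.setType(InsensitiveNameAspect.getCaseInsentiveType(request.getType()));
        if ("user".equalsIgnoreCase(request.getType())) {
            request.setNames(makeUserNameCaseInSentive(request.getNames()));
        }
    }

    /** Normalizes the SID type of a single request and, for users, the user name. */
    private void updateRequestCaseInsentive(ProjectPermissionRequest request) {
        request.setType(InsensitiveNameAspect.getCaseInsentiveType(request.getType()));
        if ("user".equalsIgnoreCase(request.getType())) {
            request.setName(makeUserNameCaseInSentive(request.getName()));
        }
    }

    /** Delegates to {@code AccessService.checkSid}, treating type "user" as a principal SID. */
    private void checkSidExists(String type, String name) throws IOException {
        this.accessService.checkSid(name, "user".equalsIgnoreCase(type));
    }

    /**
     * Rejects the request when the lookup finds no ACL entry for {@code name} on the project.
     *
     * <p>NOTE(review): the lookup is the same fuzzy-matching call used for listing, with the
     * case-sensitivity flag set to false. If it matches on more than exact names, this guard can
     * pass because a different, similar SID is granted. Confirm.
     *
     * @throws KylinException with {@code UNAUTHORIZED_ENTITY} when nothing matches
     */
    private void checkSidGranted(String projectUuid, String name) throws IOException {
        RootPersistentEntity aclEntity = this.accessService.getAclEntity("ProjectInstance", projectUuid);
        List<AccessEntryResponse> matches = this.accessService.generateAceResponsesByFuzzMatching(aclEntity, name, false);
        if (CollectionUtils.isEmpty(matches)) {
            throw new KylinException(ServerErrorCode.UNAUTHORIZED_ENTITY, MsgPicker.getMsg().getUnauthorizedSid());
        }
    }

    /**
     * Accepts only "user" or "group", ignoring case.
     *
     * @throws KylinException with {@code PARAMETER_INVALID_SUPPORT_LIST} for any other value
     */
    private void checkType(String type) {
        boolean supported = "user".equalsIgnoreCase(type) || "group".equalsIgnoreCase(type);
        if (!supported) {
            throw new KylinException(ErrorCodeServer.PARAMETER_INVALID_SUPPORT_LIST, new Object[]{"type", "user, group"});
        }
    }

    /**
     * Requires a non-empty list with no blank entries.
     *
     * @throws KylinException with {@code EMPTY_PARAMETER} otherwise
     */
    private void checkNames(List<String> names) {
        if (CollectionUtils.isEmpty(names) || names.stream().anyMatch(StringUtils::isBlank)) {
            throw new KylinException(ServerErrorCode.EMPTY_PARAMETER, MsgPicker.getMsg().getEmptySid());
        }
    }

    /**
     * Requires a non-blank SID name.
     *
     * @throws KylinException with {@code EMPTY_PARAMETER} otherwise
     */
    private void checkName(String name) {
        if (StringUtils.isBlank(name)) {
            throw new KylinException(ServerErrorCode.EMPTY_PARAMETER, MsgPicker.getMsg().getEmptySid());
        }
    }

    /**
     * Resolves a project name to its UUID.
     *
     * <p>Every caller in this class passes a name that has already gone through
     * {@code checkProjectName}. This method does no null check on the looked-up project itself.
     */
    private String getProjectUuid(String project) {
        return NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(project).getUuid();
    }

    /** Builds the internal access request for a single-SID permission request. */
    private AccessRequest convertPermissionRequestToAccessRequest(ProjectPermissionRequest request) {
        AccessRequest accessRequest = new AccessRequest();
        accessRequest.setPrincipal("user".equalsIgnoreCase(request.getType()));
        accessRequest.setSid(request.getName());
        // Upper-cased with Locale.ROOT so the result does not depend on the server locale.
        accessRequest.setPermission(AclPermissionEnum.convertToAclPermission(request.getPermission().toUpperCase(Locale.ROOT)));
        return accessRequest;
    }

    /**
     * Expands a batch request into one access request per name.
     *
     * <p>For user SIDs, a requested name that equals an existing ACL SID ignoring case is replaced
     * by the existing spelling, so a grant updates that entry instead of adding a case variant.
     *
     * @param aclEntity project ACL entity whose existing SIDs are consulted
     * @param request batch request; type and permission apply to every name
     * @return the access requests, in the order of the request's names
     */
    @VisibleForTesting
    public List<AccessRequest> convertBatchPermissionRequestToAccessRequests(AclEntity aclEntity, BatchProjectPermissionRequest request) {
        List<AccessRequest> accessRequests = new ArrayList<>();
        String type = request.getType();
        String permission = AclPermissionEnum.convertToAclPermission(request.getPermission().toUpperCase(Locale.ROOT));
        boolean principal = "user".equalsIgnoreCase(type);
        for (String name : request.getNames()) {
            AccessRequest accessRequest = new AccessRequest();
            accessRequest.setPermission(permission);
            accessRequest.setPrincipal(principal);
            accessRequest.setSid(name);
            accessRequests.add(accessRequest);
        }
        if (principal) {
            List<String> existingSids = this.accessService.getAllAclSids(aclEntity, type);
            for (AccessRequest accessRequest : accessRequests) {
                // No early exit: when several stored SIDs differ only by case, the last one wins.
                for (String existingSid : existingSids) {
                    if (accessRequest.getSid().equalsIgnoreCase(existingSid)) {
                        accessRequest.setSid(existingSid);
                    }
                }
            }
        }
        return accessRequests;
    }

    /**
     * Maps ACL entries to the public response shape: SID type, SID name, permission and extended
     * permissions. An entry whose SID is neither a principal nor a granted authority keeps an empty
     * type and name.
     */
    private List<ProjectPermissionResponse> convertAceResponseToProjectPermissionResponse(List<AccessEntryResponse> aceResponses) {
        List<ProjectPermissionResponse> responses = new ArrayList<>();
        for (AccessEntryResponse entry : aceResponses) {
            String type = "";
            String name = "";
            // Held as Object so both instanceof checks type-check; the decompiled listing
            // declared it PrincipalSid, under which the group branch is not valid Java.
            Object sid = entry.getSid();
            if (sid instanceof PrincipalSid) {
                type = "user";
                name = ((PrincipalSid) sid).getPrincipal();
            } else if (sid instanceof GrantedAuthoritySid) {
                type = "group";
                name = ((GrantedAuthoritySid) sid).getGrantedAuthority();
            }
            String permission = ExternalAclProvider.convertToExternalPermission(entry.getPermission());
            List<String> extPermissions = CollectionUtils.isEmpty(entry.getExtPermissions())
                    ? Collections.emptyList()
                    : entry.getExtPermissions().stream()
                            .map(ExternalAclProvider::convertToExternalPermission)
                            .collect(Collectors.toList());
            responses.add(new ProjectPermissionResponse(type, name, permission, extPermissions));
        }
        return responses;
    }
}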
