package org.apache.kylin.rest.service;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.ServerErrorCode;
import org.apache.kylin.common.exception.code.ErrorCodeServer;
import org.apache.kylin.common.msg.Message;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.common.persistence.AclEntity;
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.common.persistence.transaction.AccessBatchGrantEventNotifier;
import org.apache.kylin.common.persistence.transaction.AccessGrantEventNotifier;
import org.apache.kylin.common.persistence.transaction.AccessRevokeEventNotifier;
import org.apache.kylin.common.util.JsonUtil;
import org.apache.kylin.common.util.Pair;
import org.apache.kylin.metadata.project.NProjectManager;
import org.apache.kylin.metadata.project.ProjectInstance;
import org.apache.kylin.metadata.user.ManagedUser;
import org.apache.kylin.rest.aspect.Transaction;
import org.apache.kylin.rest.request.AccessRequest;
import org.apache.kylin.rest.response.AccessEntryResponse;
import org.apache.kylin.rest.response.SidPermissionWithAclResponse;
import org.apache.kylin.rest.security.AclEntityFactory;
import org.apache.kylin.rest.security.AclPermission;
import org.apache.kylin.rest.security.AclPermissionFactory;
import org.apache.kylin.rest.security.AclRecord;
import org.apache.kylin.rest.security.CompositeAclPermission;
import org.apache.kylin.rest.security.ExternalAclProvider;
import org.apache.kylin.rest.security.MutableAclRecord;
import org.apache.kylin.rest.security.ObjectIdentityImpl;
import org.apache.kylin.rest.util.AclPermissionUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AlreadyExistsException;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

@Component("accessService")
/* loaded from: input_file:org/apache/kylin/rest/service/AccessService.class */
public class AccessService extends BasicService {
    private static final Logger logger = LoggerFactory.getLogger(AccessService.class);

    // Reads and persists ACL records: every grant/revoke path below ends in its upsertAce /
    // batchUpsertAce call, clean() ends in deleteAcl, inherit() in inherit.
    @Autowired
    @Qualifier("aclService")
    private AclService aclService;

    // User directory lookups used here: userExists, retainsNormalUser, getGlobalAdmin,
    // isGlobalAdmin, loadUserByUsername, listUsers.
    @Autowired
    @Qualifier("userService")
    protected UserService userService;

    // Optional dependency (required = false) and therefore possibly null at runtime;
    // getUserPermissionWithAclResponse / getGroupPermissionWithAclResponse dereference it unguarded.
    @Autowired(required = false)
    @Qualifier("aclTCRService")
    private AclTCRServiceSupporter aclTCRService;

    // Answers whether an admin user may run queries (canAdminUserQuery) and whether a user holds a
    // user-level ACL permission in a project (hasUserAclPermissionInProject).
    @Autowired
    @Qualifier("userAclService")
    private UserAclService userAclService;

    /**
     * Creates the ACL for {@code aclEntity}, or reads the stored one when it already exists, and
     * optionally grants {@code permission} to the principal of the current security context.
     *
     * @param aclEntity  domain object whose ACL is initialised
     * @param permission permission to grant to the current principal, or {@code null} to grant nothing
     * @return the ACL record; when a permission was granted, the record returned by {@code grant}
     */
    @Transaction
    public MutableAclRecord init(AclEntity aclEntity, Permission permission) {
        ObjectIdentityImpl identity = new ObjectIdentityImpl(aclEntity);
        MutableAclRecord acl;
        try {
            acl = (MutableAclRecord) this.aclService.createAcl(identity);
        } catch (AlreadyExistsException alreadyStored) {
            // Someone created it first: fall back to the persisted record.
            acl = this.aclService.readAcl(identity);
        }
        if (permission == null) {
            return acl;
        }
        // The grant goes to whoever is authenticated right now.
        // NOTE(review): a null Authentication is not guarded here — confirm PrincipalSid rejects it.
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        return grant(aclEntity, permission, new PrincipalSid(current));
    }

    /**
     * Grants the permissions named in {@code list} on {@code aclEntity} in one batch.
     * <p>
     * A request whose SID is null or whose permission name does not resolve to a {@link Permission}
     * is dropped silently rather than rejected. Two requests naming the same SID make
     * {@code Collectors.toMap} throw an {@link IllegalStateException}.
     * <p>
     * NOTE(review): the SpEL guard refers to {@code #ae} while this decompiled signature names the
     * parameter {@code aclEntity}; the compiled parameter name must match the expression.
     *
     * @param list      requested (sid, isPrincipal, permission name) triples
     * @param aclEntity domain object whose ACL receives the entries
     */
    @Transaction
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public void batchGrant(List<AccessRequest> list, AclEntity aclEntity) {
        Map<Sid, Permission> sidToPermission = list.stream()
                .map(request -> {
                    Sid sid = getSid(request.getSid(), request.isPrincipal());
                    Permission base = AclPermissionFactory.getPermission(request.getPermission());
                    if (sid == null || !ObjectUtils.isNotEmpty(base)) {
                        return null;
                    }
                    return new AbstractMap.SimpleEntry<>(sid, convertToCompositeAclPermission(base));
                })
                .filter(Objects::nonNull)
                .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
        batchGrant(aclEntity, sidToPermission);
    }

    /**
     * Returns {@code permission} wrapped in a {@link CompositeAclPermission} that also carries
     * {@code AclPermission.DATA_QUERY} when {@code isDataPermissionDefaultEnabled()} is on;
     * otherwise returns {@code permission} unchanged.
     */
    private Permission convertToCompositeAclPermission(Permission permission) {
        boolean dataQueryByDefault = KylinConfig.getInstanceFromEnv().isDataPermissionDefaultEnabled();
        if (!dataQueryByDefault) {
            return permission;
        }
        return new CompositeAclPermission(permission, Collections.singletonList(AclPermission.DATA_QUERY));
    }

    /**
     * Writes every (sid, permission) entry of {@code map} into the ACL of {@code aclEntity},
     * creating the ACL first when none is stored.
     * <p>
     * Each SID is checked by {@code secureOwner} before anything is written, so a batch that
     * touches the ACL owner's ADMINISTRATION entry is rejected as a whole.
     *
     * @param aclEntity domain object whose ACL is written; null is rejected
     * @param map       entries to upsert; null is rejected
     * @throws KylinException INVALID_PARAMETER for a null entity, PERMISSION_DENIED for a null map
     *                        or when a SID fails the owner check
     */
    @Transaction
    void batchGrant(AclEntity aclEntity, Map<Sid, Permission> map) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        if (map == null) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, msg.getAclPermissionRequired());
        }
        MutableAclRecord acl = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        if (acl == null) {
            acl = init(aclEntity, null);
        }
        for (Sid sid : map.keySet()) {
            secureOwner(acl, sid);
        }
        this.aclService.batchUpsertAce(acl, map);
    }

    /**
     * Upserts one ACL entry for {@code sid} on {@code aclEntity}, creating the ACL when none is
     * stored. The permission written is {@code permission} possibly widened with DATA_QUERY by
     * {@code convertToCompositeAclPermission}.
     *
     * @param aclEntity  domain object; null is rejected
     * @param permission permission to grant; null is rejected
     * @param sid        principal or authority receiving it; null is rejected
     * @return the updated ACL record from the ACL service
     * @throws KylinException INVALID_PARAMETER, PERMISSION_DENIED or EMPTY_USER_NAME for the three
     *                        null cases; PERMISSION_DENIED when {@code sid} fails the owner check
     */
    @Transaction
    MutableAclRecord grant(AclEntity aclEntity, Permission permission, Sid sid) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        if (permission == null) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, msg.getAclPermissionRequired());
        }
        if (sid == null) {
            throw new KylinException(ServerErrorCode.EMPTY_USER_NAME, msg.getSidRequired());
        }
        MutableAclRecord acl = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        if (acl == null) {
            acl = init(aclEntity, null);
        }
        secureOwner(acl, sid);
        Permission effective = convertToCompositeAclPermission(permission);
        return this.aclService.upsertAce(acl, sid, effective);
    }

    /**
     * REST-facing grant: resolves the permission name and the SID, then delegates to
     * {@code grant(AclEntity, Permission, Sid)}.
     * <p>
     * NOTE(review): {@code bool} is unboxed without a null check, and the SpEL guard refers to
     * {@code #ae} while this decompiled parameter is named {@code aclEntity}.
     *
     * @param aclEntity domain object
     * @param str       sid name (user or group)
     * @param bool      {@code true} for a user (PrincipalSid), {@code false} for a group
     * @param str2      permission name understood by {@code AclPermissionFactory.getPermission}
     */
    @Transaction
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public void grant(AclEntity aclEntity, String str, Boolean bool, String str2) {
        Permission permission = AclPermissionFactory.getPermission(str2);
        Sid sid = getSid(str, bool.booleanValue());
        grant(aclEntity, permission, sid);
    }

    /**
     * Replaces the base permission of the ACE at index {@code i} with {@code permission}, keeping
     * whatever {@code AclPermissionUtil.modifyBasePermission} preserves from the existing entry.
     * <p>
     * NOTE(review): unlike grant(), a missing ACL is not initialised here, so readAcl returning
     * null ends in an NPE; the SpEL guard refers to {@code #ae}, this parameter is {@code aclEntity}.
     *
     * @param aclEntity  domain object; null is rejected
     * @param i          index of the ACE to change
     * @param permission new base permission; null is rejected
     * @return the updated ACL record
     * @throws KylinException INVALID_PARAMETER / PERMISSION_DENIED for null arguments or an owner-check failure
     */
    @Transaction
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public MutableAclRecord update(AclEntity aclEntity, int i, Permission permission) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        if (permission == null) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, msg.getAclPermissionRequired());
        }
        MutableAclRecord acl = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        AclRecord record = acl.getAclRecord();
        Sid target = record.getAccessControlEntryAt(i).getSid();
        secureOwner(acl, target);
        Permission merged = AclPermissionUtil.modifyBasePermission(record.getAccessControlEntryAt(i).getPermission(), permission);
        return this.aclService.upsertAce(acl, target, merged);
    }

    /**
     * Rewrites the extension permissions (e.g. DATA_QUERY) of one ACE while keeping its base
     * permission. The target entry is addressed by {@code accessEntryId} when given, otherwise by SID.
     * <p>
     * A caller holding ROLE_ADMIN is refused when {@code userAclService.canAdminUserQuery()} is
     * false; a target that has no existing permission is refused as well.
     * <p>
     * NOTE(review): the SpEL guard refers to {@code #ae}; this decompiled parameter is {@code aclEntity}.
     *
     * @param aclEntity     domain object; null is rejected
     * @param accessRequest sid / isPrincipal / accessEntryId / extPermissions of the change
     * @return the updated ACL record
     * @throws KylinException INVALID_PARAMETER for a null entity, PERMISSION_DENIED otherwise
     */
    @Transaction
    @PreAuthorize("hasRole('ROLE_ADMIN') or (hasPermission(#ae, 'DATA_QUERY') and hasPermission(#ae, 'ADMINISTRATION'))")
    public MutableAclRecord updateExtensionPermission(AclEntity aclEntity, AccessRequest accessRequest) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        Authentication caller = SecurityContextHolder.getContext().getAuthentication();
        boolean callerIsAdmin = caller.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"));
        if (callerIsAdmin && !this.userAclService.canAdminUserQuery()) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, msg.getAclPermissionRequired());
        }
        MutableAclRecord acl = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        Permission current = getPermission(accessRequest, acl);
        if (current == null) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, msg.getAclPermissionRequired());
        }
        Sid target;
        if (accessRequest.getAccessEntryId() != null) {
            // An explicit entry id wins over the sid named in the request.
            target = acl.getAclRecord().getAccessControlEntryAt(accessRequest.getAccessEntryId().intValue()).getSid();
        } else {
            target = getSid(accessRequest.getSid(), accessRequest.isPrincipal());
        }
        secureOwner(acl, target);
        return this.aclService.upsertAce(acl, target, new CompositeAclPermission(
                AclPermissionUtil.convertToBasePermission(current),
                AclPermissionFactory.getExtPermissions(accessRequest.getExtPermissions())));
    }

    /**
     * Looks up the permission currently stored for the entry addressed by {@code accessRequest}:
     * by ACE index when {@code accessEntryId} is set, otherwise the first entry whose SID equals
     * the request's SID.
     *
     * @return the stored permission, or {@code null} when no entry matches by SID
     */
    private Permission getPermission(AccessRequest accessRequest, MutableAclRecord mutableAclRecord) {
        if (accessRequest.getAccessEntryId() != null) {
            int index = accessRequest.getAccessEntryId().intValue();
            return mutableAclRecord.getAclRecord().getAccessControlEntryAt(index).getPermission();
        }
        Sid target = getSid(accessRequest.getSid(), accessRequest.isPrincipal());
        return mutableAclRecord.getEntries().stream()
                .filter(entry -> entry.getSid().equals(target))
                .map(entry -> entry.getPermission())
                .findFirst()
                .orElse(null);
    }

    /**
     * Removes the ACE at index {@code i}; removal is expressed as upserting a {@code null}
     * permission for that entry's SID, after the owner check.
     * <p>
     * NOTE(review): a missing ACL (readAcl returning null) ends in an NPE rather than a KylinException;
     * the SpEL guard refers to {@code #ae}, this decompiled parameter is {@code aclEntity}.
     *
     * @param aclEntity domain object; null is rejected
     * @param i         index of the ACE to remove
     * @return the updated ACL record
     * @throws KylinException INVALID_PARAMETER for a null entity, PERMISSION_DENIED on owner-check failure
     */
    @Transaction
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public MutableAclRecord revoke(AclEntity aclEntity, int i) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        MutableAclRecord acl = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        Sid target = acl.getAclRecord().getAccessControlEntryAt(i).getSid();
        secureOwner(acl, target);
        return this.aclService.upsertAce(acl, target, (Permission) null);
    }

    /**
     * Removes the ACE for the named SID; like {@code revoke}, removal is an upsert of a
     * {@code null} permission after the owner check.
     * <p>
     * NOTE(review): the SID comes from {@code getAceBySidAndPrincipal}; what it returns for an
     * unknown name is not visible here — if null, secureOwner and upsertAce receive a null sid.
     *
     * @param aclEntity domain object; null is rejected
     * @param str       sid name
     * @param z         {@code true} for a user, {@code false} for a group
     * @return the updated ACL record
     * @throws KylinException INVALID_PARAMETER for a null entity, PERMISSION_DENIED on owner-check failure
     */
    @Transaction
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public MutableAclRecord revokeWithSid(AclEntity aclEntity, String str, boolean z) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        MutableAclRecord acl = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        Sid target = acl.getAclRecord().getAceBySidAndPrincipal(str, z);
        secureOwner(acl, target);
        return this.aclService.upsertAce(acl, target, (Permission) null);
    }

    /**
     * Batch revoke keyed by SID rather than by ACE index.
     * <p>
     * NOTE(review): as decompiled, every request is mapped to {@code BasePermission.READ} and handed
     * to {@code batchGrant(AclEntity, Map)}, so the visible effect is an upsert of READ, not a
     * removal — the single-SID revoke paths in this class express removal as an upsert of a
     * {@code null} permission. The empty {@code forEach} over the entry set is most likely a lost
     * lambda body (a {@code Collectors.toMap} collector rejects null values, which would explain a
     * two-step build followed by nulling the values). Confirm against the original source before
     * relying on this method; the code is left untouched here.
     *
     * @param aclEntity domain object whose ACL is changed; null is rejected
     * @param list      requests naming the SIDs to revoke
     * @throws KylinException INVALID_PARAMETER for a null entity
     */
    @Transaction
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public void batchRevoke(AclEntity aclEntity, List<AccessRequest> list) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        // Every SID is paired with READ here; toMap throws on duplicate SIDs.
        Permission permission = BasePermission.READ;
        Map<Sid, Permission> map = (Map) list.stream().map(accessRequest -> {
            return new AbstractMap.SimpleEntry(getSid(accessRequest.getSid(), accessRequest.isPrincipal()), permission);
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        // No-op as decompiled — see the review note above.
        map.entrySet().forEach(entry -> {
        });
        batchGrant(aclEntity, map);
    }

    /**
     * Makes the ACL of {@code aclEntity} inherit from the ACL of {@code aclEntity2}, creating
     * either ACL first when it is not stored yet.
     *
     * @param aclEntity  child domain object; null is rejected
     * @param aclEntity2 parent domain object; null is rejected
     * @throws KylinException INVALID_PARAMETER for either null argument
     */
    void inherit(AclEntity aclEntity, AclEntity aclEntity2) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        if (aclEntity2 == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getParentAclNotFound());
        }
        MutableAclRecord child = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity));
        if (child == null) {
            child = init(aclEntity, null);
        }
        MutableAclRecord parent = this.aclService.readAcl(new ObjectIdentityImpl(aclEntity2));
        if (parent == null) {
            parent = init(aclEntity2, null);
        }
        // Kept from the original: init() is not expected to return null, but guard anyway.
        if (child != null && parent != null) {
            this.aclService.inherit(child, parent);
        }
    }

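    /**
     * Removes the named user's or group's entry from the ACL of every project that has one.
     * <p>
     * {@code str2} selects the SID kind, compared case-insensitively: {@code "user"} builds a
     * PrincipalSid, {@code "group"} a GrantedAuthoritySid; any other value returns without doing
     * anything and without reporting an error. Projects whose ACL has no entry for the SID are
     * skipped. The owner check runs per project, so a project whose owner is this SID with
     * ADMINISTRATION aborts the loop with a KylinException and leaves later projects untouched.
     * <p>
     * Fix: the local holding the SID was declared as {@code PrincipalSid} although one branch
     * assigns a {@code GrantedAuthoritySid}; it is now typed as {@code Sid}.
     *
     * @param str  user or group name
     * @param str2 {@code "user"} or {@code "group"}
     */
    @Transaction
    public void revokeProjectPermission(String str, String str2) {
        Sid sid;
        if (str2.equalsIgnoreCase("user")) {
            sid = new PrincipalSid(str);
        } else if (str2.equalsIgnoreCase("group")) {
            sid = new GrantedAuthoritySid(str);
        } else {
            // Unknown sid kind: nothing is revoked and nothing is reported.
            return;
        }
        NProjectManager projectManager = (NProjectManager) getManager(NProjectManager.class);
        for (ProjectInstance project : projectManager.listAllProjects()) {
            MutableAclRecord acl = getAcl(getAclEntity("ProjectInstance", project.getUuid()));
            if (acl == null || acl.getAclRecord().getPermission(sid) == null) {
                continue;
            }
            secureOwner(acl, sid);
            // Removal is expressed as upserting a null permission.
            this.aclService.upsertAce(acl, sid, (Permission) null);
        }
    }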

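    /**
     * Deletes the ACL stored for {@code aclEntity}. An entity without an id is skipped silently;
     * an ACL that is already gone ({@link NotFoundException}) is treated as the desired end state.
     * <p>
     * NOTE(review): the SpEL guard refers to {@code #ae}; this decompiled parameter is {@code aclEntity}.
     *
     * @param aclEntity domain object whose ACL is deleted; null is rejected
     * @param z         forwarded as the second argument of {@code AclService.deleteAcl}
     *                  (its meaning is not visible in this class)
     * @throws KylinException INVALID_PARAMETER for a null entity
     */
    @Transaction
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public void clean(AclEntity aclEntity, boolean z) {
        Message msg = MsgPicker.getMsg();
        if (aclEntity == null) {
            throw new KylinException(ServerErrorCode.INVALID_PARAMETER, msg.getAclDomainNotFound());
        }
        if (aclEntity.getId() == null) {
            return;
        }
        try {
            this.aclService.deleteAcl(new ObjectIdentityImpl(aclEntity), z);
        } catch (NotFoundException ignored) {
            // Already absent: the outcome the caller wanted. Previously swallowed without a trace,
            // which hid repeated clean-ups from operators; keep it at debug level.
            logger.debug("No ACL found for entity {} while cleaning; nothing to delete", aclEntity.getId());
        }
    }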

    /**
     * Builds the ACL domain object of type {@code str} (e.g. {@code "ProjectInstance"}) with id
     * {@code str2} through {@code AclEntityFactory}; a null id yields {@code null}.
     */
    public RootPersistentEntity getAclEntity(String str, String str2) {
        return str2 == null ? null : AclEntityFactory.createAclEntity(str, str2);
    }

    /**
     * Reads the stored ACL of {@code aclEntity}; {@code null} in, {@code null} out.
     * <p>
     * NOTE(review): several methods of this class call this on {@code this} (getAllAclSids,
     * getProjectUuidPermission, getProjectExtPermissions, revokeProjectPermission); a self-invocation
     * presumably does not pass through the proxy that enforces {@code @PreAuthorize}, so the guard
     * only protects external callers. The SpEL refers to {@code #ae}; this parameter is {@code aclEntity}.
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION') or hasPermission(#ae, 'MANAGEMENT') or hasPermission(#ae, 'OPERATION') or hasPermission(#ae, 'READ')")
    public MutableAclRecord getAcl(AclEntity aclEntity) {
        if (aclEntity == null) {
            return null;
        }
        ObjectIdentityImpl identity = new ObjectIdentityImpl(aclEntity);
        return this.aclService.readAcl(identity);
    }

    /**
     * Builds the Spring Security SID for a name: a {@link PrincipalSid} (user) when {@code z} is
     * {@code true}, a {@link GrantedAuthoritySid} (group) otherwise.
     */
    public Sid getSid(String str, boolean z) {
        if (z) {
            return new PrincipalSid(str);
        }
        return new GrantedAuthoritySid(str);
    }

    /**
     * Lists the ACL entries of {@code aclEntity} whose SID name matches {@code str} (see
     * {@code needAdd}), dropping the built-in ROLE_ADMIN group and any user that
     * {@code userService.retainsNormalUser} does not keep. Group entries come first, then users;
     * users are de-duplicated by principal with the first entry winning.
     * <p>
     * NOTE(review): the SpEL guard refers to {@code #ae}; this decompiled parameter is {@code aclEntity}.
     *
     * @param aclEntity domain object whose ACL is listed
     * @param str       name fragment to match; empty matches everything
     * @param z         {@code true} for case-sensitive matching
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public List<AccessEntryResponse> generateAceResponsesByFuzzMatching(AclEntity aclEntity, String str, boolean z) throws IOException {
        List<AccessEntryResponse> matched = generateAceResponsesByFuzzMatching((Acl) getAcl(aclEntity), str, z);
        Map<Boolean, List<AccessEntryResponse>> byKind = matched.stream()
                .collect(Collectors.partitioningBy(response -> response.getSid() instanceof GrantedAuthoritySid));

        Stream<AccessEntryResponse> groups = byKind.get(true).stream()
                .filter(response -> !StringUtils.equalsIgnoreCase(
                        ((GrantedAuthoritySid) response.getSid()).getGrantedAuthority(), "ROLE_ADMIN"));

        Map<String, AccessEntryResponse> byPrincipal = byKind.get(false).stream()
                .collect(Collectors.toMap(
                        response -> ((PrincipalSid) response.getSid()).getPrincipal(),
                        Function.identity(),
                        (first, duplicate) -> first));
        Set<String> normalUsers = this.userService.retainsNormalUser(byPrincipal.keySet());
        Stream<AccessEntryResponse> users = byPrincipal.entrySet().stream()
                .filter(entry -> normalUsers.contains(entry.getKey()))
                .map(Map.Entry::getValue);

        return Stream.concat(groups, users).collect(Collectors.toList());
    }

    /**
     * Converts the entries of {@code acl} to responses, keeping an entry only when its SID name
     * matches {@code str} and the user/group behind the SID still exists. The existence lookup
     * runs only for entries that passed the name match.
     *
     * @return matching responses, or an empty list for a null ACL
     */
    private List<AccessEntryResponse> generateAceResponsesByFuzzMatching(Acl acl, String str, boolean z) {
        if (acl == null) {
            return Collections.emptyList();
        }
        return acl.getEntries().stream()
                .filter(ace -> !nameSegNotMatch(ace, str, z))
                .filter(ace -> !sidNotExists(ace))
                .map(ace -> new AccessEntryResponse(ace.getId(), ace.getSid(), ace.getPermission(), ace.isGranting()))
                .collect(Collectors.toList());
    }

    /**
     * {@code true} when a non-empty filter {@code str} is given and the entry's SID name does not
     * contain it (per {@code needAdd}); an empty filter never excludes anything.
     */
    private boolean nameSegNotMatch(AccessControlEntry accessControlEntry, String str, boolean z) {
        if (StringUtils.isEmpty(str)) {
            return false;
        }
        String sidName = getName(accessControlEntry.getSid());
        return !needAdd(str, z, sidName);
    }

    /**
     * {@code true} when the entry's SID refers to a user or group that the directory no longer
     * knows (or, for groups, whose lookup failed — see {@code isGrantedAuthoritySidNotExists}).
     */
    private boolean sidNotExists(AccessControlEntry accessControlEntry) {
        Sid sid = accessControlEntry.getSid();
        if (isPrincipalSidNotExists(sid)) {
            return true;
        }
        return isGrantedAuthoritySidNotExists(sid);
    }

    /**
     * Substring match of the filter {@code str} inside the SID name {@code str2}; case-sensitive
     * when {@code z} is {@code true}, case-insensitive otherwise.
     */
    private boolean needAdd(String str, boolean z, String str2) {
        if (z) {
            return StringUtils.contains(str2, str);
        }
        return StringUtils.containsIgnoreCase(str2, str);
    }

    /**
     * Display name of a SID: the principal for a {@link PrincipalSid}, the authority otherwise.
     * Any SID that is neither is cast to {@link GrantedAuthoritySid} and fails with a ClassCastException.
     */
    public static String getName(Sid sid) {
        if (sid instanceof PrincipalSid) {
            return ((PrincipalSid) sid).getPrincipal();
        }
        return ((GrantedAuthoritySid) sid).getGrantedAuthority();
    }

    /**
     * {@code true} only for a {@link PrincipalSid} whose principal {@code userService.userExists}
     * does not know; any other SID kind yields {@code false}.
     */
    public boolean isPrincipalSidNotExists(Sid sid) {
        if (!(sid instanceof PrincipalSid)) {
            return false;
        }
        String principal = ((PrincipalSid) sid).getPrincipal();
        return !this.userService.userExists(principal);
    }

    /**
     * {@code true} only for a {@link GrantedAuthoritySid} whose group {@code userGroupService.exists}
     * does not know; any other SID kind yields {@code false}.
     * <p>
     * A failed lookup ({@link IOException}) is reported as "does not exist", so callers such as
     * getAllAclSids and the response builders hide the entry instead of surfacing the error.
     * NOTE(review): {@code userGroupService} is not declared among the fields visible in this class —
     * presumably inherited or declared further down.
     */
    public boolean isGrantedAuthoritySidNotExists(Sid sid) {
        if (!(sid instanceof GrantedAuthoritySid)) {
            return false;
        }
        String group = ((GrantedAuthoritySid) sid).getGrantedAuthority();
        try {
            return !this.userGroupService.exists(group);
        } catch (IOException lookupFailed) {
            return true;
        }
    }

    /**
     * All entries of {@code acl} as responses, with no name filter (only the existence filter of
     * {@code generateAceResponsesByFuzzMatching(Acl, String, boolean)} applies).
     */
    public List<AccessEntryResponse> generateAceResponses(Acl acl) {
        String noNameFilter = null;
        return generateAceResponsesByFuzzMatching(acl, noNameFilter, false);
    }

    /**
     * Users and groups with an entry in the ACL of {@code aclEntity}, under the keys
     * {@code "user"} and {@code "group"}. Global admins are removed from the ACL-derived user list
     * and appended once from {@code userService.getGlobalAdmin()}; the {@code "ROLE_ADMIN"} group
     * is always appended to the group list.
     * <p>
     * NOTE(review): the SpEL guard refers to {@code #ae}; this decompiled parameter is {@code aclEntity}.
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public Map<String, List<String>> getProjectUsersAndGroups(AclEntity aclEntity) throws IOException {
        List<String> aclUsers = getAllAclSids(aclEntity, "user");
        Set<String> globalAdmins = this.userService.getGlobalAdmin();
        aclUsers.removeIf(globalAdmins::contains);
        List<String> users = new ArrayList<>(aclUsers);
        users.addAll(globalAdmins);

        List<String> groups = new ArrayList<>(getAllAclSids(aclEntity, "group"));
        groups.add("ROLE_ADMIN");

        Map<String, List<String>> result = new HashMap<>();
        result.put("user", users);
        result.put("group", groups);
        return result;
    }

    /**
     * Names of the SIDs of one kind found in the ACL of {@code aclEntity}: principals for
     * {@code "user"}, authorities for {@code "group"} (compared case-insensitively). Blank names
     * and SIDs whose user/group no longer exists (or whose group lookup failed) are left out.
     * <p>
     * NOTE(review): the SpEL guard refers to {@code #ae}; this decompiled parameter is {@code aclEntity}.
     *
     * @return the names, or an empty list when no ACL is stored
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public List<String> getAllAclSids(AclEntity aclEntity, String str) {
        MutableAclRecord acl = getAcl(aclEntity);
        if (acl == null) {
            return Collections.emptyList();
        }
        List<String> names = new ArrayList<>();
        for (AccessControlEntry ace : acl.getEntries()) {
            Sid sid = ace.getSid();
            String name = null;
            boolean missing = false;
            if (str.equalsIgnoreCase("user") && sid instanceof PrincipalSid) {
                name = ((PrincipalSid) sid).getPrincipal();
                missing = isPrincipalSidNotExists(sid);
            } else if (str.equalsIgnoreCase("group") && sid instanceof GrantedAuthoritySid) {
                name = ((GrantedAuthoritySid) sid).getGrantedAuthority();
                missing = isGrantedAuthoritySidNotExists(sid);
            }
            if (!missing && !StringUtils.isBlank(name)) {
                names.add(name);
            }
        }
        return names;
    }

    /**
     * Guards the ACL owner: throws when {@code sid} is the owner and its stored permission equals
     * {@code BasePermission.ADMINISTRATION}, so the owner's admin entry can never be changed or
     * removed through this service.
     *
     * @throws KylinException PERMISSION_DENIED with the revoke-admin message
     */
    private void secureOwner(MutableAclRecord mutableAclRecord, Sid sid) {
        Message msg = MsgPicker.getMsg();
        AclRecord record = mutableAclRecord.getAclRecord();
        boolean isOwner = record.getOwner().equals(sid);
        if (!isOwner) {
            return;
        }
        if (BasePermission.ADMINISTRATION.equals(record.getPermission(sid))) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, msg.getRevokeAdminPermission());
        }
    }

    /**
     * External name of the strongest permission user {@code str2} holds in project {@code str}
     * (the first half of {@code getUserMaximumPermissionWithSourceInProject}).
     */
    private String getUserPermissionInProject(String str, String str2) throws IOException {
        Pair<String, Pair<Boolean, String>> maximum = getUserMaximumPermissionWithSourceInProject(str, str2);
        return maximum.getFirst();
    }

    /**
     * Strongest permission of user {@code str2} in project {@code str}, with its source:
     * a global admin gets {@code ("ADMIN", (FALSE, null))}, a member of the global admin group gets
     * {@code ("ADMIN", (TRUE, "ROLE_ADMIN"))}, everyone else is resolved from the project ACL and
     * the user's groups by {@code getUserNormalPermission}.
     * <p>
     * {@code isGlobalAdmin}, {@code hasGlobalAdminGroup} and {@code getGroupsOfUser} are not visible
     * in this chunk.
     */
    private Pair<String, Pair<Boolean, String>> getUserMaximumPermissionWithSourceInProject(String str, String str2) throws IOException {
        if (isGlobalAdmin(str2)) {
            return Pair.newPair("ADMIN", Pair.<Boolean, String>newPair(Boolean.FALSE, null));
        }
        if (hasGlobalAdminGroup(str2)) {
            return Pair.newPair("ADMIN", Pair.newPair(Boolean.TRUE, "ROLE_ADMIN"));
        }
        return getUserNormalPermission(getProjectPermission(str), getGroupsOfUser(str2), str2);
    }

    /**
     * Non-admin permission resolution for an already loaded user: the user's granted authorities
     * are taken as its groups, the project ACL is read by name.
     */
    public Pair<String, Pair<Boolean, String>> getUserNormalPermission(String str, UserDetails userDetails) {
        Map<Sid, Integer> projectMasks = getProjectPermission(str);
        List<String> groups = userDetails.getAuthorities().stream()
                .map(authority -> authority.getAuthority())
                .collect(Collectors.toList());
        return getUserNormalPermission(projectMasks, groups, userDetails.getUsername());
    }

    /**
     * Non-admin permission resolution by project uuid ({@code str}) and user name ({@code str2}),
     * using the groups {@code getGroupsOfUser} reports for the user.
     */
    public Pair<String, Pair<Boolean, String>> getUserNormalPermission(String str, String str2) {
        Map<Sid, Integer> projectMasks = getProjectUuidPermission(str);
        List<String> groups = getGroupsOfUser(str2);
        return getUserNormalPermission(projectMasks, groups, str2);
    }

    /**
     * Strongest permission of user {@code str} in a project, from the user's own ACL mask and the
     * masks of the groups in {@code list}, together with where it came from.
     * <p>
     * Returns (externalPermissionName, (viaGroup, groupName)): {@code (FALSE, null)} when the
     * user's own entry wins, {@code (TRUE, group)} when a group raised the mask. Groups are
     * scanned in list order; the scan stops once the mask equals ADMINISTRATION.
     * {@code getGreaterPermissionMask} is not visible in this chunk.
     * <p>
     * NOTE(review): a user with no own entry and an empty group list leaves the mask {@code null}
     * and the final {@code intValue()} throws NPE.
     */
    public Pair<String, Pair<Boolean, String>> getUserNormalPermission(Map<Sid, Integer> map, List<String> list, String str) {
        Integer bestMask = map.get(getSid(str, true));
        String grantingGroup = null;
        for (String group : list) {
            boolean alreadyAdmin = bestMask != null && bestMask.intValue() == BasePermission.ADMINISTRATION.getMask();
            if (alreadyAdmin) {
                break;
            }
            Integer candidate = getGreaterPermissionMask(map.get(getSid(group, false)), bestMask);
            if (!candidate.equals(bestMask)) {
                grantingGroup = group;
                bestMask = candidate;
            }
        }
        Pair<Boolean, String> source = grantingGroup == null
                ? Pair.<Boolean, String>newPair(Boolean.FALSE, null)
                : Pair.newPair(Boolean.TRUE, grantingGroup);
        return Pair.newPair(ExternalAclProvider.convertToExternalPermission(bestMask.intValue()), source);
    }

    /**
     * External permission name of the currently authenticated user in project {@code str}, or
     * {@code null} when there is no Authentication in the security context.
     */
    public String getCurrentUserPermissionInProject(String str) throws IOException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return null;
        }
        return getUserPermissionInProject(str, authentication.getName());
    }

    /**
     * Non-admin permission name of the currently authenticated user in project {@code str},
     * resolved from the user record loaded through {@code userService}; {@code null} when there is
     * no Authentication in the security context.
     */
    public String getCurrentNormalUserPermissionInProject(String str) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return null;
        }
        UserDetails user = this.userService.loadUserByUsername(authentication.getName());
        return getUserNormalPermission(str, user).getFirst();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v16, types: [java.util.Map] */
    /**
     * Extension-permission masks per SID for the project with uuid {@code str}, taken from the
     * ACL entries that carry an extension permission.
     * <p>
     * NOTE(review): {@code getAcl} returns {@code null} for a project without an ACL, which fails
     * with an NPE on {@code getAclRecord()} before the null checks below run. Duplicate SIDs in
     * the entries make {@code Collectors.toMap} throw.
     */
    private Map<Sid, Set<Integer>> getProjectExtPermissions(String str) {
        AclRecord record = getAcl(getAclEntity("ProjectInstance", str)).getAclRecord();
        if (record == null || record.getEntries() == null) {
            return new HashMap<>();
        }
        return record.getEntries().stream()
                .filter(ace -> AclPermissionUtil.hasExtPermission(ace.getPermission()))
                .collect(Collectors.<AccessControlEntry, Sid, Set<Integer>>toMap(
                        ace -> ace.getSid(),
                        ace -> new HashSet<Integer>(AclPermissionUtil.convertToCompositePermission(ace.getPermission()).getExtMasks())));
    }

    /**
     * External names of the extension permissions (e.g. "DATA_QUERY") the current user holds in
     * project {@code str}. Resolution order: an admin user allowed to query gets DATA_QUERY; any
     * other global admin gets DATA_QUERY only when {@code userAclService} grants it for this
     * project; everyone else gets the masks merged from their own and their groups' ACL entries,
     * converted through {@code ExternalAclProvider}. An absent Authentication yields an empty set.
     * <p>
     * NOTE(review): {@code catch (IOException e) { throw e; }} rethrows a checked exception the
     * signature does not declare; this is presumably a {@code @SneakyThrows}-style construct as
     * rendered by the decompiler and is kept as-is. The project lookup on the first line throws NPE
     * for an unknown project name before the authentication check runs.
     */
    public Set<String> getUserNormalExtPermissions(String str) {
        try {
            String uuid = NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(str).getUuid();
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (!Objects.nonNull(authentication)) {
                return new HashSet();
            }
            String name = authentication.getName();
            // admin-allowed-to-query -> DATA_QUERY; other global admin -> per-project user ACL; else ACL masks
            return this.userAclService.canAdminUserQuery(name) ? Collections.singleton("DATA_QUERY") : this.userService.isGlobalAdmin(name) ? this.userAclService.hasUserAclPermissionInProject(name, str) ? Collections.singleton("DATA_QUERY") : Collections.emptySet() : (Set) getUserNormalExtPermissions(uuid, name).stream().map((v0) -> {
                return ExternalAclProvider.convertToExternalPermission(v0);
            }).collect(Collectors.toSet());
        } catch (IOException e) {
            throw e;
        }
    }

    /**
     * Extension-permission masks of user {@code str2} in the project with uuid {@code str},
     * merged from the user's own entry and the entries of its groups.
     */
    public Set<Integer> getUserNormalExtPermissions(String str, String str2) {
        Map<Sid, Set<Integer>> projectMasks = getProjectExtPermissions(str);
        List<String> groups = getGroupsOfUser(str2);
        return getUserNormalExtPermissions(projectMasks, groups, str2);
    }

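    /**
     * Union of the extension-permission masks stored in {@code map} for user {@code str} and for
     * each group in {@code list}; missing or empty entries contribute nothing.
     * <p>
     * Fix: the result is accumulated in a fresh set. The original returned the very Set object
     * stored under the user's key and added the group masks into it, silently mutating the
     * caller's {@code map} as a side effect of a read.
     *
     * @return a new, mutable set of masks (empty when nothing applies)
     */
    public Set<Integer> getUserNormalExtPermissions(Map<Sid, Set<Integer>> map, List<String> list, String str) {
        Set<Integer> merged = new HashSet<>();
        Set<Integer> own = map.get(getSid(str, true));
        if (!CollectionUtils.isEmpty(own)) {
            merged.addAll(own);
        }
        for (String group : list) {
            Set<Integer> groupMasks = map.get(getSid(group, false));
            if (!CollectionUtils.isEmpty(groupMasks)) {
                merged.addAll(groupMasks);
            }
        }
        return merged;
    }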

    /**
     * External permission name of group {@code str2} in project {@code str}; {@code "ROLE_ADMIN"}
     * is always {@code "ADMIN"}. {@code checkSid} is not visible in this chunk.
     * <p>
     * NOTE(review): a group with no entry in the project yields a null mask and an NPE here.
     */
    private String getGroupPermissionInProject(String str, String str2) throws IOException {
        checkSid(str2, false);
        if ("ROLE_ADMIN".equals(str2)) {
            return "ADMIN";
        }
        Integer mask = getProjectPermission(str).get(getSid(str2, false));
        return ExternalAclProvider.convertToExternalPermission(mask.intValue());
    }

    /**
     * Base-permission masks per SID for the project named {@code str}, resolved through its uuid.
     * An unknown project name makes {@code getProject} return null and fails with an NPE.
     */
    private Map<Sid, Integer> getProjectPermission(String str) {
        NProjectManager projectManager = NProjectManager.getInstance(KylinConfig.getInstanceFromEnv());
        String uuid = projectManager.getProject(str).getUuid();
        return getProjectUuidPermission(uuid);
    }

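    /**
     * Base-permission masks per SID for the project with uuid {@code str}: each ACL entry's
     * permission is reduced to its base permission and its mask recorded under the entry's SID.
     * <p>
     * Fix: the ACL is read once; the original called {@code getAcl} (an ACL-service read) three
     * times per invocation, and this method runs once per project in
     * {@code getGrantedProjectsOfUserOrGroup}. NOTE(review): {@code getAcl} is invoked on
     * {@code this}, which presumably bypasses its {@code @PreAuthorize} proxy.
     *
     * @return a mutable map, empty when the project has no ACL or no entries
     */
    private Map<Sid, Integer> getProjectUuidPermission(String str) {
        Map<Sid, Integer> masks = new HashMap<>();
        RootPersistentEntity aclEntity = getAclEntity("ProjectInstance", str);
        MutableAclRecord acl = getAcl(aclEntity);
        if (acl == null || acl.getEntries() == null) {
            return masks;
        }
        for (AccessControlEntry ace : acl.getAclRecord().getEntries()) {
            masks.put(ace.getSid(), AclPermissionUtil.convertToBasePermission(ace.getPermission()).getMask());
        }
        return masks;
    }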

    /**
     * Whether user ({@code z == true}) or group {@code str2} has its own entry in the ACL of the
     * project named {@code str}. Group membership of a user is not considered here.
     */
    public boolean hasProjectPermission(String str, String str2, boolean z) {
        Sid sid = getSid(str2, z);
        return getProjectPermission(str).containsKey(sid);
    }

    /**
     * Names of the projects user {@code str} may access, directly or through a group
     * (see {@code getGrantedProjectsOfUserOrGroup}).
     */
    public List<String> getGrantedProjectsOfUser(String str) throws IOException {
        boolean isUser = true;
        return getGrantedProjectsOfUserOrGroup(str, isUser);
    }

    /**
     * Names of the projects a user ({@code z == true}) or group has access to. A global admin
     * user, a user in the global admin group, and the {@code "ROLE_ADMIN"} group get every
     * project. Otherwise a project counts when its ACL has an entry for the SID itself or, for a
     * user, for one of the user's groups. The result order is that of a HashSet.
     * {@code checkSid}, {@code isGlobalAdmin}, {@code hasGlobalAdminGroup} and
     * {@code getGroupsOfUser} are not visible in this chunk.
     */
    public List<String> getGrantedProjectsOfUserOrGroup(String str, boolean z) throws IOException {
        checkSid(str, z);
        List<ProjectInstance> allProjects = NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).listAllProjects();
        boolean adminUser = z && (isGlobalAdmin(str) || hasGlobalAdminGroup(str));
        boolean adminGroup = !z && "ROLE_ADMIN".equals(str);
        if (adminUser || adminGroup) {
            return allProjects.stream().map(project -> project.getName()).collect(Collectors.toList());
        }
        List<String> groups = z ? getGroupsOfUser(str) : Collections.emptyList();
        Sid self = getSid(str, z);
        Set<String> granted = new HashSet<>();
        for (ProjectInstance project : allProjects) {
            Map<Sid, Integer> masks = getProjectPermission(project.getName());
            boolean direct = masks.containsKey(self);
            boolean viaGroup = !direct && groups.stream().anyMatch(group -> masks.containsKey(getSid(group, false)));
            if (direct || viaGroup) {
                granted.add(project.getName());
            }
        }
        return new ArrayList<>(granted);
    }

    /**
     * Per-project permission and table/column ACL responses for one user ({@code z == true}) or
     * group {@code str}, one response per project name in {@code list}, in list order.
     * {@code checkSid} is not visible in this chunk.
     */
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public List<SidPermissionWithAclResponse> getUserOrGroupAclPermissions(List<String> list, String str, boolean z) throws IOException {
        checkSid(str, z);
        List<SidPermissionWithAclResponse> responses = new ArrayList<>();
        for (String project : list) {
            if (z) {
                responses.add(getUserPermissionWithAclResponse(project, str));
            } else {
                responses.add(getGroupPermissionWithAclResponse(project, str));
            }
        }
        return responses;
    }

    /**
     * Response for user {@code str2} in project {@code str}. When the user's strongest permission
     * comes through a group, the group's response is returned in its place; otherwise the user's
     * own permission plus its table/column ACL from {@code aclTCRService}.
     * <p>
     * NOTE(review): {@code aclTCRService} is an optional dependency and is dereferenced here
     * without a null check.
     */
    private SidPermissionWithAclResponse getUserPermissionWithAclResponse(String str, String str2) throws IOException {
        Pair<String, Pair<Boolean, String>> maximum = getUserMaximumPermissionWithSourceInProject(str, str2);
        Pair<Boolean, String> source = maximum.getSecond();
        boolean viaGroup = !Boolean.FALSE.equals(source.getFirst());
        if (viaGroup) {
            return getGroupPermissionWithAclResponse(str, source.getSecond());
        }
        return new SidPermissionWithAclResponse(str, maximum.getFirst(),
                this.aclTCRService.getAclTCRResponse(str, str2, true, false));
    }

    /**
     * Response for group {@code str2} in project {@code str}: its external permission name and
     * its table/column ACL from {@code aclTCRService} (an optional dependency, dereferenced
     * without a null check).
     */
    private SidPermissionWithAclResponse getGroupPermissionWithAclResponse(String str, String str2) throws IOException {
        String permission = getGroupPermissionInProject(str, str2);
        return new SidPermissionWithAclResponse(str, permission,
                this.aclTCRService.getAclTCRResponse(str, str2, false, false));
    }

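    /**
     * Lists the user names that administer the project {@code str}.
     *
     * <p>A user qualifies when either of the following holds:
     * <ul>
     *   <li>one of their authorities is {@code "ROLE_ADMIN"} (global admin), or</li>
     *   <li>{@code AclPermissionUtil.isSpecificPermissionInProject} grants
     *       {@code BasePermission.ADMINISTRATION} on the project ACL, evaluated against the
     *       user name and the subset of their authorities that are groups of this project.</li>
     * </ul>
     * The decompiled original referenced an unresolved {@code r1} in both lambdas; those were the
     * bound targets {@code "ROLE_ADMIN"::equals} and {@code groupsInProject::contains} (the
     * {@code getClass()} call was javac's null check for the latter), which is what this body
     * spells out.
     *
     * @param str project name
     * @return the set of administering user names; empty when no user qualifies
     * @throws IOException propagated from {@code userService.listUsers()}
     */
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public Set<String> getProjectAdminUsers(String str) throws IOException {
        MutableAclRecord projectAcl = AclPermissionUtil.getProjectAcl(str);
        Set<String> groupsInProject = AclPermissionUtil.filterGroupsInProject(projectAcl);
        return this.userService.listUsers().parallelStream().filter(managedUser -> {
            List<String> authorities = managedUser.getAuthorities().stream()
                    .map(authority -> authority.getAuthority())
                    .collect(Collectors.toList());
            // Global admins are project admins everywhere; no ACL lookup needed.
            if (authorities.contains("ROLE_ADMIN")) {
                return true;
            }
            // Only authorities that are groups of this project count toward the ACL check.
            Set<String> userGroupsInProject = authorities.stream()
                    .filter(groupsInProject::contains)
                    .collect(Collectors.toSet());
            return AclPermissionUtil.isSpecificPermissionInProject(managedUser.getUsername(), userGroupsInProject, BasePermission.ADMINISTRATION, projectAcl);
        }).map(managedUser -> managedUser.getUsername()).collect(Collectors.toSet());
    }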

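    /**
     * Lists the user names that may manage the project {@code str}.
     *
     * <p>A user qualifies when one of their authorities is {@code "ROLE_ADMIN"}, or when
     * {@code AclPermissionUtil.isSpecificPermissionInProject} grants either
     * {@code BasePermission.ADMINISTRATION} or {@code AclPermission.MANAGEMENT} on the project
     * ACL, evaluated against the user name and the subset of their authorities that are groups
     * of this project.
     *
     * <p>The decompiled original referenced an unresolved {@code r1} in both lambdas (the bound
     * targets {@code "ROLE_ADMIN"::equals} and {@code groupsInProject::contains}) and called
     * {@code filterGroupsInProject} a second time while discarding the result; both are
     * cleaned up here. NOTE(review): the SpEL expression names {@code #project}; in this
     * listing the parameter is {@code str} (decompiled name) — confirm the compiled parameter
     * name matches, otherwise {@code hasPermission} evaluates against {@code null}.
     *
     * @param str project name
     * @return the set of managing user names; empty when no user qualifies
     * @throws IOException propagated from {@code userService.listUsers()}
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#project, 'ADMINISTRATION')")
    public Set<String> getProjectManagementUsers(String str) throws IOException {
        MutableAclRecord projectAcl = AclPermissionUtil.getProjectAcl(str);
        Set<String> groupsInProject = AclPermissionUtil.filterGroupsInProject(projectAcl);
        return this.userService.listUsers().parallelStream().filter(managedUser -> {
            List<String> authorities = managedUser.getAuthorities().stream()
                    .map(authority -> authority.getAuthority())
                    .collect(Collectors.toList());
            // Global admins always qualify; skip the ACL lookups.
            if (authorities.contains("ROLE_ADMIN")) {
                return true;
            }
            // Only authorities that are groups of this project count toward the ACL checks.
            Set<String> userGroupsInProject = authorities.stream()
                    .filter(groupsInProject::contains)
                    .collect(Collectors.toSet());
            String username = managedUser.getUsername();
            return AclPermissionUtil.isSpecificPermissionInProject(username, userGroupsInProject, BasePermission.ADMINISTRATION, projectAcl)
                    || AclPermissionUtil.isSpecificPermissionInProject(username, userGroupsInProject, AclPermission.MANAGEMENT, projectAcl);
        }).map(managedUser -> managedUser.getUsername()).collect(Collectors.toSet());
    }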

    /**
     * Forwards a single grant to the remote side as an {@link AccessGrantEventNotifier}
     * scoped to {@code "_global"}.
     *
     * <p>NOTE(review): the SpEL expression names {@code #ae}; in this listing the parameter is
     * {@code aclEntity} (decompiled name) — confirm the compiled parameter name matches,
     * otherwise {@code hasPermission} evaluates against {@code null}.
     *
     * @param aclEntity entity whose id is sent with the event
     * @param str       sid the permission is granted to
     * @param bool      whether {@code str} is a user ({@code true}) or a group
     * @param str2      permission to grant, as forwarded to the notifier
     * @return whatever {@code remoteRequest} reports for the event
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public boolean remoteGrantAccess(AclEntity aclEntity, String str, Boolean bool, String str2) {
        AccessGrantEventNotifier event = new AccessGrantEventNotifier("_global", aclEntity.getId(), str, bool, str2);
        return remoteRequest(event, null);
    }

    /**
     * Forwards a batch of grant requests to the remote side, serialised to JSON inside an
     * {@link AccessBatchGrantEventNotifier} scoped to {@code "_global"}.
     *
     * <p>NOTE(review): the SpEL expression names {@code #ae}; in this listing the parameter is
     * {@code aclEntity} (decompiled name) — confirm the compiled parameter name matches.
     *
     * @param list      requests to forward; serialised with {@code JsonUtil.writeValueAsString}
     * @param aclEntity entity whose id is sent with the event
     * @return whatever {@code remoteRequest} reports for the event
     * @throws JsonProcessingException when the request list cannot be serialised
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public boolean remoteBatchGrantAccess(List<AccessRequest> list, AclEntity aclEntity) throws JsonProcessingException {
        String rawRequests = JsonUtil.writeValueAsString(list);
        AccessBatchGrantEventNotifier event = new AccessBatchGrantEventNotifier("_global", aclEntity.getId(), rawRequests);
        return remoteRequest(event, null);
    }

    /**
     * Forwards a revoke to the remote side as an {@link AccessRevokeEventNotifier} scoped to
     * {@code "_global"}.
     *
     * <p>NOTE(review): the SpEL expression names {@code #ae}; in this listing the parameter is
     * {@code aclEntity} (decompiled name) — confirm the compiled parameter name matches.
     *
     * @param aclEntity entity whose id is sent with the event
     * @param str       sid whose access is revoked
     * @param z         whether {@code str} is a user ({@code true}) or a group
     * @return whatever {@code remoteRequest} reports for the event
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public boolean remoteRevokeAccess(AclEntity aclEntity, String str, boolean z) {
        AccessRevokeEventNotifier event = new AccessRevokeEventNotifier("_global", aclEntity.getId(), str, z);
        return remoteRequest(event, null);
    }

    /**
     * Applies access events received from a remote node, in the order grant, batch grant, revoke.
     * Each argument may be {@code null}, in which case that step is skipped; all three may be
     * supplied in one call.
     *
     * <p>Every event is resolved against a {@code "ProjectInstance"} ACL entity by id. NOTE(review):
     * unlike the {@code remote*} senders, this method carries no {@code @PreAuthorize}; the
     * authorization is presumably enforced on the originating request, so the transport that
     * delivers these notifiers must only accept trusted nodes — confirm.
     *
     * @param accessGrantEventNotifier      single grant to apply, or {@code null}
     * @param accessBatchGrantEventNotifier batch of grants (JSON list of {@link AccessRequest}), or {@code null}
     * @param accessRevokeEventNotifier     revoke to apply, or {@code null}
     * @throws IOException propagated from JSON parsing or the ACL operations
     */
    @Transaction
    public void updateAccessFromRemote(AccessGrantEventNotifier accessGrantEventNotifier, AccessBatchGrantEventNotifier accessBatchGrantEventNotifier, AccessRevokeEventNotifier accessRevokeEventNotifier) throws IOException {
        if (Objects.nonNull(accessGrantEventNotifier)) {
            applyRemoteGrant(accessGrantEventNotifier);
        }
        if (Objects.nonNull(accessBatchGrantEventNotifier)) {
            applyRemoteBatchGrant(accessBatchGrantEventNotifier);
        }
        if (Objects.nonNull(accessRevokeEventNotifier)) {
            applyRemoteRevoke(accessRevokeEventNotifier);
        }
    }

    /** Applies one remote grant event to the matching project entity. */
    private void applyRemoteGrant(AccessGrantEventNotifier event) throws IOException {
        grant(getAclEntity("ProjectInstance", event.getEntityId()), event.getIdentifier(), event.getIsPrincipal(), event.getPermission());
    }

    /** Deserialises the JSON request list of a remote batch event and applies it. */
    private void applyRemoteBatchGrant(AccessBatchGrantEventNotifier event) throws IOException {
        List<AccessRequest> requests = JsonUtil.readValue(event.getRawAclTCRRequests(), new TypeReference<List<AccessRequest>>() {
        });
        batchGrant(requests, getAclEntity("ProjectInstance", event.getEntityId()));
    }

    /** Applies one remote revoke event to the matching project entity. */
    private void applyRemoteRevoke(AccessRevokeEventNotifier event) throws IOException {
        revokeWithSid(getAclEntity("ProjectInstance", event.getEntityId()), event.getName(), event.isPrincipal());
    }

    /**
     * Returns the groups (granted authorities) of the user in the current security context.
     *
     * @return the authenticated user's groups, or an empty list when no authentication is present
     * @throws KylinException from {@code getGroupsOfUser} when the authenticated name is unknown
     */
    public List<String> getGroupsOfCurrentUser() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return Lists.newArrayList();
        }
        return getGroupsOfUser(authentication.getName());
    }

    /**
     * Returns the groups (granted authorities) of {@code str} as a set.
     *
     * @param str user name; {@code null} yields an empty set instead of a lookup
     * @return a mutable set of the user's groups, empty for {@code null}
     * @throws KylinException from {@code getGroupsOfUser} when {@code str} is unknown
     */
    public Set<String> getGroupsOfExecuteUser(String str) {
        if (str == null) {
            return new HashSet<>();
        }
        return new HashSet<>(getGroupsOfUser(str));
    }

    /**
     * Returns the authority names of {@code str}; this service treats them as the user's groups.
     *
     * @param str user name
     * @return the user's authority names, in iteration order of {@code getAuthorities()}
     * @throws KylinException with {@link ServerErrorCode#USER_NOT_EXIST} when the user cannot be loaded
     */
    private List<String> getGroupsOfUser(String str) {
        ManagedUser managedUser = getManagedUser(str);
        if (managedUser == null) {
            throw new KylinException(ServerErrorCode.USER_NOT_EXIST, String.format(Locale.ROOT, MsgPicker.getMsg().getUserNotFound(), str));
        }
        List<String> groups = new ArrayList<>();
        managedUser.getAuthorities().forEach(authority -> groups.add(authority.getAuthority()));
        return groups;
    }

    /**
     * Loads the user {@code str}, or {@code null} when the user service knows no such user.
     *
     * @param str user name
     * @return the managed user, or {@code null}
     */
    private ManagedUser getManagedUser(String str) {
        // loadUserByUsername already yields null for an unknown user; no extra branch needed.
        return this.userService.loadUserByUsername(str);
    }

    /**
     * Picks the "higher" of two permission masks.
     *
     * <p>The ranking is not numeric: it is the fixed order 16, 32, 64, 1, mirroring the check
     * order of the original if-chain (presumably ADMINISTRATION, MANAGEMENT, OPERATION, READ —
     * TODO confirm against {@code BasePermission}/{@code AclPermission}). When both masks are
     * present and neither equals one of those four values the result is 0. A {@code null} mask
     * counts as absent: the other mask is returned unchanged, and two {@code null}s yield 0.
     *
     * @param num  first mask, may be {@code null}
     * @param num2 second mask, may be {@code null}
     * @return the winning mask per the ranking above, or 0
     */
    private Integer getGreaterPermissionMask(Integer num, Integer num2) {
        if (num == null) {
            return num2 == null ? Integer.valueOf(0) : num2;
        }
        if (num2 == null) {
            return num;
        }
        int first = num;
        int second = num2;
        // Highest-ranked value held by either side wins.
        int[] rankedMasks = {16, 32, 64, 1};
        for (int mask : rankedMasks) {
            if (first == mask || second == mask) {
                return mask;
            }
        }
        return 0;
    }

    /**
     * Single-user form of {@link #checkGlobalAdmin(List)}.
     *
     * @param str user name to check; wrapped in a singleton list (a {@code null} is passed through)
     * @throws IOException  propagated from the list form
     * @throws KylinException when {@code str} is a global admin
     */
    public void checkGlobalAdmin(String str) throws IOException {
        List<String> single = Collections.singletonList(str);
        checkGlobalAdmin(single);
    }

    /**
     * Rejects a change that would touch a global admin account.
     *
     * @param list user names the change targets (duplicates are irrelevant; a set is built)
     * @throws IOException    propagated from {@code userService.containsGlobalAdmin}
     * @throws KylinException with {@link ServerErrorCode#PERMISSION_DENIED} when any name is a global admin
     */
    public void checkGlobalAdmin(List<String> list) throws IOException {
        boolean touchesGlobalAdmin = this.userService.containsGlobalAdmin(new HashSet<>(list));
        if (!touchesGlobalAdmin) {
            return;
        }
        throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getChangeGlobaladmin());
    }

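    /**
     * Guards changes that target a "default" (super) admin account.
     *
     * <p>If {@code str} is not one of the super-admin users (compared case-insensitively), or
     * there are none, the change is allowed and the method returns. Otherwise it is allowed only
     * when {@code z} is {@code true} and the current caller is itself a super admin; every other
     * case throws. The original collected a filtered list merely to test its size; that is now a
     * plain {@code anyMatch}.
     *
     * @param str user name the change targets
     * @param z   presumably "the caller is allowed to modify a default admin" — TODO confirm with callers
     * @throws KylinException with {@link ServerErrorCode#PERMISSION_DENIED} when a super admin
     *         would be changed without the required privilege
     */
    public void checkDefaultAdmin(String str, boolean z) {
        List<String> superAdmins = this.userService.listSuperAdminUsers();
        if (org.springframework.util.CollectionUtils.isEmpty(superAdmins)) {
            return;
        }
        // Only changes that touch a super admin are restricted.
        boolean targetIsSuperAdmin = superAdmins.stream().anyMatch(admin -> admin.equalsIgnoreCase(str));
        if (!targetIsSuperAdmin) {
            return;
        }
        String currentUsername = AclPermissionUtil.getCurrentUsername();
        // Short-circuit keeps the caller lookup lazy, as in the original.
        if (!z || superAdmins.stream().noneMatch(admin -> admin.equalsIgnoreCase(currentUsername))) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getChangeDefaultadmin());
        }
    }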

    /**
     * Validates a batch of access requests: every sid must exist, and none of the user sids may
     * be a global admin.
     *
     * @param list access requests to validate
     * @throws IOException    propagated from the sid and global-admin checks
     * @throws KylinException when a sid is empty/unknown or a user sid is a global admin
     */
    public void checkAccessRequestList(List<AccessRequest> list) throws IOException {
        checkSid(list);
        // Only principal (user) sids are subject to the global-admin restriction.
        List<String> principalSids = new ArrayList<>();
        for (AccessRequest request : list) {
            if (request.isPrincipal()) {
                principalSids.add(request.getSid());
            }
        }
        checkGlobalAdmin(principalSids);
    }

    /**
     * Checks that every sid in {@code list} exists: users via the user service, groups against
     * the full group list fetched once here.
     *
     * <p>Note the observed behaviour that an empty group list throws immediately, even when every
     * request in {@code list} is a user sid.
     *
     * @param list access requests; an empty or {@code null} list passes trivially
     * @throws IOException    propagated from {@code userGroupService.getAllUserGroups}
     * @throws KylinException when no groups exist, or a request's sid is empty/unknown
     */
    public void checkSid(List<AccessRequest> list) throws IOException {
        if (CollectionUtils.isEmpty(list)) {
            return;
        }
        List<String> allUserGroups = this.userGroupService.getAllUserGroups();
        if (CollectionUtils.isEmpty(allUserGroups)) {
            throw new KylinException(ServerErrorCode.EMPTY_USERGROUP_NAME, MsgPicker.getMsg().getEmptySid());
        }
        // Snapshot the groups once so each request is checked against the same set.
        Set<String> knownGroups = new HashSet<>(allUserGroups);
        list.forEach(request -> batchCheckSid(request.getSid(), request.isPrincipal(), knownGroups));
    }

    /**
     * Rejects an empty sid with an error code that names the sid kind.
     *
     * @param str sid to check
     * @param z   {@code true} for a user sid ({@code EMPTY_USER_NAME}), {@code false} for a
     *            group sid ({@code EMPTY_USERGROUP_NAME})
     * @throws KylinException when {@code str} is {@code null} or empty
     */
    public void checkSidNotEmpty(String str, boolean z) {
        if (!StringUtils.isEmpty(str)) {
            return;
        }
        ServerErrorCode code = z ? ServerErrorCode.EMPTY_USER_NAME : ServerErrorCode.EMPTY_USERGROUP_NAME;
        throw new KylinException(code, MsgPicker.getMsg().getEmptySid());
    }

    /**
     * Ensures {@code str} is a non-empty name of an existing user.
     *
     * @param str user name
     * @throws KylinException {@code EMPTY_USER_NAME} for an empty name, {@code PERMISSION_DENIED}
     *         when the user service does not know the user
     */
    private void checkUserValid(String str) {
        if (StringUtils.isEmpty(str)) {
            throw new KylinException(ServerErrorCode.EMPTY_USER_NAME, MsgPicker.getMsg().getEmptySid());
        }
        if (this.userService.userExists(str)) {
            return;
        }
        String message = String.format(Locale.ROOT, MsgPicker.getMsg().getOperationFailedByUserNotExist(), str);
        throw new KylinException(ServerErrorCode.PERMISSION_DENIED, message);
    }

    /**
     * Ensures {@code str} is a non-empty group name contained in {@code collection}.
     *
     * @param str        group name
     * @param collection the known group names; an empty collection is rejected outright
     * @throws KylinException {@code EMPTY_USERGROUP_NAME} for an empty name or empty collection,
     *         {@code USER_GROUP_NOT_EXIST} when the name is not in the collection
     */
    private void checkGroupValid(String str, Collection<String> collection) {
        boolean missingInput = StringUtils.isEmpty(str) || CollectionUtils.isEmpty(collection);
        if (missingInput) {
            throw new KylinException(ServerErrorCode.EMPTY_USERGROUP_NAME, MsgPicker.getMsg().getEmptySid());
        }
        if (collection.contains(str)) {
            return;
        }
        throw new KylinException(ErrorCodeServer.USER_GROUP_NOT_EXIST, new Object[]{str});
    }

    /**
     * Dispatches a sid check to the user or group validator.
     *
     * @param str        sid to check
     * @param z          {@code true} for a user sid, {@code false} for a group sid
     * @param collection known group names, consulted only for group sids
     * @throws KylinException from the selected validator
     */
    public void batchCheckSid(String str, boolean z, Collection<String> collection) {
        if (z) {
            checkUserValid(str);
            return;
        }
        checkGroupValid(str, collection);
    }

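    /**
     * Ensures a single sid is non-empty and exists.
     *
     * <p>The user branch now reuses {@code checkUserValid} instead of duplicating its existence
     * check; since {@code checkSidNotEmpty} already rejected an empty name, the extra empty check
     * inside the helper is unreachable and the thrown codes are unchanged.
     *
     * @param str sid to check
     * @param z   {@code true} for a user sid, {@code false} for a group sid
     * @throws IOException    propagated from the group lookup
     * @throws KylinException when the sid is empty, the user is unknown ({@code PERMISSION_DENIED})
     *         or the group is unknown ({@code USER_GROUP_NOT_EXIST})
     */
    public void checkSid(String str, boolean z) throws IOException {
        checkSidNotEmpty(str, z);
        if (z) {
            checkUserValid(str);
            return;
        }
        if (!this.userGroupService.exists(str)) {
            throw new KylinException(ErrorCodeServer.USER_GROUP_NOT_EXIST, new Object[]{str});
        }
    }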

    /**
     * Whether {@code str} is listed among the global admins by the user service.
     *
     * @param str user name
     * @return {@code true} when the global-admin collection contains {@code str}
     * @throws IOException propagated from {@code userService.getGlobalAdmin}
     */
    public boolean isGlobalAdmin(String str) throws IOException {
        Collection<String> globalAdmins = this.userService.getGlobalAdmin();
        return globalAdmins.contains(str);
    }

    /**
     * Whether {@code str} carries the {@code "ROLE_ADMIN"} authority.
     *
     * @param str user name
     * @return {@code true} when the user's groups include {@code "ROLE_ADMIN"}
     * @throws KylinException from {@code getGroupsOfUser} when the user is unknown
     */
    public boolean hasGlobalAdminGroup(String str) {
        String adminRole = "ROLE_ADMIN";
        List<String> groups = getGroupsOfUser(str);
        return groups.contains(adminRole);
    }
}
