package org.apache.kylin.rest.service;

import io.kyligence.kap.guava20.shaded.common.base.Preconditions;
import io.kyligence.kap.guava20.shaded.common.collect.Sets;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.ServerErrorCode;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.common.util.CaseInsensitiveStringSet;
import org.apache.kylin.metadata.epoch.EpochManager;
import org.apache.kylin.metadata.project.EnhancedUnitOfWork;
import org.apache.kylin.rest.aspect.Transaction;
import org.apache.kylin.rest.request.GlobalAccessRequest;
import org.apache.kylin.rest.request.GlobalBatchAccessRequest;
import org.apache.kylin.rest.response.UserAccessEntryResponse;
import org.apache.kylin.rest.security.AclPermission;
import org.apache.kylin.rest.security.AclPermissionFactory;
import org.apache.kylin.rest.security.AdminUserSyncEventNotifier;
import org.apache.kylin.rest.security.ExternalAclProvider;
import org.apache.kylin.rest.security.UserAcl;
import org.apache.kylin.rest.security.UserAclManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

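/**
 * Manages the global "user ACL" records that decide whether an administrator may
 * query data, either everywhere ({@code DATA_QUERY} permission mask) or in selected
 * projects (the record's data-query project list).
 *
 * <p>This listing is decompiler output for
 * {@code org/apache/kylin/rest/service/UserAclService.class}; parameter and local names
 * were chosen during review and are not the original ones.
 *
 * <p>NOTE(review): several methods contain {@code catch (IOException e) { throw e; }} in a
 * method that does not declare {@code IOException}. That shape is reproduced from the
 * bytecode unchanged so that the runtime exception type stays the same; it may not compile
 * as written and presumably stands for a sneaky-throw construct in the original source —
 * confirm and restore it before building.
 *
 * <p>NOTE(review): {@link #updateUserAclPermission}, {@link #deleteUserAcl} and the
 * {@code sync*} methods perform no check on the calling user; the grant/revoke methods do.
 * Callers of the former must already be authorised.
 */
@Component("userAclService")
public class UserAclService extends BasicService implements UserAclServiceSupporter {

    /** Name this class passes to the epoch check, the sync notifier and the metadata transaction. */
    private static final String GLOBAL_PROJECT = "_global";

    @Generated
    private static final Logger log = LoggerFactory.getLogger(UserAclService.class);

    @Autowired
    @Qualifier("userService")
    protected UserService userService;

    /** Returns the {@link UserAclManager} obtained from {@code getManager}. */
    private UserAclManager aclManager() {
        return (UserAclManager) getManager(UserAclManager.class);
    }

    /**
     * Tells whether the user's ACL record contains the mask of {@code permission}.
     *
     * @param username   user whose ACL record is looked up
     * @param permission permission whose mask is searched for
     * @return {@code false} when there is no record or it has no permission masks
     */
    public boolean hasUserAclPermission(String username, Permission permission) {
        UserAcl userAcl = aclManager().get(username);
        return userAcl != null
                && CollectionUtils.isNotEmpty(userAcl.getPermissionMasks())
                && userAcl.getPermissionMasks().contains(Integer.valueOf(permission.getMask()));
    }

    /**
     * Tells whether the logged-in user is a global admin whose ACL record lists
     * {@code project} as a data-query project.
     *
     * @param project project name to look for
     * @return {@code true} only when both conditions hold
     */
    @Override // org.apache.kylin.rest.service.UserAclServiceSupporter
    public boolean hasUserAclPermissionInProject(String project) {
        try {
            String loginUsername = getLoginUsername();
            return this.userService.isGlobalAdmin(loginUsername)
                    && hasUserAclPermissionInProject(loginUsername, project);
        } catch (IOException e) {
            throw e;
        }
    }

    /**
     * Tells whether the user's ACL record lists {@code project} as a data-query project.
     * The project name is matched with {@code contains}, i.e. exactly as stored.
     *
     * @param username user whose ACL record is looked up
     * @param project  project name to look for
     * @return {@code false} when there is no record or it lists no projects
     */
    public boolean hasUserAclPermissionInProject(String username, String project) {
        UserAcl userAcl = aclManager().get(username);
        return userAcl != null
                && CollectionUtils.isNotEmpty(userAcl.getDataQueryProjects())
                && userAcl.getDataQueryProjects().contains(project);
    }

    /**
     * Validates the target of a grant/revoke: the permission type must be
     * {@code DATA_QUERY}, the target must be an existing global admin that is not a
     * super admin, and it must not be the logged-in user.
     *
     * @param username       user whose ACL would be modified
     * @param permissionType permission type name, compared case-insensitively
     * @throws IllegalArgumentException if the permission type is not {@code DATA_QUERY}
     * @throws KylinException           if any of the target checks fails
     */
    private void checkAclPermission(String username, String permissionType) {
        Preconditions.checkArgument("DATA_QUERY".equalsIgnoreCase(permissionType), "unknown PermissionType " + permissionType);
        if (isSuperAdmin(username)) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getModifyPermissionOfSuperAdminFailed());
        }
        // Rejects empty names, so username is non-empty from here on.
        checkAdminUser(username);
        if (username.equalsIgnoreCase(getLoginUsername())) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getModifyOwnPermissionFailed());
        }
    }

    /**
     * Requires that the logged-in user passes {@link #canAdminUserQuery()}.
     *
     * @throws KylinException with {@code PERMISSION_DENIED} otherwise
     */
    private void checkLoginUserPermission() {
        if (!canAdminUserQuery()) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getGrantPermissionFailedByIllegalAuthorizingUser());
        }
    }

    /**
     * Requires that the logged-in user passes {@link #canAdminUserQuery()} or has the
     * data-query ACL for {@code project}.
     *
     * @param project project the change applies to
     * @throws KylinException with {@code PERMISSION_DENIED} otherwise
     */
    private void checkLoginUserPermissionInPrj(String project) {
        if (!canAdminUserQuery() && !hasUserAclPermissionInProject(project)) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getGrantPermissionFailedByIllegalAuthorizingUser());
        }
    }

    /**
     * Grants {@code permissionType} to every user named in the request.
     *
     * @param globalBatchAccessRequest request carrying the user name list
     * @param permissionType           permission type name
     */
    @Transaction
    public void grantUserAclPermission(GlobalBatchAccessRequest globalBatchAccessRequest, String permissionType) {
        globalBatchAccessRequest.getUsernameList()
                .forEach(username -> grantUserAclPermission(username, permissionType));
    }

    /**
     * Grants {@code permissionType} to the user named in the request.
     *
     * @param globalAccessRequest request carrying the user name
     * @param permissionType      permission type name
     */
    @Transaction
    public void grantUserAclPermission(GlobalAccessRequest globalAccessRequest, String permissionType) {
        grantUserAclPermission(globalAccessRequest.getUsername(), permissionType);
    }

    /**
     * Grants {@code permissionType} to {@code username} after validating the target and
     * the logged-in user.
     *
     * @param username       user receiving the permission
     * @param permissionType permission type name; upper-cased with {@link Locale#ROOT}
     *                       before the permission lookup
     * @throws KylinException if the target or the logged-in user fails a check
     */
    @Transaction
    public void grantUserAclPermission(String username, String permissionType) {
        // NOTE(review): the target checks run before the caller's own authorisation check,
        // so a caller who is going to be denied still receives an error that depends on the
        // target (unknown user, not an admin, super admin). Confirm the REST layer restricts
        // this operation, or consider checking the caller first.
        checkAclPermission(username, permissionType);
        checkLoginUserPermission();
        aclManager().addPermission(username, AclPermissionFactory.getPermission(permissionType.toUpperCase(Locale.ROOT)));
    }

    /**
     * Adds the request's project to the data-query projects of the request's user.
     *
     * @param globalAccessRequest request carrying user name and project
     * @param permissionType      permission type name; must be {@code DATA_QUERY}
     * @throws KylinException if the target or the logged-in user fails a check
     */
    @Transaction
    public void addProjectToUserAcl(GlobalAccessRequest globalAccessRequest, String permissionType) {
        checkAclPermission(globalAccessRequest.getUsername(), permissionType);
        checkLoginUserPermissionInPrj(globalAccessRequest.getProject());
        aclManager().addDataQueryProject(globalAccessRequest.getUsername(), globalAccessRequest.getProject());
    }

    /**
     * Revokes {@code permissionType} from every user named in the request.
     *
     * @param globalBatchAccessRequest request carrying the user name list
     * @param permissionType           permission type name
     */
    @Transaction
    public void revokeUserAclPermission(GlobalBatchAccessRequest globalBatchAccessRequest, String permissionType) {
        globalBatchAccessRequest.getUsernameList()
                .forEach(username -> revokeUserAclPermission(username, permissionType));
    }

    /**
     * Revokes {@code permissionType} from the user named in the request.
     *
     * @param globalAccessRequest request carrying the user name
     * @param permissionType      permission type name
     */
    @Transaction
    public void revokeUserAclPermission(GlobalAccessRequest globalAccessRequest, String permissionType) {
        revokeUserAclPermission(globalAccessRequest.getUsername(), permissionType);
    }

    /**
     * Revokes {@code permissionType} from {@code username} after validating the target
     * and the logged-in user.
     *
     * @param username       user losing the permission
     * @param permissionType permission type name; upper-cased with {@link Locale#ROOT}
     *                       before the permission lookup
     * @throws KylinException if the target or the logged-in user fails a check
     */
    @Transaction
    public void revokeUserAclPermission(String username, String permissionType) {
        checkAclPermission(username, permissionType);
        checkLoginUserPermission();
        UserAclManager manager = aclManager();
        manager.deletePermission(username, AclPermissionFactory.getPermission(permissionType.toUpperCase(Locale.ROOT)));
        // If no record is left after the delete, store one with an empty permission set so
        // the user still has an explicit entry.
        if (!manager.exists(username)) {
            manager.addPermission(username, Collections.emptySet());
        }
    }

    /**
     * Removes the request's project from the data-query projects of the request's user.
     *
     * @param globalAccessRequest request carrying user name and project
     * @param permissionType      permission type name; must be {@code DATA_QUERY}
     * @throws KylinException if the target or the logged-in user fails a check
     */
    @Transaction
    public void deleteProjectFromUserAcl(GlobalAccessRequest globalAccessRequest, String permissionType) {
        checkAclPermission(globalAccessRequest.getUsername(), permissionType);
        checkLoginUserPermissionInPrj(globalAccessRequest.getProject());
        aclManager().deleteDataQueryProject(globalAccessRequest.getUsername(), globalAccessRequest.getProject());
    }

    /**
     * Lists the ACL entries of users that {@code userService.listAdminUsers()} reports,
     * matching user names case-insensitively.
     *
     * @return one response per matching ACL record; an empty list if reading the admin
     *         users fails with {@link IOException} (the error is logged)
     */
    public List<UserAccessEntryResponse> listUserAcl() {
        try {
            List<String> adminUsers = new ArrayList<>(this.userService.listAdminUsers());
            Map<String, UserAccessEntryResponse> entriesByUser = aclManager().listUserAcl().stream()
                    .filter(userAcl -> adminUsers.stream()
                            .anyMatch(admin -> admin.equalsIgnoreCase(userAcl.getUsername())))
                    .collect(Collectors.toMap(UserAcl::getUsername, this::createUserAccessEntryResponse));
            // NOTE(review): the body of this loop is empty in the decompiled listing, so super
            // admins get no special entry here. The original source probably adds or overrides
            // their entries — restore it from source rather than guessing.
            new CaseInsensitiveStringSet(new HashSet<String>(this.userService.listSuperAdminUsers())).forEach(superAdmin -> {
            });
            return new ArrayList<>(entriesByUser.values());
        } catch (IOException e) {
            log.error("listAdminUsers error", e);
            return Collections.emptyList();
        }
    }

    /**
     * Builds the response for one ACL record, converting each permission mask with
     * {@code ExternalAclProvider.convertToExternalPermission}.
     *
     * @param userAcl record to convert
     * @return response holding user name, converted permissions and data-query projects
     */
    private UserAccessEntryResponse createUserAccessEntryResponse(UserAcl userAcl) {
        return new UserAccessEntryResponse(
                userAcl.getUsername(),
                CollectionUtils.isEmpty(userAcl.getPermissionMasks())
                        ? Collections.emptyList()
                        : userAcl.getPermissionMasks().stream()
                                .map(ExternalAclProvider::convertToExternalPermission)
                                .collect(Collectors.toList()),
                userAcl.getDataQueryProjects());
    }

    /**
     * Requires that {@code username} is non-empty, exists and is a global admin.
     *
     * @param username user to validate
     * @throws KylinException {@code EMPTY_USER_NAME} for an empty name, otherwise
     *                        {@code PERMISSION_DENIED}
     */
    private void checkAdminUser(String username) {
        try {
            if (StringUtils.isEmpty(username)) {
                throw new KylinException(ServerErrorCode.EMPTY_USER_NAME, MsgPicker.getMsg().getEmptySid());
            }
            if (!this.userService.userExists(username)) {
                throw new KylinException(ServerErrorCode.PERMISSION_DENIED, String.format(Locale.ROOT, MsgPicker.getMsg().getOperationFailedByUserNotExist(), username));
            }
            if (!this.userService.isGlobalAdmin(username)) {
                throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getGrantPermissionFailedByNonSystemAdmin());
            }
        } catch (IOException e) {
            throw e;
        }
    }

    /**
     * Tells whether {@code username} is among {@code userService.listSuperAdminUsers()},
     * compared case-insensitively.
     *
     * @param username user to test; {@code null} yields {@code false}
     * @return {@code false} when the super-admin list is empty
     */
    @Override // org.apache.kylin.rest.service.UserAclServiceSupporter
    public boolean isSuperAdmin(String username) {
        List<String> superAdmins = this.userService.listSuperAdminUsers();
        return CollectionUtils.isNotEmpty(superAdmins)
                && superAdmins.stream().anyMatch(superAdmin -> superAdmin.equalsIgnoreCase(username));
    }

    /**
     * Applies {@link #canAdminUserQuery(String)} to the logged-in user.
     *
     * @return whether the logged-in user may query data as an administrator
     */
    @Override // org.apache.kylin.rest.service.UserAclServiceSupporter
    public boolean canAdminUserQuery() {
        return canAdminUserQuery(getLoginUsername());
    }

    /**
     * Tells whether {@code username} is a super admin, or a global admin that holds the
     * {@code DATA_QUERY} permission.
     *
     * <p>NOTE(review): the decompiler could not produce this body and emitted a stub that
     * always threw {@link UnsupportedOperationException}, which made every grant/revoke
     * check fail. The logic below is reconstructed from the instruction dump that
     * accompanied the stub; verify it against the original source.
     *
     * @param username user to test
     * @return {@code true} for a super admin or a global admin with {@code DATA_QUERY}
     */
    @Override // org.apache.kylin.rest.service.UserAclServiceSupporter
    public boolean canAdminUserQuery(String username) {
        try {
            return isSuperAdmin(username)
                    || (this.userService.isGlobalAdmin(username)
                            && hasUserAclPermission(username, AclPermission.DATA_QUERY));
        } catch (IOException e) {
            throw e;
        }
    }

    /**
     * Returns the name of the authentication held by the current security context.
     *
     * <p>NOTE(review): throws {@link NullPointerException} when the context holds no
     * authentication; confirm every caller runs behind an authenticated request.
     */
    private String getLoginUsername() {
        return SecurityContextHolder.getContext().getAuthentication().getName();
    }

    /**
     * Denies access when the logged-in user is a global admin that has neither the
     * {@code DATA_QUERY} permission nor the data-query ACL for {@code project}.
     *
     * <p>A logged-in user that is not a global admin always passes this check, so it must
     * not be used as the only access check for such users.
     *
     * @param project project being accessed
     * @throws AccessDeniedException (empty message) when the admin lacks both grants
     */
    @Override // org.apache.kylin.rest.service.UserAclServiceSupporter
    public void checkAdminUserPermission(String project) {
        try {
            String loginUsername = getLoginUsername();
            boolean adminWithoutDataQuery = this.userService.isGlobalAdmin(loginUsername)
                    && !hasUserAclPermission(loginUsername, AclPermission.DATA_QUERY)
                    && !hasUserAclPermissionInProject(loginUsername, project);
            if (adminWithoutDataQuery) {
                throw new AccessDeniedException("");
            }
        } catch (IOException e) {
            throw e;
        }
    }

    /**
     * Aligns the ACL record with the user's {@code ROLE_ADMIN} authority: deletes the
     * record of a user that is not an admin, and creates one for an admin that has none.
     * A new record holds {@code permission} when
     * {@code isDataPermissionDefaultEnabled()} is true, otherwise an empty set.
     *
     * <p>No check on the calling user is made here.
     *
     * @param userDetails user whose authorities are inspected
     * @param permission  permission given to a newly created record when enabled by config
     */
    @Transaction
    public void updateUserAclPermission(UserDetails userDetails, Permission permission) {
        UserAclManager manager = aclManager();
        boolean admin = isRoleAdmin(userDetails);
        boolean hasRecord = manager.exists(userDetails.getUsername());
        if (!admin && hasRecord) {
            manager.delete(userDetails.getUsername());
        } else if (admin && !hasRecord) {
            manager.addPermission(userDetails.getUsername(),
                    KylinConfig.getInstanceFromEnv().isDataPermissionDefaultEnabled()
                            ? Sets.newHashSet(new Permission[]{permission})
                            : Collections.emptySet());
        }
    }

    /** Tells whether the user's authorities contain {@code ROLE_ADMIN}. */
    private boolean isRoleAdmin(UserDetails userDetails) {
        return userDetails.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"));
    }

    /**
     * Deletes the ACL record of {@code username}. No check on the calling user or on the
     * target is made here.
     *
     * @param username user whose record is removed
     */
    @Transaction
    public void deleteUserAcl(String username) {
        aclManager().delete(username);
    }

    /**
     * Sets the notifier's project to {@code _global} and forwards it via
     * {@code remoteRequest} with an empty second argument.
     *
     * @param adminUserSyncEventNotifier event to forward
     */
    public void remoteSyncAdminUserAcl(AdminUserSyncEventNotifier adminUserSyncEventNotifier) {
        adminUserSyncEventNotifier.setProject(GLOBAL_PROJECT);
        remoteRequest(adminUserSyncEventNotifier, "");
    }

    /** Tells whether the configured security profile is {@code custom}. */
    private static boolean isCustomProfile() {
        return "custom".equals(KylinConfig.getInstanceFromEnv().getSecurityProfile());
    }

    /**
     * Synchronises ACL records according to the security profile: {@code ldap} syncs super
     * admins and then all admins; any other non-custom profile syncs super admins only.
     */
    public void syncAdminUserAcl() {
        try {
            KylinConfig config = KylinConfig.getInstanceFromEnv();
            if (isCustomProfile()) {
                // Result is discarded. NOTE(review): presumably called for a side effect of
                // listAdminUsers() under the custom profile — confirm against the source.
                this.userService.listAdminUsers();
            } else if ("ldap".equals(config.getSecurityProfile())) {
                syncSuperAdminUserAcl();
                syncAdminUserAcl(this.userService.listAdminUsers(), true);
            } else {
                syncSuperAdminUserAcl();
            }
        } catch (IOException e) {
            throw e;
        }
    }

    /**
     * Adds an ACL record for every super admin that lacks the {@code DATA_QUERY}
     * permission. Does nothing when there are no super admins, when this node fails the
     * epoch-owner check for {@code _global}, or when all of them already have it.
     */
    public void syncSuperAdminUserAcl() {
        List<String> superAdmins = this.userService.listSuperAdminUsers();
        if (CollectionUtils.isEmpty(superAdmins)
                || !EpochManager.getInstance().checkEpochOwner(GLOBAL_PROJECT)
                || superAdmins.stream().allMatch(user -> hasUserAclPermission(user, AclPermission.DATA_QUERY))) {
            return;
        }
        EnhancedUnitOfWork.doInTransactionWithCheckAndRetry(() -> {
            UserAclManager manager = UserAclManager.getInstance(KylinConfig.getInstanceFromEnv());
            superAdmins.stream()
                    .filter(user -> !hasUserAclPermission(user, AclPermission.DATA_QUERY))
                    .forEach(manager::add);
            return null;
        }, GLOBAL_PROJECT, 1);
    }

    /**
     * Makes the set of ACL records match {@code adminUsers}: creates records for admins
     * that have none and deletes records of users that are no longer listed. Does nothing
     * when the list is empty or this node fails the epoch-owner check for {@code _global}.
     *
     * <p>NOTE(review): the two name lists are compared case-sensitively, while other user
     * name checks in this class use {@code equalsIgnoreCase}. Confirm both sources use the
     * same casing; otherwise a record could be deleted for a user that is still an admin.
     *
     * @param adminUsers         current admin user names
     * @param useEmptyPermission when {@code true}, a new record for a user that is not a
     *                           super admin gets an empty permission set unless
     *                           {@code isDataPermissionDefaultEnabled()} is true
     */
    public void syncAdminUserAcl(List<String> adminUsers, boolean useEmptyPermission) {
        // Read before the epoch check and outside the transaction, as in the original.
        List<String> aclUsernames = UserAclManager.getInstance(KylinConfig.getInstanceFromEnv()).listAclUsernames();
        if (CollectionUtils.isEmpty(adminUsers) || !EpochManager.getInstance().checkEpochOwner(GLOBAL_PROJECT)) {
            return;
        }
        EnhancedUnitOfWork.doInTransactionWithCheckAndRetry(() -> {
            List<String> toAdd = getIntersect(adminUsers, aclUsernames);
            if (CollectionUtils.isNotEmpty(toAdd)) {
                KylinConfig config = KylinConfig.getInstanceFromEnv();
                UserAclManager manager = UserAclManager.getInstance(config);
                log.info("adminUserAclAddList:{}", toAdd);
                toAdd.stream()
                        .filter(user -> !manager.exists(user))
                        .forEach(user -> {
                            if (isSuperAdmin(user) || !useEmptyPermission || config.isDataPermissionDefaultEnabled()) {
                                manager.add(user);
                            } else {
                                manager.addPermission(user, Collections.emptySet());
                            }
                        });
            }
            List<String> toRemove = getIntersect(aclUsernames, adminUsers);
            if (CollectionUtils.isNotEmpty(toRemove)) {
                UserAclManager manager = UserAclManager.getInstance(KylinConfig.getInstanceFromEnv());
                log.info("adminUserAclRemoveList:{}", toRemove);
                toRemove.forEach(manager::delete);
            }
            return null;
        }, GLOBAL_PROJECT, 1);
    }

    /**
     * Returns the elements of {@code list} that are not in {@code list2}. Despite the
     * name this is a difference, not an intersection; neither argument is modified.
     *
     * @param list  elements to keep
     * @param list2 elements to drop
     * @return a new list
     */
    private List<String> getIntersect(List<String> list, List<String> list2) {
        List<String> remaining = new ArrayList<>(list);
        remaining.removeAll(list2);
        return remaining;
    }
}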
