package org.apache.kylin.rest.security;

import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.persistence.AclEntity;
import org.apache.kylin.metadata.project.NProjectManager;
import org.apache.kylin.rest.service.AclService;
import org.apache.kylin.rest.util.AclPermissionUtil;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.domain.PermissionFactory;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:org/apache/kylin/rest/security/KylinAclPermissionEvaluator.class */
public class KylinAclPermissionEvaluator extends AclPermissionEvaluator {
    private PermissionFactory permissionFactory;

    public KylinAclPermissionEvaluator(AclService aclService, PermissionFactory permissionFactory) {
        super(aclService);
        super.setPermissionFactory(permissionFactory);
        this.permissionFactory = permissionFactory;
    }

    @Override // org.springframework.security.acls.AclPermissionEvaluator, org.springframework.security.access.PermissionEvaluator
    public boolean hasPermission(Authentication authentication, Object obj, Object obj2) {
        if (Objects.isNull(obj)) {
            return false;
        }
        if (obj instanceof String) {
            obj = NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(obj.toString());
        }
        ExternalAclProvider externalAclProvider = ExternalAclProvider.getInstance();
        if (Objects.isNull(externalAclProvider)) {
            return super.hasPermission(authentication, obj, obj2);
        }
        AclEntity aclEntity = (AclEntity) obj;
        return checkExternalPermission(externalAclProvider, authentication, aclEntity.getClass().getSimpleName(), aclEntity.getId(), obj2);
    }

    private boolean checkExternalPermission(ExternalAclProvider externalAclProvider, Authentication authentication, String str, String str2, Object obj) {
        String name = authentication.getName();
        List<String> transformAuthorities = AclPermissionUtil.transformAuthorities(authentication.getAuthorities());
        Iterator<Permission> it2 = resolveKylinPermission(obj).iterator();
        while (it2.hasNext()) {
            if (externalAclProvider.checkPermission(name, transformAuthorities, str, str2, it2.next())) {
                return true;
            }
        }
        return false;
    }

    private List<Permission> resolveKylinPermission(Object obj) {
        Permission buildFromName;
        if (obj instanceof Integer) {
            return Arrays.asList(this.permissionFactory.buildFromMask(((Integer) obj).intValue()));
        }
        if (obj instanceof Permission) {
            return Arrays.asList((Permission) obj);
        }
        if (obj instanceof Permission[]) {
            return Arrays.asList((Permission[]) obj);
        }
        if (obj instanceof String) {
            String str = (String) obj;
            try {
                buildFromName = this.permissionFactory.buildFromName(str);
            } catch (IllegalArgumentException e) {
                buildFromName = this.permissionFactory.buildFromName(str.toUpperCase(Locale.ROOT));
            }
            if (Objects.nonNull(buildFromName)) {
                return Collections.singletonList(buildFromName);
            }
        }
        throw new IllegalArgumentException("Unsupported permission: " + obj);
    }

    @Override // org.springframework.security.acls.AclPermissionEvaluator, org.springframework.security.access.PermissionEvaluator
    public boolean hasPermission(Authentication authentication, Serializable serializable, String str, Object obj) {
        ExternalAclProvider externalAclProvider = ExternalAclProvider.getInstance();
        return Objects.isNull(externalAclProvider) ? super.hasPermission(authentication, serializable, str, obj) : checkExternalPermission(externalAclProvider, authentication, str, serializable.toString(), obj);
    }
}
