package org.apache.kylin.tool.upgrade;

import java.io.File;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.io.FileUtils;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.persistence.ResourceStore;
import org.apache.kylin.common.util.CliCommandExecutor;
import org.apache.kylin.common.util.ExecutableApplication;
import org.apache.kylin.common.util.OptionBuilder;
import org.apache.kylin.common.util.OptionsHelper;
import org.apache.kylin.common.util.ShellException;
import org.apache.kylin.helper.UpdateUserAclToolHelper;
import org.apache.kylin.job.shaded.org.apache.commons.lang3.StringUtils;
import org.apache.kylin.metadata.project.EnhancedUnitOfWork;
import org.apache.kylin.metadata.upgrade.GlobalAclVersion;
import org.apache.kylin.metadata.upgrade.GlobalAclVersionManager;
import org.apache.kylin.metadata.user.NKylinUserManager;
import org.apache.kylin.rest.constant.Constant;
import org.apache.kylin.rest.security.AclManager;
import org.apache.kylin.rest.security.AclPermission;
import org.apache.kylin.rest.security.AclPermissionFactory;
import org.apache.kylin.rest.security.KylinPermissionGrantingStrategy;
import org.apache.kylin.rest.security.UserAcl;
import org.apache.kylin.rest.security.UserAclManager;
import org.apache.kylin.rest.util.AclPermissionUtil;
import org.apache.kylin.shaded.influxdb.org.influxdb.querybuilder.time.DurationLiteral;
import org.apache.kylin.tool.MaintainModeTool;
import org.apache.kylin.tool.util.ScreenPrintUtil;
import org.postgresql.util.DriverInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/* loaded from: input_file:org/apache/kylin/tool/upgrade/UpdateUserAclTool.class */
public class UpdateUserAclTool extends ExecutableApplication {
    public static final String UPGRADE = "upgrade";

    @Generated
    private static final Logger log = LoggerFactory.getLogger(UpdateUserAclTool.class);
    private static final Option OPTION_SCRIPT = OptionBuilder.getInstance().hasArg(true).withDescription("the identify of script").isRequired(true).withLongOpt("script").create(DurationLiteral.SECOND);
    private static final Option OPTION_OLD_KYLIN_VERSION = OptionBuilder.getInstance().hasArg(true).withDescription("old kylin version").isRequired(false).withLongOpt("old_kylin_version").create("v");
    private static final Option OPTION_KYLIN_HOME = OptionBuilder.getInstance().hasArg(true).withDescription("kylin home").isRequired(true).withLongOpt("kylin_home").create(DurationLiteral.HOUR);
    public static final String ROLLBACK = "rollback";
    private static final Option OPTION_ROLLBACK = OptionBuilder.getInstance().hasArg(false).withDescription("rollback the user acl").isRequired(false).withLongOpt(ROLLBACK).create("r");
    private static final Option OPTION_FORCE_UPGRADE = OptionBuilder.getInstance().hasArg(false).withDescription("force upgrade").isRequired(false).withLongOpt("force").create("f");
    private static final Pattern VERSION_PATTERN = Pattern.compile("\\d+\\.\\d+.*");

    public static void main(String[] strArr) {
        try {
            UpdateUserAclTool updateUserAclTool = new UpdateUserAclTool();
            if (updateUserAclTool.matchUpgradeCondition(strArr)) {
                log.info("Start update user acl metadata.");
                updateUserAclTool.execute(strArr);
                log.info("Update user acl metadata successfully.");
            } else {
                log.info("Skip update the acl metadata.");
            }
        } catch (Throwable th) {
            log.error("Update user acl metadata failed.", th);
            ScreenPrintUtil.systemExitWhenMainThread(1);
        }
        ScreenPrintUtil.systemExitWhenMainThread(0);
    }

    public boolean matchUpgradeCondition(String[] strArr) {
        if (KylinConfig.getInstanceFromEnv().isQueryNodeOnly()) {
            log.info("Only job/all node can update user acl.");
            return false;
        }
        OptionsHelper convertToOptionsHelper = convertToOptionsHelper(strArr);
        String optionValue = convertToOptionsHelper.getOptionValue(OPTION_SCRIPT);
        log.info("scriptIdentify={}", optionValue);
        if ("migrate".equalsIgnoreCase(optionValue)) {
            String optionValue2 = convertToOptionsHelper.getOptionValue(OPTION_OLD_KYLIN_VERSION);
            String optionValue3 = convertToOptionsHelper.getOptionValue(OPTION_KYLIN_HOME);
            log.info("oldKylinVersion={}", optionValue2);
            log.info("newKylinHome={}", optionValue3);
            if (VERSION_PATTERN.matcher(optionValue2.trim()).matches()) {
                return isDataPermissionSeparateVersion(optionValue3) && compareVersion(optionValue2, DriverInfo.JDBC_VERSION) >= 0 && compareVersion(optionValue2, "4.5.19") < 0;
            }
            throw new IllegalArgumentException("oldKylinVersion=" + optionValue2);
        }
        if (!UPGRADE.equalsIgnoreCase(optionValue)) {
            throw new IllegalArgumentException("unknown script identify=" + optionValue);
        }
        try {
            String optionValue4 = convertToOptionsHelper.getOptionValue(OPTION_KYLIN_HOME);
            log.info("kylinHome={}", optionValue4);
            File file = new File(optionValue4 + ResourceStore.VERSION_FILE);
            String parseVersion = parseVersion(FileUtils.readFileToString(file, StandardCharsets.UTF_8));
            log.info("version={}", parseVersion);
            if (file.exists() && compareVersion(parseVersion, DriverInfo.JDBC_VERSION) >= 0) {
                if (!isDataPermissionSeparateVersion(optionValue4)) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            log.error("matchUpgradeCondition error", e);
            return false;
        }
    }

    private boolean isDataPermissionSeparateVersion(String str) {
        try {
            String format = String.format(Locale.ROOT, "grep %s %s/server/jars/*.jar", UserAcl.class.getName(), str);
            log.info("command = {}", format);
            return new CliCommandExecutor().execute(format, null).getCode() == 0;
        } catch (ShellException e) {
            log.warn("execute command failed.", e);
            return false;
        }
    }

    @Override // org.apache.kylin.common.util.ExecutableApplication
    protected Options getOptions() {
        Options options = new Options();
        options.addOption(OPTION_SCRIPT);
        options.addOption(OPTION_OLD_KYLIN_VERSION);
        options.addOption(OPTION_KYLIN_HOME);
        options.addOption(OPTION_ROLLBACK);
        options.addOption(OPTION_FORCE_UPGRADE);
        return options;
    }

    @Override // org.apache.kylin.common.util.ExecutableApplication
    protected void execute(OptionsHelper optionsHelper) throws Exception {
        if (UpdateUserAclToolHelper.getInstance().isUpgraded() && !optionsHelper.hasOption(OPTION_ROLLBACK) && !optionsHelper.hasOption(OPTION_FORCE_UPGRADE)) {
            log.info("The acl related metadata have been upgraded.");
            return;
        }
        MaintainModeTool maintainModeTool = new MaintainModeTool("update user acl");
        try {
            maintainModeTool.init();
            maintainModeTool.markEpochs();
            if (optionsHelper.hasOption(OPTION_ROLLBACK)) {
                updateAdminUserAcl(ROLLBACK, getAdminUsers());
                updateProjectAcl(ROLLBACK);
                removeAclVersion();
            } else {
                updateAdminUserAcl(UPGRADE, getAdminUsers());
                updateProjectAcl(UPGRADE);
                addAclVersion();
            }
        } finally {
            maintainModeTool.releaseEpochs();
        }
    }

    public boolean isAdminUserUpgraded() {
        return UserAclManager.getInstance(KylinConfig.getInstanceFromEnv()).listAclUsernames().size() > 0;
    }

    private Set<String> getAdminUsers() {
        String lowerCase = KylinConfig.getInstanceFromEnv().getSecurityProfile().toLowerCase(Locale.ROOT);
        HashSet hashSet = new HashSet();
        boolean z = -1;
        switch (lowerCase.hashCode()) {
            case -1422446064:
                if (lowerCase.equals("testing")) {
                    z = false;
                    break;
                }
                break;
            case -1349088399:
                if (lowerCase.equals("custom")) {
                    z = 2;
                    break;
                }
                break;
            case 3316647:
                if (lowerCase.equals("ldap")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                hashSet.addAll(getKylinAdminUsers());
                break;
            case true:
                hashSet.addAll(getLdapAdminUsers());
                break;
            case true:
                break;
            default:
                throw new IllegalArgumentException("Unsupported kylin.security.profile=" + lowerCase);
        }
        return hashSet;
    }

    public void updateAdminUserAcl(String str, Set<String> set) {
        if (set.isEmpty()) {
            return;
        }
        log.info("start to {} query permission for system admin user.", str);
        UserAcl userAcl = new UserAcl("");
        EnhancedUnitOfWork.doInTransactionWithCheckAndRetry(() -> {
            UserAclManager userAclManager = UserAclManager.getInstance(KylinConfig.getInstanceFromEnv());
            set.forEach(str2 -> {
                UserAcl userAcl2 = (UserAcl) Optional.ofNullable(userAclManager.get(str2)).orElse(userAcl);
                if (UPGRADE.equalsIgnoreCase(str) && !userAcl2.hasPermission(AclPermission.DATA_QUERY)) {
                    log.info("add query permission for sys admin user {}", str2);
                    userAclManager.add(str2);
                } else if (ROLLBACK.equalsIgnoreCase(str) && userAcl2.hasPermission(AclPermission.DATA_QUERY)) {
                    log.info("remove query permission for sys admin user {}", str2);
                    userAclManager.delete(str2);
                }
            });
            return null;
        }, "_global", 1);
        log.info("{} query permission for system admin user successfully.", StringUtils.capitalize(str));
    }

    private static List<String> getKylinAdminUsers() {
        return (List) NKylinUserManager.getInstance(KylinConfig.getInstanceFromEnv()).list().stream().filter(managedUser -> {
            return managedUser.getAuthorities().contains(new SimpleGrantedAuthority(Constant.ROLE_ADMIN));
        }).map((v0) -> {
            return v0.getUsername();
        }).collect(Collectors.toList());
    }

    public Set<String> getLdapAdminUsers() {
        return UpdateUserAclToolHelper.getInstance().getLdapAdminUsers();
    }

    public void updateProjectAcl(String str) {
        EnhancedUnitOfWork.doInTransactionWithCheckAndRetry(() -> {
            AclManager createAclManager = createAclManager();
            createAclManager.listAll().forEach(aclRecord -> {
                log.info("start to {} query permission for _global/acl/{}.", str, aclRecord.getUuid());
                List<AccessControlEntry> entries = aclRecord.getEntries();
                HashMap hashMap = new HashMap();
                entries.forEach(accessControlEntry -> {
                    boolean hasQueryPermission = AclPermissionUtil.hasQueryPermission(accessControlEntry.getPermission());
                    if (UPGRADE.equalsIgnoreCase(str) && !hasQueryPermission) {
                        hashMap.putIfAbsent(accessControlEntry.getSid(), AclPermissionUtil.addExtPermission(accessControlEntry.getPermission(), AclPermission.DATA_QUERY));
                    } else if (ROLLBACK.equalsIgnoreCase(str) && hasQueryPermission) {
                        hashMap.putIfAbsent(accessControlEntry.getSid(), AclPermissionUtil.convertToBasePermission(accessControlEntry.getPermission()));
                    }
                });
                createAclManager.batchUpsertAce(createAclManager.readAcl(aclRecord.getObjectIdentity()), hashMap);
                log.info("{} query permission for _global/acl/{} successfully.", StringUtils.capitalize(str), aclRecord.getUuid());
            });
            return null;
        }, "_global", 1);
    }

    public void addAclVersion() {
        EnhancedUnitOfWork.doInTransactionWithCheckAndRetry(() -> {
            GlobalAclVersionManager globalAclVersionManager = GlobalAclVersionManager.getInstance(KylinConfig.getInstanceFromEnv());
            GlobalAclVersion globalAclVersion = new GlobalAclVersion();
            globalAclVersion.setAclVersion(GlobalAclVersion.DATA_PERMISSION_SEPARATE);
            globalAclVersionManager.save(globalAclVersion);
            return null;
        }, "_global", 1);
    }

    public void removeAclVersion() {
        EnhancedUnitOfWork.doInTransactionWithCheckAndRetry(() -> {
            GlobalAclVersionManager.getInstance(KylinConfig.getInstanceFromEnv()).delete();
            return null;
        }, "_global", 1);
    }

    private AclManager createAclManager() {
        return new AclManager(KylinConfig.getInstanceFromEnv(), new AclPermissionFactory(), new KylinPermissionGrantingStrategy(new ConsoleAuditLogger()));
    }

    public String parseVersion(String str) {
        return str.substring(str.indexOf("Enterprise") + 11, str.lastIndexOf("-") == -1 ? str.length() : str.lastIndexOf("-")).trim();
    }

    public int compareVersion(String str, String str2) {
        if (StringUtils.isEmpty(str)) {
            return -1;
        }
        if (StringUtils.isEmpty(str2)) {
            return 1;
        }
        String[] split = str.split("[._]");
        String[] split2 = str2.split("[._]");
        int min = Math.min(split.length, split2.length);
        long j = 0;
        int i = 0;
        while (i < min) {
            long parseLong = Long.parseLong(split[i]) - Long.parseLong(split2[i]);
            j = parseLong;
            if (parseLong != 0) {
                break;
            }
            i++;
        }
        if (j != 0) {
            return j > 0 ? 1 : -1;
        }
        for (int i2 = i; i2 < split.length; i2++) {
            if (Long.parseLong(split[i2]) > 0) {
                return 1;
            }
        }
        for (int i3 = i; i3 < split2.length; i3++) {
            if (Long.parseLong(split2[i3]) > 0) {
                return -1;
            }
        }
        return 0;
    }
}
