package org.apache.kylin.rest.util;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.collections.CollectionUtils;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.QueryContext;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.ServerErrorCode;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.common.persistence.AclEntity;
import org.apache.kylin.metadata.project.NProjectManager;
import org.apache.kylin.rest.constant.Constant;
import org.apache.kylin.rest.security.AclEntityFactory;
import org.apache.kylin.rest.security.AclEntityType;
import org.apache.kylin.rest.security.AclManager;
import org.apache.kylin.rest.security.AclPermission;
import org.apache.kylin.rest.security.AclPermissionFactory;
import org.apache.kylin.rest.security.CompositeAclPermission;
import org.apache.kylin.rest.security.MutableAclRecord;
import org.apache.kylin.rest.security.ObjectIdentityImpl;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:org/apache/kylin/rest/util/AclPermissionUtil.class */
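/**
 * Static helpers for project-level ACL decisions: who the current caller is, which of the
 * caller's groups appear in a project's ACL, and whether a user or group holds a given
 * permission mask on a project.
 *
 * <p>Methods that take no explicit user read the caller from
 * {@link SecurityContextHolder}; when no {@link Authentication} is bound to the current
 * context they answer "not permitted" rather than throwing.
 *
 * <p>NOTE(review): permission matching never consults {@link AccessControlEntry#isGranting()},
 * so every entry whose mask overlaps is treated as a grant. Confirm the ACL store cannot hold
 * deny entries.
 */
public class AclPermissionUtil {
    private AclPermissionUtil() {
    }

    /**
     * Extracts the distinct authority strings from {@code collection}, keeping first-seen order.
     *
     * @param collection authorities to convert; must not be {@code null}
     * @return a new mutable list of authority names without duplicates
     */
    public static List<String> transformAuthorities(Collection<? extends GrantedAuthority> collection) {
        return collection.stream()
                .map(GrantedAuthority::getAuthority)
                .distinct()
                .collect(Collectors.toCollection(ArrayList::new));
    }

    /**
     * Returns the name of the authentication bound to the current security context.
     *
     * @return the caller's name, or {@code null} when no authentication is present
     */
    public static String getCurrentUsername() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return Objects.isNull(authentication) ? null : authentication.getName();
    }

    /**
     * Reads the ACL record attached to a project.
     *
     * @param str project identifier handed to {@code NProjectManager.getProject}
     * @return whatever {@code AclManager.readAcl} returns for the project's UUID
     */
    public static MutableAclRecord getProjectAcl(String str) {
        KylinConfig config = KylinConfig.getInstanceFromEnv();
        AclManager aclManager = AclManager.getInstance(config);
        // NOTE(review): the getProject(...) result is dereferenced without a null check;
        // confirm how an unknown project identifier is rejected before reaching this point.
        AclEntity projectEntity = (AclEntity) AclEntityFactory.createAclEntity(AclEntityType.PROJECT_INSTANCE,
                NProjectManager.getInstance(config).getProject(str).getUuid());
        return aclManager.readAcl(new ObjectIdentityImpl(projectEntity));
    }

    /**
     * Narrows {@code set} to the groups that have an entry in the project ACL.
     *
     * <p>When {@code mutableAclRecord} is {@code null} the input set is returned unfiltered.
     * The permission checks in this class deny access for a {@code null} ACL, so nothing is
     * granted on that path here; other callers must not read the unfiltered result as
     * "these groups are in the project".
     *
     * @param set              the caller's groups; {@code null} is treated as "no groups"
     * @param mutableAclRecord the project ACL, may be {@code null}
     * @return the subset of {@code set} named by non-principal entries of the ACL
     */
    public static Set<String> filterGroupsInProject(Set<String> set, MutableAclRecord mutableAclRecord) {
        if (Objects.isNull(mutableAclRecord)) {
            return set;
        }
        if (Objects.isNull(set)) {
            // No groups supplied: nothing can match a group entry.
            return Collections.emptySet();
        }
        Set<String> groupsInAcl = filterGroupsInProject(mutableAclRecord);
        return set.stream().filter(groupsInAcl::contains).collect(Collectors.toSet());
    }

    /**
     * Collects the names of all non-principal (group) SIDs in the ACL.
     *
     * @param mutableAclRecord the project ACL, may be {@code null}
     * @return group names found in the ACL; empty when the ACL is {@code null}
     */
    public static Set<String> filterGroupsInProject(MutableAclRecord mutableAclRecord) {
        if (Objects.isNull(mutableAclRecord)) {
            return Collections.emptySet();
        }
        // A sequential stream is enough here and keeps this work off the shared common pool.
        return mutableAclRecord.getEntries().stream()
                .map(AccessControlEntry::getSid)
                .filter(sid -> !(sid instanceof PrincipalSid))
                .map(AclPermissionUtil::getName)
                .collect(Collectors.toSet());
    }

    /**
     * Tells whether {@code set} contains the global admin role.
     *
     * @param set group/authority names, may be {@code null}
     * @return {@code true} only when an element equals {@code Constant.ROLE_ADMIN} exactly
     */
    public static boolean isAdmin(Set<String> set) {
        // Exact String equality on purpose: Set.contains could apply a looser comparison
        // (for example a case-insensitive sorted set) and widen who counts as admin.
        return Objects.nonNull(set) && set.stream().anyMatch(Constant.ROLE_ADMIN::equals);
    }

    /**
     * Tells whether the permission named {@code str} is the project ADMINISTRATION permission.
     *
     * @param str permission name resolved through {@code AclPermissionFactory.getPermission}
     */
    public static boolean isProjectAdminPermission(String str) {
        return AclPermission.ADMINISTRATION.equals(AclPermissionFactory.getPermission(str));
    }

    /**
     * Tells whether the current caller carries the global admin role.
     *
     * @return {@code false} when no authentication is bound to the security context
     */
    public static boolean isAdmin() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return Objects.nonNull(authentication)
                && authentication.getAuthorities().stream()
                        .map(GrantedAuthority::getAuthority)
                        .anyMatch(Constant.ROLE_ADMIN::equals);
    }

    /**
     * Decides whether ACL enforcement may be skipped for the caller.
     *
     * <p>Returns {@code true} for every caller when {@code KylinConfig.isAclTCREnabled()} is
     * off; otherwise only for global admins and project admins.
     *
     * @param str project identifier
     * @param set the caller's groups
     */
    public static boolean canUseACLGreenChannel(String str, Set<String> set) {
        return !KylinConfig.getInstanceFromEnv().isAclTCREnabled() || hasProjectAdminPermission(str, set);
    }

    /**
     * Tells whether the caller is a global admin or holds ADMINISTRATION on the project.
     *
     * @param str project identifier
     * @param set the caller's groups
     */
    public static boolean hasProjectAdminPermission(String str, Set<String> set) {
        return isAdmin() || isAdminInProject(str, set);
    }

    /**
     * Tells whether the caller, directly or through a group, holds ADMINISTRATION on the project.
     *
     * @param str project identifier
     * @param set the caller's groups
     */
    public static boolean isAdminInProject(String str, Set<String> set) {
        return isSpecificPermissionInProject(str, set, BasePermission.ADMINISTRATION);
    }

    /**
     * Checks {@code permission} on a project for the current caller and the caller's groups.
     *
     * @param str        project identifier
     * @param set        the caller's groups
     * @param permission permission whose mask is tested
     * @return {@code false} when no authentication is present or no entry matches
     */
    public static boolean isSpecificPermissionInProject(String str, Set<String> set, Permission permission) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (Objects.isNull(authentication)) {
            return false;
        }
        MutableAclRecord projectAcl = getProjectAcl(str);
        Set<String> groupsInProject = filterGroupsInProject(set, projectAcl);
        return isSpecificPermissionInProject(authentication.getName(), groupsInProject, permission, projectAcl);
    }

    /**
     * Checks whether a user, or any of the given groups, has an ACL entry overlapping
     * {@code permission}.
     *
     * <p>Matching is a bitwise AND of the two masks: an entry qualifies as soon as it shares
     * any bit with {@code permission}, so a multi-bit mask is matched with any-bit semantics.
     *
     * @param str              user name compared against principal entries
     * @param set              group names compared against authority entries
     * @param permission       permission whose mask is tested
     * @param mutableAclRecord the project ACL; {@code null} denies
     */
    public static boolean isSpecificPermissionInProject(String str, Set<String> set, Permission permission, MutableAclRecord mutableAclRecord) {
        if (Objects.isNull(mutableAclRecord)) {
            return false;
        }
        for (AccessControlEntry entry : mutableAclRecord.getEntries()) {
            if ((entry.getPermission().getMask() & permission.getMask()) == 0) {
                continue;
            }
            Sid sid = entry.getSid();
            if (isCurrentUser(sid, str) || isCurrentGroup(sid, set)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether a single group holds {@code permission} on a project.
     *
     * @param str        group name compared against authority entries
     * @param str2       project identifier
     * @param permission permission whose mask is tested
     */
    public static boolean isSpecificPermissionInProject(String str, String str2, Permission permission) {
        return isSpecificPermissionInProject(str, permission, getProjectAcl(str2));
    }

    /**
     * Checks whether a single group has an ACL entry overlapping {@code permission}.
     * Principal (user) entries are never matched by this overload.
     *
     * @param str              group name compared against authority entries
     * @param permission       permission whose mask is tested (any shared bit matches)
     * @param mutableAclRecord the project ACL; {@code null} denies
     */
    public static boolean isSpecificPermissionInProject(String str, Permission permission, MutableAclRecord mutableAclRecord) {
        if (Objects.isNull(mutableAclRecord)) {
            return false;
        }
        Set<String> singleGroup = Collections.singleton(str);
        for (AccessControlEntry entry : mutableAclRecord.getEntries()) {
            boolean maskOverlaps = (entry.getPermission().getMask() & permission.getMask()) != 0;
            if (maskOverlaps && isCurrentGroup(entry.getSid(), singleGroup)) {
                return true;
            }
        }
        return false;
    }

    /** Matches a principal SID against a user name; a {@code null} name never matches. */
    private static boolean isCurrentUser(Sid sid, String str) {
        return (sid instanceof PrincipalSid) && str != null && str.equals(((PrincipalSid) sid).getPrincipal());
    }

    /** Matches an authority SID against group names; {@code null} sets and elements never match. */
    private static boolean isCurrentGroup(Sid sid, Set<String> set) {
        if (!(sid instanceof GrantedAuthoritySid) || set == null) {
            return false;
        }
        String authority = ((GrantedAuthoritySid) sid).getGrantedAuthority();
        for (String group : set) {
            if (group != null && group.equals(authority)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the string form of the object identity's identifier. */
    public static String objID(ObjectIdentity objectIdentity) {
        return String.valueOf(objectIdentity.getIdentifier());
    }

    /**
     * Returns the principal name of a {@link PrincipalSid}, otherwise the authority of a
     * {@link GrantedAuthoritySid}.
     *
     * @throws ClassCastException if {@code sid} is of neither type
     */
    public static String getName(Sid sid) {
        if (sid instanceof PrincipalSid) {
            return ((PrincipalSid) sid).getPrincipal();
        }
        return ((GrantedAuthoritySid) sid).getGrantedAuthority();
    }

    /**
     * Tells whether the caller may change ACLs of the project: global admins always, project
     * admins only while {@code KylinConfig.isAllowedProjectAdminGrantAcl()} is on.
     *
     * @param str project identifier
     * @param set the caller's groups
     */
    public static boolean isAclUpdatable(String str, Set<String> set) {
        return isAdmin() || (isAdminInProject(str, set) && KylinConfig.getInstanceFromEnv().isAllowedProjectAdminGrantAcl());
    }

    /**
     * Enforces {@link #isAclUpdatable(String, Set)}.
     *
     * @param str project identifier
     * @param set the caller's groups
     * @throws KylinException with {@code PERMISSION_DENIED} when the caller may not update ACLs
     */
    public static void checkAclUpdatable(String str, Set<String> set) {
        if (!isAclUpdatable(str, set)) {
            checkIfAllowedProjectAdminGrantAcl(KylinConfig.getInstanceFromEnv().isAllowedProjectAdminGrantAcl());
        }
    }

    /**
     * Always throws {@code PERMISSION_DENIED}; the flag only selects which denial message
     * is used (admin-only versus admin-or-project-admin).
     */
    private static void checkIfAllowedProjectAdminGrantAcl(boolean z) {
        if (!z) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getAccessDenyOnlyAdmin());
        }
        throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getAccessDenyOnlyAdminAndProjectAdmin());
    }

    /**
     * Builds the ACL info for a query from the current user name, the given groups and the
     * caller's project-admin status.
     *
     * @param str project identifier
     * @param set the caller's groups
     */
    public static QueryContext.AclInfo createAclInfo(String str, Set<String> set) {
        return new QueryContext.AclInfo(getCurrentUsername(), set, isAdminInProject(str, set));
    }

    /** Tells whether {@code permission} is a composite permission with at least one ext mask. */
    public static boolean hasExtPermission(Permission permission) {
        return (permission instanceof CompositeAclPermission) && CollectionUtils.isNotEmpty(((CompositeAclPermission) permission).getExtMasks());
    }

    /**
     * Replaces the base permission while keeping the ext permissions of a composite.
     *
     * @param permission  the existing permission
     * @param permission2 the new base permission
     * @return {@code permission2}, wrapped with the old ext permissions when
     *         {@code permission} is composite
     */
    public static Permission modifyBasePermission(Permission permission, Permission permission2) {
        if (permission instanceof CompositeAclPermission) {
            return new CompositeAclPermission(permission2, ((CompositeAclPermission) permission).getExtPermissions());
        }
        return permission2;
    }

    /**
     * Adds an ext permission to {@code permission}.
     *
     * <p>If {@code permission} is already a {@link CompositeAclPermission} it is modified in
     * place and returned, so every holder of that instance sees the added permission.
     *
     * @param permission  the permission to extend
     * @param permission2 the ext permission to add
     */
    public static Permission addExtPermission(Permission permission, Permission permission2) {
        CompositeAclPermission composite = convertToCompositePermission(permission);
        composite.addExtPermission(permission2);
        return composite;
    }

    /** Returns {@code permission} itself when already composite, otherwise a new wrapper around it. */
    public static CompositeAclPermission convertToCompositePermission(Permission permission) {
        if (permission instanceof CompositeAclPermission) {
            return (CompositeAclPermission) permission;
        }
        return new CompositeAclPermission(permission);
    }

    /** Returns the base permission of a composite, or {@code permission} unchanged. */
    public static Permission convertToBasePermission(Permission permission) {
        if (permission instanceof CompositeAclPermission) {
            return ((CompositeAclPermission) permission).getBasePermission();
        }
        return permission;
    }

    /** Tells whether the mask of {@code permission} shares a bit with {@code AclPermission.DATA_QUERY}. */
    public static boolean hasQueryPermission(Permission permission) {
        return (permission.getMask() & AclPermission.DATA_QUERY.getMask()) != 0;
    }
}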
