package org.apache.kylin.rest.security;

import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.ServerErrorCode;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.common.persistence.ResourceStore;
import org.apache.kylin.guava30.shaded.common.collect.Maps;
import org.apache.kylin.metadata.cachesync.CachedCrudAssist;
import org.apache.kylin.rest.util.AclPermissionUtil;
import org.apache.kylin.rest.util.SpringContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.PermissionFactory;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AlreadyExistsException;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.PermissionGrantingStrategy;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:org/apache/kylin/rest/security/AclManager.class */
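/**
 * Stores and retrieves {@link AclRecord}s under the {@code /_global/acl} metadata path
 * through a {@link CachedCrudAssist}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>No method in this class checks the caller's permissions before reading, writing or
 *       deleting an ACL. NOTE(review): authorization is presumably enforced by the callers;
 *       confirm that every public entry point is only reachable behind such a check.</li>
 *   <li>Records handed out by {@link #readAclsById(List)} and {@link #newAclRecord(ObjectIdentity)}
 *       are initialised with this instance's own {@code aclPermissionFactory} and
 *       {@code permissionGrantingStrategy} fields, not with the beans or arguments the
 *       constructors pass to the reload hook.</li>
 * </ul>
 */
public class AclManager {
    private static final Logger logger = LoggerFactory.getLogger(AclManager.class);
    private final PermissionGrantingStrategy permissionGrantingStrategy = new KylinPermissionGrantingStrategy(new ConsoleAuditLogger());
    private final PermissionFactory aclPermissionFactory = new AclPermissionFactory();
    private KylinConfig config;
    private CachedCrudAssist<AclRecord> crud;

    /** Callback that mutates a writable copy of an {@link AclRecord} before it is saved. */
    @FunctionalInterface
    public interface AclRecordUpdater {
        void update(AclRecord aclRecord);
    }

    /**
     * Returns the manager registered on the given config.
     *
     * @param kylinConfig config whose manager registry is queried
     * @return the {@code AclManager} held by {@code kylinConfig}
     */
    public static AclManager getInstance(KylinConfig kylinConfig) {
        return (AclManager) kylinConfig.getManager(AclManager.class);
    }

    /** Creates a fresh manager for {@code kylinConfig}; package-private factory. */
    static AclManager newInstance(KylinConfig kylinConfig) {
        return new AclManager(kylinConfig);
    }

    /**
     * Builds a manager whose reloaded records are initialised with the
     * {@link PermissionFactory} and {@link PermissionGrantingStrategy} beans looked up
     * from {@link SpringContext}, then loads all records.
     *
     * @param kylinConfig config used to locate the metadata store
     */
    public AclManager(KylinConfig kylinConfig) {
        this.config = kylinConfig;
        this.crud = new CachedCrudAssist<AclRecord>(ResourceStore.getKylinMetaStore(kylinConfig), "/_global/acl", "", AclRecord.class) {
            @Override
            public AclRecord initEntityAfterReload(AclRecord aclRecord, String str) {
                // Beans are resolved on every reload rather than cached at construction time.
                aclRecord.init(null, (PermissionFactory) SpringContext.getBean(PermissionFactory.class), (PermissionGrantingStrategy) SpringContext.getBean(PermissionGrantingStrategy.class));
                return aclRecord;
            }
        };
        this.crud.reloadAll();
    }

    /**
     * Builds a manager whose reloaded records are initialised with the supplied factory and
     * strategy, then loads all records.
     *
     * <p>NOTE(review): the two arguments are used only by the reload hook. Reads through
     * {@link #readAclsById(List)} re-initialise a copy with this instance's field defaults,
     * so a custom {@code permissionGrantingStrategy} passed here does not govern those
     * copies. Confirm this is intended.
     *
     * @param kylinConfig config used to locate the metadata store
     * @param permissionFactory factory applied to records when they are reloaded
     * @param permissionGrantingStrategy strategy applied to records when they are reloaded
     */
    public AclManager(KylinConfig kylinConfig, final PermissionFactory permissionFactory, final PermissionGrantingStrategy permissionGrantingStrategy) {
        this.config = kylinConfig;
        this.crud = new CachedCrudAssist<AclRecord>(ResourceStore.getKylinMetaStore(kylinConfig), "/_global/acl", "", AclRecord.class) {
            @Override
            public AclRecord initEntityAfterReload(AclRecord aclRecord, String str) {
                aclRecord.init(null, permissionFactory, permissionGrantingStrategy);
                return aclRecord;
            }
        };
        this.crud.reloadAll();
    }

    /** @return the config this manager was created with */
    public KylinConfig getConfig() {
        return this.config;
    }

    /** @return every ACL record known to the underlying store helper */
    public List<AclRecord> listAll() {
        return this.crud.listAll();
    }

    /** Persists {@code aclRecord} as-is; no permission check is made here. */
    public void save(AclRecord aclRecord) {
        this.crud.save(aclRecord);
    }

    /** Deletes the record stored under {@code str}; children are not considered (see {@link #deleteAcl}). */
    public void delete(String str) {
        this.crud.delete(str);
    }

    /** @return the record stored under {@code str}, as returned by the store helper */
    public AclRecord get(String str) {
        return this.crud.get(str);
    }

    /** @return a writable copy of {@code aclRecord} produced by the store helper */
    public AclRecord copyForWrite(AclRecord aclRecord) {
        return this.crud.copyForWrite(aclRecord);
    }

    /**
     * Lists the identities of all records whose parent is {@code objectIdentity}.
     *
     * @param objectIdentity the parent to look for
     * @return direct children only; empty when there are none
     */
    public List<ObjectIdentity> findChildren(ObjectIdentity objectIdentity) {
        return this.crud.listAll().stream()
                .filter(aclRecord -> aclRecord.getParentDomainObjectInfo() != null
                        && aclRecord.getParentDomainObjectInfo().equals(objectIdentity))
                .map(AclRecord::getObjectIdentity)
                .collect(Collectors.toList());
    }

    /**
     * Reads the ACL of {@code objectIdentity}, tolerating a missing record.
     *
     * @return the ACL, or {@code null} when no record exists (a warning is logged);
     *         callers must null-check before evaluating permissions on the result
     */
    public MutableAclRecord readAcl(ObjectIdentity objectIdentity) {
        try {
            return (MutableAclRecord) readAclById(objectIdentity);
        } catch (NotFoundException e) {
            logger.warn("[UNEXPECTED_THINGS_HAPPENED] acl not found for {}", objectIdentity);
            return null;
        }
    }

    /**
     * Reads the ACL of a single identity.
     *
     * @throws NotFoundException when no record exists for {@code objectIdentity}
     */
    public Acl readAclById(ObjectIdentity objectIdentity) {
        return readAclsById(Collections.singletonList(objectIdentity)).get(objectIdentity);
    }

    /**
     * Reads the ACLs of several identities, resolving inherited parents recursively.
     *
     * <p>NOTE(review): the parent chain is followed without cycle detection, and
     * {@link #inherit} does not reject a parent that is the record itself or one of its
     * descendants. A cyclic chain in stored metadata would recurse until the stack is
     * exhausted; confirm the chain is validated where parents are assigned.
     *
     * @param list identities to resolve
     * @return a map from each requested identity to a {@link MutableAclRecord} wrapping a
     *         writable copy of the stored record
     * @throws NotFoundException when any requested identity (or a parent reached through
     *         inheritance) has no record
     */
    public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> list) {
        Map<ObjectIdentity, Acl> acls = Maps.newHashMap();
        for (ObjectIdentity objectIdentity : list) {
            AclRecord cached = getAclRecordByCache(AclPermissionUtil.objID(objectIdentity));
            if (cached == null) {
                throw new NotFoundException(String.format(Locale.ROOT, MsgPicker.getMsg().getAclInfoNotFound(), objectIdentity));
            }
            Acl parentAcl = null;
            if (cached.isEntriesInheriting() && cached.getParentDomainObjectInfo() != null) {
                parentAcl = readAclById(cached.getParentDomainObjectInfo());
            }
            // Initialise a copy so the cached record is not modified by the read.
            AclRecord writable = this.crud.copyForWrite(cached);
            writable.init(parentAcl, this.aclPermissionFactory, this.permissionGrantingStrategy);
            acls.put(objectIdentity, new MutableAclRecord(writable));
        }
        return acls;
    }

    /**
     * Creates and persists a new ACL owned by the current principal.
     *
     * <p>NOTE(review): the existence check and the save are separate steps in this class;
     * whether concurrent creators are serialised depends on the store helper. Confirm.
     *
     * @throws AlreadyExistsException when a record already exists for {@code objectIdentity}
     */
    public MutableAcl createAcl(ObjectIdentity objectIdentity) {
        if (getAclRecordByCache(AclPermissionUtil.objID(objectIdentity)) != null) {
            throw new AlreadyExistsException(String.format(Locale.ROOT, "ACL of %s exists!", objectIdentity));
        }
        this.crud.save(newAclRecord(objectIdentity));
        logger.debug("ACL of {} created successfully.", objectIdentity);
        // readAclById is declared to return Acl; the explicit cast is required for this
        // method's MutableAcl return type (readAclsById stores MutableAclRecord values).
        return (MutableAcl) readAclById(objectIdentity);
    }

    /**
     * Deletes the ACL of {@code objectIdentity}, optionally cascading to its descendants.
     *
     * @param objectIdentity identity whose ACL is removed
     * @param z when {@code true}, child ACLs are deleted recursively first; when
     *          {@code false}, the presence of any child aborts the deletion
     * @throws KylinException with {@link ServerErrorCode#PERMISSION_DENIED} when children
     *         exist and {@code z} is {@code false}
     */
    public void deleteAcl(ObjectIdentity objectIdentity, boolean z) {
        List<ObjectIdentity> children = findChildren(objectIdentity);
        if (!z && !children.isEmpty()) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, String.format(Locale.ROOT, MsgPicker.getMsg().getIdentityExistChildren(), objectIdentity));
        }
        // children is a freshly collected list, so deleting while iterating it is safe.
        for (ObjectIdentity child : children) {
            deleteAcl(child, z);
        }
        this.crud.delete(AclPermissionUtil.objID(objectIdentity));
        logger.debug("ACL of {} deleted successfully.", objectIdentity);
    }

    /**
     * Persists the record wrapped by {@code mutableAcl}.
     *
     * @param mutableAcl must be a {@link MutableAclRecord}; any other implementation fails
     *                   with {@link ClassCastException}
     * @return the same {@code mutableAcl} instance
     */
    public MutableAcl updateAcl(MutableAcl mutableAcl) {
        this.crud.save(((MutableAclRecord) mutableAcl).getAclRecord());
        logger.debug("ACL of {} updated successfully.", mutableAcl.getObjectIdentity());
        return mutableAcl;
    }

    /**
     * Inserts or updates the entry granting {@code permission} to {@code sid}.
     *
     * @return the ACL re-read after saving; {@code null} if it can no longer be found
     */
    public MutableAclRecord upsertAce(MutableAclRecord mutableAclRecord, Sid sid, Permission permission) {
        return updateAcl(mutableAclRecord, aclRecord -> aclRecord.upsertAce(permission, sid));
    }

    /** Inserts or updates one entry per mapping in {@code map}, saving once at the end. */
    public void batchUpsertAce(MutableAclRecord mutableAclRecord, Map<Sid, Permission> map) {
        updateAcl(mutableAclRecord, aclRecord -> {
            for (Map.Entry<Sid, Permission> entry : map.entrySet()) {
                aclRecord.upsertAce(entry.getValue(), entry.getKey());
            }
        });
    }

    /**
     * Makes {@code mutableAclRecord} inherit entries from {@code mutableAclRecord2}.
     *
     * <p>NOTE(review): nothing here prevents setting a record as its own ancestor; see
     * the cycle caveat on {@link #readAclsById(List)}.
     *
     * @return the child ACL re-read after saving; {@code null} if it can no longer be found
     */
    public MutableAclRecord inherit(MutableAclRecord mutableAclRecord, MutableAclRecord mutableAclRecord2) {
        return updateAcl(mutableAclRecord, aclRecord -> {
            aclRecord.setEntriesInheriting(true);
            aclRecord.setParent(mutableAclRecord2);
        });
    }

    /** @return the record stored under {@code str}; {@link #readAclsById} and {@link #createAcl} treat {@code null} as absent */
    public AclRecord getAclRecordByCache(String str) {
        return this.crud.get(str);
    }

    /**
     * Builds (but does not save) a record for {@code objectIdentity} owned by the current
     * principal, with a fresh random UUID.
     */
    public AclRecord newAclRecord(ObjectIdentity objectIdentity) {
        AclRecord aclRecord = new AclRecord(objectIdentity, getCurrentSid());
        aclRecord.init(null, this.aclPermissionFactory, this.permissionGrantingStrategy);
        aclRecord.updateRandomUuid();
        return aclRecord;
    }

    /**
     * Derives the owner SID from the thread's security context.
     * NOTE(review): presumably fails when no authentication is present; confirm callers
     * only reach this with an authenticated context.
     */
    private Sid getCurrentSid() {
        return new PrincipalSid(SecurityContextHolder.getContext().getAuthentication());
    }

    /**
     * Applies {@code aclRecordUpdater} to a writable copy of the wrapped record, saves the
     * copy and re-reads the ACL.
     *
     * @return the re-read ACL, or {@code null} when {@link #readAcl} cannot find it
     */
    private MutableAclRecord updateAcl(MutableAclRecord mutableAclRecord, AclRecordUpdater aclRecordUpdater) {
        AclRecord writable = this.crud.copyForWrite(mutableAclRecord.getAclRecord());
        aclRecordUpdater.update(writable);
        this.crud.save(writable);
        return readAcl(mutableAclRecord.getObjectIdentity());
    }
}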
