package org.apache.kylin.rest.service;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.apache.kylin.common.persistence.AclEntity;
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.rest.exception.ForbiddenException;
import org.apache.kylin.rest.response.AccessEntryResponse;
import org.apache.kylin.rest.security.AclEntityFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AlreadyExistsException;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.Assert;

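/**
 * Service for creating, changing, deleting and reading the Spring Security ACL attached to an
 * {@link AclEntity}.
 *
 * <p>Authorization notes for maintainers:
 * <ul>
 *   <li>{@link #grant}, {@link #update}, {@link #revoke} and {@link #clean} are guarded by
 *       {@code @PreAuthorize} expressions that refer to the variable {@code #ae}. Spring Security
 *       binds such variables by method parameter name, so the first parameter of those methods
 *       must keep the name {@code ae}. With any other name {@code #ae} is left unbound and the
 *       {@code hasPermission} branch presumably cannot match, leaving only the
 *       {@code ROLE_ADMIN} branch. NOTE(review): confirm the build keeps parameter names in the
 *       class file.</li>
 *   <li>{@link #init}, {@link #inherit}, {@link #getAcl}, {@link #getAclEntity}, {@link #getSid}
 *       and {@link #generateAceResponses} carry no {@code @PreAuthorize}; callers are responsible
 *       for authorizing access to them.</li>
 *   <li>{@link #init} calls {@link #grant}, and {@link #grant} and {@link #inherit} call
 *       {@link #init}, directly on {@code this}. If method security is applied through Spring
 *       proxies (not visible in this file), annotations on the callee are not evaluated for
 *       these internal calls. NOTE(review): confirm which mode the application context uses.</li>
 * </ul>
 */
@Component("accessService")
/* loaded from: input_file:WEB-INF/lib/kylin-server-base-1.5.3.jar:org/apache/kylin/rest/service/AccessService.class */
public class AccessService {

    @Autowired
    private AclService aclService;

    @Autowired
    UserService userService;

    /**
     * Creates the ACL for an entity, or loads the existing one, and optionally grants the current
     * user a permission on it.
     *
     * <p>This method has no {@code @PreAuthorize} of its own.
     *
     * @param aclEntity  entity whose class and id form the ACL object identity
     * @param permission permission to grant to the currently authenticated principal, or
     *                   {@code null} to only create/load the ACL
     * @return the created or existing ACL, or the ACL returned by {@link #grant} when a
     *         permission was supplied
     */
    @Transactional
    public Acl init(AclEntity aclEntity, Permission permission) {
        Acl acl;
        ObjectIdentityImpl objectIdentity = new ObjectIdentityImpl(aclEntity.getClass(), aclEntity.getId());
        try {
            acl = this.aclService.createAcl(objectIdentity);
        } catch (AlreadyExistsException ignored) {
            // An ACL already exists for this identity: reuse it instead of failing.
            acl = (MutableAcl) this.aclService.readAclById(objectIdentity);
        }
        if (null != permission) {
            // Direct call on this: see the class-level note on self-invocation and @PreAuthorize.
            acl = grant(aclEntity, permission, new PrincipalSid(SecurityContextHolder.getContext().getAuthentication()));
        }
        return acl;
    }

    /**
     * Grants {@code permission} to {@code sid} on the entity's ACL, creating the ACL if needed.
     *
     * <p>If the ACL already holds an entry for {@code sid}, that entry (the last one, when there
     * are several) is updated in place; otherwise a new granting entry is appended. No owner
     * check is made on the append path.
     *
     * @param ae         entity whose ACL is changed; the name must match {@code #ae} in the
     *                   {@code @PreAuthorize} expression
     * @param permission permission to grant
     * @param sid        principal or authority receiving the permission
     * @return the ACL as returned by {@code aclService.updateAcl}
     * @throws IllegalArgumentException if any argument is {@code null}
     * @throws ForbiddenException       if the entry to update is the owner's ADMINISTRATION entry
     */
    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public Acl grant(AclEntity ae, Permission permission, Sid sid) {
        Assert.notNull(ae, "Acl domain object required");
        Assert.notNull(permission, "Acl permission required");
        Assert.notNull(sid, "Sid required");
        MutableAcl acl;
        try {
            acl = (MutableAcl) this.aclService.readAclById(new ObjectIdentityImpl(ae.getClass(), ae.getId()));
        } catch (NotFoundException ignored) {
            // No ACL yet for this entity: create an empty one and grant on that.
            acl = (MutableAcl) init(ae, null);
        }
        List<AccessControlEntry> entries = acl.getEntries();
        // Deliberately no early exit: the last entry matching the sid wins.
        int indexOfAce = -1;
        for (int i = 0; i < entries.size(); i++) {
            if (entries.get(i).getSid().equals(sid)) {
                indexOfAce = i;
            }
        }
        if (indexOfAce != -1) {
            secureOwner(acl, indexOfAce);
            acl.updateAce(indexOfAce, permission);
        } else {
            acl.insertAce(entries.size(), permission, sid, true);
        }
        return this.aclService.updateAcl(acl);
    }

    /**
     * Replaces the permission of the ACL entry with the given id.
     *
     * <p>If no entry has that id, the ACL is returned unchanged.
     *
     * @param ae            entity whose ACL is changed; the name must match {@code #ae} in the
     *                      {@code @PreAuthorize} expression
     * @param accessEntryId id of the entry to update
     * @param permission    new permission for that entry
     * @return the updated ACL, or the ACL as loaded when nothing was updated
     * @throws IllegalArgumentException if any argument is {@code null}
     * @throws ForbiddenException       if the entry is the owner's ADMINISTRATION entry
     */
    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public Acl update(AclEntity ae, Long accessEntryId, Permission permission) {
        Assert.notNull(ae, "Acl domain object required");
        Assert.notNull(accessEntryId, "Ace id required");
        Assert.notNull(permission, "Acl permission required");
        MutableAcl acl = (MutableAcl) this.aclService.readAclById(new ObjectIdentityImpl(ae.getClass(), ae.getId()));
        int indexOfAce = indexOfAceId(acl, accessEntryId);
        if (indexOfAce != -1) {
            secureOwner(acl, indexOfAce);
            try {
                acl.updateAce(indexOfAce, permission);
                acl = this.aclService.updateAcl(acl);
            } catch (NotFoundException ignored) {
                // Best effort, kept from the original: a missing ACL/entry is not reported.
                // NOTE(review): if updateAcl is what failed, the returned object already carries
                // the in-memory change although it was not stored.
            }
        }
        return acl;
    }

    /**
     * Removes the ACL entry with the given id.
     *
     * <p>If no entry has that id, the ACL is returned unchanged.
     *
     * @param ae            entity whose ACL is changed; the name must match {@code #ae} in the
     *                      {@code @PreAuthorize} expression
     * @param accessEntryId id of the entry to delete
     * @return the updated ACL, or the ACL as loaded when nothing was deleted
     * @throws IllegalArgumentException if any argument is {@code null}
     * @throws ForbiddenException       if the entry is the owner's ADMINISTRATION entry
     */
    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public Acl revoke(AclEntity ae, Long accessEntryId) {
        Assert.notNull(ae, "Acl domain object required");
        Assert.notNull(accessEntryId, "Ace id required");
        MutableAcl acl = (MutableAcl) this.aclService.readAclById(new ObjectIdentityImpl(ae.getClass(), ae.getId()));
        int indexOfAce = indexOfAceId(acl, accessEntryId);
        if (indexOfAce != -1) {
            secureOwner(acl, indexOfAce);
            try {
                acl.deleteAce(indexOfAce);
                acl = this.aclService.updateAcl(acl);
            } catch (NotFoundException ignored) {
                // Best effort, kept from the original: a missing ACL/entry is not reported.
                // NOTE(review): if updateAcl is what failed, the returned object already lacks
                // the entry in memory although the deletion was not stored.
            }
        }
        return acl;
    }

    /**
     * Makes the child entity's ACL inherit entries from the parent entity's ACL.
     *
     * <p>Either ACL is created through {@link #init} when it does not exist yet. This method has
     * no {@code @PreAuthorize} of its own, so the caller must have authorized the change.
     *
     * @param aclEntity  child entity
     * @param aclEntity2 parent entity
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    @Transactional
    public void inherit(AclEntity aclEntity, AclEntity aclEntity2) {
        Assert.notNull(aclEntity, "Acl domain object required");
        Assert.notNull(aclEntity2, "Parent acl required");
        MutableAcl childAcl;
        try {
            childAcl = (MutableAcl) this.aclService.readAclById(new ObjectIdentityImpl(aclEntity.getClass(), aclEntity.getId()));
        } catch (NotFoundException ignored) {
            childAcl = (MutableAcl) init(aclEntity, null);
        }
        MutableAcl parentAcl;
        try {
            parentAcl = (MutableAcl) this.aclService.readAclById(new ObjectIdentityImpl(aclEntity2.getClass(), aclEntity2.getId()));
        } catch (NotFoundException ignored) {
            parentAcl = (MutableAcl) init(aclEntity2, null);
        }
        if (null == childAcl || null == parentAcl) {
            return;
        }
        childAcl.setEntriesInheriting(true);
        childAcl.setParent(parentAcl);
        this.aclService.updateAcl(childAcl);
    }

    /**
     * Deletes the entity's whole ACL. Does nothing when the entity has no id or no ACL.
     *
     * <p>Unlike {@link #update} and {@link #revoke}, no owner-protection check is applied here.
     *
     * @param ae             entity whose ACL is deleted; the name must match {@code #ae} in the
     *                       {@code @PreAuthorize} expression
     * @param deleteChildren passed through as the second argument of {@code aclService.deleteAcl}
     * @throws IllegalArgumentException if {@code ae} is {@code null}
     */
    @Transactional
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#ae, 'ADMINISTRATION')")
    public void clean(AclEntity ae, boolean deleteChildren) {
        Assert.notNull(ae, "Acl domain object required");
        if (ae.getId() == null) {
            return;
        }
        try {
            this.aclService.deleteAcl(new ObjectIdentityImpl(ae.getClass(), ae.getId()), deleteChildren);
        } catch (NotFoundException ignored) {
            // Nothing to delete: treated as success.
        }
    }

    /**
     * Builds an entity through {@link AclEntityFactory#createAclEntity}.
     *
     * @param entityType first factory argument; presumably the entity type name (confirm against
     *                   {@code AclEntityFactory})
     * @param entityId   second factory argument; presumably the entity identifier (confirm
     *                   against {@code AclEntityFactory})
     * @return the factory result, or {@code null} when {@code entityId} is {@code null}
     */
    public RootPersistentEntity getAclEntity(String entityType, String entityId) {
        if (null == entityId) {
            return null;
        }
        return AclEntityFactory.createAclEntity(entityType, entityId);
    }

    /**
     * Loads the ACL of an entity. This method performs no authorization check.
     *
     * @param aclEntity entity to look up, may be {@code null}
     * @return the ACL, or {@code null} when the entity is {@code null} or has no ACL
     */
    public Acl getAcl(AclEntity aclEntity) {
        if (null == aclEntity) {
            return null;
        }
        try {
            return (MutableAcl) this.aclService.readAclById(new ObjectIdentityImpl(aclEntity.getClass(), aclEntity.getId()));
        } catch (NotFoundException ignored) {
            // A missing ACL is reported to the caller as null.
            return null;
        }
    }

    /**
     * Wraps a name in the matching {@link Sid} implementation.
     *
     * @param sid         user name or authority name
     * @param isPrincipal {@code true} for a {@link PrincipalSid}, {@code false} for a
     *                    {@link GrantedAuthoritySid}
     * @return the new sid
     */
    public Sid getSid(String sid, boolean isPrincipal) {
        if (isPrincipal) {
            return new PrincipalSid(sid);
        }
        return new GrantedAuthoritySid(sid);
    }

    /**
     * Converts the entries of an ACL into response objects. This method performs no
     * authorization check.
     *
     * @param acl ACL to convert, may be {@code null}
     * @return one response per entry in ACL order; an empty list when {@code acl} is {@code null}
     */
    public List<AccessEntryResponse> generateAceResponses(Acl acl) {
        if (null == acl) {
            return Collections.emptyList();
        }
        // Typed list instead of the raw ArrayList, so the element type is checked by the compiler.
        List<AccessEntryResponse> responses = new ArrayList<AccessEntryResponse>();
        for (AccessControlEntry entry : acl.getEntries()) {
            responses.add(new AccessEntryResponse(entry.getId(), entry.getSid(), entry.getPermission(), entry.isGranting()));
        }
        return responses;
    }

    /**
     * Returns the index of the first entry whose id equals {@code accessEntryId}, or -1.
     *
     * <p>The comparison is made from the non-null {@code accessEntryId}, so an entry with a
     * {@code null} or non-{@code Long} id is skipped instead of raising an exception.
     */
    private static int indexOfAceId(MutableAcl acl, Long accessEntryId) {
        List<AccessControlEntry> entries = acl.getEntries();
        for (int i = 0; i < entries.size(); i++) {
            if (accessEntryId.equals(entries.get(i).getId())) {
                return i;
            }
        }
        return -1;
    }

    /**
     * Refuses to touch the entry that gives the ACL owner the ADMINISTRATION permission.
     *
     * @param mutableAcl ACL being changed
     * @param i          index of the entry about to be updated or deleted
     * @throws ForbiddenException if that entry's sid is the owner and its permission is
     *                            {@link BasePermission#ADMINISTRATION}
     */
    private void secureOwner(MutableAcl mutableAcl, int i) {
        AccessControlEntry entry = mutableAcl.getEntries().get(i);
        if (mutableAcl.getOwner().equals(entry.getSid()) && BasePermission.ADMINISTRATION.equals(entry.getPermission())) {
            throw new ForbiddenException("Can't revoke admin permission of owner.");
        }
    }
}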
