package org.apache.kylin.rest.controller;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.common.util.Pair;
import org.apache.kylin.metadata.MetadataConstants;
import org.apache.kylin.rest.request.AccessRequest;
import org.apache.kylin.rest.response.AccessEntryResponse;
import org.apache.kylin.rest.security.AclEntityType;
import org.apache.kylin.rest.security.AclPermission;
import org.apache.kylin.rest.security.AclPermissionFactory;
import org.apache.kylin.rest.security.ExternalAclProvider;
import org.apache.kylin.rest.security.ManagedUser;
import org.apache.kylin.rest.security.springacl.MutableAclRecord;
import org.apache.kylin.rest.service.AccessService;
import org.apache.kylin.rest.service.ProjectService;
import org.apache.kylin.rest.service.TableACLService;
import org.apache.kylin.rest.service.UserService;
import org.apache.kylin.rest.util.AclPermissionUtil;
import org.apache.kylin.rest.util.ValidateUtil;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

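/**
 * REST endpoints under {@code /access} that list, grant, update and revoke ACL entries on
 * Kylin entities addressed as {@code /{type}/{uuid}}.
 *
 * <p>Every handler here discloses or changes authorization state. No check of the caller's
 * own permissions is visible in this class; it is presumably enforced inside the injected
 * services (for example through method-level security) -- confirm before reusing or
 * exposing these handlers elsewhere.
 *
 * <p>Path variables are bound by explicit name ({@code @PathVariable("type")},
 * {@code @PathVariable("uuid")}) so that the binding does not depend on the Java parameter
 * names surviving compilation.
 */
@RequestMapping({"/access"})
@Controller
/* loaded from: input_file:WEB-INF/lib/kylin-server-base-2.5.0.jar:org/apache/kylin/rest/controller/AccessController.class */
public class AccessController extends BasicController implements InitializingBean {

    @Autowired
    @Qualifier("accessService")
    private AccessService accessService;

    @Autowired
    @Qualifier("projectService")
    private ProjectService projectService;

    @Autowired
    @Qualifier("TableAclService")
    private TableACLService tableACLService;

    @Autowired
    @Qualifier("userService")
    private UserService userService;

    @Autowired
    @Qualifier("validateUtil")
    private ValidateUtil validateUtil;

    /**
     * Calls {@link ExternalAclProvider#getInstance()} once the bean is wired and discards the
     * result.
     *
     * @throws Exception whatever the provider lookup throws
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        // NOTE(review): presumably this forces the external ACL provider to load at startup so
        // that a misconfiguration fails early rather than on the first request -- confirm.
        ExternalAclProvider.getInstance();
    }

    /**
     * Returns the current user's permission in a project, as produced by
     * {@link AccessService#getUserPermissionInPrj}.
     *
     * @param str project name taken from the {@code {project}} path variable
     * @return the permission string returned by the access service
     */
    @RequestMapping(value = {"/user/permission/{project}"}, method = {RequestMethod.GET}, produces = {"application/json"})
    @ResponseBody
    public String getUserPermissionInPrj(@PathVariable("project") String str) {
        return this.accessService.getUserPermissionInPrj(str);
    }

    /**
     * Lists the access entries of one entity.
     *
     * <p>Without an external ACL provider the entries come from the internal ACL of the entity.
     * With a provider, its ACL is used when it returns one; otherwise every managed user is
     * checked against every known permission and one entry is emitted per match.
     *
     * @param str entity type from the {@code {type}} path variable
     * @param str2 entity UUID from the {@code {uuid}} path variable
     * @return the access entries for the entity; may be empty
     * @throws IOException if a service call fails with an I/O error
     */
    @RequestMapping(value = {"/{type}/{uuid}"}, method = {RequestMethod.GET}, produces = {"application/json"})
    @ResponseBody
    public List<AccessEntryResponse> getAccessEntities(@PathVariable("type") String str, @PathVariable("uuid") String str2) throws IOException {
        ExternalAclProvider externalProvider = ExternalAclProvider.getInstance();
        if (externalProvider == null) {
            RootPersistentEntity aclEntity = this.accessService.getAclEntity(str, str2);
            return this.accessService.generateAceResponses(this.accessService.getAcl(aclEntity));
        }

        List<AccessEntryResponse> responses = new ArrayList<>();
        List<Pair<String, AclPermission>> externalAcl = externalProvider.getAcl(str, str2);
        if (externalAcl != null) {
            for (Pair<String, AclPermission> entry : externalAcl) {
                responses.add(new AccessEntryResponse(null, new PrincipalSid(entry.getFirst()), entry.getSecond(), true));
            }
            return responses;
        }

        // Fallback: the provider gave no ACL list, so probe it per user and per permission.
        // This issues users x permissions provider calls and the response names every user
        // that holds a permission on the entity.
        for (ManagedUser user : this.userService.listUsers()) {
            String username = user.getUsername();
            PrincipalSid userSid = new PrincipalSid(username);
            List<String> authorities = AclPermissionUtil.transformAuthorities(user.getAuthorities());
            for (Permission permission : AclPermissionFactory.getPermissions()) {
                if (externalProvider.checkPermission(username, authorities, str, str2, permission)) {
                    responses.add(new AccessEntryResponse(null, userSid, permission, true));
                }
            }
        }
        return responses;
    }

    /**
     * Grants one permission on an entity to a user or group.
     *
     * @param str entity type from the {@code {type}} path variable
     * @param str2 entity UUID from the {@code {uuid}} path variable
     * @param accessRequest request body carrying the sid, whether it is a principal, and the
     *     permission name
     * @return the access entries of the entity after the grant
     * @throws IOException if a service call fails with an I/O error
     */
    @RequestMapping(value = {"/{type}/{uuid}"}, method = {RequestMethod.POST}, produces = {"application/json"})
    @ResponseBody
    public List<AccessEntryResponse> grant(@PathVariable("type") String str, @PathVariable("uuid") String str2, @RequestBody AccessRequest accessRequest) throws IOException {
        boolean isPrincipal = accessRequest.isPrincipal();
        String sidName = accessRequest.getSid();
        // The identifier is checked for existence before anything is looked up or granted.
        this.validateUtil.checkIdentifiersExists(sidName, isPrincipal);
        RootPersistentEntity aclEntity = this.accessService.getAclEntity(str, str2);
        Sid sid = this.accessService.getSid(sidName, isPrincipal);
        Permission permission = AclPermissionFactory.getPermission(accessRequest.getPermission());
        return this.accessService.generateAceResponses(this.accessService.grant(aclEntity, permission, sid));
    }

    /**
     * Grants permissions on an entity to several users or groups in one request.
     *
     * <p>Each element of the body must be a three-element array
     * {@code [sid (String), isPrincipal (Boolean), permission (String)]}. The elements come
     * straight from the request body, so their count and types are verified before they are
     * cast; a malformed element is rejected with {@link IllegalArgumentException} before
     * {@code accessService.batchGrant} is called.
     *
     * @param str entity type from the {@code {type}} path variable
     * @param str2 entity UUID from the {@code {uuid}} path variable
     * @param list the grant requests
     * @throws IllegalArgumentException if an element is null, does not have exactly three
     *     members, or has a member of the wrong type
     * @throws IOException if a service call fails with an I/O error
     */
    @RequestMapping(value = {"batch/{type}/{uuid}"}, method = {RequestMethod.POST}, produces = {"application/json"})
    @ResponseBody
    public void batchGrant(@PathVariable("type") String str, @PathVariable("uuid") String str2, @RequestBody List<Object[]> list) throws IOException {
        // A later element for the same sid replaces an earlier one in this map.
        HashMap<Sid, Permission> sidToPermission = new HashMap<>();
        RootPersistentEntity aclEntity = this.accessService.getAclEntity(str, str2);
        for (Object[] entry : list) {
            Preconditions.checkArgument(entry != null && entry.length == 3, "error access requests.");
            // Reject wrong member types explicitly instead of failing in a cast or unboxing.
            Preconditions.checkArgument(
                    entry[0] instanceof String && entry[1] instanceof Boolean && entry[2] instanceof String,
                    "error access requests.");
            String sidName = (String) entry[0];
            boolean isPrincipal = (Boolean) entry[1];
            String permissionName = (String) entry[2];
            this.validateUtil.checkIdentifiersExists(sidName, isPrincipal);
            sidToPermission.put(this.accessService.getSid(sidName, isPrincipal), AclPermissionFactory.getPermission(permissionName));
        }
        this.accessService.batchGrant(aclEntity, sidToPermission);
    }

    /**
     * Changes the permission of an existing access entry.
     *
     * @param str entity type from the {@code {type}} path variable
     * @param str2 entity UUID from the {@code {uuid}} path variable
     * @param accessRequest request body carrying the access entry id and the new permission name
     * @return the access entries of the entity after the update
     */
    @RequestMapping(value = {"/{type}/{uuid}"}, method = {RequestMethod.PUT}, produces = {"application/json"})
    @ResponseBody
    public List<AccessEntryResponse> update(@PathVariable("type") String str, @PathVariable("uuid") String str2, @RequestBody AccessRequest accessRequest) {
        RootPersistentEntity aclEntity = this.accessService.getAclEntity(str, str2);
        Permission permission = AclPermissionFactory.getPermission(accessRequest.getPermission());
        return this.accessService.generateAceResponses(this.accessService.update(aclEntity, accessRequest.getAccessEntryId(), permission));
    }

    /**
     * Revokes one access entry and, for project entities, removes the matching table ACL rows.
     *
     * @param str entity type from the {@code {type}} path variable
     * @param str2 entity UUID from the {@code {uuid}} path variable
     * @param accessRequest request parameters carrying the access entry id, the sid and whether
     *     the sid is a principal
     * @return the access entries of the entity after the revoke
     * @throws IOException if a service call fails with an I/O error
     */
    // NOTE(review): unlike the sibling handlers this method carries no @ResponseBody and binds
    // accessRequest without @RequestBody; left as found -- confirm how the result is rendered.
    @RequestMapping(value = {"/{type}/{uuid}"}, method = {RequestMethod.DELETE}, produces = {"application/json"})
    public List<AccessEntryResponse> revoke(@PathVariable("type") String str, @PathVariable("uuid") String str2, AccessRequest accessRequest) throws IOException {
        RootPersistentEntity aclEntity = this.accessService.getAclEntity(str, str2);
        // The entry is revoked first; if the table-ACL cleanup below throws, the entry stays
        // revoked as far as this method is concerned (no rollback is visible here).
        MutableAclRecord aclRecord = this.accessService.revoke(aclEntity, accessRequest.getAccessEntryId());
        // NOTE(review): the entry is selected by accessEntryId while the table-ACL cleanup uses
        // the sid supplied in the same request; nothing here checks that the two refer to the
        // same user or group -- confirm the service layer ties them together.
        String sidType = accessRequest.isPrincipal() ? "user" : MetadataConstants.TYPE_GROUP;
        revokeTableACL(str, str2, accessRequest.getSid(), sidType);
        return this.accessService.generateAceResponses(aclRecord);
    }

    /**
     * Deletes the table ACL rows of a user or group in a project, if any exist.
     *
     * <p>Does nothing unless {@code str} equals {@link AclEntityType#PROJECT_INSTANCE}.
     *
     * @param str entity type
     * @param str2 project UUID
     * @param str3 name of the user or group
     * @param str4 kind of sid, as passed by {@link #revoke}
     * @throws IOException if a service call fails with an I/O error
     */
    private void revokeTableACL(String str, String str2, String str3, String str4) throws IOException {
        if (!AclEntityType.PROJECT_INSTANCE.equals(str)) {
            return;
        }
        // NOTE(review): getPrjByUuid's result is dereferenced without a null check; this relies
        // on the UUID having been resolved earlier in the request -- confirm.
        String projectName = this.projectService.getProjectManager().getPrjByUuid(str2).getName();
        if (this.tableACLService.exists(projectName, str3, str4)) {
            this.tableACLService.deleteFromTableACL(projectName, str3, str4);
        }
    }

    /**
     * Replaces the injected access service.
     *
     * @param accessService the service to use from now on
     */
    public void setAccessService(AccessService accessService) {
        this.accessService = accessService;
    }
}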
