package _ss_com.streamsets.datacollector.store.impl;

import _ss_com.com.google.common.base.Predicate;
import _ss_com.com.google.common.collect.Collections2;
import _ss_com.streamsets.datacollector.main.UserGroupManager;
import _ss_com.streamsets.datacollector.restapi.bean.UserJson;
import _ss_com.streamsets.datacollector.store.AclStoreTask;
import _ss_com.streamsets.datacollector.store.PipelineInfo;
import _ss_com.streamsets.datacollector.store.PipelineStoreTask;
import _ss_com.streamsets.datacollector.task.AbstractTask;
import _ss_com.streamsets.datacollector.util.AuthzRole;
import _ss_com.streamsets.datacollector.util.ContainerError;
import _ss_com.streamsets.datacollector.util.LockCache;
import _ss_com.streamsets.datacollector.util.PipelineException;
import _ss_com.streamsets.lib.security.acl.dto.Acl;
import _ss_com.streamsets.lib.security.acl.dto.Action;
import _ss_com.streamsets.lib.security.acl.dto.Permission;
import _ss_com.streamsets.lib.security.acl.dto.ResourceType;
import _ss_com.streamsets.lib.security.acl.dto.SubjectType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:_ss_com/streamsets/datacollector/store/impl/AbstractAclStoreTask.class */
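/**
 * Shared authorization logic for pipeline ACLs: permission checks, subject renaming and
 * subject enumeration. Storage itself ({@code getAcl}, {@code createAcl}, {@code saveAcl})
 * is not defined in this class.
 *
 * <p>Decision order used by {@link #isPermissionGranted(String, Set, UserJson)}:
 * <ol>
 *   <li>a {@code null} user is allowed (fail-open);</li>
 *   <li>a user holding {@code AuthzRole.ADMIN} or {@code AuthzRole.ADMIN_REMOTE} is allowed;</li>
 *   <li>if the pipeline has no ACL, only the pipeline creator is allowed;</li>
 *   <li>otherwise one ACL entry for the user name or one of the user's groups must contain
 *       every requested action.</li>
 * </ol>
 */
public abstract class AbstractAclStoreTask extends AbstractTask implements AclStoreTask {
    private final PipelineStoreTask pipelineStore;
    private final LockCache<String> lockCache;
    private final UserGroupManager userGroupManager;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the task under the name {@code "aclStore"}.
     *
     * @param pipelineStoreTask store used to list pipelines and to look up pipeline info
     * @param lockCache per-pipeline locks taken while ACLs are rewritten
     * @param userGroupManager source of the known group names
     */
    public AbstractAclStoreTask(PipelineStoreTask pipelineStoreTask, LockCache<String> lockCache, UserGroupManager userGroupManager) {
        super("aclStore");
        this.pipelineStore = pipelineStoreTask;
        this.lockCache = lockCache;
        this.userGroupManager = userGroupManager;
    }

    /**
     * Requires {@code Action.READ} on the pipeline.
     *
     * @param str pipeline id
     * @param userJson requesting user; {@code null} passes the check (see {@link #isPermissionGranted(String, Set, UserJson)})
     * @throws PipelineException with {@code CONTAINER_01200} when the permission is not granted
     */
    @Override // _ss_com.streamsets.datacollector.store.AclStoreTask
    public void validateReadPermission(String str, UserJson userJson) throws PipelineException {
        requirePermission(str, Action.READ, userJson);
    }

    /**
     * Requires {@code Action.WRITE} on the pipeline.
     *
     * @param str pipeline id
     * @param userJson requesting user; {@code null} passes the check (see {@link #isPermissionGranted(String, Set, UserJson)})
     * @throws PipelineException with {@code CONTAINER_01200} when the permission is not granted
     */
    @Override // _ss_com.streamsets.datacollector.store.AclStoreTask
    public void validateWritePermission(String str, UserJson userJson) throws PipelineException {
        requirePermission(str, Action.WRITE, userJson);
    }

    /**
     * Requires {@code Action.EXECUTE} on the pipeline.
     *
     * @param str pipeline id
     * @param userJson requesting user; {@code null} passes the check (see {@link #isPermissionGranted(String, Set, UserJson)})
     * @throws PipelineException with {@code CONTAINER_01200} when the permission is not granted
     */
    @Override // _ss_com.streamsets.datacollector.store.AclStoreTask
    public void validateExecutePermission(String str, UserJson userJson) throws PipelineException {
        requirePermission(str, Action.EXECUTE, userJson);
    }

    /** Throws {@code CONTAINER_01200} unless the single action is granted on the pipeline. */
    private void requirePermission(String str, Action action, UserJson userJson) throws PipelineException {
        if (!isPermissionGranted(str, EnumSet.of(action), userJson)) {
            // userJson cannot be null here: a null user is granted above and never reaches this line.
            throw new PipelineException(ContainerError.CONTAINER_01200, SubjectType.USER, userJson.getName(), action, str);
        }
    }

    /**
     * Decides whether the user may perform all of the given actions on a pipeline.
     *
     * <p>SECURITY: this check fails open for a {@code null} user, so every caller must make
     * sure an unauthenticated request cannot arrive here with {@code userJson == null}
     * unless that is intended. NOTE(review): presumably {@code null} stands for a deployment
     * with authentication disabled; confirm against the callers.
     *
     * <p>When the pipeline has no ACL the decision falls back to the creator recorded in the
     * pipeline info; a pipeline without a recorded creator is denied to non-admin users.
     *
     * @param str pipeline id
     * @param set actions that must all be granted
     * @param userJson requesting user, or {@code null}
     * @return {@code true} when access is allowed
     * @throws PipelineException if the ACL or the pipeline info cannot be read
     */
    @Override // _ss_com.streamsets.datacollector.store.AclStoreTask
    public boolean isPermissionGranted(String str, Set<Action> set, UserJson userJson) throws PipelineException {
        if (userJson == null || isUserAdmin(userJson)) {
            return true;
        }
        Acl acl = getAcl(str);
        if (acl != null) {
            return isPermissionGranted(acl, set, userJson);
        }
        // No ACL stored: owner-only access. A missing creator denies instead of throwing a
        // NullPointerException in the middle of an authorization decision.
        String creator = this.pipelineStore.getInfo(str).getCreator();
        return creator != null && creator.equals(userJson.getName());
    }

    /**
     * Renames subjects in the ACL of every pipeline known to the pipeline store.
     *
     * <p>Each pipeline is processed while holding its lock from the lock cache. A pipeline
     * that has no ACL yet gets one created from its pipeline info and saved, even when no
     * subject in it is renamed.
     *
     * @param map current subject id mapped to its replacement id
     * @throws PipelineException if an ACL cannot be read, created or saved
     */
    @Override // _ss_com.streamsets.datacollector.store.AclStoreTask
    public void updateSubjectsInAcls(Map<String, String> map) throws PipelineException {
        for (PipelineInfo pipelineInfo : this.pipelineStore.getPipelines()) {
            String pipelineId = pipelineInfo.getPipelineId();
            synchronized (this.lockCache.getLock(pipelineId)) {
                updateSubjectsInAcls(pipelineId, map);
            }
        }
    }

    /**
     * Applies the rename map to one pipeline's ACL (resource owner, each entry's last
     * modifier and subject id) and saves the result. The caller holds the pipeline lock.
     */
    private void updateSubjectsInAcls(String str, Map<String, String> map) throws PipelineException {
        Acl acl = getAcl(str);
        if (acl == null) {
            PipelineInfo info = this.pipelineStore.getInfo(str);
            acl = createAcl(info.getPipelineId(), ResourceType.PIPELINE, info.getCreated().getTime(), info.getCreator());
        }
        // Ownership is only moved to a replacement id that is not a known group name.
        String newOwner = map.get(acl.getResourceOwner());
        if (newOwner != null && !this.userGroupManager.getGroups().contains(newOwner)) {
            acl.setResourceOwner(newOwner);
        }
        for (Permission permission : acl.getPermissions()) {
            if (permission == null) {
                continue;
            }
            String newModifier = map.get(permission.getLastModifiedBy());
            if (newModifier != null) {
                permission.setLastModifiedBy(newModifier);
            }
            String newSubject = map.get(permission.getSubjectId());
            if (newSubject != null) {
                permission.setSubjectId(newSubject);
                // The subject type follows the new id: GROUP when the id is a known group
                // name, USER otherwise. A rename can therefore turn a user entry into a
                // group entry, which widens who the entry applies to.
                if (this.userGroupManager.getGroups().contains(newSubject)) {
                    permission.setSubjectType(SubjectType.GROUP);
                } else {
                    permission.setSubjectType(SubjectType.USER);
                }
            }
        }
        saveAcl(str, acl);
    }

    /**
     * Checks the ACL entries that apply to the user (by name or by group membership).
     *
     * <p>Access is granted only when a single entry contains all requested actions; actions
     * are not combined across several entries. An empty action set is satisfied by any
     * matching entry.
     */
    private boolean isPermissionGranted(Acl acl, Set<Action> set, UserJson userJson) {
        List<String> subjectIds = new ArrayList<String>();
        subjectIds.add(userJson.getName());
        if (userJson.getGroups() != null) {
            subjectIds.addAll(userJson.getGroups());
        }
        for (Permission permission : filterPermission(acl, subjectIds)) {
            // Entries without an action set grant nothing.
            if (permission.getActions() != null && permission.getActions().containsAll(set)) {
                return true;
            }
        }
        return false;
    }

    /** Returns {@code true} when the user's roles include ADMIN or ADMIN_REMOTE. */
    private boolean isUserAdmin(UserJson userJson) {
        return userJson.getRoles() != null && (userJson.getRoles().contains(AuthzRole.ADMIN) || userJson.getRoles().contains(AuthzRole.ADMIN_REMOTE));
    }

    /**
     * Returns the non-null ACL entries whose subject id is one of the given ids.
     *
     * <p>NOTE(review): matching is by subject id only and ignores the entry's subject type,
     * so a user whose name equals a group name listed in the ACL matches that group's entry
     * (and the reverse). Confirm that user and group names cannot collide, or match on the
     * subject type as well.
     */
    private Collection<Permission> filterPermission(Acl acl, final List<String> list) {
        return Collections2.filter(acl.getPermissions(), new Predicate<Permission>() {
            @Override // _ss_com.com.google.common.base.Predicate
            public boolean apply(Permission permission) {
                // Null entries are skipped here; dereferencing them would throw before any
                // later null check could run.
                return permission != null && list.contains(permission.getSubjectId());
            }
        });
    }

    /**
     * Collects every subject referenced by the stored pipeline ACLs.
     *
     * <p>Pipelines without an ACL contribute nothing. Resource owners are always reported
     * as users.
     *
     * @return a map with the keys {@code "groups"} and {@code "users"}
     * @throws PipelineException if the pipelines or an ACL cannot be read
     */
    @Override // _ss_com.streamsets.datacollector.store.AclStoreTask
    public Map<String, Set<String>> getSubjectsInAcls() throws PipelineException {
        Set<String> users = new HashSet<String>();
        Set<String> groups = new HashSet<String>();
        for (PipelineInfo pipelineInfo : this.pipelineStore.getPipelines()) {
            Acl acl = getAcl(pipelineInfo.getPipelineId());
            if (acl == null) {
                continue;
            }
            users.add(acl.getResourceOwner());
            for (Permission permission : acl.getPermissions()) {
                // Same null tolerance as the rename path over the same permission list.
                if (permission == null) {
                    continue;
                }
                if (permission.getSubjectType() == SubjectType.GROUP) {
                    groups.add(permission.getSubjectId());
                } else {
                    users.add(permission.getSubjectId());
                }
            }
        }
        Map<String, Set<String>> subjects = new HashMap<String, Set<String>>();
        subjects.put("groups", groups);
        subjects.put("users", users);
        return subjects;
    }
}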
