package _ss_com.streamsets.datacollector.restapi;

import _ss_com.com.google.common.base.Predicate;
import _ss_com.com.google.common.collect.Collections2;
import _ss_com.streamsets.datacollector.main.RuntimeInfo;
import _ss_com.streamsets.datacollector.main.UserGroupManager;
import _ss_com.streamsets.datacollector.restapi.bean.UserJson;
import _ss_com.streamsets.datacollector.store.AclStoreTask;
import _ss_com.streamsets.datacollector.store.PipelineInfo;
import _ss_com.streamsets.datacollector.store.PipelineStoreTask;
import _ss_com.streamsets.datacollector.store.impl.AclPipelineStoreTask;
import _ss_com.streamsets.datacollector.util.AuthzRole;
import _ss_com.streamsets.datacollector.util.ContainerError;
import _ss_com.streamsets.datacollector.util.PipelineException;
import _ss_com.streamsets.lib.security.acl.AclDtoJsonMapper;
import _ss_com.streamsets.lib.security.acl.dto.Acl;
import _ss_com.streamsets.lib.security.acl.dto.Permission;
import _ss_com.streamsets.lib.security.acl.dto.ResourceType;
import _ss_com.streamsets.lib.security.acl.dto.SubjectType;
import _ss_com.streamsets.lib.security.acl.json.AclJson;
import _ss_com.streamsets.lib.security.acl.json.PermissionJson;
import _ss_com.streamsets.lib.security.http.SSOPrincipal;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.Authorization;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Map;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

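/**
 * JAX-RS resource under {@code /v1/acl} for reading and updating pipeline ACLs.
 *
 * <p>The class is annotated {@code @DenyAll}, so an endpoint is reachable only when its method
 * carries {@code @PermitAll} or {@code @RolesAllowed}. The {@code @PermitAll} endpoints are open to
 * every caller that gets past the container's role check, and they do their own per-pipeline
 * owner/admin checks in the method body.
 */
@Api("acl")
@Path("/v1/acl")
@DenyAll
@RequiresCredentialsDeployed
/* loaded from: input_file:_ss_com/streamsets/datacollector/restapi/AclStoreResource.class */
public class AclStoreResource {
    private final PipelineStoreTask store;
    private final AclStoreTask aclStore;
    // May be null: the read endpoints below guard against that, so the lookup in the constructor
    // is treated as fallible everywhere in this class.
    private final UserJson currentUser;

    /**
     * Resolves the calling user and picks the pipeline store used for per-request lookups.
     *
     * @param principal the authenticated caller; cast to {@link SSOPrincipal} when DPM is enabled,
     *     so any other principal type fails with a {@link ClassCastException} in that mode
     * @param pipelineStoreTask the underlying pipeline store
     * @param aclStoreTask the ACL store
     * @param runtimeInfo source of the DPM-enabled and ACL-enabled switches
     * @param userGroupManager used to look up the caller when DPM is not enabled
     */
    @Inject
    public AclStoreResource(Principal principal, PipelineStoreTask pipelineStoreTask, AclStoreTask aclStoreTask, RuntimeInfo runtimeInfo, UserGroupManager userGroupManager) {
        if (runtimeInfo.isDPMEnabled()) {
            this.currentUser = new UserJson((SSOPrincipal) principal);
        } else {
            this.currentUser = userGroupManager.getUser(principal);
        }
        if (runtimeInfo.isAclEnabled()) {
            // Pipeline lookups go through the ACL-aware wrapper bound to the calling user.
            this.store = new AclPipelineStoreTask(pipelineStoreTask, aclStoreTask, this.currentUser);
        } else {
            // NOTE(review): with ACLs disabled getInfo() hits the unwrapped store, so the only
            // per-pipeline checks on the @PermitAll endpoints are the ones in the method bodies.
            this.store = pipelineStoreTask;
        }
        this.aclStore = aclStoreTask;
    }

    /**
     * Returns the ACL of a pipeline.
     *
     * <p>A stored ACL is returned as is. When none is stored and the caller is the pipeline creator
     * or an admin, a default ACL is built in memory (it is not saved) that names the creator as
     * owner and grants the creator every pipeline action. In all other cases {@code null} is handed
     * to the JSON mapper.
     *
     * @param str the pipeline ID from the request path
     * @param securityContext used for the admin role checks
     * @return a 200 response carrying the mapped ACL
     * @throws PipelineException if the pipeline lookup or the ACL lookup fails
     * @throws URISyntaxException declared by the signature; nothing in this body throws it directly
     */
    @GET
    @Path("/{pipelineId}")
    @PermitAll
    @Consumes({MediaType.APPLICATION_JSON})
    @ApiOperation(value = "Get Pipeline ACL", authorizations = {@Authorization("basic")})
    @Produces({MediaType.APPLICATION_JSON})
    public Response getAcl(@PathParam("pipelineId") String str, @Context SecurityContext securityContext) throws PipelineException, URISyntaxException {
        PipelineInfo info = this.store.getInfo(str);
        RestAPIUtils.injectPipelineInMDC(info.getTitle(), info.getPipelineId());
        // NOTE(review): a stored ACL is returned without an owner/admin check in this method; the
        // only gate on that path is store.getInfo() above. Presumably AclPipelineStoreTask enforces
        // read permission there - confirm, and confirm the ACLs-disabled case is acceptable.
        Acl acl = this.aclStore.getAcl(str);
        if (acl == null && this.currentUser != null && (isCurrentUser(info.getCreator()) || isAdmin(securityContext))) {
            acl = new Acl();
            acl.setResourceId(str);
            acl.setResourceOwner(info.getCreator());
            acl.setResourceType(ResourceType.PIPELINE);
            acl.setResourceCreatedTime(info.getCreated().getTime());
            acl.setLastModifiedBy(info.getCreator());
            acl.setLastModifiedOn(System.currentTimeMillis());
            Permission ownerPermission = new Permission();
            ownerPermission.setSubjectId(info.getCreator());
            ownerPermission.setSubjectType(SubjectType.USER);
            ownerPermission.setLastModifiedOn(info.getCreated().getTime());
            ownerPermission.setLastModifiedBy(info.getCreator());
            ownerPermission.getActions().addAll(ResourceType.PIPELINE.getActions());
            acl.getPermissions().add(ownerPermission);
        }
        return Response.ok(AclDtoJsonMapper.INSTANCE.toAclJson(acl)).build();
    }

    /**
     * Replaces the ACL of a pipeline with the one in the request body.
     *
     * <p>Only the owner recorded in the stored ACL (or the pipeline creator when no ACL is stored
     * yet) and admins may save. A request whose user could not be resolved is refused with the same
     * error instead of failing on a null dereference, in line with the null checks in
     * {@link #getAcl} and {@link #getPermissions}.
     *
     * @param str the pipeline ID from the request path
     * @param securityContext used for the admin role checks
     * @param aclJson the client-supplied ACL to persist
     * @return an empty 200 response
     * @throws PipelineException with {@code CONTAINER_01201} when the caller is neither owner nor
     *     admin, or if a store call fails
     * @throws URISyntaxException declared by the signature; nothing in this body throws it directly
     */
    @Path("/{pipelineId}")
    @PermitAll
    @Consumes({MediaType.APPLICATION_JSON})
    @ApiOperation(value = "Update Pipeline ACL", authorizations = {@Authorization("basic")})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response saveAcl(@PathParam("pipelineId") String str, @Context SecurityContext securityContext, AclJson aclJson) throws PipelineException, URISyntaxException {
        PipelineInfo info = this.store.getInfo(str);
        RestAPIUtils.injectPipelineInMDC(info.getTitle(), info.getPipelineId());
        Acl acl = this.aclStore.getAcl(str);
        // Ownership comes from server-side state (stored ACL, else pipeline metadata), never from
        // the request body.
        String ownerId = (acl != null) ? acl.getResourceOwner() : info.getCreator();
        // Fail closed: no resolved user means no write, whatever roles the context reports.
        if (this.currentUser == null || (!isCurrentUser(ownerId) && !isAdmin(securityContext))) {
            throw new PipelineException(ContainerError.CONTAINER_01201, str);
        }
        // NOTE(review): the body is persisted as sent. Nothing here checks that it is non-null, that
        // its resource ID matches the path, or that its owner field is unchanged, so an authorized
        // caller sets all of these. Confirm AclStoreTask.saveAcl validates or that this is intended.
        this.aclStore.saveAcl(str, AclDtoJsonMapper.INSTANCE.asAclDto(aclJson));
        return Response.ok().build();
    }

    /**
     * Returns the ACL permission entries that apply to the calling user for one pipeline.
     *
     * <p>With a stored ACL, the result holds the entries whose subject ID equals the caller's name
     * or one of the caller's groups. Without a stored ACL, the pipeline creator gets a single entry
     * with every pipeline action; everyone else gets an empty list.
     *
     * @param str the pipeline ID from the request path
     * @return a 200 response carrying the mapped permission list
     * @throws PipelineException if the pipeline lookup or the ACL lookup fails
     */
    @GET
    @Path("/{pipelineId}/permissions")
    @PermitAll
    @Consumes({MediaType.APPLICATION_JSON})
    @ApiOperation(value = "Return pipeline permissions for given pipeline ID", response = PermissionJson.class, responseContainer = "List", authorizations = {@Authorization("basic")})
    @Produces({MediaType.APPLICATION_JSON})
    public Response getPermissions(@PathParam("pipelineId") String str) throws PipelineException {
        PipelineInfo info = this.store.getInfo(str);
        RestAPIUtils.injectPipelineInMDC(info.getTitle(), info.getPipelineId());
        ArrayList<Permission> permissions = new ArrayList<>();
        Acl acl = this.aclStore.getAcl(str);
        if (acl != null && this.currentUser != null) {
            final ArrayList<String> subjectIds = new ArrayList<>();
            subjectIds.add(this.currentUser.getName());
            if (this.currentUser.getGroups() != null) {
                subjectIds.addAll(this.currentUser.getGroups());
            }
            // NOTE(review): entries are matched on subject ID alone; the subject type is not
            // compared, so a user name equal to a group name matches both kinds of entry.
            // Confirm user and group IDs cannot collide.
            permissions = new ArrayList<>(Collections2.filter(acl.getPermissions(), new Predicate<Permission>() {
                @Override
                public boolean apply(Permission permission) {
                    return subjectIds.contains(permission.getSubjectId());
                }
            }));
        } else if (isCurrentUser(info.getCreator())) {
            Permission ownerPermission = new Permission();
            ownerPermission.setSubjectId(info.getCreator());
            ownerPermission.setSubjectType(SubjectType.USER);
            ownerPermission.getActions().addAll(ResourceType.PIPELINE.getActions());
            permissions.add(ownerPermission);
        }
        return Response.ok(AclDtoJsonMapper.INSTANCE.toPermissionsJson(permissions)).build();
    }

    /**
     * Returns the subjects referenced by pipeline ACLs, as reported by the ACL store. Admin only.
     *
     * @return a 200 response carrying the store's result
     * @throws PipelineException if the store call fails
     */
    @GET
    @Path("/pipelines/subjects")
    @Consumes({MediaType.APPLICATION_JSON})
    @ApiOperation(value = "Get all Subjects in Pipeline ACL", response = Map.class, authorizations = {@Authorization("basic")})
    @Produces({MediaType.APPLICATION_JSON})
    @RolesAllowed({AuthzRole.ADMIN, AuthzRole.ADMIN_REMOTE})
    public Response getSubjectsInAcls() throws PipelineException {
        RestAPIUtils.injectPipelineInMDC("*");
        return Response.ok(this.aclStore.getSubjectsInAcls()).build();
    }

    /**
     * Passes a subject mapping to the ACL store so it can update the subjects in pipeline ACLs.
     * Admin only.
     *
     * @param map the client-supplied mapping, forwarded unchanged (presumably existing subject
     *     name to replacement name; confirm against AclStoreTask)
     * @return an empty 200 response
     * @throws PipelineException if the store call fails
     */
    @Path("/pipelines/subjects")
    @Consumes({MediaType.APPLICATION_JSON})
    @ApiOperation(value = "Update Subjects in Pipeline ACL", authorizations = {@Authorization("basic")})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @RolesAllowed({AuthzRole.ADMIN, AuthzRole.ADMIN_REMOTE})
    public Response updateSubjectsInAcls(Map<String, String> map) throws PipelineException {
        RestAPIUtils.injectPipelineInMDC("*");
        this.aclStore.updateSubjectsInAcls(map);
        return Response.ok().build();
    }

    /** Tells whether {@code subjectId} names the resolved calling user; false when no user was resolved. */
    private boolean isCurrentUser(String subjectId) {
        return this.currentUser != null && subjectId.equals(this.currentUser.getName());
    }

    /** Tells whether the request holds the local or the remote admin role. */
    private static boolean isAdmin(SecurityContext securityContext) {
        return securityContext.isUserInRole(AuthzRole.ADMIN) || securityContext.isUserInRole(AuthzRole.ADMIN_REMOTE);
    }
}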
