package io.unitycatalog.server.service.credential.aws;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import io.unitycatalog.server.service.credential.CredentialContext;
import java.net.URI;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.iceberg.exceptions.NotAuthorizedException;

/* loaded from: input_file:io/unitycatalog/server/service/credential/aws/AwsPolicyGenerator.class */
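/**
 * Builds an AWS IAM policy document (JSON) that limits S3 access to a set of storage locations.
 *
 * <p>The document always contains one "operation" statement (object-level actions on the
 * location ARNs) plus one {@code s3:ListBucket} statement per bucket, restricted to the location
 * prefixes through an {@code s3:prefix} condition. Presumably the result is used to scope down
 * vended credentials; confirm against the caller.
 *
 * <p>NOTE(review): bucket names and paths are copied into {@code Resource} ARNs and
 * {@code StringLike} patterns verbatim. IAM gives {@code *}, {@code ?} and {@code ${...}} a
 * special meaning in both places, so a location containing them matches more than the literal
 * path. Nothing in this class rejects or escapes such input; confirm that callers only pass
 * validated locations.
 */
public class AwsPolicyGenerator {
    /** YAML skeleton of the policy document; statements are appended to {@code Statement}. */
    static final String POLICY_STATEMENT = "Version: 2012-10-17\nStatement: []\n";

    /** YAML skeleton of the per-bucket listing statement, limited by an {@code s3:prefix} condition. */
    static final String BUCKET_STATEMENT = "Effect: Allow\nAction:\n  - s3:ListBucket\nResource: []\nCondition:\n  StringLike:\n    \"s3:prefix\": []\n";

    /** YAML skeleton of the object-level statement; actions and resources are filled in per call. */
    static final String OPERATION_STATEMENT = "Effect: Allow\nAction: []\nResource: []\n";

    // "s3:GetO*" is a wildcard: it matches every S3 action whose name starts with "GetO"
    // (GetObject, but also e.g. GetObjectAcl and GetObjectVersion).
    // NOTE(review): confirm the wider set is intended; otherwise enumerate the actions.
    static final List<String> SELECT_ACTIONS = List.of("s3:GetO*");

    // Same wildcard caveat: "s3:PutO*" also covers e.g. PutObjectAcl, and "s3:*Multipart*"
    // matches any action containing "Multipart".
    // NOTE(review): confirm ACL-changing actions are meant to be granted for UPDATE.
    static final List<String> UPDATE_ACTIONS = List.of("s3:GetO*", "s3:PutO*", "s3:DeleteO*", "s3:*Multipart*");

    private static final ObjectMapper JSON_MAPPER = new ObjectMapper();
    private static final ObjectMapper YAML_MAPPER = new ObjectMapper(new YAMLFactory());

    /**
     * Generates the policy JSON for the given privileges and storage locations.
     *
     * <p>{@code UPDATE} takes precedence over {@code SELECT}: when both are present the update
     * action set is used. A location whose path is empty or consists only of slashes grants the
     * chosen actions on every object of that bucket.
     *
     * @param set privileges requested for the locations; must contain UPDATE or SELECT
     * @param list storage locations as URI strings whose host is the bucket name
     * @return the policy document serialized as JSON
     * @throws NotAuthorizedException if {@code set} contains neither UPDATE nor SELECT
     * @throws IllegalArgumentException if a location is not a valid URI or has no host component
     */
    public static String generatePolicy(Set<CredentialContext.Privilege> set, List<String> list) {
        final List<String> actions;
        if (set.contains(CredentialContext.Privilege.UPDATE)) {
            actions = UPDATE_ACTIONS;
        } else if (set.contains(CredentialContext.Privilege.SELECT)) {
            actions = SELECT_ACTIONS;
        } else {
            // Pass the values as format arguments instead of pre-formatting the message: the
            // (String, Object...) constructor appears to treat its first argument as a format
            // string (confirm), so a '%' inside a location such as "%20" would otherwise be
            // parsed as a format specifier and fail while building the error.
            throw new NotAuthorizedException(
                    "Can't generate policy for unknown privileges '%s' for locations: '%s'", set, list);
        }

        JsonNode policy = loadYaml(POLICY_STATEMENT);
        ArrayNode statements = (ArrayNode) policy.findPath("Statement");

        JsonNode operationStatement = loadYaml(OPERATION_STATEMENT);
        statements.add(operationStatement);
        ArrayNode operationActions = (ArrayNode) operationStatement.findPath("Action");
        ArrayNode operationResources = (ArrayNode) operationStatement.findPath("Resource");
        actions.forEach(operationActions::add);

        getBucketToPathsMap(list).forEach((bucket, paths) -> {
            JsonNode bucketStatement = loadYaml(BUCKET_STATEMENT);
            statements.add(bucketStatement);
            ArrayNode bucketResources = (ArrayNode) bucketStatement.findPath("Resource");
            bucketResources.add("arn:aws:s3:::%s".formatted(bucket));
            ArrayNode prefixes = (ArrayNode) bucketStatement.findPath("s3:prefix");

            for (String path : paths) {
                // Object keys carry no leading slash, so strip the ones the URI path has.
                // NOTE(review): trailing slashes are kept, so a location ending in '/' yields
                // "key//*"-style patterns; confirm callers normalize them.
                String key = path.replaceAll("^/+", "");
                if (key.isEmpty()) {
                    // Location is the bucket root: list everything, act on every object.
                    prefixes.add("*");
                    operationResources.add("arn:aws:s3:::%s/*".formatted(bucket));
                    continue;
                }
                // The exact key, "key/" and "key/*" are listed separately so that a sibling
                // sharing the same leading characters (e.g. "key-other") is not matched.
                prefixes.add(key);
                prefixes.add(key + "/");
                prefixes.add(key + "/*");
                operationResources.add("arn:aws:s3:::%s/%s/*".formatted(bucket, key));
                operationResources.add("arn:aws:s3:::%s/%s".formatted(bucket, key));
            }
        });

        try {
            return JSON_MAPPER.writeValueAsString(policy);
        } catch (java.io.IOException e) {
            // Serializing an in-memory tree is not expected to fail; surface it unchecked so the
            // method signature stays free of checked exceptions.
            throw new java.io.UncheckedIOException("Failed to serialize generated policy", e);
        }
    }

    /**
     * Groups the paths of the given location URIs by bucket (the URI host).
     *
     * @param list storage locations as URI strings
     * @return bucket name mapped to the URI paths requested within that bucket
     * @throws IllegalArgumentException if a location is not a valid URI or has no host component
     */
    private static Map<String, List<String>> getBucketToPathsMap(List<String> list) {
        return list.stream()
                .map(AwsPolicyGenerator::parseLocation)
                .collect(Collectors.groupingBy(
                        URI::getHost, Collectors.mapping(URI::getPath, Collectors.toList())));
    }

    /**
     * Parses one location and rejects it when no bucket can be derived from it.
     *
     * <p>{@link URI#getHost()} returns {@code null} for opaque URIs and for authorities that are
     * not valid host names (for example names containing an underscore). Failing here keeps the
     * literal text "null" from being written into the policy as a bucket name.
     */
    private static URI parseLocation(String location) {
        URI uri = URI.create(location);
        if (uri.getHost() == null) {
            throw new IllegalArgumentException(
                    "Storage location has no bucket (URI host) component: '%s'".formatted(location));
        }
        return uri;
    }

    /** Parses one of the built-in YAML templates into a mutable JSON tree. */
    private static JsonNode loadYaml(String str) {
        try {
            return YAML_MAPPER.readTree(str);
        } catch (java.io.IOException e) {
            // Only compile-time constant templates are parsed here, so this indicates a broken
            // template rather than bad caller input.
            throw new java.io.UncheckedIOException("Invalid policy template", e);
        }
    }
}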
