package io.unitycatalog.server.service;

import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.server.annotation.ExceptionHandler;
import com.linecorp.armeria.server.annotation.Get;
import com.linecorp.armeria.server.annotation.Param;
import com.linecorp.armeria.server.annotation.Patch;
import io.unitycatalog.server.auth.UnityCatalogAuthorizer;
import io.unitycatalog.server.auth.annotation.AuthorizeExpression;
import io.unitycatalog.server.auth.annotation.AuthorizeKey;
import io.unitycatalog.server.exception.BaseException;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.exception.GlobalExceptionHandler;
import io.unitycatalog.server.model.PermissionsList;
import io.unitycatalog.server.model.PrivilegeAssignment;
import io.unitycatalog.server.model.SecurableType;
import io.unitycatalog.server.model.UpdatePermissions;
import io.unitycatalog.server.persist.CatalogRepository;
import io.unitycatalog.server.persist.FunctionRepository;
import io.unitycatalog.server.persist.MetastoreRepository;
import io.unitycatalog.server.persist.ModelRepository;
import io.unitycatalog.server.persist.SchemaRepository;
import io.unitycatalog.server.persist.TableRepository;
import io.unitycatalog.server.persist.UserRepository;
import io.unitycatalog.server.persist.VolumeRepository;
import io.unitycatalog.server.persist.model.Privileges;
import io.unitycatalog.server.utils.IdentityUtils;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.stream.Collectors;

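/**
 * HTTP endpoints for reading and changing privilege assignments on securables
 * (metastore, catalog, schema, table, function, volume, registered model).
 *
 * <p>Read endpoints carry no {@code @AuthorizeExpression}; what a caller sees is
 * decided inside {@link #getAuthorization}. Write endpoints declare their
 * requirement with {@code @AuthorizeExpression}.
 *
 * <p>NOTE(review): the component that evaluates {@code @AuthorizeExpression} is
 * not visible in this file. Presumably it runs before the handler body; confirm
 * that it is installed on every route of this service, because
 * {@link #updateAuthorization} performs no privilege check of its own.
 */
@ExceptionHandler(GlobalExceptionHandler.class)
public class PermissionService {
    private static final MetastoreRepository METASTORE_REPOSITORY = MetastoreRepository.getInstance();
    private static final UserRepository USER_REPOSITORY = UserRepository.getInstance();
    private static final CatalogRepository CATALOG_REPOSITORY = CatalogRepository.getInstance();
    private static final SchemaRepository SCHEMA_REPOSITORY = SchemaRepository.getInstance();
    private static final TableRepository TABLE_REPOSITORY = TableRepository.getInstance();
    private static final FunctionRepository FUNCTION_REPOSITORY = FunctionRepository.getInstance();
    private static final VolumeRepository VOLUME_REPOSITORY = VolumeRepository.getInstance();
    private static final ModelRepository MODEL_REPOSITORY = ModelRepository.getInstance();

    private final UnityCatalogAuthorizer authorizer;

    /**
     * @param unityCatalogAuthorizer authorizer used for every privilege lookup, grant and revoke
     */
    public PermissionService(UnityCatalogAuthorizer unityCatalogAuthorizer) {
        this.authorizer = unityCatalogAuthorizer;
    }

    /** Lists privilege assignments on the metastore; {@code str} is the path name. */
    @Get("/metastore/{name}")
    public HttpResponse getMetastoreAuthorization(@Param("name") String str) {
        return getAuthorization(SecurableType.METASTORE, str);
    }

    /** Lists privilege assignments on the catalog named {@code str}. */
    @Get("/catalog/{name}")
    public HttpResponse getCatalogAuthorization(@Param("name") String str) {
        return getAuthorization(SecurableType.CATALOG, str);
    }

    /** Lists privilege assignments on the schema named {@code str}. */
    @Get("/schema/{name}")
    public HttpResponse getSchemaAuthorization(@Param("name") String str) {
        return getAuthorization(SecurableType.SCHEMA, str);
    }

    /** Lists privilege assignments on the table named {@code str}. */
    @Get("/table/{name}")
    public HttpResponse getTableAuthorization(@Param("name") String str) {
        return getAuthorization(SecurableType.TABLE, str);
    }

    /**
     * Lists privilege assignments on the function named {@code str}.
     *
     * <p>The route annotation was missing on this handler only, so the method was
     * never bound to a path while the matching PATCH route existed. The path
     * mirrors {@code @Patch("/function/{name}")}.
     */
    @Get("/function/{name}")
    public HttpResponse getFunctionAuthorization(@Param("name") String str) {
        return getAuthorization(SecurableType.FUNCTION, str);
    }

    /** Lists privilege assignments on the volume named {@code str}. */
    @Get("/volume/{name}")
    public HttpResponse getVolumeAuthorization(@Param("name") String str) {
        return getAuthorization(SecurableType.VOLUME, str);
    }

    /** Lists privilege assignments on the registered model named {@code str}. */
    @Get("/registered_model/{name}")
    public HttpResponse getRegisteredModelAuthorization(@Param("name") String str) {
        return getAuthorization(SecurableType.REGISTERED_MODEL, str);
    }

    /**
     * Builds the privilege listing for one securable, scoped to what the caller may see.
     *
     * <p>A caller holding OWNER on the metastore, on the securable itself, or on
     * either of its two nearest hierarchy ancestors receives every principal's
     * assignments. Any other caller receives only their own assignments on the
     * securable. Assignments with no mappable privileges are dropped.
     *
     * <p>NOTE(review): the name is resolved to an id before any privilege check,
     * so a caller without privileges can still trigger the repository lookup.
     * Whether the resulting error distinguishes "missing" from "exists" depends
     * on the repositories, which are not visible here.
     */
    private HttpResponse getAuthorization(SecurableType securableType, String name) {
        UUID resourceId = getResourceId(securableType, name);
        UUID principalId = IdentityUtils.findPrincipalId();
        UUID parentId = authorizer.getHierarchyParent(resourceId);
        UUID grandparentId = parentId != null ? authorizer.getHierarchyParent(parentId) : null;

        // Evaluation order and short-circuiting match the original single expression.
        boolean seesAllPrincipals =
            authorizer.authorize(principalId, METASTORE_REPOSITORY.getMetastoreId(), Privileges.OWNER)
                || authorizer.authorize(principalId, resourceId, Privileges.OWNER)
                || (parentId != null && authorizer.authorize(principalId, parentId, Privileges.OWNER))
                || (grandparentId != null
                    && authorizer.authorize(principalId, grandparentId, Privileges.OWNER));

        Map<UUID, List<Privileges>> authorizations = seesAllPrincipals
            ? authorizer.listAuthorizations(resourceId)
            : Map.of(principalId, authorizer.listAuthorizations(principalId, resourceId));

        List<PrivilegeAssignment> assignments = authorizations.entrySet().stream()
            .map(entry -> toAssignment(entry.getKey(), entry.getValue()))
            .filter(assignment -> !assignment.getPrivileges().isEmpty())
            .collect(Collectors.toList());
        return HttpResponse.ofJson(new PermissionsList().privilegeAssignments(assignments));
    }

    /** Applies grants/revokes on the metastore; requires OWNER on the metastore. */
    @Patch("/metastore/{name}")
    @AuthorizeKey(SecurableType.METASTORE)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER)")
    public HttpResponse updateMetastoreAuthorization(@Param("name") String str, UpdatePermissions updatePermissions) {
        return updateAuthorization(SecurableType.METASTORE, str, updatePermissions);
    }

    /** Applies grants/revokes on a catalog; requires OWNER on the metastore or the catalog. */
    @Patch("/catalog/{name}")
    @AuthorizeKey(SecurableType.METASTORE)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER) || #authorize(#principal, #catalog, OWNER)")
    public HttpResponse updateCatalogAuthorization(@AuthorizeKey(SecurableType.CATALOG) @Param("name") String str, UpdatePermissions updatePermissions) {
        return updateAuthorization(SecurableType.CATALOG, str, updatePermissions);
    }

    /** Applies grants/revokes on a schema; schema OWNER additionally needs USE_CATALOG. */
    @Patch("/schema/{name}")
    @AuthorizeKey(SecurableType.METASTORE)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER) ||\n#authorize(#principal, #catalog, OWNER) ||\n(#authorize(#principal, #schema, OWNER) && #authorize(#principal, #catalog, USE_CATALOG))\n")
    public HttpResponse updateSchemaAuthorization(@AuthorizeKey(SecurableType.SCHEMA) @Param("name") String str, UpdatePermissions updatePermissions) {
        return updateAuthorization(SecurableType.SCHEMA, str, updatePermissions);
    }

    /** Applies grants/revokes on a table; table OWNER additionally needs USE_CATALOG and USE_SCHEMA. */
    @Patch("/table/{name}")
    @AuthorizeKey(SecurableType.METASTORE)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER) ||\n#authorize(#principal, #catalog, OWNER) ||\n(#authorize(#principal, #catalog, USE_CATALOG) && #authorize(#principal, #schema, OWNER)) ||\n(#authorize(#principal, #catalog, USE_CATALOG) && #authorize(#principal, #schema, USE_SCHEMA) && #authorize(#principal, #table, OWNER))\n")
    public HttpResponse updateTableAuthorization(@AuthorizeKey(SecurableType.TABLE) @Param("name") String str, UpdatePermissions updatePermissions) {
        return updateAuthorization(SecurableType.TABLE, str, updatePermissions);
    }

    /** Applies grants/revokes on a function; function OWNER additionally needs USE_CATALOG and USE_SCHEMA. */
    @Patch("/function/{name}")
    @AuthorizeKey(SecurableType.METASTORE)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER) ||\n#authorize(#principal, #catalog, OWNER) ||\n(#authorize(#principal, #catalog, USE_CATALOG) && #authorize(#principal, #schema, OWNER)) ||\n(#authorize(#principal, #catalog, USE_CATALOG) && #authorize(#principal, #schema, USE_SCHEMA) && #authorize(#principal, #function, OWNER))\n")
    public HttpResponse updateFunctionAuthorization(@AuthorizeKey(SecurableType.FUNCTION) @Param("name") String str, UpdatePermissions updatePermissions) {
        return updateAuthorization(SecurableType.FUNCTION, str, updatePermissions);
    }

    /** Applies grants/revokes on a volume; volume OWNER additionally needs USE_CATALOG and USE_SCHEMA. */
    @Patch("/volume/{name}")
    @AuthorizeKey(SecurableType.METASTORE)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER) ||\n#authorize(#principal, #catalog, OWNER) ||\n(#authorize(#principal, #catalog, USE_CATALOG) && #authorize(#principal, #schema, OWNER)) ||\n(#authorize(#principal, #catalog, USE_CATALOG) && #authorize(#principal, #schema, USE_SCHEMA) && #authorize(#principal, #volume, OWNER))\n")
    public HttpResponse updateVolumeAuthorization(@AuthorizeKey(SecurableType.VOLUME) @Param("name") String str, UpdatePermissions updatePermissions) {
        return updateAuthorization(SecurableType.VOLUME, str, updatePermissions);
    }

    /**
     * Applies grants/revokes on a registered model.
     *
     * <p>NOTE(review): unlike the table, function and volume rules, this
     * expression has no catalog-OWNER or schema-OWNER path and does not require
     * USE_CATALOG / USE_SCHEMA alongside model OWNER. Confirm whether that
     * difference is intended.
     */
    @Patch("/registered_model/{name}")
    @AuthorizeKey(SecurableType.METASTORE)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER) || #authorize(#principal, #registered_model, OWNER)")
    public HttpResponse updateRegisteredModelAuthorization(@AuthorizeKey(SecurableType.REGISTERED_MODEL) @Param("name") String str, UpdatePermissions updatePermissions) {
        return updateAuthorization(SecurableType.REGISTERED_MODEL, str, updatePermissions);
    }

    /**
     * Applies every change in the request to one securable and returns the
     * resulting assignments of the principals named in the request.
     *
     * <p>All principals are resolved before any grant or revoke is issued, so a
     * change naming an unresolvable principal fails the request without leaving
     * earlier changes applied. Grants and revokes themselves are still issued
     * one by one; nothing here makes them transactional.
     *
     * <p>Privileges for which {@code Privileges.fromPrivilege} yields
     * {@code null} are skipped without an error, as before.
     */
    private HttpResponse updateAuthorization(SecurableType securableType, String name, UpdatePermissions updatePermissions) {
        UUID resourceId = getResourceId(securableType, name);
        var changes = updatePermissions.getChanges();

        // Pass 1: validate and resolve every principal before mutating anything.
        List<UUID> principalIds = changes.stream()
            .map(change -> UUID.fromString(Objects.requireNonNull(
                USER_REPOSITORY.getUserByEmail(change.getPrincipal()).getId())))
            .collect(Collectors.toList());

        // Pass 2: apply additions, then removals, per change in request order.
        for (int i = 0; i < changes.size(); i++) {
            var change = changes.get(i);
            UUID principalId = principalIds.get(i);
            for (var requested : change.getAdd()) {
                Privileges privilege = Privileges.fromPrivilege(requested);
                if (privilege != null) {
                    authorizer.grantAuthorization(principalId, resourceId, privilege);
                }
            }
            for (var requested : change.getRemove()) {
                Privileges privilege = Privileges.fromPrivilege(requested);
                if (privilege != null) {
                    authorizer.revokeAuthorization(principalId, resourceId, privilege);
                }
            }
        }

        // Report only the principals this request touched.
        var touched = new HashSet<>(principalIds);
        List<PrivilegeAssignment> assignments = authorizer.listAuthorizations(resourceId).entrySet().stream()
            .filter(entry -> touched.contains(entry.getKey()))
            .map(entry -> toAssignment(entry.getKey(), entry.getValue()))
            .filter(assignment -> !assignment.getPrivileges().isEmpty())
            .collect(Collectors.toList());
        return HttpResponse.ofJson(new PermissionsList().privilegeAssignments(assignments));
    }

    /**
     * Converts one principal's stored privileges into the API model, replacing
     * the principal id with the user's e-mail and dropping privileges that have
     * no API representation.
     */
    private static PrivilegeAssignment toAssignment(UUID principalId, List<Privileges> privileges) {
        return new PrivilegeAssignment()
            .principal(USER_REPOSITORY.getUser(principalId.toString()).getEmail())
            .privileges(privileges.stream()
                .map(Privileges::toPrivilege)
                .filter(Objects::nonNull)
                .toList());
    }

    /**
     * Resolves a securable name to its id through the matching repository.
     *
     * @throws BaseException with {@code FAILED_PRECONDITION} for a securable type not handled here
     * @throws NullPointerException if the repository returns a {@code null} id
     */
    private UUID getResourceId(SecurableType securableType, String name) {
        String id = switch (securableType) {
            // The metastore has a single id; the name from the path is not consulted.
            case METASTORE -> METASTORE_REPOSITORY.getMetastoreId().toString();
            case CATALOG -> CATALOG_REPOSITORY.getCatalog(name).getId();
            case SCHEMA -> SCHEMA_REPOSITORY.getSchema(name).getSchemaId();
            case TABLE -> TABLE_REPOSITORY.getTable(name).getTableId();
            case FUNCTION -> FUNCTION_REPOSITORY.getFunction(name).getFunctionId();
            case VOLUME -> VOLUME_REPOSITORY.getVolume(name).getVolumeId();
            case REGISTERED_MODEL -> MODEL_REPOSITORY.getRegisteredModel(name).getId();
            default -> throw new BaseException(ErrorCode.FAILED_PRECONDITION, "Unknown resource type");
        };
        return UUID.fromString(Objects.requireNonNull(id));
    }
}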
