package io.unitycatalog.server.service;

import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.server.annotation.ExceptionHandler;
import com.linecorp.armeria.server.annotation.Post;
import io.unitycatalog.server.auth.UnityCatalogAuthorizer;
import io.unitycatalog.server.auth.decorator.KeyMapperUtil;
import io.unitycatalog.server.auth.decorator.UnityAccessEvaluator;
import io.unitycatalog.server.exception.BaseException;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.exception.GlobalExceptionHandler;
import io.unitycatalog.server.model.GenerateTemporaryModelVersionCredential;
import io.unitycatalog.server.model.ModelVersionInfo;
import io.unitycatalog.server.model.ModelVersionOperation;
import io.unitycatalog.server.model.ModelVersionStatus;
import io.unitycatalog.server.model.SecurableType;
import io.unitycatalog.server.persist.ModelRepository;
import io.unitycatalog.server.persist.utils.RepositoryUtils;
import io.unitycatalog.server.service.credential.CredentialContext;
import io.unitycatalog.server.service.credential.CredentialOperations;
import io.unitycatalog.server.utils.IdentityUtils;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

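/**
 * HTTP service that vends temporary storage credentials for a registered model version.
 *
 * <p>Each request is authorized for the calling principal before the model version is looked
 * up. Rejections are raised as {@link BaseException}; the class is annotated with
 * {@link GlobalExceptionHandler} as its exception handler.
 */
@ExceptionHandler(GlobalExceptionHandler.class)
public class TemporaryModelVersionCredentialsService {
    private static final ModelRepository MODEL_REPOSITORY = ModelRepository.getInstance();

    /** Storage locations starting with this prefix (case-insensitively) never get credentials. */
    private static final String FILE_LOCATION_PREFIX = "file";

    /**
     * Authorization expression for read-only requests. The text, including the trailing newline,
     * is passed to the evaluator unchanged.
     */
    private static final String READ_AUTHORIZATION_EXPRESSION =
            "#authorizeAny(#principal, #registered_model, OWNER, EXECUTE) && "
                    + "#authorizeAny(#principal, #schema, OWNER, USE_SCHEMA) && "
                    + "#authorizeAny(#principal, #catalog, OWNER, USE_CATALOG)\n";

    /**
     * Authorization expression for every request that is not an explicit read. It requires
     * OWNER on the registered model, so unset or unknown operations are checked against the
     * stricter rule.
     */
    private static final String WRITE_AUTHORIZATION_EXPRESSION =
            "(#authorize(#principal, #registered_model, OWNER) && "
                    + "#authorizeAny(#principal, #schema, OWNER, USE_SCHEMA) && "
                    + "#authorizeAny(#principal, #catalog, OWNER, USE_CATALOG))\n";

    private final UnityAccessEvaluator evaluator;
    private final CredentialOperations credentialOps;

    /**
     * Creates the service.
     *
     * @param unityCatalogAuthorizer authorizer wrapped in a {@link UnityAccessEvaluator}
     * @param credentialOperations component used to vend the credential for a storage location
     */
    public TemporaryModelVersionCredentialsService(UnityCatalogAuthorizer unityCatalogAuthorizer, CredentialOperations credentialOperations) {
        this.evaluator = new UnityAccessEvaluator(unityCatalogAuthorizer);
        this.credentialOps = credentialOperations;
    }

    /**
     * Vends a temporary credential for the storage location of the requested model version.
     *
     * <p>Read/write credentials are only issued while the version is in
     * {@code PENDING_REGISTRATION}; any other non-rejected status yields read credentials at most.
     *
     * @param generateTemporaryModelVersionCredential request naming the catalog, schema, model,
     *     version and requested operation
     * @return JSON response wrapping the value returned by
     *     {@code CredentialOperations.vendCredential}
     * @throws BaseException {@code PERMISSION_DENIED} when the principal fails authorization;
     *     {@code INVALID_ARGUMENT} when the version or operation is missing or unknown, the
     *     storage location is file based, the version status is failed/unknown, or read/write
     *     access is requested on a version that is no longer pending registration
     */
    @Post("")
    public HttpResponse generateTemporaryModelVersionCredentials(GenerateTemporaryModelVersionCredential generateTemporaryModelVersionCredential) {
        // Authorization runs before any lookup so that an unauthorized caller learns nothing
        // about the model version from the validation errors below.
        authorizeForOperation(generateTemporaryModelVersionCredential);

        // A missing version used to surface as a NullPointerException; report it as a
        // client error instead.
        if (generateTemporaryModelVersionCredential.getVersion() == null) {
            throw new BaseException(ErrorCode.INVALID_ARGUMENT, "Model version is missing from the request.");
        }
        long version = generateTemporaryModelVersionCredential.getVersion().longValue();
        String modelFullName = RepositoryUtils.getAssetFullName(
                generateTemporaryModelVersionCredential.getCatalogName(),
                generateTemporaryModelVersionCredential.getSchemaName(),
                generateTemporaryModelVersionCredential.getModelName());
        String versionLabel = modelFullName + "/" + version;

        ModelVersionInfo modelVersion = MODEL_REPOSITORY.getModelVersion(modelFullName, version);
        String storageLocation = modelVersion.getStorageLocation();

        // Locale.ROOT keeps this guard independent of the JVM default locale: with a Turkish
        // default locale, "FILE" lower-cases to a dotless-i form that does not start with
        // "file", which would let an upper-case file location slip past the check.
        if (storageLocation.toLowerCase(Locale.ROOT).startsWith(FILE_LOCATION_PREFIX)) {
            throw new BaseException(ErrorCode.INVALID_ARGUMENT, "Cannot request credentials on a model version with a file based storage location: " + versionLabel);
        }

        ModelVersionOperation operation = generateTemporaryModelVersionCredential.getOperation();
        ModelVersionStatus status = modelVersion.getStatus();
        if (status == ModelVersionStatus.FAILED_REGISTRATION || status == ModelVersionStatus.MODEL_VERSION_STATUS_UNKNOWN) {
            throw new BaseException(ErrorCode.INVALID_ARGUMENT, "Cannot request credentials on a model version with status " + status.getValue() + ": " + versionLabel);
        }

        // Write access is only handed out while the version is still being registered.
        boolean pendingRegistration = status == ModelVersionStatus.PENDING_REGISTRATION;
        if (!pendingRegistration && operation == ModelVersionOperation.READ_WRITE_MODEL_VERSION) {
            throw new BaseException(ErrorCode.INVALID_ARGUMENT, "Cannot request read/write credentials on a model version that has been finalized: " + versionLabel);
        }
        return HttpResponse.ofJson(this.credentialOps.vendCredential(storageLocation, modelVersionOperationToPrivileges(operation)));
    }

    /**
     * Maps the requested operation to the privileges the vended credential should carry.
     *
     * @param modelVersionOperation operation taken from the request; may be {@code null}
     * @return {@code SELECT} for reads, {@code SELECT} and {@code UPDATE} for read/write
     * @throws BaseException {@code INVALID_ARGUMENT} when the operation is missing or is not a
     *     read or read/write operation
     */
    private Set<CredentialContext.Privilege> modelVersionOperationToPrivileges(ModelVersionOperation modelVersionOperation) {
        // Fail with a client error rather than a NullPointerException when no operation is set.
        if (modelVersionOperation == null) {
            throw new BaseException(ErrorCode.INVALID_ARGUMENT, "Operation is missing from the request.");
        }
        switch (modelVersionOperation) {
            case READ_MODEL_VERSION:
                return Set.of(CredentialContext.Privilege.SELECT);
            case READ_WRITE_MODEL_VERSION:
                return Set.of(CredentialContext.Privilege.SELECT, CredentialContext.Privilege.UPDATE);
            case UNKNOWN_MODEL_VERSION_OPERATION:
            default:
                // Anything that is not an explicit read or read/write is refused, so a
                // constant added to the enum later cannot silently obtain privileges.
                throw new BaseException(ErrorCode.INVALID_ARGUMENT, "Unknown operation in the request: " + modelVersionOperation);
        }
    }

    /**
     * Checks that the current principal may perform the requested operation on the model.
     *
     * <p>Only an explicit {@code READ_MODEL_VERSION} request is evaluated against the read
     * expression; every other value, including {@code null}, is evaluated against the
     * owner-only expression.
     *
     * @param request request whose catalog, schema and model names identify the securables
     * @throws BaseException {@code PERMISSION_DENIED} when the evaluator rejects the principal
     */
    private void authorizeForOperation(GenerateTemporaryModelVersionCredential request) {
        String expression = request.getOperation() == ModelVersionOperation.READ_MODEL_VERSION
                ? READ_AUTHORIZATION_EXPRESSION
                : WRITE_AUTHORIZATION_EXPRESSION;
        boolean allowed = this.evaluator.evaluate(
                IdentityUtils.findPrincipalId(),
                expression,
                KeyMapperUtil.mapResourceKeys(Map.of(
                        SecurableType.METASTORE, "metastore",
                        SecurableType.CATALOG, request.getCatalogName(),
                        SecurableType.SCHEMA, request.getSchemaName(),
                        SecurableType.REGISTERED_MODEL, request.getModelName())));
        if (!allowed) {
            throw new BaseException(ErrorCode.PERMISSION_DENIED, "Access denied.");
        }
    }
}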
