package com.cloudera.api.dao.impl;

import com.cloudera.api.DataView;
import com.cloudera.api.dao.AuthRoleManagerDao;
import com.cloudera.api.dao.DAOFactory;
import com.cloudera.api.fiql.FIQLParser;
import com.cloudera.api.model.ApiAuthRole;
import com.cloudera.api.model.ApiAuthRoleAuthority;
import com.cloudera.api.model.ApiAuthRoleList;
import com.cloudera.api.model.ApiAuthRoleMetadata;
import com.cloudera.api.model.ApiAuthRoleMetadataList;
import com.cloudera.api.model.ApiClusterRef;
import com.cloudera.api.model.ApiExternalUserMappingRef;
import com.cloudera.api.model.ApiUser2Ref;
import com.cloudera.cmf.model.DbAuthRole;
import com.cloudera.cmf.model.DbAuthScope;
import com.cloudera.cmf.model.DbCluster;
import com.cloudera.cmf.model.DbExternalMapping;
import com.cloudera.cmf.model.DbUser;
import com.cloudera.cmf.model.ExternalMappingType;
import com.cloudera.cmf.service.CommandUtils;
import com.cloudera.cmf.user.UserRole;
import com.cloudera.server.cmf.CurrentUserManager;
import com.cloudera.server.web.common.I18n;
import com.google.common.base.Preconditions;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.StringJoiner;

/* loaded from: input_file:com/cloudera/api/dao/impl/AuthRoleManagerDaoImpl.class */
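/**
 * DAO that creates, lists, updates and deletes auth roles (a base {@link UserRole} plus a set of
 * cluster scopes, users and external mappings).
 *
 * <p>Authorization performed inside this class, as visible here:
 * <ul>
 *   <li>{@link #deleteAuthRole} and {@link #deleteAuthRoleByName} call {@link #checkForAdmins()}.</li>
 *   <li>{@link #getAuthRole} and {@link #listAuthRoleMetadata} check
 *       {@code currentUserMgr.hasAuthority(...)} against the role's modify authority.</li>
 *   <li>{@link #createAuthRoles} and {@link #updateAuthRole} perform no caller check of their own.</li>
 * </ul>
 * NOTE(review): create/update are presumably guarded by the API layer or by
 * {@code operationsManager}; confirm, because nothing in this class stops a non-admin caller.
 */
public class AuthRoleManagerDaoImpl extends ManagerDaoBase implements AuthRoleManagerDao {
    private final CurrentUserManager currentUserMgr;

    /* JADX INFO: Access modifiers changed from: protected */
    public AuthRoleManagerDaoImpl(DAOFactory dAOFactory, CurrentUserManager currentUserManager) {
        super(dAOFactory);
        this.currentUserMgr = currentUserManager;
    }

    /**
     * Looks up an auth role by uuid.
     *
     * @throws IllegalArgumentException if no role with that uuid exists
     */
    private DbAuthRole findAuthRoleByUuid(String str) {
        DbAuthRole role = this.cmfEM.findAuthRole(str);
        if (role == null) {
            throw new IllegalArgumentException(String.format("Role with uuid '%s' does not exist.", str));
        }
        return role;
    }

    /**
     * Looks up an auth role by name.
     *
     * @throws IllegalArgumentException if no role with that name exists
     */
    private DbAuthRole findAuthRoleByName(String str) {
        DbAuthRole role = this.cmfEM.findAuthRoleByName(str);
        if (role == null) {
            throw new IllegalArgumentException(String.format("UserRole '%s' does not exist.", str));
        }
        return role;
    }

    /**
     * Looks up the auth role backing a {@link UserRole}.
     *
     * @throws IllegalArgumentException if the entity manager returns no role for it
     */
    private DbAuthRole findAuthRole(UserRole userRole) {
        DbAuthRole role = this.cmfEM.findAuthRole(userRole);
        if (role == null) {
            throw new IllegalArgumentException(String.format("UserRole '%s' does not exist.", userRole.name()));
        }
        return role;
    }

    /**
     * Rejects a requested role that would duplicate an existing one, i.e. one with the same
     * effective user role name and exactly the same set of cluster names.
     *
     * <p>Requested clusters are compared by {@code getClusterName()}, existing scopes by
     * {@code getCluster().getName()}.
     *
     * @throws IllegalArgumentException if the base role reference does not resolve, or a
     *     duplicate exists
     */
    public void checkDuplicate(ApiAuthRole apiAuthRole) {
        DbAuthRole baseRole = findAuthRole(apiAuthRole.getBaseRole().getUuid(), apiAuthRole.getBaseRole().getName());
        if (baseRole == null) {
            throw new IllegalArgumentException("Invalid ApiAuthRoleRef provided.");
        }
        HashSet<String> requestedClusters = new HashSet<>();
        for (ApiClusterRef clusterRef : apiAuthRole.getClusters()) {
            requestedClusters.add(clusterRef.getClusterName());
        }
        for (DbAuthRole existing : this.cmfEM.findAllAuthRoles()) {
            HashSet<String> existingClusters = new HashSet<>();
            // Iterate as Object and cast so this compiles whether or not getScopes() is generic.
            for (Object scope : existing.getScopes()) {
                existingClusters.add(((DbAuthScope) scope).getCluster().getName());
            }
            boolean sameRole = existing.getEffectiveUserRoleName().equals(baseRole.getEffectiveUserRoleName());
            if (sameRole && existingClusters.equals(requestedClusters)) {
                throw new IllegalArgumentException(String.format("Auth role with name %s on scopes %s already exists.", baseRole.getEffectiveUserRoleName(), existingClusters.toString()));
            }
        }
    }

    /**
     * Builds the stored name of a custom role: the base role name followed by the display name
     * of every scoped cluster, all joined with {@code FIQLParser.OR}.
     */
    private String generateName(DbAuthRole dbAuthRole) {
        String baseName = dbAuthRole.getBaseRoleId().getName();
        StringJoiner clusterNames = new StringJoiner(FIQLParser.OR);
        for (Object scope : dbAuthRole.getScopes()) {
            clusterNames.add(((DbAuthScope) scope).getCluster().getDisplayName());
        }
        return baseName + FIQLParser.OR + clusterNames.toString();
    }

    /**
     * Validates a whole create request: the list must be non-empty and every entry must pass
     * {@link #authRolePreconditions} and {@link #checkDuplicate}.
     *
     * @throws IllegalArgumentException on the first violation
     */
    public void authRoleListPreconditions(ApiAuthRoleList apiAuthRoleList) {
        Preconditions.checkArgument(apiAuthRoleList != null && !apiAuthRoleList.getAuthRoles().isEmpty(), "Auth roles list must be provided.");
        Iterator<?> it = apiAuthRoleList.iterator();
        while (it.hasNext()) {
            ApiAuthRole requested = (ApiAuthRole) it.next();
            authRolePreconditions(requested);
            checkDuplicate(requested);
        }
    }

    /**
     * Validates one requested role: it must be present, name a base role and list at least one
     * cluster.
     *
     * @throws IllegalArgumentException if any of these is missing
     */
    public void authRolePreconditions(ApiAuthRole apiAuthRole) {
        Preconditions.checkArgument(apiAuthRole != null, "Auth Role information not provided.");
        Preconditions.checkArgument(apiAuthRole.getBaseRole() != null, "Base role not provided.");
        Preconditions.checkArgument(!apiAuthRole.getClusters().isEmpty(), "Clusters not provided.");
    }

    /** Delegates creation of the built-in auth roles to the entity manager. */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxCommit
    public void createBuiltInAuthRoles() {
        this.cmfEM.createBuiltInAuthRoles();
    }

    /**
     * Creates one auth role per entry of the request, each copied from its base role and scoped
     * to the requested clusters.
     *
     * <p>NOTE(review): no {@link #checkForAdmins()} or authority check happens here; confirm the
     * caller enforces who may create roles.
     *
     * @param apiAuthRoleList roles to create; validated by {@link #authRoleListPreconditions}
     * @param z when {@code true}, the users and external mappings in the request are not assigned
     * @return the created roles, in request order
     * @throws IllegalArgumentException if validation fails or a base role does not resolve
     */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxCommit
    public ApiAuthRoleList createAuthRoles(ApiAuthRoleList apiAuthRoleList, boolean z) {
        authRoleListPreconditions(apiAuthRoleList);
        ApiAuthRoleList created = new ApiAuthRoleList();
        Iterator<?> it = apiAuthRoleList.iterator();
        while (it.hasNext()) {
            ApiAuthRole requested = (ApiAuthRole) it.next();
            DbAuthRole baseRole = findAuthRole(requested.getBaseRole().getUuid(), requested.getBaseRole().getName());
            if (baseRole == null) {
                throw new IllegalArgumentException("Invalid base role provided.");
            }
            DbAuthRole newRole = new DbAuthRole(baseRole);
            assignAuthScopes(newRole, requested);
            if (newRole.isCustom()) {
                // The name is derived from the scopes, so it can only be set after they are assigned.
                newRole.setName(generateName(newRole));
            }
            DbAuthRole persisted = this.operationsManager.addAuthRole(this.cmfEM, newRole);
            if (!z) {
                assignUsersAndExternalMappings(persisted, requested);
            }
            created.getAuthRoles().add(this.modelFactory.newAuthRole(persisted));
        }
        return created;
    }

    /**
     * Verifies that the logged-in user may administer auth roles.
     *
     * @throws IllegalArgumentException if there is no logged-in user
     * @throws SecurityException if the user is internal, or holds neither
     *     {@code ROLE_USER_ADMIN} nor {@code ROLE_ADMIN}
     */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxReadOnly
    public void checkForAdmins() {
        DbUser loggedInUser = this.currentUserMgr.getLoggedInUser(this.cmfEM);
        Preconditions.checkArgument(loggedInUser != null);
        if (loggedInUser.isInternal()) {
            throw new SecurityException("Internal users cannot administer auth roles.");
        }
        boolean isAdministrator = this.currentUserMgr.getRoles().contains(UserRole.ROLE_USER_ADMIN)
                || this.currentUserMgr.getRoles().contains(UserRole.ROLE_ADMIN);
        if (!isAdministrator) {
            throw new SecurityException("Only administrators can administer auth roles.");
        }
    }

    /**
     * Deletes a custom auth role identified by uuid.
     *
     * @return the API view of the role as it was before deletion
     * @throws SecurityException if the caller is not an administrator, or the role still has
     *     users or external mappings
     * @throws IllegalArgumentException if the role does not exist or is not custom
     */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxCommit
    public ApiAuthRole deleteAuthRole(String str) {
        checkForAdmins();
        // findAuthRoleByUuid never returns null; it throws for an unknown uuid.
        DbAuthRole role = findAuthRoleByUuid(str);
        Preconditions.checkArgument(role.isCustom());
        // Refuse to remove a role that still grants privileges to someone.
        boolean inUse = !role.getImmutableUsers().isEmpty() || !role.getImmutableExts().isEmpty();
        if (inUse) {
            throw new SecurityException("Cannot delete this auth role because it has users or external mappings that have to be deleted first.");
        }
        ApiAuthRole snapshot = this.modelFactory.newAuthRole(role);
        this.operationsManager.deleteAuthRole(this.cmfEM, role);
        this.cmfEM.deleteAuthRole(role);
        return snapshot;
    }

    /**
     * Deletes a custom auth role identified by name.
     *
     * <p>NOTE(review): unlike {@link #deleteAuthRole}, this path does not refuse a role that
     * still has users or external mappings. Confirm whether that is intentional; if not, the
     * same in-use check belongs here.
     *
     * @return the API view of the role as it was before deletion
     * @throws SecurityException if the caller is not an administrator
     * @throws IllegalArgumentException if the role does not exist or is not custom
     */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxCommit
    public ApiAuthRole deleteAuthRoleByName(String str) {
        checkForAdmins();
        // findAuthRoleByName never returns null; it throws for an unknown name.
        DbAuthRole role = findAuthRoleByName(str);
        Preconditions.checkArgument(role.isCustom());
        ApiAuthRole snapshot = this.modelFactory.newAuthRole(role);
        this.operationsManager.deleteAuthRole(this.cmfEM, role);
        this.cmfEM.deleteAuthRole(role);
        return snapshot;
    }

    /**
     * Lists the auth roles returned by {@code operationsManager.getAllowedAuthRoles}, sorted by
     * display name.
     *
     * <p>No further filtering is applied here, so visibility depends entirely on that call.
     */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxReadOnly
    public ApiAuthRoleList listAuthRoles(DataView dataView) {
        ApiAuthRoleList result = new ApiAuthRoleList();
        for (DbAuthRole role : this.operationsManager.getAllowedAuthRoles(this.cmfEM)) {
            result.getAuthRoles().add(this.modelFactory.newAuthRole(role, dataView));
        }
        // A null element sorts as CommandUtils.CONFIG_TOP_LEVEL_DIR; a null display name still
        // throws NullPointerException, as it did before.
        Comparator<ApiAuthRole> byDisplayName = (left, right) -> {
            String leftName = left == null ? CommandUtils.CONFIG_TOP_LEVEL_DIR : left.getDisplayName();
            String rightName = right == null ? CommandUtils.CONFIG_TOP_LEVEL_DIR : right.getDisplayName();
            return leftName.compareTo(rightName);
        };
        Collections.sort(result.getAuthRoles(), byDisplayName);
        return result;
    }

    /**
     * Replaces the cluster scopes of {@code dbAuthRole} with the clusters named in the request.
     * An empty cluster list assigns an empty scope set.
     *
     * @throws IllegalArgumentException if the role's {@link UserRole} does not allow the
     *     {@code "CLUSTER"} scope, or a cluster name does not resolve
     */
    @TxCommit
    public void assignAuthScopes(DbAuthRole dbAuthRole, ApiAuthRole apiAuthRole) {
        HashSet<DbAuthScope> scopes = Sets.newHashSet();
        if (!apiAuthRole.getClusters().isEmpty()) {
            // Loop-invariant, so checked once; it is still skipped entirely for an empty list.
            if (!UserRole.valueOf(dbAuthRole.getEffectiveUserRoleName()).getAllowedScopes().contains("CLUSTER")) {
                throw new IllegalArgumentException("Cluster Scope is not supported by this auth role.");
            }
            for (ApiClusterRef clusterRef : apiAuthRole.getClusters()) {
                DbCluster cluster = this.cmfEM.findClusterByName(clusterRef.getClusterName());
                if (cluster == null) {
                    String shownName = clusterRef.getClusterName() != null ? clusterRef.getClusterName() : "empty";
                    throw new IllegalArgumentException(String.format("Invalid cluster information provided. Bad Cluster Name : %s", shownName));
                }
                scopes.add(new DbAuthScope(dbAuthRole, cluster));
            }
        }
        this.operationsManager.assignAuthScopes(this.cmfEM, dbAuthRole, scopes);
    }

    /**
     * Replaces the users and external mappings of {@code dbAuthRole} with those named in the
     * request.
     *
     * <p>For a role whose effective user role is {@code ROLE_ADMIN}, an empty user list is
     * rejected so the role is never left without a directly assigned user. External mappings
     * are not counted by that check.
     *
     * @throws IllegalArgumentException if a user or external mapping does not exist, or the
     *     request would leave the admin role without users
     */
    @TxCommit
    public void assignUsersAndExternalMappings(DbAuthRole dbAuthRole, ApiAuthRole apiAuthRole) {
        HashSet<DbUser> users = Sets.newHashSet();
        HashSet<DbExternalMapping> externalMappings = Sets.newHashSet();
        for (ApiUser2Ref userRef : apiAuthRole.getUsers()) {
            DbUser user = this.cmfEM.findUserByName(userRef.getName());
            if (user == null) {
                throw new IllegalArgumentException(String.format("User %s does not exist.", userRef.getName()));
            }
            users.add(user);
        }
        for (ApiExternalUserMappingRef mappingRef : apiAuthRole.getExternalUserMappings()) {
            ExternalMappingType mappingType = ExternalMappingType.valueOf(mappingRef.getType().toString());
            DbExternalMapping mapping = findExternalUser(mappingRef.getUuid(), mappingRef.getName(), mappingType);
            if (mapping == null) {
                throw new IllegalArgumentException(String.format("External Mapping %s does not exist.", mappingRef.getName()));
            }
            externalMappings.add(mapping);
        }
        boolean isAdminRole = dbAuthRole.getEffectiveUserRoleName().equals(UserRole.ROLE_ADMIN.name());
        if (isAdminRole && users.isEmpty()) {
            throw new IllegalArgumentException("Cannot delete the last admin account.");
        }
        this.operationsManager.assignUsers(this.cmfEM, dbAuthRole, users);
        this.operationsManager.assignExternalMappings(this.cmfEM, dbAuthRole, externalMappings);
    }

    /**
     * Updates an auth role: optionally rebases a custom role, then replaces its users, external
     * mappings and cluster scopes with those in the request.
     *
     * <p>NOTE(review): no {@link #checkForAdmins()} or authority check happens here; confirm the
     * caller enforces who may modify roles.
     * <p>NOTE(review): for a custom role a request without a base role still fails with
     * {@code NullPointerException}; decide whether that should mean "keep the current base".
     *
     * @param str uuid of the role to update
     * @param apiAuthRole requested state
     * @return the API view of the updated role
     * @throws IllegalArgumentException if the role or the new base role does not exist, or a
     *     base role is supplied for a built-in role
     */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxCommit
    public ApiAuthRole updateAuthRole(String str, ApiAuthRole apiAuthRole) {
        // findAuthRoleByUuid never returns null; it throws for an unknown uuid.
        DbAuthRole role = findAuthRoleByUuid(str);
        if (role.isCustom()) {
            String requestedBaseUuid = apiAuthRole.getBaseRole().getUuid();
            // Compare by value. The previous reference comparison (!=) treated equal uuids held
            // in different String instances as a change and rebased the role on every update.
            if (requestedBaseUuid == null || !requestedBaseUuid.equals(role.getBaseRoleId().getUuid())) {
                this.operationsManager.updateBaseAuthRole(this.cmfEM, role, findAuthRoleByUuid(requestedBaseUuid));
            }
        } else if (apiAuthRole.getBaseRole() != null) {
            throw new IllegalArgumentException("Built-in auth roles cannot be modified.");
        }
        assignUsersAndExternalMappings(role, apiAuthRole);
        assignAuthScopes(role, apiAuthRole);
        return this.modelFactory.newAuthRole(role);
    }

    /**
     * Returns one auth role, provided the current user holds the modify authority of the role's
     * {@link UserRole}.
     *
     * <p>The role is looked up before the authority check, so an unknown uuid is reported as
     * {@link IllegalArgumentException} to any caller.
     * NOTE(review): this read path is annotated {@code @TxCommit}; confirm that is intended.
     *
     * @throws IllegalArgumentException if the role does not exist
     * @throws SecurityException if the current user lacks the required authority
     */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxCommit
    public ApiAuthRole getAuthRole(String str) {
        DbAuthRole role = findAuthRoleByUuid(str);
        UserRole userRole = UserRole.valueOf(role.getEffectiveUserRoleName());
        if (!this.currentUserMgr.hasAuthority(userRole.getModifyAuth())) {
            throw new SecurityException("Not authorized to see this auth role.");
        }
        return this.modelFactory.newAuthRole(role);
    }

    /**
     * Describes every allowed {@link UserRole} that the current user has the modify authority
     * for: display name, uuid, role name, authorities and allowed scopes.
     */
    @Override // com.cloudera.api.dao.AuthRoleManagerDao
    @TxReadOnly
    public ApiAuthRoleMetadataList listAuthRoleMetadata(DataView dataView) {
        ApiAuthRoleMetadataList result = new ApiAuthRoleMetadataList();
        for (UserRole userRole : this.operationsManager.getAllowedUserRoles()) {
            // Roles the caller cannot modify are left out of the listing.
            if (!this.currentUserMgr.hasAuthority(userRole.getModifyAuth())) {
                continue;
            }
            ApiAuthRoleMetadata metadata = new ApiAuthRoleMetadata();
            metadata.setDisplayName(I18n.t(userRole.getLabel()));
            metadata.setUuid(findAuthRole(userRole).getUuid());
            metadata.setRole(userRole.name());
            HashSet<ApiAuthRoleAuthority> authorities = Sets.newHashSet();
            // Iterate over a copy of the descriptions map, as the original did.
            for (Map.Entry<?, ?> entry : Maps.newHashMap(userRole.getAuthorityDescriptions()).entrySet()) {
                authorities.add(new ApiAuthRoleAuthority((String) entry.getKey(), I18n.t((String) entry.getValue())));
            }
            metadata.setAuthorities(authorities);
            metadata.setAllowedScopes(userRole.getAllowedScopes());
            result.getAuthRolesMetadata().add(metadata);
        }
        return result;
    }
}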
