package org.opensearch.ml.model;

import java.time.Instant;
import java.util.HashSet;
import java.util.Iterator;
import lombok.Generated;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.action.index.IndexRequest;
import org.opensearch.action.search.SearchRequest;
import org.opensearch.action.search.SearchResponse;
import org.opensearch.action.support.WriteRequest;
import org.opensearch.client.Client;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.inject.Inject;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.common.xcontent.XContentType;
import org.opensearch.commons.authuser.User;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.common.util.CollectionUtils;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.core.xcontent.XContentBuilder;
import org.opensearch.index.IndexNotFoundException;
import org.opensearch.index.query.BoolQueryBuilder;
import org.opensearch.index.query.TermQueryBuilder;
import org.opensearch.ml.common.AccessMode;
import org.opensearch.ml.common.MLModelGroup;
import org.opensearch.ml.common.transport.model_group.MLRegisterModelGroupInput;
import org.opensearch.ml.helper.ModelAccessControlHelper;
import org.opensearch.ml.indices.MLIndicesHandler;
import org.opensearch.ml.utils.RestActionUtils;
import org.opensearch.search.SearchHit;
import org.opensearch.search.builder.SearchSourceBuilder;

/* loaded from: input_file:org/opensearch/ml/model/MLModelGroupManager.class */
public class MLModelGroupManager {

    @Generated
    private static final Logger log = LogManager.getLogger(MLModelGroupManager.class);
    private final MLIndicesHandler mlIndicesHandler;
    private final Client client;
    ClusterService clusterService;
    ModelAccessControlHelper modelAccessControlHelper;

    @Inject
    public MLModelGroupManager(MLIndicesHandler mLIndicesHandler, Client client, ClusterService clusterService, ModelAccessControlHelper modelAccessControlHelper) {
        this.mlIndicesHandler = mLIndicesHandler;
        this.client = client;
        this.clusterService = clusterService;
        this.modelAccessControlHelper = modelAccessControlHelper;
    }

    public void createModelGroup(MLRegisterModelGroupInput mLRegisterModelGroupInput, ActionListener<String> actionListener) {
        ThreadContext.StoredContext stashContext;
        try {
            String name = mLRegisterModelGroupInput.getName();
            User userContext = RestActionUtils.getUserContext(this.client);
            try {
                stashContext = this.client.threadPool().getThreadContext().stashContext();
            } catch (Exception e) {
                log.error("Failed to create model group doc", e);
                actionListener.onFailure(e);
            }
            try {
                ActionListener runBefore = ActionListener.runBefore(actionListener, () -> {
                    stashContext.restore();
                });
                validateUniqueModelGroupName(mLRegisterModelGroupInput.getName(), ActionListener.wrap(searchResponse -> {
                    MLModelGroup build;
                    if (searchResponse != null && searchResponse.getHits().getTotalHits() != null && searchResponse.getHits().getTotalHits().value != 0) {
                        Iterator it = searchResponse.getHits().iterator();
                        while (it.hasNext()) {
                            runBefore.onFailure(new IllegalArgumentException("The name you provided is already being used by a model group with ID: " + ((SearchHit) it.next()).getId() + "."));
                        }
                        return;
                    }
                    MLModelGroup.MLModelGroupBuilder builder = MLModelGroup.builder();
                    if (this.modelAccessControlHelper.isSecurityEnabledAndModelAccessControlEnabled(userContext)) {
                        validateRequestForAccessControl(mLRegisterModelGroupInput, userContext);
                        MLModelGroup.MLModelGroupBuilder access = builder.access(mLRegisterModelGroupInput.getModelAccessMode().getValue());
                        if (Boolean.TRUE.equals(mLRegisterModelGroupInput.getIsAddAllBackendRoles())) {
                            mLRegisterModelGroupInput.setBackendRoles(userContext.getBackendRoles());
                        }
                        build = access.name(name).description(mLRegisterModelGroupInput.getDescription()).backendRoles(mLRegisterModelGroupInput.getBackendRoles()).owner(userContext).createdTime(Instant.now()).lastUpdatedTime(Instant.now()).build();
                    } else {
                        validateSecurityDisabledOrModelAccessControlDisabled(mLRegisterModelGroupInput);
                        build = builder.name(name).description(mLRegisterModelGroupInput.getDescription()).access(AccessMode.PUBLIC.getValue()).createdTime(Instant.now()).lastUpdatedTime(Instant.now()).build();
                    }
                    MLModelGroup mLModelGroup = build;
                    this.mlIndicesHandler.initModelGroupIndexIfAbsent(ActionListener.wrap(bool -> {
                        IndexRequest indexRequest = new IndexRequest(".plugins-ml-model-group");
                        indexRequest.source(mLModelGroup.toXContent(XContentBuilder.builder(XContentType.JSON.xContent()), ToXContent.EMPTY_PARAMS));
                        indexRequest.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE);
                        this.client.index(indexRequest, ActionListener.wrap(indexResponse -> {
                            log.debug("Indexed model group doc successfully {}", name);
                            runBefore.onResponse(indexResponse.getId());
                        }, exc -> {
                            log.error("Failed to index model group doc", exc);
                            runBefore.onFailure(exc);
                        }));
                    }, exc -> {
                        log.error("Failed to init model group index", exc);
                        runBefore.onFailure(exc);
                    }));
                }, exc -> {
                    log.error("Failed to search model group index", exc);
                    runBefore.onFailure(exc);
                }));
                if (stashContext != null) {
                    stashContext.close();
                }
            } catch (Throwable th) {
                if (stashContext != null) {
                    try {
                        stashContext.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Exception e2) {
            log.error("Failed to init model group index", e2);
            actionListener.onFailure(e2);
        }
    }

    private void validateRequestForAccessControl(MLRegisterModelGroupInput mLRegisterModelGroupInput, User user) {
        AccessMode modelAccessMode = mLRegisterModelGroupInput.getModelAccessMode();
        Boolean isAddAllBackendRoles = mLRegisterModelGroupInput.getIsAddAllBackendRoles();
        if (modelAccessMode == null) {
            if (!CollectionUtils.isEmpty(mLRegisterModelGroupInput.getBackendRoles()) && Boolean.TRUE.equals(isAddAllBackendRoles)) {
                throw new IllegalArgumentException("You cannot specify backend roles and add all backend roles at the same time.");
            }
            if (Boolean.TRUE.equals(isAddAllBackendRoles) || !CollectionUtils.isEmpty(mLRegisterModelGroupInput.getBackendRoles())) {
                mLRegisterModelGroupInput.setModelAccessMode(AccessMode.RESTRICTED);
                modelAccessMode = AccessMode.RESTRICTED;
            } else {
                mLRegisterModelGroupInput.setModelAccessMode(AccessMode.PRIVATE);
            }
        }
        if ((AccessMode.PUBLIC == modelAccessMode || AccessMode.PRIVATE == modelAccessMode) && (!CollectionUtils.isEmpty(mLRegisterModelGroupInput.getBackendRoles()) || Boolean.TRUE.equals(isAddAllBackendRoles))) {
            throw new IllegalArgumentException("You can specify backend roles only for a model group with the restricted access mode.");
        }
        if (AccessMode.RESTRICTED == modelAccessMode) {
            if (this.modelAccessControlHelper.isAdmin(user) && Boolean.TRUE.equals(isAddAllBackendRoles)) {
                throw new IllegalArgumentException("Admin users cannot add all backend roles to a model group.");
            }
            if (!this.modelAccessControlHelper.isAdmin(user) && CollectionUtils.isEmpty(user.getBackendRoles())) {
                throw new IllegalArgumentException("You must have at least one backend role to register a restricted model group.");
            }
            if (CollectionUtils.isEmpty(mLRegisterModelGroupInput.getBackendRoles()) && !Boolean.TRUE.equals(isAddAllBackendRoles)) {
                throw new IllegalArgumentException("You must specify one or more backend roles or add all backend roles to register a restricted model group.");
            }
            if (!CollectionUtils.isEmpty(mLRegisterModelGroupInput.getBackendRoles()) && Boolean.TRUE.equals(isAddAllBackendRoles)) {
                throw new IllegalArgumentException("You cannot specify backend roles and add all backend roles at the same time.");
            }
            if (!this.modelAccessControlHelper.isAdmin(user) && !Boolean.TRUE.equals(isAddAllBackendRoles) && !new HashSet(user.getBackendRoles()).containsAll(mLRegisterModelGroupInput.getBackendRoles())) {
                throw new IllegalArgumentException("You don't have the backend roles specified.");
            }
        }
    }

    public void validateUniqueModelGroupName(String str, ActionListener<SearchResponse> actionListener) throws IllegalArgumentException {
        try {
            ThreadContext.StoredContext stashContext = this.client.threadPool().getThreadContext().stashContext();
            try {
                BoolQueryBuilder boolQueryBuilder = new BoolQueryBuilder();
                boolQueryBuilder.filter(new TermQueryBuilder("name.keyword", str));
                this.client.search(new SearchRequest(new String[]{".plugins-ml-model-group"}).source(new SearchSourceBuilder().query(boolQueryBuilder)), ActionListener.runBefore(ActionListener.wrap(searchResponse -> {
                    actionListener.onResponse(searchResponse);
                }, exc -> {
                    if (exc instanceof IndexNotFoundException) {
                        actionListener.onResponse((Object) null);
                    } else {
                        log.error("Failed to search model group index", exc);
                        actionListener.onFailure(exc);
                    }
                }), () -> {
                    stashContext.restore();
                }));
                if (stashContext != null) {
                    stashContext.close();
                }
            } finally {
            }
        } catch (Exception e) {
            log.error("Failed to search model group index", e);
            actionListener.onFailure(e);
        }
    }

    private void validateSecurityDisabledOrModelAccessControlDisabled(MLRegisterModelGroupInput mLRegisterModelGroupInput) {
        if (mLRegisterModelGroupInput.getModelAccessMode() != null || mLRegisterModelGroupInput.getIsAddAllBackendRoles() != null || !CollectionUtils.isEmpty(mLRegisterModelGroupInput.getBackendRoles())) {
            throw new IllegalArgumentException("You cannot specify model access control parameters because the Security plugin or model access control is disabled on your cluster.");
        }
    }
}
