package org.opensearch.ml.helper;

import com.google.common.collect.ImmutableList;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import lombok.Generated;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.join.ScoreMode;
import org.opensearch.action.get.GetRequest;
import org.opensearch.client.Client;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.commons.authuser.User;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.common.util.CollectionUtils;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.core.xcontent.XContentParser;
import org.opensearch.core.xcontent.XContentParserUtils;
import org.opensearch.index.IndexNotFoundException;
import org.opensearch.index.query.BoolQueryBuilder;
import org.opensearch.index.query.ExistsQueryBuilder;
import org.opensearch.index.query.IdsQueryBuilder;
import org.opensearch.index.query.MatchAllQueryBuilder;
import org.opensearch.index.query.MatchPhraseQueryBuilder;
import org.opensearch.index.query.MatchQueryBuilder;
import org.opensearch.index.query.NestedQueryBuilder;
import org.opensearch.index.query.QueryBuilder;
import org.opensearch.index.query.QueryBuilders;
import org.opensearch.index.query.RangeQueryBuilder;
import org.opensearch.index.query.TermQueryBuilder;
import org.opensearch.index.query.TermsQueryBuilder;
import org.opensearch.ml.common.AccessMode;
import org.opensearch.ml.common.MLModelGroup;
import org.opensearch.ml.common.exception.MLResourceNotFoundException;
import org.opensearch.ml.common.exception.MLValidationException;
import org.opensearch.ml.settings.MLCommonsSettings;
import org.opensearch.ml.utils.MLNodeUtils;
import org.opensearch.search.builder.SearchSourceBuilder;

/* loaded from: input_file:org/opensearch/ml/helper/ModelAccessControlHelper.class */
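/**
 * Authorization helper for ML model groups.
 *
 * <p>Decides whether a {@link User} may act on a model group stored in the
 * {@code .plugins-ml-model-group} index, and builds the search filter that limits
 * model-group searches to the groups a user may see.
 *
 * <p>Points a reviewer should keep in mind when reading the callers:
 * <ul>
 *   <li>A {@code null} user is treated as "no security context": every check in this class
 *       then allows the operation.</li>
 *   <li>Administrator status is decided solely by membership in the role literally named
 *       {@code all_access}.</li>
 *   <li>Ownership is decided solely by comparing user names.</li>
 * </ul>
 */
public class ModelAccessControlHelper {
    // Live value of the model-access-control cluster setting; volatile because the
    // settings-update consumer registered in the constructor rewrites it.
    private volatile Boolean modelAccessControlEnabled;

    @Generated
    private static final Logger log = LogManager.getLogger(ModelAccessControlHelper.class);
    // Query builder types listed as supported; not referenced by any method in this class.
    private static final List<Class<?>> SUPPORTED_QUERY_TYPES = ImmutableList.of(IdsQueryBuilder.class, MatchQueryBuilder.class, MatchAllQueryBuilder.class, MatchPhraseQueryBuilder.class, TermQueryBuilder.class, TermsQueryBuilder.class, ExistsQueryBuilder.class, RangeQueryBuilder.class);

    /**
     * Reads the initial value of the model-access-control setting and subscribes to updates.
     *
     * @param clusterService source of the cluster settings used to register the update consumer
     * @param settings node settings holding the initial value of the flag
     */
    public ModelAccessControlHelper(ClusterService clusterService, Settings settings) {
        this.modelAccessControlEnabled = MLCommonsSettings.ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED.get(settings);
        clusterService.getClusterSettings().addSettingsUpdateConsumer(
            MLCommonsSettings.ML_COMMONS_MODEL_ACCESS_CONTROL_ENABLED,
            enabled -> this.modelAccessControlEnabled = enabled
        );
    }

    /**
     * Asynchronously decides whether {@code user} may access the model group with id {@code str}.
     *
     * <p>The check is skipped, and {@code true} reported, when the id is {@code null}, the user
     * is an administrator, the user is {@code null}, or model access control is disabled.
     * Otherwise the group document is fetched and evaluated by access mode:
     * a group without an owner and a PUBLIC group are open to everyone, a RESTRICTED group
     * requires at least one backend role shared between user and group, and a PRIVATE group
     * requires the user to be the owner.
     *
     * <p>The lookup runs after the thread context has been stashed, so the document read is not
     * evaluated against the calling user's own context (NOTE(review): presumably so the plugin
     * can read its system index; confirm). The decision therefore rests entirely on the checks
     * in this method.
     *
     * @param user the calling user; {@code null} when no security context is available
     * @param str id of the model group to check; {@code null} skips the check
     * @param client client used to fetch the model group document
     * @param actionListener receives {@code true}/{@code false} for allow/deny, or a failure
     *     ({@link MLResourceNotFoundException} when the group or its index does not exist,
     *     {@link MLValidationException} when the lookup fails for another reason)
     */
    public void validateModelGroupAccess(User user, String str, Client client, ActionListener<Boolean> actionListener) {
        if (str == null || isAdmin(user) || !isSecurityEnabledAndModelAccessControlEnabled(user)) {
            actionListener.onResponse(true);
            return;
        }
        List<String> userBackendRoles = user.getBackendRoles();
        GetRequest getModelGroupRequest = new GetRequest(".plugins-ml-model-group").id(str);
        // The stored context is closed as soon as the request has been dispatched; the wrapped
        // listener additionally restores it before the caller's listener is invoked.
        try (ThreadContext.StoredContext stashContext = client.threadPool().getThreadContext().stashContext()) {
            ActionListener<Boolean> wrappedListener = ActionListener.runBefore(actionListener, () -> stashContext.restore());
            client.get(getModelGroupRequest, ActionListener.wrap(getResponse -> {
                if (getResponse == null || !getResponse.isExists()) {
                    wrappedListener.onFailure(new MLResourceNotFoundException("Fail to find model group"));
                    return;
                }
                try (
                    XContentParser parser = MLNodeUtils
                        .createXContentParserFromRegistry(NamedXContentRegistry.EMPTY, getResponse.getSourceAsBytesRef())
                ) {
                    XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_OBJECT, parser.nextToken(), parser);
                    MLModelGroup modelGroup = MLModelGroup.parse(parser);
                    AccessMode accessMode = AccessMode.from(modelGroup.getAccess());
                    if (modelGroup.getOwner() == null) {
                        // A group with no recorded owner is open to every user.
                        wrappedListener.onResponse(true);
                    } else if (AccessMode.RESTRICTED == accessMode) {
                        List<String> groupBackendRoles = modelGroup.getBackendRoles();
                        if (groupBackendRoles == null || groupBackendRoles.isEmpty()) {
                            throw new IllegalStateException("Backend roles shouldn't be null");
                        }
                        // A user without backend roles is treated as having none, i.e. denied.
                        boolean sharesRole = Optional
                            .ofNullable(userBackendRoles)
                            .orElse(ImmutableList.of())
                            .stream()
                            .anyMatch(groupBackendRoles::contains);
                        wrappedListener.onResponse(sharesRole);
                    } else if (AccessMode.PUBLIC == accessMode) {
                        wrappedListener.onResponse(true);
                    } else if (AccessMode.PRIVATE == accessMode) {
                        wrappedListener.onResponse(isOwner(modelGroup.getOwner(), user));
                    } else {
                        // Fail closed: without this branch an unrecognised mode would leave the
                        // listener unanswered. Same message as isOwnerStillHasPermission.
                        throw new IllegalStateException("Access shouldn't be null");
                    }
                } catch (Exception e) {
                    log.error("Failed to parse ml model group", e);
                    wrappedListener.onFailure(e);
                }
            }, exc -> {
                if (exc instanceof IndexNotFoundException) {
                    wrappedListener.onFailure(new MLResourceNotFoundException("Fail to find model group"));
                } else {
                    // The cause is logged here but not passed on to the caller.
                    log.error("Fail to get model group", exc);
                    wrappedListener.onFailure(new MLValidationException("Fail to get model group"));
                }
            }));
        } catch (Exception e) {
            log.error("Failed to validate Access", e);
            actionListener.onFailure(e);
        }
    }

    /**
     * Tells whether access control should be bypassed for {@code user}.
     *
     * @param user the calling user, may be {@code null}
     * @return {@code true} when the user is {@code null}, the feature is disabled, or the user is
     *     an administrator
     */
    public boolean skipModelAccessControl(User user) {
        return user == null || !this.modelAccessControlEnabled.booleanValue() || isAdmin(user);
    }

    /**
     * Tells whether access checks apply to {@code user}.
     *
     * @param user the calling user, may be {@code null}
     * @return {@code true} only when a user is present and the feature flag is on
     */
    public boolean isSecurityEnabledAndModelAccessControlEnabled(User user) {
        return user != null && this.modelAccessControlEnabled.booleanValue();
    }

    /**
     * Tells whether {@code user} holds the {@code all_access} role.
     *
     * @param user the user to inspect, may be {@code null}
     * @return {@code true} when the user's roles contain {@code all_access}; {@code false} for a
     *     {@code null} user or one without roles
     */
    public boolean isAdmin(User user) {
        if (user == null || CollectionUtils.isEmpty(user.getRoles())) {
            return false;
        }
        return user.getRoles().contains("all_access");
    }

    /**
     * Tells whether two user objects denote the same user, comparing names only.
     *
     * <p>The comparison is symmetric, so callers may pass owner and caller in either order.
     * NOTE(review): only the name is compared; whether names are unique across every identity
     * source in the deployment is not visible from this class.
     *
     * @param user one user, may be {@code null}
     * @param user2 the other user, may be {@code null}
     * @return {@code true} when both are non-null and their names are equal
     */
    public boolean isOwner(User user, User user2) {
        if (user2 == null || user == null) {
            return false;
        }
        return user.getName().equals(user2.getName());
    }

    /**
     * Tells whether {@code user} qualifies for {@code mLModelGroup} by backend role.
     *
     * @param user the user to check; a {@code null} user is denied unless the group is PUBLIC
     * @param mLModelGroup the model group whose access mode and backend roles are evaluated
     * @return {@code true} for a PUBLIC group, {@code false} for a PRIVATE group, otherwise
     *     whether the user and the group share at least one backend role
     */
    public boolean isUserHasBackendRole(User user, MLModelGroup mLModelGroup) {
        AccessMode accessMode = AccessMode.from(mLModelGroup.getAccess());
        if (AccessMode.PUBLIC == accessMode) {
            return true;
        }
        if (AccessMode.PRIVATE == accessMode || user == null) {
            return false;
        }
        List<String> userBackendRoles = user.getBackendRoles();
        List<String> groupBackendRoles = mLModelGroup.getBackendRoles();
        if (userBackendRoles == null || groupBackendRoles == null) {
            return false;
        }
        return groupBackendRoles.stream().anyMatch(userBackendRoles::contains);
    }

    /**
     * Tells whether {@code user} would still have access to {@code mLModelGroup} under the
     * group's access settings.
     *
     * @param user the user to check; {@code null} yields {@code true} because no check applies
     * @param mLModelGroup the model group carrying the access mode, owner and backend roles
     * @return {@code true} when checks do not apply or the group is PUBLIC; for PRIVATE whether
     *     the user is the owner; for RESTRICTED whether user and group share a backend role
     * @throws IllegalStateException when the access mode is none of the three known modes, or
     *     when a RESTRICTED group has no backend roles
     */
    public boolean isOwnerStillHasPermission(User user, MLModelGroup mLModelGroup) {
        if (!isSecurityEnabledAndModelAccessControlEnabled(user)) {
            return true;
        }
        AccessMode accessMode = AccessMode.from(mLModelGroup.getAccess());
        if (AccessMode.PUBLIC == accessMode) {
            return true;
        }
        if (AccessMode.PRIVATE == accessMode) {
            return isOwner(user, mLModelGroup.getOwner());
        }
        if (AccessMode.RESTRICTED != accessMode) {
            throw new IllegalStateException("Access shouldn't be null");
        }
        if (CollectionUtils.isEmpty(mLModelGroup.getBackendRoles())) {
            throw new IllegalStateException("Backend roles should not be null");
        }
        List<String> userBackendRoles = user.getBackendRoles();
        return userBackendRoles != null
            && new HashSet<String>(mLModelGroup.getBackendRoles()).stream().anyMatch(userBackendRoles::contains);
    }

    /**
     * Returns the current value of the model-access-control setting.
     *
     * @return {@code true} when model access control is enabled
     */
    public boolean isModelAccessControlEnabled() {
        return this.modelAccessControlEnabled.booleanValue();
    }

    /**
     * Restricts {@code searchSourceBuilder} to the model groups {@code user} may see.
     *
     * <p>The added condition matches a group when it is PUBLIC, or lists one of the user's
     * backend roles, or is PRIVATE and owned by the user. An existing bool query gets the
     * condition appended as a filter (the caller's query object is modified in place); any
     * other existing query is wrapped in a new bool query together with the filter.
     *
     * @param user the calling user; must not be {@code null}, callers are expected to have
     *     ruled that out beforehand
     * @param searchSourceBuilder the search to restrict; modified and returned
     * @return the same {@code searchSourceBuilder} instance
     */
    public SearchSourceBuilder addUserBackendRolesFilter(User user, SearchSourceBuilder searchSourceBuilder) {
        BoolQueryBuilder accessFilter = new BoolQueryBuilder();
        accessFilter.should(QueryBuilders.termQuery("access", AccessMode.PUBLIC.getValue()));
        // A user without backend roles simply gets no role clause, matching how
        // validateModelGroupAccess treats a null role list as empty.
        List<String> userBackendRoles = user.getBackendRoles();
        if (userBackendRoles != null) {
            accessFilter.should(QueryBuilders.termsQuery("backend_roles.keyword", userBackendRoles));
        }

        BoolQueryBuilder ownedPrivateGroups = new BoolQueryBuilder();
        ownedPrivateGroups.must(new NestedQueryBuilder("owner", QueryBuilders.termQuery("owner.name.keyword", user.getName()), ScoreMode.None));
        ownedPrivateGroups.must(QueryBuilders.termQuery("access", AccessMode.PRIVATE.getValue()));
        accessFilter.should(ownedPrivateGroups);

        QueryBuilder existingQuery = searchSourceBuilder.query();
        if (existingQuery == null) {
            searchSourceBuilder.query(accessFilter);
        } else if (existingQuery instanceof BoolQueryBuilder) {
            ((BoolQueryBuilder) existingQuery).filter(accessFilter);
        } else {
            BoolQueryBuilder wrappedQuery = new BoolQueryBuilder();
            wrappedQuery.must(existingQuery);
            wrappedQuery.filter(accessFilter);
            searchSourceBuilder.query(wrappedQuery);
        }
        return searchSourceBuilder;
    }

    /**
     * Creates a new search that contains only the access filter for {@code user}.
     *
     * @param user the calling user; must not be {@code null}
     * @return a fresh {@link SearchSourceBuilder} restricted to the groups the user may see
     */
    public SearchSourceBuilder createSearchSourceBuilder(User user) {
        return addUserBackendRolesFilter(user, new SearchSourceBuilder());
    }
}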
