package org.opensearch.ml.action.connector;

import java.time.Instant;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import lombok.Generated;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.action.ActionRequest;
import org.opensearch.action.index.IndexRequest;
import org.opensearch.action.support.ActionFilters;
import org.opensearch.action.support.HandledTransportAction;
import org.opensearch.action.support.WriteRequest;
import org.opensearch.client.Client;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.CheckedConsumer;
import org.opensearch.common.inject.Inject;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.common.xcontent.XContentFactory;
import org.opensearch.common.xcontent.XContentType;
import org.opensearch.commons.authuser.User;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.common.util.CollectionUtils;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.core.xcontent.XContentBuilder;
import org.opensearch.ml.common.AccessMode;
import org.opensearch.ml.common.connector.Connector;
import org.opensearch.ml.common.transport.connector.MLCreateConnectorInput;
import org.opensearch.ml.common.transport.connector.MLCreateConnectorRequest;
import org.opensearch.ml.common.transport.connector.MLCreateConnectorResponse;
import org.opensearch.ml.engine.MLEngine;
import org.opensearch.ml.engine.exceptions.MetaDataException;
import org.opensearch.ml.engine.indices.MLIndicesHandler;
import org.opensearch.ml.helper.ConnectorAccessControlHelper;
import org.opensearch.ml.model.MLModelManager;
import org.opensearch.ml.settings.MLCommonsSettings;
import org.opensearch.ml.utils.RestActionUtils;
import org.opensearch.tasks.Task;
import org.opensearch.transport.TransportService;

/* loaded from: input_file:org/opensearch/ml/action/connector/TransportCreateConnectorAction.class */
public class TransportCreateConnectorAction extends HandledTransportAction<ActionRequest, MLCreateConnectorResponse> {

    @Generated
    private static final Logger log = LogManager.getLogger(TransportCreateConnectorAction.class);
    private final MLIndicesHandler mlIndicesHandler;
    private final Client client;
    private final MLEngine mlEngine;
    private final MLModelManager mlModelManager;
    private final ConnectorAccessControlHelper connectorAccessControlHelper;
    private volatile List<String> trustedConnectorEndpointsRegex;

    @Inject
    public TransportCreateConnectorAction(TransportService transportService, ActionFilters actionFilters, MLIndicesHandler mLIndicesHandler, Client client, MLEngine mLEngine, ConnectorAccessControlHelper connectorAccessControlHelper, Settings settings, ClusterService clusterService, MLModelManager mLModelManager) {
        super("cluster:admin/opensearch/ml/create_connector", transportService, actionFilters, MLCreateConnectorRequest::new);
        this.mlIndicesHandler = mLIndicesHandler;
        this.client = client;
        this.mlEngine = mLEngine;
        this.connectorAccessControlHelper = connectorAccessControlHelper;
        this.mlModelManager = mLModelManager;
        this.trustedConnectorEndpointsRegex = (List) MLCommonsSettings.ML_COMMONS_TRUSTED_CONNECTOR_ENDPOINTS_REGEX.get(settings);
        clusterService.getClusterSettings().addSettingsUpdateConsumer(MLCommonsSettings.ML_COMMONS_TRUSTED_CONNECTOR_ENDPOINTS_REGEX, list -> {
            this.trustedConnectorEndpointsRegex = list;
        });
    }

    protected void doExecute(Task task, ActionRequest actionRequest, ActionListener<MLCreateConnectorResponse> actionListener) {
        MLCreateConnectorInput mlCreateConnectorInput = MLCreateConnectorRequest.fromActionRequest(actionRequest).getMlCreateConnectorInput();
        if (mlCreateConnectorInput.isDryRun()) {
            actionListener.onResponse(new MLCreateConnectorResponse("dryRunConnector"));
            return;
        }
        String name = mlCreateConnectorInput.getName();
        try {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            mlCreateConnectorInput.toXContent(jsonBuilder, ToXContent.EMPTY_PARAMS);
            Connector createConnector = Connector.createConnector(jsonBuilder, mlCreateConnectorInput.getProtocol());
            createConnector.validateConnectorURL(this.trustedConnectorEndpointsRegex);
            User userContext = RestActionUtils.getUserContext(this.client);
            if (this.connectorAccessControlHelper.accessControlNotEnabled(userContext)) {
                validateSecurityDisabledOrConnectorAccessControlDisabled(mlCreateConnectorInput);
                indexConnector(createConnector, actionListener);
            } else {
                validateRequest4AccessControl(mlCreateConnectorInput, userContext);
                if (Boolean.TRUE.equals(mlCreateConnectorInput.getAddAllBackendRoles())) {
                    mlCreateConnectorInput.setBackendRoles(userContext.getBackendRoles());
                }
                createConnector.setBackendRoles(mlCreateConnectorInput.getBackendRoles());
                createConnector.setOwner(userContext);
                createConnector.setAccess(mlCreateConnectorInput.getAccess());
                indexConnector(createConnector, actionListener);
            }
        } catch (Exception e) {
            log.error("Failed to create connector " + name, e);
            actionListener.onFailure(e);
        } catch (MetaDataException e2) {
            log.error("The masterKey for credential encryption is missing in connector creation");
            actionListener.onFailure(e2);
        }
    }

    private void indexConnector(Connector connector, ActionListener<MLCreateConnectorResponse> actionListener) {
        MLEngine mLEngine = this.mlEngine;
        Objects.requireNonNull(mLEngine);
        connector.encrypt(mLEngine::encrypt);
        log.info("connector created, indexing into the connector system index");
        this.mlIndicesHandler.initMLConnectorIndex(ActionListener.wrap(bool -> {
            if (!bool.booleanValue()) {
                actionListener.onFailure(new RuntimeException("No response to create ML Connector index"));
                return;
            }
            try {
                ThreadContext.StoredContext stashContext = this.client.threadPool().getThreadContext().stashContext();
                try {
                    CheckedConsumer checkedConsumer = indexResponse -> {
                        log.info("Connector saved into index, result:{}, connector id: {}", indexResponse.getResult(), indexResponse.getId());
                        actionListener.onResponse(new MLCreateConnectorResponse(indexResponse.getId()));
                    };
                    Objects.requireNonNull(actionListener);
                    ActionListener wrap = ActionListener.wrap(checkedConsumer, actionListener::onFailure);
                    Instant now = Instant.now();
                    connector.setCreatedTime(now);
                    connector.setLastUpdateTime(now);
                    IndexRequest indexRequest = new IndexRequest(".plugins-ml-connector");
                    indexRequest.source(connector.toXContent(XContentBuilder.builder(XContentType.JSON.xContent()), ToXContent.EMPTY_PARAMS));
                    indexRequest.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE);
                    Client client = this.client;
                    Objects.requireNonNull(stashContext);
                    client.index(indexRequest, ActionListener.runBefore(wrap, stashContext::restore));
                    if (stashContext != null) {
                        stashContext.close();
                    }
                } finally {
                }
            } catch (Exception e) {
                log.error("Failed to save ML connector", e);
                actionListener.onFailure(e);
            }
        }, exc -> {
            log.error("Failed to init ML connector index", exc);
            actionListener.onFailure(exc);
        }));
    }

    private void validateRequest4AccessControl(MLCreateConnectorInput mLCreateConnectorInput, User user) {
        Boolean addAllBackendRoles = mLCreateConnectorInput.getAddAllBackendRoles();
        if (this.connectorAccessControlHelper.isAdmin(user) && Boolean.TRUE.equals(addAllBackendRoles)) {
            throw new IllegalArgumentException("Admin can't add all backend roles");
        }
        AccessMode access = mLCreateConnectorInput.getAccess();
        if (access == null) {
            if (!CollectionUtils.isEmpty(mLCreateConnectorInput.getBackendRoles()) || Boolean.TRUE.equals(addAllBackendRoles)) {
                mLCreateConnectorInput.setAccess(AccessMode.RESTRICTED);
                access = AccessMode.RESTRICTED;
            } else {
                mLCreateConnectorInput.setAccess(AccessMode.PRIVATE);
                access = AccessMode.PRIVATE;
            }
        }
        if ((AccessMode.PUBLIC == access || AccessMode.PRIVATE == access) && (!CollectionUtils.isEmpty(mLCreateConnectorInput.getBackendRoles()) || Boolean.TRUE.equals(addAllBackendRoles))) {
            throw new IllegalArgumentException("You can specify backend roles only for a connector with the restricted access mode.");
        }
        if (AccessMode.RESTRICTED == access) {
            if (Boolean.TRUE.equals(addAllBackendRoles)) {
                if (!CollectionUtils.isEmpty(mLCreateConnectorInput.getBackendRoles())) {
                    throw new IllegalArgumentException("You can't specify backend roles and add all backend roles to true at same time.");
                }
                if (CollectionUtils.isEmpty(user.getBackendRoles())) {
                    throw new IllegalArgumentException("You must have at least one backend role to create a connector.");
                }
                return;
            }
            if (CollectionUtils.isEmpty(mLCreateConnectorInput.getBackendRoles())) {
                throw new IllegalArgumentException("You must specify at least one backend role or make the connector public/private for registering it.");
            }
            if (!this.connectorAccessControlHelper.isAdmin(user) && !new HashSet(user.getBackendRoles()).containsAll(mLCreateConnectorInput.getBackendRoles())) {
                throw new IllegalArgumentException("You don't have the backend roles specified.");
            }
        }
    }

    private void validateSecurityDisabledOrConnectorAccessControlDisabled(MLCreateConnectorInput mLCreateConnectorInput) {
        if (mLCreateConnectorInput.getAccess() != null || mLCreateConnectorInput.getAddAllBackendRoles() != null || !CollectionUtils.isEmpty(mLCreateConnectorInput.getBackendRoles())) {
            throw new IllegalArgumentException("You cannot specify connector access control parameters because the Security plugin or connector access control is disabled on your cluster.");
        }
    }
}
