package org.opensearch.ml.helper;

import java.util.Objects;
import lombok.Generated;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.join.ScoreMode;
import org.opensearch.OpenSearchStatusException;
import org.opensearch.action.get.GetRequest;
import org.opensearch.client.Client;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.commons.authuser.User;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.common.util.CollectionUtils;
import org.opensearch.core.rest.RestStatus;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.core.xcontent.XContentParser;
import org.opensearch.core.xcontent.XContentParserUtils;
import org.opensearch.index.query.BoolQueryBuilder;
import org.opensearch.index.query.NestedQueryBuilder;
import org.opensearch.index.query.QueryBuilders;
import org.opensearch.ml.common.AccessMode;
import org.opensearch.ml.common.connector.Connector;
import org.opensearch.ml.settings.MLCommonsSettings;
import org.opensearch.ml.utils.MLNodeUtils;
import org.opensearch.ml.utils.RestActionUtils;
import org.opensearch.search.builder.SearchSourceBuilder;

/* loaded from: input_file:org/opensearch/ml/helper/ConnectorAccessControlHelper.class */
public class ConnectorAccessControlHelper {

    @Generated
    private static final Logger log = LogManager.getLogger(ConnectorAccessControlHelper.class);
    private volatile Boolean connectorAccessControlEnabled;

    public ConnectorAccessControlHelper(ClusterService clusterService, Settings settings) {
        this.connectorAccessControlEnabled = (Boolean) MLCommonsSettings.ML_COMMONS_CONNECTOR_ACCESS_CONTROL_ENABLED.get(settings);
        clusterService.getClusterSettings().addSettingsUpdateConsumer(MLCommonsSettings.ML_COMMONS_CONNECTOR_ACCESS_CONTROL_ENABLED, bool -> {
            this.connectorAccessControlEnabled = bool;
        });
    }

    public boolean hasPermission(User user, Connector connector) {
        return accessControlNotEnabled(user) || isAdmin(user) || previouslyPublicConnector(connector) || isPublicConnector(connector) || (isPrivateConnector(connector) && isOwner(user, connector.getOwner())) || (isRestrictedConnector(connector) && isUserHasBackendRole(user, connector));
    }

    public void validateConnectorAccess(Client client, String str, ActionListener<Boolean> actionListener) {
        User userContext = RestActionUtils.getUserContext(client);
        if (isAdmin(userContext) || accessControlNotEnabled(userContext)) {
            actionListener.onResponse(true);
            return;
        }
        try {
            ThreadContext.StoredContext stashContext = client.threadPool().getThreadContext().stashContext();
            try {
                Objects.requireNonNull(stashContext);
                ActionListener runBefore = ActionListener.runBefore(actionListener, stashContext::restore);
                getConnector(client, str, ActionListener.wrap(connector -> {
                    runBefore.onResponse(Boolean.valueOf(hasPermission(userContext, connector)));
                }, exc -> {
                    runBefore.onFailure(exc);
                }));
                if (stashContext != null) {
                    stashContext.close();
                }
            } finally {
            }
        } catch (Exception e) {
            log.error("Failed to validate Access for connector:" + str, e);
            actionListener.onFailure(e);
        }
    }

    public boolean validateConnectorAccess(Client client, Connector connector) {
        User userContext = RestActionUtils.getUserContext(client);
        if (isAdmin(userContext) || accessControlNotEnabled(userContext)) {
            return true;
        }
        return hasPermission(userContext, connector);
    }

    public void getConnector(Client client, String str, ActionListener<Connector> actionListener) {
        client.get(new GetRequest().index(".plugins-ml-connector").id(str), ActionListener.wrap(getResponse -> {
            if (getResponse == null || !getResponse.isExists()) {
                actionListener.onFailure(new OpenSearchStatusException("Failed to find connector:" + str, RestStatus.NOT_FOUND, new Object[0]));
                return;
            }
            try {
                XContentParser createXContentParserFromRegistry = MLNodeUtils.createXContentParserFromRegistry(NamedXContentRegistry.EMPTY, getResponse.getSourceAsBytesRef());
                try {
                    XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_OBJECT, createXContentParserFromRegistry.nextToken(), createXContentParserFromRegistry);
                    actionListener.onResponse(Connector.createConnector(createXContentParserFromRegistry));
                    if (createXContentParserFromRegistry != null) {
                        createXContentParserFromRegistry.close();
                    }
                } finally {
                }
            } catch (Exception e) {
                log.error("Failed to parse connector:" + str);
                actionListener.onFailure(e);
            }
        }, exc -> {
            log.error("Failed to get connector", exc);
            actionListener.onFailure(new OpenSearchStatusException("Failed to get connector:" + str, RestStatus.NOT_FOUND, new Object[0]));
        }));
    }

    public boolean skipConnectorAccessControl(User user) {
        return user == null || !this.connectorAccessControlEnabled.booleanValue() || isAdmin(user);
    }

    public boolean accessControlNotEnabled(User user) {
        return user == null || !this.connectorAccessControlEnabled.booleanValue();
    }

    public boolean isAdmin(User user) {
        if (user == null || CollectionUtils.isEmpty(user.getRoles())) {
            return false;
        }
        return user.getRoles().contains("all_access");
    }

    private boolean isOwner(User user, User user2) {
        if (user2 == null || user == null) {
            return false;
        }
        return user.getName().equals(user2.getName());
    }

    private boolean isUserHasBackendRole(User user, Connector connector) {
        return AccessMode.RESTRICTED == connector.getAccess() && user.getBackendRoles() != null && connector.getBackendRoles() != null && connector.getBackendRoles().stream().anyMatch(str -> {
            return user.getBackendRoles().contains(str);
        });
    }

    private boolean previouslyPublicConnector(Connector connector) {
        return connector.getOwner() == null;
    }

    private boolean isPublicConnector(Connector connector) {
        return AccessMode.PUBLIC == connector.getAccess();
    }

    private boolean isPrivateConnector(Connector connector) {
        return AccessMode.PRIVATE == connector.getAccess();
    }

    private boolean isRestrictedConnector(Connector connector) {
        return AccessMode.RESTRICTED == connector.getAccess();
    }

    public SearchSourceBuilder addUserBackendRolesFilter(User user, SearchSourceBuilder searchSourceBuilder) {
        BoolQueryBuilder boolQueryBuilder = new BoolQueryBuilder();
        boolQueryBuilder.should(QueryBuilders.termQuery("access", AccessMode.PUBLIC.getValue()));
        boolQueryBuilder.should(QueryBuilders.termsQuery("backend_roles.keyword", user.getBackendRoles()));
        BoolQueryBuilder boolQueryBuilder2 = new BoolQueryBuilder();
        boolQueryBuilder2.must(new NestedQueryBuilder("owner", QueryBuilders.termQuery("owner.name.keyword", user.getName()), ScoreMode.None));
        boolQueryBuilder2.must(QueryBuilders.termQuery("access", AccessMode.PRIVATE.getValue()));
        boolQueryBuilder.should(boolQueryBuilder2);
        BoolQueryBuilder query = searchSourceBuilder.query();
        if (query == null) {
            searchSourceBuilder.query(boolQueryBuilder);
        } else if (query instanceof BoolQueryBuilder) {
            query.filter(boolQueryBuilder);
        } else {
            BoolQueryBuilder boolQueryBuilder3 = new BoolQueryBuilder();
            boolQueryBuilder3.must(query);
            boolQueryBuilder3.filter(boolQueryBuilder);
            searchSourceBuilder.query(boolQueryBuilder3);
        }
        return searchSourceBuilder;
    }
}
