package io.hops.hopsworks.common.dataset.acl;

import io.hops.hopsworks.common.constants.auth.AllowedRoles;
import io.hops.hopsworks.common.dao.dataset.DatasetFacade;
import io.hops.hopsworks.common.dao.dataset.DatasetSharedWithFacade;
import io.hops.hopsworks.common.dao.hdfsUser.HdfsGroupsFacade;
import io.hops.hopsworks.common.dao.project.ProjectFacade;
import io.hops.hopsworks.common.hdfs.DistributedFileSystemOps;
import io.hops.hopsworks.common.hdfs.DistributedFsService;
import io.hops.hopsworks.common.hdfs.FsPermissions;
import io.hops.hopsworks.common.hdfs.HdfsUsersController;
import io.hops.hopsworks.common.hdfs.inode.InodeController;
import io.hops.hopsworks.common.serving.inference.logger.KafkaInferenceLogger;
import io.hops.hopsworks.common.util.Settings;
import io.hops.hopsworks.persistence.entity.dataset.Dataset;
import io.hops.hopsworks.persistence.entity.dataset.DatasetAccessPermission;
import io.hops.hopsworks.persistence.entity.dataset.DatasetSharedWith;
import io.hops.hopsworks.persistence.entity.hdfs.user.HdfsGroups;
import io.hops.hopsworks.persistence.entity.hdfs.user.HdfsUsers;
import io.hops.hopsworks.persistence.entity.project.Project;
import io.hops.hopsworks.persistence.entity.project.team.ProjectRoleTypes;
import io.hops.hopsworks.persistence.entity.project.team.ProjectTeam;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.AccessTimeout;
import javax.ejb.Asynchronous;
import javax.ejb.EJB;
import javax.ejb.Schedule;
import javax.ejb.Singleton;
import javax.ejb.Timer;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;

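/**
 * Reconciles HDFS permissions and dataset group membership with the project and dataset metadata.
 *
 * <p>For every dataset of every project that is not under removal, the cleaner checks the
 * permission bits of the dataset inode, places each team member in the dataset group or in the
 * ACL group according to the dataset's {@link DatasetAccessPermission}, and removes group
 * members that belong to none of the teams the dataset is visible to. Every correction is logged
 * at {@code WARNING} with a "Found and fixed ..." message, so these log lines are the audit trail
 * of permission drift.
 *
 * <p>Reconstructed from decompiled bytecode: the synthetic enum switch-map class and the constant
 * names the decompiler substituted for the switch labels have been replaced by direct enum
 * comparisons.
 */
@Singleton
@AccessTimeout(value = 5, unit = TimeUnit.SECONDS)
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
public class PermissionsCleaner {
    private static final Logger LOGGER = Logger.getLogger(PermissionsCleaner.class.getName());

    /** Time budget of one timer-triggered run; the next run resumes where this one stopped. */
    private static final long MAX_RUN_MILLIS = TimeUnit.MINUTES.toMillis(5);

    /** Accepted inode modes for a public dataset: r-xr-x--- with and without the sticky bit. */
    private static final FsPermission PUBLIC_DS_PERMISSION = FsPermission.createImmutable((short) 0550);
    private static final FsPermission PUBLIC_DS_PERMISSION_STICKY = FsPermission.createImmutable((short) 01550);

    @EJB
    private ProjectFacade projectFacade;

    @EJB
    private DatasetSharedWithFacade datasetSharedWithFacade;

    @EJB
    private DatasetFacade datasetFacade;

    @EJB
    private HdfsUsersController hdfsUsersController;

    @EJB
    private HdfsGroupsFacade hdfsGroupsFacade;

    @EJB
    private DistributedFsService dfsService;

    @EJB
    private InodeController inodeController;

    // Index (in creation order) of the project the next timer run starts with. Kept in memory
    // only, so a restart begins again at the first project.
    private int counter = 0;

    /**
     * Timer entry point: runs every 15 minutes and processes projects for at most
     * {@link #MAX_RUN_MILLIS}, continuing from the position the previous run reached.
     *
     * @param timer the EJB timer that fired (unused)
     */
    // NOTE(review): the hour expression is the constant name the decompiler emitted; it is
    // presumably the "every hour" wildcard literal of the original source - confirm.
    @Schedule(persistent = false, minute = "*/15", hour = Settings.KAFKA_ACL_WILDCARD)
    public void fixPermissions(Timer timer) {
        this.counter = fixPermissions(this.counter, System.currentTimeMillis());
        LOGGER.log(Level.INFO, "Fix permissions triggered by timer counter={0}", this.counter);
    }

    /** Manual entry point: processes all projects from the first one, with no time budget. */
    @Asynchronous
    public void fixPermissions() {
        fixPermissions(0, 0L);
        LOGGER.log(Level.INFO, "Manual fix permissions triggered.");
    }

    /**
     * Processes projects in creation order, starting at {@code startIndex}.
     *
     * @param startIndex index of the first project to process
     * @param startedAtMillis start time of the run, or {@code 0} to run without a time budget
     * @return the index the next run should start at; {@code 0} once the end of the list is reached
     */
    private int fixPermissions(int startIndex, long startedAtMillis) {
        List<Project> projects = this.projectFacade.findAllOrderByCreated();
        int next = startIndex;
        while (next < projects.size()) {
            fixPermissions(projects.get(next));
            // Advance past the project just handled. Returning the index of the last handled
            // project instead would never reach the list size, so the wrap-around below would
            // not trigger and, after the first full pass, only the newest project would be
            // re-verified.
            next++;
            if (startedAtMillis > 0 && System.currentTimeMillis() - startedAtMillis > MAX_RUN_MILLIS) {
                break;
            }
        }
        return next >= projects.size() ? 0 : next;
    }

    /**
     * Reconciles all datasets of one project. Projects under removal are skipped; a failure is
     * logged and does not propagate, so one broken project cannot stop the whole run.
     *
     * @param project the project to reconcile
     */
    public void fixPermissions(Project project) {
        if (isUnderRemoval(project)) {
            return;
        }
        try {
            fixProject(project);
        } catch (Exception e) {
            // toString() rather than getMessage(): an exception without a message (for example
            // a NullPointerException) would otherwise be logged as "Error: null".
            LOGGER.log(Level.WARNING, "Failed to fix dataset permissions for project {0}. Error: {1}", new Object[]{project.getName(), e.toString()});
        }
    }

    /** Reconciles every dataset owned by {@code project}; stops at the first I/O failure. */
    private void fixProject(Project project) throws IOException {
        for (Dataset dataset : this.datasetFacade.findByProject(project)) {
            fixDataset(dataset);
        }
    }

    /**
     * Resolves the two HDFS groups of a dataset and reconciles the dataset against them. If
     * either group cannot be resolved, the dataset is skipped with a warning.
     */
    private void fixDataset(Dataset dataset) throws IOException {
        String datasetGroupName = this.hdfsUsersController.getHdfsGroupName(dataset.getProject(), dataset);
        String aclGroupName = this.hdfsUsersController.getHdfsAclGroupName(dataset.getProject(), dataset);
        DistributedFileSystemOps dfso = null;
        try {
            dfso = this.dfsService.getDfsOps();
            HdfsGroups datasetGroup = getOrCreateGroup(datasetGroupName, dfso);
            HdfsGroups aclGroup = getOrCreateGroup(aclGroupName, dfso);
            if (datasetGroup == null || aclGroup == null) {
                // Log the names that were looked up: the group objects may be null here, so
                // they must not be dereferenced for the message.
                LOGGER.log(Level.WARNING, "Failed to get groups: {0} or {1}", new Object[]{datasetGroupName, aclGroupName});
                return;
            }
            fixPermission(dataset, datasetGroup, aclGroup, dfso);
        } finally {
            this.dfsService.closeDfsClient(dfso);
        }
    }

    /**
     * Looks up an HDFS group by name, creating it in the file system when the lookup finds none.
     *
     * @return the group, or {@code null} if it still cannot be found after the creation attempt
     */
    private HdfsGroups getOrCreateGroup(String groupName, DistributedFileSystemOps dfso) throws IOException {
        HdfsGroups group = this.hdfsGroupsFacade.findByName(groupName);
        if (group == null) {
            dfso.addGroup(groupName);
            group = this.hdfsGroupsFacade.findByName(groupName);
            if (group != null) {
                // Only report a fix when the second lookup actually finds the group.
                LOGGER.log(Level.WARNING, "Found and fixed a missing group: group={0}", groupName);
            }
        }
        return group;
    }

    /**
     * Reconciles one dataset: forces public datasets to read-only, checks the inode mode, places
     * the members of the owning project and of every project that accepted a share in the
     * matching group, and finally removes group members that are in none of those teams.
     *
     * <p>Both groups must be non-null; {@link #fixDataset} guarantees this.
     */
    private void fixPermission(Dataset dataset, HdfsGroups datasetGroup, HdfsGroups aclGroup, DistributedFileSystemOps dfso) throws IOException {
        if (dataset.isPublicDs() && !DatasetAccessPermission.READ_ONLY.equals(dataset.getPermission())) {
            dataset.setPermission(DatasetAccessPermission.READ_ONLY);
            this.datasetFacade.merge(dataset);
        }
        testFsPermission(dataset, dfso);

        HdfsUsers owner = dataset.getInode().getHdfsUser();
        // Every team member that may legitimately be in one of the two groups.
        List<ProjectTeam> allowedMembers = new ArrayList<>();
        testAndFixPermissionForAllMembers(dataset.getProject(), dfso, datasetGroup, aclGroup, owner, dataset.getPermission());
        allowedMembers.addAll(dataset.getProject().getProjectTeamCollection());

        // NOTE(review): the same two groups are reconciled once per project, in sequence, and
        // the owner exemption is not passed for shared projects. A user who is a member of more
        // than one of these projects therefore ends up with the placement of the last project
        // processed - confirm this is the intended precedence.
        for (DatasetSharedWith share : dataset.getDatasetSharedWithCollection()) {
            if (dataset.isPublicDs() && !DatasetAccessPermission.READ_ONLY.equals(share.getPermission())) {
                share.setPermission(DatasetAccessPermission.READ_ONLY);
                this.datasetSharedWithFacade.update(share);
            }
            // Only accepted shares grant access; members of pending shares are not added to
            // the allowed list and are removed from the groups below.
            if (share.getAccepted()) {
                testAndFixPermissionForAllMembers(share.getProject(), dfso, datasetGroup, aclGroup, null, share.getPermission());
                allowedMembers.addAll(share.getProject().getProjectTeamCollection());
            }
        }
        testAndRemoveUsersFromGroup(allowedMembers, datasetGroup, aclGroup, owner, dfso);
    }

    /**
     * Checks the mode bits of the dataset inode. A public dataset must be r-xr-x--- (sticky bit
     * optional) and is made immutable otherwise; any other dataset must be rwxrwx--- (sticky bit
     * optional) and has immutability undone otherwise.
     */
    private void testFsPermission(Dataset dataset, DistributedFileSystemOps dfso) throws IOException {
        FsPermission current = FsPermission.createImmutable(dataset.getInode().getPermission());
        Path path = new Path(this.inodeController.getPath(dataset.getInode()));
        if (dataset.isPublicDs()) {
            if (!PUBLIC_DS_PERMISSION.equals(current) && !PUBLIC_DS_PERMISSION_STICKY.equals(current)) {
                this.hdfsUsersController.makeImmutable(path, dfso);
                LOGGER.log(Level.WARNING, "Found and fixed a public dataset with wrong permission. id={0}, permission={1}", new Object[]{dataset.getId(), current});
            }
            return;
        }
        if (!FsPermissions.rwxrwx___.equals(current) && !FsPermissions.rwxrwx___T.equals(current)) {
            this.hdfsUsersController.undoImmutable(path, dfso);
            LOGGER.log(Level.WARNING, "Found and fixed a dataset with wrong permission. id={0}, permission={1}", new Object[]{dataset.getId(), current});
        }
    }

    /** Applies {@link #testAndFixPermission} to every team member of {@code project}. */
    private void testAndFixPermissionForAllMembers(Project project, DistributedFileSystemOps dfso, HdfsGroups datasetGroup, HdfsGroups aclGroup, HdfsUsers owner, DatasetAccessPermission permission) throws IOException {
        for (ProjectTeam member : project.getProjectTeamCollection()) {
            testAndFixPermission(member, dfso, datasetGroup, aclGroup, owner, permission);
        }
    }

    /** Removes from both groups every user that matches none of {@code allowedMembers}. */
    private void testAndRemoveUsersFromGroup(Collection<ProjectTeam> allowedMembers, HdfsGroups datasetGroup, HdfsGroups aclGroup, HdfsUsers owner, DistributedFileSystemOps dfso) throws IOException {
        for (HdfsUsers groupUser : datasetGroup.getHdfsUsersCollection()) {
            testAndRemoveMember(allowedMembers, datasetGroup, groupUser, owner, dfso);
        }
        for (HdfsUsers groupUser : aclGroup.getHdfsUsersCollection()) {
            testAndRemoveMember(allowedMembers, aclGroup, groupUser, owner, dfso);
        }
    }

    /**
     * Removes {@code groupUser} from {@code group} unless it is the dataset owner or its name
     * matches the HDFS user name of one of {@code allowedMembers}.
     */
    private void testAndRemoveMember(Collection<ProjectTeam> allowedMembers, HdfsGroups group, HdfsUsers groupUser, HdfsUsers owner, DistributedFileSystemOps dfso) throws IOException {
        if (groupUser == null || groupUser.equals(owner)) {
            return;
        }
        for (ProjectTeam member : allowedMembers) {
            String memberHdfsName = this.hdfsUsersController.getHdfsUserName(member.getProject(), member.getUser());
            if (groupUser.getName().equals(memberHdfsName)) {
                // Still a legitimate member: stop at the first match and keep the user.
                return;
            }
        }
        removeFromGroup(groupUser, group, dfso);
    }

    /**
     * Places one team member in the group that matches the dataset permission: editors belong in
     * the dataset group only, everyone else in the ACL group only. With
     * {@code EDITABLE_BY_OWNERS} only members with the data-owner role count as editors. The
     * serving-manager user and the dataset owner (when {@code owner} is given) are left
     * untouched. A missing or unknown permission is logged and changes nothing.
     */
    private void testAndFixPermission(ProjectTeam member, DistributedFileSystemOps dfso, HdfsGroups datasetGroup, HdfsGroups aclGroup, HdfsUsers owner, DatasetAccessPermission permission) throws IOException {
        if (member.getUser().getUsername().equals(KafkaInferenceLogger.SERVING_MANAGER_USERNAME)) {
            return;
        }
        String hdfsUserName = this.hdfsUsersController.getHdfsUserName(member.getProject(), member.getUser());
        HdfsUsers hdfsUser = this.hdfsUsersController.getOrCreateUser(hdfsUserName, dfso);
        if (owner != null && owner.equals(hdfsUser)) {
            return;
        }

        final boolean editor;
        if (permission == DatasetAccessPermission.EDITABLE) {
            editor = true;
        } else if (permission == DatasetAccessPermission.READ_ONLY) {
            editor = false;
        } else if (permission == DatasetAccessPermission.EDITABLE_BY_OWNERS) {
            editor = AllowedRoles.DATA_OWNER.equals(member.getTeamRole());
        } else {
            LOGGER.log(Level.WARNING, "Found a dataset with an unknown permission: group={0}, project={1}", new Object[]{datasetGroup, member.getProject().getName()});
            return;
        }

        if (editor) {
            moveToDatasetGroup(hdfsUser, datasetGroup, aclGroup, dfso);
        } else {
            moveToAclGroup(hdfsUser, datasetGroup, aclGroup, dfso);
        }
    }

    /** Ensures {@code user} is in the dataset group and not in the ACL group. */
    private void moveToDatasetGroup(HdfsUsers user, HdfsGroups datasetGroup, HdfsGroups aclGroup, DistributedFileSystemOps dfso) throws IOException {
        if (!datasetGroup.hasUser(user)) {
            addToGroup(user, datasetGroup, dfso);
        }
        if (aclGroup.hasUser(user)) {
            removeFromGroup(user, aclGroup, dfso);
        }
    }

    /** Ensures {@code user} is in the ACL group and not in the dataset group. */
    private void moveToAclGroup(HdfsUsers user, HdfsGroups datasetGroup, HdfsGroups aclGroup, DistributedFileSystemOps dfso) throws IOException {
        // Drop the dataset-group membership first, so a failure between the two steps leaves
        // the user with less access rather than with both memberships.
        if (datasetGroup.hasUser(user)) {
            removeFromGroup(user, datasetGroup, dfso);
        }
        if (!aclGroup.hasUser(user)) {
            addToGroup(user, aclGroup, dfso);
        }
    }

    /** Adds {@code user} to {@code group} and records the correction. */
    private void addToGroup(HdfsUsers user, HdfsGroups group, DistributedFileSystemOps dfso) throws IOException {
        this.hdfsUsersController.addToGroup(user.getName(), group.getName(), dfso);
        LOGGER.log(Level.WARNING, "Found and fixed a user not added to a dataset group. user={0}, group={1}", new Object[]{user.getName(), group.getName()});
    }

    /** Removes {@code user} from {@code group} and records the correction. */
    private void removeFromGroup(HdfsUsers user, HdfsGroups group, DistributedFileSystemOps dfso) throws IOException {
        this.hdfsUsersController.removeFromGroup(user, group, dfso);
        LOGGER.log(Level.WARNING, "Found and fixed a user in the wrong dataset group. user={0}, group={1}", new Object[]{user.getName(), group.getName()});
    }

    /** Returns whether any team entry of {@code project} carries the under-removal role. */
    private boolean isUnderRemoval(Project project) {
        for (ProjectTeam member : project.getProjectTeamCollection()) {
            if (ProjectRoleTypes.UNDER_REMOVAL.equals(member.getTeamRole())) {
                return true;
            }
        }
        return false;
    }
}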
