package com.tencent.supersonic.headless.server.aspect;

import com.tencent.supersonic.auth.api.authentication.pojo.User;
import com.tencent.supersonic.auth.api.authorization.request.QueryAuthResReq;
import com.tencent.supersonic.auth.api.authorization.response.AuthorizedResourceResp;
import com.tencent.supersonic.auth.api.authorization.service.AuthService;
import com.tencent.supersonic.common.jsqlparser.SqlAddHelper;
import com.tencent.supersonic.common.pojo.Filter;
import com.tencent.supersonic.common.pojo.QueryAuthorization;
import com.tencent.supersonic.common.pojo.enums.AuthType;
import com.tencent.supersonic.common.pojo.enums.FilterOperatorEnum;
import com.tencent.supersonic.common.pojo.enums.SensitiveLevelEnum;
import com.tencent.supersonic.common.pojo.exception.InvalidArgumentException;
import com.tencent.supersonic.common.pojo.exception.InvalidPermissionException;
import com.tencent.supersonic.headless.api.pojo.request.QuerySqlReq;
import com.tencent.supersonic.headless.api.pojo.request.QueryStructReq;
import com.tencent.supersonic.headless.api.pojo.request.SchemaFilterReq;
import com.tencent.supersonic.headless.api.pojo.request.SemanticQueryReq;
import com.tencent.supersonic.headless.api.pojo.response.ModelResp;
import com.tencent.supersonic.headless.api.pojo.response.SemanticQueryResp;
import com.tencent.supersonic.headless.api.pojo.response.SemanticSchemaResp;
import com.tencent.supersonic.headless.server.pojo.MetaFilter;
import com.tencent.supersonic.headless.server.utils.QueryStructUtils;
import com.tencent.supersonic.headless.server.web.service.ModelService;
import com.tencent.supersonic.headless.server.web.service.SchemaService;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.StringJoiner;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.sf.jsqlparser.JSQLParserException;
import net.sf.jsqlparser.expression.Expression;
import net.sf.jsqlparser.parser.CCJSqlParserUtil;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.CollectionUtils;

@Aspect
@Component
/* loaded from: input_file:com/tencent/supersonic/headless/server/aspect/S2DataPermissionAspect.class */
public class S2DataPermissionAspect {
    private static final Logger log = LoggerFactory.getLogger(S2DataPermissionAspect.class);

    @Autowired
    private QueryStructUtils queryStructUtils;

    @Autowired
    private ModelService modelService;

    @Autowired
    private SchemaService schemaService;

    @Autowired
    private AuthService authService;

    @Pointcut("@annotation(com.tencent.supersonic.headless.server.annotation.S2DataPermission)")
    private void s2PermissionCheck() {
    }

    @Around("s2PermissionCheck()")
    public Object doAround(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        Object[] args = proceedingJoinPoint.getArgs();
        SemanticQueryReq semanticQueryReq = null;
        if (args[0] instanceof SemanticQueryReq) {
            semanticQueryReq = (SemanticQueryReq) args[0];
        }
        if (semanticQueryReq == null) {
            throw new InvalidArgumentException("queryReq is not Invalid");
        }
        if (!semanticQueryReq.isNeedAuth()) {
            log.info("needAuth is false, there is no need to check permissions.");
            return proceedingJoinPoint.proceed();
        }
        User user = (User) args[1];
        if (Objects.isNull(user) || StringUtils.isEmpty(user.getName())) {
            throw new RuntimeException("please provide user information");
        }
        SemanticSchemaResp semanticSchemaResp = getSemanticSchemaResp(semanticQueryReq);
        List<Long> modelIds = getModelIds(semanticSchemaResp);
        if (checkModelAdmin(user, modelIds)) {
            return proceedingJoinPoint.proceed();
        }
        checkModelVisible(user, modelIds);
        AuthorizedResourceResp authorizedResource = getAuthorizedResource(user, modelIds);
        if (1 != 0) {
            checkColPermission(semanticQueryReq, authorizedResource, modelIds, semanticSchemaResp);
        }
        checkRowPermission(semanticQueryReq, authorizedResource);
        Object proceed = proceedingJoinPoint.proceed();
        if (proceed instanceof SemanticQueryResp) {
            addHint(modelIds, (SemanticQueryResp) proceed, authorizedResource);
        }
        return proceed;
    }

    private void checkColPermission(SemanticQueryReq semanticQueryReq, AuthorizedResourceResp authorizedResourceResp, List<Long> list, SemanticSchemaResp semanticSchemaResp) {
        Set<String> bizNameInQueryReq = getBizNameInQueryReq(semanticQueryReq, semanticSchemaResp);
        Set<String> highSensitiveBizNamesByModelId = getHighSensitiveBizNamesByModelId(semanticSchemaResp);
        Stream<String> parallelStream = bizNameInQueryReq.parallelStream();
        Objects.requireNonNull(highSensitiveBizNamesByModelId);
        Set set = (Set) parallelStream.filter((v1) -> {
            return r1.contains(v1);
        }).collect(Collectors.toSet());
        set.removeAll((Set) authorizedResourceResp.getAuthResList().stream().map((v0) -> {
            return v0.getName();
        }).collect(Collectors.toSet()));
        if (!CollectionUtils.isEmpty(set)) {
            throw new InvalidPermissionException(String.format("存在以下敏感资源:%s您暂无权限，请联系管理员%s申请", semanticSchemaResp.getNameFromBizNames(set), this.modelService.getModelAdmin(list.get(0))));
        }
    }

    private void checkRowPermission(SemanticQueryReq semanticQueryReq, AuthorizedResourceResp authorizedResourceResp) {
        if (semanticQueryReq instanceof QuerySqlReq) {
            doRowPermission((QuerySqlReq) semanticQueryReq, authorizedResourceResp);
        }
        if (semanticQueryReq instanceof QueryStructReq) {
            doRowPermission((QueryStructReq) semanticQueryReq, authorizedResourceResp);
        }
    }

    private Set<String> getBizNameInQueryReq(SemanticQueryReq semanticQueryReq, SemanticSchemaResp semanticSchemaResp) {
        if (semanticQueryReq instanceof QuerySqlReq) {
            return this.queryStructUtils.getBizNameFromSql((QuerySqlReq) semanticQueryReq, semanticSchemaResp);
        }
        if (semanticQueryReq instanceof QueryStructReq) {
            return this.queryStructUtils.getBizNameFromStruct((QueryStructReq) semanticQueryReq);
        }
        throw new InvalidArgumentException("queryReq is not Invalid:" + semanticQueryReq);
    }

    private SemanticSchemaResp getSemanticSchemaResp(SemanticQueryReq semanticQueryReq) {
        SchemaFilterReq schemaFilterReq = new SchemaFilterReq();
        schemaFilterReq.setModelIds(semanticQueryReq.getModelIds());
        schemaFilterReq.setDataSetId(semanticQueryReq.getDataSetId());
        return this.schemaService.fetchSemanticSchema(schemaFilterReq);
    }

    private List<Long> getModelIds(SemanticSchemaResp semanticSchemaResp) {
        return (List) semanticSchemaResp.getModelResps().stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toList());
    }

    private void doRowPermission(QuerySqlReq querySqlReq, AuthorizedResourceResp authorizedResourceResp) {
        log.debug("start doRowPermission logic");
        StringJoiner stringJoiner = new StringJoiner(" OR ");
        ArrayList arrayList = new ArrayList();
        if (!CollectionUtils.isEmpty(authorizedResourceResp.getFilters())) {
            authorizedResourceResp.getFilters().stream().forEach(dimensionFilter -> {
                arrayList.addAll(dimensionFilter.getExpressions());
            });
        }
        if (CollectionUtils.isEmpty(arrayList)) {
            log.debug("dimensionFilters is empty");
            return;
        }
        arrayList.stream().forEach(str -> {
            if (StringUtils.isNotEmpty(str) && StringUtils.isNotEmpty(str.trim())) {
                stringJoiner.add(" ( " + str + " ) ");
            }
        });
        try {
            Expression parseCondExpression = CCJSqlParserUtil.parseCondExpression(" ( " + stringJoiner + " ) ");
            if (StringUtils.isNotEmpty(stringJoiner.toString())) {
                String addWhere = SqlAddHelper.addWhere(querySqlReq.getSql(), parseCondExpression);
                log.info("before doRowPermission, queryS2SQLReq:{}", querySqlReq.getSql());
                querySqlReq.setSql(addWhere);
                log.info("after doRowPermission, queryS2SQLReq:{}", querySqlReq.getSql());
            }
        } catch (JSQLParserException e) {
            log.info("jsqlParser has an exception:{}", e.toString());
        }
    }

    private void doRowPermission(QueryStructReq queryStructReq, AuthorizedResourceResp authorizedResourceResp) {
        log.debug("start doRowPermission logic");
        StringJoiner stringJoiner = new StringJoiner(" OR ");
        ArrayList arrayList = new ArrayList();
        if (!CollectionUtils.isEmpty(authorizedResourceResp.getFilters())) {
            authorizedResourceResp.getFilters().stream().forEach(dimensionFilter -> {
                arrayList.addAll(dimensionFilter.getExpressions());
            });
        }
        if (CollectionUtils.isEmpty(arrayList)) {
            log.debug("dimensionFilters is empty");
            return;
        }
        arrayList.stream().forEach(str -> {
            if (StringUtils.isNotEmpty(str) && StringUtils.isNotEmpty(str.trim())) {
                stringJoiner.add(" ( " + str + " ) ");
            }
        });
        if (StringUtils.isNotEmpty(stringJoiner.toString())) {
            log.info("before doRowPermission, queryStructReq:{}", queryStructReq);
            Filter filter = new Filter("", FilterOperatorEnum.SQL_PART, stringJoiner.toString());
            List arrayList2 = Objects.isNull(queryStructReq.getOriginalFilter()) ? new ArrayList() : queryStructReq.getOriginalFilter();
            arrayList2.add(filter);
            queryStructReq.setDimensionFilters(arrayList2);
            log.info("after doRowPermission, queryStructReq:{}", queryStructReq);
        }
    }

    public boolean checkModelAdmin(User user, List<Long> list) {
        List<ModelResp> modelListWithAuth = this.modelService.getModelListWithAuth(user, null, AuthType.ADMIN);
        if (CollectionUtils.isEmpty(modelListWithAuth)) {
            return false;
        }
        Set set = (Set) modelListWithAuth.stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toSet());
        return !CollectionUtils.isEmpty(set) && set.containsAll(list);
    }

    public void checkModelVisible(User user, List<Long> list) {
        List list2 = (List) this.modelService.getModelListWithAuth(user, null, AuthType.VISIBLE).stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toList());
        ArrayList arrayList = new ArrayList(list);
        arrayList.removeAll(list2);
        if (CollectionUtils.isEmpty(arrayList)) {
            return;
        }
        MetaFilter metaFilter = new MetaFilter();
        metaFilter.setIds(arrayList);
        ModelResp orElse = this.modelService.getModelList(metaFilter).stream().findFirst().orElse(null);
        if (orElse != null) {
            throw new InvalidPermissionException(String.format("您没有模型[%s]权限，请联系管理员%s开通", orElse.getName(), orElse.getAdmins()));
        }
        throw new InvalidArgumentException("查询的模型不存在");
    }

    public Set<String> getHighSensitiveBizNamesByModelId(SemanticSchemaResp semanticSchemaResp) {
        HashSet hashSet = new HashSet();
        if (!CollectionUtils.isEmpty(semanticSchemaResp.getDimensions())) {
            semanticSchemaResp.getDimensions().stream().filter(dimSchemaResp -> {
                return SensitiveLevelEnum.HIGH.getCode().equals(dimSchemaResp.getSensitiveLevel());
            }).forEach(dimSchemaResp2 -> {
                hashSet.add(dimSchemaResp2.getBizName());
            });
        }
        if (!CollectionUtils.isEmpty(semanticSchemaResp.getMetrics())) {
            semanticSchemaResp.getMetrics().stream().filter(metricSchemaResp -> {
                return SensitiveLevelEnum.HIGH.getCode().equals(metricSchemaResp.getSensitiveLevel());
            }).forEach(metricSchemaResp2 -> {
                hashSet.add(metricSchemaResp2.getBizName());
            });
        }
        return hashSet;
    }

    public AuthorizedResourceResp getAuthorizedResource(User user, List<Long> list) {
        QueryAuthResReq queryAuthResReq = new QueryAuthResReq();
        queryAuthResReq.setModelIds(list);
        AuthorizedResourceResp fetchAuthRes = fetchAuthRes(queryAuthResReq, user);
        log.info("user:{}, domainId:{}, after queryAuthorizedResources:{}", new Object[]{user.getName(), list, fetchAuthRes});
        return fetchAuthRes;
    }

    private AuthorizedResourceResp fetchAuthRes(QueryAuthResReq queryAuthResReq, User user) {
        log.info("queryAuthResReq:{}", queryAuthResReq);
        return this.authService.queryAuthorizedResources(queryAuthResReq, user);
    }

    public void addHint(List<Long> list, SemanticQueryResp semanticQueryResp, AuthorizedResourceResp authorizedResourceResp) {
        List filters = authorizedResourceResp.getFilters();
        if (CollectionUtils.isEmpty(filters)) {
            return;
        }
        List<String> modelAdmin = this.modelService.getModelAdmin(list.get(0));
        if (CollectionUtils.isEmpty(filters)) {
            return;
        }
        ModelResp model = this.modelService.getModel(list.get(0));
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        filters.stream().forEach(dimensionFilter -> {
            if (StringUtils.isNotEmpty(dimensionFilter.getDescription())) {
                arrayList2.add(dimensionFilter.getDescription());
            }
            arrayList.add(dimensionFilter.getExpressions().toString());
        });
        Object[] objArr = new Object[2];
        objArr[0] = CollectionUtils.isEmpty(arrayList2) ? arrayList : arrayList2;
        objArr[1] = modelAdmin;
        semanticQueryResp.setQueryAuthorization(new QueryAuthorization(model.getName(), arrayList, arrayList2, String.format("当前结果已经过行权限过滤，详细过滤条件如下:%s, 申请权限请联系管理员%s", objArr)));
    }
}
