package io.prestosql.plugin.hive.security;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.google.common.collect.ImmutableList;
import com.huawei.hetu.spi.connector.Userlist;
import io.prestosql.plugin.hive.HiveCatalogName;
import io.prestosql.plugin.hive.HiveConfig;
import io.prestosql.plugin.hive.HiveTransactionHandle;
import io.prestosql.plugin.hive.HiveUtil;
import io.prestosql.plugin.hive.metastore.Database;
import io.prestosql.plugin.hive.metastore.HivePrincipal;
import io.prestosql.plugin.hive.metastore.HivePrivilegeInfo;
import io.prestosql.plugin.hive.metastore.SemiTransactionalHiveMetastore;
import io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.ConnectorAccessControl;
import io.prestosql.spi.connector.ConnectorTransactionHandle;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.ConnectorIdentity;
import io.prestosql.spi.security.Identity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.PrincipalType;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.RoleGrant;
import io.prestosql.spi.security.ViewExpression;
import io.prestosql.spi.type.Type;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.inject.Inject;

/* loaded from: input_file:io/prestosql/plugin/hive/security/SqlStandardAccessControl.class */
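/**
 * SQL-standard authorization for the Hive connector.
 *
 * <p>Every decision is made against the metastore bound to the current transaction
 * (via {@code metastoreProvider}):
 * <ul>
 *   <li>members of the {@value #ADMIN_ROLE_NAME} role are allowed everything;</li>
 *   <li>schema-level operations require database ownership, held either directly by the
 *       (possibly mapped) user or through an enabled role;</li>
 *   <li>table-level operations require the matching Hive privilege — or {@code OWNERSHIP} —
 *       to be enabled for the caller, except that {@code information_schema} is readable by
 *       everyone while {@code information_schema.roles} is readable by admins only.</li>
 * </ul>
 * Each {@code checkCan*} method either returns normally or throws
 * {@link AccessDeniedException}. No schema/table listing is filtered and no row filter or
 * column mask is produced by this implementation.
 *
 * <p>All fields are immutable after construction; the metastore is resolved on every call.
 */
public class SqlStandardAccessControl implements ConnectorAccessControl {
    public static final String ADMIN_ROLE_NAME = "admin";
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";
    // The one information_schema table that is never readable without admin rights.
    private static final SchemaTableName ROLES = new SchemaTableName(INFORMATION_SCHEMA_NAME, "roles");

    private final String catalogName;
    private final Function<HiveTransactionHandle, SemiTransactionalHiveMetastore> metastoreProvider;
    // Optional mapping of Presto users onto the identities that own Hive objects; consulted by isDatabaseOwner.
    private final Optional<Map<String, Userlist>> userlistMap;

    /**
     * @param hiveCatalogName name of the catalog this connector is mounted as; only used in denial messages
     * @param metastoreProvider resolves the transaction-scoped metastore for a {@link HiveTransactionHandle}
     * @param hiveConfig connector configuration supplying the datasource users and the special user mapping
     * @throws NullPointerException if any argument is null
     * @throws IllegalArgumentException if datasource users are configured but the special user mapping cannot be parsed
     */
    @Inject
    public SqlStandardAccessControl(HiveCatalogName hiveCatalogName, Function<HiveTransactionHandle, SemiTransactionalHiveMetastore> metastoreProvider, HiveConfig hiveConfig) {
        this.catalogName = Objects.requireNonNull(hiveCatalogName, "catalogName is null").toString();
        this.metastoreProvider = Objects.requireNonNull(metastoreProvider, "metastoreProvider is null");
        Objects.requireNonNull(hiveConfig, "hiveConfig is null");
        this.userlistMap = loadUserlistMap(hiveConfig);
    }

    /**
     * Parses the optional user-to-owner mapping from the connector configuration.
     *
     * <p>Parsing is only attempted when datasource users are configured. A configured but
     * unparsable mapping is a deployment error: quietly continuing with an empty mapping
     * would change which users are treated as owners of Hive objects, so construction fails
     * instead of degrading the authorization decisions.
     */
    private static Optional<Map<String, Userlist>> loadUserlistMap(HiveConfig hiveConfig) {
        Optional<String> datasourceUsers = hiveConfig.getHiveDatasourceUsers();
        if (!datasourceUsers.isPresent()) {
            return Optional.empty();
        }
        try {
            return HiveUtil.parseSpecialUserMapping(datasourceUsers, hiveConfig.getHiveSpecialUserMapping());
        }
        catch (JsonProcessingException e) {
            throw new IllegalArgumentException("Invalid Hive special user mapping configuration", e);
        }
    }

    // ---------------------------------------------------------------------------------------
    // Schemas
    // ---------------------------------------------------------------------------------------

    /** Only administrators may create schemas. */
    public void checkCanCreateSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String schemaName) {
        if (!isAdmin(transactionHandle, identity)) {
            AccessDeniedException.denyCreateSchema(schemaName);
        }
    }

    /** Dropping a schema requires owning its database. */
    public void checkCanDropSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String schemaName) {
        if (!isDatabaseOwner(transactionHandle, identity, schemaName)) {
            AccessDeniedException.denyDropSchema(schemaName);
        }
    }

    /** Altering a column is a table-owner operation. */
    public void checkCanAlterColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!isTableOwner(transactionHandle, identity, table)) {
            AccessDeniedException.denyAlterColumn(table.toString());
        }
    }

    /** Altering a schema requires owning its database. */
    public void checkCanAlterSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String schemaName, String newSchemaName) {
        if (!isDatabaseOwner(transactionHandle, identity, schemaName)) {
            AccessDeniedException.denyAlterSchema(schemaName, newSchemaName);
        }
    }

    /** Renaming a schema requires owning the source database; the target name is not checked here. */
    public void checkCanRenameSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String schemaName, String newSchemaName) {
        if (!isDatabaseOwner(transactionHandle, identity, schemaName)) {
            AccessDeniedException.denyRenameSchema(schemaName, newSchemaName);
        }
    }

    /** Listing schemas is allowed for everyone. */
    public void checkCanShowSchemas(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity) {
    }

    /** Schema listings are returned unfiltered; access is enforced when a schema is used. */
    public Set<String> filterSchemas(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, Set<String> schemaNames) {
        return schemaNames;
    }

    // ---------------------------------------------------------------------------------------
    // Tables and columns
    // ---------------------------------------------------------------------------------------

    /** Creating a table requires owning the database it is created in. */
    public void checkCanCreateTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!isDatabaseOwner(transactionHandle, identity, table.getSchemaName())) {
            AccessDeniedException.denyCreateTable(table.toString());
        }
    }

    /** Dropping a table is a table-owner operation. */
    public void checkCanDropTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!isTableOwner(transactionHandle, identity, table)) {
            AccessDeniedException.denyDropTable(table.toString());
        }
    }

    /** Renaming a table requires owning the source table; the target name is not checked here. */
    public void checkCanRenameTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table, SchemaTableName newTable) {
        if (!isTableOwner(transactionHandle, identity, table)) {
            AccessDeniedException.denyRenameTable(table.toString(), newTable.toString());
        }
    }

    /** Setting a table comment is a table-owner operation. */
    public void checkCanSetTableComment(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!isTableOwner(transactionHandle, identity, table)) {
            AccessDeniedException.denyCommentTable(table.toString());
        }
    }

    /** Listing table metadata is allowed for everyone. */
    public void checkCanShowTablesMetadata(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String schemaName) {
    }

    /** Table listings are returned unfiltered; access is enforced when a table is used. */
    public Set<SchemaTableName> filterTables(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, Set<SchemaTableName> tableNames) {
        return tableNames;
    }

    /** Column metadata is visible to anyone holding any privilege on the table. */
    public void checkCanShowColumnsMetadata(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!hasAnyTablePermission(transactionHandle, identity, table)) {
            AccessDeniedException.denyShowColumnsMetadata(table.toString());
        }
    }

    /** Columns are all-or-nothing: every column if the caller has any table privilege, otherwise none. */
    public List<ColumnMetadata> filterColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table, List<ColumnMetadata> columns) {
        if (hasAnyTablePermission(transactionHandle, identity, table)) {
            return columns;
        }
        return ImmutableList.of();
    }

    /** Adding a column is a table-owner operation. */
    public void checkCanAddColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!isTableOwner(transactionHandle, identity, table)) {
            AccessDeniedException.denyAddColumn(table.toString());
        }
    }

    /** Dropping a column is a table-owner operation. */
    public void checkCanDropColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!isTableOwner(transactionHandle, identity, table)) {
            AccessDeniedException.denyDropColumn(table.toString());
        }
    }

    /** Renaming a column is a table-owner operation. */
    public void checkCanRenameColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!isTableOwner(transactionHandle, identity, table)) {
            AccessDeniedException.denyRenameColumn(table.toString());
        }
    }

    /** Requires an enabled SELECT privilege on the table; the column set is not consulted (table-level granularity). */
    public void checkCanSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table, Set<String> columnNames) {
        if (!checkTablePermission(transactionHandle, identity, table, HivePrivilegeInfo.HivePrivilege.SELECT, false)) {
            AccessDeniedException.denySelectTable(table.toString());
        }
    }

    /** Requires an enabled INSERT privilege on the table. */
    public void checkCanInsertIntoTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!checkTablePermission(transactionHandle, identity, table, HivePrivilegeInfo.HivePrivilege.INSERT, false)) {
            AccessDeniedException.denyInsertTable(table.toString());
        }
    }

    /** Requires an enabled DELETE privilege on the table. */
    public void checkCanDeleteFromTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!checkTablePermission(transactionHandle, identity, table, HivePrivilegeInfo.HivePrivilege.DELETE, false)) {
            AccessDeniedException.denyDeleteTable(table.toString());
        }
    }

    /** Requires an enabled UPDATE privilege on the table. */
    public void checkCanUpdateTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!checkTablePermission(transactionHandle, identity, table, HivePrivilegeInfo.HivePrivilege.UPDATE, false)) {
            AccessDeniedException.denyUpdateTable(table.toString());
        }
    }

    /** Altering a table is a table-owner operation. */
    public void checkCanAlterTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (!isTableOwner(transactionHandle, identity, table)) {
            AccessDeniedException.denyAlterTable(table.toString());
        }
    }

    // ---------------------------------------------------------------------------------------
    // Views
    // ---------------------------------------------------------------------------------------

    /** Creating a view requires owning the database it is created in. */
    public void checkCanCreateView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName view) {
        if (!isDatabaseOwner(transactionHandle, identity, view.getSchemaName())) {
            AccessDeniedException.denyCreateView(view.toString());
        }
    }

    /** Dropping a view is an owner operation (views are checked like tables). */
    public void checkCanDropView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName view) {
        if (!isTableOwner(transactionHandle, identity, view)) {
            AccessDeniedException.denyDropView(view.toString());
        }
    }

    /** Altering a view requires SELECT with grant option on it, the same bar as creating a view over it. */
    public void checkCanAlterView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName view) {
        if (!checkTablePermission(transactionHandle, identity, view, HivePrivilegeInfo.HivePrivilege.SELECT, true)) {
            AccessDeniedException.denyAlterView(view.toString());
        }
    }

    /**
     * A view definer must be able to select from the underlying table and additionally hold
     * SELECT with grant option, since the view will let others read through the definer's rights.
     */
    public void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table, Set<String> columnNames) {
        checkCanSelectFromColumns(transactionHandle, identity, table, columnNames);
        if (!checkTablePermission(transactionHandle, identity, table, HivePrivilegeInfo.HivePrivilege.SELECT, true)) {
            AccessDeniedException.denyCreateViewWithSelect(table.toString(), identity);
        }
    }

    // ---------------------------------------------------------------------------------------
    // Session properties and privileges
    // ---------------------------------------------------------------------------------------

    /** Only administrators may change catalog session properties. */
    public void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String propertyName) {
        if (!isAdmin(transactionHandle, identity)) {
            AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
        }
    }

    /** Granting requires table ownership or holding the privilege with grant option. */
    public void checkCanGrantTablePrivilege(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, Privilege privilege, SchemaTableName table, PrestoPrincipal grantee, boolean withGrantOption) {
        boolean allowed = isTableOwner(transactionHandle, identity, table)
                || hasGrantOptionForPrivilege(transactionHandle, identity, privilege, table);
        if (!allowed) {
            AccessDeniedException.denyGrantTablePrivilege(privilege.name(), table.toString());
        }
    }

    /** Revoking requires table ownership or holding the privilege with grant option. */
    public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, Privilege privilege, SchemaTableName table, PrestoPrincipal revokee, boolean grantOptionFor) {
        boolean allowed = isTableOwner(transactionHandle, identity, table)
                || hasGrantOptionForPrivilege(transactionHandle, identity, privilege, table);
        if (!allowed) {
            AccessDeniedException.denyRevokeTablePrivilege(privilege.name(), table.toString());
        }
    }

    // ---------------------------------------------------------------------------------------
    // Roles
    // ---------------------------------------------------------------------------------------

    /** Only administrators may create roles; WITH ADMIN is rejected outright, even for admins. */
    public void checkCanCreateRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String role, Optional<PrestoPrincipal> grantor) {
        if (grantor.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support WITH ADMIN statement");
        }
        if (!isAdmin(transactionHandle, identity)) {
            AccessDeniedException.denyCreateRole(role);
        }
    }

    /** Only administrators may drop roles. */
    public void checkCanDropRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String role) {
        if (!isAdmin(transactionHandle, identity)) {
            AccessDeniedException.denyDropRole(role);
        }
    }

    /** Granting roles requires admin option on every role granted; GRANTED BY is rejected outright. */
    public void checkCanGrantRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, Set<String> roles, Set<PrestoPrincipal> grantees, boolean withAdminOption, Optional<PrestoPrincipal> grantor, String catalog) {
        if (grantor.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support GRANTED BY statement");
        }
        if (!hasAdminOptionForRoles(transactionHandle, identity, roles)) {
            AccessDeniedException.denyGrantRoles(roles, grantees);
        }
    }

    /** Revoking roles requires admin option on every role revoked; GRANTED BY is rejected outright. */
    public void checkCanRevokeRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOptionFor, Optional<PrestoPrincipal> grantor, String catalog) {
        if (grantor.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support GRANTED BY statement");
        }
        if (!hasAdminOptionForRoles(transactionHandle, identity, roles)) {
            AccessDeniedException.denyRevokeRoles(roles, grantees);
        }
    }

    /**
     * A role may be set only if it is applicable to the caller as a USER principal.
     * Note that, unlike ownership checks, the raw user name is used here with no user mapping applied.
     */
    public void checkCanSetRole(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String role, String catalog) {
        HivePrincipal caller = new HivePrincipal(PrincipalType.USER, identity.getUser());
        if (!ThriftMetastoreUtil.isRoleApplicable(metastore(transactionHandle), caller, role)) {
            AccessDeniedException.denySetRole(role);
        }
    }

    /** Only administrators may list all roles. */
    public void checkCanShowRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String catalog) {
        if (!isAdmin(transactionHandle, identity)) {
            AccessDeniedException.denyShowRoles(catalog);
        }
    }

    /** Showing one's own current roles is allowed for everyone. */
    public void checkCanShowCurrentRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String catalog) {
    }

    /** Showing role grants is allowed for everyone. */
    public void checkCanShowRoleGrants(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String catalog) {
    }

    // ---------------------------------------------------------------------------------------
    // Row filters, column masks and indexes
    // ---------------------------------------------------------------------------------------

    /** This implementation defines no row filters. */
    public Optional<ViewExpression> getRowFilter(ConnectorTransactionHandle transactionHandle, Identity identity, SchemaTableName table) {
        return Optional.empty();
    }

    /** This implementation defines no column masks. */
    public Optional<ViewExpression> getColumnMask(ConnectorTransactionHandle transactionHandle, Identity identity, SchemaTableName table, String columnName, Type type) {
        return Optional.empty();
    }

    // NOTE(review): the five index operations below are permitted unconditionally at this layer,
    // i.e. no ownership or privilege check is applied — confirm that index authorization is
    // enforced elsewhere (e.g. by the engine) before relying on this connector for it.

    public void checkCanCreateIndex(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
    }

    public void checkCanDropIndex(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
    }

    public void checkCanRenameIndex(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName index, SchemaTableName newIndex) {
    }

    public void checkCanUpdateIndex(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
    }

    public void checkCanShowIndex(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
    }

    // ---------------------------------------------------------------------------------------
    // Decision helpers
    // ---------------------------------------------------------------------------------------

    /** Resolves the metastore bound to the given (Hive) transaction. */
    private SemiTransactionalHiveMetastore metastore(ConnectorTransactionHandle transactionHandle) {
        return metastoreProvider.apply((HiveTransactionHandle) transactionHandle);
    }

    /** True when the {@value #ADMIN_ROLE_NAME} role is enabled for the caller. */
    private boolean isAdmin(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity) {
        SemiTransactionalHiveMetastore metastore = metastore(transactionHandle);
        return ThriftMetastoreUtil.isRoleEnabled(identity, metastore::listRoleGrants, ADMIN_ROLE_NAME);
    }

    /**
     * Database ownership: the default database is owned by everyone and admins own everything;
     * otherwise the database's owner must be the caller's (mapped) user name, or a role that is
     * enabled for the caller. An unknown database is owned by nobody.
     */
    private boolean isDatabaseOwner(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, String schemaName) {
        if (Database.DEFAULT_DATABASE_NAME.equalsIgnoreCase(schemaName) || isAdmin(transactionHandle, identity)) {
            return true;
        }
        SemiTransactionalHiveMetastore metastore = metastore(transactionHandle);
        Optional<Database> database = metastore.getDatabase(schemaName);
        if (!database.isPresent()) {
            return false;
        }
        Database db = database.get();
        // The caller's name is passed through the configured user mapping (if any) before comparison.
        String effectiveUser = HiveUtil.getOwner(identity.getUser(), userlistMap).orElse(identity.getUser());
        if (db.getOwnerType() == PrincipalType.USER) {
            return effectiveUser.equals(db.getOwnerName());
        }
        if (db.getOwnerType() == PrincipalType.ROLE) {
            return ThriftMetastoreUtil.isRoleEnabled(identity, metastore::listRoleGrants, db.getOwnerName());
        }
        return false;
    }

    /** Table ownership is modelled as the OWNERSHIP privilege. */
    private boolean isTableOwner(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        return checkTablePermission(transactionHandle, identity, table, HivePrivilegeInfo.HivePrivilege.OWNERSHIP, false);
    }

    /**
     * The rules every table-level decision applies before consulting privileges: admins are always
     * allowed, {@code information_schema.roles} is never allowed, and the rest of
     * {@code information_schema} is always allowed.
     *
     * @return the decision when one of those rules applies, empty when privileges must be consulted
     */
    private Optional<Boolean> builtInTableDecision(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        if (isAdmin(transactionHandle, identity)) {
            return Optional.of(true);
        }
        // Must precede the schema-wide rule: ROLES itself lives in information_schema.
        if (table.equals(ROLES)) {
            return Optional.of(false);
        }
        if (INFORMATION_SCHEMA_NAME.equals(table.getSchemaName())) {
            return Optional.of(true);
        }
        return Optional.empty();
    }

    /**
     * True when the built-in rules allow the operation, or when {@code requiredPrivilege} is among
     * the privileges enabled for the caller on the table (restricted to grant-option privileges when
     * {@code grantOptionRequired} is set).
     */
    private boolean checkTablePermission(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table, HivePrivilegeInfo.HivePrivilege requiredPrivilege, boolean grantOptionRequired) {
        return builtInTableDecision(transactionHandle, identity, table).orElseGet(() ->
                ThriftMetastoreUtil.listEnabledTablePrivileges(metastore(transactionHandle), table.getSchemaName(), table.getTableName(), identity)
                        .filter(info -> !grantOptionRequired || info.isGrantOption())
                        .anyMatch(info -> info.getHivePrivilege().equals(requiredPrivilege)));
    }

    /**
     * True for admins, or when the caller holds the Hive equivalent of {@code privilege} on the
     * table with grant option. Applicable (not merely enabled) privileges are consulted here.
     */
    private boolean hasGrantOptionForPrivilege(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, Privilege privilege, SchemaTableName table) {
        if (isAdmin(transactionHandle, identity)) {
            return true;
        }
        return ThriftMetastoreUtil.listApplicableTablePrivileges(metastore(transactionHandle), table.getSchemaName(), table.getTableName(), identity.getUser())
                // Conversion stays inside the lambda so an empty privilege list never triggers it.
                .anyMatch(info -> info.isGrantOption() && info.getHivePrivilege().equals(HivePrivilegeInfo.toHivePrivilege(privilege)));
    }

    /** True for admins, or when every role in {@code roles} is applicable to the caller with the grantable flag. */
    private boolean hasAdminOptionForRoles(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, Set<String> roles) {
        if (isAdmin(transactionHandle, identity)) {
            return true;
        }
        SemiTransactionalHiveMetastore metastore = metastore(transactionHandle);
        HivePrincipal caller = new HivePrincipal(PrincipalType.USER, identity.getUser());
        Set<String> grantableRoles = ThriftMetastoreUtil.listApplicableRoles(caller, (Function<HivePrincipal, Set<RoleGrant>>) metastore::listRoleGrants)
                .filter(RoleGrant::isGrantable)
                .map(RoleGrant::getRoleName)
                .collect(Collectors.toSet());
        return grantableRoles.containsAll(roles);
    }

    /** True when the built-in rules allow the operation, or when any privilege at all is enabled for the caller on the table. */
    private boolean hasAnyTablePermission(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, SchemaTableName table) {
        return builtInTableDecision(transactionHandle, identity, table).orElseGet(() ->
                ThriftMetastoreUtil.listEnabledTablePrivileges(metastore(transactionHandle), table.getSchemaName(), table.getTableName(), identity)
                        .findAny()
                        .isPresent());
    }
}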
