package io.prestosql.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.huawei.hetu.spi.function.FunctionNamespaceManagerAccessControl;
import io.airlift.configuration.ConfigurationLoader;
import io.airlift.log.Logger;
import io.airlift.stats.CounterStat;
import io.prestosql.metadata.MetadataUtil;
import io.prestosql.security.AllowAllSystemAccessControl;
import io.prestosql.security.FileBasedSystemAccessControl;
import io.prestosql.security.ReadOnlySystemAccessControl;
import io.prestosql.spi.PrestoException;
import io.prestosql.spi.StandardErrorCode;
import io.prestosql.spi.connector.CatalogName;
import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.ConnectorAccessControl;
import io.prestosql.spi.connector.ConnectorTransactionHandle;
import io.prestosql.spi.connector.QualifiedObjectName;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.Identity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.SystemAccessControl;
import io.prestosql.spi.security.SystemAccessControlFactory;
import io.prestosql.transaction.TransactionId;
import io.prestosql.transaction.TransactionManager;
import java.io.File;
import java.security.Principal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import javax.inject.Inject;
import org.weakref.jmx.Managed;
import org.weakref.jmx.Nested;

/* loaded from: input_file:io/prestosql/security/AccessControlManager.class */
public class AccessControlManager implements AccessControl {
    private static final Logger log = Logger.get(AccessControlManager.class);
    private static final File ACCESS_CONTROL_CONFIGURATION = new File("etc/access-control.properties");
    private static final String ACCESS_CONTROL_PROPERTY_NAME = "access-control.name";
    private final TransactionManager transactionManager;
    private final Map<String, SystemAccessControlFactory> systemAccessControlFactories = new ConcurrentHashMap();
    private final Map<CatalogName, CatalogAccessControlEntry> connectorAccessControl = new ConcurrentHashMap();
    private final AtomicReference<SystemAccessControl> systemAccessControl = new AtomicReference<>(new InitializingSystemAccessControl());
    private final AtomicBoolean systemAccessControlLoading = new AtomicBoolean();
    private final Map<String, FunctionNamespaceManagerAccessControl> functionNamespaceManagerAccessControl = new ConcurrentHashMap();
    private final CounterStat authenticationSuccess = new CounterStat();
    private final CounterStat authenticationFail = new CounterStat();
    private final CounterStat authorizationSuccess = new CounterStat();
    private final CounterStat authorizationFail = new CounterStat();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/prestosql/security/AccessControlManager$CatalogAccessControlEntry.class */
    public class CatalogAccessControlEntry {
        private final CatalogName catalogName;
        private final ConnectorAccessControl accessControl;

        public CatalogAccessControlEntry(CatalogName catalogName, ConnectorAccessControl connectorAccessControl) {
            this.catalogName = (CatalogName) Objects.requireNonNull(catalogName, "catalogName is null");
            this.accessControl = (ConnectorAccessControl) Objects.requireNonNull(connectorAccessControl, "accessControl is null");
        }

        public CatalogName getCatalogName() {
            return this.catalogName;
        }

        public ConnectorAccessControl getAccessControl() {
            return this.accessControl;
        }

        public ConnectorTransactionHandle getTransactionHandle(TransactionId transactionId) {
            return AccessControlManager.this.transactionManager.getConnectorTransaction(transactionId, this.catalogName);
        }
    }

    /* loaded from: input_file:io/prestosql/security/AccessControlManager$InitializingSystemAccessControl.class */
    private static class InitializingSystemAccessControl implements SystemAccessControl {
        private InitializingSystemAccessControl() {
        }

        public void checkCanSetUser(Optional<Principal> optional, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }

        public void checkCanImpersonateUser(Identity identity, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }

        public void checkCanSetSystemSessionProperty(Identity identity, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }

        public void checkCanAccessCatalog(Identity identity, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }
    }

    @Inject
    public AccessControlManager(TransactionManager transactionManager) {
        this.transactionManager = (TransactionManager) Objects.requireNonNull(transactionManager, "transactionManager is null");
        addSystemAccessControlFactory(new AllowAllSystemAccessControl.Factory());
        addSystemAccessControlFactory(new ReadOnlySystemAccessControl.Factory());
        addSystemAccessControlFactory(new FileBasedSystemAccessControl.Factory());
    }

    public void addSystemAccessControlFactory(SystemAccessControlFactory systemAccessControlFactory) {
        Objects.requireNonNull(systemAccessControlFactory, "accessControlFactory is null");
        if (this.systemAccessControlFactories.putIfAbsent(systemAccessControlFactory.getName(), systemAccessControlFactory) != null) {
            throw new IllegalArgumentException(String.format("Access control '%s' is already registered", systemAccessControlFactory.getName()));
        }
    }

    public void addCatalogAccessControl(CatalogName catalogName, ConnectorAccessControl connectorAccessControl) {
        Objects.requireNonNull(catalogName, "catalogName is null");
        Objects.requireNonNull(connectorAccessControl, "accessControl is null");
        Preconditions.checkState(this.connectorAccessControl.putIfAbsent(catalogName, new CatalogAccessControlEntry(catalogName, connectorAccessControl)) == null, "Access control for connector '%s' is already registered", catalogName);
    }

    public void removeCatalogAccessControl(CatalogName catalogName) {
        this.connectorAccessControl.remove(catalogName);
    }

    public void addFunctionNamespaceManagerAccessControl(String str, FunctionNamespaceManagerAccessControl functionNamespaceManagerAccessControl) {
        Objects.requireNonNull(str, "functionNamespaceManagerName is null");
        Objects.requireNonNull(functionNamespaceManagerAccessControl, "accessControl in null");
        Preconditions.checkState(this.functionNamespaceManagerAccessControl.putIfAbsent(str, functionNamespaceManagerAccessControl) == null, "Access control for function namespace manager '%s' is already registered", str);
    }

    public void removeFunctionNamespaceManagerAccessControl(String str) {
        this.functionNamespaceManagerAccessControl.remove(str);
    }

    public void loadSystemAccessControl() throws Exception {
        if (!ACCESS_CONTROL_CONFIGURATION.exists()) {
            setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());
            return;
        }
        HashMap hashMap = new HashMap(ConfigurationLoader.loadPropertiesFrom(ACCESS_CONTROL_CONFIGURATION.getPath()));
        String remove = hashMap.remove(ACCESS_CONTROL_PROPERTY_NAME);
        Preconditions.checkArgument(!Strings.isNullOrEmpty(remove), "Access control configuration %s does not contain %s", ACCESS_CONTROL_CONFIGURATION.getAbsoluteFile(), ACCESS_CONTROL_PROPERTY_NAME);
        setSystemAccessControl(remove, hashMap);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    public void setSystemAccessControl(String str, Map<String, String> map) {
        Objects.requireNonNull(str, "name is null");
        Objects.requireNonNull(map, "properties is null");
        Preconditions.checkState(this.systemAccessControlLoading.compareAndSet(false, true), "System access control already initialized");
        log.info("-- Loading system access control --");
        SystemAccessControlFactory systemAccessControlFactory = this.systemAccessControlFactories.get(str);
        Preconditions.checkState(systemAccessControlFactory != null, "Access control %s is not registered", str);
        this.systemAccessControl.set(systemAccessControlFactory.create(ImmutableMap.copyOf(map)));
        log.info("-- Loaded system access control %s --", new Object[]{str});
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCallProcedure(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalog is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAlterColumn(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanAlterColumn(identity, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanAlterColumn(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetUser(Optional<Principal> optional, String str) {
        Objects.requireNonNull(optional, "principal is null");
        Objects.requireNonNull(str, "userName is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanSetUser(optional, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanImpersonateUser(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "userName is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanImpersonateUser(identity, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public Set<String> filterCatalogs(Identity identity, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(set, "catalogs is null");
        return this.systemAccessControl.get().filterCatalogs(identity, set);
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAccessCatalogs(Identity identity) {
        Objects.requireNonNull(identity, "identity is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanShowCatalogs(identity);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAccessCatalog(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalog is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanAccessCatalog(identity, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateCatalog(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateCatalog(identity, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropCatalog(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalog is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanDropCatalog(identity, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanUpdateCatalog(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalog is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanUpdateCatalog(identity, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanUpdateTable(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanUpdateTable(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanUpdateTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAlterSchema(TransactionId transactionId, Identity identity, CatalogSchemaName catalogSchemaName, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanAlterSchema(identity, catalogSchemaName, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanAlterSchema(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogSchemaName.getCatalogName()), catalogSchemaName.getSchemaName(), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateSchema(TransactionId transactionId, Identity identity, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateSchema(identity, catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.isVirtual() ? "svc" : catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateSchema(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogSchemaName.getCatalogName()), catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropSchema(TransactionId transactionId, Identity identity, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropSchema(identity, catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.isVirtual() ? "svc" : catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropSchema(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogSchemaName.getCatalogName()), catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRenameSchema(TransactionId transactionId, Identity identity, CatalogSchemaName catalogSchemaName, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameSchema(identity, catalogSchemaName, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameSchema(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogSchemaName.getCatalogName()), catalogSchemaName.getSchemaName(), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowSchemas(TransactionId transactionId, Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanShowSchemas(identity, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowSchemas(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public Set<String> filterSchemas(TransactionId transactionId, Identity identity, String str, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(set, "schemaNames is null");
        if (filterCatalogs(identity, ImmutableSet.of(str)).isEmpty()) {
            return ImmutableSet.of();
        }
        Set<String> filterSchemas = this.systemAccessControl.get().filterSchemas(identity, str, set);
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            filterSchemas = connectorAccessControl.getAccessControl().filterSchemas(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), filterSchemas);
        }
        return filterSchemas;
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateTable(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateTable(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropTable(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropTable(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRenameTable(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(qualifiedObjectName2, "newTableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameTable(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName), MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName2));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName), MetadataUtil.toSchemaTableName(qualifiedObjectName2));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetTableComment(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSetTableComment(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSetTableComment(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowTablesMetadata(TransactionId transactionId, Identity identity, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schema is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanShowTablesMetadata(identity, catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowTablesMetadata(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(), catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public Set<SchemaTableName> filterTables(TransactionId transactionId, Identity identity, String str, Set<SchemaTableName> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(set, "tableNames is null");
        if (filterCatalogs(identity, ImmutableSet.of(str)).isEmpty()) {
            return ImmutableSet.of();
        }
        Set<SchemaTableName> filterTables = this.systemAccessControl.get().filterTables(identity, str, set);
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            filterTables = connectorAccessControl.getAccessControl().filterTables(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), filterTables);
        }
        return filterTables;
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowColumnsMetadata(TransactionId transactionId, Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaTableName, "table is null");
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanShowColumnsMetadata(identity, catalogSchemaTableName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaTableName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowColumnsMetadata(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(), catalogSchemaTableName.getSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public List<ColumnMetadata> filterColumns(TransactionId transactionId, Identity identity, CatalogSchemaTableName catalogSchemaTableName, List<ColumnMetadata> list) {
        Objects.requireNonNull(transactionId, "transaction is null");
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaTableName, "tableName is null");
        if (filterTables(transactionId, identity, catalogSchemaTableName.getCatalogName(), ImmutableSet.of(catalogSchemaTableName.getSchemaTableName())).isEmpty()) {
            return ImmutableList.of();
        }
        List<ColumnMetadata> filterColumns = this.systemAccessControl.get().filterColumns(identity, catalogSchemaTableName, list);
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaTableName.getCatalogName());
        if (connectorAccessControl != null) {
            filterColumns = connectorAccessControl.getAccessControl().filterColumns(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(), catalogSchemaTableName.getSchemaTableName(), filterColumns);
        }
        return filterColumns;
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAddColumns(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanAddColumn(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanAddColumn(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropColumn(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropColumn(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropColumn(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRenameColumn(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameColumn(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameColumn(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanInsertIntoTable(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanInsertIntoTable(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanInsertIntoTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDeleteFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDeleteFromTable(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDeleteFromTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateIndex(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateIndex(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateIndex(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropIndex(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropIndex(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropIndex(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRenameIndex(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "indexName is null");
        Objects.requireNonNull(qualifiedObjectName2, "newIndexName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameIndex(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName), MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName2));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameIndex(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName), MetadataUtil.toSchemaTableName(qualifiedObjectName2));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanUpdateIndex(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanUpdateIndex(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanUpdateTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowIndex(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        if (qualifiedObjectName == null) {
            authenticationCheck(() -> {
                this.systemAccessControl.get().checkCanShowIndex(identity, (CatalogSchemaTableName) null);
            });
            return;
        }
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanShowIndex(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowIndex(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateView(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateView(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateView(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropView(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropView(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropView(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAlterView(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanAlterView(identity, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanAlterView(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateViewWithSelectFromColumns(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateViewWithSelectFromColumns(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName), set);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateViewWithSelectFromColumns(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName), set);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateMaterializedView(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "mvName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateMaterializedView(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateMaterializedView(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropMaterializedView(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "mvName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropMaterializedView(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropMaterializedView(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRefreshMaterializedView(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "mvName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRefreshMaterializedView(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRefreshMaterializedView(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanGrantTablePrivilege(TransactionId transactionId, Identity identity, Privilege privilege, QualifiedObjectName qualifiedObjectName, PrestoPrincipal prestoPrincipal, boolean z) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanGrantTablePrivilege(identity, privilege, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName), prestoPrincipal, z);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanGrantTablePrivilege(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), privilege, MetadataUtil.toSchemaTableName(qualifiedObjectName), prestoPrincipal, z);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRevokeTablePrivilege(TransactionId transactionId, Identity identity, Privilege privilege, QualifiedObjectName qualifiedObjectName, PrestoPrincipal prestoPrincipal, boolean z) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRevokeTablePrivilege(identity, privilege, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName), prestoPrincipal, z);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRevokeTablePrivilege(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), privilege, MetadataUtil.toSchemaTableName(qualifiedObjectName), prestoPrincipal, z);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetSystemSessionProperty(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "propertyName is null");
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSetSystemSessionProperty(identity, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetCatalogSessionProperty(TransactionId transactionId, Identity identity, String str, String str2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(str2, "propertyName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSetCatalogSessionProperty(identity, str, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSetCatalogSessionProperty(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), str2);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSelectFromColumns(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(set, "columnNames is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSelectFromColumns(identity, MetadataUtil.toCatalogSchemaTableName(qualifiedObjectName), set);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSelectFromColumns(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), MetadataUtil.toSchemaTableName(qualifiedObjectName), set);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateRole(TransactionId transactionId, Identity identity, String str, Optional<PrestoPrincipal> optional, String str2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str2, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateRole(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str2), str, optional);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropRole(TransactionId transactionId, Identity identity, String str, String str2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(str2, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropRole(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str2), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanGrantRoles(TransactionId transactionId, Identity identity, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(set, "roles is null");
        Objects.requireNonNull(set2, "grantees is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanGrantRoles(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), set, set2, z, optional, str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRevokeRoles(TransactionId transactionId, Identity identity, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(set, "roles is null");
        Objects.requireNonNull(set2, "grantees is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRevokeRoles(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), set, set2, z, optional, str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetRole(TransactionId transactionId, Identity identity, String str, String str2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(str2, "catalog is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSetRole(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str2), str, str2);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowRoles(TransactionId transactionId, Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowRoles(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowCurrentRoles(TransactionId transactionId, Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowCurrentRoles(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowRoleGrants(TransactionId transactionId, Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowRoleGrants(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public String applyRowFilters(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "table name is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        String applyRowLevelFiltering = this.systemAccessControl.get().applyRowLevelFiltering(identity, qualifiedObjectName.asCatalogSchemaTableName());
        if (applyRowLevelFiltering == null) {
            return null;
        }
        return applyRowLevelFiltering;
    }

    @Override // io.prestosql.security.AccessControl
    public String applyColumnMasking(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "table name is null");
        Objects.requireNonNull(str, "column name is null");
        String applyColumnMasking = this.systemAccessControl.get().applyColumnMasking(identity, qualifiedObjectName.asCatalogSchemaTableName(), str);
        if (applyColumnMasking == null) {
            return null;
        }
        return applyColumnMasking;
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAlterTable(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanAlterTable(identity, new CatalogSchemaTableName(qualifiedObjectName.getCatalogName(), qualifiedObjectName.getSchemaName(), qualifiedObjectName.getObjectName()));
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanAlterTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateFunction(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "functionName is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateFunction(identity, qualifiedObjectName);
        });
        FunctionNamespaceManagerAccessControl functionNamespaceManagerAccessControl = getFunctionNamespaceManagerAccessControl();
        if (functionNamespaceManagerAccessControl != null) {
            functionNamespaceManagerAccessControl.checkCanCreateFunction(identity, qualifiedObjectName);
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropFunction(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "functionName is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanDropFunction(identity, qualifiedObjectName);
        });
        FunctionNamespaceManagerAccessControl functionNamespaceManagerAccessControl = getFunctionNamespaceManagerAccessControl();
        if (functionNamespaceManagerAccessControl != null) {
            functionNamespaceManagerAccessControl.checkCanDropFunction(identity, qualifiedObjectName);
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAccessFunction(TransactionId transactionId, Identity identity, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "functionName is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanAccessFunction(identity, qualifiedObjectName);
        });
        FunctionNamespaceManagerAccessControl functionNamespaceManagerAccessControl = getFunctionNamespaceManagerAccessControl();
        if (functionNamespaceManagerAccessControl != null) {
            functionNamespaceManagerAccessControl.checkCanAccessFunction(identity, qualifiedObjectName);
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAccessNodeInfo(Identity identity) {
        Objects.requireNonNull(identity, "identity is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanAccessNodeInfo(identity);
        });
    }

    private CatalogAccessControlEntry getConnectorAccessControl(TransactionId transactionId, String str) {
        return (CatalogAccessControlEntry) this.transactionManager.getOptionalCatalogMetadata(transactionId, str).map(catalogMetadata -> {
            return this.connectorAccessControl.get(catalogMetadata.getCatalogName());
        }).orElse(null);
    }

    private FunctionNamespaceManagerAccessControl getFunctionNamespaceManagerAccessControl() {
        return this.functionNamespaceManagerAccessControl.getOrDefault("HetuEngine", null);
    }

    @Managed
    @Nested
    public CounterStat getAuthenticationSuccess() {
        return this.authenticationSuccess;
    }

    @Managed
    @Nested
    public CounterStat getAuthenticationFail() {
        return this.authenticationFail;
    }

    @Managed
    @Nested
    public CounterStat getAuthorizationSuccess() {
        return this.authorizationSuccess;
    }

    @Managed
    @Nested
    public CounterStat getAuthorizationFail() {
        return this.authorizationFail;
    }

    private void authenticationCheck(Runnable runnable) {
        try {
            runnable.run();
            this.authenticationSuccess.update(1L);
        } catch (PrestoException e) {
            this.authenticationFail.update(1L);
            throw e;
        }
    }

    private void authorizationCheck(Runnable runnable) {
        try {
            runnable.run();
            this.authorizationSuccess.update(1L);
        } catch (PrestoException e) {
            this.authorizationFail.update(1L);
            throw e;
        }
    }
}
