package com.huawei.flink.table.permission;

import com.huawei.flink.table.ranger.FlinkAccessType;
import com.huawei.flink.table.ranger.FlinkObjectType;
import com.huawei.flink.table.ranger.RangerFlinkPlugin;
import com.huawei.flink.table.ranger.RangerFlinkResource;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;
import org.apache.calcite.sql.SqlBasicCall;
import org.apache.calcite.sql.SqlBinaryOperator;
import org.apache.calcite.sql.SqlCall;
import org.apache.calcite.sql.SqlIdentifier;
import org.apache.calcite.sql.SqlJoin;
import org.apache.calcite.sql.SqlKind;
import org.apache.calcite.sql.SqlNode;
import org.apache.calcite.sql.SqlSelect;
import org.apache.calcite.sql.parser.SqlParserPos;
import org.apache.calcite.sql.util.SqlBasicVisitor;
import org.apache.flink.shaded.guava31.com.google.common.collect.ImmutableList;
import org.apache.flink.table.api.config.TableConfigOptions;
import org.apache.flink.table.catalog.CatalogManager;
import org.apache.flink.table.catalog.ObjectIdentifier;
import org.apache.flink.table.catalog.UnresolvedIdentifier;
import org.apache.flink.table.planner.parse.CalciteParser;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/huawei/flink/table/permission/RowFilterVisitor.class */
public class RowFilterVisitor extends SqlBasicVisitor<Void> {
    private static final Logger LOG = LoggerFactory.getLogger(RowFilterVisitor.class);
    private final RangerFlinkPlugin rangerFlinkPlugin;
    private final CalciteParser calciteParser;
    private final String username;
    private final CatalogManager catalogManager;

    public RowFilterVisitor(CatalogManager catalogManager, String str, Supplier<CalciteParser> supplier, RangerFlinkPlugin rangerFlinkPlugin) {
        this.catalogManager = catalogManager;
        this.username = str;
        this.calciteParser = supplier.get();
        this.rangerFlinkPlugin = rangerFlinkPlugin;
    }

    @Override // org.apache.calcite.sql.util.SqlBasicVisitor, org.apache.calcite.sql.util.SqlVisitor
    /* renamed from: visit */
    public Void mo4572visit(SqlCall sqlCall) {
        if (sqlCall instanceof SqlSelect) {
            SqlSelect sqlSelect = (SqlSelect) sqlCall;
            SqlNode where = sqlSelect.getWhere();
            SqlNode addCondition = addCondition(sqlSelect.getFrom(), where, false);
            if (addCondition != where) {
                LOG.info("Rewritten SQL based on row-level privilege filtering for user [{}]", this.username);
            }
            sqlSelect.setWhere(addCondition);
        }
        return (Void) super.mo4572visit(sqlCall);
    }

    private ObjectIdentifier getObjectIdentifier(String str) {
        return this.catalogManager.qualifyIdentifier(UnresolvedIdentifier.of(this.calciteParser.parseIdentifier(str).names));
    }

    private SqlNode addCondition(SqlNode sqlNode, SqlNode sqlNode2, boolean z) {
        if (sqlNode instanceof SqlIdentifier) {
            String sqlNode3 = sqlNode.toString();
            ObjectIdentifier objectIdentifier = getObjectIdentifier(sqlNode3);
            return ((String) TableConfigOptions.TABLE_CATALOG_NAME.defaultValue()).equals(objectIdentifier.getCatalogName()) ? sqlNode2 : addPermission(sqlNode2, objectIdentifier, z ? sqlNode3 : null);
        }
        if (sqlNode instanceof SqlJoin) {
            SqlJoin sqlJoin = (SqlJoin) sqlNode;
            return addCondition(sqlJoin.getRight(), addCondition(sqlJoin.getLeft(), sqlNode2, true), true);
        }
        if (!(sqlNode instanceof SqlBasicCall)) {
            return sqlNode2;
        }
        List<SqlNode> operandList = ((SqlBasicCall) sqlNode).getOperandList();
        if (!(operandList.get(0) instanceof SqlIdentifier)) {
            return sqlNode2;
        }
        ObjectIdentifier objectIdentifier2 = getObjectIdentifier(operandList.get(0).toString());
        return ((String) TableConfigOptions.TABLE_CATALOG_NAME.defaultValue()).equals(objectIdentifier2.getCatalogName()) ? sqlNode2 : addPermission(sqlNode2, objectIdentifier2, operandList.get(1).toString());
    }

    private SqlNode addPermission(SqlNode sqlNode, ObjectIdentifier objectIdentifier, String str) {
        Optional empty = Optional.empty();
        try {
            String filterExpr = this.rangerFlinkPlugin.evalRowFilterPolicies(new RangerAccessRequestImpl(new RangerFlinkResource(FlinkObjectType.TABLE, objectIdentifier.getDatabaseName(), objectIdentifier.getObjectName()), FlinkAccessType.SELECT.name().toLowerCase(), this.username, (Set) null, (Set) null), null).getFilterExpr();
            LOG.info("find ranger permissions, username: {}, catalogName: {}, databaseName: {}, tableName: {}, permissions: {}", new Object[]{this.username, objectIdentifier.getCatalogName(), objectIdentifier.getDatabaseName(), objectIdentifier.getObjectName(), filterExpr});
            if (filterExpr != null) {
                empty = Optional.of((SqlBasicCall) this.calciteParser.parseExpression(filterExpr));
            }
            if (!empty.isPresent()) {
                return buildWhereClause(sqlNode, null);
            }
            SqlBasicCall sqlBasicCall = (SqlBasicCall) empty.get();
            if (str != null) {
                sqlBasicCall.setOperand(0, new SqlIdentifier(ImmutableList.of(str, sqlBasicCall.getOperandList().get(0).toString()), null, new SqlParserPos(0, 0), null));
            }
            return buildWhereClause(sqlNode, sqlBasicCall);
        } catch (Exception e) {
            throw new RuntimeException(e.toString());
        }
    }

    private SqlNode buildWhereClause(SqlNode sqlNode, SqlBasicCall sqlBasicCall) {
        return sqlBasicCall != null ? sqlNode == null ? sqlBasicCall : new SqlBasicCall(new SqlBinaryOperator(SqlKind.AND.name(), SqlKind.AND, 0, true, null, null, null), new SqlNode[]{sqlNode, sqlBasicCall}, new SqlParserPos(0, 0)) : sqlNode;
    }
}
