package oracle.kv.impl.admin.plan.task;

import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import oracle.kv.UnauthorizedException;
import oracle.kv.impl.admin.IllegalCommandException;
import oracle.kv.impl.admin.plan.SecurityMetadataPlan;
import oracle.kv.impl.api.table.TableImpl;
import oracle.kv.impl.api.table.TableMetadata;
import oracle.kv.impl.fault.ClientAccessException;
import oracle.kv.impl.metadata.Metadata;
import oracle.kv.impl.security.AccessCheckUtils;
import oracle.kv.impl.security.ExecutionContext;
import oracle.kv.impl.security.KVStorePrivilege;
import oracle.kv.impl.security.KVStorePrivilegeLabel;
import oracle.kv.impl.security.SystemPrivilege;
import oracle.kv.impl.security.TablePrivilege;
import oracle.kv.impl.security.metadata.SecurityMetadata;

/* loaded from: input_file:oracle/kv/impl/admin/plan/task/PrivilegeTask.class */
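/**
 * Security-metadata task state shared by privilege changes on a role.
 *
 * <p>The constructor validates the target role and resolves the requested
 * privilege names into {@link KVStorePrivilege} objects. When no table name is
 * given the names are resolved as system privileges; otherwise they are
 * resolved as privileges on that table, after an ownership/SYSOPER check.
 * The error messages refer to both granting and revoking, so the same
 * validation presumably backs both operations; the operation itself is not
 * implemented in this class.
 */
public class PrivilegeTask extends UpdateMetadata<SecurityMetadata> {
    private static final long serialVersionUID = 1;

    /** Case-insensitive keyword that expands to every privilege of the scope. */
    private static final String ALLPRIVS = "ALL";

    /** Message used whenever a non-read privilege is requested on a system table. */
    private static final String SYSTEM_TABLE_MSG =
        "Granting privileges other than read privilege for system tables is not permitted";

    final String roleName;
    final String tableName;
    final String namespace;
    final Set<KVStorePrivilege> privileges;

    /**
     * Validates the role and resolves the privilege names.
     *
     * @param privilegePlan the owning plan; its security metadata is used to
     *        look up the role
     * @param str the role name
     * @param str2 the table namespace (used only together with a table name)
     * @param str3 the table name, or {@code null} for system privileges
     * @param set the privilege names, matched case-insensitively; may contain
     *        the keyword {@code ALL}
     * @throws IllegalCommandException if the role or the table does not exist,
     *         or the role is read-only
     * @throws ClientAccessException if the caller may not change privileges on
     *         the table, or a non-read privilege is requested on a system table
     */
    public PrivilegeTask(SecurityMetadataPlan.PrivilegePlan privilegePlan, String str, String str2, String str3, Set<String> set) {
        super(privilegePlan);
        this.privileges = new HashSet<>();
        SecurityMetadata metadata = privilegePlan.getMetadata();
        this.roleName = str;
        this.tableName = str3;
        this.namespace = str2;
        if (metadata == null || metadata.getRole(str) == null) {
            throw new IllegalCommandException("Role with name " + str + " does not exist in store");
        }
        if (metadata.getRole(str).readonly()) {
            throw new IllegalCommandException("Cannot grant or revoke privileges to or from a read-only role: " + str);
        }
        // NOTE(review): this calls an overridable (package-private, non-final)
        // method from the constructor; a subclass override would run before
        // the subclass's own fields are initialised.
        parseToPrivileges(set);
    }

    /**
     * Resolves privilege names into {@link #privileges}.
     *
     * <p>With no table name the names are system privileges. With a table
     * name, the table must exist and the caller must pass
     * {@link #checkPermission(TableImpl)}; on a system table only
     * {@code READ_TABLE} is accepted, and that restriction also applies to the
     * {@code ALL} keyword.
     *
     * @param set the privilege names to resolve
     */
    void parseToPrivileges(Set<String> set) {
        if (this.tableName == null) {
            for (String name : set) {
                if (ALLPRIVS.equalsIgnoreCase(name)) {
                    this.privileges.addAll(SystemPrivilege.getAllSystemPrivileges());
                    return;
                }
                // NOTE(review): the lookup result is added unchecked; confirm
                // SystemPrivilege.get cannot return null for a label that
                // names a table-scoped privilege.
                this.privileges.add(SystemPrivilege.get(toLabel(name)));
            }
            return;
        }

        TableMetadata tableMetadata = (TableMetadata) getPlan().getAdmin().getMetadata(TableMetadata.class, Metadata.MetadataType.TABLE);
        // Look the table up once so the existence check, the permission check
        // and the privilege binding all refer to the same object.
        TableImpl table = (tableMetadata == null) ? null : tableMetadata.getTable(this.namespace, this.tableName);
        if (table == null) {
            String qualifiedName = TableMetadata.makeNamespaceName(this.namespace, this.tableName);
            throw new IllegalCommandException("Table with name " + qualifiedName + " does not exist");
        }
        checkPermission(table);

        boolean systemTable = table.isSystemTable();
        for (String name : set) {
            if (ALLPRIVS.equalsIgnoreCase(name)) {
                // ALL expands to every table privilege, which includes
                // non-read ones. Without this guard the shortcut would skip
                // the system-table restriction enforced per label below.
                if (systemTable) {
                    throw new ClientAccessException(new UnauthorizedException(SYSTEM_TABLE_MSG));
                }
                this.privileges.addAll(TablePrivilege.getAllTablePrivileges(table.getId(), table.getNamespaceName()));
                return;
            }
            KVStorePrivilegeLabel label = toLabel(name);
            if (systemTable && !label.equals(KVStorePrivilegeLabel.READ_TABLE)) {
                throw new ClientAccessException(new UnauthorizedException(SYSTEM_TABLE_MSG));
            }
            this.privileges.add(TablePrivilege.get(label, table.getId(), table.getNamespaceName()));
        }
    }

    /**
     * Maps a privilege name to its label, ignoring case.
     *
     * <p>Upper-casing uses {@link Locale#ROOT} so the result does not depend on
     * the JVM's default locale (for example, a Turkish locale upper-cases
     * {@code i} to a dotted capital, which would make names such as
     * {@code write_table} fail to resolve).
     *
     * @param name the privilege name as supplied by the caller
     * @return the matching label
     */
    private static KVStorePrivilegeLabel toLabel(String name) {
        // valueOf is presumably the enum lookup and rejects unknown names.
        return KVStorePrivilegeLabel.valueOf(name.toUpperCase(Locale.ROOT));
    }

    /**
     * Rejects the caller unless it owns the table or holds SYSOPER.
     *
     * <p>No check is made when there is no current execution context.
     * NOTE(review): confirm that a null context can only occur for internal or
     * non-secured invocations, since that path bypasses the ownership check.
     *
     * @param tableImpl the table whose privileges are being changed
     * @throws ClientAccessException wrapping {@link UnauthorizedException} if
     *         the caller neither owns the table nor has SYSOPER
     */
    private void checkPermission(TableImpl tableImpl) {
        ExecutionContext current = ExecutionContext.getCurrent();
        if (current == null) {
            return;
        }
        boolean authorized = AccessCheckUtils.currentUserOwnsResource(tableImpl)
            || current.hasPrivilege(SystemPrivilege.SYSOPER);
        if (!authorized) {
            throw new ClientAccessException(new UnauthorizedException("Insufficient privilege granted to grant or revoke privilege on non-owned tables."));
        }
    }
}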
