package io.prestosql.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.airlift.log.Logger;
import io.airlift.stats.CounterStat;
import io.prestosql.FullConnectorSecurityContext;
import io.prestosql.connector.CatalogName;
import io.prestosql.metadata.QualifiedObjectName;
import io.prestosql.plugin.base.security.AllowAllSystemAccessControl;
import io.prestosql.plugin.base.security.FileBasedSystemAccessControl;
import io.prestosql.plugin.base.security.ReadOnlySystemAccessControl;
import io.prestosql.spi.PrestoException;
import io.prestosql.spi.StandardErrorCode;
import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.ConnectorAccessControl;
import io.prestosql.spi.connector.ConnectorSecurityContext;
import io.prestosql.spi.connector.ConnectorTransactionHandle;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.Identity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.SystemAccessControl;
import io.prestosql.spi.security.SystemAccessControlFactory;
import io.prestosql.spi.security.SystemSecurityContext;
import io.prestosql.transaction.TransactionId;
import io.prestosql.transaction.TransactionManager;
import io.prestosql.util.PropertiesUtil;
import java.io.File;
import java.security.Principal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import javax.inject.Inject;
import org.weakref.jmx.Managed;
import org.weakref.jmx.Nested;

/* loaded from: input_file:io/prestosql/security/AccessControlManager.class */
public class AccessControlManager implements AccessControl {
    private static final Logger log = Logger.get(AccessControlManager.class);
    private static final File CONFIG_FILE = new File("etc/access-control.properties");
    private static final String NAME_PROPERTY = "access-control.name";
    private final TransactionManager transactionManager;
    private final Map<String, SystemAccessControlFactory> systemAccessControlFactories = new ConcurrentHashMap();
    private final Map<CatalogName, CatalogAccessControlEntry> connectorAccessControl = new ConcurrentHashMap();
    private final AtomicReference<SystemAccessControl> systemAccessControl = new AtomicReference<>(new InitializingSystemAccessControl());
    private final AtomicBoolean systemAccessControlLoading = new AtomicBoolean();
    private final CounterStat authenticationSuccess = new CounterStat();
    private final CounterStat authenticationFail = new CounterStat();
    private final CounterStat authorizationSuccess = new CounterStat();
    private final CounterStat authorizationFail = new CounterStat();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/prestosql/security/AccessControlManager$CatalogAccessControlEntry.class */
    public class CatalogAccessControlEntry {
        private final CatalogName catalogName;
        private final ConnectorAccessControl accessControl;

        public CatalogAccessControlEntry(CatalogName catalogName, ConnectorAccessControl connectorAccessControl) {
            this.catalogName = (CatalogName) Objects.requireNonNull(catalogName, "catalogName is null");
            this.accessControl = (ConnectorAccessControl) Objects.requireNonNull(connectorAccessControl, "accessControl is null");
        }

        public CatalogName getCatalogName() {
            return this.catalogName;
        }

        public ConnectorAccessControl getAccessControl() {
            return this.accessControl;
        }

        public ConnectorTransactionHandle getTransactionHandle(TransactionId transactionId) {
            return AccessControlManager.this.transactionManager.getConnectorTransaction(transactionId, this.catalogName);
        }

        public ConnectorSecurityContext toConnectorSecurityContext(SecurityContext securityContext) {
            return toConnectorSecurityContext(securityContext.getTransactionId(), securityContext.getIdentity());
        }

        public ConnectorSecurityContext toConnectorSecurityContext(TransactionId transactionId, Identity identity) {
            return new FullConnectorSecurityContext(AccessControlManager.this.transactionManager.getConnectorTransaction(transactionId, this.catalogName), identity.toConnectorIdentity(this.catalogName.getCatalogName()));
        }
    }

    /* loaded from: input_file:io/prestosql/security/AccessControlManager$InitializingSystemAccessControl.class */
    private static class InitializingSystemAccessControl implements SystemAccessControl {
        private InitializingSystemAccessControl() {
        }

        public void checkCanSetUser(Optional<Principal> optional, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }

        public void checkCanSetSystemSessionProperty(SystemSecurityContext systemSecurityContext, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }

        public void checkCanAccessCatalog(SystemSecurityContext systemSecurityContext, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }
    }

    @Inject
    public AccessControlManager(TransactionManager transactionManager) {
        this.transactionManager = (TransactionManager) Objects.requireNonNull(transactionManager, "transactionManager is null");
        addSystemAccessControlFactory(new AllowAllSystemAccessControl.Factory());
        addSystemAccessControlFactory(new ReadOnlySystemAccessControl.Factory());
        addSystemAccessControlFactory(new FileBasedSystemAccessControl.Factory());
    }

    public final void addSystemAccessControlFactory(SystemAccessControlFactory systemAccessControlFactory) {
        Objects.requireNonNull(systemAccessControlFactory, "accessControlFactory is null");
        if (this.systemAccessControlFactories.putIfAbsent(systemAccessControlFactory.getName(), systemAccessControlFactory) != null) {
            throw new IllegalArgumentException(String.format("Access control '%s' is already registered", systemAccessControlFactory.getName()));
        }
    }

    public void addCatalogAccessControl(CatalogName catalogName, ConnectorAccessControl connectorAccessControl) {
        Objects.requireNonNull(catalogName, "catalogName is null");
        Objects.requireNonNull(connectorAccessControl, "accessControl is null");
        Preconditions.checkState(this.connectorAccessControl.putIfAbsent(catalogName, new CatalogAccessControlEntry(catalogName, connectorAccessControl)) == null, "Access control for connector '%s' is already registered", catalogName);
    }

    public void removeCatalogAccessControl(CatalogName catalogName) {
        this.connectorAccessControl.remove(catalogName);
    }

    public void loadSystemAccessControl() throws Exception {
        File absoluteFile = CONFIG_FILE.getAbsoluteFile();
        if (!absoluteFile.exists()) {
            setSystemAccessControl("allow-all", ImmutableMap.of());
            return;
        }
        HashMap hashMap = new HashMap(PropertiesUtil.loadProperties(absoluteFile));
        String remove = hashMap.remove(NAME_PROPERTY);
        Preconditions.checkState(!Strings.isNullOrEmpty(remove), "Access control configuration %s does not contain '%s'", absoluteFile, NAME_PROPERTY);
        setSystemAccessControl(remove, hashMap);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    public void setSystemAccessControl(String str, Map<String, String> map) {
        Objects.requireNonNull(str, "name is null");
        Objects.requireNonNull(map, "properties is null");
        Preconditions.checkState(this.systemAccessControlLoading.compareAndSet(false, true), "System access control already initialized");
        log.info("-- Loading system access control --");
        SystemAccessControlFactory systemAccessControlFactory = this.systemAccessControlFactories.get(str);
        Preconditions.checkState(systemAccessControlFactory != null, "Access control '%s' is not registered", str);
        this.systemAccessControl.set(systemAccessControlFactory.create(ImmutableMap.copyOf(map)));
        log.info("-- Loaded system access control %s --", new Object[]{str});
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetUser(Optional<Principal> optional, String str) {
        Objects.requireNonNull(optional, "principal is null");
        Objects.requireNonNull(str, "userName is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanSetUser(optional, str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public Set<String> filterCatalogs(Identity identity, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(set, "catalogs is null");
        return this.systemAccessControl.get().filterCatalogs(new SystemSecurityContext(identity), set);
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAccessCatalog(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalog is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanAccessCatalog(new SystemSecurityContext(identity), str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateSchema(securityContext.toSystemSecurityContext(), catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateSchema(connectorAccessControl.toConnectorSecurityContext(securityContext), catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropSchema(securityContext.toSystemSecurityContext(), catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropSchema(connectorAccessControl.toConnectorSecurityContext(securityContext), catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRenameSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName, String str) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameSchema(securityContext.toSystemSecurityContext(), catalogSchemaName, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameSchema(connectorAccessControl.toConnectorSecurityContext(securityContext), catalogSchemaName.getSchemaName(), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowSchemas(SecurityContext securityContext, String str) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), str);
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanShowSchemas(securityContext.toSystemSecurityContext(), str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowSchemas(connectorAccessControl.toConnectorSecurityContext(securityContext));
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public Set<String> filterSchemas(SecurityContext securityContext, String str, Set<String> set) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(set, "schemaNames is null");
        if (filterCatalogs(securityContext.getIdentity(), ImmutableSet.of(str)).isEmpty()) {
            return ImmutableSet.of();
        }
        Set<String> filterSchemas = this.systemAccessControl.get().filterSchemas(securityContext.toSystemSecurityContext(), str, set);
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            filterSchemas = connectorAccessControl.getAccessControl().filterSchemas(connectorAccessControl.toConnectorSecurityContext(securityContext), filterSchemas);
        }
        return filterSchemas;
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateTable(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropTable(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRenameTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(qualifiedObjectName2, "newTableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), qualifiedObjectName2.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameTable(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName(), qualifiedObjectName2.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetTableComment(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSetTableComment(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSetTableComment(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowTablesMetadata(SecurityContext securityContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(catalogSchemaName, "schema is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanShowTablesMetadata(securityContext.toSystemSecurityContext(), catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowTablesMetadata(connectorAccessControl.toConnectorSecurityContext(securityContext), catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public Set<SchemaTableName> filterTables(SecurityContext securityContext, String str, Set<SchemaTableName> set) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(set, "tableNames is null");
        if (filterCatalogs(securityContext.getIdentity(), ImmutableSet.of(str)).isEmpty()) {
            return ImmutableSet.of();
        }
        Set<SchemaTableName> filterTables = this.systemAccessControl.get().filterTables(securityContext.toSystemSecurityContext(), str, set);
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            filterTables = connectorAccessControl.getAccessControl().filterTables(connectorAccessControl.toConnectorSecurityContext(securityContext), filterTables);
        }
        return filterTables;
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowColumnsMetadata(SecurityContext securityContext, CatalogSchemaTableName catalogSchemaTableName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(catalogSchemaTableName, "table is null");
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanShowColumnsMetadata(securityContext.toSystemSecurityContext(), catalogSchemaTableName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), catalogSchemaTableName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowColumnsMetadata(connectorAccessControl.toConnectorSecurityContext(securityContext), catalogSchemaTableName.getSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public List<ColumnMetadata> filterColumns(SecurityContext securityContext, CatalogSchemaTableName catalogSchemaTableName, List<ColumnMetadata> list) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(catalogSchemaTableName, "tableName is null");
        if (filterTables(securityContext, catalogSchemaTableName.getCatalogName(), ImmutableSet.of(catalogSchemaTableName.getSchemaTableName())).isEmpty()) {
            return ImmutableList.of();
        }
        List<ColumnMetadata> filterColumns = this.systemAccessControl.get().filterColumns(securityContext.toSystemSecurityContext(), catalogSchemaTableName, list);
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), catalogSchemaTableName.getCatalogName());
        if (connectorAccessControl != null) {
            filterColumns = connectorAccessControl.getAccessControl().filterColumns(connectorAccessControl.toConnectorSecurityContext(securityContext), catalogSchemaTableName.getSchemaTableName(), filterColumns);
        }
        return filterColumns;
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanAddColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanAddColumn(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanAddColumn(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropColumn(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropColumn(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropColumn(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRenameColumn(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameColumn(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameColumn(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanInsertIntoTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanInsertIntoTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanInsertIntoTable(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDeleteFromTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDeleteFromTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDeleteFromTable(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateView(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropView(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateViewWithSelectFromColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateViewWithSelectFromColumns(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), set);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateViewWithSelectFromColumns(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName(), set);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanGrantTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName qualifiedObjectName, PrestoPrincipal prestoPrincipal, boolean z) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanGrantTablePrivilege(securityContext.toSystemSecurityContext(), privilege, qualifiedObjectName.asCatalogSchemaTableName(), prestoPrincipal, z);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanGrantTablePrivilege(connectorAccessControl.toConnectorSecurityContext(securityContext), privilege, qualifiedObjectName.asSchemaTableName(), prestoPrincipal, z);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRevokeTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName qualifiedObjectName, PrestoPrincipal prestoPrincipal, boolean z) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRevokeTablePrivilege(securityContext.toSystemSecurityContext(), privilege, qualifiedObjectName.asCatalogSchemaTableName(), prestoPrincipal, z);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRevokeTablePrivilege(connectorAccessControl.toConnectorSecurityContext(securityContext), privilege, qualifiedObjectName.asSchemaTableName(), prestoPrincipal, z);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetSystemSessionProperty(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "propertyName is null");
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSetSystemSessionProperty(new SystemSecurityContext(identity), str);
        });
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetCatalogSessionProperty(TransactionId transactionId, Identity identity, String str, String str2) {
        Objects.requireNonNull(transactionId, "transactionId is null");
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(str2, "propertyName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str);
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSetCatalogSessionProperty(new SystemSecurityContext(identity), str, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSetCatalogSessionProperty(connectorAccessControl.toConnectorSecurityContext(transactionId, identity), str2);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSelectFromColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(set, "columnNames is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSelectFromColumns(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), set);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSelectFromColumns(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName(), set);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanCreateRole(SecurityContext securityContext, String str, Optional<PrestoPrincipal> optional, String str2) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str2, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateRole(connectorAccessControl.toConnectorSecurityContext(securityContext), str, optional);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanDropRole(SecurityContext securityContext, String str, String str2) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(str2, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropRole(connectorAccessControl.toConnectorSecurityContext(securityContext), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanGrantRoles(SecurityContext securityContext, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(set, "roles is null");
        Objects.requireNonNull(set2, "grantees is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanGrantRoles(connectorAccessControl.toConnectorSecurityContext(securityContext), set, set2, z, optional, str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanRevokeRoles(SecurityContext securityContext, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(set, "roles is null");
        Objects.requireNonNull(set2, "grantees is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRevokeRoles(connectorAccessControl.toConnectorSecurityContext(securityContext), set, set2, z, optional, str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanSetRole(TransactionId transactionId, Identity identity, String str, String str2) {
        Objects.requireNonNull(transactionId, "transactionId is null");
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(str2, "catalog is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSetRole(connectorAccessControl.toConnectorSecurityContext(transactionId, identity), str, str2);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowRoles(SecurityContext securityContext, String str) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowRoles(connectorAccessControl.toConnectorSecurityContext(securityContext), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowCurrentRoles(SecurityContext securityContext, String str) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowCurrentRoles(connectorAccessControl.toConnectorSecurityContext(securityContext), str);
            });
        }
    }

    @Override // io.prestosql.security.AccessControl
    public void checkCanShowRoleGrants(SecurityContext securityContext, String str) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(securityContext.getIdentity(), str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowRoleGrants(connectorAccessControl.toConnectorSecurityContext(securityContext), str);
            });
        }
    }

    private CatalogAccessControlEntry getConnectorAccessControl(TransactionId transactionId, String str) {
        return (CatalogAccessControlEntry) this.transactionManager.getOptionalCatalogMetadata(transactionId, str).map(catalogMetadata -> {
            return this.connectorAccessControl.get(catalogMetadata.getCatalogName());
        }).orElse(null);
    }

    @Managed
    @Nested
    public CounterStat getAuthenticationSuccess() {
        return this.authenticationSuccess;
    }

    @Managed
    @Nested
    public CounterStat getAuthenticationFail() {
        return this.authenticationFail;
    }

    @Managed
    @Nested
    public CounterStat getAuthorizationSuccess() {
        return this.authorizationSuccess;
    }

    @Managed
    @Nested
    public CounterStat getAuthorizationFail() {
        return this.authorizationFail;
    }

    private void authenticationCheck(Runnable runnable) {
        try {
            runnable.run();
            this.authenticationSuccess.update(1L);
        } catch (PrestoException e) {
            this.authenticationFail.update(1L);
            throw e;
        }
    }

    private void authorizationCheck(Runnable runnable) {
        try {
            runnable.run();
            this.authorizationSuccess.update(1L);
        } catch (PrestoException e) {
            this.authorizationFail.update(1L);
            throw e;
        }
    }
}
