package io.prestosql.plugin.base.security;

import com.google.common.collect.ImmutableSet;
import io.prestosql.plugin.base.security.TableAccessControlRule;
import io.prestosql.plugin.base.util.JsonUtils;
import io.prestosql.spi.connector.ConnectorAccessControl;
import io.prestosql.spi.connector.ConnectorSecurityContext;
import io.prestosql.spi.connector.SchemaRoutineName;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.ConnectorIdentity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.ViewExpression;
import io.prestosql.spi.type.Type;
import java.nio.file.Paths;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Stream;

/* loaded from: input_file:io/prestosql/plugin/base/security/FileBasedAccessControl.class */
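/**
 * Connector access control whose decisions come from a JSON rules file loaded once at construction.
 *
 * <p>Every rule list is consulted in file order and the <em>first</em> rule that matches the caller's
 * user/groups (and the schema, table or property in question) decides; later rules are never reached.
 * When no rule matches, access is denied. Tables in {@value #INFORMATION_SCHEMA_NAME} are exempt from
 * all table and column rules. Role management and table-level GRANT/REVOKE are denied unconditionally.
 *
 * <p>Instances are effectively immutable after construction: the rule lists are read, never modified.
 */
public class FileBasedAccessControl implements ConnectorAccessControl {
    /** Schema whose tables bypass the table/column checks and carry no row filter or column mask. */
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";

    private final String catalogName;
    // Each list keeps the file order of the rules; the first matching rule wins.
    private final List<SchemaAccessControlRule> schemaRules;
    private final List<TableAccessControlRule> tableRules;
    private final List<SessionPropertyAccessControlRule> sessionPropertyRules;
    // Derived from schemaRules and tableRules: the "is any part of this schema visible to me" set.
    private final Set<AnySchemaPermissionsRule> anySchemaPermissionsRules;

    /**
     * Reads and parses the rules file named by {@code config.getConfigFile()}.
     *
     * @param catalogName catalog this instance guards; handed to row filters and column masks
     * @param config      supplies the path of the JSON rules file
     * @throws NullPointerException if {@code catalogName} is null
     */
    public FileBasedAccessControl(String catalogName, FileBasedAccessControlConfig config) {
        this.catalogName = Objects.requireNonNull(catalogName, "catalogName is null");
        AccessControlRules rules = (AccessControlRules) JsonUtils.parseJson(Paths.get(config.getConfigFile()), AccessControlRules.class);
        this.schemaRules = rules.getSchemaRules();
        this.tableRules = rules.getTableRules();
        this.sessionPropertyRules = rules.getSessionPropertyRules();

        // A schema is listed for a user when any schema rule or any table rule grants them something in it.
        ImmutableSet.Builder<AnySchemaPermissionsRule> anySchema = ImmutableSet.builder();
        schemaRules.stream()
                .map(SchemaAccessControlRule::toAnySchemaPermissionsRule)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .forEach(anySchema::add);
        tableRules.stream()
                .map(TableAccessControlRule::toAnySchemaPermissionsRule)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .forEach(anySchema::add);
        this.anySchemaPermissionsRules = anySchema.build();
    }

    /** Allowed only for a schema owner. */
    @Override
    public void checkCanCreateSchema(ConnectorSecurityContext context, String schemaName) {
        if (!isSchemaOwner(context, schemaName)) {
            AccessDeniedException.denyCreateSchema(schemaName);
        }
    }

    /** Allowed only for a schema owner. */
    @Override
    public void checkCanDropSchema(ConnectorSecurityContext context, String schemaName) {
        if (!isSchemaOwner(context, schemaName)) {
            AccessDeniedException.denyDropSchema(schemaName);
        }
    }

    /** Requires ownership of both the current and the new schema name. */
    @Override
    public void checkCanRenameSchema(ConnectorSecurityContext context, String schemaName, String newSchemaName) {
        if (!(isSchemaOwner(context, schemaName) && isSchemaOwner(context, newSchemaName))) {
            AccessDeniedException.denyRenameSchema(schemaName, newSchemaName);
        }
    }

    /** Allowed only for a schema owner; the target principal is not consulted. */
    @Override
    public void checkCanSetSchemaAuthorization(ConnectorSecurityContext context, String schemaName, PrestoPrincipal principal) {
        if (!isSchemaOwner(context, schemaName)) {
            AccessDeniedException.denySetSchemaAuthorization(schemaName, principal);
        }
    }

    /** Always allowed; the visible set is narrowed by {@link #filterSchemas} instead. */
    @Override
    public void checkCanShowSchemas(ConnectorSecurityContext context) {
    }

    /** Keeps only the schemas in which some rule grants the caller anything. */
    @Override
    public Set<String> filterSchemas(ConnectorSecurityContext context, Set<String> schemaNames) {
        return schemaNames.stream()
                .filter(schemaName -> checkAnySchemaAccess(context, schemaName))
                .collect(ImmutableSet.toImmutableSet());
    }

    /** Allowed only for a schema owner. */
    @Override
    public void checkCanShowCreateSchema(ConnectorSecurityContext context, String schemaName) {
        if (!isSchemaOwner(context, schemaName)) {
            AccessDeniedException.denyShowCreateSchema(schemaName);
        }
    }

    /** Requires the OWNERSHIP privilege on the table. */
    @Override
    public void checkCanShowCreateTable(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyShowCreateTable(tableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the (not yet existing) table name. */
    @Override
    public void checkCanCreateTable(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyCreateTable(tableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the table. */
    @Override
    public void checkCanDropTable(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyDropTable(tableName.toString());
        }
    }

    /** Allowed when the caller has any access to the schema; the list itself is narrowed by {@link #filterTables}. */
    @Override
    public void checkCanShowTables(ConnectorSecurityContext context, String schemaName) {
        if (!checkAnySchemaAccess(context, schemaName)) {
            AccessDeniedException.denyShowTables(schemaName);
        }
    }

    /** Keeps tables whose schema the caller owns or on which the first matching rule grants any privilege. */
    @Override
    public Set<SchemaTableName> filterTables(ConnectorSecurityContext context, Set<SchemaTableName> tableNames) {
        return tableNames.stream()
                .filter(tableName -> isSchemaOwner(context, tableName.getSchemaName())
                        || checkAnyTablePermission(context, tableName))
                .collect(ImmutableSet.toImmutableSet());
    }

    /** Allowed when the first matching rule grants any privilege on the table. */
    @Override
    public void checkCanShowColumns(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkAnyTablePermission(context, tableName)) {
            AccessDeniedException.denyShowColumns(tableName.toString());
        }
    }

    /**
     * Narrows the visible columns of a table.
     *
     * <p>information_schema tables are returned unfiltered. Otherwise the first matching table rule
     * decides: no rule, or a rule with no privileges, hides every column; a rule granting anything
     * beyond SELECT exposes every column; a SELECT-only rule hides its restricted columns.
     *
     * @return the subset of {@code columns} the caller may see, possibly the same instance
     */
    @Override
    public Set<String> filterColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columns) {
        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
            return columns;
        }
        TableAccessControlRule rule = findTableRule(context, tableName).orElse(null);
        if (rule == null || rule.getPrivileges().isEmpty()) {
            return ImmutableSet.of();
        }
        // Column restrictions only take effect on SELECT-only rules; any broader privilege shows everything.
        boolean hasNonSelectPrivilege = rule.getPrivileges().stream()
                .anyMatch(privilege -> privilege != TableAccessControlRule.TablePrivilege.SELECT);
        if (hasNonSelectPrivilege) {
            return columns;
        }
        Set<String> restrictedColumns = rule.getRestrictedColumns();
        return columns.stream()
                .filter(column -> !restrictedColumns.contains(column))
                .collect(ImmutableSet.toImmutableSet());
    }

    /** Requires the OWNERSHIP privilege on both the current and the new table name. */
    @Override
    public void checkCanRenameTable(ConnectorSecurityContext context, SchemaTableName tableName, SchemaTableName newTableName) {
        if (!(checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)
                && checkTablePermission(context, newTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP))) {
            AccessDeniedException.denyRenameTable(tableName.toString(), newTableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the table. */
    @Override
    public void checkCanSetTableComment(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyCommentTable(tableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the table. */
    @Override
    public void checkCanSetColumnComment(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyCommentColumn(tableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the table. */
    @Override
    public void checkCanAddColumn(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyAddColumn(tableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the table. */
    @Override
    public void checkCanDropColumn(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyDropColumn(tableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the table. */
    @Override
    public void checkCanRenameColumn(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyRenameColumn(tableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the table; the target principal is not consulted. */
    @Override
    public void checkCanSetTableAuthorization(ConnectorSecurityContext context, SchemaTableName tableName, PrestoPrincipal principal) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denySetTableAuthorization(tableName.toString(), principal);
        }
    }

    /**
     * Allowed for information_schema, or when the first matching table rule permits selecting all of
     * {@code columns}. With no matching rule the request is denied.
     */
    @Override
    public void checkCanSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columns) {
        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
            return;
        }
        boolean allowed = findTableRule(context, tableName)
                .map(rule -> rule.canSelectColumns(columns))
                .orElse(false);
        if (!allowed) {
            AccessDeniedException.denySelectTable(tableName.toString());
        }
    }

    /** Requires the INSERT privilege on the table. */
    @Override
    public void checkCanInsertIntoTable(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.INSERT)) {
            AccessDeniedException.denyInsertTable(tableName.toString());
        }
    }

    /** Requires the DELETE privilege on the table. */
    @Override
    public void checkCanDeleteFromTable(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (!checkTablePermission(context, tableName, TableAccessControlRule.TablePrivilege.DELETE)) {
            AccessDeniedException.denyDeleteTable(tableName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the view name. */
    @Override
    public void checkCanCreateView(ConnectorSecurityContext context, SchemaTableName viewName) {
        if (!checkTablePermission(context, viewName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyCreateView(viewName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on both the current and the new view name. */
    @Override
    public void checkCanRenameView(ConnectorSecurityContext context, SchemaTableName viewName, SchemaTableName newViewName) {
        if (!(checkTablePermission(context, viewName, TableAccessControlRule.TablePrivilege.OWNERSHIP)
                && checkTablePermission(context, newViewName, TableAccessControlRule.TablePrivilege.OWNERSHIP))) {
            AccessDeniedException.denyRenameView(viewName.toString(), newViewName.toString());
        }
    }

    /** Requires the OWNERSHIP privilege on the view; the target principal is not consulted. */
    @Override
    public void checkCanSetViewAuthorization(ConnectorSecurityContext context, SchemaTableName viewName, PrestoPrincipal principal) {
        if (!checkTablePermission(context, viewName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denySetViewAuthorization(viewName.toString(), principal);
        }
    }

    /** Requires the OWNERSHIP privilege on the view. */
    @Override
    public void checkCanDropView(ConnectorSecurityContext context, SchemaTableName viewName) {
        if (!checkTablePermission(context, viewName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyDropView(viewName.toString());
        }
    }

    /**
     * A view owner reading {@code tableName} on behalf of the view's users needs, from the first
     * matching rule, both the right to select {@code columns} and the GRANT_SELECT privilege.
     * information_schema tables are always allowed.
     */
    @Override
    public void checkCanCreateViewWithSelectFromColumns(ConnectorSecurityContext context, SchemaTableName tableName, Set<String> columns) {
        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
            return;
        }
        TableAccessControlRule rule = findTableRule(context, tableName).orElse(null);
        if (rule == null || !rule.canSelectColumns(columns)) {
            AccessDeniedException.denySelectTable(tableName.toString());
        }
        // Only reached when denySelectTable did not return normally, so rule is non-null here.
        if (!rule.getPrivileges().contains(TableAccessControlRule.TablePrivilege.GRANT_SELECT)) {
            AccessDeniedException.denyCreateViewWithSelect(tableName.toString(), context.getIdentity());
        }
    }

    /** Decided by the first session-property rule that matches the caller and the property. */
    @Override
    public void checkCanSetCatalogSessionProperty(ConnectorSecurityContext context, String propertyName) {
        if (!canSetSessionProperty(context, propertyName)) {
            AccessDeniedException.denySetCatalogSessionProperty(propertyName);
        }
    }

    /** Allowed only for a schema owner; the privilege, grantee and grant option are not consulted. */
    @Override
    public void checkCanGrantSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, PrestoPrincipal grantee, boolean grantOption) {
        if (!isSchemaOwner(context, schemaName)) {
            AccessDeniedException.denyGrantSchemaPrivilege(privilege.name(), schemaName);
        }
    }

    /** Allowed only for a schema owner; the privilege, revokee and grant option are not consulted. */
    @Override
    public void checkCanRevokeSchemaPrivilege(ConnectorSecurityContext context, Privilege privilege, String schemaName, PrestoPrincipal revokee, boolean grantOption) {
        if (!isSchemaOwner(context, schemaName)) {
            AccessDeniedException.denyRevokeSchemaPrivilege(privilege.name(), schemaName);
        }
    }

    /** Table-level grants cannot be expressed in the rules file, so this is always denied. */
    @Override
    public void checkCanGrantTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal grantee, boolean grantOption) {
        AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), tableName.toString());
    }

    /** Table-level revokes cannot be expressed in the rules file, so this is always denied. */
    @Override
    public void checkCanRevokeTablePrivilege(ConnectorSecurityContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal revokee, boolean grantOption) {
        AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), tableName.toString());
    }

    /** Roles are not managed by this implementation; always denied. */
    @Override
    public void checkCanCreateRole(ConnectorSecurityContext context, String role, Optional<PrestoPrincipal> grantor) {
        AccessDeniedException.denyCreateRole(role);
    }

    /** Roles are not managed by this implementation; always denied. */
    @Override
    public void checkCanDropRole(ConnectorSecurityContext context, String role) {
        AccessDeniedException.denyDropRole(role);
    }

    /** Roles are not managed by this implementation; always denied. */
    @Override
    public void checkCanGrantRoles(ConnectorSecurityContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean withAdminOption, Optional<PrestoPrincipal> grantor, String catalogName) {
        AccessDeniedException.denyGrantRoles(roles, grantees);
    }

    /** Roles are not managed by this implementation; always denied. */
    @Override
    public void checkCanRevokeRoles(ConnectorSecurityContext context, Set<String> roles, Set<PrestoPrincipal> grantees, boolean adminOptionFor, Optional<PrestoPrincipal> grantor, String catalogName) {
        AccessDeniedException.denyRevokeRoles(roles, grantees);
    }

    /** Roles are not managed by this implementation; always denied. */
    @Override
    public void checkCanSetRole(ConnectorSecurityContext context, String role, String catalogName) {
        AccessDeniedException.denySetRole(role);
    }

    /** Always allowed: listing role metadata is not restricted by the rules file. */
    @Override
    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext context, String catalogName) {
    }

    /** Always allowed: listing role metadata is not restricted by the rules file. */
    @Override
    public void checkCanShowRoles(ConnectorSecurityContext context, String catalogName) {
    }

    /** Always allowed: listing role metadata is not restricted by the rules file. */
    @Override
    public void checkCanShowCurrentRoles(ConnectorSecurityContext context, String catalogName) {
    }

    /** Always allowed: listing role metadata is not restricted by the rules file. */
    @Override
    public void checkCanShowRoleGrants(ConnectorSecurityContext context, String catalogName) {
    }

    /** Always allowed: procedure execution is not restricted by the rules file. */
    @Override
    public void checkCanExecuteProcedure(ConnectorSecurityContext context, SchemaRoutineName procedure) {
    }

    /**
     * Row filter from the first matching table rule, if it defines one.
     *
     * @return empty for information_schema, when no rule matches, or when the rule has no filter
     */
    @Override
    public Optional<ViewExpression> getRowFilter(ConnectorSecurityContext context, SchemaTableName tableName) {
        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
            return Optional.empty();
        }
        ConnectorIdentity identity = context.getIdentity();
        return findTableRule(context, tableName)
                .flatMap(rule -> rule.getFilter(identity.getUser(), catalogName, tableName.getSchemaName()));
    }

    /**
     * Column mask for {@code columnName} from the first matching table rule, if it defines one.
     *
     * @return empty for information_schema, when no rule matches, or when the rule has no mask for the column
     */
    @Override
    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext context, SchemaTableName tableName, String columnName, Type type) {
        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
            return Optional.empty();
        }
        ConnectorIdentity identity = context.getIdentity();
        return findTableRule(context, tableName)
                .flatMap(rule -> rule.getColumnMask(identity.getUser(), catalogName, tableName.getSchemaName(), columnName));
    }

    /** First table rule, in file order, matching the caller's user/groups and {@code tableName}. */
    private Optional<TableAccessControlRule> findTableRule(ConnectorSecurityContext context, SchemaTableName tableName) {
        ConnectorIdentity identity = context.getIdentity();
        return tableRules.stream()
                .filter(rule -> rule.matches(identity.getUser(), identity.getGroups(), tableName))
                .findFirst();
    }

    /** First session-property rule with an opinion decides; no opinion means denied. */
    private boolean canSetSessionProperty(ConnectorSecurityContext context, String propertyName) {
        ConnectorIdentity identity = context.getIdentity();
        for (SessionPropertyAccessControlRule rule : sessionPropertyRules) {
            Optional<Boolean> decision = rule.match(identity.getUser(), identity.getGroups(), propertyName);
            if (decision.isPresent()) {
                return decision.get();
            }
        }
        return false;
    }

    /** True when the first matching table rule grants at least one privilege. */
    private boolean checkAnyTablePermission(ConnectorSecurityContext context, SchemaTableName tableName) {
        return checkTablePermission(context, tableName, privileges -> !privileges.isEmpty());
    }

    /** True when the first matching table rule grants {@code privilege}. */
    private boolean checkTablePermission(ConnectorSecurityContext context, SchemaTableName tableName, TableAccessControlRule.TablePrivilege privilege) {
        return checkTablePermission(context, tableName, privileges -> privileges.contains(privilege));
    }

    /**
     * Applies {@code predicate} to the privilege set of the first matching table rule.
     *
     * @return true for information_schema without consulting any rule; false when no rule matches
     */
    private boolean checkTablePermission(ConnectorSecurityContext context, SchemaTableName tableName, Predicate<Set<TableAccessControlRule.TablePrivilege>> predicate) {
        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
            return true;
        }
        return findTableRule(context, tableName)
                .map(rule -> predicate.test(rule.getPrivileges()))
                .orElse(false);
    }

    /** True when any derived any-schema rule matches the caller and {@code schemaName}. */
    private boolean checkAnySchemaAccess(ConnectorSecurityContext context, String schemaName) {
        ConnectorIdentity identity = context.getIdentity();
        return anySchemaPermissionsRules.stream()
                .anyMatch(rule -> rule.match(identity.getUser(), identity.getGroups(), schemaName));
    }

    /** First schema rule with an opinion decides ownership; no opinion means not an owner. */
    private boolean isSchemaOwner(ConnectorSecurityContext context, String schemaName) {
        ConnectorIdentity identity = context.getIdentity();
        for (SchemaAccessControlRule rule : schemaRules) {
            Optional<Boolean> decision = rule.match(identity.getUser(), identity.getGroups(), schemaName);
            if (decision.isPresent()) {
                return decision.get();
            }
        }
        return false;
    }
}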
