package org.neo4j.internal.kernel.api.security;

import java.net.InetAddress;
import java.net.URI;
import java.util.Arrays;
import java.util.function.IntFunction;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.neo4j.gqlstatus.ErrorGqlStatusObject;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.internal.kernel.api.TokenSet;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.messages.MessageUtil;

/* loaded from: input_file:org/neo4j/internal/kernel/api/security/SecurityAuthorizationHandler.class */
/**
 * Central place for authorization assertions against a {@link SecurityContext}.
 *
 * <p>Each {@code assert...} method asks the context's access mode whether an operation is
 * permitted. On refusal it writes the denial message to the security log and throws an
 * {@link AuthorizationViolationException} carrying the same message.
 *
 * <p>NOTE(review): the denial messages interpolate resolved token names, the database name, the
 * subject description and (for LOAD) the full URI. Confirm that the security log implementation
 * neutralises line breaks and control characters in these values, since the same text is both
 * persisted and returned to the caller.
 */
public class SecurityAuthorizationHandler {
    // Package-private and non-final in this listing, so same-package code can replace the log.
    // A null log makes every denial path fail with a NullPointerException instead of the
    // intended AuthorizationViolationException.
    AbstractSecurityLog securityLog;

    /**
     * @param abstractSecurityLog sink that receives one error entry per denied operation
     */
    public SecurityAuthorizationHandler(AbstractSecurityLog abstractSecurityLog) {
        this.securityLog = abstractSecurityLog;
    }

    /**
     * Asserts that a node with the given label ids may be created.
     *
     * @param securityContext context whose access mode is consulted
     * @param intFunction resolves a label id to its name for the denial message
     * @param iArr label ids; {@code null} is passed to the access mode unchanged and rendered as
     *     an empty label list in the message
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertAllowsCreateNode(SecurityContext securityContext, IntFunction<String> intFunction, int[] iArr) {
        if (securityContext.mode().allowsCreateNode(iArr)) {
            return;
        }
        final String labelNames = iArr == null ? "" : joinTokenNames(iArr, intFunction);
        final String message =
                MessageUtil.createNodeWithLabelsDenied(labelNames, securityContext.database(), securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that a node carrying the supplied labels may be deleted.
     *
     * @param securityContext context whose access mode is consulted
     * @param intFunction resolves a label id to its name for the denial message
     * @param supplier lazily provides the node's labels; it is handed to the access mode and, on
     *     refusal, invoked here again to build the message
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertAllowsDeleteNode(SecurityContext securityContext, IntFunction<String> intFunction, Supplier<TokenSet> supplier) {
        if (securityContext.mode().allowsDeleteNode(supplier)) {
            return;
        }
        final String message = String.format(
                "Delete node with labels '%s' on database '%s' is not allowed for %s.",
                joinTokenNames(supplier.get().all(), intFunction),
                securityContext.database(),
                securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that a relationship of type {@code i} may be created.
     *
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertAllowsCreateRelationship(SecurityContext securityContext, IntFunction<String> intFunction, int i) {
        if (securityContext.mode().allowsCreateRelationship(i)) {
            return;
        }
        final String message = String.format(
                "Create relationship with type '%s' on database '%s' is not allowed for %s.",
                intFunction.apply(i),
                securityContext.database(),
                securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that a relationship of type {@code i} may be deleted.
     *
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertAllowsDeleteRelationship(SecurityContext securityContext, IntFunction<String> intFunction, int i) {
        if (securityContext.mode().allowsDeleteRelationship(i)) {
            return;
        }
        final String message = String.format(
                "Delete relationship with type '%s' on database '%s' is not allowed for %s.",
                intFunction.apply(i),
                securityContext.database(),
                securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that label {@code i} may be set.
     *
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertAllowsSetLabel(SecurityContext securityContext, IntFunction<String> intFunction, int i) {
        if (securityContext.mode().allowsSetLabel(i)) {
            return;
        }
        final String message = String.format(
                "Set label for label '%s' on database '%s' is not allowed for %s.",
                intFunction.apply(i),
                securityContext.database(),
                securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that label {@code i} may be removed.
     *
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertAllowsRemoveLabel(SecurityContext securityContext, IntFunction<String> intFunction, int i) {
        if (securityContext.mode().allowsRemoveLabel(i)) {
            return;
        }
        final String message = String.format(
                "Remove label for label '%s' on database '%s' is not allowed for %s.",
                intFunction.apply(i),
                securityContext.database(),
                securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that property key {@code i} may be set, with the owning entity described by a
     * token set.
     *
     * @param tokenSet handed to the access mode through a supplier that always returns it
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertAllowsSetProperty(SecurityContext securityContext, IntFunction<String> intFunction, TokenSet tokenSet, int i) {
        if (securityContext.mode().allowsSetProperty(() -> tokenSet, i)) {
            return;
        }
        throw setPropertyDenied(securityContext, intFunction, i);
    }

    /**
     * Asserts that property key {@code i} may be set, with the owning entity described by a
     * numeric id.
     *
     * @param j id handed to the access mode after a narrowing cast to {@code int}
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertAllowsSetProperty(SecurityContext securityContext, IntFunction<String> intFunction, long j, int i) {
        // NOTE(review): the narrowing cast silently truncates values outside the int range, so
        // the privilege check would run against a different id - confirm callers only pass ids
        // that fit in an int.
        if (securityContext.mode().allowsSetProperty(() -> (int) j, i)) {
            return;
        }
        throw setPropertyDenied(securityContext, intFunction, i);
    }

    /**
     * Asserts that the given schema operation is permitted.
     *
     * <p>The message tells a missing grant ("not allowed") apart from an explicit deny
     * ("denied"); any other permission state lets the call return normally.
     *
     * @throws AuthorizationViolationException on {@code NOT_GRANTED} or {@code EXPLICIT_DENY}
     */
    public void assertSchemaWrites(SecurityContext securityContext, PrivilegeAction privilegeAction) {
        switch (securityContext.mode().allowsSchemaWrites(privilegeAction)) {
            case NOT_GRANTED: {
                final String message = String.format(
                        "Schema operation '%s' on database '%s' is not allowed for %s.",
                        privilegeAction,
                        securityContext.database(),
                        securityContext.description());
                throw logAndGetAuthorizationException(securityContext, message);
            }
            case EXPLICIT_DENY: {
                final String message = String.format(
                        "Schema operation '%s' on database '%s' is denied for %s.",
                        privilegeAction,
                        securityContext.database(),
                        securityContext.description());
                throw logAndGetAuthorizationException(securityContext, message);
            }
            default:
                // Every remaining state is treated as permission to proceed.
                return;
        }
    }

    /**
     * Asserts that listing indexes is permitted.
     *
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertShowIndexAllowed(SecurityContext securityContext) {
        if (securityContext.mode().allowsShowIndex()) {
            return;
        }
        final String message = String.format(
                "Show indexes on database '%s' is not allowed for %s.",
                securityContext.database(),
                securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that listing constraints is permitted.
     *
     * @throws AuthorizationViolationException if the access mode refuses
     */
    public void assertShowConstraintAllowed(SecurityContext securityContext) {
        if (securityContext.mode().allowsShowConstraint()) {
            return;
        }
        final String message = String.format(
                "Show constraints on database '%s' is not allowed for %s.",
                securityContext.database(),
                securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that a new token (label, property key or relationship type) may be created.
     *
     * <p>The three known create actions get a message that names the matching GRANT statement;
     * every other action gets a generic message.
     *
     * @throws AuthorizationViolationException if the resulting permission state does not allow
     *     access
     */
    public final void assertAllowsTokenCreates(SecurityContext securityContext, PrivilegeAction privilegeAction) {
        final PermissionState state = securityContext.mode().allowsTokenCreates(privilegeAction);
        if (state.allowsAccess()) {
            return;
        }

        // A missing grant and an explicit deny are worded differently in the message.
        final String verdict;
        if (state == PermissionState.NOT_GRANTED) {
            verdict = "not allowed";
        } else {
            verdict = "denied";
        }

        final String message;
        switch (privilegeAction) {
            case CREATE_LABEL:
                message = String.format(
                        "Creating new node label on database '%s' is %s for %s. See GRANT CREATE NEW NODE LABEL ON DATABASE `%s`...",
                        securityContext.database(),
                        verdict,
                        securityContext.description(),
                        securityContext.database());
                break;
            case CREATE_PROPERTYKEY:
                message = String.format(
                        "Creating new property name on database '%s' is %s for %s. See GRANT CREATE NEW PROPERTY NAME ON DATABASE `%s`...",
                        securityContext.database(),
                        verdict,
                        securityContext.description(),
                        securityContext.database());
                break;
            case CREATE_RELTYPE:
                message = String.format(
                        "Creating new relationship type on database '%s' is %s for %s. See GRANT CREATE NEW RELATIONSHIP TYPE ON DATABASE `%s`...",
                        securityContext.database(),
                        verdict,
                        securityContext.description(),
                        securityContext.database());
                break;
            default:
                message = String.format(
                        "'%s' operations on database '%s' are %s for %s.",
                        privilegeAction,
                        securityContext.database(),
                        verdict,
                        securityContext.description());
                break;
        }
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Asserts that loading data from {@code uri} is permitted.
     *
     * <p>The blanket "load all data" answer is consulted first. {@code NOT_GRANTED} defers
     * entirely to the per-URI check, {@code EXPLICIT_GRANT} is combined with the per-URI check,
     * and any other answer is used as it stands without a per-URI check.
     *
     * @param uri location being loaded; formatted into the denial message
     * @param inetAddress passed to the per-URI check together with {@code uri}
     * @throws AuthorizationViolationException if the resulting permission state does not allow
     *     access
     */
    public void assertLoadAllowed(SecurityContext securityContext, URI uri, InetAddress inetAddress) {
        final AccessMode accessMode = securityContext.mode();
        PermissionState state = accessMode.allowsLoadAllData();
        if (state == PermissionState.NOT_GRANTED) {
            state = accessMode.allowsLoadUri(uri, inetAddress);
        } else if (state == PermissionState.EXPLICIT_GRANT) {
            state = state.combine(accessMode.allowsLoadUri(uri, inetAddress));
        }
        if (state.allowsAccess()) {
            return;
        }

        // NOTE(review): the URI is written in full to the security log and the exception text.
        // If LOAD URLs can carry userinfo or signed query parameters, confirm they are redacted
        // before reaching this point or inside the log.
        // NOTE(review): presumably inetAddress is the address the URI host resolved to - confirm
        // the later connection uses that same address rather than resolving again.
        final String verdict = state == PermissionState.NOT_GRANTED ? "not allowed" : "denied";
        final String message =
                String.format("LOAD on URL '%s' is %s for %s.", uri, verdict, securityContext.description());
        throw logAndGetAuthorizationException(securityContext, message);
    }

    /**
     * Records a denial in the security log and builds the matching exception.
     *
     * <p>The exception is returned, not thrown: a caller that drops the return value leaves the
     * denial logged but unenforced.
     *
     * @param str message used for both the log entry and the exception
     * @return a new exception carrying {@code str}
     */
    public AuthorizationViolationException logAndGetAuthorizationException(SecurityContext securityContext, String str) {
        this.securityLog.error(securityContext, str);
        AuthorizationViolationException violation = new AuthorizationViolationException(str);
        return violation;
    }

    /**
     * Records a denial in the security log and builds the matching exception with a GQL status
     * object and a status code attached.
     *
     * <p>Only {@code str} is written to the log; the GQL status object and status go to the
     * exception alone. As with the two-argument overload, the caller must throw the result.
     *
     * @return a new exception carrying the GQL status object, {@code str} and {@code status}
     */
    public AuthorizationViolationException logAndGetAuthorizationException(ErrorGqlStatusObject errorGqlStatusObject, SecurityContext securityContext, String str, Status status) {
        this.securityLog.error(securityContext, str);
        AuthorizationViolationException violation = new AuthorizationViolationException(errorGqlStatusObject, str, status);
        return violation;
    }

    /**
     * Builds the text shown when valid credentials must be changed before further use.
     *
     * @param str leading text; it is followed by two platform line separators and the fixed
     *     guidance on changing the password
     * @return the assembled message
     */
    public static String generateCredentialsExpiredMessage(String str) {
        final String template = "%s%n%nThe credentials you provided were valid, but must be changed before you can use this instance. If this is the first time you are using Neo4j, this is to ensure you are not using the default credentials in production. If you are not using default credentials, you are getting this message because an administrator requires a password change.%nTo change your password, issue an `ALTER CURRENT USER SET PASSWORD FROM 'current password' TO 'new password'` statement against the system database.";
        return String.format(template, str);
    }

    /** Logs and builds the shared denial for both set-property overloads. */
    private AuthorizationViolationException setPropertyDenied(SecurityContext securityContext, IntFunction<String> intFunction, int i) {
        final String message = String.format(
                "Set property for property '%s' on database '%s' is not allowed for %s.",
                intFunction.apply(i),
                securityContext.database(),
                securityContext.description());
        return logAndGetAuthorizationException(securityContext, message);
    }

    /** Resolves each token id to its name and joins the names with commas. */
    private static String joinTokenNames(int[] tokenIds, IntFunction<String> intFunction) {
        return Arrays.stream(tokenIds).mapToObj(intFunction).collect(Collectors.joining(","));
    }
}
