package io.prestosql.plugin.base.security;

import com.google.common.base.Preconditions;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.airlift.log.Logger;
import io.airlift.units.Duration;
import io.prestosql.plugin.base.security.CatalogAccessControlRule;
import io.prestosql.plugin.base.security.QueryAccessRule;
import io.prestosql.plugin.base.util.JsonUtils;
import io.prestosql.spi.PrestoException;
import io.prestosql.spi.StandardErrorCode;
import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaRoutineName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.Identity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.SystemAccessControl;
import io.prestosql.spi.security.SystemAccessControlFactory;
import io.prestosql.spi.security.SystemSecurityContext;
import io.prestosql.spi.security.ViewExpression;
import io.prestosql.spi.type.Type;
import java.nio.file.Paths;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/* loaded from: input_file:io/prestosql/plugin/base/security/FileBasedSystemAccessControl.class */
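/**
 * {@link SystemAccessControl} whose rules are read from a JSON file.
 *
 * <p>{@link Factory} loads the file named by {@code FileBasedAccessControlConfig.SECURITY_CONFIG_FILE}
 * and, when {@code FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD} is configured, re-reads it
 * on that interval. Every rule list is evaluated first-match-wins: the first rule that matches decides
 * and later rules are never consulted; an identity that matches no rule is denied. The catalog rules
 * always end with an implicit rule granting every user {@code ALL} on the {@code system} catalog.
 *
 * <p>Query, impersonation and principal rules are optional. Each check documents what happens when its
 * rule list is absent; several checks are intentionally no-ops at the system level and are left to
 * connector-level access control.
 *
 * <p>Instances are immutable once constructed.
 */
public class FileBasedSystemAccessControl implements SystemAccessControl {
    private static final Logger log = Logger.get(FileBasedSystemAccessControl.class);
    public static final String NAME = "file";
    // User-supplied catalog rules followed by the implicit "system" catalog rule.
    private final List<CatalogAccessControlRule> catalogRules;
    // Absent when the file defines no "queries" section: query checks are then skipped.
    private final Optional<List<QueryAccessRule>> queryAccessRules;
    // Absent when the file defines no "impersonation" section.
    private final Optional<List<ImpersonationRule>> impersonationRules;
    // Absent when the file defines no "principals" section.
    private final Optional<List<PrincipalUserMatchRule>> principalUserMatchRules;

    /** Builds {@link FileBasedSystemAccessControl} instances from the plugin configuration. */
    public static class Factory implements SystemAccessControlFactory {
        @Override
        public String getName() {
            return FileBasedSystemAccessControl.NAME;
        }

        /**
         * Creates the access control described by {@code config}.
         *
         * @param config plugin configuration; must contain
         *     {@code FileBasedAccessControlConfig.SECURITY_CONFIG_FILE}
         * @return a one-shot instance, or a refreshing wrapper when
         *     {@code FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD} is set
         * @throws IllegalStateException if the config-file property is missing
         * @throws PrestoException if the refresh period is unparseable or zero
         */
        @Override
        public SystemAccessControl create(Map<String, String> config) {
            Objects.requireNonNull(config, "config is null");
            String configFile = config.get(FileBasedAccessControlConfig.SECURITY_CONFIG_FILE);
            Preconditions.checkState(configFile != null, "Security configuration must contain the '%s' property", FileBasedAccessControlConfig.SECURITY_CONFIG_FILE);
            if (!config.containsKey(FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD)) {
                return create(configFile);
            }
            Duration refreshPeriod;
            try {
                refreshPeriod = Duration.valueOf(config.get(FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD));
            } catch (IllegalArgumentException e) {
                throw invalidRefreshPeriodException(config, configFile);
            }
            // A zero period would re-parse the rules file on every access check; reject it as misconfiguration.
            if (refreshPeriod.toMillis() == 0) {
                throw invalidRefreshPeriodException(config, configFile);
            }
            // The supplier re-reads the file after each expiry; a parse failure then surfaces on the next check.
            return ForwardingSystemAccessControl.of(Suppliers.memoizeWithExpiration(() -> {
                log.info("Refreshing system access control from %s", configFile);
                return create(configFile);
            }, refreshPeriod.toMillis(), TimeUnit.MILLISECONDS));
        }

        private PrestoException invalidRefreshPeriodException(Map<String, String> config, String configFile) {
            return new PrestoException(StandardErrorCode.CONFIGURATION_INVALID, String.format("Invalid duration value '%s' for property '%s' in '%s'", config.get(FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD), FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD, configFile));
        }

        /** Parses {@code configFile} and builds an instance from its rules. */
        private SystemAccessControl create(String configFile) {
            FileBasedSystemAccessControlRules rules = JsonUtils.parseJson(Paths.get(configFile), FileBasedSystemAccessControlRules.class);
            // Append an implicit catch-all after the user's rules: user pattern ".*", no group
            // constraint, catalog pattern "system", mode ALL. Because matching is first-match-wins,
            // a user-supplied rule naming the "system" catalog still takes precedence.
            List<CatalogAccessControlRule> catalogRules = ImmutableList.<CatalogAccessControlRule>builder()
                    .addAll(rules.getCatalogRules())
                    .add(new CatalogAccessControlRule(CatalogAccessControlRule.AccessMode.ALL, Optional.of(Pattern.compile(".*")), Optional.empty(), Optional.of(Pattern.compile("system"))))
                    .build();
            return new FileBasedSystemAccessControl(catalogRules, rules.getQueryAccessRules(), rules.getImpersonationRules(), rules.getPrincipalUserMatchRules());
        }
    }

    private FileBasedSystemAccessControl(List<CatalogAccessControlRule> catalogRules, Optional<List<QueryAccessRule>> queryAccessRules, Optional<List<ImpersonationRule>> impersonationRules, Optional<List<PrincipalUserMatchRule>> principalUserMatchRules) {
        this.catalogRules = catalogRules;
        this.queryAccessRules = queryAccessRules;
        this.impersonationRules = impersonationRules;
        this.principalUserMatchRules = principalUserMatchRules;
    }

    /**
     * Checks whether the requesting identity may impersonate {@code userName}.
     *
     * <p>With no impersonation rules configured, the request is allowed only when principal rules exist
     * (presumably so that {@link #checkCanSetUser} remains the authoritative check for such files);
     * otherwise it is denied. With rules configured, the first matching rule decides and no match denies.
     */
    @Override
    public void checkCanImpersonateUser(SystemSecurityContext systemSecurityContext, String userName) {
        String requester = systemSecurityContext.getIdentity().getUser();
        if (!this.impersonationRules.isPresent()) {
            if (!this.principalUserMatchRules.isPresent()) {
                AccessDeniedException.denyImpersonateUser(requester, userName);
            }
            return;
        }
        for (ImpersonationRule rule : this.impersonationRules.get()) {
            Optional<Boolean> decision = rule.match(requester, userName);
            if (decision.isPresent()) {
                if (decision.get()) {
                    return;
                }
                // An explicit "deny" match stops evaluation; denyImpersonateUser throws.
                AccessDeniedException.denyImpersonateUser(requester, userName);
            }
        }
        AccessDeniedException.denyImpersonateUser(requester, userName);
    }

    /**
     * Checks whether {@code principal} may run queries as {@code userName}.
     *
     * <p>When no principal rules are configured this check always passes. Otherwise an absent principal
     * is denied, then the first matching rule decides and no match denies.
     *
     * @throws NullPointerException if either argument is null
     */
    @Override
    public void checkCanSetUser(Optional<Principal> principal, String userName) {
        Objects.requireNonNull(principal, "principal is null");
        Objects.requireNonNull(userName, "userName is null");
        if (!this.principalUserMatchRules.isPresent()) {
            return;
        }
        if (!principal.isPresent()) {
            AccessDeniedException.denySetUser(principal, userName);
        }
        // denySetUser throws, so the principal is present here.
        String principalName = principal.get().getName();
        for (PrincipalUserMatchRule rule : this.principalUserMatchRules.get()) {
            Optional<Boolean> decision = rule.match(principalName, userName);
            if (decision.isPresent()) {
                if (decision.get()) {
                    return;
                }
                AccessDeniedException.denySetUser(principal, userName);
            }
        }
        AccessDeniedException.denySetUser(principal, userName);
    }

    /** Denies query execution only when query rules exist and none grants EXECUTE to the identity. */
    @Override
    public void checkCanExecuteQuery(SystemSecurityContext systemSecurityContext) {
        if (this.queryAccessRules.isPresent() && !canAccessQuery(systemSecurityContext.getIdentity(), QueryAccessRule.AccessMode.EXECUTE)) {
            AccessDeniedException.denyViewQuery();
        }
    }

    /**
     * Checks VIEW access for the requesting identity. {@code queryOwner} is not consulted: the
     * decision depends only on the identity's query rules.
     */
    @Override
    public void checkCanViewQueryOwnedBy(SystemSecurityContext systemSecurityContext, String queryOwner) {
        if (this.queryAccessRules.isPresent() && !canAccessQuery(systemSecurityContext.getIdentity(), QueryAccessRule.AccessMode.VIEW)) {
            AccessDeniedException.denyViewQuery();
        }
    }

    /**
     * Returns {@code queryOwners} unchanged when no query rules exist; otherwise the full set when the
     * identity holds VIEW and the empty set when it does not. Individual owners are not evaluated.
     */
    @Override
    public Set<String> filterViewQueryOwnedBy(SystemSecurityContext systemSecurityContext, Set<String> queryOwners) {
        if (!this.queryAccessRules.isPresent()) {
            return queryOwners;
        }
        Identity identity = systemSecurityContext.getIdentity();
        return queryOwners.stream()
                .filter(queryOwner -> canAccessQuery(identity, QueryAccessRule.AccessMode.VIEW))
                .collect(ImmutableSet.toImmutableSet());
    }

    /**
     * Checks KILL access for the requesting identity; {@code queryOwner} is not consulted.
     * NOTE(review): the denial raised is the "view query" one, so the error message does not mention
     * kill - confirm whether this SPI version offers a kill-specific denial.
     */
    @Override
    public void checkCanKillQueryOwnedBy(SystemSecurityContext systemSecurityContext, String queryOwner) {
        if (this.queryAccessRules.isPresent() && !canAccessQuery(systemSecurityContext.getIdentity(), QueryAccessRule.AccessMode.KILL)) {
            AccessDeniedException.denyViewQuery();
        }
    }

    /**
     * True when the first query rule matching the identity's user grants {@code accessMode}.
     * False when no rules are configured or none matches.
     */
    private boolean canAccessQuery(Identity identity, QueryAccessRule.AccessMode accessMode) {
        if (!this.queryAccessRules.isPresent()) {
            return false;
        }
        for (QueryAccessRule rule : this.queryAccessRules.get()) {
            Optional<Set<QueryAccessRule.AccessMode>> granted = rule.match(identity.getUser());
            if (granted.isPresent()) {
                return granted.get().contains(accessMode);
            }
        }
        return false;
    }

    /** Not enforced: any identity may set any system session property. */
    @Override
    public void checkCanSetSystemSessionProperty(SystemSecurityContext systemSecurityContext, String propertyName) {
    }

    /** Requires at least READ_ONLY on {@code catalogName}. */
    @Override
    public void checkCanAccessCatalog(SystemSecurityContext systemSecurityContext, String catalogName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogName, CatalogAccessControlRule.AccessMode.READ_ONLY)) {
            AccessDeniedException.denyCatalogAccess(catalogName);
        }
    }

    /** Keeps only the catalogs on which the identity has at least READ_ONLY. */
    @Override
    public Set<String> filterCatalogs(SystemSecurityContext systemSecurityContext, Set<String> catalogs) {
        ImmutableSet.Builder<String> visible = ImmutableSet.builder();
        for (String catalogName : catalogs) {
            if (hasCatalogAccess(systemSecurityContext, catalogName, CatalogAccessControlRule.AccessMode.READ_ONLY)) {
                visible.add(catalogName);
            }
        }
        return visible.build();
    }

    /**
     * True when the first catalog rule matching the identity's user, groups and {@code catalogName}
     * grants a mode that implies {@code accessMode}. No matching rule means deny.
     */
    private boolean canAccessCatalog(Identity identity, String catalogName, CatalogAccessControlRule.AccessMode accessMode) {
        for (CatalogAccessControlRule rule : this.catalogRules) {
            Optional<CatalogAccessControlRule.AccessMode> granted = rule.match(identity.getUser(), identity.getGroups(), catalogName);
            if (granted.isPresent()) {
                return granted.get().implies(accessMode);
            }
        }
        return false;
    }

    /** Convenience wrapper around {@link #canAccessCatalog} taking the security context. */
    private boolean hasCatalogAccess(SystemSecurityContext systemSecurityContext, String catalogName, CatalogAccessControlRule.AccessMode accessMode) {
        return canAccessCatalog(systemSecurityContext.getIdentity(), catalogName, accessMode);
    }

    /** Requires ALL on the schema's catalog. */
    @Override
    public void checkCanCreateSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyCreateSchema(catalogSchemaName.toString());
        }
    }

    /** Requires ALL on the schema's catalog. */
    @Override
    public void checkCanDropSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyDropSchema(catalogSchemaName.toString());
        }
    }

    /** Requires ALL on the schema's catalog; the new name is only used in the denial message. */
    @Override
    public void checkCanRenameSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName, String newSchemaName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyRenameSchema(catalogSchemaName.toString(), newSchemaName);
        }
    }

    /** Requires ALL on the schema's catalog; the target principal is only used in the denial message. */
    @Override
    public void checkCanSetSchemaAuthorization(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName, PrestoPrincipal prestoPrincipal) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denySetSchemaAuthorization(catalogSchemaName.toString(), prestoPrincipal);
        }
    }

    /** Not enforced; visibility is applied by {@link #filterSchemas}. */
    @Override
    public void checkCanShowSchemas(SystemSecurityContext systemSecurityContext, String catalogName) {
    }

    /** Returns all schemas when the identity has READ_ONLY on the catalog, otherwise none. */
    @Override
    public Set<String> filterSchemas(SystemSecurityContext systemSecurityContext, String catalogName, Set<String> schemaNames) {
        if (!hasCatalogAccess(systemSecurityContext, catalogName, CatalogAccessControlRule.AccessMode.READ_ONLY)) {
            return ImmutableSet.of();
        }
        return schemaNames;
    }

    /** Requires ALL on the table's catalog (not merely READ_ONLY). */
    @Override
    public void checkCanShowCreateTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyShowCreateTable(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the table's catalog. */
    @Override
    public void checkCanCreateTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyCreateTable(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the table's catalog. */
    @Override
    public void checkCanDropTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyDropTable(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the source table's catalog; the target catalog is not checked here. */
    @Override
    public void checkCanRenameTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName newTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyRenameTable(catalogSchemaTableName.toString(), newTableName.toString());
        }
    }

    /** Requires ALL on the table's catalog. */
    @Override
    public void checkCanSetTableComment(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyCommentTable(catalogSchemaTableName.toString());
        }
    }

    /** Not enforced; visibility is applied by {@link #filterTables}. */
    @Override
    public void checkCanShowTables(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
    }

    /** Returns all tables when the identity has READ_ONLY on the catalog, otherwise none. */
    @Override
    public Set<SchemaTableName> filterTables(SystemSecurityContext systemSecurityContext, String catalogName, Set<SchemaTableName> tableNames) {
        if (!hasCatalogAccess(systemSecurityContext, catalogName, CatalogAccessControlRule.AccessMode.READ_ONLY)) {
            return ImmutableSet.of();
        }
        return tableNames;
    }

    /** Not enforced; visibility is applied by {@link #filterColumns}. */
    @Override
    public void checkCanShowColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** Returns all columns when the identity has READ_ONLY on the table's catalog, otherwise none. */
    @Override
    public List<ColumnMetadata> filterColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, List<ColumnMetadata> columns) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.READ_ONLY)) {
            return ImmutableList.of();
        }
        return columns;
    }

    /** Requires ALL on the table's catalog. */
    @Override
    public void checkCanAddColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyAddColumn(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the table's catalog. */
    @Override
    public void checkCanDropColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyDropColumn(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the table's catalog. */
    @Override
    public void checkCanRenameColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyRenameColumn(catalogSchemaTableName.toString());
        }
    }

    /** Not enforced at the system level; catalog visibility alone gates reads here. */
    @Override
    public void checkCanSelectFromColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> columns) {
    }

    /** Requires ALL on the table's catalog. */
    @Override
    public void checkCanInsertIntoTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyInsertTable(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the table's catalog. */
    @Override
    public void checkCanDeleteFromTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyDeleteTable(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the view's catalog. */
    @Override
    public void checkCanCreateView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyCreateView(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the source view's catalog; the target catalog is not checked here. */
    @Override
    public void checkCanRenameView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName newViewName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyRenameView(catalogSchemaTableName.toString(), newViewName.toString());
        }
    }

    /** Requires ALL on the view's catalog. */
    @Override
    public void checkCanDropView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyDropView(catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the referenced table's catalog; the column set is not inspected. */
    @Override
    public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> columns) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyCreateViewWithSelect(catalogSchemaTableName.toString(), systemSecurityContext.getIdentity());
        }
    }

    /** Not enforced. */
    @Override
    public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext systemSecurityContext, String functionName, PrestoPrincipal grantee, boolean grantOption) {
    }

    /** Not enforced: any identity may set any catalog session property. */
    @Override
    public void checkCanSetCatalogSessionProperty(SystemSecurityContext systemSecurityContext, String catalogName, String propertyName) {
    }

    /** Requires ALL on the table's catalog; grantee and grant option are not inspected. */
    @Override
    public void checkCanGrantTablePrivilege(SystemSecurityContext systemSecurityContext, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, PrestoPrincipal grantee, boolean grantOption) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), catalogSchemaTableName.toString());
        }
    }

    /** Requires ALL on the table's catalog; revokee and grant option are not inspected. */
    @Override
    public void checkCanRevokeTablePrivilege(SystemSecurityContext systemSecurityContext, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, PrestoPrincipal revokee, boolean grantOption) {
        if (!hasCatalogAccess(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), catalogSchemaTableName.toString());
        }
    }

    /** Not enforced. */
    @Override
    public void checkCanShowRoles(SystemSecurityContext systemSecurityContext, String catalogName) {
    }

    /** Not enforced. */
    @Override
    public void checkCanExecuteProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName catalogSchemaRoutineName) {
    }

    /** Not enforced. */
    @Override
    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String functionName) {
    }

    /** This implementation defines no row filters. */
    @Override
    public Optional<ViewExpression> getRowFilter(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        return Optional.empty();
    }

    /** This implementation defines no column masks. */
    @Override
    public Optional<ViewExpression> getColumnMask(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, String columnName, Type type) {
        return Optional.empty();
    }
}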
