package io.trino.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.airlift.configuration.ConfigurationLoader;
import io.airlift.log.Logger;
import io.airlift.stats.CounterStat;
import io.trino.connector.CatalogName;
import io.trino.eventlistener.EventListenerManager;
import io.trino.metadata.QualifiedObjectName;
import io.trino.plugin.base.security.AllowAllSystemAccessControl;
import io.trino.plugin.base.security.DefaultSystemAccessControl;
import io.trino.plugin.base.security.FileBasedSystemAccessControl;
import io.trino.plugin.base.security.ForwardingSystemAccessControl;
import io.trino.plugin.base.security.ReadOnlySystemAccessControl;
import io.trino.spi.QueryId;
import io.trino.spi.StandardErrorCode;
import io.trino.spi.TrinoException;
import io.trino.spi.classloader.ThreadContextClassLoader;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.ConnectorAccessControl;
import io.trino.spi.connector.ConnectorSecurityContext;
import io.trino.spi.connector.ConnectorTransactionHandle;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.security.Identity;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.SystemAccessControl;
import io.trino.spi.security.SystemAccessControlFactory;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.type.Type;
import io.trino.transaction.TransactionId;
import io.trino.transaction.TransactionManager;
import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.Principal;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.stream.Stream;
import javax.inject.Inject;
import org.weakref.jmx.Managed;
import org.weakref.jmx.Nested;

/* loaded from: input_file:io/trino/security/AccessControlManager.class */
public class AccessControlManager implements AccessControl {
    private static final Logger log = Logger.get(AccessControlManager.class);
    private static final File CONFIG_FILE = new File("etc/access-control.properties");
    private static final String NAME_PROPERTY = "access-control.name";
    private final TransactionManager transactionManager;
    private final EventListenerManager eventListenerManager;
    private final List<File> configFiles;
    private final String defaultAccessControlName;
    private final Map<String, SystemAccessControlFactory> systemAccessControlFactories = new ConcurrentHashMap();
    private final Map<CatalogName, CatalogAccessControlEntry> connectorAccessControl = new ConcurrentHashMap();
    private final AtomicReference<List<SystemAccessControl>> systemAccessControls = new AtomicReference<>();
    private final CounterStat authorizationSuccess = new CounterStat();
    private final CounterStat authorizationFail = new CounterStat();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/security/AccessControlManager$CatalogAccessControlEntry.class */
    public class CatalogAccessControlEntry {
        private final CatalogName catalogName;
        private final ConnectorAccessControl accessControl;

        public CatalogAccessControlEntry(CatalogName catalogName, ConnectorAccessControl connectorAccessControl) {
            this.catalogName = (CatalogName) Objects.requireNonNull(catalogName, "catalogName is null");
            this.accessControl = (ConnectorAccessControl) Objects.requireNonNull(connectorAccessControl, "accessControl is null");
        }

        public CatalogName getCatalogName() {
            return this.catalogName;
        }

        public ConnectorAccessControl getAccessControl() {
            return this.accessControl;
        }

        public ConnectorTransactionHandle getTransactionHandle(TransactionId transactionId) {
            return AccessControlManager.this.transactionManager.getConnectorTransaction(transactionId, this.catalogName);
        }

        public ConnectorSecurityContext toConnectorSecurityContext(SecurityContext securityContext) {
            return toConnectorSecurityContext(securityContext.getTransactionId(), securityContext.getIdentity(), securityContext.getQueryId());
        }

        public ConnectorSecurityContext toConnectorSecurityContext(TransactionId transactionId, Identity identity, QueryId queryId) {
            return new ConnectorSecurityContext(AccessControlManager.this.transactionManager.getConnectorTransaction(transactionId, this.catalogName), identity.toConnectorIdentity(this.catalogName.getCatalogName()), queryId);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/security/AccessControlManager$InitializingSystemAccessControl.class */
    public static class InitializingSystemAccessControl extends ForwardingSystemAccessControl {
        private InitializingSystemAccessControl() {
        }

        protected SystemAccessControl delegate() {
            throw new TrinoException(StandardErrorCode.SERVER_STARTING_UP, "Trino server is still initializing");
        }
    }

    @Inject
    public AccessControlManager(TransactionManager transactionManager, EventListenerManager eventListenerManager, AccessControlConfig accessControlConfig, @DefaultSystemAccessControlName String str) {
        this.transactionManager = (TransactionManager) Objects.requireNonNull(transactionManager, "transactionManager is null");
        this.eventListenerManager = (EventListenerManager) Objects.requireNonNull(eventListenerManager, "eventListenerManager is null");
        this.configFiles = ImmutableList.copyOf(accessControlConfig.getAccessControlFiles());
        this.defaultAccessControlName = (String) Objects.requireNonNull(str, "defaultAccessControl is null");
        addSystemAccessControlFactory(new DefaultSystemAccessControl.Factory());
        addSystemAccessControlFactory(new AllowAllSystemAccessControl.Factory());
        addSystemAccessControlFactory(new ReadOnlySystemAccessControl.Factory());
        addSystemAccessControlFactory(new FileBasedSystemAccessControl.Factory());
    }

    public final void addSystemAccessControlFactory(SystemAccessControlFactory systemAccessControlFactory) {
        Objects.requireNonNull(systemAccessControlFactory, "accessControlFactory is null");
        if (this.systemAccessControlFactories.putIfAbsent(systemAccessControlFactory.getName(), systemAccessControlFactory) != null) {
            throw new IllegalArgumentException(String.format("Access control '%s' is already registered", systemAccessControlFactory.getName()));
        }
    }

    public void addCatalogAccessControl(CatalogName catalogName, ConnectorAccessControl connectorAccessControl) {
        Objects.requireNonNull(catalogName, "catalogName is null");
        Objects.requireNonNull(connectorAccessControl, "accessControl is null");
        Preconditions.checkState(this.connectorAccessControl.putIfAbsent(catalogName, new CatalogAccessControlEntry(catalogName, connectorAccessControl)) == null, "Access control for connector '%s' is already registered", catalogName);
    }

    public void removeCatalogAccessControl(CatalogName catalogName) {
        this.connectorAccessControl.remove(catalogName);
    }

    public void loadSystemAccessControl() {
        List list = this.configFiles;
        if (list.isEmpty()) {
            if (!CONFIG_FILE.exists()) {
                setSystemAccessControl(this.defaultAccessControlName, ImmutableMap.of());
                log.info("Using system access control: %s", new Object[]{this.defaultAccessControlName});
                return;
            }
            list = ImmutableList.of(CONFIG_FILE);
        }
        List<SystemAccessControl> list2 = (List) list.stream().map(this::createSystemAccessControl).collect(ImmutableList.toImmutableList());
        Stream flatMap = list2.stream().map((v0) -> {
            return v0.getEventListeners();
        }).flatMap(iterable -> {
            return ImmutableSet.copyOf(iterable).stream();
        });
        EventListenerManager eventListenerManager = this.eventListenerManager;
        Objects.requireNonNull(eventListenerManager);
        flatMap.forEach(eventListenerManager::addEventListener);
        setSystemAccessControls(list2);
    }

    private SystemAccessControl createSystemAccessControl(File file) {
        log.info("-- Loading system access control %s --", new Object[]{file});
        File absoluteFile = file.getAbsoluteFile();
        try {
            HashMap hashMap = new HashMap(ConfigurationLoader.loadPropertiesFrom(absoluteFile.getPath()));
            String str = (String) hashMap.remove(NAME_PROPERTY);
            Preconditions.checkState(!Strings.isNullOrEmpty(str), "Access control configuration does not contain '%s' property: %s", NAME_PROPERTY, absoluteFile);
            SystemAccessControlFactory systemAccessControlFactory = this.systemAccessControlFactories.get(str);
            Preconditions.checkState(systemAccessControlFactory != null, "Access control '%s' is not registered: %s", str, absoluteFile);
            ThreadContextClassLoader threadContextClassLoader = new ThreadContextClassLoader(systemAccessControlFactory.getClass().getClassLoader());
            try {
                SystemAccessControl create = systemAccessControlFactory.create(ImmutableMap.copyOf(hashMap));
                threadContextClassLoader.close();
                log.info("-- Loaded system access control %s --", new Object[]{str});
                return create;
            } catch (Throwable th) {
                try {
                    threadContextClassLoader.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to read configuration file: " + absoluteFile, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    public void setSystemAccessControl(String str, Map<String, String> map) {
        Objects.requireNonNull(str, "name is null");
        Objects.requireNonNull(map, "properties is null");
        SystemAccessControlFactory systemAccessControlFactory = this.systemAccessControlFactories.get(str);
        Preconditions.checkState(systemAccessControlFactory != null, "Access control '%s' is not registered", str);
        ThreadContextClassLoader threadContextClassLoader = new ThreadContextClassLoader(systemAccessControlFactory.getClass().getClassLoader());
        try {
            SystemAccessControl create = systemAccessControlFactory.create(ImmutableMap.copyOf(map));
            threadContextClassLoader.close();
            setSystemAccessControls(ImmutableList.of(create));
        } catch (Throwable th) {
            try {
                threadContextClassLoader.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @VisibleForTesting
    public void addSystemAccessControl(SystemAccessControl systemAccessControl) {
        this.systemAccessControls.updateAndGet(list -> {
            return ImmutableList.builder().addAll(list).add(systemAccessControl).build();
        });
    }

    @VisibleForTesting
    public void setSystemAccessControls(List<SystemAccessControl> list) {
        Preconditions.checkState(this.systemAccessControls.compareAndSet(null, list), "System access control already initialized");
    }

    @Override // io.trino.security.AccessControl
    public void checkCanImpersonateUser(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "userName is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanImpersonateUser(new SystemSecurityContext(identity, Optional.empty()), str);
        });
    }

    @Override // io.trino.security.AccessControl
    @Deprecated
    public void checkCanSetUser(Optional<Principal> optional, String str) {
        Objects.requireNonNull(optional, "principal is null");
        Objects.requireNonNull(str, "userName is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetUser(optional, str);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanReadSystemInformation(Identity identity) {
        Objects.requireNonNull(identity, "identity is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(identity, Optional.empty()));
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanWriteSystemInformation(Identity identity) {
        Objects.requireNonNull(identity, "identity is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(identity, Optional.empty()));
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanExecuteQuery(Identity identity) {
        Objects.requireNonNull(identity, "identity is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(identity, Optional.empty()));
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanViewQueryOwnedBy(Identity identity, Identity identity2) {
        Objects.requireNonNull(identity, "identity is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(identity, Optional.empty()), identity2);
        });
    }

    @Override // io.trino.security.AccessControl
    public Collection<Identity> filterQueriesOwnedBy(Identity identity, Collection<Identity> collection) {
        Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
        while (it.hasNext()) {
            collection = it.next().filterViewQueryOwnedBy(new SystemSecurityContext(identity, Optional.empty()), collection);
        }
        return collection;
    }

    @Override // io.trino.security.AccessControl
    public void checkCanKillQueryOwnedBy(Identity identity, Identity identity2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(identity2, "queryOwner is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(identity, Optional.empty()), identity2);
        });
    }

    @Override // io.trino.security.AccessControl
    public Set<String> filterCatalogs(Identity identity, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(set, "catalogs is null");
        Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
        while (it.hasNext()) {
            set = it.next().filterCatalogs(new SystemSecurityContext(identity, Optional.empty()), set);
        }
        return set;
    }

    @Override // io.trino.security.AccessControl
    public void checkCanCreateSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanCreateSchema(securityContext.toSystemSecurityContext(), catalogSchemaName);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanCreateSchema(connectorSecurityContext, catalogSchemaName.getSchemaName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDropSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanDropSchema(securityContext.toSystemSecurityContext(), catalogSchemaName);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDropSchema(connectorSecurityContext, catalogSchemaName.getSchemaName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRenameSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName, String str) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanRenameSchema(securityContext.toSystemSecurityContext(), catalogSchemaName, str);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRenameSchema(connectorSecurityContext, catalogSchemaName.getSchemaName(), str);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetSchemaAuthorization(SecurityContext securityContext, CatalogSchemaName catalogSchemaName, TrinoPrincipal trinoPrincipal) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetSchemaAuthorization(securityContext.toSystemSecurityContext(), catalogSchemaName, trinoPrincipal);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSetSchemaAuthorization(connectorSecurityContext, catalogSchemaName.getSchemaName(), trinoPrincipal);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowSchemas(SecurityContext securityContext, String str) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "catalogName is null");
        checkCanAccessCatalog(securityContext, str);
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanShowSchemas(securityContext.toSystemSecurityContext(), str);
        });
        catalogAuthorizationCheck(str, securityContext, (v0, v1) -> {
            v0.checkCanShowSchemas(v1);
        });
    }

    @Override // io.trino.security.AccessControl
    public Set<String> filterSchemas(SecurityContext securityContext, String str, Set<String> set) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(set, "schemaNames is null");
        if (filterCatalogs(securityContext.getIdentity(), ImmutableSet.of(str)).isEmpty()) {
            return ImmutableSet.of();
        }
        Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
        while (it.hasNext()) {
            set = it.next().filterSchemas(securityContext.toSystemSecurityContext(), str, set);
        }
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            set = connectorAccessControl.getAccessControl().filterSchemas(connectorAccessControl.toConnectorSecurityContext(securityContext), set);
        }
        return set;
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowCreateSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanShowCreateSchema(securityContext.toSystemSecurityContext(), catalogSchemaName);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanShowCreateSchema(connectorSecurityContext, catalogSchemaName.getSchemaName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowCreateTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanShowCreateTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanShowCreateTable(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanCreateTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanCreateTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanCreateTable(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanCreateTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Map<String, Object> map) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanCreateTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), map);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanCreateTable(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), map);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDropTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanDropTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDropTable(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRenameTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(qualifiedObjectName2, "newTableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanRenameTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), qualifiedObjectName2.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRenameTable(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), qualifiedObjectName2.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetTableProperties(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Map<String, Object> map) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(map, "properties is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetTableProperties(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), map);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSetTableProperties(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), map);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetTableComment(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetTableComment(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSetTableComment(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetColumnComment(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetColumnComment(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSetColumnComment(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowTables(SecurityContext securityContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schema is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanShowTables(securityContext.toSystemSecurityContext(), catalogSchemaName);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanShowTables(connectorSecurityContext, catalogSchemaName.getSchemaName());
        });
    }

    @Override // io.trino.security.AccessControl
    public Set<SchemaTableName> filterTables(SecurityContext securityContext, String str, Set<SchemaTableName> set) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(set, "tableNames is null");
        if (filterCatalogs(securityContext.getIdentity(), ImmutableSet.of(str)).isEmpty()) {
            return ImmutableSet.of();
        }
        Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
        while (it.hasNext()) {
            set = it.next().filterTables(securityContext.toSystemSecurityContext(), str, set);
        }
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl != null) {
            set = connectorAccessControl.getAccessControl().filterTables(connectorAccessControl.toConnectorSecurityContext(securityContext), set);
        }
        return set;
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowColumns(SecurityContext securityContext, CatalogSchemaTableName catalogSchemaTableName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaTableName, "table is null");
        checkCanAccessCatalog(securityContext, catalogSchemaTableName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanShowColumns(securityContext.toSystemSecurityContext(), catalogSchemaTableName);
        });
        catalogAuthorizationCheck(catalogSchemaTableName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanShowColumns(connectorSecurityContext, catalogSchemaTableName.getSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public Set<String> filterColumns(SecurityContext securityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaTableName, "tableName is null");
        if (filterTables(securityContext, catalogSchemaTableName.getCatalogName(), ImmutableSet.of(catalogSchemaTableName.getSchemaTableName())).isEmpty()) {
            return ImmutableSet.of();
        }
        Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
        while (it.hasNext()) {
            set = it.next().filterColumns(securityContext.toSystemSecurityContext(), catalogSchemaTableName, set);
        }
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), catalogSchemaTableName.getCatalogName());
        if (connectorAccessControl != null) {
            set = connectorAccessControl.getAccessControl().filterColumns(connectorAccessControl.toConnectorSecurityContext(securityContext), catalogSchemaTableName.getSchemaTableName(), set);
        }
        return set;
    }

    @Override // io.trino.security.AccessControl
    public void checkCanAddColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanAddColumn(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanAddColumn(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDropColumn(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanDropColumn(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDropColumn(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRenameColumn(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanRenameColumn(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRenameColumn(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetTableAuthorization(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, TrinoPrincipal trinoPrincipal) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(trinoPrincipal, "principal is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetTableAuthorization(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), trinoPrincipal);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSetTableAuthorization(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), trinoPrincipal);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanInsertIntoTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanInsertIntoTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanInsertIntoTable(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDeleteFromTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanDeleteFromTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDeleteFromTable(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanTruncateTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanTruncateTable(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanTruncateTable(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanUpdateTableColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanUpdateTableColumns(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), set);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanUpdateTableColumns(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), set);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanCreateView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanCreateView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanCreateView(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRenameView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        Objects.requireNonNull(qualifiedObjectName2, "newViewName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanRenameView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), qualifiedObjectName2.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRenameView(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), qualifiedObjectName2.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetViewAuthorization(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, TrinoPrincipal trinoPrincipal) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        Objects.requireNonNull(trinoPrincipal, "principal is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetViewAuthorization(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), trinoPrincipal);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSetViewAuthorization(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), trinoPrincipal);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDropView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanDropView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDropView(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanCreateViewWithSelectFromColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanCreateViewWithSelectFromColumns(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), set);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanCreateViewWithSelectFromColumns(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), set);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanCreateMaterializedView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "materializedViewName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanCreateMaterializedView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanCreateMaterializedView(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRefreshMaterializedView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "materializedViewName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanRefreshMaterializedView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRefreshMaterializedView(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDropMaterializedView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "materializedViewName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanDropMaterializedView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDropMaterializedView(connectorSecurityContext, qualifiedObjectName.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRenameMaterializedView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        Objects.requireNonNull(qualifiedObjectName2, "newViewName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanRenameMaterializedView(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), qualifiedObjectName2.asCatalogSchemaTableName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRenameMaterializedView(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), qualifiedObjectName2.asSchemaTableName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanGrantExecuteFunctionPrivilege(SecurityContext securityContext, String str, Identity identity, boolean z) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "functionName is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanGrantExecuteFunctionPrivilege(securityContext.toSystemSecurityContext(), str, new TrinoPrincipal(PrincipalType.USER, identity.getUser()), z);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanGrantSchemaPrivilege(SecurityContext securityContext, Privilege privilege, CatalogSchemaName catalogSchemaName, TrinoPrincipal trinoPrincipal, boolean z) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanGrantSchemaPrivilege(securityContext.toSystemSecurityContext(), privilege, catalogSchemaName, trinoPrincipal, z);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanGrantSchemaPrivilege(connectorSecurityContext, privilege, catalogSchemaName.getSchemaName(), trinoPrincipal, z);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDenySchemaPrivilege(SecurityContext securityContext, Privilege privilege, CatalogSchemaName catalogSchemaName, TrinoPrincipal trinoPrincipal) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanDenySchemaPrivilege(securityContext.toSystemSecurityContext(), privilege, catalogSchemaName, trinoPrincipal);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDenySchemaPrivilege(connectorSecurityContext, privilege, catalogSchemaName.getSchemaName(), trinoPrincipal);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRevokeSchemaPrivilege(SecurityContext securityContext, Privilege privilege, CatalogSchemaName catalogSchemaName, TrinoPrincipal trinoPrincipal, boolean z) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        checkCanAccessCatalog(securityContext, catalogSchemaName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanRevokeSchemaPrivilege(securityContext.toSystemSecurityContext(), privilege, catalogSchemaName, trinoPrincipal, z);
        });
        catalogAuthorizationCheck(catalogSchemaName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRevokeSchemaPrivilege(connectorSecurityContext, privilege, catalogSchemaName.getSchemaName(), trinoPrincipal, z);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanGrantTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName qualifiedObjectName, TrinoPrincipal trinoPrincipal, boolean z) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanGrantTablePrivilege(securityContext.toSystemSecurityContext(), privilege, qualifiedObjectName.asCatalogSchemaTableName(), trinoPrincipal, z);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanGrantTablePrivilege(connectorSecurityContext, privilege, qualifiedObjectName.asSchemaTableName(), trinoPrincipal, z);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDenyTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName qualifiedObjectName, TrinoPrincipal trinoPrincipal) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanDenyTablePrivilege(securityContext.toSystemSecurityContext(), privilege, qualifiedObjectName.asCatalogSchemaTableName(), trinoPrincipal);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDenyTablePrivilege(connectorSecurityContext, privilege, qualifiedObjectName.asSchemaTableName(), trinoPrincipal);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRevokeTablePrivilege(SecurityContext securityContext, Privilege privilege, QualifiedObjectName qualifiedObjectName, TrinoPrincipal trinoPrincipal, boolean z) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanRevokeTablePrivilege(securityContext.toSystemSecurityContext(), privilege, qualifiedObjectName.asCatalogSchemaTableName(), trinoPrincipal, z);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRevokeTablePrivilege(connectorSecurityContext, privilege, qualifiedObjectName.asSchemaTableName(), trinoPrincipal, z);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetSystemSessionProperty(Identity identity, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "propertyName is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetSystemSessionProperty(new SystemSecurityContext(identity, Optional.empty()), str);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetCatalogSessionProperty(SecurityContext securityContext, String str, String str2) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(str2, "propertyName is null");
        checkCanAccessCatalog(securityContext, str);
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSetCatalogSessionProperty(securityContext.toSystemSecurityContext(), str, str2);
        });
        catalogAuthorizationCheck(str, securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSetCatalogSessionProperty(connectorSecurityContext, str2);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSelectFromColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(set, "columnNames is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanSelectFromColumns(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), set);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSelectFromColumns(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), set);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanCreateRole(SecurityContext securityContext, String str, Optional<TrinoPrincipal> optional, Optional<String> optional2) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(optional2, "catalogName is null");
        if (!optional2.isPresent()) {
            systemAuthorizationCheck(systemAccessControl -> {
                systemAccessControl.checkCanCreateRole(securityContext.toSystemSecurityContext(), str, optional);
            });
            return;
        }
        checkCanAccessCatalog(securityContext, optional2.get());
        checkCatalogRoles(securityContext, optional2.get());
        catalogAuthorizationCheck(optional2.get(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanCreateRole(connectorSecurityContext, str, optional);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanDropRole(SecurityContext securityContext, String str, Optional<String> optional) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(optional, "catalogName is null");
        if (!optional.isPresent()) {
            systemAuthorizationCheck(systemAccessControl -> {
                systemAccessControl.checkCanDropRole(securityContext.toSystemSecurityContext(), str);
            });
            return;
        }
        checkCanAccessCatalog(securityContext, optional.get());
        checkCatalogRoles(securityContext, optional.get());
        catalogAuthorizationCheck(optional.get(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanDropRole(connectorSecurityContext, str);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanGrantRoles(SecurityContext securityContext, Set<String> set, Set<TrinoPrincipal> set2, boolean z, Optional<TrinoPrincipal> optional, Optional<String> optional2) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(set, "roles is null");
        Objects.requireNonNull(set2, "grantees is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(optional2, "catalogName is null");
        if (!optional2.isPresent()) {
            systemAuthorizationCheck(systemAccessControl -> {
                systemAccessControl.checkCanGrantRoles(securityContext.toSystemSecurityContext(), set, set2, z, optional);
            });
            return;
        }
        checkCanAccessCatalog(securityContext, optional2.get());
        checkCatalogRoles(securityContext, optional2.get());
        catalogAuthorizationCheck(optional2.get(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanGrantRoles(connectorSecurityContext, set, set2, z, optional);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanRevokeRoles(SecurityContext securityContext, Set<String> set, Set<TrinoPrincipal> set2, boolean z, Optional<TrinoPrincipal> optional, Optional<String> optional2) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(set, "roles is null");
        Objects.requireNonNull(set2, "grantees is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(optional2, "catalogName is null");
        if (!optional2.isPresent()) {
            systemAuthorizationCheck(systemAccessControl -> {
                systemAccessControl.checkCanRevokeRoles(securityContext.toSystemSecurityContext(), set, set2, z, optional);
            });
            return;
        }
        checkCanAccessCatalog(securityContext, optional2.get());
        checkCatalogRoles(securityContext, optional2.get());
        catalogAuthorizationCheck(optional2.get(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanRevokeRoles(connectorSecurityContext, set, set2, z, optional);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanSetCatalogRole(SecurityContext securityContext, String str, String str2) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(str2, "catalogName is null");
        checkCanAccessCatalog(securityContext, str2);
        catalogAuthorizationCheck(str2, securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanSetRole(connectorSecurityContext, str);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowRoleAuthorizationDescriptors(SecurityContext securityContext, Optional<String> optional) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(optional, "catalogName is null");
        if (!optional.isPresent()) {
            systemAuthorizationCheck(systemAccessControl -> {
                systemAccessControl.checkCanShowRoleAuthorizationDescriptors(securityContext.toSystemSecurityContext());
            });
            return;
        }
        checkCanAccessCatalog(securityContext, optional.get());
        checkCatalogRoles(securityContext, optional.get());
        catalogAuthorizationCheck(optional.get(), securityContext, (v0, v1) -> {
            v0.checkCanShowRoleAuthorizationDescriptors(v1);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowRoles(SecurityContext securityContext, Optional<String> optional) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(optional, "catalogName is null");
        if (!optional.isPresent()) {
            systemAuthorizationCheck(systemAccessControl -> {
                systemAccessControl.checkCanShowRoles(securityContext.toSystemSecurityContext());
            });
            return;
        }
        checkCanAccessCatalog(securityContext, optional.get());
        checkCatalogRoles(securityContext, optional.get());
        catalogAuthorizationCheck(optional.get(), securityContext, (v0, v1) -> {
            v0.checkCanShowRoles(v1);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowCurrentRoles(SecurityContext securityContext, Optional<String> optional) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(optional, "catalogName is null");
        if (!optional.isPresent()) {
            systemAuthorizationCheck(systemAccessControl -> {
                systemAccessControl.checkCanShowCurrentRoles(securityContext.toSystemSecurityContext());
            });
            return;
        }
        checkCanAccessCatalog(securityContext, optional.get());
        checkCatalogRoles(securityContext, optional.get());
        catalogAuthorizationCheck(optional.get(), securityContext, (v0, v1) -> {
            v0.checkCanShowCurrentRoles(v1);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanShowRoleGrants(SecurityContext securityContext, Optional<String> optional) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(optional, "catalogName is null");
        if (!optional.isPresent()) {
            systemAuthorizationCheck(systemAccessControl -> {
                systemAccessControl.checkCanShowRoleGrants(securityContext.toSystemSecurityContext());
            });
            return;
        }
        checkCanAccessCatalog(securityContext, optional.get());
        checkCatalogRoles(securityContext, optional.get());
        catalogAuthorizationCheck(optional.get(), securityContext, (v0, v1) -> {
            v0.checkCanShowRoleGrants(v1);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanExecuteProcedure(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(qualifiedObjectName, "procedureName is null");
        checkCanAccessCatalog(securityContext, qualifiedObjectName.getCatalogName());
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanExecuteProcedure(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaRoutineName());
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanExecuteProcedure(connectorSecurityContext, qualifiedObjectName.asSchemaRoutineName());
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanExecuteFunction(SecurityContext securityContext, String str) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(str, "functionName is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanExecuteFunction(securityContext.toSystemSecurityContext(), str);
        });
    }

    @Override // io.trino.security.AccessControl
    public void checkCanExecuteTableProcedure(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, String str) {
        Objects.requireNonNull(securityContext, "securityContext is null");
        Objects.requireNonNull(str, "procedureName is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        systemAuthorizationCheck(systemAccessControl -> {
            systemAccessControl.checkCanExecuteTableProcedure(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), str);
        });
        catalogAuthorizationCheck(qualifiedObjectName.getCatalogName(), securityContext, (connectorAccessControl, connectorSecurityContext) -> {
            connectorAccessControl.checkCanExecuteTableProcedure(connectorSecurityContext, qualifiedObjectName.asSchemaTableName(), str);
        });
    }

    @Override // io.trino.security.AccessControl
    public List<ViewExpression> getRowFilters(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        ImmutableList.Builder builder = ImmutableList.builder();
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            Optional rowFilter = connectorAccessControl.getAccessControl().getRowFilter(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName());
            Objects.requireNonNull(builder);
            rowFilter.ifPresent((v1) -> {
                r1.add(v1);
            });
        }
        Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
        while (it.hasNext()) {
            Optional rowFilter2 = it.next().getRowFilter(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName());
            Objects.requireNonNull(builder);
            rowFilter2.ifPresent((v1) -> {
                r1.add(v1);
            });
        }
        return builder.build();
    }

    @Override // io.trino.security.AccessControl
    public List<ViewExpression> getColumnMasks(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, String str, Type type) {
        Objects.requireNonNull(securityContext, "context is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        ImmutableList.Builder builder = ImmutableList.builder();
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            Optional columnMask = connectorAccessControl.getAccessControl().getColumnMask(connectorAccessControl.toConnectorSecurityContext(securityContext), qualifiedObjectName.asSchemaTableName(), str, type);
            Objects.requireNonNull(builder);
            columnMask.ifPresent((v1) -> {
                r1.add(v1);
            });
        }
        Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
        while (it.hasNext()) {
            Optional columnMask2 = it.next().getColumnMask(securityContext.toSystemSecurityContext(), qualifiedObjectName.asCatalogSchemaTableName(), str, type);
            Objects.requireNonNull(builder);
            columnMask2.ifPresent((v1) -> {
                r1.add(v1);
            });
        }
        return builder.build();
    }

    private CatalogAccessControlEntry getConnectorAccessControl(TransactionId transactionId, String str) {
        return (CatalogAccessControlEntry) this.transactionManager.getOptionalCatalogMetadata(transactionId, str).map(catalogMetadata -> {
            return this.connectorAccessControl.get(catalogMetadata.getCatalogName());
        }).orElse(null);
    }

    @Managed
    @Nested
    public CounterStat getAuthorizationSuccess() {
        return this.authorizationSuccess;
    }

    @Managed
    @Nested
    public CounterStat getAuthorizationFail() {
        return this.authorizationFail;
    }

    private void checkCanAccessCatalog(SecurityContext securityContext, String str) {
        try {
            Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
            while (it.hasNext()) {
                it.next().checkCanAccessCatalog(securityContext.toSystemSecurityContext(), str);
            }
            this.authorizationSuccess.update(1L);
        } catch (TrinoException e) {
            this.authorizationFail.update(1L);
            throw e;
        }
    }

    private void systemAuthorizationCheck(Consumer<SystemAccessControl> consumer) {
        try {
            Iterator<SystemAccessControl> it = getSystemAccessControls().iterator();
            while (it.hasNext()) {
                consumer.accept(it.next());
            }
            this.authorizationSuccess.update(1L);
        } catch (TrinoException e) {
            this.authorizationFail.update(1L);
            throw e;
        }
    }

    private void catalogAuthorizationCheck(String str, SecurityContext securityContext, BiConsumer<ConnectorAccessControl, ConnectorSecurityContext> biConsumer) {
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(securityContext.getTransactionId(), str);
        if (connectorAccessControl == null) {
            return;
        }
        try {
            biConsumer.accept(connectorAccessControl.getAccessControl(), connectorAccessControl.toConnectorSecurityContext(securityContext));
            this.authorizationSuccess.update(1L);
        } catch (TrinoException e) {
            this.authorizationFail.update(1L);
            throw e;
        }
    }

    private void checkCatalogRoles(SecurityContext securityContext, String str) {
        if (getConnectorAccessControl(securityContext.getTransactionId(), str) == null) {
            throw new TrinoException(StandardErrorCode.NOT_SUPPORTED, String.format("Catalog %s does not support catalog roles", str));
        }
    }

    private List<SystemAccessControl> getSystemAccessControls() {
        return (List) Optional.ofNullable(this.systemAccessControls.get()).orElse(ImmutableList.of(new InitializingSystemAccessControl()));
    }
}
