package org.apache.cassandra.auth;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.Attributes;
import org.apache.cassandra.cql3.BatchQueryOptions;
import org.apache.cassandra.cql3.CQLStatement;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.VariableSpecifications;
import org.apache.cassandra.cql3.statements.BatchStatement;
import org.apache.cassandra.cql3.statements.ModificationStatement;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.schema.SchemaConstants;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/auth/CassandraAuthorizer.class */
public class CassandraAuthorizer implements IAuthorizer {
    private static final Logger logger = LoggerFactory.getLogger(CassandraAuthorizer.class);
    private static final String ROLE = "role";
    private static final String RESOURCE = "resource";
    private static final String PERMISSIONS = "permissions";
    private SelectStatement authorizeRoleStatement;

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<Permission> authorize(AuthenticatedUser authenticatedUser, IResource iResource) {
        try {
            if (authenticatedUser.isSuper()) {
                return iResource.applicablePermissions();
            }
            EnumSet noneOf = EnumSet.noneOf(Permission.class);
            Iterator<Role> it = authenticatedUser.getRoleDetails().iterator();
            while (it.hasNext()) {
                addPermissionsForRole(noneOf, iResource, it.next().resource);
            }
            return noneOf;
        } catch (RequestExecutionException | RequestValidationException e) {
            logger.debug("Failed to authorize {} for {}", authenticatedUser, iResource);
            throw new UnauthorizedException("Unable to perform authorization of permissions: " + e.getMessage(), e);
        }
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void grant(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestValidationException, RequestExecutionException {
        modifyRolePermissions(set, iResource, roleResource, "+");
        addLookupEntry(iResource, roleResource);
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void revoke(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestValidationException, RequestExecutionException {
        modifyRolePermissions(set, iResource, roleResource, "-");
        removeLookupEntry(iResource, roleResource);
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void revokeAllFrom(RoleResource roleResource) {
        try {
            UntypedResultSet process = process(String.format("SELECT resource FROM %s.%s WHERE role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS, escape(roleResource.getRoleName())));
            ArrayList arrayList = new ArrayList();
            Iterator<UntypedResultSet.Row> it = process.iterator();
            while (it.hasNext()) {
                arrayList.add(QueryProcessor.getStatement(String.format("DELETE FROM %s.%s WHERE resource = '%s' AND role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.RESOURCE_ROLE_INDEX, escape(it.next().getString(RESOURCE)), escape(roleResource.getRoleName())), ClientState.forInternalCalls()));
            }
            arrayList.add(QueryProcessor.getStatement(String.format("DELETE FROM %s.%s WHERE role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS, escape(roleResource.getRoleName())), ClientState.forInternalCalls()));
            executeLoggedBatch(arrayList);
        } catch (RequestExecutionException | RequestValidationException e) {
            logger.warn(String.format("CassandraAuthorizer failed to revoke all permissions of %s", roleResource.getRoleName()), e);
        }
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void revokeAllOn(IResource iResource) {
        try {
            UntypedResultSet process = process(String.format("SELECT role FROM %s.%s WHERE resource = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.RESOURCE_ROLE_INDEX, escape(iResource.getName())));
            ArrayList arrayList = new ArrayList();
            Iterator<UntypedResultSet.Row> it = process.iterator();
            while (it.hasNext()) {
                arrayList.add(QueryProcessor.getStatement(String.format("DELETE FROM %s.%s WHERE role = '%s' AND resource = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS, escape(it.next().getString(ROLE)), escape(iResource.getName())), ClientState.forInternalCalls()));
            }
            arrayList.add(QueryProcessor.getStatement(String.format("DELETE FROM %s.%s WHERE resource = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.RESOURCE_ROLE_INDEX, escape(iResource.getName())), ClientState.forInternalCalls()));
            executeLoggedBatch(arrayList);
        } catch (RequestExecutionException | RequestValidationException e) {
            logger.warn(String.format("CassandraAuthorizer failed to revoke all permissions on %s", iResource), e);
        }
    }

    private void executeLoggedBatch(List<CQLStatement> list) throws RequestExecutionException, RequestValidationException {
        processBatch(new BatchStatement(BatchStatement.Type.LOGGED, VariableSpecifications.empty(), Lists.newArrayList(Iterables.filter(list, ModificationStatement.class)), Attributes.none()));
    }

    private void addPermissionsForRole(Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestExecutionException, RequestValidationException {
        UntypedResultSet create = UntypedResultSet.create(select(this.authorizeRoleStatement, QueryOptions.forInternalCalls(ConsistencyLevel.LOCAL_ONE, Lists.newArrayList(new ByteBuffer[]{ByteBufferUtil.bytes(roleResource.getRoleName()), ByteBufferUtil.bytes(iResource.getName())}))).result);
        if (create.isEmpty() || !create.one().has(PERMISSIONS)) {
            return;
        }
        Iterator it = create.one().getSet(PERMISSIONS, UTF8Type.instance).iterator();
        while (it.hasNext()) {
            set.add(Permission.valueOf((String) it.next()));
        }
    }

    private void modifyRolePermissions(Set<Permission> set, IResource iResource, RoleResource roleResource, String str) throws RequestExecutionException {
        process(String.format("UPDATE %s.%s SET permissions = permissions %s {%s} WHERE role = '%s' AND resource = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS, str, "'" + StringUtils.join(set, "','") + "'", escape(roleResource.getRoleName()), escape(iResource.getName())));
    }

    private void removeLookupEntry(IResource iResource, RoleResource roleResource) throws RequestExecutionException {
        process(String.format("DELETE FROM %s.%s WHERE resource = '%s' and role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.RESOURCE_ROLE_INDEX, escape(iResource.getName()), escape(roleResource.getRoleName())));
    }

    private void addLookupEntry(IResource iResource, RoleResource roleResource) throws RequestExecutionException {
        process(String.format("INSERT INTO %s.%s (resource, role) VALUES ('%s','%s')", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.RESOURCE_ROLE_INDEX, escape(iResource.getName()), escape(roleResource.getRoleName())));
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<PermissionDetails> list(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestValidationException, RequestExecutionException {
        if (!authenticatedUser.isSuper() && !authenticatedUser.isSystem() && !authenticatedUser.getRoles().contains(roleResource) && !authenticatedUser.getPermissions(RoleResource.root()).contains(Permission.DESCRIBE) && (roleResource == null || !authenticatedUser.getPermissions(roleResource).contains(Permission.DESCRIBE))) {
            Object[] objArr = new Object[1];
            objArr[0] = roleResource == null ? "everyone" : roleResource.getRoleName();
            throw new UnauthorizedException(String.format("You are not authorized to view %s's permissions", objArr));
        }
        if (null == roleResource) {
            return listPermissionsForRole(set, iResource, null);
        }
        Set<RoleResource> roles = DatabaseDescriptor.getRoleManager().getRoles(roleResource, true);
        HashSet hashSet = new HashSet();
        Iterator<RoleResource> it = roles.iterator();
        while (it.hasNext()) {
            hashSet.addAll(listPermissionsForRole(set, iResource, it.next()));
        }
        return hashSet;
    }

    private Set<PermissionDetails> listPermissionsForRole(Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestExecutionException {
        HashSet hashSet = new HashSet();
        Iterator<UntypedResultSet.Row> it = process(buildListQuery(iResource, roleResource)).iterator();
        while (it.hasNext()) {
            UntypedResultSet.Row next = it.next();
            if (next.has(PERMISSIONS)) {
                Iterator it2 = next.getSet(PERMISSIONS, UTF8Type.instance).iterator();
                while (it2.hasNext()) {
                    Permission valueOf = Permission.valueOf((String) it2.next());
                    if (set.contains(valueOf)) {
                        hashSet.add(new PermissionDetails(next.getString(ROLE), Resources.fromName(next.getString(RESOURCE)), valueOf));
                    }
                }
            }
        }
        return hashSet;
    }

    private String buildListQuery(IResource iResource, RoleResource roleResource) {
        String str;
        ArrayList newArrayList = Lists.newArrayList(new String[]{SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS});
        ArrayList arrayList = new ArrayList();
        if (iResource != null) {
            arrayList.add("resource = '%s'");
            newArrayList.add(escape(iResource.getName()));
        }
        if (roleResource != null) {
            arrayList.add("role = '%s'");
            newArrayList.add(escape(roleResource.getRoleName()));
        }
        str = "SELECT role, resource, permissions FROM %s.%s";
        str = arrayList.isEmpty() ? "SELECT role, resource, permissions FROM %s.%s" : str + " WHERE " + StringUtils.join(arrayList, " AND ");
        if (iResource != null && roleResource == null) {
            str = str + " ALLOW FILTERING";
        }
        return String.format(str, newArrayList.toArray());
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<DataResource> protectedResources() {
        return ImmutableSet.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS));
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void validateConfiguration() throws ConfigurationException {
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void setup() {
        this.authorizeRoleStatement = prepare(ROLE, AuthKeyspace.ROLE_PERMISSIONS);
    }

    private SelectStatement prepare(String str, String str2) {
        return (SelectStatement) QueryProcessor.getStatement(String.format("SELECT permissions FROM %s.%s WHERE %s = ? AND resource = ?", SchemaConstants.AUTH_KEYSPACE_NAME, str2, str), ClientState.forInternalCalls());
    }

    private String escape(String str) {
        return StringUtils.replace(str, "'", "''");
    }

    ResultMessage.Rows select(SelectStatement selectStatement, QueryOptions queryOptions) {
        return selectStatement.execute(QueryState.forInternalCalls(), queryOptions, System.nanoTime());
    }

    UntypedResultSet process(String str) throws RequestExecutionException {
        return QueryProcessor.process(str, ConsistencyLevel.LOCAL_ONE);
    }

    void processBatch(BatchStatement batchStatement) {
        QueryProcessor.instance.processBatch(batchStatement, QueryState.forInternalCalls(), BatchQueryOptions.withoutPerStatementVariables(QueryOptions.DEFAULT), System.nanoTime());
    }
}
