package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.cassandra.cql3.DseQueryHandler;
import com.datastax.bdp.cassandra.db.tiered.TieredTableStatsMXBean;
import com.datastax.bdp.config.DseConfig;
import com.datastax.dse.byos.shade.com.google.common.collect.ImmutableSet;
import com.datastax.dse.byos.shade.com.google.common.collect.Lists;
import com.datastax.dse.byos.shade.com.google.common.collect.Sets;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import org.apache.cassandra.auth.AuthKeyspace;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.CassandraAuthorizer;
import org.apache.cassandra.auth.DataResource;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionDetails;
import org.apache.cassandra.auth.Resources;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.auth.permission.Permissions;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.Schema;
import org.apache.cassandra.config.SchemaConstants;
import org.apache.cassandra.cql3.CQLStatement;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.cql3.statements.UseStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.apache.cassandra.utils.Pair;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthorizer.class */
public class DseAuthorizer extends CassandraAuthorizer {
    private static final String ROLE = "role";
    private static final String RESOURCE = "resource";
    private static final String PERMISSIONS = "permissions";
    private static final Set<Permission> extendedRolePermissions = Permissions.immutableSetOf(CorePermission.ALTER, CorePermission.DROP, CorePermission.AUTHORIZE, ProxyPermission.EXECUTE, ProxyPermission.LOGIN);
    protected boolean enabled;
    protected boolean rowLevelEnabled;
    private SelectStatement authorizeRoleRowsStatement;
    private SelectStatement activeResourcesStatement;
    private final RowLevelAccessControlAuthCache rlacAuthCache = new RowLevelAccessControlAuthCache(this);
    protected TransitionalMode transitionalMode = TransitionalMode.DISABLED;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthorizer$TransitionalMode.class */
    public enum TransitionalMode {
        DISABLED,
        NORMAL,
        STRICT
    }

    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public void setup() {
        super.setup();
        this.authorizeRoleRowsStatement = (SelectStatement) QueryProcessor.getStatement(String.format("SELECT resource, permissions FROM %s.%s WHERE %s = ?", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS, ROLE), ClientState.forInternalCalls()).statement;
        this.activeResourcesStatement = (SelectStatement) QueryProcessor.getStatement(String.format("SELECT resource FROM %s.%s", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.RESOURCE_ROLE_INDEX), ClientState.forInternalCalls()).statement;
    }

    public QueryState getQueryState(QueryState queryState, Map<String, ByteBuffer> map, CQLStatement cQLStatement) throws CharacterCodingException {
        ClientState clientState = queryState.getClientState();
        AuthenticatedUser user = clientState.getUser();
        String string = ByteBufferUtil.string(map.get(DseQueryHandler.PROXY_EXECUTE));
        if (!authorize(user, RoleResource.role(string)).contains(ProxyPermission.EXECUTE)) {
            throw new UnauthorizedException(String.format("Either '%s' does not have permission to execute queries as '%s' or that role does not exist. Run 'GRANT PROXY.EXECUTE ON ROLE '%s' TO '%s' as an administrator if you wish to allow this.", user.getName(), string, string, user.getName()));
        }
        AuthenticatedUser proxy = DseAuthenticator.proxy(user, string);
        if (proxy.isSuper()) {
            throw new UnauthorizedException("Cannot proxy as a super user.");
        }
        if (cQLStatement instanceof UseStatement) {
            throw new InvalidRequestException("USE statements cannot be executed as another user.  To use DSE proxy execution most efficiently, prepare your statements once beforehand (as your normal login user) and then proxy execute them multiple times.  If you really need USE, you can execute it as your normal login user and the selected keyspace will be used for proxy executed queries.");
        }
        ClientState forExternalCalls = ClientState.forExternalCalls(clientState.getRemoteAddress(), clientState.connection);
        if (clientState.getRawKeyspace() != null) {
            forExternalCalls.setKeyspace(clientState.getKeyspace());
        }
        forExternalCalls.login(proxy);
        return new QueryState(forExternalCalls);
    }

    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public Set<Permission> authorize(AuthenticatedUser authenticatedUser, IResource iResource) {
        if (!this.enabled) {
            return applicablePermissions(iResource);
        }
        if (this.transitionalMode != TransitionalMode.NORMAL && (this.transitionalMode != TransitionalMode.STRICT || authenticatedUser != AuthenticatedUser.ANONYMOUS_USER)) {
            Set<Permission> authorize = super.authorize(authenticatedUser, iResource);
            if (!isRlacTableResource(iResource)) {
                return authorize;
            }
            return new ImmutableSet.Builder().addAll((Iterable) authorize).addAll((Iterable) this.rlacAuthCache.getPermissions(authenticatedUser, (DataResource) iResource)).build();
        }
        if (authenticatedUser.isSuper()) {
            return Permissions.all();
        }
        HashSet newHashSet = Sets.newHashSet(Permissions.all());
        newHashSet.remove(CorePermission.READ);
        newHashSet.remove(CorePermission.WRITE);
        newHashSet.remove(CorePermission.DESCRIBE);
        newHashSet.remove(CorePermission.AUTHORIZE);
        return newHashSet;
    }

    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public void grant(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource) {
        if (!this.enabled) {
            throw new UnsupportedOperationException("GRANT operation is not supported by the DseAuthorizer if it is not enabled");
        }
        super.grant(authenticatedUser, set, iResource, roleResource);
    }

    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public void revoke(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource) {
        if (!this.enabled) {
            throw new UnsupportedOperationException("REVOKE operation is not supported by the DseAuthorizer if it is not enabled");
        }
        super.revoke(authenticatedUser, set, iResource, roleResource);
    }

    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public void revokeAllFrom(RoleResource roleResource) {
        if (this.enabled) {
            super.revokeAllFrom(roleResource);
        }
    }

    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public void revokeAllOn(IResource iResource) {
        if (this.enabled) {
            super.revokeAllOn(iResource);
            DseResourceFactory dseResourceFactory = new DseResourceFactory();
            dseResourceFactory.getExtensions(iResource).forEach(iResource2 -> {
                super.revokeAllOn(iResource2);
            });
            if (iResource instanceof DataResource) {
                DataResource dataResource = (DataResource) iResource;
                StreamSupport.stream(UntypedResultSet.create(this.activeResourcesStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(ConsistencyLevel.LOCAL_ONE, Collections.emptyList()), System.nanoTime()).result).spliterator(), false).map(row -> {
                    return row.getString(RESOURCE);
                }).filter(str -> {
                    return str.startsWith(TieredTableStatsMXBean.ROWS);
                }).filter(str2 -> {
                    return str2.endsWith(dataResource.getName());
                }).map(str3 -> {
                    return dseResourceFactory.fromName(str3);
                }).forEach(iResource3 -> {
                    super.revokeAllOn(iResource3);
                });
            }
        }
    }

    private static boolean isRlacTableResource(IResource iResource) {
        if (!RowLevelAccessControlAuthorizer.isEnabled() || !(iResource instanceof DataResource)) {
            return false;
        }
        DataResource dataResource = (DataResource) iResource;
        if (dataResource.isRootLevel()) {
            return false;
        }
        return (dataResource.isTableLevel() && RowLevelAccessControlAuthorizer.findRlacTargetColumn(Schema.instance.getCFMetaData(dataResource.getKeyspace(), dataResource.getTable())) == null) ? false : true;
    }

    private static Set<Permission> getPermissionSetFromResult(UntypedResultSet.Row row) {
        return (Set) row.getSet("permissions", UTF8Type.instance).stream().map(Permissions::permission).collect(Collectors.toSet());
    }

    private Set<Permission> findRowPermissionsForRole(RoleResource roleResource, DataResource dataResource) {
        return (Set) StreamSupport.stream(UntypedResultSet.create(this.authorizeRoleRowsStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(ConsistencyLevel.LOCAL_ONE, Collections.singletonList(ByteBufferUtil.bytes(roleResource.getRoleName()))), System.nanoTime()).result).spliterator(), false).map(row -> {
            return Pair.create(row.getString(RESOURCE), getPermissionSetFromResult(row));
        }).filter(pair -> {
            return ((String) pair.left).startsWith(TieredTableStatsMXBean.ROWS);
        }).filter(pair2 -> {
            return ((String) pair2.left).endsWith(dataResource.getName());
        }).flatMap(pair3 -> {
            return ((Set) pair3.right).stream();
        }).collect(Collectors.toSet());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Set<Permission> findRowPermissionsForUser(AuthenticatedUser authenticatedUser, DataResource dataResource) {
        return (Set) authenticatedUser.getRoles().stream().flatMap(roleResource -> {
            return findRowPermissionsForRole(roleResource, dataResource).stream();
        }).collect(Collectors.toSet());
    }

    private Set<String> findRowTargetsForRoleWithPermission(RoleResource roleResource, DataResource dataResource, Permission permission) {
        return (Set) StreamSupport.stream(UntypedResultSet.create(this.authorizeRoleRowsStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(ConsistencyLevel.LOCAL_ONE, Collections.singletonList(ByteBufferUtil.bytes(roleResource.getRoleName()))), System.nanoTime()).result).spliterator(), false).map(row -> {
            return Pair.create(row.getString(RESOURCE), getPermissionSetFromResult(row));
        }).filter(pair -> {
            return ((String) pair.left).startsWith(TieredTableStatsMXBean.ROWS);
        }).filter(pair2 -> {
            return ((String) pair2.left).endsWith(dataResource.getName());
        }).filter(pair3 -> {
            return ((Set) pair3.right).contains(permission);
        }).map(pair4 -> {
            return ((DseRowResource) Resources.fromName((String) pair4.left)).getRowTarget();
        }).collect(Collectors.toSet());
    }

    public Set<String> findRowTargetsForUser(AuthenticatedUser authenticatedUser, DataResource dataResource, Permission permission) {
        return (Set) authenticatedUser.getRoles().stream().flatMap(roleResource -> {
            return findRowTargetsForRoleWithPermission(roleResource, dataResource, permission).stream();
        }).collect(Collectors.toSet());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Set<Permission> authorizeExact(AuthenticatedUser authenticatedUser, IResource iResource) {
        return super.authorize(authenticatedUser, iResource);
    }

    public boolean isRowLevelEnabled() {
        return this.rowLevelEnabled;
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public boolean requireAuthorization() {
        return this.enabled;
    }

    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public void validateConfiguration() throws ConfigurationException {
        this.enabled = DseConfig.isAuthorizationEnabled();
        this.rowLevelEnabled = DseConfig.isRowLevelAuthorizationEnabled();
        this.transitionalMode = TransitionalMode.valueOf(DseConfig.getAuthorizationTransitionalMode().toUpperCase());
    }

    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public Set<PermissionDetails> list(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestValidationException, RequestExecutionException {
        if (!this.enabled) {
            throw new UnsupportedOperationException("LIST PERMISSIONS operation is not supported by the DseAuthorizer if it is not enabled");
        }
        if (!authenticatedUser.isSuper() && !authenticatedUser.isSystem() && !authenticatedUser.getRoles().contains(roleResource)) {
            Object[] objArr = new Object[1];
            objArr[0] = roleResource == null ? "everyone" : roleResource.getRoleName();
            throw new UnauthorizedException(String.format("You are not authorized to view %s's permissions", objArr));
        }
        if (null == roleResource) {
            return listPermissionsForRole(set, iResource, roleResource);
        }
        Set<RoleResource> roles = DatabaseDescriptor.getRoleManager().getRoles(roleResource, true);
        HashSet hashSet = new HashSet();
        Iterator<RoleResource> it = roles.iterator();
        while (it.hasNext()) {
            hashSet.addAll(listPermissionsForRole(set, iResource, it.next()));
        }
        return hashSet;
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<Permission> applicablePermissions(IResource iResource) {
        return ((iResource instanceof RoleResource) && iResource.hasParent()) ? extendedRolePermissions : iResource.applicablePermissions();
    }

    private Set<PermissionDetails> listPermissionsForRole(Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestExecutionException {
        HashSet hashSet = new HashSet();
        boolean z = Schema.instance.getCFMetaData(SchemaConstants.AUTH_KEYSPACE_NAME, "permissions") != null;
        String str = z ? "username" : ROLE;
        Iterator<UntypedResultSet.Row> it = QueryProcessor.process(buildListQuery(iResource, roleResource, z), ConsistencyLevel.LOCAL_ONE).iterator();
        while (it.hasNext()) {
            UntypedResultSet.Row next = it.next();
            if (next.has("permissions")) {
                Iterator it2 = next.getSet("permissions", UTF8Type.instance).iterator();
                while (it2.hasNext()) {
                    Permission permission = Permissions.permission((String) it2.next());
                    if (set.contains(permission)) {
                        hashSet.add(new PermissionDetails(next.getString(str), Resources.fromName(next.getString(RESOURCE)), permission));
                    }
                }
            }
        }
        return hashSet;
    }

    private String buildListQuery(IResource iResource, RoleResource roleResource, boolean z) {
        String str = z ? "permissions" : AuthKeyspace.ROLE_PERMISSIONS;
        String str2 = z ? "username" : ROLE;
        ArrayList newArrayList = Lists.newArrayList(SchemaConstants.AUTH_KEYSPACE_NAME, str);
        ArrayList arrayList = new ArrayList();
        if (iResource != null) {
            arrayList.add("resource = '%s'");
            newArrayList.add(escape(iResource.getName()));
        }
        if (roleResource != null) {
            arrayList.add(str2 + " = '%s'");
            newArrayList.add(escape(roleResource.getRoleName()));
        }
        String str3 = "SELECT " + str2 + ", resource, permissions FROM %s.%s";
        if (!arrayList.isEmpty()) {
            str3 = str3 + " WHERE " + StringUtils.join(arrayList, " AND ");
        }
        if (iResource != null && roleResource == null) {
            str3 = str3 + " ALLOW FILTERING";
        }
        return String.format(str3, newArrayList.toArray());
    }

    private String escape(String str) {
        return StringUtils.replace(str, "'", "''");
    }

    static {
        Resources.setResourceFactory(new DseResourceFactory());
    }
}
