package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.cassandra.cql3.RLACExpression;
import com.datastax.bdp.cassandra.cql3.RlacWhitelistStatement;
import com.datastax.bdp.cassandra.cql3.RpcCallStatement;
import com.datastax.bdp.cassandra.cql3.StatementUtils;
import com.datastax.dse.byos.shade.com.google.inject.Inject;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.util.Collections;
import java.util.Set;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.DataResource;
import org.apache.cassandra.auth.IAuthorizer;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.config.CFMetaData;
import org.apache.cassandra.config.ColumnDefinition;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.Schema;
import org.apache.cassandra.cql3.CQLStatement;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.restrictions.StatementRestrictions;
import org.apache.cassandra.cql3.statements.AuthenticationStatement;
import org.apache.cassandra.cql3.statements.AuthorizationStatement;
import org.apache.cassandra.cql3.statements.BatchStatement;
import org.apache.cassandra.cql3.statements.ModificationStatement;
import org.apache.cassandra.cql3.statements.SchemaAlteringStatement;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.cql3.statements.TruncateStatement;
import org.apache.cassandra.cql3.statements.UseStatement;
import org.apache.cassandra.db.Clustering;
import org.apache.cassandra.db.DecoratedKey;
import org.apache.cassandra.db.marshal.AbstractType;
import org.apache.cassandra.db.marshal.CompositeType;
import org.apache.cassandra.db.rows.Row;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.schema.KeyspaceMetadata;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/RowLevelAccessControlAuthorizer.class */
public class RowLevelAccessControlAuthorizer {
    private static final Logger logger;
    public static final String EXTENSION_KEY = "DSE_RLACA";

    @Inject(optional = true)
    private static Set<RowLevelAccessControlComponentAuthorizer> rowLevelAccessControlComponentAuthorizers;
    static final /* synthetic */ boolean $assertionsDisabled;

    public static Set<RowLevelAccessControlComponentAuthorizer> getRowLevelAccessControlComponentAuthorizers() {
        return rowLevelAccessControlComponentAuthorizers;
    }

    public static CQLStatement approveStatement(CQLStatement cQLStatement, QueryState queryState, QueryOptions queryOptions) {
        if (!isEnabled()) {
            return cQLStatement;
        }
        if (cQLStatement instanceof BatchStatement) {
            ((BatchStatement) cQLStatement).getStatements().forEach(modificationStatement -> {
                verifyModificationPermissions(modificationStatement, queryState, queryOptions);
            });
        } else {
            if (cQLStatement instanceof SelectStatement) {
                return verifyAndMaybeUpdateSelect((SelectStatement) cQLStatement, queryState, queryOptions);
            }
            if (cQLStatement instanceof ModificationStatement) {
                verifyModificationPermissions((ModificationStatement) cQLStatement, queryState, queryOptions);
            } else if (cQLStatement instanceof TruncateStatement) {
                verifyUserHasPermissionForStatement(queryState.getClientState().getUser(), StatementUtils.getKeyspace(cQLStatement), StatementUtils.getColumnFamily(cQLStatement), CorePermission.MODIFY);
            } else if (!(cQLStatement instanceof UseStatement) && !(cQLStatement instanceof AuthenticationStatement) && !(cQLStatement instanceof AuthorizationStatement) && !(cQLStatement instanceof RpcCallStatement) && !(cQLStatement instanceof SchemaAlteringStatement) && !(cQLStatement instanceof RlacWhitelistStatement)) {
                throw new RuntimeException(String.format("Row Level Access Controller Does Not Know How To Handle Statement %s", cQLStatement));
            }
        }
        return cQLStatement;
    }

    public static boolean isEnabled() {
        IAuthorizer authorizer = DatabaseDescriptor.getAuthorizer();
        return (authorizer instanceof DseAuthorizer) && ((DseAuthorizer) authorizer).isRowLevelEnabled() && authorizer.requireAuthorization();
    }

    private static boolean shouldShortCircuitRlac(AuthenticatedUser authenticatedUser) {
        return authenticatedUser == null || authenticatedUser.isAnonymous() || authenticatedUser.isSystem() || authenticatedUser.isSuper();
    }

    private static boolean shouldShortCircuitRlacOrNoTarget(AuthenticatedUser authenticatedUser, String str) {
        return shouldShortCircuitRlac(authenticatedUser) || str == null;
    }

    private static boolean userHasPermissionToTableOrKs(AuthenticatedUser authenticatedUser, Permission permission, String str, String str2) {
        DseAuthorizer dseAuthorizer = (DseAuthorizer) DatabaseDescriptor.getAuthorizer();
        if ((str == null || !dseAuthorizer.authorizeExact(authenticatedUser, DataResource.table(str2, str)).contains(permission)) && !dseAuthorizer.authorizeExact(authenticatedUser, DataResource.keyspace(str2)).contains(permission)) {
            return dseAuthorizer.authorizeExact(authenticatedUser, DataResource.root()).contains(permission);
        }
        return true;
    }

    private static SelectStatement verifyAndMaybeUpdateSelect(SelectStatement selectStatement, QueryState queryState, QueryOptions queryOptions) {
        String findRlacTargetColumn = findRlacTargetColumn(selectStatement.cfm);
        AuthenticatedUser user = queryState.getClientState().getUser();
        if (!shouldShortCircuitRlacOrNoTarget(user, findRlacTargetColumn) && !userHasPermissionToTableOrKs(user, CorePermission.SELECT, selectStatement.columnFamily(), selectStatement.keyspace())) {
            if (!verifyRestrictions(selectStatement.getRestrictions(), selectStatement.cfm, queryOptions, user, true)) {
                throw new UnauthorizedException("Not authorized");
            }
            logger.debug("Restricting select for user {}", user);
            return selectStatement.addIndexRestrictions(Collections.singletonList(RLACExpression.newExpression(selectStatement.cfm, user)));
        }
        return selectStatement;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void verifyModificationPermissions(ModificationStatement modificationStatement, QueryState queryState, QueryOptions queryOptions) {
        String findRlacTargetColumn = findRlacTargetColumn(modificationStatement.cfm);
        AuthenticatedUser user = queryState.getClientState().getUser();
        if (!shouldShortCircuitRlacOrNoTarget(user, findRlacTargetColumn) && !userHasPermissionToTableOrKs(user, CorePermission.MODIFY, modificationStatement.columnFamily(), modificationStatement.keyspace()) && !verifyRestrictions(modificationStatement.getRestrictions(), modificationStatement.cfm, queryOptions, user, false)) {
            throw new UnauthorizedException("Not authorized");
        }
    }

    private static void verifyUserHasPermissionForStatement(AuthenticatedUser authenticatedUser, String str, String str2, Permission permission) {
        if (!shouldShortCircuitRlac(authenticatedUser) && !userHasPermissionToTableOrKs(authenticatedUser, permission, str2, str)) {
            throw new UnauthorizedException("Not authorized");
        }
    }

    public static boolean authorizeLocalRead(AuthenticatedUser authenticatedUser, CFMetaData cFMetaData, DecoratedKey decoratedKey, Row row) {
        ByteBuffer byteBuffer = null;
        if (cFMetaData.params.extensions != null) {
            byteBuffer = cFMetaData.params.extensions.get(EXTENSION_KEY);
        }
        ColumnDefinition columnDefinition = cFMetaData.getColumnDefinition(byteBuffer);
        if (!$assertionsDisabled && (columnDefinition == null || !columnDefinition.isPrimaryKeyColumn())) {
            throw new AssertionError();
        }
        Set<String> findRowTargetsForUser = ((DseAuthorizer) DatabaseDescriptor.getAuthorizer()).findRowTargetsForUser(authenticatedUser, cFMetaData.resource, CorePermission.SELECT);
        return columnDefinition.isPartitionKey() ? authorizeByPartitionKey(cFMetaData.getKeyValidator(), columnDefinition, decoratedKey.getKey(), findRowTargetsForUser) : authorizeByClusteringColumn(row.clustering(), columnDefinition, findRowTargetsForUser);
    }

    private static boolean verifyRestrictions(StatementRestrictions statementRestrictions, CFMetaData cFMetaData, QueryOptions queryOptions, AuthenticatedUser authenticatedUser, boolean z) {
        if (statementRestrictions.isKeyRange()) {
            return z;
        }
        ColumnDefinition columnDefinition = cFMetaData.getColumnDefinition(cFMetaData.params.extensions != null ? cFMetaData.params.extensions.get(EXTENSION_KEY) : null);
        if (!$assertionsDisabled && (columnDefinition == null || !columnDefinition.isPrimaryKeyColumn())) {
            throw new AssertionError();
        }
        Set<String> findRowTargetsForUser = ((DseAuthorizer) DatabaseDescriptor.getAuthorizer()).findRowTargetsForUser(authenticatedUser, cFMetaData.resource, z ? CorePermission.SELECT : CorePermission.MODIFY);
        if (columnDefinition.isPartitionKey()) {
            AbstractType<?> keyValidator = cFMetaData.getKeyValidator();
            for (ByteBuffer byteBuffer : statementRestrictions.getPartitionKeys(queryOptions)) {
                if (byteBuffer.hasRemaining() && !authorizeByPartitionKey(keyValidator, columnDefinition, byteBuffer, findRowTargetsForUser)) {
                    return false;
                }
            }
            return true;
        }
        if (!columnDefinition.isClusteringColumn()) {
            return true;
        }
        for (Clustering clustering : statementRestrictions.getClusteringColumns(queryOptions)) {
            if (!z) {
                if (clustering.size() <= columnDefinition.position() || clustering.get(columnDefinition.position()) == null || !authorizeByClusteringColumn(clustering, columnDefinition, findRowTargetsForUser)) {
                    return false;
                }
            } else if (clustering.size() > columnDefinition.position() && !authorizeByClusteringColumn(clustering, columnDefinition, findRowTargetsForUser)) {
                return false;
            }
        }
        return true;
    }

    private static boolean authorizeByPartitionKey(AbstractType<?> abstractType, ColumnDefinition columnDefinition, ByteBuffer byteBuffer, Set<String> set) {
        return set.contains(columnDefinition.type.getString(abstractType instanceof CompositeType ? CompositeType.extractComponent(byteBuffer, columnDefinition.position()) : byteBuffer));
    }

    private static boolean authorizeByClusteringColumn(Clustering clustering, ColumnDefinition columnDefinition, Set<String> set) {
        if (clustering == Clustering.STATIC_CLUSTERING) {
            return true;
        }
        return set.contains(columnDefinition.type.getString(clustering.get(columnDefinition.position())));
    }

    public static String findRlacTargetColumn(String str, String str2) {
        if (str == null || Schema.instance.getKeyspaceInstance(str) == null) {
            return null;
        }
        KeyspaceMetadata metadata = Schema.instance.getKeyspaceInstance(str).getMetadata();
        if (str2 == null || metadata.getTableOrViewNullable(str2) == null) {
            return null;
        }
        return findRlacTargetColumn(metadata.getTableOrViewNullable(str2));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String findRlacTargetColumn(CFMetaData cFMetaData) {
        ByteBuffer byteBuffer;
        String str = null;
        if (cFMetaData != null) {
            try {
                if (cFMetaData.params.extensions != null && (byteBuffer = cFMetaData.params.extensions.get(EXTENSION_KEY)) != null) {
                    str = ByteBufferUtil.string(byteBuffer);
                }
                logger.debug("We found the rlacTarget to be: {}", str);
            } catch (CharacterCodingException e) {
            }
        }
        return str;
    }

    static {
        $assertionsDisabled = !RowLevelAccessControlAuthorizer.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger(RowLevelAccessControlAuthorizer.class);
    }
}
