package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.cassandra.auth.negotiators.ProxyAuthenticatedUser;
import com.datastax.bdp.cassandra.cql3.StatementUtils;
import com.datastax.bdp.config.ConfigUtil;
import com.datastax.bdp.config.DseConfig;
import com.datastax.bdp.config.LdapConfig;
import com.datastax.bdp.config.ModeByAuthenticationConfig;
import com.datastax.bdp.gms.DseVersionNotifier;
import com.datastax.bdp.gms.VersionBarrier;
import com.datastax.bdp.graph.api.schema.SchemaImpl;
import com.datastax.bdp.system.DseSecurityKeyspace;
import com.datastax.dse.byos.shade.com.google.common.annotations.VisibleForTesting;
import com.datastax.dse.byos.shade.com.google.common.base.Optional;
import com.datastax.dse.byos.shade.com.google.common.collect.ImmutableSet;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.CassandraRoleManager;
import org.apache.cassandra.auth.IAuthContext;
import org.apache.cassandra.auth.IRoleManager;
import org.apache.cassandra.auth.RoleOptions;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.cql3.CQLStatement;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.DeleteStatement;
import org.apache.cassandra.cql3.statements.IndexPropDefs;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.cql3.statements.UpdateStatement;
import org.apache.cassandra.db.marshal.MapType;
import org.apache.cassandra.db.marshal.TimestampType;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.ExceptionCode;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.apache.cassandra.utils.CassandraVersion;
import org.apache.cassandra.utils.Throwables;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseRoleManager.class */
public class DseRoleManager extends CassandraRoleManager {
    private static final Logger logger;
    private VersionBarrier versionBarrier;
    private Set<IRoleManager.Option> supportedOptions;
    private Set<IRoleManager.Option> alterableOptions;
    private SelectStatement loadOptionsStatement;
    private UpdateStatement insertOptionsStatement;
    private UpdateStatement updateOptionsStatement;
    private DeleteStatement deleteOptionsStatement;
    private UpdateStatement insertRoleCreationTimeStatement;
    private UpdateStatement insertPwdChangeTimeStatement;
    private DeleteStatement deleteRoleStatsStatement;
    private MapType<String, String> optionsSerializer;
    private RoleManagement roleManagement;
    private final Map<IAuthContext, RoleManagement> modeByAuth = new HashMap();
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseRoleManager$RoleManagement.class */
    public enum RoleManagement {
        INTERNAL,
        LDAP
    }

    @VisibleForTesting
    void setRoleManagementAndModeByAuth(RoleManagement roleManagement, ModeByAuthenticationConfig modeByAuthenticationConfig) {
        this.roleManagement = roleManagement;
        if (modeByAuthenticationConfig != null) {
            this.modeByAuth.clear();
            setAuthSchemeRoleManagementMode(AuthenticationScheme.INTERNAL, modeByAuthenticationConfig.internal());
            setAuthSchemeRoleManagementMode(AuthenticationScheme.LDAP, modeByAuthenticationConfig.ldap());
            setAuthSchemeRoleManagementMode(AuthenticationScheme.KERBEROS, modeByAuthenticationConfig.kerberos());
            setAuthSchemeRoleManagementMode(AuthenticationScheme.TOKEN, modeByAuthenticationConfig.kerberos());
        }
    }

    private void setAuthSchemeRoleManagementMode(AuthenticationScheme authenticationScheme, RoleManagement roleManagement) {
        if (roleManagement != null) {
            this.modeByAuth.put(authenticationScheme, roleManagement);
        }
    }

    @VisibleForTesting
    void maybeSetupLdapInstance(LdapConfig ldapConfig) {
        if (this.roleManagement == RoleManagement.LDAP || this.modeByAuth.containsValue(RoleManagement.LDAP)) {
            getLdapInstance().setupWith(ldapConfig, false);
            DnsServiceDiscoveryBasedLdapConfigurator.instance.maybeConfigure(getLdapInstance());
        }
    }

    @VisibleForTesting
    Ldap getLdapInstance() {
        return Ldap.instance;
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public void setup() {
        super.setup();
        try {
            CassandraVersion cassandraVersion = DseVersionNotifier.VERSION_50;
            boolean isRoleStatsEnabled = DseConfig.isRoleStatsEnabled();
            if (isRoleStatsEnabled) {
                cassandraVersion = DseVersionNotifier.VERSION_51;
            }
            this.versionBarrier = new VersionBarrier(cassandraVersion, String.format("DseRoleManager create/drop/alter/getcustomoperations will be locked until the upgrade to DSE %s+ finishes", cassandraVersion), "DseRoleManager unlocked after upgrade! you may now create/alter/delete roles", String.format("DseRoleManager can't create/drop/alter/getcustomoptions until the upgrade to %s+ finishes and the schema for dse_security has finished propagating.", cassandraVersion));
            setRoleManagementAndModeByAuth(DseConfig.getRoleManagement(), DseConfig.getModeByAuthenticationConfig());
            maybeSetupLdapInstance(DseConfig.getLdapConfig());
            if (isRoleStatsEnabled) {
                DseSecurityKeyspace.maybeConfigureOptionalTables();
                this.insertRoleCreationTimeStatement = (UpdateStatement) prepare("INSERT INTO %s.%s (role, created) VALUES (?,?)", DseSecurityKeyspace.ROLE_STATS);
                this.insertPwdChangeTimeStatement = (UpdateStatement) prepare("INSERT INTO %s.%s (role, password_changed) VALUES (?,?)", DseSecurityKeyspace.ROLE_STATS);
                this.deleteRoleStatsStatement = (DeleteStatement) prepare("DELETE FROM %s.%s WHERE role = ?", DseSecurityKeyspace.ROLE_STATS);
            } else {
                DseSecurityKeyspace.maybeConfigureKeyspace();
            }
            this.loadOptionsStatement = (SelectStatement) prepare("SELECT options from %s.%s WHERE role = ?", DseSecurityKeyspace.ROLE_OPTIONS);
            this.insertOptionsStatement = (UpdateStatement) prepare("INSERT INTO %s.%s (role, options) VALUES (?,?)", DseSecurityKeyspace.ROLE_OPTIONS);
            this.updateOptionsStatement = (UpdateStatement) prepare("UPDATE %s.%s SET options = ? WHERE role = ?", DseSecurityKeyspace.ROLE_OPTIONS);
            this.deleteOptionsStatement = (DeleteStatement) prepare("DELETE FROM %s.%s WHERE role = ?", DseSecurityKeyspace.ROLE_OPTIONS);
            this.optionsSerializer = MapType.getInstance(UTF8Type.instance, UTF8Type.instance, true);
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public void validateConfiguration() throws ConfigurationException {
        this.supportedOptions = DseConfig.isInternalAuthEnabled() ? ImmutableSet.of(IRoleManager.Option.LOGIN, IRoleManager.Option.SUPERUSER, IRoleManager.Option.PASSWORD, IRoleManager.Option.OPTIONS) : ImmutableSet.of(IRoleManager.Option.LOGIN, IRoleManager.Option.SUPERUSER, IRoleManager.Option.OPTIONS);
        this.alterableOptions = DseConfig.isInternalAuthEnabled() ? ImmutableSet.of(IRoleManager.Option.PASSWORD, IRoleManager.Option.OPTIONS) : ImmutableSet.of(IRoleManager.Option.OPTIONS);
        if (DseConfig.getRoleManagement() == RoleManagement.LDAP) {
            LdapConfig ldapConfig = DseConfig.getLdapConfig();
            ConfigUtil.maybeThrowCombinedConfigurationException("LDAP configuration failed - please check ldap_options section in dse.yaml and fix the following problem", ldapConfig.connectionConfig.validate(), ldapConfig.searchConfig.validateForUserSearches(), ldapConfig.searchConfig.groupSearchConfig.validateForGroupSearches());
        }
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public Set<IRoleManager.Option> supportedOptions() {
        return this.supportedOptions;
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public Set<IRoleManager.Option> alterableOptions() {
        return this.alterableOptions;
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public void createRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleOptions roleOptions) throws RequestValidationException, RequestExecutionException {
        this.versionBarrier.check();
        super.createRole(authenticatedUser, roleResource, roleOptions);
        Optional<Map<String, String>> customOptions = roleOptions.getCustomOptions();
        if (customOptions.isPresent() && !customOptions.get().isEmpty()) {
            this.insertOptionsStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(roleResource.getRoleName()), Arrays.asList(UTF8Type.instance.decompose(roleResource.getRoleName()), this.optionsSerializer.decompose(customOptions.get()))), System.nanoTime());
        }
        recordRoleCreated(roleResource, roleOptions);
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public void dropRole(AuthenticatedUser authenticatedUser, RoleResource roleResource) throws RequestValidationException, RequestExecutionException {
        this.versionBarrier.check();
        super.dropRole(authenticatedUser, roleResource);
        this.deleteOptionsStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(roleResource.getRoleName()), Collections.singletonList(UTF8Type.instance.decompose(roleResource.getRoleName()))), System.nanoTime());
        if (this.deleteRoleStatsStatement != null) {
            this.deleteRoleStatsStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(roleResource.getRoleName()), Collections.singletonList(UTF8Type.instance.decompose(roleResource.getRoleName()))), System.nanoTime());
        }
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public void alterRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleOptions roleOptions) throws RequestValidationException, RequestExecutionException {
        this.versionBarrier.check();
        super.alterRole(authenticatedUser, roleResource, roleOptions);
        Optional<Map<String, String>> customOptions = roleOptions.getCustomOptions();
        if (customOptions.isPresent()) {
            Map<String, String> map = customOptions.get();
            if (map.isEmpty()) {
                this.deleteOptionsStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(roleResource.getRoleName()), Collections.singletonList(UTF8Type.instance.decompose(roleResource.getRoleName()))), System.nanoTime());
            } else {
                this.updateOptionsStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(roleResource.getRoleName()), Arrays.asList(this.optionsSerializer.decompose(map), UTF8Type.instance.decompose(roleResource.getRoleName()))), System.nanoTime());
            }
        }
        recordPasswordChange(roleResource, roleOptions, new Date());
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public void grantRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleResource roleResource2) throws RequestValidationException, RequestExecutionException {
        if (getRoleManagementMode(authenticatedUser.getAuthContext()) != RoleManagement.INTERNAL) {
            throw new InvalidRequestException("Granting roles is not supported");
        }
        super.grantRole(authenticatedUser, roleResource, roleResource2);
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public void revokeRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleResource roleResource2) throws RequestValidationException, RequestExecutionException {
        if (getRoleManagementMode(authenticatedUser.getAuthContext()) != RoleManagement.INTERNAL) {
            throw new InvalidRequestException("Revoking roles is not supported");
        }
        super.revokeRole(authenticatedUser, roleResource, roleResource2);
    }

    @VisibleForTesting
    RoleManagement getRoleManagementMode(IAuthContext iAuthContext) {
        if ($assertionsDisabled || iAuthContext != IAuthContext.ANY) {
            return (iAuthContext == null || !this.modeByAuth.containsKey(iAuthContext)) ? this.roleManagement : this.modeByAuth.get(iAuthContext);
        }
        throw new AssertionError();
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public Set<RoleResource> getRoles(RoleResource roleResource, @Nullable IAuthContext iAuthContext, boolean z) throws RequestValidationException, RequestExecutionException {
        return getRoleManagementMode(iAuthContext) == RoleManagement.INTERNAL ? getInternalRoles(roleResource, z) : getRolesLDAP(roleResource, z);
    }

    @VisibleForTesting
    Set<RoleResource> getInternalRoles(RoleResource roleResource, boolean z) {
        Set<RoleResource> roles = super.getRoles(roleResource, null, z);
        logger.trace("[role-management] found the following roles for grantee: {} - {} using internal mode", roleResource, roles);
        return roles;
    }

    @VisibleForTesting
    Set<RoleResource> getRolesLDAP(RoleResource roleResource, boolean z) {
        try {
            HashSet hashSet = new HashSet();
            Set<String> fetchUserGroups = getLdapInstance().getManager().fetchUserGroups(roleResource.getRoleName(), z);
            if (isExistingInternalRole(roleResource)) {
                hashSet.add(roleResource);
            }
            Iterator<String> it2 = fetchUserGroups.iterator();
            while (it2.hasNext()) {
                RoleResource role = RoleResource.role(it2.next());
                if (isExistingInternalRole(role)) {
                    hashSet.add(role);
                }
            }
            logger.trace("[role-management] found the following roles for grantee: {} - {} using ldap mode", roleResource, hashSet);
            return hashSet;
        } catch (Exception e) {
            throw new AuthRequestExecutionException(ExceptionCode.SERVER_ERROR, "Failed to get LDAP roles", Throwables.unwrapped(e));
        }
    }

    @VisibleForTesting
    boolean isExistingInternalRole(RoleResource roleResource) {
        return super.isExistingRole(roleResource, null);
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public boolean isExistingRole(RoleResource roleResource, @Nullable IAuthContext iAuthContext) {
        return iAuthContext == IAuthContext.ANY ? isExistingInternalRole(roleResource) || !getRolesLDAP(roleResource, true).isEmpty() : getRoleManagementMode(iAuthContext) == RoleManagement.INTERNAL ? isExistingInternalRole(roleResource) : !getRolesLDAP(roleResource, true).isEmpty();
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public boolean canLogin(AuthenticatedUser authenticatedUser) {
        if (authenticatedUser instanceof ProxyAuthenticatedUser) {
            authenticatedUser = ((ProxyAuthenticatedUser) authenticatedUser).authenticatedUser;
        }
        if (getRoleManagementMode(authenticatedUser.getAuthContext()) == RoleManagement.INTERNAL) {
            return super.canLogin(authenticatedUser.getPrimaryRole());
        }
        Iterator<RoleResource> it2 = getRolesLDAP(authenticatedUser.getPrimaryRole(), true).iterator();
        while (it2.hasNext()) {
            if (super.canLogin(it2.next())) {
                return true;
            }
        }
        return false;
    }

    @Override // org.apache.cassandra.auth.CassandraRoleManager, org.apache.cassandra.auth.IRoleManager
    public Map<String, String> getCustomOptions(RoleResource roleResource) {
        this.versionBarrier.check();
        ResultMessage.Rows execute = this.loadOptionsStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(roleResource.getRoleName()), Collections.singletonList(UTF8Type.instance.decompose(roleResource.getRoleName()))), System.nanoTime());
        return execute.result.isEmpty() ? Collections.emptyMap() : UntypedResultSet.create(execute.result).one().getMap(IndexPropDefs.KW_OPTIONS, UTF8Type.instance, UTF8Type.instance);
    }

    private <T extends CQLStatement> T prepare(String str, String str2) {
        String format = String.format(str, DseSecurityKeyspace.NAME, str2);
        return (T) StatementUtils.prepareStatement(format, QueryState.forInternalCalls(), "Error preparing \"" + format + SchemaImpl.QM);
    }

    private void recordRoleCreated(RoleResource roleResource, RoleOptions roleOptions) {
        if (this.insertRoleCreationTimeStatement == null) {
            return;
        }
        Date date = new Date();
        this.insertRoleCreationTimeStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(roleResource.getRoleName()), Arrays.asList(UTF8Type.instance.decompose(roleResource.getRoleName()), TimestampType.instance.decompose(date))), System.nanoTime());
        recordPasswordChange(roleResource, roleOptions, date);
    }

    private void recordPasswordChange(RoleResource roleResource, RoleOptions roleOptions, Date date) {
        if (this.insertPwdChangeTimeStatement == null || !roleOptions.getPassword().isPresent()) {
            return;
        }
        this.insertPwdChangeTimeStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(roleResource.getRoleName()), Arrays.asList(UTF8Type.instance.decompose(roleResource.getRoleName()), TimestampType.instance.decompose(date))), System.nanoTime());
    }

    static {
        $assertionsDisabled = !DseRoleManager.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger(DseRoleManager.class);
    }
}
