package org.apache.cassandra.cql3.statements;

import com.datastax.bdp.db.audit.AuditableEventType;
import com.datastax.bdp.db.audit.CoreAuditableEventType;
import io.reactivex.Single;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.cassandra.auth.GrantMode;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionDetails;
import org.apache.cassandra.auth.Resources;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.ColumnIdentifier;
import org.apache.cassandra.cql3.ColumnSpecification;
import org.apache.cassandra.cql3.ResultSet;
import org.apache.cassandra.cql3.RoleName;
import org.apache.cassandra.db.marshal.BooleanType;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;

/* loaded from: input_file:org/apache/cassandra/cql3/statements/ListPermissionsStatement.class */
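/**
 * CQL {@code LIST PERMISSIONS} statement: reports the permissions the configured authorizer
 * returns for an optional resource and an optional grantee role.
 *
 * <p>Authorization is enforced only in {@link #checkAccess(QueryState)}. {@link #execute(QueryState)}
 * performs no access check of its own, so callers must invoke {@code checkAccess} first.
 */
public class ListPermissionsStatement extends AuthorizationStatement {
    private static final String KS = "system_auth";
    private static final String CF = "permissions";

    /** Result-set columns, in the exact order {@link #resultMessage(List)} emits the values. */
    private static final List<ColumnSpecification> metadata = Collections.unmodifiableList(Arrays.asList(
            new ColumnSpecification(KS, CF, new ColumnIdentifier("role", true), UTF8Type.instance),
            new ColumnSpecification(KS, CF, new ColumnIdentifier("username", true), UTF8Type.instance),
            new ColumnSpecification(KS, CF, new ColumnIdentifier("resource", true), UTF8Type.instance),
            new ColumnSpecification(KS, CF, new ColumnIdentifier("permission", true), UTF8Type.instance),
            new ColumnSpecification(KS, CF, new ColumnIdentifier("granted", true), BooleanType.instance),
            new ColumnSpecification(KS, CF, new ColumnIdentifier("restricted", true), BooleanType.instance),
            new ColumnSpecification(KS, CF, new ColumnIdentifier("grantable", true), BooleanType.instance)));

    protected final Set<Permission> permissions;
    // Not final: checkAccess() replaces it with the result of maybeCorrectResource().
    protected IResource resource;
    protected final boolean recursive;
    // null when the statement names no role, i.e. the listing is not restricted to one grantee.
    private final RoleResource grantee;

    /**
     * @param set       permissions to filter the listing by; passed unchanged to the authorizer
     * @param iResource resource to list permissions on, or {@code null} for no resource filter
     * @param roleName  grantee to list permissions of; when it carries no name the grantee is {@code null}
     * @param z         whether to also list permissions on every resource in the
     *                  {@code Resources.chain} of {@code iResource}
     */
    public ListPermissionsStatement(Set<Permission> set, IResource iResource, RoleName roleName, boolean z) {
        this.permissions = set;
        this.resource = iResource;
        this.recursive = z;
        this.grantee = roleName.hasName() ? RoleResource.role(roleName.getName()) : null;
    }

    @Override // org.apache.cassandra.cql3.CQLStatement
    public AuditableEventType getAuditEventType() {
        return CoreAuditableEventType.LIST_PERMISSIONS;
    }

    /**
     * Rejects the statement when the configured authorizer does not require authorization.
     *
     * @throws InvalidRequestException (via {@code RequestValidations.invalidRequest}) in that case
     */
    @Override // org.apache.cassandra.cql3.CQLStatement
    public void validate(QueryState queryState) {
        if (!DatabaseDescriptor.getAuthorizer().requireAuthorization()) {
            throw RequestValidations.invalidRequest(String.format("LIST PERMISSIONS operation is not supported by the %s if it is not enabled", DatabaseDescriptor.getAuthorizer().implementation().getClass().getSimpleName()));
        }
    }

    /**
     * Decides whether the caller may view the requested permissions.
     *
     * <p>Access is granted when the caller is a superuser, is the system user, holds the grantee
     * role, or has {@code DESCRIBE} on the grantee role (on the root role resource when no grantee
     * was named). Anonymous callers are rejected up front.
     *
     * @throws UnauthorizedException when none of the conditions above holds
     */
    @Override // org.apache.cassandra.cql3.CQLStatement
    public void checkAccess(QueryState queryState) {
        queryState.checkNotAnonymous();

        // NOTE(review): both existence checks below run BEFORE the authorization decision, so an
        // authenticated caller with no rights on the target can tell "doesn't exist" apart from
        // "not authorized" and thereby learn which roles and resources exist. Confirm that this
        // is an accepted disclosure; otherwise authorize first or return a uniform error.
        if (this.resource != null) {
            // NOTE(review): this rewrites a field of the statement using the current client
            // state. If statement instances are ever reused across sessions (TODO confirm), the
            // first caller's correction is what later callers see.
            this.resource = maybeCorrectResource(this.resource, queryState.getClientState());
            if (!this.resource.exists()) {
                throw RequestValidations.invalidRequest("%s doesn't exist", this.resource);
            }
        }
        if (this.grantee != null && !DatabaseDescriptor.getRoleManager().isExistingRole(this.grantee)) {
            throw RequestValidations.invalidRequest("%s doesn't exist", this.grantee);
        }

        // NOTE(review): grantee may be null here; hasRole(null) is assumed to return false so
        // that "list everyone's permissions" falls through to the DESCRIBE check - verify.
        if (queryState.isSuper() || queryState.isSystem() || queryState.hasRole(this.grantee)) {
            return;
        }
        if (queryState.hasRolePermission(this.grantee != null ? this.grantee : RoleResource.root(), CorePermission.DESCRIBE)) {
            return;
        }
        throw new UnauthorizedException(String.format("You are not authorized to view %s's permissions",
                this.grantee == null ? "everyone" : this.grantee.getRoleName()));
    }

    /**
     * Collects the matching permission details and wraps them in a result message.
     *
     * <p>With a resource and {@code recursive} set, every resource in {@code Resources.chain}
     * of that resource is queried; otherwise only the given resource (possibly {@code null}) is.
     * The combined entries are sorted before being returned. No access check happens here.
     */
    @Override // org.apache.cassandra.cql3.statements.AuthorizationStatement
    public Single<ResultMessage> execute(QueryState queryState) throws RequestValidationException, RequestExecutionException {
        return Single.fromCallable(() -> {
            List<PermissionDetails> details = new ArrayList<>();
            if (this.resource == null || !this.recursive) {
                details.addAll(list(this.resource));
            } else {
                for (IResource chained : Resources.chain(this.resource)) {
                    details.addAll(list(chained));
                }
            }
            Collections.sort(details);
            return resultMessage(details);
        });
    }

    /**
     * Asks the configured authorizer for the permissions on {@code iResource} held by the grantee.
     *
     * @throws InvalidRequestException when the authorizer does not support listing
     */
    private Set<PermissionDetails> list(IResource iResource) throws RequestValidationException, RequestExecutionException {
        try {
            return DatabaseDescriptor.getAuthorizer().list(this.permissions, iResource, this.grantee);
        } catch (UnsupportedOperationException e) {
            // NOTE(review): only the message survives; the original exception and its stack
            // trace are dropped. Chain the cause if a cause-accepting constructor is available.
            throw new InvalidRequestException(e.getMessage());
        }
    }

    /**
     * Converts permission details into rows matching {@link #metadata}.
     *
     * @return a void result for an empty list, otherwise one row per entry
     */
    private ResultMessage resultMessage(List<PermissionDetails> list) {
        if (list.isEmpty()) {
            return new ResultMessage.Void();
        }
        ResultSet resultSet = new ResultSet(new ResultSet.ResultMetadata(metadata));
        for (PermissionDetails entry : list) {
            // The grantee is written twice on purpose: once for "role", once for "username".
            resultSet.addColumnValue(UTF8Type.instance.decompose(entry.grantee));
            resultSet.addColumnValue(UTF8Type.instance.decompose(entry.grantee));
            resultSet.addColumnValue(UTF8Type.instance.decompose(entry.resource.toString()));
            resultSet.addColumnValue(UTF8Type.instance.decompose(entry.permission.getFullName()));
            resultSet.addColumnValue(BooleanType.instance.decompose(entry.modes.contains(GrantMode.GRANT)));
            resultSet.addColumnValue(BooleanType.instance.decompose(entry.modes.contains(GrantMode.RESTRICT)));
            resultSet.addColumnValue(BooleanType.instance.decompose(entry.modes.contains(GrantMode.GRANTABLE)));
        }
        return new ResultMessage.Rows(resultSet);
    }
}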
