package org.apache.cassandra.cql3.statements;

import com.datastax.bdp.cassandra.auth.AuthenticationScheme;
import com.datastax.bdp.db.audit.AuditableEventType;
import com.datastax.bdp.db.audit.CoreAuditableEventType;
import io.reactivex.Single;
import org.apache.cassandra.auth.IRoleManager;
import org.apache.cassandra.auth.RoleOptions;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.RoleName;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;

/* loaded from: input_file:org/apache/cassandra/cql3/statements/AlterRoleStatement.class */
public class AlterRoleStatement extends AuthenticationStatement {
    private final RoleResource role;
    private final RoleOptions opts;

    public AlterRoleStatement(RoleName roleName, RoleOptions roleOptions) {
        this.role = RoleResource.role(roleName.getName());
        this.opts = roleOptions;
    }

    @Override // org.apache.cassandra.cql3.CQLStatement
    public AuditableEventType getAuditEventType() {
        return CoreAuditableEventType.ALTER_ROLE;
    }

    @Override // org.apache.cassandra.cql3.CQLStatement
    public void validate(QueryState queryState) {
        this.opts.validate();
        if (this.opts.isEmpty()) {
            throw new InvalidRequestException("ALTER [ROLE|USER] can't be empty");
        }
    }

    @Override // org.apache.cassandra.cql3.CQLStatement
    public void checkAccess(QueryState queryState) {
        IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
        queryState.checkNotAnonymous();
        if (!roleManager.isExistingRole(this.role, AuthenticationScheme.INTERNAL)) {
            throw new InvalidRequestException(String.format("%s doesn't exist", this.role.getRoleName()));
        }
        if (this.opts.getSuperuser().isPresent() && queryState.hasRole(this.role)) {
            throw new UnauthorizedException("You aren't allowed to alter your own superuser status or that of a role granted to you");
        }
        boolean isSuper = queryState.isSuper();
        if (this.opts.getSuperuser().isPresent() && !isSuper) {
            throw new UnauthorizedException("Only superusers are allowed to alter superuser status");
        }
        if (isSuper) {
            return;
        }
        if (!queryState.getUserName().equals(this.role.getRoleName())) {
            super.checkPermission(queryState, CorePermission.ALTER, this.role);
            return;
        }
        for (IRoleManager.Option option : this.opts.getOptions().keySet()) {
            if (!roleManager.alterableOptions().contains(option)) {
                throw new UnauthorizedException(String.format("You aren't allowed to alter %s", option));
            }
        }
    }

    @Override // org.apache.cassandra.cql3.statements.AuthenticationStatement
    public Single<ResultMessage> execute(QueryState queryState) throws RequestValidationException, RequestExecutionException {
        return Single.fromCallable(() -> {
            if (!this.opts.isEmpty()) {
                DatabaseDescriptor.getRoleManager().alterRole(queryState.getUser(), this.role, this.opts);
            }
            return new ResultMessage.Void();
        });
    }
}
