package org.apache.cassandra.cql3.statements;

import com.datastax.bdp.db.audit.AuditableEventType;
import com.datastax.bdp.db.audit.CoreAuditableEventType;
import io.reactivex.Single;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.GrantMode;
import org.apache.cassandra.auth.IAuthorizer;
import org.apache.cassandra.auth.RoleOptions;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.RoleName;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;

/* loaded from: input_file:org/apache/cassandra/cql3/statements/CreateRoleStatement.class */
public class CreateRoleStatement extends AuthenticationStatement {
    private final RoleResource role;
    private final RoleOptions opts;
    private final boolean ifNotExists;

    public CreateRoleStatement(RoleName roleName, RoleOptions roleOptions, boolean z) {
        this.role = RoleResource.role(roleName.getName());
        this.opts = roleOptions;
        this.ifNotExists = z;
    }

    @Override // org.apache.cassandra.cql3.CQLStatement
    public AuditableEventType getAuditEventType() {
        return CoreAuditableEventType.CREATE_ROLE;
    }

    @Override // org.apache.cassandra.cql3.CQLStatement
    public void checkAccess(QueryState queryState) {
        queryState.checkNotAnonymous();
        if (!this.ifNotExists && DatabaseDescriptor.getRoleManager().isExistingRole(this.role)) {
            throw RequestValidations.invalidRequest("%s already exists", this.role.getRoleName());
        }
        checkPermission(queryState, CorePermission.CREATE, RoleResource.root());
        if (this.opts.getSuperuser().isPresent() && this.opts.getSuperuser().get().booleanValue() && !queryState.isSuper()) {
            throw new UnauthorizedException("Only superusers can create a role with superuser status");
        }
    }

    @Override // org.apache.cassandra.cql3.CQLStatement
    public void validate(QueryState queryState) throws RequestValidationException {
        this.opts.validate();
        if (this.role.getRoleName().isEmpty()) {
            throw new InvalidRequestException("Role name can't be an empty string");
        }
    }

    @Override // org.apache.cassandra.cql3.statements.AuthenticationStatement
    public Single<ResultMessage> execute(QueryState queryState) throws RequestExecutionException, RequestValidationException {
        return Single.fromCallable(() -> {
            if (this.ifNotExists && DatabaseDescriptor.getRoleManager().isExistingRole(this.role)) {
                return new ResultMessage.Void();
            }
            DatabaseDescriptor.getRoleManager().createRole(queryState.getUser(), this.role, this.opts);
            grantPermissionsToCreator(queryState);
            return new ResultMessage.Void();
        });
    }

    private void grantPermissionsToCreator(QueryState queryState) {
        if (queryState.getUser().isAnonymous()) {
            return;
        }
        try {
            IAuthorizer authorizer = DatabaseDescriptor.getAuthorizer();
            authorizer.grant(AuthenticatedUser.SYSTEM_USER, authorizer.applicablePermissions(this.role), this.role, RoleResource.role(queryState.getUser().getName()), GrantMode.GRANT);
        } catch (UnsupportedOperationException e) {
        }
    }
}
