package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.cassandra.cql3.RLACExpression;
import com.datastax.bdp.cassandra.cql3.RlacWhitelistStatement;
import com.datastax.bdp.cassandra.cql3.RpcCallStatement;
import com.datastax.dse.byos.shade.com.google.inject.Inject;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.util.Collections;
import java.util.Set;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.DataResource;
import org.apache.cassandra.auth.IAuthorizer;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionSets;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.auth.user.UserRolesAndPermissions;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.BatchQueryOptions;
import org.apache.cassandra.cql3.CQLStatement;
import org.apache.cassandra.cql3.CQLStatementUtils;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.restrictions.StatementRestrictions;
import org.apache.cassandra.cql3.statements.AuthenticationStatement;
import org.apache.cassandra.cql3.statements.AuthorizationStatement;
import org.apache.cassandra.cql3.statements.BatchStatement;
import org.apache.cassandra.cql3.statements.ModificationStatement;
import org.apache.cassandra.cql3.statements.SchemaAlteringStatement;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.cql3.statements.TruncateStatement;
import org.apache.cassandra.cql3.statements.UseStatement;
import org.apache.cassandra.db.Clustering;
import org.apache.cassandra.db.DecoratedKey;
import org.apache.cassandra.db.marshal.AbstractType;
import org.apache.cassandra.db.marshal.CompositeType;
import org.apache.cassandra.db.rows.Row;
import org.apache.cassandra.db.view.View;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.schema.ColumnMetadata;
import org.apache.cassandra.schema.KeyspaceMetadata;
import org.apache.cassandra.schema.Schema;
import org.apache.cassandra.schema.TableMetadata;
import org.apache.cassandra.schema.TableMetadataRef;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/RowLevelAccessControlAuthorizer.class */
public class RowLevelAccessControlAuthorizer {
    private static final Logger logger;
    public static final String EXTENSION_KEY = "DSE_RLACA";
    private static final PermissionSets GRANTED_SELECT;
    private static final PermissionSets GRANTED_MODIFY;
    private static final PermissionSets GRANTED_MODIFY_AND_SELECT;

    @Inject(optional = true)
    private static Set<RowLevelAccessControlComponentAuthorizer> rowLevelAccessControlComponentAuthorizers;
    static final /* synthetic */ boolean $assertionsDisabled;

    public static Set<RowLevelAccessControlComponentAuthorizer> getRowLevelAccessControlComponentAuthorizers() {
        return rowLevelAccessControlComponentAuthorizers;
    }

    public static CQLStatement approveStatement(CQLStatement cQLStatement, QueryState queryState, QueryOptions queryOptions) {
        if (!isEnabled()) {
            return cQLStatement;
        }
        if (cQLStatement instanceof BatchStatement) {
            ((BatchStatement) cQLStatement).getStatements().forEach(modificationStatement -> {
                verifyModificationPermissions(modificationStatement, queryState, queryOptions);
            });
        } else {
            if (cQLStatement instanceof SelectStatement) {
                return verifyAndMaybeUpdateSelect((SelectStatement) cQLStatement, queryState, queryOptions);
            }
            if (cQLStatement instanceof ModificationStatement) {
                verifyModificationPermissions((ModificationStatement) cQLStatement, queryState, queryOptions);
            } else if (cQLStatement instanceof TruncateStatement) {
                verifyUserHasPermissionForStatement(queryState, CQLStatementUtils.getKeyspace(cQLStatement), CQLStatementUtils.getTable(cQLStatement), CorePermission.MODIFY);
            } else if (!(cQLStatement instanceof UseStatement) && !(cQLStatement instanceof AuthenticationStatement) && !(cQLStatement instanceof AuthorizationStatement) && !(cQLStatement instanceof RpcCallStatement) && !(cQLStatement instanceof SchemaAlteringStatement) && !(cQLStatement instanceof RlacWhitelistStatement)) {
                throw new RuntimeException(String.format("Row Level Access Controller Does Not Know How To Handle Statement %s", cQLStatement));
            }
        }
        return cQLStatement;
    }

    public static void approveBatchStatement(BatchStatement batchStatement, QueryState queryState, BatchQueryOptions batchQueryOptions) {
        if (isEnabled()) {
            for (int i = 0; i < batchStatement.getStatements().size(); i++) {
                approveStatement(batchStatement.getStatements().get(i), queryState, batchQueryOptions.forStatement(i));
            }
        }
    }

    public static boolean isEnabled() {
        IAuthorizer authorizer = DatabaseDescriptor.getAuthorizer();
        return authorizer.isImplementationOf(DseAuthorizer.class) && ((DseAuthorizer) authorizer.implementation()).isRowLevelEnabled() && authorizer.requireAuthorization();
    }

    private static boolean shouldShortCircuitRlac(QueryState queryState) {
        AuthenticatedUser user = queryState.getUser();
        return user == null || user.isAnonymous() || user.isSystem() || queryState.isSuper();
    }

    private static boolean shouldShortCircuitRlacOrNoTarget(QueryState queryState, String str) {
        return shouldShortCircuitRlac(queryState) || str == null;
    }

    private static boolean userHasPermissionToTableOrKs(QueryState queryState, Permission permission, String str, String str2) {
        return queryState.hasPermission(str != null ? DataResource.table(str2, str) : DataResource.keyspace(str2), permission);
    }

    private static SelectStatement verifyAndMaybeUpdateSelect(SelectStatement selectStatement, QueryState queryState, QueryOptions queryOptions) {
        TableMetadataRef findBaseTable;
        String findRlacTargetColumn = findRlacTargetColumn(selectStatement.table);
        AuthenticatedUser user = queryState.getClientState().getUser();
        if (!shouldShortCircuitRlacOrNoTarget(queryState, findRlacTargetColumn) && !userHasPermissionToTableOrKs(queryState, CorePermission.SELECT, selectStatement.columnFamily(), selectStatement.keyspace())) {
            if (!verifyRestrictions(selectStatement.getRestrictions(), selectStatement.table, queryOptions, queryState, true)) {
                throw new UnauthorizedException("Not authorized");
            }
            UserRolesAndPermissions userRolesAndPermissions = queryState.getUserRolesAndPermissions();
            userRolesAndPermissions.additionalQueryPermission(DataResource.table(selectStatement.keyspace(), selectStatement.columnFamily()), GRANTED_SELECT);
            if (selectStatement.table.isView() && (findBaseTable = View.findBaseTable(selectStatement.keyspace(), selectStatement.columnFamily())) != null) {
                userRolesAndPermissions.additionalQueryPermission(DataResource.table(findBaseTable.keyspace, findBaseTable.name), GRANTED_SELECT);
            }
            logger.debug("Restricting select for user {}", user);
            return selectStatement.addIndexRestrictions(Collections.singletonList(RLACExpression.newExpression(selectStatement.table, queryState)));
        }
        return selectStatement;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void verifyModificationPermissions(ModificationStatement modificationStatement, QueryState queryState, QueryOptions queryOptions) {
        if (shouldShortCircuitRlacOrNoTarget(queryState, findRlacTargetColumn(modificationStatement.metadata()))) {
            return;
        }
        if (userHasPermissionToTableOrKs(queryState, CorePermission.MODIFY, modificationStatement.columnFamily(), modificationStatement.keyspace())) {
            if (!modificationStatement.hasConditions() || userHasPermissionToTableOrKs(queryState, CorePermission.SELECT, modificationStatement.columnFamily(), modificationStatement.keyspace())) {
                return;
            }
            if (!verifyRestrictions(modificationStatement.getRestrictions(), modificationStatement.metadata(), queryOptions, queryState, true)) {
                throw new UnauthorizedException("Not authorized");
            }
            queryState.getUserRolesAndPermissions().additionalQueryPermission(DataResource.table(modificationStatement.keyspace(), modificationStatement.columnFamily()), GRANTED_SELECT);
            return;
        }
        StatementRestrictions restrictions = modificationStatement.getRestrictions();
        if (!verifyRestrictions(restrictions, modificationStatement.metadata(), queryOptions, queryState, false)) {
            throw new UnauthorizedException("Not authorized");
        }
        if (!modificationStatement.hasConditions()) {
            queryState.getUserRolesAndPermissions().additionalQueryPermission(DataResource.table(modificationStatement.keyspace(), modificationStatement.columnFamily()), GRANTED_MODIFY);
        } else if (userHasPermissionToTableOrKs(queryState, CorePermission.SELECT, modificationStatement.columnFamily(), modificationStatement.keyspace())) {
            queryState.getUserRolesAndPermissions().additionalQueryPermission(DataResource.table(modificationStatement.keyspace(), modificationStatement.columnFamily()), GRANTED_MODIFY);
        } else {
            if (!verifyRestrictions(restrictions, modificationStatement.metadata(), queryOptions, queryState, true)) {
                throw new UnauthorizedException("Not authorized");
            }
            queryState.getUserRolesAndPermissions().additionalQueryPermission(DataResource.table(modificationStatement.keyspace(), modificationStatement.columnFamily()), GRANTED_MODIFY_AND_SELECT);
        }
    }

    private static void verifyUserHasPermissionForStatement(QueryState queryState, String str, String str2, Permission permission) {
        if (!shouldShortCircuitRlac(queryState) && !userHasPermissionToTableOrKs(queryState, permission, str2, str)) {
            throw new UnauthorizedException("Not authorized");
        }
    }

    public static boolean authorizeLocalRead(QueryState queryState, TableMetadata tableMetadata, DecoratedKey decoratedKey, Row row) {
        ByteBuffer byteBuffer = null;
        if (tableMetadata.params.extensions != null) {
            byteBuffer = tableMetadata.params.extensions.get(EXTENSION_KEY);
        }
        ColumnMetadata column = tableMetadata.getColumn(byteBuffer);
        if (!$assertionsDisabled && (column == null || !column.isPrimaryKeyColumn())) {
            throw new AssertionError();
        }
        Set<String> findRowTargetsForUser = findRowTargetsForUser(tableMetadata, queryState, CorePermission.SELECT);
        return column.isPartitionKey() ? authorizeByPartitionKey(tableMetadata.partitionKeyType, column, decoratedKey.getKey(), findRowTargetsForUser) : authorizeByClusteringColumn(row.clustering(), column, findRowTargetsForUser);
    }

    private static boolean verifyRestrictions(StatementRestrictions statementRestrictions, TableMetadata tableMetadata, QueryOptions queryOptions, QueryState queryState, boolean z) {
        CorePermission corePermission = z ? CorePermission.SELECT : CorePermission.MODIFY;
        if (statementRestrictions.isKeyRange()) {
            return z && !findRowTargetsForUser(tableMetadata, queryState, corePermission).isEmpty();
        }
        ColumnMetadata column = tableMetadata.getColumn(tableMetadata.params.extensions != null ? tableMetadata.params.extensions.get(EXTENSION_KEY) : null);
        if (!$assertionsDisabled && (column == null || !column.isPrimaryKeyColumn())) {
            throw new AssertionError();
        }
        Set<String> findRowTargetsForUser = findRowTargetsForUser(tableMetadata, queryState, corePermission);
        if (column.isPartitionKey()) {
            AbstractType<?> abstractType = tableMetadata.partitionKeyType;
            for (ByteBuffer byteBuffer : statementRestrictions.getPartitionKeys(queryOptions)) {
                if (byteBuffer.hasRemaining() && !authorizeByPartitionKey(abstractType, column, byteBuffer, findRowTargetsForUser)) {
                    return false;
                }
            }
            return true;
        }
        if (!column.isClusteringColumn()) {
            return true;
        }
        for (Clustering clustering : statementRestrictions.getClusteringColumns(queryOptions)) {
            if (!z) {
                if (clustering.size() <= column.position() || clustering.get(column.position()) == null || !authorizeByClusteringColumn(clustering, column, findRowTargetsForUser)) {
                    return false;
                }
            } else if (clustering.size() > column.position() && !authorizeByClusteringColumn(clustering, column, findRowTargetsForUser)) {
                return false;
            }
        }
        return true;
    }

    private static Set<String> findRowTargetsForUser(TableMetadata tableMetadata, QueryState queryState, Permission permission) {
        return ((DseAuthorizer) DatabaseDescriptor.getAuthorizer().implementation()).findRowTargetsForUser(queryState, tableMetadata.resource, permission);
    }

    private static boolean authorizeByPartitionKey(AbstractType<?> abstractType, ColumnMetadata columnMetadata, ByteBuffer byteBuffer, Set<String> set) {
        return set.contains(columnMetadata.type.getString(abstractType instanceof CompositeType ? CompositeType.extractComponent(byteBuffer, columnMetadata.position()) : byteBuffer));
    }

    private static boolean authorizeByClusteringColumn(Clustering clustering, ColumnMetadata columnMetadata, Set<String> set) {
        if (clustering == Clustering.STATIC_CLUSTERING) {
            return true;
        }
        return set.contains(columnMetadata.type.getString(clustering.get(columnMetadata.position())));
    }

    public static String findRlacTargetColumn(String str, String str2) {
        if (str == null || Schema.instance.getKeyspaceInstance(str) == null) {
            return null;
        }
        KeyspaceMetadata metadata = Schema.instance.getKeyspaceInstance(str).getMetadata();
        if (str2 == null || metadata.getTableOrViewNullable(str2) == null) {
            return null;
        }
        return findRlacTargetColumn(metadata.getTableOrViewNullable(str2));
    }

    static String findRlacTargetColumn(TableMetadata tableMetadata) {
        ByteBuffer byteBuffer;
        String str = null;
        if (tableMetadata != null) {
            try {
                if (tableMetadata.params.extensions != null && (byteBuffer = tableMetadata.params.extensions.get(EXTENSION_KEY)) != null) {
                    str = ByteBufferUtil.string(byteBuffer);
                }
                logger.debug("We found the rlacTarget to be: {}", str);
            } catch (CharacterCodingException e) {
            }
        }
        return str;
    }

    static {
        $assertionsDisabled = !RowLevelAccessControlAuthorizer.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger(RowLevelAccessControlAuthorizer.class);
        GRANTED_SELECT = PermissionSets.builder().addGranted(CorePermission.SELECT).build();
        GRANTED_MODIFY = PermissionSets.builder().addGranted(CorePermission.MODIFY).build();
        GRANTED_MODIFY_AND_SELECT = PermissionSets.builder().addGranted(CorePermission.MODIFY).addGranted(CorePermission.SELECT).build();
    }
}
