package org.apache.cassandra.auth.user;

import com.datastax.dse.byos.shade.com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.management.MBeanServer;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.QueryExp;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.DataResource;
import org.apache.cassandra.auth.FunctionResource;
import org.apache.cassandra.auth.IAuthorizer;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.JMXResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionSets;
import org.apache.cassandra.auth.Resources;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.schema.Schema;
import org.apache.cassandra.schema.SchemaConstants;
import org.apache.cassandra.schema.TableMetadata;
import org.apache.cassandra.schema.TableMetadataRef;
import org.apache.cassandra.schema.TableParams;
import org.apache.cassandra.utils.SetsFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/auth/user/UserRolesAndPermissions.class */
public abstract class UserRolesAndPermissions {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) UserRolesAndPermissions.class);
    public static final Set<String> MODIFIABLE_ATTRIBUTES_ON_PROTECTED_TABLES = Sets.newHashSet(TableParams.Option.NODESYNC.toString());
    public static final UserRolesAndPermissions UNKNOWN = new UserRolesAndPermissions("unkown", Collections.emptySet()) { // from class: org.apache.cassandra.auth.user.UserRolesAndPermissions.1
        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasJMXPermission(MBeanServer mBeanServer, ObjectName objectName, Permission permission) {
            return false;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasGrantPermission(IResource iResource, Permission permission) {
            return false;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected void checkPermissionOnResourceChain(IResource iResource, Permission permission) {
            throw new UnauthorizedException("Unknown users are not authorized to perform this request");
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected boolean hasPermissionOnResourceChain(IResource iResource, Permission permission) {
            return false;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void additionalQueryPermission(IResource iResource, PermissionSets permissionSets) {
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public <R> R filterPermissions(Function<R, R> function, Supplier<R> supplier, RoleResourcePermissionFilter<R> roleResourcePermissionFilter) {
            return null;
        }
    };
    public static final UserRolesAndPermissions SYSTEM = new UserRolesAndPermissions("system", Collections.emptySet()) { // from class: org.apache.cassandra.auth.user.UserRolesAndPermissions.2
        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasGrantPermission(IResource iResource, Permission permission) {
            return false;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasDataPermission(DataResource dataResource, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean isSystem() {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected void checkPermissionOnResourceChain(IResource iResource, Permission permission) {
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected boolean hasPermissionOnResourceChain(IResource iResource, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasJMXPermission(MBeanServer mBeanServer, ObjectName objectName, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void additionalQueryPermission(IResource iResource, PermissionSets permissionSets) {
        }
    };
    public static final UserRolesAndPermissions ANONYMOUS = new UserRolesAndPermissions("anonymous", Collections.emptySet()) { // from class: org.apache.cassandra.auth.user.UserRolesAndPermissions.3
        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void checkNotAnonymous() {
            throw new UnauthorizedException("Anonymous users are not authorized to perform this request");
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasGrantPermission(IResource iResource, Permission permission) {
            return false;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected boolean hasPermissionOnResourceChain(IResource iResource, Permission permission) {
            return checkPermission(permission);
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasJMXPermission(MBeanServer mBeanServer, ObjectName objectName, Permission permission) {
            return checkPermission(permission);
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected void checkPermissionOnResourceChain(IResource iResource, Permission permission) {
            if (!checkPermission(permission)) {
                throw new UnauthorizedException("Anonymous users are not authorized to perform this request");
            }
        }

        private boolean checkPermission(Permission permission) {
            IAuthorizer authorizer = DatabaseDescriptor.getAuthorizer();
            IAuthorizer.TransitionalMode transitionalMode = authorizer.getTransitionalMode();
            if (transitionalMode.supportPermissionForAnonymous(permission)) {
                return (authorizer.requireAuthorization() && transitionalMode.enforcePermissionsAgainstAnonymous()) ? false : true;
            }
            return false;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void additionalQueryPermission(IResource iResource, PermissionSets permissionSets) {
        }
    };
    public static final UserRolesAndPermissions INPROC = new UserRolesAndPermissions(AuthenticatedUser.INPROC_USERNAME, Collections.emptySet()) { // from class: org.apache.cassandra.auth.user.UserRolesAndPermissions.4
        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean isSuper() {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean isSystem() {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void checkNotAnonymous() {
            throw new UnauthorizedException("In-proc users are not authorized to perform this request");
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasGrantPermission(IResource iResource, Permission permission) {
            return false;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected boolean hasPermissionOnResourceChain(IResource iResource, Permission permission) {
            return checkPermission(permission);
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasJMXPermission(MBeanServer mBeanServer, ObjectName objectName, Permission permission) {
            return checkPermission(permission);
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected void checkPermissionOnResourceChain(IResource iResource, Permission permission) {
            if (!checkPermission(permission)) {
                throw new UnauthorizedException("In-proc users are not authorized to perform this request");
            }
        }

        private boolean checkPermission(Permission permission) {
            return permission != CorePermission.AUTHORIZE;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void additionalQueryPermission(IResource iResource, PermissionSets permissionSets) {
        }
    };
    private final String name;
    private final String authenticatedName;
    private final Set<RoleResource> roles;

    /* loaded from: input_file:org/apache/cassandra/auth/user/UserRolesAndPermissions$NormalUserRoles.class */
    private static final class NormalUserRoles extends UserRolesAndPermissions {
        public NormalUserRoles(String str, String str2, Set<RoleResource> set) {
            super(str, str2, set);
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasGrantPermission(IResource iResource, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected void checkPermissionOnResourceChain(IResource iResource, Permission permission) {
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected boolean hasPermissionOnResourceChain(IResource iResource, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasJMXPermission(MBeanServer mBeanServer, ObjectName objectName, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void additionalQueryPermission(IResource iResource, PermissionSets permissionSets) {
            throw new UnsupportedOperationException();
        }
    }

    /* loaded from: input_file:org/apache/cassandra/auth/user/UserRolesAndPermissions$NormalUserWithPermissions.class */
    private static final class NormalUserWithPermissions extends UserRolesAndPermissions {
        private Map<RoleResource, Map<IResource, PermissionSets>> permissions;
        private Map<IResource, PermissionSets> additionalPermissions;
        static final /* synthetic */ boolean $assertionsDisabled;

        public NormalUserWithPermissions(String str, String str2, Set<RoleResource> set, Map<RoleResource, Map<IResource, PermissionSets>> map) {
            super(str, str2, set);
            this.permissions = map;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasGrantPermission(IResource iResource, Permission permission) {
            Iterator<PermissionSets> it2 = getAllPermissionSetsFor(iResource).iterator();
            while (it2.hasNext()) {
                if (it2.next().grantables.contains(permission)) {
                    return true;
                }
            }
            return false;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected void checkPermissionOnResourceChain(IResource iResource, Permission permission) {
            IAuthorizer.TransitionalMode transitionalMode = DatabaseDescriptor.getAuthorizer().getTransitionalMode();
            if (!transitionalMode.supportPermission(permission)) {
                throw new UnauthorizedException(String.format("User %s has no %s permission on %s or any of its parents", getName(), permission, iResource));
            }
            if (transitionalMode.enforcePermissionsOnAuthenticatedUser()) {
                boolean z = false;
                for (PermissionSets permissionSets : getAllPermissionSetsFor(iResource)) {
                    z |= permissionSets.granted.contains(permission);
                    if (permissionSets.restricted.contains(permission)) {
                        throw new UnauthorizedException(String.format("Access for user %s on %s or any of its parents with %s permission is restricted", getName(), iResource, permission));
                    }
                }
                if (!z) {
                    throw new UnauthorizedException(String.format("User %s has no %s permission on %s or any of its parents", getName(), permission, iResource));
                }
            }
        }

        private List<PermissionSets> getAllPermissionSetsFor(IResource iResource) {
            List<? extends IResource> chain = Resources.chain(iResource);
            ArrayList arrayList = new ArrayList(chain.size() * (((UserRolesAndPermissions) this).roles.size() + 1));
            for (RoleResource roleResource : ((UserRolesAndPermissions) this).roles) {
                Iterator<? extends IResource> it2 = chain.iterator();
                while (it2.hasNext()) {
                    PermissionSets permissions = getPermissions(roleResource, it2.next());
                    if (permissions != null) {
                        arrayList.add(permissions);
                    }
                }
            }
            if (this.additionalPermissions != null) {
                Iterator<? extends IResource> it3 = chain.iterator();
                while (it3.hasNext()) {
                    PermissionSets permissionSets = this.additionalPermissions.get(it3.next());
                    if (permissionSets != null) {
                        arrayList.add(permissionSets);
                    }
                }
            }
            return arrayList;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected boolean hasPermissionOnResourceChain(IResource iResource, Permission permission) {
            IAuthorizer.TransitionalMode transitionalMode = DatabaseDescriptor.getAuthorizer().getTransitionalMode();
            if (!transitionalMode.supportPermission(permission)) {
                return false;
            }
            if (!transitionalMode.enforcePermissionsOnAuthenticatedUser()) {
                return true;
            }
            boolean z = false;
            for (PermissionSets permissionSets : getAllPermissionSetsFor(iResource)) {
                z |= permissionSets.granted.contains(permission);
                if (permissionSets.restricted.contains(permission)) {
                    return false;
                }
            }
            return z;
        }

        private PermissionSets getPermissions(RoleResource roleResource, IResource iResource) {
            Map<IResource, PermissionSets> map = this.permissions.get(roleResource);
            if (map == null) {
                return null;
            }
            return map.get(iResource);
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasJMXPermission(MBeanServer mBeanServer, ObjectName objectName, Permission permission) {
            IAuthorizer.TransitionalMode transitionalMode = DatabaseDescriptor.getAuthorizer().getTransitionalMode();
            if (!transitionalMode.supportPermission(permission)) {
                return false;
            }
            if (!transitionalMode.enforcePermissionsOnAuthenticatedUser()) {
                return true;
            }
            Iterator<Map<IResource, PermissionSets>> it2 = this.permissions.values().iterator();
            while (it2.hasNext()) {
                PermissionSets permissionSets = it2.next().get(JMXResource.root());
                if (permissionSets != null) {
                    if (permissionSets.restricted.contains(permission)) {
                        return false;
                    }
                    if (permissionSets.granted.contains(permission)) {
                        return true;
                    }
                }
            }
            Set<JMXResource> collectPermittedJmxResources = collectPermittedJmxResources(permission);
            if (collectPermittedJmxResources.isEmpty()) {
                return false;
            }
            return objectName.isPattern() ? checkPattern(mBeanServer, objectName, collectPermittedJmxResources) : checkExact(mBeanServer, objectName, collectPermittedJmxResources);
        }

        private boolean checkPattern(MBeanServer mBeanServer, ObjectName objectName, Set<JMXResource> set) {
            Set queryNames = mBeanServer.queryNames(objectName, (QueryExp) null);
            for (JMXResource jMXResource : set) {
                try {
                    queryNames.removeAll(mBeanServer.queryNames(ObjectName.getInstance(jMXResource.getObjectName()), (QueryExp) null));
                } catch (MalformedObjectNameException e) {
                    UserRolesAndPermissions.logger.warn("Permissions for JMX resource contains invalid ObjectName {}", jMXResource.getObjectName());
                }
                if (queryNames.isEmpty()) {
                    return true;
                }
            }
            return false;
        }

        private boolean checkExact(MBeanServer mBeanServer, ObjectName objectName, Set<JMXResource> set) {
            for (JMXResource jMXResource : set) {
                try {
                } catch (MalformedObjectNameException e) {
                    UserRolesAndPermissions.logger.warn("Permissions for JMX resource contains invalid ObjectName {}", jMXResource.getObjectName());
                }
                if (ObjectName.getInstance(jMXResource.getObjectName()).apply(objectName)) {
                    return true;
                }
            }
            UserRolesAndPermissions.logger.trace("Subject does not have sufficient permissions on target MBean {}", objectName);
            return false;
        }

        private Set<JMXResource> collectPermittedJmxResources(Permission permission) {
            Set<JMXResource> newSet = SetsFactory.newSet();
            Iterator<Map<IResource, PermissionSets>> it2 = this.permissions.values().iterator();
            while (it2.hasNext()) {
                for (Map.Entry<IResource, PermissionSets> entry : it2.next().entrySet()) {
                    if ((entry.getKey() instanceof JMXResource) && entry.getValue().hasEffectivePermission(permission)) {
                        newSet.add((JMXResource) entry.getKey());
                    }
                }
            }
            return newSet;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void additionalQueryPermission(IResource iResource, PermissionSets permissionSets) {
            if (this.additionalPermissions == null) {
                this.additionalPermissions = new HashMap();
            }
            PermissionSets putIfAbsent = this.additionalPermissions.putIfAbsent(iResource, permissionSets);
            if (!$assertionsDisabled && putIfAbsent != null) {
                throw new AssertionError();
            }
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public <R> R filterPermissions(Function<R, R> function, Supplier<R> supplier, RoleResourcePermissionFilter<R> roleResourcePermissionFilter) {
            R r = supplier.get();
            for (RoleResource roleResource : getRoles()) {
                Map<IResource, PermissionSets> map = this.permissions.get(roleResource);
                if (map != null) {
                    for (Map.Entry<IResource, PermissionSets> entry : map.entrySet()) {
                        r = roleResourcePermissionFilter.apply(r, roleResource, entry.getKey(), entry.getValue());
                    }
                }
            }
            return r;
        }

        static {
            $assertionsDisabled = !UserRolesAndPermissions.class.desiredAssertionStatus();
        }
    }

    @FunctionalInterface
    /* loaded from: input_file:org/apache/cassandra/auth/user/UserRolesAndPermissions$RoleResourcePermissionFilter.class */
    public interface RoleResourcePermissionFilter<R> {
        R apply(R r, RoleResource roleResource, IResource iResource, PermissionSets permissionSets);
    }

    /* loaded from: input_file:org/apache/cassandra/auth/user/UserRolesAndPermissions$SuperUserRoleAndPermissions.class */
    private static final class SuperUserRoleAndPermissions extends UserRolesAndPermissions {
        public SuperUserRoleAndPermissions(String str, String str2, Set<RoleResource> set) {
            super(str, str2, set);
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean isSuper() {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasGrantPermission(IResource iResource, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected void checkPermissionOnResourceChain(IResource iResource, Permission permission) {
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        protected boolean hasPermissionOnResourceChain(IResource iResource, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public boolean hasJMXPermission(MBeanServer mBeanServer, ObjectName objectName, Permission permission) {
            return true;
        }

        @Override // org.apache.cassandra.auth.user.UserRolesAndPermissions
        public void additionalQueryPermission(IResource iResource, PermissionSets permissionSets) {
        }
    }

    private UserRolesAndPermissions(String str, String str2, Set<RoleResource> set) {
        this.name = str;
        this.authenticatedName = str2;
        this.roles = set;
    }

    private UserRolesAndPermissions(String str, Set<RoleResource> set) {
        this.name = str;
        this.authenticatedName = str;
        this.roles = set;
    }

    public static UserRolesAndPermissions newNormalUserRoles(String str, String str2, Set<RoleResource> set) {
        return new NormalUserRoles(str, str2, set);
    }

    public static UserRolesAndPermissions newNormalUserRolesAndPermissions(String str, String str2, Set<RoleResource> set, Map<RoleResource, Map<IResource, PermissionSets>> map) {
        return new NormalUserWithPermissions(str, str2, set, map);
    }

    public static UserRolesAndPermissions createSuperUserRolesAndPermissions(String str, String str2, Set<RoleResource> set) {
        return new SuperUserRoleAndPermissions(str, str2, set);
    }

    public final String getName() {
        return this.name;
    }

    public final String getAuthenticatedName() {
        return this.authenticatedName;
    }

    public boolean isSuper() {
        return false;
    }

    public boolean isSystem() {
        return false;
    }

    public void checkNotAnonymous() {
    }

    public boolean hasDataPermission(DataResource dataResource, Permission permission) {
        if (!DataResource.root().equals(dataResource)) {
            if (isSchemaModification(permission)) {
                String keyspace = dataResource.getKeyspace();
                try {
                    preventSystemKSSchemaModification(dataResource, permission);
                    if (SchemaConstants.isReplicatedSystemKeyspace(keyspace) && permission != CorePermission.ALTER && (permission != CorePermission.DROP || !Resources.isDroppable(dataResource))) {
                        return false;
                    }
                } catch (UnauthorizedException e) {
                    return false;
                }
            }
            if (permission == CorePermission.SELECT && Resources.isAlwaysReadable(dataResource)) {
                return true;
            }
            if (Resources.isProtected(dataResource) && isSchemaModification(permission)) {
                return false;
            }
        }
        return hasPermissionOnResourceChain(dataResource, permission);
    }

    public final boolean hasRolePermission(RoleResource roleResource, Permission permission) {
        return hasPermissionOnResourceChain(roleResource, permission);
    }

    public final boolean hasFunctionPermission(FunctionResource functionResource, Permission permission) {
        if (functionResource.hasParent() && isNativeFunction(functionResource)) {
            return true;
        }
        return hasPermissionOnResourceChain(functionResource, permission);
    }

    public abstract boolean hasJMXPermission(MBeanServer mBeanServer, ObjectName objectName, Permission permission);

    public final boolean hasPermission(IResource iResource, Permission permission) {
        return iResource instanceof DataResource ? hasDataPermission((DataResource) iResource, permission) : iResource instanceof FunctionResource ? hasFunctionPermission((FunctionResource) iResource, permission) : hasPermissionOnResourceChain(iResource, permission);
    }

    public abstract boolean hasGrantPermission(IResource iResource, Permission permission);

    public final void checkDataPermission(DataResource dataResource, Permission permission) {
        if (!DataResource.root().equals(dataResource)) {
            preventSystemKSSchemaModification(dataResource, permission);
            if (permission == CorePermission.SELECT && Resources.isAlwaysReadable(dataResource)) {
                return;
            }
            if (Resources.isProtected(dataResource) && isSchemaModification(permission)) {
                throw new UnauthorizedException(String.format("%s schema is protected", dataResource));
            }
        }
        checkPermissionOnResourceChain(dataResource, permission);
    }

    private void checkTableAttributesPermission(DataResource dataResource, Permission permission, Set<String> set) {
        if (!DataResource.root().equals(dataResource)) {
            preventSystemKSSchemaModification(dataResource, permission);
            if (permission == CorePermission.SELECT && Resources.isAlwaysReadable(dataResource)) {
                return;
            }
            if (Resources.isProtected(dataResource) && permission == CorePermission.ALTER && !Sets.difference(set, MODIFIABLE_ATTRIBUTES_ON_PROTECTED_TABLES).isEmpty()) {
                throw new UnauthorizedException(String.format("%s schema is protected - attributes %s cannot be altered", dataResource, set));
            }
        }
        checkPermissionOnResourceChain(dataResource, permission);
    }

    private void preventSystemKSSchemaModification(DataResource dataResource, Permission permission) {
        String keyspace = dataResource.getKeyspace();
        validateKeyspace(keyspace);
        if (isSchemaModification(permission)) {
            if (SchemaConstants.isLocalSystemKeyspace(keyspace) || SchemaConstants.isVirtualKeyspace(keyspace)) {
                throw new UnauthorizedException(keyspace + " keyspace is not user-modifiable.");
            }
            if (!SchemaConstants.isReplicatedSystemKeyspace(keyspace) || permission == CorePermission.ALTER) {
                return;
            }
            if (permission != CorePermission.DROP || !Resources.isDroppable(dataResource)) {
                throw new UnauthorizedException(String.format("Cannot %s %s", permission, dataResource));
            }
        }
    }

    private boolean isSchemaModification(Permission permission) {
        return permission == CorePermission.CREATE || permission == CorePermission.ALTER || permission == CorePermission.DROP;
    }

    public final void checkAllKeyspacesPermission(Permission permission) {
        checkDataPermission(DataResource.root(), permission);
    }

    public final void checkKeyspacePermission(String str, Permission permission) {
        validateKeyspace(str);
        checkDataPermission(DataResource.keyspace(str), permission);
    }

    protected static void validateKeyspace(String str) {
        if (str == null) {
            throw new InvalidRequestException("You have not set a keyspace for this session");
        }
    }

    public final void checkTablePermission(String str, String str2, Permission permission) {
        Schema.instance.validateTable(str, str2);
        checkDataPermission(DataResource.table(str, str2), permission);
    }

    public final void checkTableAttributesPermission(String str, String str2, Permission permission, Set<String> set) {
        Schema.instance.validateTable(str, str2);
        checkTableAttributesPermission(DataResource.table(str, str2), permission, set);
    }

    public final void checkTablePermission(TableMetadataRef tableMetadataRef, Permission permission) {
        checkTablePermission(tableMetadataRef.get(), permission);
    }

    public final void checkTablePermission(TableMetadata tableMetadata, Permission permission) {
        checkDataPermission(tableMetadata.resource, permission);
    }

    public final void checkFunctionPermission(org.apache.cassandra.cql3.functions.Function function, Permission permission) {
        if (function.isNative()) {
            return;
        }
        checkPermissionOnResourceChain(FunctionResource.function(function.name().keyspace, function.name().name, function.argTypes()), permission);
    }

    public final void checkFunctionPermission(FunctionResource functionResource, Permission permission) {
        if (functionResource.hasParent() && isNativeFunction(functionResource)) {
            return;
        }
        checkPermissionOnResourceChain(functionResource, permission);
    }

    private boolean isNativeFunction(FunctionResource functionResource) {
        return functionResource.getKeyspace().equals("system");
    }

    public final void checkPermission(IResource iResource, Permission permission) {
        if (iResource instanceof DataResource) {
            checkDataPermission((DataResource) iResource, permission);
        } else if (iResource instanceof FunctionResource) {
            checkFunctionPermission((FunctionResource) iResource, permission);
        } else {
            checkPermissionOnResourceChain(iResource, permission);
        }
    }

    protected abstract void checkPermissionOnResourceChain(IResource iResource, Permission permission);

    protected abstract boolean hasPermissionOnResourceChain(IResource iResource, Permission permission);

    public abstract void additionalQueryPermission(IResource iResource, PermissionSets permissionSets);

    public final boolean hasRole(RoleResource roleResource) {
        return this.roles.contains(roleResource);
    }

    public final Set<RoleResource> getRoles() {
        return this.roles;
    }

    public <R> R filterPermissions(Function<R, R> function, Supplier<R> supplier, RoleResourcePermissionFilter<R> roleResourcePermissionFilter) {
        return function.apply(supplier.get());
    }
}
