package com.datastax.bdp.cassandra.cql3;

import com.datastax.bdp.cassandra.auth.AuthenticationScheme;
import com.datastax.bdp.cassandra.auth.RowLevelAccessControlAuthorizer;
import com.datastax.bdp.db.upgrade.ClusterVersionBarrier;
import com.datastax.bdp.db.util.ProductVersion;
import com.datastax.dse.byos.shade.com.google.common.annotations.VisibleForTesting;
import com.datastax.dse.byos.shade.com.google.common.collect.ImmutableSet;
import io.reactivex.Single;
import io.reactivex.SingleObserver;
import io.reactivex.disposables.Disposable;
import io.reactivex.internal.operators.single.SingleJust;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.Set;
import java.util.stream.Stream;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.concurrent.TPCTaskType;
import org.apache.cassandra.concurrent.TPCUtils;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.Operator;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.restrictions.ExternalRestriction;
import org.apache.cassandra.db.DecoratedKey;
import org.apache.cassandra.db.ReadVerbs;
import org.apache.cassandra.db.filter.RowFilter;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.db.rows.Row;
import org.apache.cassandra.gms.Gossiper;
import org.apache.cassandra.io.util.DataInputPlus;
import org.apache.cassandra.io.util.DataOutputBuffer;
import org.apache.cassandra.io.util.DataOutputPlus;
import org.apache.cassandra.schema.ColumnMetadata;
import org.apache.cassandra.schema.TableMetadata;
import org.apache.cassandra.serializers.MarshalException;
import org.apache.cassandra.serializers.UTF8Serializer;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.apache.cassandra.utils.flow.Flow;
import org.apache.cassandra.utils.flow.Threads;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/cql3/RLACExpression.class */
public class RLACExpression extends RowFilter.UserExpression implements ExternalRestriction {
    private volatile QueryState queryState;
    private final ClientState clientState;
    private final AuthenticatedUser user;
    private final Version version;
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) RLACExpression.class);
    private static final ByteBuffer FAKE_COLUMN_NAME = ByteBuffer.wrap("RLSExpression".getBytes());
    public static final Set<ProductVersion.Version> VERSIONS_SUPPORTS_RLAC_V2 = ImmutableSet.of(new ProductVersion.Version("5.1.21"), new ProductVersion.Version("6.0.15"), new ProductVersion.Version("6.7.13"), new ProductVersion.Version("6.8.9"));

    /* loaded from: input_file:com/datastax/bdp/cassandra/cql3/RLACExpression$Deserializer.class */
    public static class Deserializer extends RowFilter.UserExpression.Deserializer {
        @Override // org.apache.cassandra.db.filter.RowFilter.UserExpression.Deserializer
        public RLACExpression deserialize(DataInputPlus dataInputPlus, ReadVerbs.ReadVersion readVersion, TableMetadata tableMetadata) throws IOException {
            return deserialize(dataInputPlus, tableMetadata, RLACExpression.getDSESupportedRLACExpressionVersion());
        }

        @VisibleForTesting
        RLACExpression deserialize(DataInputPlus dataInputPlus, TableMetadata tableMetadata, Version version) throws IOException {
            ByteBuffer readWithShortLength = ByteBufferUtil.readWithShortLength(dataInputPlus);
            return new RLACExpression(tableMetadata, readWithShortLength, ClientState.forExternalCalls(RLACExpression.deserializeAuthenticatedUser(readWithShortLength.duplicate(), version)), version);
        }
    }

    /* loaded from: input_file:com/datastax/bdp/cassandra/cql3/RLACExpression$Version.class */
    public enum Version {
        V1,
        V2
    }

    @Override // org.apache.cassandra.cql3.restrictions.ExternalRestriction
    public void addToRowFilter(RowFilter rowFilter, TableMetadata tableMetadata, QueryOptions queryOptions) {
        rowFilter.addUserExpression(this);
    }

    public static Version getDSESupportedRLACExpressionVersion() {
        return getDSESupportedRLACExpressionVersion(Gossiper.instance.clusterVersionBarrier.currentClusterVersionInfo());
    }

    @VisibleForTesting
    static Version getDSESupportedRLACExpressionVersion(ClusterVersionBarrier.ClusterVersionInfo clusterVersionInfo) {
        if (clusterVersionInfo == null || clusterVersionInfo.minDse == null || clusterVersionInfo.maxDse == null) {
            return Version.V1;
        }
        Stream<ProductVersion.Version> stream = VERSIONS_SUPPORTS_RLAC_V2.stream();
        ProductVersion.Version version = clusterVersionInfo.minDse;
        version.getClass();
        boolean anyMatch = stream.filter(version::sameMajorMinorVersion).anyMatch(version2 -> {
            return version2.compareTo(clusterVersionInfo.minDse) <= 0;
        });
        Stream<ProductVersion.Version> stream2 = VERSIONS_SUPPORTS_RLAC_V2.stream();
        ProductVersion.Version version3 = clusterVersionInfo.maxDse;
        version3.getClass();
        return (anyMatch && stream2.filter(version3::sameMajorMinorVersion).anyMatch(version4 -> {
            return version4.compareTo(clusterVersionInfo.maxDse) <= 0;
        })) ? Version.V2 : Version.V1;
    }

    public static RLACExpression newExpression(TableMetadata tableMetadata, QueryState queryState) {
        return newExpression(tableMetadata, queryState, getDSESupportedRLACExpressionVersion());
    }

    @VisibleForTesting
    static RLACExpression newExpression(TableMetadata tableMetadata, QueryState queryState, Version version) {
        return new RLACExpression(tableMetadata, serializeAuthenticatedUser(queryState.getUser(), version), queryState, version);
    }

    @VisibleForTesting
    static ByteBuffer serializeAuthenticatedUser(AuthenticatedUser authenticatedUser, Version version) {
        try {
            return Version.V2 == version ? serializeAuthenticatedUserV2(authenticatedUser) : serializeAuthenticatedUserV1(authenticatedUser);
        } catch (IOException e) {
            throw new RuntimeException("Unable to serialize AuthenticatedUser", e);
        }
    }

    private static ByteBuffer serializeAuthenticatedUserV2(AuthenticatedUser authenticatedUser) throws IOException {
        ByteBuffer decompose = UTF8Type.instance.decompose(authenticatedUser.getName());
        ByteBuffer serialize = authenticatedUser.getAuthContext() instanceof AuthenticationScheme ? AuthenticationScheme.getSerializer().serialize((AuthenticationScheme) authenticatedUser.getAuthContext()) : ByteBufferUtil.EMPTY_BYTE_BUFFER;
        DataOutputBuffer dataOutputBuffer = new DataOutputBuffer(decompose.remaining() + serialize.remaining());
        ByteBufferUtil.writeWithShortLength(decompose, dataOutputBuffer);
        ByteBufferUtil.writeWithShortLength(serialize, dataOutputBuffer);
        return dataOutputBuffer.buffer();
    }

    private static ByteBuffer serializeAuthenticatedUserV1(AuthenticatedUser authenticatedUser) {
        return UTF8Type.instance.decompose(authenticatedUser.getName());
    }

    @VisibleForTesting
    static AuthenticatedUser deserializeAuthenticatedUser(ByteBuffer byteBuffer, Version version) {
        return Version.V2 == version ? deserializeAuthenticatedUserV2(byteBuffer) : deserializeAuthenticatedUserV1(byteBuffer);
    }

    private static AuthenticatedUser deserializeAuthenticatedUserV2(ByteBuffer byteBuffer) {
        try {
            String deserialize = UTF8Serializer.instance.deserialize(ByteBufferUtil.readBytesWithShortLength(byteBuffer));
            AuthenticationScheme authenticationScheme = null;
            try {
                ByteBuffer readBytesWithShortLength = ByteBufferUtil.readBytesWithShortLength(byteBuffer);
                if (readBytesWithShortLength.remaining() > 0) {
                    authenticationScheme = AuthenticationScheme.getSerializer().deserialize(readBytesWithShortLength);
                }
                return new AuthenticatedUser(deserialize, deserialize, authenticationScheme);
            } catch (Exception e) {
                throw new MarshalException("Unable to deserialize authentication scheme", e);
            }
        } catch (Exception e2) {
            throw new MarshalException("Unable to deserialize username", e2);
        }
    }

    private static AuthenticatedUser deserializeAuthenticatedUserV1(ByteBuffer byteBuffer) {
        return new AuthenticatedUser(UTF8Serializer.instance.deserialize(byteBuffer), null);
    }

    @VisibleForTesting
    static ColumnMetadata makeDefinition(TableMetadata tableMetadata) {
        return ColumnMetadata.regularColumn(tableMetadata, FAKE_COLUMN_NAME, UTF8Type.instance);
    }

    private RLACExpression(TableMetadata tableMetadata, ByteBuffer byteBuffer, ClientState clientState, Version version) {
        super(makeDefinition(tableMetadata), Operator.EQ, byteBuffer);
        this.user = clientState.getUser();
        this.clientState = clientState;
        this.queryState = null;
        this.version = version;
    }

    private RLACExpression(TableMetadata tableMetadata, ByteBuffer byteBuffer, QueryState queryState, Version version) {
        super(makeDefinition(tableMetadata), Operator.EQ, byteBuffer);
        this.user = queryState.getUser();
        this.clientState = queryState.getClientState();
        this.queryState = queryState;
        this.version = version;
    }

    @VisibleForTesting
    AuthenticatedUser getAuthenticatedUser() {
        return this.user;
    }

    @VisibleForTesting
    Version getVersion() {
        return this.version;
    }

    @Override // org.apache.cassandra.db.filter.RowFilter.Expression
    public Flow<Boolean> isSatisfiedBy(TableMetadata tableMetadata, DecoratedKey decoratedKey, Row row) {
        if (this.queryState != null) {
            return Flow.just(Boolean.valueOf(RowLevelAccessControlAuthorizer.authorizeLocalRead(this.queryState, tableMetadata, decoratedKey, row)));
        }
        Single<QueryState> queryStateSingle = queryStateSingle();
        if (!(queryStateSingle instanceof SingleJust)) {
            return Threads.evaluateOnIO(() -> {
                QueryState queryState = (QueryState) TPCUtils.blockingGet(queryStateSingle());
                this.queryState = queryState;
                return Boolean.valueOf(RowLevelAccessControlAuthorizer.authorizeLocalRead(queryState, tableMetadata, decoratedKey, row));
            }, TPCTaskType.AUTHENTICATION);
        }
        queryStateSingle.subscribe(new SingleObserver<QueryState>() { // from class: com.datastax.bdp.cassandra.cql3.RLACExpression.1
            @Override // io.reactivex.SingleObserver
            public void onSubscribe(Disposable disposable) {
            }

            @Override // io.reactivex.SingleObserver
            public void onSuccess(QueryState queryState) {
                RLACExpression.this.queryState = queryState;
            }

            @Override // io.reactivex.SingleObserver
            public void onError(Throwable th) {
            }
        });
        return Flow.just(Boolean.valueOf(RowLevelAccessControlAuthorizer.authorizeLocalRead(this.queryState, tableMetadata, decoratedKey, row)));
    }

    private Single<QueryState> queryStateSingle() {
        return DatabaseDescriptor.getAuthManager().getUserRolesAndPermissions(this.clientState.getUser()).map(userRolesAndPermissions -> {
            QueryState queryState = new QueryState(this.clientState, userRolesAndPermissions);
            this.queryState = queryState;
            return queryState;
        });
    }

    @Override // org.apache.cassandra.db.filter.RowFilter.UserExpression
    public void serialize(DataOutputPlus dataOutputPlus, ReadVerbs.ReadVersion readVersion) throws IOException {
        ByteBufferUtil.writeWithShortLength(this.value, dataOutputPlus);
    }

    @Override // org.apache.cassandra.db.filter.RowFilter.UserExpression
    public long serializedSize(ReadVerbs.ReadVersion readVersion) {
        return ByteBufferUtil.serializedSizeWithShortLength(this.value);
    }

    public String toString() {
        Object[] objArr = new Object[1];
        objArr[0] = this.user == null ? "<none>" : this.user.getName();
        return String.format("RLS filter on user %s", objArr);
    }
}
