package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.cassandra.cql3.DseQueryHandler;
import com.datastax.bdp.config.DseConfig;
import com.datastax.dse.byos.shade.com.google.common.annotations.VisibleForTesting;
import io.reactivex.Single;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.util.AbstractMap;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import org.apache.cassandra.auth.AuthKeyspace;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.CassandraAuthorizer;
import org.apache.cassandra.auth.DataResource;
import org.apache.cassandra.auth.GrantMode;
import org.apache.cassandra.auth.IAuthContext;
import org.apache.cassandra.auth.IAuthorizer;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionSets;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.auth.permission.Permissions;
import org.apache.cassandra.concurrent.TPCUtils;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.CQLStatement;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.cql3.statements.UseStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.schema.SchemaConstants;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.apache.cassandra.utils.ByteBufferUtil;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthorizer.class */
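/**
 * Authorizer that layers DSE-specific behaviour on top of {@link CassandraAuthorizer}: an on/off
 * switch, transitional modes, proxy execution and clean-up of row-level ({@code rows...})
 * resources.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>While {@link #enabled} is {@code false}, {@link #allPermissionSets} reports every
 *       applicable permission as granted for any resource. {@code enabled} is an uninitialised
 *       {@code boolean} field, so this is also the state before
 *       {@link #validateConfiguration()} has run.</li>
 *   <li>In the transitional modes, permissions are synthesised instead of being read from the
 *       stored grants; see {@link #allPermissionSets}.</li>
 *   <li>{@link #enabled}, {@link #rowLevelEnabled} and {@link #transitionalMode} are
 *       {@code protected}, non-final and non-volatile; subclasses can change them directly.</li>
 * </ul>
 */
public class DseAuthorizer extends CassandraAuthorizer {
    /** Permissions reported as applicable to a {@link RoleResource} that has a parent. */
    private static final Set<Permission> extendedRolePermissions = Permissions.immutableSetOf(CorePermission.ALTER, CorePermission.DROP, CorePermission.AUTHORIZE, ProxyPermission.EXECUTE, ProxyPermission.LOGIN);
    /** Whether authorization is enforced; assigned in {@link #validateConfiguration()}. */
    protected boolean enabled;
    /** Whether row-level authorization is enabled; assigned in {@link #validateConfiguration()}. */
    protected boolean rowLevelEnabled;
    /** Transitional mode; {@code DISABLED} until {@link #validateConfiguration()} assigns it. */
    protected IAuthorizer.TransitionalMode transitionalMode = IAuthorizer.TransitionalMode.DISABLED;
    /** Prepared in {@link #setup()}: selects every (role, resource) pair from the role-permissions table. */
    private SelectStatement activeResourcesStatement;

    /**
     * Lookup-only map whose values are computed on demand by a function of the resource.
     *
     * <p>Only {@link #get(Object)} is usable. {@link #entrySet()} throws, so every
     * {@link AbstractMap} operation that is built on it (iteration, {@code size()},
     * {@code containsKey()}, {@code toString()}, ...) throws as well.
     *
     * <p>The decompiler reports that the access modifier of this class was changed from private.
     */
    public final class PermissionsMap extends AbstractMap<IResource, PermissionSets> {
        private final Function<IResource, PermissionSets> function;

        private PermissionsMap(Function<IResource, PermissionSets> function) {
            this.function = function;
        }

        /**
         * Not supported: the map has no enumerable key set.
         *
         * @throws UnsupportedOperationException always
         */
        @Override
        public Set<Map.Entry<IResource, PermissionSets>> entrySet() {
            throw new UnsupportedOperationException();
        }

        /**
         * Computes the permission sets for the given resource.
         *
         * @param obj the resource to look up; must be an {@link IResource}
         * @return whatever the backing function returns for that resource
         * @throws ClassCastException if {@code obj} is not an {@link IResource}
         */
        @Override
        public PermissionSets get(Object obj) {
            return this.function.apply((IResource) obj);
        }
    }

    /**
     * Runs the parent set-up and prepares the internal statement used by
     * {@link #revokeAllOn(IResource)} to enumerate stored grants.
     */
    @Override
    public void setup() {
        super.setup();
        // Only keyspace/table constants are formatted into the query text; no external input.
        this.activeResourcesStatement = (SelectStatement) QueryProcessor.getStatement(String.format("SELECT role, resource FROM %s.%s", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS), QueryState.forInternalCalls()).statement;
    }

    /**
     * Builds the {@link QueryState} under which a proxy-executed statement runs.
     *
     * <p>Checks, in this order:
     * <ol>
     *   <li>the caller's {@code queryState} must hold {@link ProxyPermission#EXECUTE} on the
     *       requested role, otherwise {@link UnauthorizedException}. The message deliberately
     *       covers both "no permission" and "role does not exist", so the two cases cannot be
     *       told apart from the error;</li>
     *   <li>{@link UseStatement} is rejected with {@link InvalidRequestException};</li>
     *   <li>after logging in as the proxied user, a proxied user that is a superuser is rejected
     *       with {@link UnauthorizedException}.</li>
     * </ol>
     *
     * @param queryState   state of the authenticated caller
     * @param map          holds the target role name, UTF-8 encoded, under
     *                     {@link DseQueryHandler#PROXY_EXECUTE} (presumably the request's custom
     *                     payload; confirm against the caller)
     * @param cQLStatement the statement that is about to be executed
     * @return a single emitting a new {@code QueryState} bound to the proxied user
     * @throws CharacterCodingException if the role name cannot be decoded
     */
    public Single<QueryState> getQueryState(QueryState queryState, Map<String, ByteBuffer> map, CQLStatement cQLStatement) throws CharacterCodingException {
        ClientState callerState = queryState.getClientState();
        AuthenticatedUser caller = callerState.getUser();
        // NOTE(review): a missing PROXY_EXECUTE entry makes map.get(...) return null, which is
        // passed on unchecked; callers presumably only get here when the key is present.
        String proxiedRoleName = ByteBufferUtil.string(map.get(DseQueryHandler.PROXY_EXECUTE));
        if (!queryState.hasPermission(RoleResource.role(proxiedRoleName), ProxyPermission.EXECUTE)) {
            throw new UnauthorizedException(String.format("Either '%s' does not have permission to execute queries as '%s' or that role does not exist. Run 'GRANT PROXY.EXECUTE ON ROLE '%s' TO '%s' as an administrator if you wish to allow this.", caller.getName(), proxiedRoleName, proxiedRoleName, caller.getName()));
        }
        AuthenticatedUser proxy = DseAuthenticator.proxy(caller, proxiedRoleName);
        if (cQLStatement instanceof UseStatement) {
            throw new InvalidRequestException("USE statements cannot be executed as another user.  To use DSE proxy execution most efficiently, prepare your statements once beforehand (as your normal login user) and then proxy execute them multiple times.  If you really need USE, you can execute it as your normal login user and the selected keyspace will be used for proxy executed queries.");
        }
        // A fresh client state for the same remote address and connection, so the proxied
        // query does not reuse the caller's own client state.
        ClientState proxiedState = ClientState.forExternalCalls(callerState.getRemoteAddress(), callerState.connection);
        if (callerState.getRawKeyspace() != null) {
            proxiedState.setKeyspace(callerState.getKeyspace());
        }
        // NOTE(review): the superuser rejection runs only after login(proxy) has completed.
        return proxiedState.login(proxy).flatMap(clientState2 -> {
            return DatabaseDescriptor.getAuthManager().getUserRolesAndPermissions(proxy);
        }).map(userRolesAndPermissions -> {
            if (userRolesAndPermissions.isSuper()) {
                throw new UnauthorizedException("Cannot proxy as a super user.");
            }
            return new QueryState(proxiedState, queryState.getStreamId(), userRolesAndPermissions);
        });
    }

    /**
     * Returns the permission sets of a role, depending on configuration:
     * <ul>
     *   <li>authorization disabled: every applicable permission of the looked-up resource is
     *       reported as granted, for any role;</li>
     *   <li>{@code DISABLED} transitional mode: the stored permissions from the parent class;</li>
     *   <li>{@code NORMAL}: synthesised transitional permissions for every role;</li>
     *   <li>{@code STRICT}: synthesised transitional permissions only for the primary role of
     *       {@link AuthenticatedUser#ANONYMOUS_USER}; stored permissions for everyone else.</li>
     * </ul>
     *
     * @param roleResource the role whose permissions are requested
     * @param iAuthContext passed through to the parent class and the auth manager
     * @return the permission sets, possibly a lookup-only {@link PermissionsMap}
     */
    @Override
    public Map<IResource, PermissionSets> allPermissionSets(RoleResource roleResource, IAuthContext iAuthContext) {
        if (!this.enabled) {
            return new PermissionsMap(DseAuthorizer::applicablePermissionsTransform);
        }
        switch (this.transitionalMode) {
            case DISABLED:
                return super.allPermissionSets(roleResource, iAuthContext);
            case NORMAL:
                return allTransitionalPermissionSets(roleResource, iAuthContext);
            case STRICT:
                return roleResource.equals(AuthenticatedUser.ANONYMOUS_USER.getPrimaryRole()) ? allTransitionalPermissionSets(roleResource, iAuthContext) : super.allPermissionSets(roleResource, iAuthContext);
            default:
                throw new AssertionError("Unknown transitionalMode " + this.transitionalMode);
        }
    }

    /**
     * Synthesised permissions for transitional mode: everything for a role with superuser
     * status, otherwise everything except AUTHORIZE, READ and WRITE. The superuser lookup is a
     * blocking call.
     */
    private PermissionsMap allTransitionalPermissionSets(RoleResource roleResource, IAuthContext iAuthContext) {
        boolean superUser = DatabaseDescriptor.getAuthManager().hasSuperUserStatus(roleResource, iAuthContext).blockingGet().booleanValue();
        return new PermissionsMap(superUser ? DseAuthorizer::allPermissionsTransform : DseAuthorizer::transitionalPermissionsTransform);
    }

    /** Grants {@link Permissions#all()} regardless of the resource. */
    private static PermissionSets allPermissionsTransform(IResource iResource) {
        return PermissionSets.builder().addGranted(Permissions.all()).build();
    }

    /** Grants {@link Permissions#all()} minus AUTHORIZE, READ and WRITE, regardless of the resource. */
    private static PermissionSets transitionalPermissionsTransform(IResource iResource) {
        return PermissionSets.builder().addGranted(Permissions.all()).removeGranted(CorePermission.AUTHORIZE).removeGranted(CorePermission.READ).removeGranted(CorePermission.WRITE).build();
    }

    /** Grants exactly the permissions that are applicable to the resource. */
    private static PermissionSets applicablePermissionsTransform(IResource iResource) {
        return PermissionSets.builder().addGranted(applicablePermissionsInternal(iResource)).build();
    }

    /**
     * Applicable permissions of a resource: {@link #extendedRolePermissions} for a role resource
     * that has a parent, the resource's own answer otherwise.
     */
    private static Set<Permission> applicablePermissionsInternal(IResource iResource) {
        return ((iResource instanceof RoleResource) && iResource.hasParent()) ? extendedRolePermissions : iResource.applicablePermissions();
    }

    /** Revokes everything granted to the role; does nothing while authorization is disabled. */
    @Override
    public void revokeAllFrom(RoleResource roleResource) {
        if (this.enabled) {
            super.revokeAllFrom(roleResource);
        }
    }

    /**
     * Revokes every grant on a resource, on its extension resources and, for a
     * {@link DataResource}, on the row-level resources that refer to it.
     *
     * @param iResource the resource whose grants are removed
     * @return the roles reported by the parent class for the resource and its extensions; an
     *         empty set while authorization is disabled
     */
    @Override
    public Set<RoleResource> revokeAllOn(IResource iResource) {
        if (!this.enabled) {
            return Collections.emptySet();
        }
        // Typed instead of the raw HashSet, so only RoleResource values can end up in the result.
        Set<RoleResource> affectedRoles = new HashSet<>(super.revokeAllOn(iResource));
        DseResourceFactory dseResourceFactory = new DseResourceFactory();
        dseResourceFactory.getExtensions(iResource).forEach(iResource2 -> {
            affectedRoles.addAll(super.revokeAllOn(iResource2));
        });
        if (iResource instanceof DataResource) {
            DataResource dataResource = (DataResource) iResource;
            // Reads the whole role-permissions table with an internal query.
            // NOTE(review): the read uses LOCAL_ONE, so a grant this replica has not seen yet
            // would not be found here and would outlive the clean-up; confirm this is acceptable.
            Iterator<UntypedResultSet.Row> rows = UntypedResultSet.create(((ResultMessage.Rows) TPCUtils.blockingGet(this.activeResourcesStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(ConsistencyLevel.LOCAL_ONE, Collections.emptyList()), System.nanoTime()))).result).iterator();
            while (rows.hasNext()) {
                UntypedResultSet.Row row = rows.next();
                String resourceName = row.getString("resource");
                // Textual match: name starts with "rows" and ends with the data resource's name.
                // NOTE(review): the row-resource name format is not visible here; verify that a
                // suffix match cannot select row resources of a different data resource.
                if (resourceName.startsWith("rows") && resourceName.endsWith(dataResource.getName())) {
                    IResource rowResource = dseResourceFactory.fromName(resourceName);
                    // NOTE(review): roles touched by this revoke are not added to the returned
                    // set; check whether callers rely on the result to refresh cached permissions.
                    revoke(AuthenticatedUser.SYSTEM_USER, rowResource.applicablePermissions(), rowResource, RoleResource.role(row.getString("role")), GrantMode.GRANT, GrantMode.GRANTABLE, GrantMode.RESTRICT);
                }
            }
        }
        return affectedRoles;
    }

    /**
     * Collects the row targets on which the user of {@code queryState} effectively holds a
     * permission for the given table.
     *
     * @param queryState   supplies the user's roles and permissions
     * @param dataResource only row resources whose parent equals this resource are considered
     * @param permission   the permission that must be effective on the row resource
     * @return the row targets of all matching {@link DseRowResource}s
     */
    @VisibleForTesting
    public Set<String> findRowTargetsForUser(QueryState queryState, DataResource dataResource, Permission permission) {
        // Arguments, as far as the call shows: a function returning its input unchanged, the
        // supplier of the initial set, and an accumulator invoked per (role, resource,
        // permission sets).
        return (Set) queryState.getUserRolesAndPermissions().filterPermissions(hashSet -> {
            return hashSet;
        }, HashSet::new, (hashSet2, roleResource, iResource, permissionSets) -> {
            if (iResource instanceof DseRowResource) {
                DseRowResource dseRowResource = (DseRowResource) iResource;
                if (dseRowResource.getParent().equals(dataResource) && permissionSets.hasEffectivePermission(permission)) {
                    hashSet2.add(dseRowResource.getRowTarget());
                }
            }
            return hashSet2;
        });
    }

    /** @return whether row-level authorization is enabled */
    public boolean isRowLevelEnabled() {
        return this.rowLevelEnabled;
    }

    /** @return whether authorization is enforced */
    @Override
    public boolean requireAuthorization() {
        return this.enabled;
    }

    /** @return the configured transitional mode */
    @Override
    public IAuthorizer.TransitionalMode getTransitionalMode() {
        return this.transitionalMode;
    }

    /**
     * Loads the authorization switches from {@link DseConfig}.
     *
     * @throws ConfigurationException declared by the overridden method
     * @throws IllegalArgumentException if the configured transitional mode names no
     *         {@link IAuthorizer.TransitionalMode} constant
     */
    @Override
    public void validateConfiguration() throws ConfigurationException {
        this.enabled = DseConfig.isAuthorizationEnabled();
        this.rowLevelEnabled = DseConfig.isRowLevelAuthorizationEnabled();
        // Locale.ROOT: upper-casing with the JVM default locale is locale-sensitive (under a
        // Turkish locale "strict" and "disabled" get a dotted capital I), so a valid setting
        // would match no enum constant and the authorizer would fail to configure.
        // NOTE(review): a null mode from DseConfig is not handled here; presumably validated there.
        this.transitionalMode = IAuthorizer.TransitionalMode.valueOf(DseConfig.getAuthorizationTransitionalMode().toUpperCase(java.util.Locale.ROOT));
    }

    /**
     * @param iResource the resource to inspect
     * @return the permissions applicable to the resource, see
     *         {@link #applicablePermissionsInternal(IResource)}
     */
    @Override
    public Set<Permission> applicablePermissions(IResource iResource) {
        return applicablePermissionsInternal(iResource);
    }
}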
