package org.apache.cassandra.auth;

import com.datastax.dse.byos.shade.com.google.common.annotations.VisibleForTesting;
import io.reactivex.Single;
import java.net.InetAddress;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Future;
import java.util.stream.Collectors;
import org.apache.cassandra.auth.IAuthorizer;
import org.apache.cassandra.auth.IRoleManager;
import org.apache.cassandra.auth.user.UserRolesAndPermissions;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.gms.Gossiper;
import org.apache.cassandra.net.MessagingService;
import org.apache.cassandra.net.MessagingVersion;
import org.apache.cassandra.net.Verbs;
import org.apache.cassandra.utils.FBUtilities;
import org.apache.cassandra.utils.Pair;
import org.apache.cassandra.utils.SetsFactory;

/* loaded from: input_file:org/apache/cassandra/auth/AuthManager.class */
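/**
 * Entry point for role and permission lookups, backed by a roles cache and a permissions cache.
 *
 * <p>The role manager and authorizer supplied to the constructor are wrapped. The wrappers
 * returned by {@link #getRoleManager()} and {@link #getAuthorizer()} forward every call to the
 * supplied implementation and, after a mutating call, invalidate the affected cache entries on
 * this node and send an invalidation request to live peers.
 *
 * <p>Security note: authorization decisions made through this class are served from caches.
 * A mutation that bypasses the wrappers (for example through the object returned by
 * {@code implementation()}) is not followed by any invalidation in this class.
 */
public final class AuthManager {
    /** Wrapped role manager; mutations through it trigger cache invalidation. */
    private final IRoleManager roleManager;

    @VisibleForTesting
    final RolesCache rolesCache;

    /** Wrapped authorizer; mutations through it trigger cache invalidation. */
    private final IAuthorizer authorizer;

    @VisibleForTesting
    final PermissionsCache permissionsCache;

    /**
     * {@link IAuthorizer} decorator: read-only calls are forwarded unchanged, while calls that
     * change permissions are followed by {@link AuthManager#invalidateRoles(Collection)}.
     */
    private class AuthorizerInvalidator implements IAuthorizer {
        // Assigned in the constructor; no method of this wrapper reads it in the code shown here.
        private final IRoleManager roleManager;
        private final IAuthorizer authorizer;

        public AuthorizerInvalidator(IRoleManager iRoleManager, IAuthorizer iAuthorizer) {
            this.roleManager = iRoleManager;
            this.authorizer = iAuthorizer;
        }

        @Override
        public IAuthorizer.TransitionalMode getTransitionalMode() {
            return this.authorizer.getTransitionalMode();
        }

        /**
         * Returns the wrapped authorizer itself. Calls made on the returned object do not pass
         * through this decorator, so they are not followed by any cache invalidation.
         */
        @Override
        @SuppressWarnings("unchecked") // the caller chooses T; nothing here can check it
        public <T extends IAuthorizer> T implementation() {
            return (T) this.authorizer;
        }

        @Override
        public boolean requireAuthorization() {
            return this.authorizer.requireAuthorization();
        }

        @Override
        public Map<IResource, PermissionSets> allPermissionSets(RoleResource roleResource, IAuthContext iAuthContext) {
            return this.authorizer.allPermissionSets(roleResource, iAuthContext);
        }

        /**
         * Forwards the grant and invalidates the cached entries of {@code roleResource} when the
         * delegate returns a non-empty set.
         *
         * @return the set returned by the delegate (presumably the permissions actually granted)
         */
        @Override
        public Set<Permission> grant(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource, GrantMode... grantModeArr) {
            Set<Permission> granted = this.authorizer.grant(authenticatedUser, set, iResource, roleResource, grantModeArr);
            if (!granted.isEmpty()) {
                AuthManager.this.invalidateRoles(Collections.singleton(roleResource));
            }
            return granted;
        }

        /**
         * Forwards the revoke and invalidates the cached entries of {@code roleResource} when the
         * delegate returns a non-empty set.
         *
         * @return the set returned by the delegate (presumably the permissions actually revoked)
         */
        @Override
        public Set<Permission> revoke(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource, GrantMode... grantModeArr) {
            Set<Permission> revoked = this.authorizer.revoke(authenticatedUser, set, iResource, roleResource, grantModeArr);
            if (!revoked.isEmpty()) {
                AuthManager.this.invalidateRoles(Collections.singleton(roleResource));
            }
            return revoked;
        }

        @Override
        public Set<PermissionDetails> list(Set<Permission> set, IResource iResource, RoleResource roleResource, IAuthContext iAuthContext) {
            return this.authorizer.list(set, iResource, roleResource, iAuthContext);
        }

        /** Forwards the call, then always invalidates the cached entries of {@code roleResource}. */
        @Override
        public void revokeAllFrom(RoleResource roleResource) {
            this.authorizer.revokeAllFrom(roleResource);
            AuthManager.this.invalidateRoles(Collections.singleton(roleResource));
        }

        /**
         * Forwards the call and invalidates the cached entries of every role the delegate returns.
         * The empty case is skipped on purpose: an empty collection passed to
         * {@link AuthManager#invalidateRoles(Collection)} clears both caches completely.
         */
        @Override
        public Set<RoleResource> revokeAllOn(IResource iResource) {
            Set<RoleResource> affected = this.authorizer.revokeAllOn(iResource);
            if (!affected.isEmpty()) {
                AuthManager.this.invalidateRoles(affected);
            }
            return affected;
        }

        @Override
        public Set<? extends IResource> protectedResources() {
            return this.authorizer.protectedResources();
        }

        @Override
        public void validateConfiguration() throws ConfigurationException {
            this.authorizer.validateConfiguration();
        }

        @Override
        public void setup() {
            this.authorizer.setup();
        }

        @Override
        public Set<Permission> applicablePermissions(IResource iResource) {
            return this.authorizer.applicablePermissions(iResource);
        }
    }

    /**
     * {@link IRoleManager} decorator: read-only calls are forwarded unchanged, while calls that
     * create, drop, alter, grant or revoke roles are followed by
     * {@link AuthManager#invalidateRoles(Collection)}.
     */
    private class RoleManagerCacheInvalidator implements IRoleManager {
        private final IRoleManager roleManager;
        // The unwrapped authorizer: calls made on it here do not invalidate anything by themselves.
        private final IAuthorizer authorizer;

        public RoleManagerCacheInvalidator(IRoleManager iRoleManager, IAuthorizer iAuthorizer) {
            this.roleManager = iRoleManager;
            this.authorizer = iAuthorizer;
        }

        /**
         * Returns the wrapped role manager itself. Calls made on the returned object do not pass
         * through this decorator, so they are not followed by any cache invalidation.
         */
        @Override
        @SuppressWarnings("unchecked") // the caller chooses T; nothing here can check it
        public <T extends IRoleManager> T implementation() {
            return (T) this.roleManager;
        }

        @Override
        public Set<IRoleManager.Option> supportedOptions() {
            return this.roleManager.supportedOptions();
        }

        @Override
        public Set<IRoleManager.Option> alterableOptions() {
            return this.roleManager.alterableOptions();
        }

        /** Forwards the call, then invalidates the cached entries of the new role. */
        @Override
        public void createRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleOptions roleOptions) {
            this.roleManager.createRole(authenticatedUser, roleResource, roleOptions);
            AuthManager.this.invalidateRoles(Collections.singleton(roleResource));
        }

        /**
         * Drops the role, revokes every permission granted to it and on it, and invalidates the
         * cached entries of all roles touched by that.
         *
         * <p>The invalidation set holds the dropped role, the roles reported by
         * {@code getRoleMemberOf} before the drop, and the roles reported by {@code revokeAllOn}.
         * The last group matters because those roles held permissions on the dropped role
         * resource; without invalidating them their cached permissions would keep referring to it.
         */
        @Override
        public void dropRole(AuthenticatedUser authenticatedUser, RoleResource roleResource) {
            Set<RoleResource> affected = SetsFactory.newSet();
            affected.add(roleResource);
            // Queried before the drop; presumably the memberships cannot be resolved afterwards.
            IAuthContext context = authenticatedUser != null ? authenticatedUser.getAuthContext() : null;
            Set<RoleResource> related = this.roleManager.getRoleMemberOf(roleResource, context);
            if (related != null) {
                affected.addAll(related);
            }
            this.roleManager.dropRole(authenticatedUser, roleResource);
            try {
                this.authorizer.revokeAllFrom(roleResource);
                Set<RoleResource> holders = this.authorizer.revokeAllOn(roleResource);
                if (holders != null) {
                    affected.addAll(holders);
                }
            } finally {
                // The role is already gone at this point, so the caches must be invalidated even
                // if the permission cleanup fails; otherwise entries for a dropped role would
                // keep being served.
                AuthManager.this.invalidateRoles(affected);
            }
        }

        /**
         * Alters the role and invalidates the cached entries of the roles returned by
         * {@code getRoles(roleResource, context, true)}, evaluated before the change.
         *
         * <p>NOTE(review): an empty result makes {@code invalidateRoles} clear both caches
         * completely, on this node and on notified peers; a {@code null} result would raise a
         * {@link NullPointerException} after the role has already been altered.
         */
        @Override
        public void alterRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleOptions roleOptions) {
            IAuthContext context = authenticatedUser != null ? authenticatedUser.getAuthContext() : null;
            Set<RoleResource> affected = getRoles(roleResource, context, true);
            this.roleManager.alterRole(authenticatedUser, roleResource, roleOptions);
            AuthManager.this.invalidateRoles(affected);
        }

        /**
         * Forwards the call, then invalidates the cached entries of {@code roleResource2} only.
         *
         * <p>NOTE(review): {@code roleResource2} is presumably the grantee. Roles that inherit
         * through it are not invalidated here, so their cached role sets change only when their
         * cache entries are refreshed — confirm that this delay is acceptable.
         */
        @Override
        public void grantRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleResource roleResource2) {
            this.roleManager.grantRole(authenticatedUser, roleResource, roleResource2);
            AuthManager.this.invalidateRoles(Collections.singleton(roleResource2));
        }

        /**
         * Forwards the call, then invalidates the cached entries of {@code roleResource2} only.
         *
         * <p>NOTE(review): {@code roleResource2} is presumably the role losing the grant. Roles
         * that inherited through it are not invalidated here, so they may keep the revoked role in
         * their cached role set until their cache entries are refreshed — confirm.
         */
        @Override
        public void revokeRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleResource roleResource2) {
            this.roleManager.revokeRole(authenticatedUser, roleResource, roleResource2);
            AuthManager.this.invalidateRoles(Collections.singleton(roleResource2));
        }

        @Override
        public Set<RoleResource> getRoles(RoleResource roleResource, IAuthContext iAuthContext, boolean z) {
            return this.roleManager.getRoles(roleResource, iAuthContext, z);
        }

        @Override
        public Set<RoleResource> getRolesIncludingGrantee(RoleResource roleResource, IAuthContext iAuthContext, boolean z) {
            return this.roleManager.getRolesIncludingGrantee(roleResource, iAuthContext, z);
        }

        @Override
        public Set<RoleResource> getRoleMemberOf(RoleResource roleResource, IAuthContext iAuthContext) {
            return this.roleManager.getRoleMemberOf(roleResource, iAuthContext);
        }

        @Override
        public Set<RoleResource> getAllRoles() {
            return this.roleManager.getAllRoles();
        }

        @Override
        public boolean isSuper(RoleResource roleResource) {
            return this.roleManager.isSuper(roleResource);
        }

        @Override
        public boolean canLogin(RoleResource roleResource) {
            return this.roleManager.canLogin(roleResource);
        }

        @Override
        public boolean transitiveRoleLogin(IAuthContext iAuthContext) {
            return this.roleManager.transitiveRoleLogin(iAuthContext);
        }

        @Override
        public Map<String, String> getCustomOptions(RoleResource roleResource, IAuthContext iAuthContext) {
            return this.roleManager.getCustomOptions(roleResource, iAuthContext);
        }

        @Override
        public boolean isExistingRole(RoleResource roleResource, IAuthContext iAuthContext) {
            return this.roleManager.isExistingRole(roleResource, iAuthContext);
        }

        @Override
        public Set<RoleResource> filterExistingRoleNames(List<String> list) {
            return this.roleManager.filterExistingRoleNames(list);
        }

        @Override
        public Role getRoleData(RoleResource roleResource, IAuthContext iAuthContext) {
            return this.roleManager.getRoleData(roleResource, iAuthContext);
        }

        @Override
        public Set<? extends IResource> protectedResources() {
            return this.roleManager.protectedResources();
        }

        @Override
        public void validateConfiguration() throws ConfigurationException {
            this.roleManager.validateConfiguration();
        }

        @Override
        public Future<?> setup() {
            return this.roleManager.setup();
        }

        @Override
        public boolean hasSuperuserStatus(RoleResource roleResource, IAuthContext iAuthContext) {
            return this.roleManager.hasSuperuserStatus(roleResource, iAuthContext);
        }
    }

    /**
     * Builds the caches on top of the supplied implementations and wraps both implementations in
     * the invalidating decorators. The caches are given the unwrapped objects.
     */
    public AuthManager(IRoleManager iRoleManager, IAuthorizer iAuthorizer) {
        this.rolesCache = new RolesCache(iRoleManager);
        this.permissionsCache = new PermissionsCache(iAuthorizer);
        this.roleManager = new RoleManagerCacheInvalidator(iRoleManager, iAuthorizer);
        this.authorizer = new AuthorizerInvalidator(iRoleManager, iAuthorizer);
    }

    /**
     * Resolves the roles and permissions of a user. In-process, system and anonymous users map to
     * the corresponding predefined constants without any cache lookup; every other user is
     * resolved through its primary role.
     */
    public Single<UserRolesAndPermissions> getUserRolesAndPermissions(AuthenticatedUser authenticatedUser) {
        if (authenticatedUser.isInProc()) {
            return Single.just(UserRolesAndPermissions.INPROC);
        }
        if (authenticatedUser.isSystem()) {
            return Single.just(UserRolesAndPermissions.SYSTEM);
        }
        if (authenticatedUser.isAnonymous()) {
            return Single.just(UserRolesAndPermissions.ANONYMOUS);
        }
        return getUserRolesAndPermissions(authenticatedUser.getName(), authenticatedUser.getAuthenticatedName(), authenticatedUser.getPrimaryRole(), authenticatedUser.getAuthContext());
    }

    /**
     * Same as the four-argument overload, using the role named {@code str} as the primary role.
     *
     * @param str user name; also used to derive the primary role
     * @param str2 authenticated name, passed through unchanged
     */
    public Single<UserRolesAndPermissions> getUserRolesAndPermissions(String str, String str2, IAuthContext iAuthContext) {
        return getUserRolesAndPermissions(str, str2, RoleResource.role(str), iAuthContext);
    }

    /**
     * Resolves roles from the roles cache and, when needed, permissions from the permissions cache.
     *
     * <p>If any resolved role is a superuser, the superuser result is returned and no permission
     * is loaded. If the authorizer does not require authorization, only the roles are returned.
     * Otherwise the permissions of every resolved role are loaded and keyed by role.
     *
     * @param str user name, passed through to the result
     * @param str2 authenticated name, passed through to the result
     * @param roleResource primary role whose role set is looked up
     * @param iAuthContext context forwarded to both caches
     */
    public Single<UserRolesAndPermissions> getUserRolesAndPermissions(String str, String str2, RoleResource roleResource, IAuthContext iAuthContext) {
        return this.rolesCache.getRoles(roleResource, iAuthContext).flatMap(rolesByResource -> {
            Set<RoleResource> roleSet = rolesByResource.keySet();
            if (isSuperUser(rolesByResource.values())) {
                return Single.just(UserRolesAndPermissions.createSuperUserRolesAndPermissions(str, str2, roleSet));
            }
            if (!this.authorizer.requireAuthorization()) {
                return Single.just(UserRolesAndPermissions.newNormalUserRoles(str, str2, roleSet));
            }
            // The permissions cache is keyed by (role, context) pairs; the result below is
            // re-keyed by role alone.
            Set<Pair<RoleResource, IAuthContext>> cacheKeys = roleSet.stream()
                    .map(role -> Pair.create(role, iAuthContext))
                    .collect(Collectors.toSet());
            // The inner lambda parameter must not reuse the outer lambda's name: Java rejects a
            // lambda parameter that shadows a variable of the enclosing scope.
            return this.permissionsCache.getAll(cacheKeys).flatMap(permissionsByKey -> {
                Map<RoleResource, Map<IResource, PermissionSets>> permissionsByRole = new HashMap<>();
                permissionsByKey.forEach((key, permissions) -> permissionsByRole.put(key.left, permissions));
                return Single.just(UserRolesAndPermissions.newNormalUserRolesAndPermissions(str, str2, roleSet, permissionsByRole));
            });
        });
    }

    /**
     * Returns the {@code hashedPassword} field of the cached role named {@code str}.
     *
     * <p>The value is a stored credential hash: it must not be logged or returned to clients.
     * The method is public but marked as intended for tests only.
     */
    @VisibleForTesting
    public Single<String> getCredentials(String str, IAuthContext iAuthContext) {
        return this.rolesCache.get(RoleResource.role(str), iAuthContext).map(role -> role.hashedPassword);
    }

    /** Returns an unmodifiable view of the roles cached for {@code roleResource}. */
    public Single<Set<RoleResource>> getRoles(RoleResource roleResource, IAuthContext iAuthContext) {
        return this.rolesCache.getRoles(roleResource, iAuthContext).map(rolesByResource -> Collections.unmodifiableSet(rolesByResource.keySet()));
    }

    /** Returns an unmodifiable view of the permissions cached for {@code roleResource}. */
    public Single<Map<IResource, PermissionSets>> getPermissions(RoleResource roleResource, IAuthContext iAuthContext) {
        return this.permissionsCache.get(roleResource, iAuthContext).map(Collections::unmodifiableMap);
    }

    /** Reports whether any role cached for {@code roleResource} has its {@code isSuper} flag set. */
    public Single<Boolean> hasSuperUserStatus(RoleResource roleResource, IAuthContext iAuthContext) {
        return this.rolesCache.getRoles(roleResource, iAuthContext).map(rolesByResource -> isSuperUser(rolesByResource.values()));
    }

    /**
     * Decides whether the user may log in.
     *
     * <p>Security note: when the authenticator's transitional mode maps failed authentication to
     * anonymous, the answer is {@code true} for every user and no role is consulted. Otherwise
     * the decision comes from the roles cache: with transitive role login, any role in the login
     * role's cached role set that can log in is enough; without it, only the login role itself
     * is checked.
     */
    public Single<Boolean> canLogin(AuthenticatedUser authenticatedUser) {
        if (DatabaseDescriptor.getAuthenticator().getTransitionalMode().failedAuthenticationMapsToAnonymous()) {
            return Single.just(true);
        }
        RoleResource loginRole = authenticatedUser.getLoginRole();
        IAuthContext context = authenticatedUser.getAuthContext();
        if (this.roleManager.transitiveRoleLogin(context)) {
            return this.rolesCache.getRoles(loginRole, context).map(rolesByResource -> canLogin(rolesByResource.values()));
        }
        return this.rolesCache.get(loginRole, context).map(role -> role.canLogin);
    }

    /** Returns {@code true} if at least one of the roles has its {@code isSuper} flag set. */
    private boolean isSuperUser(Iterable<Role> iterable) {
        for (Role role : iterable) {
            if (role.isSuper) {
                return true;
            }
        }
        return false;
    }

    /** Returns {@code true} if at least one of the roles has its {@code canLogin} flag set. */
    private boolean canLogin(Iterable<Role> iterable) {
        for (Role role : iterable) {
            if (role.canLogin) {
                return true;
            }
        }
        return false;
    }

    /** Returns the invalidating role-manager wrapper, not the implementation given to the constructor. */
    public IRoleManager getRoleManager() {
        return this.roleManager;
    }

    /** Returns the invalidating authorizer wrapper, not the implementation given to the constructor. */
    public IAuthorizer getAuthorizer() {
        return this.authorizer;
    }

    /**
     * Applies an invalidation to the local caches only; nothing is forwarded to other nodes.
     *
     * <p>The decompiler reports that this method was package-private in the compiled class and
     * widened to public in this listing. An invalidation with an empty role collection clears
     * both caches completely.
     * NOTE(review): presumably called for AUTH.INVALIDATE requests received from peers; whether
     * the sender is verified is up to the messaging layer and is not visible here.
     */
    public void handleRoleInvalidation(RoleInvalidation roleInvalidation) {
        invalidate(roleInvalidation.roles);
    }

    /**
     * Invalidates the cached entries of the given roles on this node and asks live peers to do
     * the same. An empty collection clears both caches completely, locally and in the request
     * sent to peers.
     */
    public void invalidateRoles(Collection<RoleResource> collection) {
        invalidate(collection);
        pushRoleInvalidation(collection);
    }

    /**
     * Sends one AUTH.INVALIDATE request to every live member other than this node whose messaging
     * version is at least DSE_60.
     *
     * <p>Nothing here waits for or checks a reply, so delivery is not confirmed by this method.
     * Members below DSE_60 receive no request from here.
     */
    private void pushRoleInvalidation(Collection<RoleResource> collection) {
        RoleInvalidation payload = new RoleInvalidation(collection);
        for (InetAddress peer : Gossiper.instance.getLiveMembers()) {
            if (!peer.equals(FBUtilities.getBroadcastAddress()) && MessagingService.instance().versionAtLeast(peer, MessagingVersion.DSE_60)) {
                // The payload is passed as-is. The listing cast it to InetAddress, which cannot
                // compile for a RoleInvalidation and looks like a decompiler artifact of a
                // generic payload parameter.
                MessagingService.instance().send(Verbs.AUTH.INVALIDATE.newRequest(peer, payload));
            }
        }
    }

    /** Clears both caches completely on this node; peers are not notified. */
    @VisibleForTesting
    public void invalidateCaches() {
        this.permissionsCache.invalidate();
        this.rolesCache.invalidate();
    }

    /**
     * Local invalidation. An empty collection clears both caches completely; otherwise each role
     * is invalidated in both caches with a {@code null} auth context.
     * NOTE(review): presumably the caches treat a {@code null} context as "any context" — confirm
     * against RolesCache and PermissionsCache.
     */
    private void invalidate(Collection<RoleResource> collection) {
        if (collection.isEmpty()) {
            this.permissionsCache.invalidate();
            this.rolesCache.invalidate();
            return;
        }
        for (RoleResource role : collection) {
            this.permissionsCache.invalidate(role, null);
            this.rolesCache.invalidate(role, null);
        }
    }
}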
