package org.apache.cassandra.auth;

import com.beust.jcommander.Parameters;
import com.datastax.bdp.db.upgrade.SchemaUpgrade;
import com.datastax.bdp.db.upgrade.VersionDependentFeature;
import com.datastax.bdp.db.util.ProductVersion;
import com.datastax.dse.byos.shade.com.google.common.collect.ImmutableSet;
import com.datastax.dse.byos.shade.com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.apache.cassandra.auth.PermissionSets;
import org.apache.cassandra.auth.permission.Permissions;
import org.apache.cassandra.concurrent.TPCUtils;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.gms.Gossiper;
import org.apache.cassandra.schema.SchemaConstants;
import org.apache.cassandra.serializers.ListSerializer;
import org.apache.cassandra.serializers.UTF8Serializer;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.apache.cassandra.utils.SetsFactory;
import org.apache.cassandra.utils.UnmodifiableArrayList;
import org.apache.cassandra.utils.time.ApolloTime;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Marker;

/* loaded from: input_file:org/apache/cassandra/auth/CassandraAuthorizer.class */
public class CassandraAuthorizer implements IAuthorizer {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) CassandraAuthorizer.class);
    private static final String ROLE = "role";
    private static final String RESOURCE = "resource";
    private static final String PERMISSIONS = "permissions";
    private static final String GRANTABLES = "grantables";
    private static final String RESTRICTED = "restricted";
    private static final String ROLE_PERMISSIONS_TABLE = "system_auth.role_permissions";
    private final VersionDependentFeature<VersionDependent> feature = VersionDependentFeature.newSchemaUpgradeBuilder().withName("CassandraAuthorizer").withMinimumDseVersion(ProductVersion.DSE_VERSION_60).withRequireDSE(true).withLegacyImplementation(new Legacy()).withCurrentImplementation(new Native()).withSchemaUpgrade(new SchemaUpgrade(AuthKeyspace.metadata(), AuthKeyspace.tablesIfNotExist(), false)).withLogger(logger).withMessageActivating("All live nodes are running DSE 6.0 or newer - preparing to use GRANT AUTHORIZE FOR and RESTRICT").withMessageActivated("All live nodes are running DSE 6.0 or newer - GRANT AUTHORIZE FOR and RESTRICT available").withMessageDeactivated("Not all live nodes are running DSE 6.0 or newer or upgrade in progress - GRANT AUTHORIZE FOR and RESTRICT are not available until all nodes are running DSE 6.0 or newer and automatic schema upgrade has finished").build();

    /* loaded from: input_file:org/apache/cassandra/auth/CassandraAuthorizer$Legacy.class */
    private static final class Legacy extends VersionDependent {
        private static final String listQuery = "SELECT role, resource, permissions FROM system_auth.role_permissions";
        private static final String rolesQuery = "SELECT role, resource, permissions FROM system_auth.role_permissions WHERE role IN ?";
        private SelectStatement permissionsForRolesStatement;

        Legacy() {
            super(listQuery);
        }

        @Override // org.apache.cassandra.auth.CassandraAuthorizer.VersionDependent
        void addPermissionsFromRow(UntypedResultSet.Row row, PermissionSets.Builder builder) {
            builder.getClass();
            CassandraAuthorizer.permissionsFromRow(row, CassandraAuthorizer.PERMISSIONS, builder::addGranted);
        }

        @Override // org.apache.cassandra.auth.CassandraAuthorizer.VersionDependent
        String columnForGrantMode(GrantMode grantMode) {
            switch (grantMode) {
                case GRANT:
                    return CassandraAuthorizer.PERMISSIONS;
                case RESTRICT:
                case GRANTABLE:
                    throw new InvalidRequestException("GRANT AUTHORIZE FOR + RESTRICT are not available until all nodes are on DSE 6.0");
                default:
                    throw new AssertionError();
            }
        }

        @Override // org.apache.cassandra.auth.CassandraAuthorizer.VersionDependent
        Map<IResource, PermissionSets> permissionsForRole(RoleResource roleResource) {
            return permissionsForRoles(Collections.singleton(roleResource)).get(roleResource);
        }

        @Override // org.apache.cassandra.auth.CassandraAuthorizer.VersionDependent
        Map<RoleResource, Map<IResource, PermissionSets>> permissionsForRoles(Iterable<? extends RoleResource> iterable) {
            HashMap hashMap = new HashMap();
            ArrayList arrayList = new ArrayList();
            for (RoleResource roleResource : iterable) {
                arrayList.add(roleResource.getRoleName());
                hashMap.put(roleResource, new HashMap());
            }
            UntypedResultSet create = UntypedResultSet.create(((ResultMessage.Rows) TPCUtils.blockingGet(this.permissionsForRolesStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(ConsistencyLevel.LOCAL_ONE, UnmodifiableArrayList.of(ListSerializer.getInstance(UTF8Serializer.instance).serialize(arrayList))), ApolloTime.approximateNanoTime()))).result);
            if (create.isEmpty()) {
                return hashMap;
            }
            Iterator<UntypedResultSet.Row> it2 = create.iterator();
            while (it2.hasNext()) {
                UntypedResultSet.Row next = it2.next();
                IResource fromName = Resources.fromName(next.getString(CassandraAuthorizer.RESOURCE));
                PermissionSets.Builder builder = PermissionSets.builder();
                addPermissionsFromRow(next, builder);
                ((Map) hashMap.get(RoleResource.role(next.getString(CassandraAuthorizer.ROLE)))).put(fromName, builder.build());
            }
            return hashMap;
        }

        @Override // com.datastax.bdp.db.upgrade.VersionDependentFeature.VersionDependent
        public void initialize() {
            this.permissionsForRolesStatement = (SelectStatement) QueryProcessor.getStatement(rolesQuery, QueryState.forInternalCalls()).statement;
        }
    }

    /* loaded from: input_file:org/apache/cassandra/auth/CassandraAuthorizer$Native.class */
    private static final class Native extends VersionDependent {
        private static final String listQuery = "SELECT role, resource, permissions, restricted, grantables FROM system_auth.role_permissions";
        private static final String rolesQuery = "SELECT role, resource, permissions, restricted, grantables FROM system_auth.role_permissions WHERE role IN ?";
        private SelectStatement permissionsForRolesStatement;

        Native() {
            super(listQuery);
        }

        @Override // org.apache.cassandra.auth.CassandraAuthorizer.VersionDependent
        void addPermissionsFromRow(UntypedResultSet.Row row, PermissionSets.Builder builder) {
            builder.getClass();
            CassandraAuthorizer.permissionsFromRow(row, CassandraAuthorizer.PERMISSIONS, builder::addGranted);
            builder.getClass();
            CassandraAuthorizer.permissionsFromRow(row, CassandraAuthorizer.RESTRICTED, builder::addRestricted);
            builder.getClass();
            CassandraAuthorizer.permissionsFromRow(row, CassandraAuthorizer.GRANTABLES, builder::addGrantable);
        }

        @Override // org.apache.cassandra.auth.CassandraAuthorizer.VersionDependent
        String columnForGrantMode(GrantMode grantMode) {
            switch (grantMode) {
                case GRANT:
                    return CassandraAuthorizer.PERMISSIONS;
                case RESTRICT:
                    return CassandraAuthorizer.RESTRICTED;
                case GRANTABLE:
                    return CassandraAuthorizer.GRANTABLES;
                default:
                    throw new AssertionError();
            }
        }

        @Override // org.apache.cassandra.auth.CassandraAuthorizer.VersionDependent
        Map<IResource, PermissionSets> permissionsForRole(RoleResource roleResource) {
            return permissionsForRoles(Collections.singleton(roleResource)).get(roleResource);
        }

        @Override // org.apache.cassandra.auth.CassandraAuthorizer.VersionDependent
        Map<RoleResource, Map<IResource, PermissionSets>> permissionsForRoles(Iterable<? extends RoleResource> iterable) {
            HashMap hashMap = new HashMap();
            ArrayList arrayList = new ArrayList();
            for (RoleResource roleResource : iterable) {
                arrayList.add(roleResource.getRoleName());
                hashMap.put(roleResource, new HashMap());
            }
            UntypedResultSet create = UntypedResultSet.create(((ResultMessage.Rows) TPCUtils.blockingGet(this.permissionsForRolesStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(ConsistencyLevel.LOCAL_ONE, UnmodifiableArrayList.of(ListSerializer.getInstance(UTF8Serializer.instance).serialize(arrayList))), ApolloTime.approximateNanoTime()))).result);
            if (create.isEmpty()) {
                return hashMap;
            }
            Iterator<UntypedResultSet.Row> it2 = create.iterator();
            while (it2.hasNext()) {
                UntypedResultSet.Row next = it2.next();
                IResource fromName = Resources.fromName(next.getString(CassandraAuthorizer.RESOURCE));
                PermissionSets.Builder builder = PermissionSets.builder();
                addPermissionsFromRow(next, builder);
                ((Map) hashMap.get(RoleResource.role(next.getString(CassandraAuthorizer.ROLE)))).put(fromName, builder.build());
            }
            return hashMap;
        }

        @Override // com.datastax.bdp.db.upgrade.VersionDependentFeature.VersionDependent
        public void initialize() {
            this.permissionsForRolesStatement = (SelectStatement) QueryProcessor.getStatement(rolesQuery, QueryState.forInternalCalls()).statement;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/cassandra/auth/CassandraAuthorizer$VersionDependent.class */
    public static abstract class VersionDependent implements VersionDependentFeature.VersionDependent {
        private final String listQuery;

        VersionDependent(String str) {
            this.listQuery = str;
        }

        String buildListQuery(IResource iResource, Set<RoleResource> set) {
            StringBuilder sb = new StringBuilder(this.listQuery);
            boolean z = iResource != null;
            boolean z2 = (set == null || set.isEmpty()) ? false : true;
            if (z) {
                sb.append(" WHERE resource = '").append(CassandraAuthorizer.escape(iResource.getName())).append('\'');
            }
            if (z2) {
                sb.append(z ? " AND " : " WHERE ").append("role IN ").append((String) set.stream().map(roleResource -> {
                    return CassandraAuthorizer.escape(roleResource.getRoleName());
                }).collect(Collectors.joining("', '", "('", "')")));
            }
            sb.append(" ALLOW FILTERING");
            return sb.toString();
        }

        abstract void addPermissionsFromRow(UntypedResultSet.Row row, PermissionSets.Builder builder);

        abstract String columnForGrantMode(GrantMode grantMode);

        abstract Map<IResource, PermissionSets> permissionsForRole(RoleResource roleResource);

        abstract Map<RoleResource, Map<IResource, PermissionSets>> permissionsForRoles(Iterable<? extends RoleResource> iterable);
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void revokeAllFrom(RoleResource roleResource) {
        try {
            process("DELETE FROM system_auth.role_permissions WHERE role = '%s'", escape(roleResource.getRoleName()));
        } catch (RequestExecutionException | RequestValidationException e) {
            logger.warn("CassandraAuthorizer failed to revoke all permissions of {}: {}", roleResource.getRoleName(), e.getMessage());
        }
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<RoleResource> revokeAllOn(IResource iResource) {
        try {
            Set<String> fetchRolesWithPermissionsOn = fetchRolesWithPermissionsOn(iResource);
            if (fetchRolesWithPermissionsOn.isEmpty()) {
                return Collections.emptySet();
            }
            deletePermissionsFor(iResource, fetchRolesWithPermissionsOn);
            return (Set) fetchRolesWithPermissionsOn.stream().map(RoleResource::role).collect(Collectors.toSet());
        } catch (RequestExecutionException | RequestValidationException e) {
            logger.warn("CassandraAuthorizer failed to revoke all permissions on {}: {}", iResource, e.getMessage());
            return Collections.emptySet();
        }
    }

    private void deletePermissionsFor(IResource iResource, Set<String> set) {
        process("DELETE FROM system_auth.role_permissions WHERE role IN (%s) AND resource = '%s'", set.stream().map(CassandraAuthorizer::escape).collect(Collectors.joining("', '", "'", "'")), escape(iResource.getName()));
    }

    private Set<String> fetchRolesWithPermissionsOn(IResource iResource) {
        UntypedResultSet process = process("SELECT role FROM system_auth.role_permissions WHERE resource = '%s' ALLOW FILTERING", escape(iResource.getName()));
        Set<String> newSetForSize = SetsFactory.newSetForSize(process.size());
        Iterator<UntypedResultSet.Row> it2 = process.iterator();
        while (it2.hasNext()) {
            newSetForSize.add(it2.next().getString(ROLE));
        }
        return newSetForSize;
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Map<IResource, PermissionSets> allPermissionSets(RoleResource roleResource, IAuthContext iAuthContext) {
        try {
            return permissionsForRole(roleResource);
        } catch (RequestExecutionException e) {
            logger.warn("CassandraAuthorizer failed to authorize {}", roleResource);
            throw new RuntimeException(e);
        } catch (RequestValidationException e2) {
            throw new AssertionError(e2);
        }
    }

    private Map<IResource, PermissionSets> permissionsForRole(RoleResource roleResource) {
        return this.feature.implementation().permissionsForRole(roleResource);
    }

    private Map<RoleResource, Map<IResource, PermissionSets>> permissionsForRoles(Iterable<? extends RoleResource> iterable) {
        return this.feature.implementation().permissionsForRoles(iterable);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void permissionsFromRow(UntypedResultSet.Row row, String str, Consumer<Permission> consumer) {
        if (row.has(str)) {
            row.getSet(str, UTF8Type.instance).stream().map(Permissions::permission).forEach(consumer);
        }
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<Permission> grant(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource, GrantMode... grantModeArr) {
        if (ArrayUtils.isEmpty(grantModeArr)) {
            throw new IllegalArgumentException("Must specify at least one grantMode");
        }
        String escape = escape(roleResource.getRoleName());
        String escape2 = escape(iResource.getName());
        VersionDependent implementation = this.feature.implementation();
        HashSet newHashSetWithExpectedSize = Sets.newHashSetWithExpectedSize(set.size());
        for (GrantMode grantMode : grantModeArr) {
            String columnForGrantMode = implementation.columnForGrantMode(grantMode);
            Set fromCollection = SetsFactory.setFromCollection(set);
            fromCollection.removeAll(getExistingPermissions(escape, escape2, columnForGrantMode, set));
            if (!fromCollection.isEmpty()) {
                updatePermissions(escape, escape2, columnForGrantMode, Marker.ANY_NON_NULL_MARKER, (String) fromCollection.stream().map((v0) -> {
                    return v0.getFullName();
                }).collect(Collectors.joining("','", "'", "'")));
                newHashSetWithExpectedSize.addAll(fromCollection);
            }
        }
        return newHashSetWithExpectedSize;
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<Permission> revoke(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource, GrantMode... grantModeArr) {
        if (ArrayUtils.isEmpty(grantModeArr)) {
            throw new IllegalArgumentException("Must specify at least one grantMode");
        }
        String escape = escape(roleResource.getRoleName());
        String escape2 = escape(iResource.getName());
        VersionDependent implementation = this.feature.implementation();
        HashSet newHashSetWithExpectedSize = Sets.newHashSetWithExpectedSize(set.size());
        for (GrantMode grantMode : grantModeArr) {
            String columnForGrantMode = implementation.columnForGrantMode(grantMode);
            Set<Permission> existingPermissions = getExistingPermissions(escape, escape2, columnForGrantMode, set);
            if (!existingPermissions.isEmpty()) {
                updatePermissions(escape, escape2, columnForGrantMode, Parameters.DEFAULT_OPTION_PREFIXES, (String) existingPermissions.stream().map((v0) -> {
                    return v0.getFullName();
                }).collect(Collectors.joining("','", "'", "'")));
                newHashSetWithExpectedSize.addAll(existingPermissions);
            }
        }
        return newHashSetWithExpectedSize;
    }

    private void updatePermissions(String str, String str2, String str3, String str4, String str5) {
        process("UPDATE system_auth.role_permissions SET %s = %s %s { %s } WHERE role = '%s' AND resource = '%s'", str3, str3, str4, str5, str, str2);
    }

    private Set<Permission> getExistingPermissions(String str, String str2, String str3, Set<Permission> set) {
        UntypedResultSet process = process("SELECT %s FROM system_auth.role_permissions WHERE role = '%s' AND resource = '%s'", str3, str, str2);
        if (process.isEmpty()) {
            return Collections.emptySet();
        }
        UntypedResultSet.Row one = process.one();
        if (!one.has(str3)) {
            return Collections.emptySet();
        }
        HashSet newHashSetWithExpectedSize = Sets.newHashSetWithExpectedSize(set.size());
        Iterator it2 = one.getSet(str3, UTF8Type.instance).iterator();
        while (it2.hasNext()) {
            Permission permission = Permissions.permission((String) it2.next());
            if (set.contains(permission)) {
                newHashSetWithExpectedSize.add(permission);
            }
        }
        return newHashSetWithExpectedSize;
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<PermissionDetails> list(Set<Permission> set, IResource iResource, RoleResource roleResource, IAuthContext iAuthContext) {
        Set<RoleResource> rolesIncludingGrantee = roleResource != null ? DatabaseDescriptor.getRoleManager().getRolesIncludingGrantee(roleResource, iAuthContext, true) : Collections.emptySet();
        VersionDependent implementation = this.feature.implementation();
        Set<PermissionDetails> newSet = SetsFactory.newSet();
        Iterator<UntypedResultSet.Row> it2 = process("%s", implementation.buildListQuery(iResource, rolesIncludingGrantee)).iterator();
        while (it2.hasNext()) {
            UntypedResultSet.Row next = it2.next();
            PermissionSets.Builder builder = PermissionSets.builder();
            implementation.addPermissionsFromRow(next, builder);
            PermissionSets build = builder.build();
            String string = next.getString(ROLE);
            IResource fromName = Resources.fromName(next.getString(RESOURCE));
            for (Permission permission : build.allContainedPermissions()) {
                if (set.contains(permission)) {
                    newSet.add(new PermissionDetails(string, fromName, permission, build.grantModesFor(permission)));
                }
            }
        }
        return newSet;
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public Set<DataResource> protectedResources() {
        return ImmutableSet.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_PERMISSIONS));
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void validateConfiguration() throws ConfigurationException {
    }

    @Override // org.apache.cassandra.auth.IAuthorizer
    public void setup() {
        this.feature.setup(Gossiper.instance.clusterVersionBarrier);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String escape(String str) {
        return StringUtils.replace(str, "'", "''");
    }

    private static UntypedResultSet process(String str, Object... objArr) throws RequestExecutionException {
        return QueryProcessor.processBlocking(String.format(str, objArr), ConsistencyLevel.LOCAL_ONE);
    }
}
