package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.config.DseConfig;
import com.datastax.dse.byos.shade.com.google.common.collect.ImmutableSet;
import com.datastax.dse.byos.shade.com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.cassandra.auth.AuthKeyspace;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.CassandraAuthorizer;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionDetails;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.Schema;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthorizer.class */
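/**
 * Authorizer that layers an on/off switch and a "transitional" mode on top of
 * {@link CassandraAuthorizer}.
 *
 * <p>Security-relevant behaviour, as implemented in {@link #authorize}:
 * <ul>
 *   <li>While {@link #enabled} is {@code false}, every caller receives all permissions that are
 *       applicable to the requested resource. The field defaults to {@code false}, so this is
 *       also the behaviour until {@link #validateConfiguration()} has run.</li>
 *   <li>In {@link TransitionalMode#NORMAL} every user, and in {@link TransitionalMode#STRICT} the
 *       anonymous user, receives a fixed permission set without the stored grants being
 *       consulted.</li>
 *   <li>Otherwise the decision is delegated to {@link CassandraAuthorizer}.</li>
 * </ul>
 *
 * <p>NOTE(review): the transitional modes bypass stored grants by design, so a deployment that
 * leaves one of them configured is effectively running without authorization for the affected
 * users. Operators would normally want the effective mode to be visible in configuration audits.
 */
public class DseAuthorizer extends CassandraAuthorizer {
    private static final Logger logger = LoggerFactory.getLogger(DseAuthorizer.class);
    private static final String ROLE = "role";
    private static final String RESOURCE = "resource";
    private static final String PERMISSIONS = "permissions";

    // Table and grantee column used when a table named "permissions" exists in the auth keyspace.
    // NOTE(review): presumably the pre-roles schema layout; confirm against the schema owner.
    private static final String USERNAME_LAYOUT_TABLE = "permissions";
    private static final String USERNAME_LAYOUT_COLUMN = "username";

    // Fixed set handed to non-superusers while a transitional mode applies to them.
    // Only these six permissions are in the set; nothing else is granted on this path.
    private static final Set<Permission> TRANSITIONAL_PERMISSIONS = ImmutableSet.copyOf(
            EnumSet.of(Permission.CREATE, Permission.ALTER, Permission.SELECT, Permission.DROP, Permission.MODIFY, Permission.EXECUTE));

    // false until validateConfiguration() reads the setting; while false, authorize() grants
    // every applicable permission to every caller.
    protected boolean enabled;
    protected TransitionalMode transitionalMode = TransitionalMode.DISABLED;

    /**
     * How {@link #authorize} treats users while authorization is enabled.
     */
    protected enum TransitionalMode {
        // Stored grants are enforced for everyone (delegates to CassandraAuthorizer).
        DISABLED,
        // Every user receives the fixed transitional set; superusers receive Permission.ALL.
        NORMAL,
        // Only the anonymous user receives the transitional set; all others are enforced.
        STRICT
    }

    /**
     * Returns the permissions {@code authenticatedUser} holds on {@code iResource}.
     *
     * @param authenticatedUser the user being authorized
     * @param iResource the resource being accessed
     * @return all applicable permissions when authorization is disabled; the transitional set (or
     *     {@code Permission.ALL} for a superuser) when a transitional mode applies to the user;
     *     otherwise whatever {@link CassandraAuthorizer#authorize} returns
     */
    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public Set<Permission> authorize(AuthenticatedUser authenticatedUser, IResource iResource) {
        if (!this.enabled) {
            // Authorization switched off: nothing is checked, everything applicable is allowed.
            return iResource.applicablePermissions();
        }
        // The anonymous user is recognised by reference identity, not equals().
        boolean transitionalApplies = this.transitionalMode == TransitionalMode.NORMAL
                || (this.transitionalMode == TransitionalMode.STRICT
                    && authenticatedUser == AuthenticatedUser.ANONYMOUS_USER);
        if (!transitionalApplies) {
            return super.authorize(authenticatedUser, iResource);
        }
        // Stored grants are not consulted on this path.
        return authenticatedUser.isSuper() ? Permission.ALL : TRANSITIONAL_PERMISSIONS;
    }

    /**
     * Loads the enabled flag and the transitional mode from {@link DseConfig}.
     *
     * <p>The mode name is upper-cased with {@code Locale.ROOT}: the default-locale variant turns
     * the {@code i} in "disabled" and "strict" into a dotted capital under a Turkish locale, which
     * makes {@code valueOf} reject an otherwise valid setting.
     *
     * @throws ConfigurationException if the configured mode does not name a {@link TransitionalMode}
     */
    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public void validateConfiguration() throws ConfigurationException {
        this.enabled = DseConfig.isAuthorizationEnabled();
        // NOTE(review): a null value here still fails with a NullPointerException, as before;
        // whether DseConfig can return null is not visible from this class.
        String configuredMode = DseConfig.getAuthorizationTransitionalMode();
        try {
            this.transitionalMode = TransitionalMode.valueOf(configuredMode.toUpperCase(java.util.Locale.ROOT));
        } catch (IllegalArgumentException e) {
            // Surface a bad setting as the declared configuration error instead of a bare
            // IllegalArgumentException, and say which value was rejected.
            throw new ConfigurationException(
                    "Unknown authorization transitional mode '" + configuredMode + "'; expected one of "
                            + EnumSet.allOf(TransitionalMode.class), e);
        }
    }

    /**
     * Lists stored permission grants, filtered by permission, resource and role.
     *
     * <p>A caller that is not a superuser may only list a role that is among its own roles;
     * listing with a {@code null} role ("everyone") is therefore restricted to superusers.
     *
     * @param authenticatedUser the user issuing the request
     * @param set only permissions contained in this set are reported
     * @param iResource resource to filter on, or {@code null} for all resources
     * @param roleResource role to filter on, or {@code null} for all roles
     * @return the matching grants; for a non-null role this includes the grants of every role
     *     returned by the role manager for it
     * @throws UnauthorizedException if the caller may not view the requested role's permissions
     */
    @Override // org.apache.cassandra.auth.CassandraAuthorizer, org.apache.cassandra.auth.IAuthorizer
    public Set<PermissionDetails> list(AuthenticatedUser authenticatedUser, Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestValidationException, RequestExecutionException {
        if (!authenticatedUser.isSuper() && !authenticatedUser.getRoles().contains(roleResource)) {
            String target = roleResource == null ? "everyone" : roleResource.getRoleName();
            throw new UnauthorizedException(String.format("You are not authorized to view %s's permissions", target));
        }
        if (roleResource == null) {
            return listPermissionsForRole(set, iResource, roleResource);
        }
        Set<PermissionDetails> details = new HashSet<>();
        // Second argument 'true' is passed through to the role manager unchanged.
        // NOTE(review): presumably requests inherited roles as well; confirm against IRoleManager.
        for (RoleResource role : DatabaseDescriptor.getRoleManager().getRoles(roleResource, true)) {
            details.addAll(listPermissionsForRole(set, iResource, role));
        }
        return details;
    }

    /**
     * Reads the grants for one role (or all roles when {@code roleResource} is {@code null}) and
     * keeps those whose permission is contained in {@code set}.
     */
    private Set<PermissionDetails> listPermissionsForRole(Set<Permission> set, IResource iResource, RoleResource roleResource) throws RequestExecutionException {
        Set<PermissionDetails> details = new HashSet<>();
        // The presence of the "permissions" table decides which table and grantee column are read.
        boolean usernameLayout = Schema.instance.getCFMetaData(AuthKeyspace.NAME, USERNAME_LAYOUT_TABLE) != null;
        String granteeColumn = usernameLayout ? USERNAME_LAYOUT_COLUMN : ROLE;
        String query = buildListQuery(iResource, roleResource, usernameLayout);
        for (UntypedResultSet.Row row : QueryProcessor.process(query, ConsistencyLevel.LOCAL_ONE)) {
            if (!row.has(PERMISSIONS)) {
                continue;
            }
            for (String permissionName : row.getSet(PERMISSIONS, UTF8Type.instance)) {
                // A stored name that is not a Permission constant makes valueOf throw.
                Permission permission = Permission.valueOf(permissionName);
                if (set.contains(permission)) {
                    details.add(new PermissionDetails(row.getString(granteeColumn), DseResources.fromName(row.getString(RESOURCE)), permission));
                }
            }
        }
        return details;
    }

    /**
     * Builds the CQL text used by {@link #listPermissionsForRole}.
     *
     * <p>The resource and role names are interpolated into quoted CQL string literals, so the
     * query's integrity depends on {@link #escape} being applied to both values.
     * NOTE(review): bound parameters would remove that dependency; whether the query API in use
     * here accepts them was not verified from this class.
     */
    private String buildListQuery(IResource iResource, RoleResource roleResource, boolean usernameLayout) {
        String table = usernameLayout ? USERNAME_LAYOUT_TABLE : AuthKeyspace.ROLE_PERMISSIONS;
        String granteeColumn = usernameLayout ? USERNAME_LAYOUT_COLUMN : ROLE;
        // Format arguments, in the order their %s placeholders appear in the final template.
        ArrayList<String> formatArgs = Lists.newArrayList(AuthKeyspace.NAME, table);
        ArrayList<String> conditions = new ArrayList<>();
        if (iResource != null) {
            conditions.add("resource = '%s'");
            formatArgs.add(escape(iResource.getName()));
        }
        if (roleResource != null) {
            conditions.add(granteeColumn + " = '%s'");
            formatArgs.add(escape(roleResource.getRoleName()));
        }
        StringBuilder template = new StringBuilder("SELECT ").append(granteeColumn).append(", resource, permissions FROM %s.%s");
        if (!conditions.isEmpty()) {
            template.append(" WHERE ").append(StringUtils.join(conditions, " AND "));
        }
        // Filtering on the resource alone needs ALLOW FILTERING.
        if (iResource != null && roleResource == null) {
            template.append(" ALLOW FILTERING");
        }
        return String.format(template.toString(), formatArgs.toArray());
    }

    /**
     * Doubles every single quote so the value can sit inside a quoted CQL string literal.
     */
    private String escape(String str) {
        return StringUtils.replace(str, "'", "''");
    }
}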
