package org.apache.cassandra.cql3.statements;

import com.datastax.bdp.cassandra.auth.AuthenticationScheme;
import java.util.Set;
import org.apache.cassandra.auth.FunctionResource;
import org.apache.cassandra.auth.GrantMode;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.auth.permission.Permissions;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.RoleName;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.service.QueryState;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:org/apache/cassandra/cql3/statements/PermissionsManagementStatement.class */
/**
 * Base class for CQL statements that change the permissions a role holds on a resource.
 *
 * <p>The concrete operation is named by subclasses through {@link #operation()}; judging by the
 * error messages in this class these are presumably GRANT/REVOKE and RESTRICT/UNRESTRICT
 * (subclasses are not visible here, confirm).
 *
 * <p>{@link #validate(QueryState)} rejects the statement when the configured authorizer does not
 * require authorization. {@link #checkAccess(QueryState)} decides whether the calling user may
 * run the statement; its checks are order-dependent, see the method documentation.
 */
public abstract class PermissionsManagementStatement extends AuthorizationStatement {
    // Permissions named by the statement. Stored by reference from the constructor argument (no defensive copy).
    protected final Set<Permission> permissions;
    // Target resource. Not final: checkAccess() overwrites it with the result of maybeCorrectResource().
    protected IResource resource;
    // Role whose permissions are being changed, built from the role name given to the constructor.
    protected final RoleResource grantee;
    // Mode of the grant; checkAccess() special-cases GrantMode.RESTRICT and GrantMode.GRANTABLE.
    protected final GrantMode grantMode;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Stores the statement's arguments and resolves the grantee role resource.
     *
     * @param set permissions the statement refers to; kept by reference, not copied
     * @param iResource resource the permissions apply to
     * @param roleName name of the grantee role; dereferenced here, so it must not be null
     * @param grantMode grant mode of the statement
     */
    public PermissionsManagementStatement(Set<Permission> set, IResource iResource, RoleName roleName, GrantMode grantMode) {
        this.permissions = set;
        this.resource = iResource;
        this.grantee = RoleResource.role(roleName.getName());
        this.grantMode = grantMode;
    }

    /**
     * Rejects the statement when the configured authorizer reports that authorization is not
     * required.
     *
     * <p>The error message carries the operation name and the simple class name of the
     * authorizer implementation.
     *
     * @param queryState state of the current query; not read by this method
     * @throws RequestValidationException declared by the overridden method; the exception thrown
     *     here is whatever {@code RequestValidations.invalidRequest} builds
     */
    @Override // org.apache.cassandra.cql3.CQLStatement
    public void validate(QueryState queryState) throws RequestValidationException {
        if (!DatabaseDescriptor.getAuthorizer().requireAuthorization()) {
            throw RequestValidations.invalidRequest(String.format("%s operation is not supported by the %s if it is not enabled", operation(), DatabaseDescriptor.getAuthorizer().implementation().getClass().getSimpleName()));
        }
    }

    /**
     * Returns the operation name that {@link #validate(QueryState)} puts into its error message.
     *
     * @return name of the concrete operation
     */
    protected abstract String operation();

    /**
     * Decides whether the calling user may run this permission change.
     *
     * <p>The checks run in this order, and the first one that fails ends the method with an
     * exception:
     * <ol>
     *   <li>the caller must not be anonymous ({@code checkNotAnonymous});</li>
     *   <li>the grantee must be an existing role;</li>
     *   <li>the resource is passed through {@code maybeCorrectResource} with the caller's client
     *       state and the result is stored back into {@link #resource};</li>
     *   <li>a {@link FunctionResource} in keyspace {@code "system"} is refused;</li>
     *   <li>the resource must exist;</li>
     *   <li>a superuser is allowed at this point and the method returns;</li>
     *   <li>{@link GrantMode#RESTRICT} is refused for everyone else;</li>
     *   <li>the caller's missing permissions are collected: AUTHORIZE first, then (only if
     *       AUTHORIZE is held) each permission of the statement;</li>
     *   <li>if nothing is missing the caller is allowed and the method returns;</li>
     *   <li>{@link GrantMode#GRANTABLE} is refused when anything is missing;</li>
     *   <li>otherwise every permission of the statement must pass {@code hasGrantPermission};</li>
     *   <li>finally the caller must not hold the grantee role.</li>
     * </ol>
     *
     * <p>Security-relevant consequences of that order:
     * <ul>
     *   <li>The existence checks (steps 2 and 5) run before any permission check, so their error
     *       text tells any non-anonymous caller whether a role or resource exists.
     *       NOTE(review): confirm this is the intended disclosure level.</li>
     *   <li>The self-grant check (step 12) is reached only on the {@code hasGrantPermission}
     *       path; a caller that passes step 9 is never compared with the grantee.</li>
     *   <li>Step 3 writes per-caller state into an instance field. NOTE(review): if statement
     *       instances are reused across sessions or threads, confirm that the corrected resource
     *       of one caller cannot be observed by another.</li>
     * </ul>
     *
     * @param queryState state of the current query; supplies the caller's identity, client state
     *     and permission checks
     * @throws UnauthorizedException when the caller is not allowed to run the statement; invalid
     *     grantee or resource is reported with the exception built by
     *     {@code RequestValidations.invalidRequest}
     */
    @Override // org.apache.cassandra.cql3.CQLStatement
    public void checkAccess(QueryState queryState) {
        queryState.checkNotAnonymous();
        // Existence of the grantee is checked before the caller's permissions are looked at.
        if (!DatabaseDescriptor.getRoleManager().isExistingRole(this.grantee, AuthenticationScheme.INTERNAL)) {
            throw RequestValidations.invalidRequest("Role %s doesn't exist", this.grantee.getRoleName());
        }
        // The field is replaced with a value derived from this caller's client state; every check
        // below uses the corrected resource.
        this.resource = maybeCorrectResource(this.resource, queryState.getClientState());
        // Functions in the "system" keyspace are treated as builtin; their permissions cannot be altered.
        if ((this.resource instanceof FunctionResource) && "system".equals(((FunctionResource) this.resource).getKeyspace())) {
            throw RequestValidations.invalidRequest("Altering permissions on builtin functions is not supported");
        }
        if (!RoleResource.isResourceExists(this.resource, AuthenticationScheme.INTERNAL)) {
            throw RequestValidations.invalidRequest("Resource %s doesn't exist", this.resource);
        }
        // Superusers skip every permission check below, including the RESTRICT and self-grant rules.
        if (queryState.isSuper()) {
            return;
        }
        if (this.grantMode == GrantMode.RESTRICT) {
            throw new UnauthorizedException("Only superusers are allowed to RESTRICT/UNRESTRICT");
        }
        // "of" collects the permissions the caller lacks on the resource (decompiler-chosen name).
        // It is built from a zero-length array, so presumably starts empty.
        Set<Permission> of = Permissions.setOf(new Permission[0]);
        try {
            // A failed check is signalled by UnauthorizedException. If AUTHORIZE itself is missing
            // the outer catch records only AUTHORIZE and the per-permission loop is skipped.
            queryState.checkPermission(this.resource, CorePermission.AUTHORIZE);
            for (Permission permission : this.permissions) {
                try {
                    queryState.checkPermission(this.resource, permission);
                } catch (UnauthorizedException e) {
                    // Keep going so the error message can list every missing permission.
                    of.add(permission);
                }
            }
        } catch (UnauthorizedException e2) {
            of.add(CorePermission.AUTHORIZE);
        }
        // Caller holds AUTHORIZE and every listed permission: allowed. This return comes before
        // the hasRole(grantee) check at the end of the method.
        if (of.isEmpty()) {
            return;
        }
        // Something is missing: a GRANTABLE-mode statement is refused without consulting
        // hasGrantPermission.
        if (this.grantMode == GrantMode.GRANTABLE) {
            throw new UnauthorizedException(String.format("User %s must not grant AUTHORIZE FOR %s permission on %s", queryState.getUserName(), StringUtils.join(of, ", "), this.resource));
        }
        // "of2" collects the permissions for which the caller has no grant permission; per the
        // message below this corresponds to "AUTHORIZE FOR <permission>".
        Set<Permission> of2 = Permissions.setOf(new Permission[0]);
        for (Permission permission2 : this.permissions) {
            if (!queryState.hasGrantPermission(this.resource, permission2)) {
                of2.add(permission2);
            }
        }
        if (!of2.isEmpty()) {
            throw new UnauthorizedException(String.format("User %s has no %s permission nor AUTHORIZE FOR %s permission on %s or any of its parents", queryState.getUserName(), StringUtils.join(of, ", "), StringUtils.join(of2, ", "), this.resource));
        }
        // The caller is acting on grant permission alone: refuse when the caller holds the grantee
        // role, so that grant permission cannot be used to change the caller's own permissions.
        if (queryState.hasRole(this.grantee)) {
            throw new UnauthorizedException(String.format("User %s has grant privilege for %s permission(s) on %s but must not grant/revoke for him/herself", queryState.getUserName(), StringUtils.join(this.permissions, ", "), this.resource));
        }
    }
}
