package io.trino.plugin.hive.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.trino.plugin.hive.HiveViewNotSupportedException;
import io.trino.plugin.hive.metastore.Database;
import io.trino.plugin.hive.metastore.HivePrincipal;
import io.trino.plugin.hive.metastore.HivePrivilegeInfo;
import io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil;
import io.trino.spi.StandardErrorCode;
import io.trino.spi.TrinoException;
import io.trino.spi.connector.ConnectorSession;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.connector.TableNotFoundException;
import io.trino.spi.security.ConnectorIdentity;
import io.trino.spi.security.GrantInfo;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.PrivilegeInfo;
import io.trino.spi.security.RoleGrant;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:io/trino/plugin/hive/security/SqlStandardAccessControlMetadata.class */
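/**
 * Role and table-privilege metadata operations for the Hive connector's SQL-standard security
 * mode, delegated to a {@link SqlStandardAccessControlMetadataMetastore}.
 *
 * <p>None of the methods in this class checks whether the session user is allowed to perform the
 * requested operation; they only validate reserved role names and forward to the metastore.
 * NOTE(review): authorization is presumably enforced by the access-control layer before these
 * methods are reached — confirm against the callers.
 */
public class SqlStandardAccessControlMetadata implements AccessControlMetadata {
    // Role names that createRole/dropRole refuse to touch; the check lower-cases the candidate first.
    // NOTE(review): Database.DEFAULT_DATABASE_NAME is presumably the literal "default" that the
    // decompiler resolved to a same-valued constant — confirm, since a database constant reads oddly here.
    private static final Set<String> RESERVED_ROLES = ImmutableSet.of("all", Database.DEFAULT_DATABASE_NAME, "none");
    private final SqlStandardAccessControlMetadataMetastore metastore;

    /**
     * @param metastore metastore facade that stores roles, role grants and table privileges
     * @throws NullPointerException if {@code metastore} is null
     */
    public SqlStandardAccessControlMetadata(SqlStandardAccessControlMetadataMetastore metastore) {
        this.metastore = Objects.requireNonNull(metastore, "metastore is null");
    }

    /**
     * Creates a role after rejecting reserved names.
     *
     * @throws TrinoException with {@code ALREADY_EXISTS} if {@code role} is a reserved role name
     */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public void createRole(ConnectorSession session, String role, Optional<HivePrincipal> grantor) {
        checkRoleIsNotReserved(role);
        // NOTE(review): the supplied grantor is ignored and null is passed to the metastore, so the
        // role is recorded without the requested grantor — confirm this is intended.
        this.metastore.createRole(role, null);
    }

    /**
     * Drops a role after rejecting reserved names.
     *
     * @throws TrinoException with {@code ALREADY_EXISTS} if {@code role} is a reserved role name
     */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public void dropRole(ConnectorSession session, String role) {
        checkRoleIsNotReserved(role);
        this.metastore.dropRole(role);
    }

    /** Rejects role names that, compared case-insensitively, collide with a reserved role. */
    private static void checkRoleIsNotReserved(String role) {
        // Locale.ENGLISH keeps the lower-casing independent of the JVM default locale.
        if (RESERVED_ROLES.contains(role.toLowerCase(Locale.ENGLISH))) {
            throw new TrinoException(StandardErrorCode.ALREADY_EXISTS, "Role name cannot be one of the reserved roles: " + RESERVED_ROLES);
        }
    }

    /** Returns an immutable snapshot of the role names reported by the metastore. */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public Set<String> listRoles(ConnectorSession session) {
        return ImmutableSet.copyOf(this.metastore.listRoles());
    }

    /** Returns an immutable snapshot of the role grants the metastore reports for {@code principal}. */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public Set<RoleGrant> listRoleGrants(ConnectorSession session, HivePrincipal principal) {
        return ImmutableSet.copyOf(this.metastore.listRoleGrants(principal));
    }

    /**
     * Grants {@code roles} to {@code grantees}. When no grantor is supplied, the session user is
     * recorded as the grantor.
     */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public void grantRoles(ConnectorSession session, Set<String> roles, Set<HivePrincipal> grantees, boolean adminOption, Optional<HivePrincipal> grantor) {
        this.metastore.grantRoles(roles, grantees, adminOption, grantor.orElse(sessionUser(session)));
    }

    /**
     * Revokes {@code roles} from {@code grantees}. When no grantor is supplied, the session user is
     * passed as the grantor.
     */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public void revokeRoles(ConnectorSession session, Set<String> roles, Set<HivePrincipal> grantees, boolean adminOption, Optional<HivePrincipal> grantor) {
        this.metastore.revokeRoles(roles, grantees, adminOption, grantor.orElse(sessionUser(session)));
    }

    /** Collects the roles {@code ThriftMetastoreUtil.listApplicableRoles} derives for {@code principal}. */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public Set<RoleGrant> listApplicableRoles(ConnectorSession session, HivePrincipal principal) {
        return ThriftMetastoreUtil.listApplicableRoles(principal, this.metastore::listRoleGrants)
                .collect(ImmutableSet.toImmutableSet());
    }

    /** Collects the roles {@code ThriftMetastoreUtil.listEnabledRoles} derives for the session identity. */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public Set<String> listEnabledRoles(ConnectorSession session) {
        ConnectorIdentity identity = session.getIdentity();
        return ThriftMetastoreUtil.listEnabledRoles(identity, this.metastore::listRoleGrants)
                .collect(ImmutableSet.toImmutableSet());
    }

    /**
     * Grants table privileges to {@code grantee}, recording the session user as the grantor.
     * {@link Privilege#CREATE} is dropped from the request before it reaches the metastore.
     */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public void grantTablePrivileges(ConnectorSession session, SchemaTableName tableName, Set<Privilege> privileges, HivePrincipal grantee, boolean grantOption) {
        this.metastore.grantTablePrivileges(
                tableName.getSchemaName(),
                tableName.getTableName(),
                grantee,
                sessionUser(session),
                // CREATE is filtered out silently rather than rejected; the caller gets no error for it.
                privileges.stream()
                        .filter(Predicate.not(Privilege.CREATE::equals))
                        .map(HivePrivilegeInfo::toHivePrivilege)
                        .collect(Collectors.toSet()),
                grantOption);
    }

    /**
     * Revokes table privileges from {@code grantee}, passing the session user as the grantor.
     * {@link Privilege#CREATE} is dropped from the request before it reaches the metastore.
     */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public void revokeTablePrivileges(ConnectorSession session, SchemaTableName tableName, Set<Privilege> privileges, HivePrincipal grantee, boolean grantOption) {
        this.metastore.revokeTablePrivileges(
                tableName.getSchemaName(),
                tableName.getTableName(),
                grantee,
                sessionUser(session),
                // CREATE is filtered out silently rather than rejected; the caller gets no error for it.
                privileges.stream()
                        .filter(Predicate.not(Privilege.CREATE::equals))
                        .map(HivePrivilegeInfo::toHivePrivilege)
                        .collect(Collectors.toSet()),
                grantOption);
    }

    /**
     * Lists grants on the given tables as visible to the session identity.
     *
     * <p>If the identity's enabled principals include the admin role name, grants are listed
     * without a principal filter; otherwise only grants for each enabled principal are listed.
     * Tables that raise {@link HiveViewNotSupportedException} or {@link TableNotFoundException}
     * are skipped so that one unlistable table does not fail the whole call.
     */
    @Override // io.trino.plugin.hive.security.AccessControlMetadata
    public List<GrantInfo> listTablePrivileges(ConnectorSession session, List<SchemaTableName> tableNames) {
        ConnectorIdentity identity = session.getIdentity();
        Set<HivePrincipal> principals = ThriftMetastoreUtil.listEnabledPrincipals(identity, this.metastore::listRoleGrants)
                .collect(ImmutableSet.toImmutableSet());
        boolean isAdminRoleSet = hasAdminRole(principals);
        ImmutableList.Builder<GrantInfo> grants = ImmutableList.builder();
        for (SchemaTableName tableName : tableNames) {
            try {
                grants.addAll(buildGrants(principals, isAdminRoleSet, tableName));
            } catch (HiveViewNotSupportedException | TableNotFoundException ignored) {
                // Deliberate best effort: the table contributes no grants and the listing continues.
            }
        }
        return grants.build();
    }

    /**
     * Builds the grants for one table: unfiltered when {@code isAdminRoleSet} is true, otherwise
     * the union of the grants listed for each principal in {@code principals}.
     */
    private List<GrantInfo> buildGrants(Set<HivePrincipal> principals, boolean isAdminRoleSet, SchemaTableName tableName) {
        if (isAdminRoleSet) {
            // An empty principal is passed through to the metastore; presumably it means "all grantees" — confirm.
            return buildGrants(tableName, Optional.empty());
        }
        ImmutableList.Builder<GrantInfo> grants = ImmutableList.builder();
        for (HivePrincipal principal : principals) {
            grants.addAll(buildGrants(tableName, Optional.of(principal)));
        }
        return grants.build();
    }

    /** Converts the metastore's privilege entries for one table and optional principal into {@link GrantInfo}s. */
    private List<GrantInfo> buildGrants(SchemaTableName tableName, Optional<HivePrincipal> principal) {
        ImmutableList.Builder<GrantInfo> grants = ImmutableList.builder();
        for (HivePrivilegeInfo hivePrivilege : this.metastore.listTablePrivileges(tableName.getSchemaName(), tableName.getTableName(), principal)) {
            // One Hive privilege entry may expand to several PrivilegeInfo values; each becomes its own grant.
            for (PrivilegeInfo privilegeInfo : hivePrivilege.toPrivilegeInfo()) {
                grants.add(new GrantInfo(
                        privilegeInfo,
                        hivePrivilege.getGrantee().toTrinoPrincipal(),
                        tableName,
                        Optional.of(hivePrivilege.getGrantor().toTrinoPrincipal()),
                        Optional.empty()));
            }
        }
        return grants.build();
    }

    /**
     * Reports whether any principal in the set is named like the admin role (case-insensitive).
     *
     * <p>NOTE(review): the match is on the principal name only and ignores the principal type.
     * If the set passed in can contain a USER principal, a user whose name equals the admin role
     * name would be treated as an admin for listing purposes — confirm what
     * {@code ThriftMetastoreUtil.listEnabledPrincipals} returns and consider also requiring
     * {@code PrincipalType.ROLE}.
     */
    private static boolean hasAdminRole(Set<HivePrincipal> principals) {
        return principals.stream()
                .anyMatch(principal -> principal.getName().equalsIgnoreCase(SqlStandardAccessControl.ADMIN_ROLE_NAME));
    }

    /** Wraps the session user as a USER principal; used as the grantor when none is supplied. */
    private static HivePrincipal sessionUser(ConnectorSession session) {
        return new HivePrincipal(PrincipalType.USER, session.getUser());
    }
}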
