package io.trino.plugin.hive.security;

import com.google.common.collect.ImmutableSet;
import io.trino.plugin.base.CatalogName;
import io.trino.plugin.hive.authentication.HiveIdentity;
import io.trino.plugin.hive.metastore.Database;
import io.trino.plugin.hive.metastore.HivePrincipal;
import io.trino.plugin.hive.metastore.HivePrivilegeInfo;
import io.trino.plugin.hive.metastore.thrift.ThriftMetastoreUtil;
import io.trino.spi.StandardErrorCode;
import io.trino.spi.TrinoException;
import io.trino.spi.connector.ConnectorAccessControl;
import io.trino.spi.connector.ConnectorSecurityContext;
import io.trino.spi.connector.SchemaRoutineName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.ConnectorIdentity;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.type.Type;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.inject.Inject;

/* loaded from: input_file:io/trino/plugin/hive/security/SqlStandardAccessControl.class */
public class SqlStandardAccessControl implements ConnectorAccessControl {
    public static final String ADMIN_ROLE_NAME = "admin";
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";
    private static final SchemaTableName ROLES = new SchemaTableName(INFORMATION_SCHEMA_NAME, "roles");
    private static final SchemaTableName ROLE_AUHTORIZATION_DESCRIPTORS = new SchemaTableName(INFORMATION_SCHEMA_NAME, "role_authorization_descriptors");
    private final String catalogName;
    private final SqlStandardAccessControlMetastore metastore;

    @Inject
    public SqlStandardAccessControl(CatalogName catalogName, SqlStandardAccessControlMetastore sqlStandardAccessControlMetastore) {
        this.catalogName = ((CatalogName) Objects.requireNonNull(catalogName, "catalogName is null")).toString();
        this.metastore = (SqlStandardAccessControlMetastore) Objects.requireNonNull(sqlStandardAccessControlMetastore, "metastore is null");
    }

    public void checkCanCreateSchema(ConnectorSecurityContext connectorSecurityContext, String str) {
        if (isAdmin(connectorSecurityContext)) {
            return;
        }
        AccessDeniedException.denyCreateSchema(str);
    }

    public void checkCanDropSchema(ConnectorSecurityContext connectorSecurityContext, String str) {
        if (isDatabaseOwner(connectorSecurityContext, str)) {
            return;
        }
        AccessDeniedException.denyDropSchema(str);
    }

    public void checkCanRenameSchema(ConnectorSecurityContext connectorSecurityContext, String str, String str2) {
        if (isDatabaseOwner(connectorSecurityContext, str)) {
            return;
        }
        AccessDeniedException.denyRenameSchema(str, str2);
    }

    public void checkCanSetSchemaAuthorization(ConnectorSecurityContext connectorSecurityContext, String str, TrinoPrincipal trinoPrincipal) {
        if (isDatabaseOwner(connectorSecurityContext, str)) {
            return;
        }
        AccessDeniedException.denySetSchemaAuthorization(str, trinoPrincipal);
    }

    public void checkCanShowSchemas(ConnectorSecurityContext connectorSecurityContext) {
    }

    public Set<String> filterSchemas(ConnectorSecurityContext connectorSecurityContext, Set<String> set) {
        return set;
    }

    public void checkCanShowCreateTable(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (checkTablePermission(connectorSecurityContext, schemaTableName, HivePrivilegeInfo.HivePrivilege.SELECT, true)) {
            return;
        }
        AccessDeniedException.denyShowCreateTable(schemaTableName.toString());
    }

    public void checkCanShowCreateSchema(ConnectorSecurityContext connectorSecurityContext, String str) {
        if (isDatabaseOwner(connectorSecurityContext, str)) {
            return;
        }
        AccessDeniedException.denyShowCreateSchema(str);
    }

    public void checkCanCreateTable(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isDatabaseOwner(connectorSecurityContext, schemaTableName.getSchemaName())) {
            return;
        }
        AccessDeniedException.denyCreateTable(schemaTableName.toString());
    }

    public void checkCanDropTable(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyDropTable(schemaTableName.toString());
    }

    public void checkCanRenameTable(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, SchemaTableName schemaTableName2) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyRenameTable(schemaTableName.toString(), schemaTableName2.toString());
    }

    public void checkCanSetTableComment(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyCommentTable(schemaTableName.toString());
    }

    public void checkCanSetColumnComment(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyCommentColumn(schemaTableName.toString());
    }

    public void checkCanShowTables(ConnectorSecurityContext connectorSecurityContext, String str) {
    }

    public Set<SchemaTableName> filterTables(ConnectorSecurityContext connectorSecurityContext, Set<SchemaTableName> set) {
        return set;
    }

    public void checkCanShowColumns(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (hasAnyTablePermission(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyShowColumns(schemaTableName.toString());
    }

    public Set<String> filterColumns(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, Set<String> set) {
        return !hasAnyTablePermission(connectorSecurityContext, schemaTableName) ? ImmutableSet.of() : set;
    }

    public void checkCanAddColumn(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyAddColumn(schemaTableName.toString());
    }

    public void checkCanDropColumn(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyDropColumn(schemaTableName.toString());
    }

    public void checkCanRenameColumn(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyRenameColumn(schemaTableName.toString());
    }

    public void checkCanSetTableAuthorization(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, TrinoPrincipal trinoPrincipal) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denySetTableAuthorization(schemaTableName.toString(), trinoPrincipal);
    }

    public void checkCanSelectFromColumns(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, Set<String> set) {
        if (checkTablePermission(connectorSecurityContext, schemaTableName, HivePrivilegeInfo.HivePrivilege.SELECT, false)) {
            return;
        }
        AccessDeniedException.denySelectTable(schemaTableName.toString());
    }

    public void checkCanInsertIntoTable(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (checkTablePermission(connectorSecurityContext, schemaTableName, HivePrivilegeInfo.HivePrivilege.INSERT, false)) {
            return;
        }
        AccessDeniedException.denyInsertTable(schemaTableName.toString());
    }

    public void checkCanDeleteFromTable(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (checkTablePermission(connectorSecurityContext, schemaTableName, HivePrivilegeInfo.HivePrivilege.DELETE, false)) {
            return;
        }
        AccessDeniedException.denyDeleteTable(schemaTableName.toString());
    }

    public void checkCanUpdateTableColumns(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, Set<String> set) {
        if (checkTablePermission(connectorSecurityContext, schemaTableName, HivePrivilegeInfo.HivePrivilege.UPDATE, false)) {
            return;
        }
        AccessDeniedException.denyUpdateTableColumns(schemaTableName.toString(), set);
    }

    public void checkCanCreateView(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isDatabaseOwner(connectorSecurityContext, schemaTableName.getSchemaName())) {
            return;
        }
        AccessDeniedException.denyCreateView(schemaTableName.toString());
    }

    public void checkCanRenameView(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, SchemaTableName schemaTableName2) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyRenameView(schemaTableName.toString(), schemaTableName2.toString());
    }

    public void checkCanSetViewAuthorization(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, TrinoPrincipal trinoPrincipal) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denySetViewAuthorization(schemaTableName.toString(), trinoPrincipal);
    }

    public void checkCanDropView(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyDropView(schemaTableName.toString());
    }

    public void checkCanCreateViewWithSelectFromColumns(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, Set<String> set) {
        checkCanSelectFromColumns(connectorSecurityContext, schemaTableName, set);
        if (checkTablePermission(connectorSecurityContext, schemaTableName, HivePrivilegeInfo.HivePrivilege.SELECT, true)) {
            return;
        }
        AccessDeniedException.denyCreateViewWithSelect(schemaTableName.toString(), connectorSecurityContext.getIdentity());
    }

    public void checkCanCreateMaterializedView(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isDatabaseOwner(connectorSecurityContext, schemaTableName.getSchemaName())) {
            return;
        }
        AccessDeniedException.denyCreateMaterializedView(schemaTableName.toString());
    }

    public void checkCanRefreshMaterializedView(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (checkTablePermission(connectorSecurityContext, schemaTableName, HivePrivilegeInfo.HivePrivilege.UPDATE, false)) {
            return;
        }
        AccessDeniedException.denyRefreshMaterializedView(schemaTableName.toString());
    }

    public void checkCanDropMaterializedView(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorSecurityContext, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyDropMaterializedView(schemaTableName.toString());
    }

    public void checkCanSetCatalogSessionProperty(ConnectorSecurityContext connectorSecurityContext, String str) {
        if (isAdmin(connectorSecurityContext)) {
            return;
        }
        AccessDeniedException.denySetCatalogSessionProperty(this.catalogName, str);
    }

    public void checkCanGrantSchemaPrivilege(ConnectorSecurityContext connectorSecurityContext, Privilege privilege, String str, TrinoPrincipal trinoPrincipal, boolean z) {
        throw new TrinoException(StandardErrorCode.NOT_SUPPORTED, "This connector does not support grants on schemas");
    }

    public void checkCanRevokeSchemaPrivilege(ConnectorSecurityContext connectorSecurityContext, Privilege privilege, String str, TrinoPrincipal trinoPrincipal, boolean z) {
        throw new TrinoException(StandardErrorCode.NOT_SUPPORTED, "This connector does not support revokes on schemas");
    }

    public void checkCanGrantTablePrivilege(ConnectorSecurityContext connectorSecurityContext, Privilege privilege, SchemaTableName schemaTableName, TrinoPrincipal trinoPrincipal, boolean z) {
        if (isTableOwner(connectorSecurityContext, schemaTableName) || hasGrantOptionForPrivilege(connectorSecurityContext, privilege, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyGrantTablePrivilege(privilege.name(), schemaTableName.toString());
    }

    public void checkCanRevokeTablePrivilege(ConnectorSecurityContext connectorSecurityContext, Privilege privilege, SchemaTableName schemaTableName, TrinoPrincipal trinoPrincipal, boolean z) {
        if (isTableOwner(connectorSecurityContext, schemaTableName) || hasGrantOptionForPrivilege(connectorSecurityContext, privilege, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyRevokeTablePrivilege(privilege.name(), schemaTableName.toString());
    }

    public void checkCanCreateRole(ConnectorSecurityContext connectorSecurityContext, String str, Optional<TrinoPrincipal> optional) {
        if (optional.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support WITH ADMIN statement");
        }
        if (isAdmin(connectorSecurityContext)) {
            return;
        }
        AccessDeniedException.denyCreateRole(str);
    }

    public void checkCanDropRole(ConnectorSecurityContext connectorSecurityContext, String str) {
        if (isAdmin(connectorSecurityContext)) {
            return;
        }
        AccessDeniedException.denyDropRole(str);
    }

    public void checkCanGrantRoles(ConnectorSecurityContext connectorSecurityContext, Set<String> set, Set<TrinoPrincipal> set2, boolean z, Optional<TrinoPrincipal> optional, String str) {
        if (optional.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support GRANTED BY statement");
        }
        if (hasAdminOptionForRoles(connectorSecurityContext, set)) {
            return;
        }
        AccessDeniedException.denyGrantRoles(set, set2);
    }

    public void checkCanRevokeRoles(ConnectorSecurityContext connectorSecurityContext, Set<String> set, Set<TrinoPrincipal> set2, boolean z, Optional<TrinoPrincipal> optional, String str) {
        if (optional.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support GRANTED BY statement");
        }
        if (hasAdminOptionForRoles(connectorSecurityContext, set)) {
            return;
        }
        AccessDeniedException.denyRevokeRoles(set, set2);
    }

    public void checkCanSetRole(ConnectorSecurityContext connectorSecurityContext, String str, String str2) {
        if (ThriftMetastoreUtil.isRoleApplicable(new HivePrincipal(PrincipalType.USER, connectorSecurityContext.getIdentity().getUser()), str, hivePrincipal -> {
            return this.metastore.listRoleGrants(connectorSecurityContext, hivePrincipal);
        })) {
            return;
        }
        AccessDeniedException.denySetRole(str);
    }

    public void checkCanShowRoleAuthorizationDescriptors(ConnectorSecurityContext connectorSecurityContext, String str) {
        if (isAdmin(connectorSecurityContext)) {
            return;
        }
        AccessDeniedException.denyShowRoleAuthorizationDescriptors(str);
    }

    public void checkCanShowRoles(ConnectorSecurityContext connectorSecurityContext, String str) {
        if (isAdmin(connectorSecurityContext)) {
            return;
        }
        AccessDeniedException.denyShowRoles(str);
    }

    public void checkCanShowCurrentRoles(ConnectorSecurityContext connectorSecurityContext, String str) {
    }

    public void checkCanShowRoleGrants(ConnectorSecurityContext connectorSecurityContext, String str) {
    }

    public void checkCanExecuteProcedure(ConnectorSecurityContext connectorSecurityContext, SchemaRoutineName schemaRoutineName) {
    }

    public Optional<ViewExpression> getRowFilter(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        return Optional.empty();
    }

    public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, String str, Type type) {
        return Optional.empty();
    }

    private boolean isAdmin(ConnectorSecurityContext connectorSecurityContext) {
        return ThriftMetastoreUtil.isRoleEnabled(connectorSecurityContext.getIdentity(), hivePrincipal -> {
            return this.metastore.listRoleGrants(connectorSecurityContext, hivePrincipal);
        }, ADMIN_ROLE_NAME);
    }

    private boolean isDatabaseOwner(ConnectorSecurityContext connectorSecurityContext, String str) {
        if (Database.DEFAULT_DATABASE_NAME.equalsIgnoreCase(str) || isAdmin(connectorSecurityContext)) {
            return true;
        }
        Optional<Database> database = this.metastore.getDatabase(connectorSecurityContext, str);
        if (database.isEmpty()) {
            return false;
        }
        Database database2 = database.get();
        ConnectorIdentity identity = connectorSecurityContext.getIdentity();
        if (database2.getOwnerType() == PrincipalType.USER && identity.getUser().equals(database2.getOwnerName())) {
            return true;
        }
        return database2.getOwnerType() == PrincipalType.ROLE && ThriftMetastoreUtil.isRoleEnabled(identity, hivePrincipal -> {
            return this.metastore.listRoleGrants(connectorSecurityContext, hivePrincipal);
        }, database2.getOwnerName());
    }

    private boolean isTableOwner(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        return checkTablePermission(connectorSecurityContext, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP, false);
    }

    private boolean checkTablePermission(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, HivePrivilegeInfo.HivePrivilege hivePrivilege, boolean z) {
        if (isAdmin(connectorSecurityContext)) {
            return true;
        }
        if (schemaTableName.equals(ROLES) || schemaTableName.equals(ROLE_AUHTORIZATION_DESCRIPTORS)) {
            return false;
        }
        if (INFORMATION_SCHEMA_NAME.equals(schemaTableName.getSchemaName())) {
            return true;
        }
        Set set = (Set) this.metastore.listTablePrivileges(connectorSecurityContext, new HiveIdentity(connectorSecurityContext.getIdentity()), schemaTableName.getSchemaName(), schemaTableName.getTableName(), Optional.empty()).stream().filter(hivePrivilegeInfo -> {
            return hivePrivilegeInfo.getHivePrivilege() == hivePrivilege;
        }).filter(hivePrivilegeInfo2 -> {
            return !z || hivePrivilegeInfo2.isGrantOption();
        }).map((v0) -> {
            return v0.getGrantee();
        }).collect(ImmutableSet.toImmutableSet());
        Stream<HivePrincipal> listEnabledPrincipals = ThriftMetastoreUtil.listEnabledPrincipals(connectorSecurityContext.getIdentity(), hivePrincipal -> {
            return this.metastore.listRoleGrants(connectorSecurityContext, hivePrincipal);
        });
        Objects.requireNonNull(set);
        return listEnabledPrincipals.anyMatch((v1) -> {
            return r1.contains(v1);
        });
    }

    private boolean hasGrantOptionForPrivilege(ConnectorSecurityContext connectorSecurityContext, Privilege privilege, SchemaTableName schemaTableName) {
        if (isAdmin(connectorSecurityContext)) {
            return true;
        }
        return listApplicableTablePrivileges(connectorSecurityContext, schemaTableName.getSchemaName(), schemaTableName.getTableName(), connectorSecurityContext.getIdentity()).anyMatch(hivePrivilegeInfo -> {
            return hivePrivilegeInfo.getHivePrivilege() == HivePrivilegeInfo.toHivePrivilege(privilege) && hivePrivilegeInfo.isGrantOption();
        });
    }

    private Stream<HivePrivilegeInfo> listApplicableTablePrivileges(ConnectorSecurityContext connectorSecurityContext, String str, String str2, ConnectorIdentity connectorIdentity) {
        HivePrincipal hivePrincipal = new HivePrincipal(PrincipalType.USER, connectorIdentity.getUser());
        return listTablePrivileges(connectorSecurityContext, new HiveIdentity(connectorIdentity), str, str2, Stream.concat(Stream.of(hivePrincipal), ThriftMetastoreUtil.listApplicableRoles(hivePrincipal, hivePrincipal2 -> {
            return this.metastore.listRoleGrants(connectorSecurityContext, hivePrincipal2);
        }).map(roleGrant -> {
            return new HivePrincipal(PrincipalType.ROLE, roleGrant.getRoleName());
        })));
    }

    private Stream<HivePrivilegeInfo> listTablePrivileges(ConnectorSecurityContext connectorSecurityContext, HiveIdentity hiveIdentity, String str, String str2, Stream<HivePrincipal> stream) {
        return stream.flatMap(hivePrincipal -> {
            return this.metastore.listTablePrivileges(connectorSecurityContext, hiveIdentity, str, str2, Optional.of(hivePrincipal)).stream();
        });
    }

    private boolean hasAdminOptionForRoles(ConnectorSecurityContext connectorSecurityContext, Set<String> set) {
        if (isAdmin(connectorSecurityContext)) {
            return true;
        }
        return ((Set) ThriftMetastoreUtil.listApplicableRoles(new HivePrincipal(PrincipalType.USER, connectorSecurityContext.getIdentity().getUser()), hivePrincipal -> {
            return this.metastore.listRoleGrants(connectorSecurityContext, hivePrincipal);
        }).filter((v0) -> {
            return v0.isGrantable();
        }).map((v0) -> {
            return v0.getRoleName();
        }).collect(Collectors.toSet())).containsAll(set);
    }

    private boolean hasAnyTablePermission(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
        if (isAdmin(connectorSecurityContext)) {
            return true;
        }
        if (schemaTableName.equals(ROLES)) {
            return false;
        }
        if (INFORMATION_SCHEMA_NAME.equals(schemaTableName.getSchemaName())) {
            return true;
        }
        Set set = (Set) this.metastore.listTablePrivileges(connectorSecurityContext, new HiveIdentity(connectorSecurityContext.getIdentity()), schemaTableName.getSchemaName(), schemaTableName.getTableName(), Optional.empty()).stream().map((v0) -> {
            return v0.getGrantee();
        }).collect(ImmutableSet.toImmutableSet());
        Stream<HivePrincipal> listEnabledPrincipals = ThriftMetastoreUtil.listEnabledPrincipals(connectorSecurityContext.getIdentity(), hivePrincipal -> {
            return this.metastore.listRoleGrants(connectorSecurityContext, hivePrincipal);
        });
        Objects.requireNonNull(set);
        return listEnabledPrincipals.anyMatch((v1) -> {
            return r1.contains(v1);
        });
    }
}
