package io.trino.plugin.base.security;

import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Module;
import io.airlift.bootstrap.Bootstrap;
import io.airlift.configuration.ConfigBinder;
import io.airlift.log.Logger;
import io.airlift.units.Duration;
import io.trino.plugin.base.security.CatalogAccessControlRule;
import io.trino.plugin.base.security.QueryAccessRule;
import io.trino.plugin.base.security.SystemInformationRule;
import io.trino.plugin.base.security.TableAccessControlRule;
import io.trino.plugin.base.util.JsonUtils;
import io.trino.spi.StandardErrorCode;
import io.trino.spi.TrinoException;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.eventlistener.EventListener;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.SystemAccessControl;
import io.trino.spi.security.SystemAccessControlFactory;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.type.Type;
import java.nio.file.Paths;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Stream;

/* loaded from: input_file:io/trino/plugin/base/security/FileBasedSystemAccessControl.class */
public class FileBasedSystemAccessControl implements SystemAccessControl {
    private static final Logger log = Logger.get(FileBasedSystemAccessControl.class);
    public static final String NAME = "file";
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";
    private final List<CatalogAccessControlRule> catalogRules;
    private final Optional<List<QueryAccessRule>> queryAccessRules;
    private final Optional<List<ImpersonationRule>> impersonationRules;
    private final Optional<List<PrincipalUserMatchRule>> principalUserMatchRules;
    private final Optional<List<SystemInformationRule>> systemInformationRules;
    private final List<CatalogSchemaAccessControlRule> schemaRules;
    private final List<CatalogTableAccessControlRule> tableRules;
    private final List<SessionPropertyAccessControlRule> sessionPropertyRules;
    private final List<CatalogSessionPropertyAccessControlRule> catalogSessionPropertyRules;
    private final Set<AnyCatalogPermissionsRule> anyCatalogPermissionsRules;
    private final Set<AnyCatalogSchemaPermissionsRule> anyCatalogSchemaPermissionsRules;

    /* loaded from: input_file:io/trino/plugin/base/security/FileBasedSystemAccessControl$Builder.class */
    public static final class Builder {
        private List<CatalogAccessControlRule> catalogRules = ImmutableList.of(CatalogAccessControlRule.ALLOW_ALL);
        private Optional<List<QueryAccessRule>> queryAccessRules = Optional.empty();
        private Optional<List<ImpersonationRule>> impersonationRules = Optional.empty();
        private Optional<List<PrincipalUserMatchRule>> principalUserMatchRules = Optional.empty();
        private Optional<List<SystemInformationRule>> systemInformationRules = Optional.empty();
        private List<CatalogSchemaAccessControlRule> schemaRules = ImmutableList.of(CatalogSchemaAccessControlRule.ALLOW_ALL);
        private List<CatalogTableAccessControlRule> tableRules = ImmutableList.of(CatalogTableAccessControlRule.ALLOW_ALL);
        private List<SessionPropertyAccessControlRule> sessionPropertyRules = ImmutableList.of(SessionPropertyAccessControlRule.ALLOW_ALL);
        private List<CatalogSessionPropertyAccessControlRule> catalogSessionPropertyRules = ImmutableList.of(CatalogSessionPropertyAccessControlRule.ALLOW_ALL);

        public Builder denyAllAccess() {
            this.catalogRules = ImmutableList.of();
            this.queryAccessRules = Optional.of(ImmutableList.of());
            this.impersonationRules = Optional.of(ImmutableList.of());
            this.principalUserMatchRules = Optional.of(ImmutableList.of());
            this.systemInformationRules = Optional.of(ImmutableList.of());
            this.schemaRules = ImmutableList.of();
            this.tableRules = ImmutableList.of();
            this.sessionPropertyRules = ImmutableList.of();
            this.catalogSessionPropertyRules = ImmutableList.of();
            return this;
        }

        public Builder setCatalogRules(List<CatalogAccessControlRule> list) {
            this.catalogRules = list;
            return this;
        }

        public Builder setQueryAccessRules(Optional<List<QueryAccessRule>> optional) {
            this.queryAccessRules = optional;
            return this;
        }

        public Builder setImpersonationRules(Optional<List<ImpersonationRule>> optional) {
            this.impersonationRules = optional;
            return this;
        }

        public Builder setPrincipalUserMatchRules(Optional<List<PrincipalUserMatchRule>> optional) {
            this.principalUserMatchRules = optional;
            return this;
        }

        public Builder setSystemInformationRules(Optional<List<SystemInformationRule>> optional) {
            this.systemInformationRules = optional;
            return this;
        }

        public Builder setSchemaRules(List<CatalogSchemaAccessControlRule> list) {
            this.schemaRules = list;
            return this;
        }

        public Builder setTableRules(List<CatalogTableAccessControlRule> list) {
            this.tableRules = list;
            return this;
        }

        public Builder setSessionPropertyRules(List<SessionPropertyAccessControlRule> list) {
            this.sessionPropertyRules = list;
            return this;
        }

        public Builder setCatalogSessionPropertyRules(List<CatalogSessionPropertyAccessControlRule> list) {
            this.catalogSessionPropertyRules = list;
            return this;
        }

        public FileBasedSystemAccessControl build() {
            return new FileBasedSystemAccessControl(this.catalogRules, this.queryAccessRules, this.impersonationRules, this.principalUserMatchRules, this.systemInformationRules, this.schemaRules, this.tableRules, this.sessionPropertyRules, this.catalogSessionPropertyRules);
        }
    }

    /* loaded from: input_file:io/trino/plugin/base/security/FileBasedSystemAccessControl$Factory.class */
    public static class Factory implements SystemAccessControlFactory {
        public String getName() {
            return FileBasedSystemAccessControl.NAME;
        }

        public SystemAccessControl create(Map<String, String> map) {
            Objects.requireNonNull(map, "config is null");
            FileBasedAccessControlConfig fileBasedAccessControlConfig = (FileBasedAccessControlConfig) new Bootstrap(new Module[]{binder -> {
                ConfigBinder.configBinder(binder).bindConfig(FileBasedAccessControlConfig.class);
            }}).doNotInitializeLogging().setRequiredConfigurationProperties(map).initialize().getInstance(FileBasedAccessControlConfig.class);
            String configFile = fileBasedAccessControlConfig.getConfigFile();
            if (!map.containsKey(FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD)) {
                return create(configFile);
            }
            try {
                Duration refreshPeriod = fileBasedAccessControlConfig.getRefreshPeriod();
                if (refreshPeriod.toMillis() == 0) {
                    throw invalidRefreshPeriodException(map, configFile);
                }
                return ForwardingSystemAccessControl.of(Suppliers.memoizeWithExpiration(() -> {
                    FileBasedSystemAccessControl.log.info("Refreshing system access control from %s", new Object[]{configFile});
                    return create(configFile);
                }, refreshPeriod.toMillis(), TimeUnit.MILLISECONDS));
            } catch (IllegalArgumentException e) {
                throw invalidRefreshPeriodException(map, configFile);
            }
        }

        private static TrinoException invalidRefreshPeriodException(Map<String, String> map, String str) {
            return new TrinoException(StandardErrorCode.CONFIGURATION_INVALID, String.format("Invalid duration value '%s' for property '%s' in '%s'", map.get(FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD), FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD, str));
        }

        private static SystemAccessControl create(String str) {
            ImmutableList of;
            FileBasedSystemAccessControlRules fileBasedSystemAccessControlRules = (FileBasedSystemAccessControlRules) JsonUtils.parseJson(Paths.get(str, new String[0]), FileBasedSystemAccessControlRules.class);
            if (fileBasedSystemAccessControlRules.getCatalogRules().isPresent()) {
                ImmutableList.Builder builder = ImmutableList.builder();
                builder.addAll(fileBasedSystemAccessControlRules.getCatalogRules().get());
                builder.add(new CatalogAccessControlRule(CatalogAccessControlRule.AccessMode.ALL, Optional.of(Pattern.compile(".*")), Optional.empty(), Optional.empty(), Optional.of(Pattern.compile("system"))));
                of = builder.build();
            } else {
                of = ImmutableList.of(CatalogAccessControlRule.ALLOW_ALL);
            }
            return FileBasedSystemAccessControl.builder().setCatalogRules(of).setQueryAccessRules(fileBasedSystemAccessControlRules.getQueryAccessRules()).setImpersonationRules(fileBasedSystemAccessControlRules.getImpersonationRules()).setPrincipalUserMatchRules(fileBasedSystemAccessControlRules.getPrincipalUserMatchRules()).setSystemInformationRules(fileBasedSystemAccessControlRules.getSystemInformationRules()).setSchemaRules(fileBasedSystemAccessControlRules.getSchemaRules().orElse(ImmutableList.of(CatalogSchemaAccessControlRule.ALLOW_ALL))).setTableRules(fileBasedSystemAccessControlRules.getTableRules().orElse(ImmutableList.of(CatalogTableAccessControlRule.ALLOW_ALL))).setSessionPropertyRules(fileBasedSystemAccessControlRules.getSessionPropertyRules().orElse(ImmutableList.of(SessionPropertyAccessControlRule.ALLOW_ALL))).setCatalogSessionPropertyRules(fileBasedSystemAccessControlRules.getCatalogSessionPropertyRules().orElse(ImmutableList.of(CatalogSessionPropertyAccessControlRule.ALLOW_ALL))).build();
        }
    }

    private FileBasedSystemAccessControl(List<CatalogAccessControlRule> list, Optional<List<QueryAccessRule>> optional, Optional<List<ImpersonationRule>> optional2, Optional<List<PrincipalUserMatchRule>> optional3, Optional<List<SystemInformationRule>> optional4, List<CatalogSchemaAccessControlRule> list2, List<CatalogTableAccessControlRule> list3, List<SessionPropertyAccessControlRule> list4, List<CatalogSessionPropertyAccessControlRule> list5) {
        this.catalogRules = list;
        this.queryAccessRules = optional;
        this.impersonationRules = optional2;
        this.principalUserMatchRules = optional3;
        this.systemInformationRules = optional4;
        this.schemaRules = list2;
        this.tableRules = list3;
        this.sessionPropertyRules = list4;
        this.catalogSessionPropertyRules = list5;
        ImmutableSet.Builder builder = ImmutableSet.builder();
        Stream flatMap = list2.stream().map((v0) -> {
            return v0.toAnyCatalogPermissionsRule();
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Objects.requireNonNull(builder);
        flatMap.forEach((v1) -> {
            r1.add(v1);
        });
        Stream flatMap2 = list3.stream().map((v0) -> {
            return v0.toAnyCatalogPermissionsRule();
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Objects.requireNonNull(builder);
        flatMap2.forEach((v1) -> {
            r1.add(v1);
        });
        Stream flatMap3 = list5.stream().map((v0) -> {
            return v0.toAnyCatalogPermissionsRule();
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Objects.requireNonNull(builder);
        flatMap3.forEach((v1) -> {
            r1.add(v1);
        });
        this.anyCatalogPermissionsRules = builder.build();
        ImmutableSet.Builder builder2 = ImmutableSet.builder();
        Stream flatMap4 = list2.stream().map((v0) -> {
            return v0.toAnyCatalogSchemaPermissionsRule();
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Objects.requireNonNull(builder2);
        flatMap4.forEach((v1) -> {
            r1.add(v1);
        });
        Stream flatMap5 = list3.stream().map((v0) -> {
            return v0.toAnyCatalogSchemaPermissionsRule();
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Objects.requireNonNull(builder2);
        flatMap5.forEach((v1) -> {
            r1.add(v1);
        });
        this.anyCatalogSchemaPermissionsRules = builder2.build();
    }

    public void checkCanImpersonateUser(SystemSecurityContext systemSecurityContext, String str) {
        Identity identity = systemSecurityContext.getIdentity();
        if (this.impersonationRules.isEmpty()) {
            if (this.principalUserMatchRules.isEmpty()) {
                AccessDeniedException.denyImpersonateUser(identity.getUser(), str);
                return;
            }
            return;
        }
        Iterator<ImpersonationRule> it = this.impersonationRules.get().iterator();
        while (it.hasNext()) {
            Optional<Boolean> match = it.next().match(identity.getUser(), identity.getEnabledRoles(), str);
            if (match.isPresent()) {
                if (match.get().booleanValue()) {
                    return;
                } else {
                    AccessDeniedException.denyImpersonateUser(identity.getUser(), str);
                }
            }
        }
        AccessDeniedException.denyImpersonateUser(identity.getUser(), str);
    }

    public void checkCanSetUser(Optional<Principal> optional, String str) {
        Objects.requireNonNull(optional, "principal is null");
        Objects.requireNonNull(str, "userName is null");
        if (this.principalUserMatchRules.isEmpty()) {
            return;
        }
        if (optional.isEmpty()) {
            AccessDeniedException.denySetUser(optional, str);
        }
        String name = optional.get().getName();
        Iterator<PrincipalUserMatchRule> it = this.principalUserMatchRules.get().iterator();
        while (it.hasNext()) {
            Optional<Boolean> match = it.next().match(name, str);
            if (match.isPresent()) {
                if (match.get().booleanValue()) {
                    return;
                } else {
                    AccessDeniedException.denySetUser(optional, str);
                }
            }
        }
        AccessDeniedException.denySetUser(optional, str);
    }

    public void checkCanExecuteQuery(SystemSecurityContext systemSecurityContext) {
        if (canAccessQuery(systemSecurityContext.getIdentity(), QueryAccessRule.AccessMode.EXECUTE)) {
            return;
        }
        AccessDeniedException.denyViewQuery();
    }

    public void checkCanViewQueryOwnedBy(SystemSecurityContext systemSecurityContext, String str) {
        if (canAccessQuery(systemSecurityContext.getIdentity(), QueryAccessRule.AccessMode.VIEW)) {
            return;
        }
        AccessDeniedException.denyViewQuery();
    }

    public Set<String> filterViewQueryOwnedBy(SystemSecurityContext systemSecurityContext, Set<String> set) {
        if (this.queryAccessRules.isEmpty()) {
            return set;
        }
        Identity identity = systemSecurityContext.getIdentity();
        return (Set) set.stream().filter(str -> {
            return canAccessQuery(identity, QueryAccessRule.AccessMode.VIEW);
        }).collect(ImmutableSet.toImmutableSet());
    }

    public void checkCanKillQueryOwnedBy(SystemSecurityContext systemSecurityContext, String str) {
        if (canAccessQuery(systemSecurityContext.getIdentity(), QueryAccessRule.AccessMode.KILL)) {
            return;
        }
        AccessDeniedException.denyViewQuery();
    }

    private boolean canAccessQuery(Identity identity, QueryAccessRule.AccessMode accessMode) {
        if (this.queryAccessRules.isEmpty()) {
            return true;
        }
        Iterator<QueryAccessRule> it = this.queryAccessRules.get().iterator();
        while (it.hasNext()) {
            Optional<Set<QueryAccessRule.AccessMode>> match = it.next().match(identity.getUser(), identity.getEnabledRoles());
            if (match.isPresent()) {
                return match.get().contains(accessMode);
            }
        }
        return false;
    }

    public void checkCanReadSystemInformation(SystemSecurityContext systemSecurityContext) {
        if (checkCanSystemInformation(systemSecurityContext.getIdentity(), SystemInformationRule.AccessMode.READ)) {
            return;
        }
        AccessDeniedException.denyReadSystemInformationAccess();
    }

    public void checkCanWriteSystemInformation(SystemSecurityContext systemSecurityContext) {
        if (checkCanSystemInformation(systemSecurityContext.getIdentity(), SystemInformationRule.AccessMode.WRITE)) {
            return;
        }
        AccessDeniedException.denyWriteSystemInformationAccess();
    }

    private boolean checkCanSystemInformation(Identity identity, SystemInformationRule.AccessMode accessMode) {
        Iterator<SystemInformationRule> it = this.systemInformationRules.orElseGet(ImmutableList::of).iterator();
        while (it.hasNext()) {
            Optional<Set<SystemInformationRule.AccessMode>> match = it.next().match(identity.getUser(), identity.getEnabledRoles());
            if (match.isPresent()) {
                return match.get().contains(accessMode);
            }
        }
        return false;
    }

    public void checkCanSetSystemSessionProperty(SystemSecurityContext systemSecurityContext, String str) {
        Identity identity = systemSecurityContext.getIdentity();
        if (((Boolean) this.sessionPropertyRules.stream().map(sessionPropertyAccessControlRule -> {
            return sessionPropertyAccessControlRule.match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), str);
        }).flatMap((v0) -> {
            return v0.stream();
        }).findFirst().orElse(false)).booleanValue()) {
            return;
        }
        AccessDeniedException.denySetSystemSessionProperty(str);
    }

    public void checkCanAccessCatalog(SystemSecurityContext systemSecurityContext, String str) {
        if (canAccessCatalog(systemSecurityContext, str, CatalogAccessControlRule.AccessMode.READ_ONLY)) {
            return;
        }
        AccessDeniedException.denyCatalogAccess(str);
    }

    public Set<String> filterCatalogs(SystemSecurityContext systemSecurityContext, Set<String> set) {
        ImmutableSet.Builder builder = ImmutableSet.builder();
        for (String str : set) {
            if (checkAnyCatalogAccess(systemSecurityContext, str)) {
                builder.add(str);
            }
        }
        return builder.build();
    }

    public void checkCanCreateSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (isSchemaOwner(systemSecurityContext, catalogSchemaName)) {
            return;
        }
        AccessDeniedException.denyCreateSchema(catalogSchemaName.toString());
    }

    public void checkCanDropSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (isSchemaOwner(systemSecurityContext, catalogSchemaName)) {
            return;
        }
        AccessDeniedException.denyDropSchema(catalogSchemaName.toString());
    }

    public void checkCanRenameSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName, String str) {
        if (isSchemaOwner(systemSecurityContext, catalogSchemaName) && isSchemaOwner(systemSecurityContext, new CatalogSchemaName(catalogSchemaName.getCatalogName(), str))) {
            return;
        }
        AccessDeniedException.denyRenameSchema(catalogSchemaName.toString(), str);
    }

    public void checkCanSetSchemaAuthorization(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName, TrinoPrincipal trinoPrincipal) {
        if (isSchemaOwner(systemSecurityContext, catalogSchemaName)) {
            return;
        }
        AccessDeniedException.denySetSchemaAuthorization(catalogSchemaName.toString(), trinoPrincipal);
    }

    public void checkCanShowSchemas(SystemSecurityContext systemSecurityContext, String str) {
        if (checkAnyCatalogAccess(systemSecurityContext, str)) {
            return;
        }
        AccessDeniedException.denyShowSchemas();
    }

    public Set<String> filterSchemas(SystemSecurityContext systemSecurityContext, String str, Set<String> set) {
        return (Set) set.stream().filter(str2 -> {
            return checkAnySchemaAccess(systemSecurityContext, str, str2);
        }).collect(ImmutableSet.toImmutableSet());
    }

    public void checkCanShowCreateTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyShowCreateTable(catalogSchemaTableName.toString());
    }

    public void checkCanShowCreateSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (isSchemaOwner(systemSecurityContext, catalogSchemaName)) {
            return;
        }
        AccessDeniedException.denyShowCreateSchema(catalogSchemaName.toString());
    }

    public void checkCanCreateTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyCreateTable(catalogSchemaTableName.toString());
    }

    public void checkCanCreateTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Map<String, Object> map) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyCreateTable(catalogSchemaTableName.toString());
    }

    public void checkCanDropTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyDropTable(catalogSchemaTableName.toString());
    }

    public void checkCanRenameTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName catalogSchemaTableName2) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP) && checkTablePermission(systemSecurityContext, catalogSchemaTableName2, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyRenameTable(catalogSchemaTableName.toString(), catalogSchemaTableName2.toString());
    }

    public void checkCanSetTableProperties(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Map<String, Object> map) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denySetTableProperties(catalogSchemaTableName.toString());
    }

    public void checkCanSetTableComment(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyCommentTable(catalogSchemaTableName.toString());
    }

    public void checkCanSetColumnComment(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyCommentColumn(catalogSchemaTableName.toString());
    }

    public void checkCanShowTables(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (checkAnySchemaAccess(systemSecurityContext, catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName())) {
            return;
        }
        AccessDeniedException.denyShowTables(catalogSchemaName.toString());
    }

    public Set<SchemaTableName> filterTables(SystemSecurityContext systemSecurityContext, String str, Set<SchemaTableName> set) {
        return (Set) set.stream().filter(schemaTableName -> {
            return isSchemaOwner(systemSecurityContext, new CatalogSchemaName(str, schemaTableName.getSchemaName())) || checkAnyTablePermission(systemSecurityContext, new CatalogSchemaTableName(str, schemaTableName));
        }).collect(ImmutableSet.toImmutableSet());
    }

    public void checkCanShowColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkAnyTablePermission(systemSecurityContext, catalogSchemaTableName)) {
            return;
        }
        AccessDeniedException.denyShowColumns(catalogSchemaTableName.toString());
    }

    public Set<String> filterColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
        if (!checkAnyTablePermission(systemSecurityContext, catalogSchemaTableName)) {
            return ImmutableSet.of();
        }
        if (INFORMATION_SCHEMA_NAME.equals(catalogSchemaTableName.getSchemaTableName().getSchemaName())) {
            return set;
        }
        Identity identity = systemSecurityContext.getIdentity();
        CatalogTableAccessControlRule orElse = this.tableRules.stream().filter(catalogTableAccessControlRule -> {
            return catalogTableAccessControlRule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), catalogSchemaTableName);
        }).findFirst().orElse(null);
        if (orElse == null || orElse.getPrivileges().isEmpty()) {
            return ImmutableSet.of();
        }
        if (orElse.getPrivileges().stream().anyMatch(tablePrivilege -> {
            return (TableAccessControlRule.TablePrivilege.SELECT == tablePrivilege || TableAccessControlRule.TablePrivilege.GRANT_SELECT == tablePrivilege) ? false : true;
        })) {
            return set;
        }
        Set<String> restrictedColumns = orElse.getRestrictedColumns();
        return (Set) set.stream().filter(str -> {
            return !restrictedColumns.contains(str);
        }).collect(ImmutableSet.toImmutableSet());
    }

    public void checkCanAddColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyAddColumn(catalogSchemaTableName.toString());
    }

    public void checkCanDropColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyDropColumn(catalogSchemaTableName.toString());
    }

    public void checkCanRenameColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyRenameColumn(catalogSchemaTableName.toString());
    }

    public void checkCanSetTableAuthorization(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, TrinoPrincipal trinoPrincipal) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denySetTableAuthorization(catalogSchemaTableName.toString(), trinoPrincipal);
    }

    public void checkCanSelectFromColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
        if (!canAccessCatalog(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.READ_ONLY)) {
            AccessDeniedException.denySelectTable(catalogSchemaTableName.toString());
        }
        if (INFORMATION_SCHEMA_NAME.equals(catalogSchemaTableName.getSchemaTableName().getSchemaName())) {
            return;
        }
        Identity identity = systemSecurityContext.getIdentity();
        if (((Boolean) this.tableRules.stream().filter(catalogTableAccessControlRule -> {
            return catalogTableAccessControlRule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), catalogSchemaTableName);
        }).map(catalogTableAccessControlRule2 -> {
            return Boolean.valueOf(catalogTableAccessControlRule2.canSelectColumns(set));
        }).findFirst().orElse(false)).booleanValue()) {
            return;
        }
        AccessDeniedException.denySelectTable(catalogSchemaTableName.toString());
    }

    public void checkCanInsertIntoTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.INSERT)) {
            return;
        }
        AccessDeniedException.denyInsertTable(catalogSchemaTableName.toString());
    }

    public void checkCanDeleteFromTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.DELETE)) {
            return;
        }
        AccessDeniedException.denyDeleteTable(catalogSchemaTableName.toString());
    }

    public void checkCanUpdateTableColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.UPDATE)) {
            return;
        }
        AccessDeniedException.denyUpdateTableColumns(catalogSchemaTableName.toString(), set);
    }

    public void checkCanCreateView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyCreateView(catalogSchemaTableName.toString());
    }

    public void checkCanRenameView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName catalogSchemaTableName2) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP) && checkTablePermission(systemSecurityContext, catalogSchemaTableName2, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyRenameView(catalogSchemaTableName.toString(), catalogSchemaTableName2.toString());
    }

    public void checkCanSetViewAuthorization(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, TrinoPrincipal trinoPrincipal) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denySetViewAuthorization(catalogSchemaTableName.toString(), trinoPrincipal);
    }

    public void checkCanDropView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyDropView(catalogSchemaTableName.toString());
    }

    public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
        if (!canAccessCatalog(systemSecurityContext, catalogSchemaTableName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denySelectTable(catalogSchemaTableName.toString());
        }
        if (INFORMATION_SCHEMA_NAME.equals(catalogSchemaTableName.getSchemaTableName().getSchemaName())) {
            return;
        }
        Identity identity = systemSecurityContext.getIdentity();
        CatalogTableAccessControlRule orElse = this.tableRules.stream().filter(catalogTableAccessControlRule -> {
            return catalogTableAccessControlRule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), catalogSchemaTableName);
        }).findFirst().orElse(null);
        if (orElse == null || !orElse.canSelectColumns(set)) {
            AccessDeniedException.denySelectTable(catalogSchemaTableName.toString());
        }
        if (orElse.getPrivileges().contains(TableAccessControlRule.TablePrivilege.GRANT_SELECT)) {
            return;
        }
        AccessDeniedException.denyCreateViewWithSelect(catalogSchemaTableName.toString(), systemSecurityContext.getIdentity());
    }

    public void checkCanCreateMaterializedView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyCreateMaterializedView(catalogSchemaTableName.toString());
    }

    public void checkCanRefreshMaterializedView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.UPDATE)) {
            return;
        }
        AccessDeniedException.denyRefreshMaterializedView(catalogSchemaTableName.toString());
    }

    public void checkCanDropMaterializedView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyDropMaterializedView(catalogSchemaTableName.toString());
    }

    public void checkCanRenameMaterializedView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName catalogSchemaTableName2) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP) && checkTablePermission(systemSecurityContext, catalogSchemaTableName2, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyRenameMaterializedView(catalogSchemaTableName.toString(), catalogSchemaTableName2.toString());
    }

    public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext systemSecurityContext, String str, TrinoPrincipal trinoPrincipal, boolean z) {
    }

    public void checkCanSetCatalogSessionProperty(SystemSecurityContext systemSecurityContext, String str, String str2) {
        Identity identity = systemSecurityContext.getIdentity();
        if (canAccessCatalog(systemSecurityContext, str, CatalogAccessControlRule.AccessMode.READ_ONLY) && ((Boolean) this.catalogSessionPropertyRules.stream().map(catalogSessionPropertyAccessControlRule -> {
            return catalogSessionPropertyAccessControlRule.match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), str, str2);
        }).flatMap((v0) -> {
            return v0.stream();
        }).findFirst().orElse(false)).booleanValue()) {
            return;
        }
        AccessDeniedException.denySetCatalogSessionProperty(str2);
    }

    public void checkCanGrantSchemaPrivilege(SystemSecurityContext systemSecurityContext, Privilege privilege, CatalogSchemaName catalogSchemaName, TrinoPrincipal trinoPrincipal, boolean z) {
        if (!canAccessCatalog(systemSecurityContext, catalogSchemaName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyGrantSchemaPrivilege(privilege.name(), catalogSchemaName.toString());
        }
        if (isSchemaOwner(systemSecurityContext, catalogSchemaName)) {
            return;
        }
        AccessDeniedException.denyGrantSchemaPrivilege(privilege.name(), catalogSchemaName.toString());
    }

    public void checkCanRevokeSchemaPrivilege(SystemSecurityContext systemSecurityContext, Privilege privilege, CatalogSchemaName catalogSchemaName, TrinoPrincipal trinoPrincipal, boolean z) {
        if (!canAccessCatalog(systemSecurityContext, catalogSchemaName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            AccessDeniedException.denyRevokeSchemaPrivilege(privilege.name(), catalogSchemaName.toString());
        }
        if (isSchemaOwner(systemSecurityContext, catalogSchemaName)) {
            return;
        }
        AccessDeniedException.denyRevokeSchemaPrivilege(privilege.name(), catalogSchemaName.toString());
    }

    public void checkCanGrantTablePrivilege(SystemSecurityContext systemSecurityContext, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, TrinoPrincipal trinoPrincipal, boolean z) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyGrantTablePrivilege(privilege.name(), catalogSchemaTableName.toString());
    }

    public void checkCanRevokeTablePrivilege(SystemSecurityContext systemSecurityContext, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, TrinoPrincipal trinoPrincipal, boolean z) {
        if (checkTablePermission(systemSecurityContext, catalogSchemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            return;
        }
        AccessDeniedException.denyRevokeTablePrivilege(privilege.name(), catalogSchemaTableName.toString());
    }

    public void checkCanCreateRole(SystemSecurityContext systemSecurityContext, String str, Optional<TrinoPrincipal> optional) {
        AccessDeniedException.denyCreateRole(str);
    }

    public void checkCanDropRole(SystemSecurityContext systemSecurityContext, String str) {
        AccessDeniedException.denyDropRole(str);
    }

    public void checkCanGrantRoles(SystemSecurityContext systemSecurityContext, Set<String> set, Set<TrinoPrincipal> set2, boolean z, Optional<TrinoPrincipal> optional) {
        AccessDeniedException.denyGrantRoles(set, set2);
    }

    public void checkCanRevokeRoles(SystemSecurityContext systemSecurityContext, Set<String> set, Set<TrinoPrincipal> set2, boolean z, Optional<TrinoPrincipal> optional) {
        AccessDeniedException.denyRevokeRoles(set, set2);
    }

    public void checkCanShowRoleAuthorizationDescriptors(SystemSecurityContext systemSecurityContext) {
        AccessDeniedException.denyShowRoleAuthorizationDescriptors();
    }

    public void checkCanShowCurrentRoles(SystemSecurityContext systemSecurityContext) {
    }

    public void checkCanShowRoleGrants(SystemSecurityContext systemSecurityContext) {
    }

    public void checkCanShowRoles(SystemSecurityContext systemSecurityContext) {
    }

    public void checkCanExecuteProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName catalogSchemaRoutineName) {
    }

    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String str) {
    }

    public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, String str) {
    }

    public Iterable<EventListener> getEventListeners() {
        return ImmutableSet.of();
    }

    public Optional<ViewExpression> getRowFilter(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        SchemaTableName schemaTableName = catalogSchemaTableName.getSchemaTableName();
        if (INFORMATION_SCHEMA_NAME.equals(schemaTableName.getSchemaName())) {
            return Optional.empty();
        }
        Identity identity = systemSecurityContext.getIdentity();
        return this.tableRules.stream().filter(catalogTableAccessControlRule -> {
            return catalogTableAccessControlRule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), catalogSchemaTableName);
        }).map(catalogTableAccessControlRule2 -> {
            return catalogTableAccessControlRule2.getFilter(identity.getUser(), catalogSchemaTableName.getCatalogName(), schemaTableName.getSchemaName());
        }).findFirst().flatMap(Function.identity());
    }

    public Optional<ViewExpression> getColumnMask(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, String str, Type type) {
        if (INFORMATION_SCHEMA_NAME.equals(catalogSchemaTableName.getSchemaTableName().getSchemaName())) {
            return Optional.empty();
        }
        Identity identity = systemSecurityContext.getIdentity();
        return this.tableRules.stream().filter(catalogTableAccessControlRule -> {
            return catalogTableAccessControlRule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), catalogSchemaTableName);
        }).map(catalogTableAccessControlRule2 -> {
            return catalogTableAccessControlRule2.getColumnMask(identity.getUser(), catalogSchemaTableName.getCatalogName(), catalogSchemaTableName.getSchemaTableName().getSchemaName(), str);
        }).findFirst().flatMap(Function.identity());
    }

    private boolean checkAnyCatalogAccess(SystemSecurityContext systemSecurityContext, String str) {
        Identity identity = systemSecurityContext.getIdentity();
        return canAccessCatalog(systemSecurityContext, str, CatalogAccessControlRule.AccessMode.READ_ONLY) && this.anyCatalogPermissionsRules.stream().anyMatch(anyCatalogPermissionsRule -> {
            return anyCatalogPermissionsRule.match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), str);
        });
    }

    private boolean canAccessCatalog(SystemSecurityContext systemSecurityContext, String str, CatalogAccessControlRule.AccessMode accessMode) {
        Identity identity = systemSecurityContext.getIdentity();
        Iterator<CatalogAccessControlRule> it = this.catalogRules.iterator();
        while (it.hasNext()) {
            Optional<CatalogAccessControlRule.AccessMode> match = it.next().match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), str);
            if (match.isPresent()) {
                return match.get().implies(accessMode);
            }
        }
        return false;
    }

    private boolean checkAnySchemaAccess(SystemSecurityContext systemSecurityContext, String str, String str2) {
        Identity identity = systemSecurityContext.getIdentity();
        return canAccessCatalog(systemSecurityContext, str, CatalogAccessControlRule.AccessMode.READ_ONLY) && this.anyCatalogSchemaPermissionsRules.stream().anyMatch(anyCatalogSchemaPermissionsRule -> {
            return anyCatalogSchemaPermissionsRule.match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), str, str2);
        });
    }

    private boolean isSchemaOwner(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (!canAccessCatalog(systemSecurityContext, catalogSchemaName.getCatalogName(), CatalogAccessControlRule.AccessMode.ALL)) {
            return false;
        }
        Identity identity = systemSecurityContext.getIdentity();
        Iterator<CatalogSchemaAccessControlRule> it = this.schemaRules.iterator();
        while (it.hasNext()) {
            Optional<Boolean> match = it.next().match(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), catalogSchemaName);
            if (match.isPresent()) {
                return match.get().booleanValue();
            }
        }
        return false;
    }

    private boolean checkAnyTablePermission(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        return checkTablePermission(systemSecurityContext, catalogSchemaTableName, CatalogAccessControlRule.AccessMode.READ_ONLY, set -> {
            return !set.isEmpty();
        });
    }

    private boolean checkTablePermission(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, TableAccessControlRule.TablePrivilege tablePrivilege) {
        return checkTablePermission(systemSecurityContext, catalogSchemaTableName, (tablePrivilege == TableAccessControlRule.TablePrivilege.SELECT || tablePrivilege == TableAccessControlRule.TablePrivilege.GRANT_SELECT) ? CatalogAccessControlRule.AccessMode.READ_ONLY : CatalogAccessControlRule.AccessMode.ALL, set -> {
            return set.contains(tablePrivilege);
        });
    }

    private boolean checkTablePermission(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, CatalogAccessControlRule.AccessMode accessMode, Predicate<Set<TableAccessControlRule.TablePrivilege>> predicate) {
        if (!canAccessCatalog(systemSecurityContext, catalogSchemaTableName.getCatalogName(), accessMode)) {
            return false;
        }
        if (INFORMATION_SCHEMA_NAME.equals(catalogSchemaTableName.getSchemaTableName().getSchemaName())) {
            return true;
        }
        Identity identity = systemSecurityContext.getIdentity();
        for (CatalogTableAccessControlRule catalogTableAccessControlRule : this.tableRules) {
            if (catalogTableAccessControlRule.matches(identity.getUser(), identity.getEnabledRoles(), identity.getGroups(), catalogSchemaTableName)) {
                return predicate.test(catalogTableAccessControlRule.getPrivileges());
            }
        }
        return false;
    }

    public static Builder builder() {
        return new Builder();
    }
}
