package com.facebook.presto.hive.security;

import com.facebook.presto.hive.HiveConnectorId;
import com.facebook.presto.hive.HiveTransactionHandle;
import com.facebook.presto.hive.metastore.HivePrivilegeInfo;
import com.facebook.presto.hive.metastore.SemiTransactionalHiveMetastore;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.Identity;
import com.facebook.presto.spi.security.Privilege;
import com.google.common.collect.ImmutableSet;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.inject.Inject;

/* loaded from: input_file:com/facebook/presto/hive/security/SqlStandardAccessControl.class */
/**
 * Connector access control for Hive that decides each operation from privileges and roles
 * read out of the Hive metastore for the calling user.
 *
 * <p>Summary of the rules implemented below:
 * <ul>
 *   <li>Creating a schema and setting a catalog session property require the {@code admin} role.</li>
 *   <li>Dropping a schema, creating a table and creating a view require OWNERSHIP on the schema.</li>
 *   <li>Renaming a schema requires both the {@code admin} role and OWNERSHIP on the schema.</li>
 *   <li>Dropping or renaming a table, adding, dropping or renaming a column, and dropping a view
 *       require OWNERSHIP on the table.</li>
 *   <li>SELECT, INSERT and DELETE require the matching table privilege.</li>
 *   <li>Granting or revoking a table privilege requires table OWNERSHIP, or holding that
 *       privilege with the grant option.</li>
 * </ul>
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>Every lookup is keyed on {@code identity.getUser()} only; nothing else from the
 *       {@link Identity} is consulted in this class.</li>
 *   <li>{@link #checkCanShowSchemas}, {@link #checkCanShowTablesMetadata}, {@link #filterSchemas}
 *       and {@link #filterTables} apply no restriction, so this class does not hide schema or
 *       table names from any user.</li>
 *   <li>Table privilege checks are skipped for any table in the {@code information_schema}
 *       schema, whatever privilege is requested (see {@code checkTablePermission}).</li>
 *   <li>The {@code AccessDeniedException.deny*} helpers are relied on to abort the call;
 *       presumably they always throw. Confirm against the SPI before restructuring any check.</li>
 * </ul>
 */
public class SqlStandardAccessControl implements ConnectorAccessControl {
    /** Role name that {@code isAdmin} looks for among the user's metastore roles. */
    public static final String ADMIN_ROLE_NAME = "admin";
    /** Schema whose tables bypass the table privilege lookup. */
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";
    /** String form of the connector id, used only in the session-property denial message. */
    private final String connectorId;
    /** Resolves the metastore view bound to a given Hive transaction. */
    private final Function<HiveTransactionHandle, SemiTransactionalHiveMetastore> metastoreProvider;

    /**
     * @param hiveConnectorId connector id; must not be null
     * @param function maps a Hive transaction handle to its metastore; must not be null
     * @throws NullPointerException if either argument is null
     */
    @Inject
    public SqlStandardAccessControl(HiveConnectorId hiveConnectorId, Function<HiveTransactionHandle, SemiTransactionalHiveMetastore> function) {
        this.connectorId = Objects.requireNonNull(hiveConnectorId, "connectorId is null").toString();
        this.metastoreProvider = Objects.requireNonNull(function, "metastoreProvider is null");
    }

    /** Allows schema creation only for users holding the admin role. */
    public void checkCanCreateSchema(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, String str) {
        if (!isAdmin(connectorTransactionHandle, identity)) {
            AccessDeniedException.denyCreateSchema(str);
        }
    }

    /** Allows dropping a schema only for users holding OWNERSHIP on it. */
    public void checkCanDropSchema(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, String str) {
        if (!isDatabaseOwner(connectorTransactionHandle, identity, str)) {
            AccessDeniedException.denyDropSchema(str);
        }
    }

    /**
     * Allows renaming a schema only when the user is BOTH an admin and the owner of the
     * schema being renamed. The ownership lookup is skipped when the admin check fails.
     */
    public void checkCanRenameSchema(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, String str, String str2) {
        if (!isAdmin(connectorTransactionHandle, identity) || !isDatabaseOwner(connectorTransactionHandle, identity, str)) {
            AccessDeniedException.denyRenameSchema(str, str2);
        }
    }

    /** Always allowed: listing schemas is not restricted by this class. */
    public void checkCanShowSchemas(ConnectorTransactionHandle connectorTransactionHandle, Identity identity) {
        // Intentionally empty: no check is performed.
    }

    /** Returns the given schema names unchanged; no per-user filtering is applied. */
    public Set<String> filterSchemas(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, Set<String> set) {
        return set;
    }

    /** Allows table creation only for the owner of the target schema. */
    public void checkCanCreateTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!isDatabaseOwner(connectorTransactionHandle, identity, schemaTableName.getSchemaName())) {
            AccessDeniedException.denyCreateTable(schemaTableName.toString());
        }
    }

    /** Allows dropping a table only with OWNERSHIP on that table. */
    public void checkCanDropTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyDropTable(schemaTableName.toString());
        }
    }

    /**
     * Allows renaming a table only with OWNERSHIP on the existing table. The new name
     * ({@code schemaTableName2}) is used for the denial message only; no check is made
     * against the destination schema.
     */
    public void checkCanRenameTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName, SchemaTableName schemaTableName2) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyRenameTable(schemaTableName.toString(), schemaTableName2.toString());
        }
    }

    /** Always allowed: showing table metadata is not restricted by this class. */
    public void checkCanShowTablesMetadata(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, String str) {
        // Intentionally empty: no check is performed.
    }

    /** Returns the given table names unchanged; no per-user filtering is applied. */
    public Set<SchemaTableName> filterTables(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, Set<SchemaTableName> set) {
        return set;
    }

    /** Allows adding a column only with OWNERSHIP on the table. */
    public void checkCanAddColumn(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyAddColumn(schemaTableName.toString());
        }
    }

    /** Allows dropping a column only with OWNERSHIP on the table. */
    public void checkCanDropColumn(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyDropColumn(schemaTableName.toString());
        }
    }

    /** Allows renaming a column only with OWNERSHIP on the table. */
    public void checkCanRenameColumn(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyRenameColumn(schemaTableName.toString());
        }
    }

    /**
     * Allows reading from a table only with the SELECT privilege on it. The requested
     * column names ({@code set}) are not inspected: the decision is table-level.
     */
    public void checkCanSelectFromColumns(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName, Set<String> set) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.SELECT)) {
            AccessDeniedException.denySelectTable(schemaTableName.toString());
        }
    }

    /** Allows inserting into a table only with the INSERT privilege on it. */
    public void checkCanInsertIntoTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.INSERT)) {
            AccessDeniedException.denyInsertTable(schemaTableName.toString());
        }
    }

    /** Allows deleting from a table only with the DELETE privilege on it. */
    public void checkCanDeleteFromTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.DELETE)) {
            AccessDeniedException.denyDeleteTable(schemaTableName.toString());
        }
    }

    /** Allows view creation only for the owner of the target schema. */
    public void checkCanCreateView(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!isDatabaseOwner(connectorTransactionHandle, identity, schemaTableName.getSchemaName())) {
            AccessDeniedException.denyCreateView(schemaTableName.toString());
        }
    }

    /** Allows dropping a view only with OWNERSHIP on it. */
    public void checkCanDropView(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyDropView(schemaTableName.toString());
        }
    }

    /**
     * Allows creating a view over a table only when the user holds SELECT on it and also
     * holds SELECT with the grant option. The column names ({@code set}) are not inspected.
     *
     * <p>The second check is reached only if {@code denySelectTable} does not return
     * normally for an unprivileged user; presumably it throws (confirm against the SPI).
     * Note that the grant-option lookup has no {@code information_schema} shortcut.
     */
    public void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName, Set<String> set) {
        if (!checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.SELECT)) {
            AccessDeniedException.denySelectTable(schemaTableName.toString());
        }
        if (!getGrantOptionForPrivilege(connectorTransactionHandle, identity, Privilege.SELECT, schemaTableName)) {
            AccessDeniedException.denyCreateViewWithSelect(schemaTableName.toString(), identity);
        }
    }

    /** Allows setting a catalog session property only for users holding the admin role. */
    public void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, String str) {
        if (!isAdmin(connectorTransactionHandle, identity)) {
            AccessDeniedException.denySetCatalogSessionProperty(this.connectorId, str);
        }
    }

    /**
     * Allows granting a table privilege when the caller owns the table, or when the
     * privilege maps to a Hive privilege and the caller holds it with the grant option.
     * The grantee ({@code str}) and the requested grant-option flag ({@code z}) do not
     * influence the decision.
     */
    public void checkCanGrantTablePrivilege(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, Privilege privilege, SchemaTableName schemaTableName, String str, boolean z) {
        boolean ownsTable = checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP);
        if (ownsTable) {
            return;
        }
        // The null test comes first so an unmapped privilege never reaches the grant-option lookup.
        boolean unmapped = HivePrivilegeInfo.toHivePrivilege(privilege) == null;
        if (unmapped || !getGrantOptionForPrivilege(connectorTransactionHandle, identity, privilege, schemaTableName)) {
            AccessDeniedException.denyGrantTablePrivilege(privilege.name(), schemaTableName.toString());
        }
    }

    /**
     * Allows revoking a table privilege under the same rule as granting: table owner, or
     * holder of the (Hive-mapped) privilege with the grant option. The revokee ({@code str})
     * and the flag ({@code z}) do not influence the decision.
     */
    public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, Privilege privilege, SchemaTableName schemaTableName, String str, boolean z) {
        boolean ownsTable = checkTablePermission(connectorTransactionHandle, identity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP);
        if (ownsTable) {
            return;
        }
        // The null test comes first so an unmapped privilege never reaches the grant-option lookup.
        boolean unmapped = HivePrivilegeInfo.toHivePrivilege(privilege) == null;
        if (unmapped || !getGrantOptionForPrivilege(connectorTransactionHandle, identity, privilege, schemaTableName)) {
            AccessDeniedException.denyRevokeTablePrivilege(privilege.name(), schemaTableName.toString());
        }
    }

    /**
     * Resolves the metastore for the given transaction. The handle is cast to
     * {@link HiveTransactionHandle}, so any other handle type fails with a ClassCastException.
     */
    private SemiTransactionalHiveMetastore metastoreFor(ConnectorTransactionHandle connectorTransactionHandle) {
        return this.metastoreProvider.apply((HiveTransactionHandle) connectorTransactionHandle);
    }

    /**
     * Reports whether the user's privileges on database {@code str} include every privilege
     * in {@code hivePrivilegeArr}. Grant-option flags are ignored; only the privilege kind counts.
     */
    private boolean checkDatabasePermission(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, String str, HivePrivilegeInfo.HivePrivilege... hivePrivilegeArr) {
        Set<HivePrivilegeInfo.HivePrivilege> held = metastoreFor(connectorTransactionHandle)
                .getDatabasePrivileges(identity.getUser(), str)
                .stream()
                .map(HivePrivilegeInfo::getHivePrivilege)
                .collect(Collectors.toSet());
        return held.containsAll(ImmutableSet.copyOf(hivePrivilegeArr));
    }

    /** Reports whether the user holds OWNERSHIP on database {@code str}. */
    private boolean isDatabaseOwner(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, String str) {
        return checkDatabasePermission(connectorTransactionHandle, identity, str, HivePrivilegeInfo.HivePrivilege.OWNERSHIP);
    }

    /**
     * Reports whether the user's table privileges contain an entry for {@code privilege}
     * built with the boolean flag set to {@code true} (the grant option, going by this
     * method's name). Unlike {@code checkTablePermission}, there is no
     * {@code information_schema} shortcut here.
     */
    private boolean getGrantOptionForPrivilege(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, Privilege privilege, SchemaTableName schemaTableName) {
        Set<HivePrivilegeInfo> held = metastoreFor(connectorTransactionHandle)
                .getTablePrivileges(identity.getUser(), schemaTableName.getSchemaName(), schemaTableName.getTableName());
        HivePrivilegeInfo wanted = new HivePrivilegeInfo(HivePrivilegeInfo.toHivePrivilege(privilege), true);
        return held.contains(wanted);
    }

    /**
     * Reports whether the user's privileges on the table include every privilege in
     * {@code hivePrivilegeArr}.
     *
     * <p>Security note: any table whose schema name is {@code information_schema} is
     * approved without consulting the metastore, for every requested privilege
     * (OWNERSHIP included). Callers that must not be reachable for that schema need
     * their own guard.
     */
    private boolean checkTablePermission(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName, HivePrivilegeInfo.HivePrivilege... hivePrivilegeArr) {
        if (INFORMATION_SCHEMA_NAME.equals(schemaTableName.getSchemaName())) {
            return true;
        }
        Set<HivePrivilegeInfo.HivePrivilege> held = metastoreFor(connectorTransactionHandle)
                .getTablePrivileges(identity.getUser(), schemaTableName.getSchemaName(), schemaTableName.getTableName())
                .stream()
                .map(HivePrivilegeInfo::getHivePrivilege)
                .collect(Collectors.toSet());
        return held.containsAll(ImmutableSet.copyOf(hivePrivilegeArr));
    }

    /** Reports whether the metastore lists the {@code admin} role among the user's roles. */
    private boolean isAdmin(ConnectorTransactionHandle connectorTransactionHandle, Identity identity) {
        return metastoreFor(connectorTransactionHandle).getRoles(identity.getUser()).contains(ADMIN_ROLE_NAME);
    }
}
