package com.facebook.presto.hive.security;

import com.facebook.presto.hive.HiveConnectorId;
import com.facebook.presto.hive.HiveTransactionManager;
import com.facebook.presto.hive.metastore.Database;
import com.facebook.presto.hive.metastore.HivePrivilegeInfo;
import com.facebook.presto.hive.metastore.SemiTransactionalHiveMetastore;
import com.facebook.presto.hive.metastore.thrift.ThriftMetastoreUtil;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.ConnectorIdentity;
import com.facebook.presto.spi.security.PrestoPrincipal;
import com.facebook.presto.spi.security.PrincipalType;
import com.facebook.presto.spi.security.Privilege;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.inject.Inject;

/* loaded from: input_file:com/facebook/presto/hive/security/SqlStandardAccessControl.class */
public class SqlStandardAccessControl implements ConnectorAccessControl {
    public static final String ADMIN_ROLE_NAME = "admin";
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";
    private static final SchemaTableName ROLES = new SchemaTableName(INFORMATION_SCHEMA_NAME, "roles");
    private final String connectorId;
    private final HiveTransactionManager hiveTransactionManager;

    @Inject
    public SqlStandardAccessControl(HiveConnectorId hiveConnectorId, HiveTransactionManager hiveTransactionManager) {
        this.connectorId = ((HiveConnectorId) Objects.requireNonNull(hiveConnectorId, "connectorId is null")).toString();
        this.hiveTransactionManager = (HiveTransactionManager) Objects.requireNonNull(hiveTransactionManager, "hiveTransactionManager is null");
    }

    public void checkCanCreateSchema(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        if (isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return;
        }
        AccessDeniedException.denyCreateSchema(str);
    }

    public void checkCanDropSchema(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        if (isDatabaseOwner(connectorTransactionHandle, connectorIdentity, str)) {
            return;
        }
        AccessDeniedException.denyDropSchema(str);
    }

    public void checkCanRenameSchema(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str, String str2) {
        if (isDatabaseOwner(connectorTransactionHandle, connectorIdentity, str)) {
            return;
        }
        AccessDeniedException.denyRenameSchema(str, str2);
    }

    public void checkCanShowSchemas(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext) {
    }

    public Set<String> filterSchemas(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<String> set) {
        return set;
    }

    public void checkCanCreateTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (isDatabaseOwner(connectorTransactionHandle, connectorIdentity, schemaTableName.getSchemaName())) {
            return;
        }
        AccessDeniedException.denyCreateTable(schemaTableName.toString());
    }

    public void checkCanDropTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorTransactionHandle, connectorIdentity, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyDropTable(schemaTableName.toString());
    }

    public void checkCanRenameTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, SchemaTableName schemaTableName2) {
        if (isTableOwner(connectorTransactionHandle, connectorIdentity, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyRenameTable(schemaTableName.toString(), schemaTableName2.toString());
    }

    public void checkCanShowTablesMetadata(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
    }

    public Set<SchemaTableName> filterTables(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<SchemaTableName> set) {
        return set;
    }

    public void checkCanAddColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorTransactionHandle, connectorIdentity, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyAddColumn(schemaTableName.toString());
    }

    public void checkCanDropColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorTransactionHandle, connectorIdentity, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyDropColumn(schemaTableName.toString());
    }

    public void checkCanRenameColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorTransactionHandle, connectorIdentity, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyRenameColumn(schemaTableName.toString());
    }

    public void checkCanSelectFromColumns(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, Set<String> set) {
        if (checkTablePermission(connectorTransactionHandle, connectorIdentity, schemaTableName, HivePrivilegeInfo.HivePrivilege.SELECT, false)) {
            return;
        }
        AccessDeniedException.denySelectTable(schemaTableName.toString());
    }

    public void checkCanInsertIntoTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (checkTablePermission(connectorTransactionHandle, connectorIdentity, schemaTableName, HivePrivilegeInfo.HivePrivilege.INSERT, false)) {
            return;
        }
        AccessDeniedException.denyInsertTable(schemaTableName.toString());
    }

    public void checkCanDeleteFromTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (checkTablePermission(connectorTransactionHandle, connectorIdentity, schemaTableName, HivePrivilegeInfo.HivePrivilege.DELETE, false)) {
            return;
        }
        AccessDeniedException.denyDeleteTable(schemaTableName.toString());
    }

    public void checkCanCreateView(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (isDatabaseOwner(connectorTransactionHandle, connectorIdentity, schemaTableName.getSchemaName())) {
            return;
        }
        AccessDeniedException.denyCreateView(schemaTableName.toString());
    }

    public void checkCanDropView(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (isTableOwner(connectorTransactionHandle, connectorIdentity, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyDropView(schemaTableName.toString());
    }

    public void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, Set<String> set) {
        checkCanSelectFromColumns(connectorTransactionHandle, connectorIdentity, accessControlContext, schemaTableName, set);
        if (checkTablePermission(connectorTransactionHandle, connectorIdentity, schemaTableName, HivePrivilegeInfo.HivePrivilege.SELECT, true)) {
            return;
        }
        AccessDeniedException.denyCreateViewWithSelect(schemaTableName.toString(), connectorIdentity);
    }

    public void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        if (isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return;
        }
        AccessDeniedException.denySetCatalogSessionProperty(this.connectorId, str);
    }

    public void checkCanGrantTablePrivilege(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Privilege privilege, SchemaTableName schemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
        if (isTableOwner(connectorTransactionHandle, connectorIdentity, schemaTableName) || hasGrantOptionForPrivilege(connectorTransactionHandle, connectorIdentity, privilege, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyGrantTablePrivilege(privilege.name(), schemaTableName.toString());
    }

    public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Privilege privilege, SchemaTableName schemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
        if (isTableOwner(connectorTransactionHandle, connectorIdentity, schemaTableName) || hasGrantOptionForPrivilege(connectorTransactionHandle, connectorIdentity, privilege, schemaTableName)) {
            return;
        }
        AccessDeniedException.denyRevokeTablePrivilege(privilege.name(), schemaTableName.toString());
    }

    public void checkCanCreateRole(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str, Optional<PrestoPrincipal> optional) {
        if (optional.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support WITH ADMIN statement");
        }
        if (isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return;
        }
        AccessDeniedException.denyCreateRole(str);
    }

    public void checkCanDropRole(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        if (isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return;
        }
        AccessDeniedException.denyDropRole(str);
    }

    public void checkCanGrantRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        if (optional.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support GRANTED BY statement");
        }
        if (hasAdminOptionForRoles(connectorTransactionHandle, connectorIdentity, set)) {
            return;
        }
        AccessDeniedException.denyGrantRoles(set, set2);
    }

    public void checkCanRevokeRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        if (optional.isPresent()) {
            throw new AccessDeniedException("Hive Connector does not support GRANTED BY statement");
        }
        if (hasAdminOptionForRoles(connectorTransactionHandle, connectorIdentity, set)) {
            return;
        }
        AccessDeniedException.denyRevokeRoles(set, set2);
    }

    public void checkCanSetRole(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str, String str2) {
        if (ThriftMetastoreUtil.isRoleApplicable(getMetastore(connectorTransactionHandle), new PrestoPrincipal(PrincipalType.USER, connectorIdentity.getUser()), str)) {
            return;
        }
        AccessDeniedException.denySetRole(str);
    }

    public void checkCanShowRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        if (isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return;
        }
        AccessDeniedException.denyShowRoles(str);
    }

    public void checkCanShowCurrentRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
    }

    public void checkCanShowRoleGrants(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
    }

    private boolean isAdmin(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity) {
        SemiTransactionalHiveMetastore metastore = getMetastore(connectorTransactionHandle);
        metastore.getClass();
        return ThriftMetastoreUtil.isRoleEnabled(connectorIdentity, metastore::listRoleGrants, ADMIN_ROLE_NAME);
    }

    private boolean isDatabaseOwner(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, String str) {
        if ("default".equalsIgnoreCase(str) || isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return true;
        }
        SemiTransactionalHiveMetastore metastore = getMetastore(connectorTransactionHandle);
        Optional database = metastore.getDatabase(str);
        if (!database.isPresent()) {
            return false;
        }
        Database database2 = (Database) database.get();
        if (database2.getOwnerType() == PrincipalType.USER && connectorIdentity.getUser().equals(database2.getOwnerName())) {
            return true;
        }
        if (database2.getOwnerType() != PrincipalType.ROLE) {
            return false;
        }
        metastore.getClass();
        return ThriftMetastoreUtil.isRoleEnabled(connectorIdentity, metastore::listRoleGrants, database2.getOwnerName());
    }

    private boolean isTableOwner(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, SchemaTableName schemaTableName) {
        return checkTablePermission(connectorTransactionHandle, connectorIdentity, schemaTableName, HivePrivilegeInfo.HivePrivilege.OWNERSHIP, false);
    }

    private boolean checkTablePermission(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, SchemaTableName schemaTableName, HivePrivilegeInfo.HivePrivilege hivePrivilege, boolean z) {
        if (isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return true;
        }
        if (schemaTableName.equals(ROLES)) {
            return false;
        }
        if (INFORMATION_SCHEMA_NAME.equals(schemaTableName.getSchemaName())) {
            return true;
        }
        return ThriftMetastoreUtil.listEnabledTablePrivileges(getMetastore(connectorTransactionHandle), schemaTableName.getSchemaName(), schemaTableName.getTableName(), connectorIdentity).filter(hivePrivilegeInfo -> {
            return !z || hivePrivilegeInfo.isGrantOption();
        }).anyMatch(hivePrivilegeInfo2 -> {
            return hivePrivilegeInfo2.getHivePrivilege().equals(hivePrivilege);
        });
    }

    private boolean hasGrantOptionForPrivilege(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, Privilege privilege, SchemaTableName schemaTableName) {
        if (isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return true;
        }
        return ThriftMetastoreUtil.listApplicableTablePrivileges(getMetastore(connectorTransactionHandle), schemaTableName.getSchemaName(), schemaTableName.getTableName(), connectorIdentity.getUser()).anyMatch(hivePrivilegeInfo -> {
            return hivePrivilegeInfo.getHivePrivilege().equals(HivePrivilegeInfo.toHivePrivilege(privilege)) && hivePrivilegeInfo.isGrantOption();
        });
    }

    private boolean hasAdminOptionForRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, Set<String> set) {
        if (isAdmin(connectorTransactionHandle, connectorIdentity)) {
            return true;
        }
        SemiTransactionalHiveMetastore metastore = getMetastore(connectorTransactionHandle);
        PrestoPrincipal prestoPrincipal = new PrestoPrincipal(PrincipalType.USER, connectorIdentity.getUser());
        metastore.getClass();
        return ((Set) ThriftMetastoreUtil.listApplicableRoles(prestoPrincipal, metastore::listRoleGrants).filter((v0) -> {
            return v0.isGrantable();
        }).map((v0) -> {
            return v0.getRoleName();
        }).collect(Collectors.toSet())).containsAll(set);
    }

    private SemiTransactionalHiveMetastore getMetastore(ConnectorTransactionHandle connectorTransactionHandle) {
        return this.hiveTransactionManager.get(connectorTransactionHandle).getMetastore();
    }
}
