package com.facebook.presto.hive.security.ranger;

import com.facebook.airlift.http.client.HttpClient;
import com.facebook.airlift.http.client.HttpUriBuilder;
import com.facebook.airlift.http.client.JsonResponseHandler;
import com.facebook.airlift.http.client.Request;
import com.facebook.airlift.http.client.StringResponseHandler;
import com.facebook.airlift.json.JsonCodec;
import com.facebook.presto.common.Subfield;
import com.facebook.presto.hive.HiveErrorCode;
import com.facebook.presto.spi.PrestoException;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.ConnectorIdentity;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.UnmodifiableIterator;
import com.google.inject.Inject;
import java.io.IOException;
import java.net.URI;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import org.apache.ranger.plugin.util.ServicePolicies;

/* loaded from: input_file:com/facebook/presto/hive/security/ranger/RangerBasedAccessControl.class */
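/**
 * Hive connector access control backed by Apache Ranger.
 *
 * <p>Policies, user-to-group and user-to-role mappings are pulled from the Ranger REST
 * endpoint configured in {@link RangerBasedAccessControlConfig} and cached for the configured
 * refresh period; every {@code checkCan*} / {@code filter*} call is then evaluated locally by
 * {@link RangerAuthorizer} against the cached snapshot.
 *
 * <p>Failure mode: if Ranger cannot be reached when a cache entry has expired, the lookup throws a
 * {@link PrestoException} with {@link HiveErrorCode#HIVE_RANGER_SERVER_ERROR}; no decision is made
 * on stale-or-missing data, i.e. the authorizer fails closed.
 */
public class RangerBasedAccessControl implements ConnectorAccessControl {
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
    private static final JsonCodec<Users> USER_INFO_CODEC = JsonCodec.jsonCodec(Users.class);
    private static final JsonCodec<List<String>> ROLES_INFO_CODEC = JsonCodec.listJsonCodec(String.class);

    // Ranger access type meaning "any privilege at all"; used only by the filter* methods.
    private static final String ANY_ACCESS_TYPE = "_any";
    // Ranger REST paths relative to the configured endpoint. The Hive service name and the user
    // name are appended as path segments.
    private static final String POLICY_DOWNLOAD_PATH = "/service/plugins/policies/download/";
    private static final String USER_ROLES_PATH = "/service/roles/roles/user/";

    private final RangerAuthorizer rangerAuthorizer;
    // user name -> roles; refreshed lazily after the configured period
    private final Supplier<Map<String, Set<String>>> userRolesMapping;
    // user name -> groups; users without groups are absent from the map
    private final Supplier<Map<String, Set<String>>> userGroupsMapping;
    private final Supplier<ServicePolicies> servicePolicies;
    private final HttpClient httpClient;

    /** Hive privilege names as Ranger spells them; {@code name()} is passed verbatim to Ranger. */
    enum HiveAccessType {
        NONE,
        CREATE,
        ALTER,
        DROP,
        INDEX,
        LOCK,
        SELECT,
        UPDATE,
        USE,
        ALL,
        ADMIN
    }

    /**
     * Creates the access control and wires up the expiring caches.
     *
     * @param rangerBasedAccessControlConfig endpoint, Hive service name and refresh period
     * @param httpClient client used for all Ranger REST calls
     * @throws NullPointerException if the config, its endpoint, its service name or the client is null
     * @throws RuntimeException if the authorizer cannot be constructed
     */
    @Inject
    public RangerBasedAccessControl(RangerBasedAccessControlConfig rangerBasedAccessControlConfig, @ForRangerInfo HttpClient httpClient) {
        Objects.requireNonNull(rangerBasedAccessControlConfig, "config is null");
        Objects.requireNonNull(rangerBasedAccessControlConfig.getRangerHttpEndPoint(), "Ranger service http end point is null");
        Objects.requireNonNull(rangerBasedAccessControlConfig.getRangerHiveServiceName(), "Ranger hive service name is null");
        this.httpClient = Objects.requireNonNull(httpClient, "httpClient is null");
        long refreshMillis = rangerBasedAccessControlConfig.getRefreshPeriod().toMillis();
        try {
            // Nothing is fetched here: the suppliers hit Ranger on first use and again once the
            // refresh period has elapsed. A failed fetch is not cached, so the next call retries.
            this.servicePolicies = Suppliers.memoizeWithExpiration(
                    () -> getHiveServicePolicies(rangerBasedAccessControlConfig), refreshMillis, TimeUnit.MILLISECONDS);
            this.userGroupsMapping = Suppliers.memoizeWithExpiration(
                    () -> getUserGroupsMappings(rangerBasedAccessControlConfig), refreshMillis, TimeUnit.MILLISECONDS);
            this.userRolesMapping = Suppliers.memoizeWithExpiration(
                    () -> getRolesForUserList(rangerBasedAccessControlConfig), refreshMillis, TimeUnit.MILLISECONDS);
            this.rangerAuthorizer = new RangerAuthorizer(this.servicePolicies, rangerBasedAccessControlConfig);
        }
        catch (Exception e) {
            throw new RuntimeException("Unable to query ranger service ", e);
        }
    }

    /** Builds {@code <endpoint>/<path>} for a Ranger REST call. */
    private static URI rangerUri(RangerBasedAccessControlConfig config, String path) {
        return HttpUriBuilder.uriBuilderFrom(URI.create(config.getRangerHttpEndPoint())).appendPath(path).build();
    }

    /** Prepares a JSON GET against the given Ranger path. */
    private static Request jsonGet(RangerBasedAccessControlConfig config, String path) {
        return setContentTypeHeaders(Request.Builder.prepareGet()).setUri(rangerUri(config, path)).build();
    }

    private static Request.Builder setContentTypeHeaders(Request.Builder builder) {
        return builder.setHeader("Accept", "application/json");
    }

    /**
     * Downloads the full policy set of the configured Hive service.
     *
     * @throws PrestoException with {@code HIVE_RANGER_SERVER_ERROR} if the response cannot be parsed
     */
    private ServicePolicies getHiveServicePolicies(RangerBasedAccessControlConfig rangerBasedAccessControlConfig) {
        Request request = jsonGet(rangerBasedAccessControlConfig,
                POLICY_DOWNLOAD_PATH + rangerBasedAccessControlConfig.getRangerHiveServiceName());
        StringResponseHandler.StringResponse response =
                this.httpClient.execute(request, StringResponseHandler.createStringResponseHandler());
        try {
            return OBJECT_MAPPER.readValue(response.getBody(), ServicePolicies.class);
        }
        catch (IOException e) {
            // Keep the parser's exception as the cause; the original message alone hides what
            // actually went wrong with the payload.
            throw new PrestoException(HiveErrorCode.HIVE_RANGER_SERVER_ERROR,
                    String.format("Unable to fetch policies from %s hive service end point",
                            rangerBasedAccessControlConfig.getRangerHiveServiceName()), e);
        }
    }

    /** Fetches every Ranger user together with its group list. */
    private Users getUsers(RangerBasedAccessControlConfig rangerBasedAccessControlConfig) {
        Request request = jsonGet(rangerBasedAccessControlConfig, RangerBasedAccessControlConfig.RANGER_REST_USER_GROUP_URL);
        return this.httpClient.execute(request, JsonResponseHandler.createJsonResponseHandler(USER_INFO_CODEC));
    }

    /**
     * Builds the user -> roles map by asking Ranger for the roles of every known user.
     * This issues one request per user, so it scales with the size of the Ranger user base.
     *
     * @throws IllegalArgumentException from the builder if Ranger returns the same user name twice
     */
    private Map<String, Set<String>> getRolesForUserList(RangerBasedAccessControlConfig rangerBasedAccessControlConfig) {
        ImmutableMap.Builder<String, Set<String>> mapping = ImmutableMap.builder();
        for (VXUser rangerUser : getUsers(rangerBasedAccessControlConfig).getvXUsers()) {
            String name = rangerUser.getName();
            mapping.put(name, getRolesForUser(name, rangerBasedAccessControlConfig));
        }
        return mapping.build();
    }

    /** Fetches the roles Ranger assigns to a single user. */
    private Set<String> getRolesForUser(String str, RangerBasedAccessControlConfig rangerBasedAccessControlConfig) {
        Request request = jsonGet(rangerBasedAccessControlConfig, USER_ROLES_PATH + str);
        List<String> roles = this.httpClient.execute(request, JsonResponseHandler.createJsonResponseHandler(ROLES_INFO_CODEC));
        return ImmutableSet.copyOf(roles);
    }

    /**
     * Builds the user -> groups map from the Ranger user listing. Users whose group list is null or
     * empty are left out, so callers must treat an absent key as "no groups".
     *
     * @throws IllegalArgumentException from the builder if Ranger returns the same user name twice
     */
    private Map<String, Set<String>> getUserGroupsMappings(RangerBasedAccessControlConfig rangerBasedAccessControlConfig) {
        ImmutableMap.Builder<String, Set<String>> mapping = ImmutableMap.builder();
        for (VXUser rangerUser : getUsers(rangerBasedAccessControlConfig).getvXUsers()) {
            List<String> groups = rangerUser.getGroupNameList();
            if (groups != null && !groups.isEmpty()) {
                mapping.put(rangerUser.getName(), ImmutableSet.copyOf(groups));
            }
        }
        return mapping.build();
    }

    /**
     * Returns the cached groups of a user, or an empty set when Ranger lists none.
     *
     * @throws PrestoException with {@code HIVE_RANGER_SERVER_ERROR} if the cache has to be refreshed and Ranger fails
     */
    private Set<String> getGroupsForUser(String str) {
        try {
            return this.userGroupsMapping.get().getOrDefault(str, ImmutableSet.of());
        }
        catch (Exception e) {
            throw new PrestoException(HiveErrorCode.HIVE_RANGER_SERVER_ERROR, "Unable to fetch user groups information from ranger", e);
        }
    }

    /**
     * Returns the cached roles of a user, or an empty set when the user is unknown to Ranger.
     *
     * @throws PrestoException with {@code HIVE_RANGER_SERVER_ERROR} if the cache has to be refreshed and Ranger fails
     */
    private Set<String> getRolesForUser(String str) {
        try {
            return this.userRolesMapping.get().getOrDefault(str, ImmutableSet.of());
        }
        catch (Exception e) {
            throw new PrestoException(HiveErrorCode.HIVE_RANGER_SERVER_ERROR, "Unable to fetch user roles information from ranger", e);
        }
    }

    /** Evaluates {@code accessType} on a schema (no table/column) for the identity's user, groups and roles. */
    private boolean checkSchemaAccess(ConnectorIdentity connectorIdentity, String schema, String accessType) {
        String user = connectorIdentity.getUser();
        return this.rangerAuthorizer.authorizeHiveResource(schema, null, null, accessType, user, getGroupsForUser(user), getRolesForUser(user));
    }

    /** Evaluates {@code hiveAccessType} on a table, or on one of its columns when {@code str} is non-null. */
    private boolean checkAccess(ConnectorIdentity connectorIdentity, SchemaTableName schemaTableName, String str, HiveAccessType hiveAccessType) {
        String user = connectorIdentity.getUser();
        return this.rangerAuthorizer.authorizeHiveResource(schemaTableName.getSchemaName(), schemaTableName.getTableName(), str,
                hiveAccessType.toString(), user, getGroupsForUser(user), getRolesForUser(user));
    }

    /** Denial text for schema-level operations; wording is kept identical to the historical messages. */
    private static String schemaDenyMessage(String user, HiveAccessType privilege, String schema) {
        return String.format("Access denied - User [ %s ] does not have [%s] privilege on [ %s ] ", user, privilege.name(), schema);
    }

    /** Denial text for table-level operations; wording is kept identical to the historical messages. */
    private static String tableDenyMessage(String user, HiveAccessType privilege, SchemaTableName table) {
        return String.format("Access denied - User [ %s ] does not have [%s] privilege on [ %s/%s ] ",
                user, privilege.name(), table.getSchemaName(), table.getTableName());
    }

    @Override
    public void checkCanCreateSchema(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        if (!checkSchemaAccess(connectorIdentity, str, HiveAccessType.CREATE.toString())) {
            AccessDeniedException.denyCreateSchema(str, schemaDenyMessage(connectorIdentity.getUser(), HiveAccessType.CREATE, str));
        }
    }

    @Override
    public void checkCanDropSchema(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        if (!checkSchemaAccess(connectorIdentity, str, HiveAccessType.DROP.toString())) {
            AccessDeniedException.denyDropSchema(str, schemaDenyMessage(connectorIdentity.getUser(), HiveAccessType.DROP, str));
        }
    }

    /** Always allowed; visibility of individual schemas is enforced by {@link #filterSchemas}. */
    @Override
    public void checkCanShowSchemas(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext) {
    }

    /**
     * Keeps only the schemas on which the user holds any privilege.
     * Groups and roles are resolved once per call rather than once per schema.
     */
    @Override
    public Set<String> filterSchemas(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<String> set) {
        String user = connectorIdentity.getUser();
        Set<String> groups = getGroupsForUser(user);
        Set<String> roles = getRolesForUser(user);
        Set<String> visible = new HashSet<>();
        for (String schema : set) {
            if (this.rangerAuthorizer.authorizeHiveResource(schema, null, null, ANY_ACCESS_TYPE, user, groups, roles)) {
                visible.add(schema);
            }
        }
        return visible;
    }

    /** CREATE is evaluated on the table resource; the denial message names the schema, as before. */
    @Override
    public void checkCanCreateTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.CREATE)) {
            AccessDeniedException.denyCreateTable(schemaTableName.getTableName(),
                    schemaDenyMessage(connectorIdentity.getUser(), HiveAccessType.CREATE, schemaTableName.getSchemaName()));
        }
    }

    /**
     * Keeps only the tables on which the user holds any privilege.
     * Groups and roles are resolved once per call rather than once per table.
     */
    @Override
    public Set<SchemaTableName> filterTables(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<SchemaTableName> set) {
        String user = connectorIdentity.getUser();
        Set<String> groups = getGroupsForUser(user);
        Set<String> roles = getRolesForUser(user);
        Set<SchemaTableName> visible = new HashSet<>();
        for (SchemaTableName table : set) {
            if (this.rangerAuthorizer.authorizeHiveResource(table.getSchemaName(), table.getTableName(), null, ANY_ACCESS_TYPE, user, groups, roles)) {
                visible.add(table);
            }
        }
        return visible;
    }

    @Override
    public void checkCanAddColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.ALTER)) {
            AccessDeniedException.denyAddColumn(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.ALTER, schemaTableName));
        }
    }

    @Override
    public void checkCanDropColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.ALTER)) {
            AccessDeniedException.denyDropColumn(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.ALTER, schemaTableName));
        }
    }

    @Override
    public void checkCanRenameColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.ALTER)) {
            AccessDeniedException.denyRenameColumn(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.ALTER, schemaTableName));
        }
    }

    /**
     * Requires SELECT on every referenced column (subfields are collapsed to their root column).
     * Denial is all-or-nothing: the whole requested column set is reported, not only the denied ones.
     */
    @Override
    public void checkCanSelectFromColumns(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, Set<Subfield> set) {
        Set<String> requestedColumns = set.stream().map(Subfield::getRootName).collect(ImmutableSet.toImmutableSet());
        Set<String> deniedColumns = new HashSet<>();
        for (String column : requestedColumns) {
            if (!checkAccess(connectorIdentity, schemaTableName, column, HiveAccessType.SELECT)) {
                deniedColumns.add(column);
            }
        }
        if (!deniedColumns.isEmpty()) {
            AccessDeniedException.denySelectColumns(schemaTableName.getTableName(), requestedColumns,
                    String.format("Access denied - User [ %s ] does not have [SELECT] privilege on all mentioned columns of [ %s/%s ] ",
                            connectorIdentity.getUser(), schemaTableName.getSchemaName(), schemaTableName.getTableName()));
        }
    }

    @Override
    public void checkCanDropTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.DROP)) {
            AccessDeniedException.denyDropTable(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.DROP, schemaTableName));
        }
    }

    /**
     * Requires ALTER on the source table only.
     * NOTE(review): the destination name ({@code schemaTableName2}) is not consulted, so a user may
     * move a table into a schema where they hold no CREATE privilege — confirm against the intended
     * Ranger policy model before relying on this for cross-schema renames.
     */
    @Override
    public void checkCanRenameTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, SchemaTableName schemaTableName2) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.ALTER)) {
            AccessDeniedException.denyRenameTable(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.ALTER, schemaTableName));
        }
    }

    /** Always allowed; visibility of individual tables is enforced by {@link #filterTables}. */
    @Override
    public void checkCanShowTablesMetadata(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
    }

    /** Inserts are mapped to Ranger's UPDATE privilege. */
    @Override
    public void checkCanInsertIntoTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.UPDATE)) {
            AccessDeniedException.denyInsertTable(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.UPDATE, schemaTableName));
        }
    }

    /** Deletes are mapped to Ranger's UPDATE privilege. */
    @Override
    public void checkCanDeleteFromTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.UPDATE)) {
            AccessDeniedException.denyDeleteTable(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.UPDATE, schemaTableName));
        }
    }

    @Override
    public void checkCanCreateView(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.CREATE)) {
            AccessDeniedException.denyCreateView(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.CREATE, schemaTableName));
        }
    }

    @Override
    public void checkCanDropView(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.DROP)) {
            AccessDeniedException.denyDropView(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.DROP, schemaTableName));
        }
    }

    /**
     * Requires CREATE on the view's table resource and SELECT on every listed column.
     * The CREATE check is evaluated first; {@code denyCreateView} throws, so the column loop
     * only runs when it passes.
     */
    @Override
    public void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, Set<String> set) {
        if (!checkAccess(connectorIdentity, schemaTableName, null, HiveAccessType.CREATE)) {
            AccessDeniedException.denyCreateView(schemaTableName.getTableName(), tableDenyMessage(connectorIdentity.getUser(), HiveAccessType.CREATE, schemaTableName));
        }
        Set<String> deniedColumns = new HashSet<>();
        for (String column : set) {
            if (!checkAccess(connectorIdentity, schemaTableName, column, HiveAccessType.SELECT)) {
                deniedColumns.add(column);
            }
        }
        if (!deniedColumns.isEmpty()) {
            AccessDeniedException.denyCreateViewWithSelect(schemaTableName.getTableName(), connectorIdentity);
        }
    }

    /** Always allowed: catalog session properties are not governed by Ranger policies here. */
    @Override
    public void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
    }
}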
