package com.facebook.presto.plugin.base.security;

import com.facebook.presto.plugin.base.security.TableAccessControlRule;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.Identity;
import com.facebook.presto.spi.security.Privilege;
import com.google.common.collect.ImmutableSet;
import io.airlift.json.JsonCodec;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.inject.Inject;

/* loaded from: input_file:com/facebook/presto/plugin/base/security/FileBasedAccessControl.class */
/**
 * Connector-level access control driven by a static JSON rules file.
 *
 * <p>The rules file is read once in the constructor. The three rule lists are kept in final
 * fields and nothing in this class reloads them.
 *
 * <p>Evaluation model, as implemented by the private helpers at the bottom of the class:
 * <ul>
 *   <li>Rules are tried in list order and the first rule that yields a decision wins, so the
 *       ordering of rules in the file is security-relevant.</li>
 *   <li>When no rule yields a decision the answer is "deny".</li>
 *   <li>Only {@code identity.getUser()} is handed to the rules.</li>
 *   <li>Tables in {@code information_schema} pass every table-privilege check without the
 *       rules being consulted.</li>
 * </ul>
 *
 * <p>The {@code AccessDeniedException.deny*} helpers signal denial by throwing
 * {@link AccessDeniedException}; a check method that returns normally means "allowed".
 *
 * <p>NOTE(review): operations this class does not override are decided by
 * {@code ConnectorAccessControl} itself; confirm those defaults match the intended policy.
 */
public class FileBasedAccessControl implements ConnectorAccessControl {
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";

    // Rule lists taken from the parsed rules file; evaluated in order, first decision wins.
    private final List<SchemaAccessControlRule> schemaRules;
    private final List<TableAccessControlRule> tableRules;
    private final List<SessionPropertyAccessControlRule> sessionPropertyRules;

    /**
     * Reads and parses the rules file named by the configuration.
     *
     * @param fileBasedAccessControlConfig supplies the path of the JSON rules file
     * @param jsonCodec codec used to decode the file into {@code AccessControlRules}
     * @throws IOException if the rules file cannot be read
     */
    @Inject
    public FileBasedAccessControl(FileBasedAccessControlConfig fileBasedAccessControlConfig, JsonCodec<AccessControlRules> jsonCodec) throws IOException {
        byte[] rawRules = Files.readAllBytes(Paths.get(fileBasedAccessControlConfig.getConfigFile()));
        AccessControlRules parsedRules = jsonCodec.fromJson(rawRules);
        this.schemaRules = parsedRules.getSchemaRules();
        this.tableRules = parsedRules.getTableRules();
        this.sessionPropertyRules = parsedRules.getSessionPropertyRules();
    }

    /** Creating a table requires the schema rules to mark the user as owner of the target schema. */
    public void checkCanCreateTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!isDatabaseOwner(identity, schemaTableName.getSchemaName())) {
            AccessDeniedException.denyCreateTable(schemaTableName.toString());
        }
    }

    /** Dropping a table requires OWNERSHIP on it. */
    public void checkCanDropTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyDropTable(schemaTableName.toString());
        }
    }

    /**
     * Renaming a table requires OWNERSHIP on the source table.
     *
     * <p>Only the source name is checked; the target name ({@code schemaTableName2}) is used
     * solely in the denial message.
     */
    public void checkCanRenameTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName, SchemaTableName schemaTableName2) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyRenameTable(schemaTableName.toString(), schemaTableName2.toString());
        }
    }

    /** Adding a column requires OWNERSHIP on the table. */
    public void checkCanAddColumn(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyAddColumn(schemaTableName.toString());
        }
    }

    /** Renaming a column requires OWNERSHIP on the table. */
    public void checkCanRenameColumn(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyRenameColumn(schemaTableName.toString());
        }
    }

    /** Reading from a table requires SELECT on it. */
    public void checkCanSelectFromTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.SELECT)) {
            AccessDeniedException.denySelectTable(schemaTableName.toString());
        }
    }

    /** Inserting into a table requires INSERT on it. */
    public void checkCanInsertIntoTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.INSERT)) {
            AccessDeniedException.denyInsertTable(schemaTableName.toString());
        }
    }

    /** Deleting from a table requires DELETE on it. */
    public void checkCanDeleteFromTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.DELETE)) {
            AccessDeniedException.denyDeleteTable(schemaTableName.toString());
        }
    }

    /** Creating a view requires the schema rules to mark the user as owner of the target schema. */
    public void checkCanCreateView(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!isDatabaseOwner(identity, schemaTableName.getSchemaName())) {
            AccessDeniedException.denyCreateView(schemaTableName.toString());
        }
    }

    /** Dropping a view requires OWNERSHIP; views are matched against the table rules. */
    public void checkCanDropView(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyDropView(schemaTableName.toString());
        }
    }

    /** Reading from a view requires SELECT; views are matched against the table rules. */
    public void checkCanSelectFromView(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.SELECT)) {
            AccessDeniedException.denySelectView(schemaTableName.toString());
        }
    }

    /**
     * Creating a view that reads from a table requires SELECT on that table.
     *
     * <p>NOTE(review): unlike {@link #checkCanCreateViewWithSelectFromView}, this check does not
     * also require GRANT_SELECT, so a user holding only SELECT on a table can define a view over
     * it. Confirm this asymmetry is intended for the policy being enforced.
     */
    public void checkCanCreateViewWithSelectFromTable(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.SELECT)) {
            AccessDeniedException.denySelectTable(schemaTableName.toString());
        }
    }

    /**
     * Creating a view that reads from another view requires both SELECT and GRANT_SELECT on the
     * underlying view. The two privileges are checked separately so that each failure produces
     * its own denial message.
     */
    public void checkCanCreateViewWithSelectFromView(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.SELECT)) {
            AccessDeniedException.denySelectView(schemaTableName.toString());
        }
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.GRANT_SELECT)) {
            AccessDeniedException.denyCreateView(schemaTableName.toString());
        }
    }

    /**
     * Setting a catalog session property requires an allowing session-property rule.
     *
     * @param str name of the session property being set
     */
    public void checkCanSetCatalogSessionProperty(Identity identity, String str) {
        if (!canSetSessionProperty(identity, str)) {
            denySetSessionProperty(str);
        }
    }

    /** Granting any table privilege requires OWNERSHIP on the table. */
    public void checkCanGrantTablePrivilege(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, Privilege privilege, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyGrantTablePrivilege(privilege.name(), schemaTableName.toString());
        }
    }

    /** Revoking any table privilege requires OWNERSHIP on the table. */
    public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle connectorTransactionHandle, Identity identity, Privilege privilege, SchemaTableName schemaTableName) {
        if (!checkTablePermission(identity, schemaTableName, TableAccessControlRule.TablePrivilege.OWNERSHIP)) {
            AccessDeniedException.denyRevokeTablePrivilege(privilege.name(), schemaTableName.toString());
        }
    }

    /**
     * Returns the decision of the first session-property rule that matches, or {@code false}
     * (deny) when no rule matches.
     */
    private boolean canSetSessionProperty(Identity identity, String propertyName) {
        for (SessionPropertyAccessControlRule rule : this.sessionPropertyRules) {
            Optional<Boolean> decision = rule.match(identity.getUser(), propertyName);
            if (decision.isPresent()) {
                // First matching rule is final, whether it allows or denies.
                return decision.get();
            }
        }
        return false;
    }

    /**
     * Tells whether the user holds every one of {@code requiredPrivileges} on the given table.
     *
     * <p>The first table rule that matches supplies the privilege set; later rules are never
     * consulted, even if they would grant more. No matching rule means deny.
     *
     * <p>NOTE(review): the {@code information_schema} short-circuit answers {@code true} for any
     * requested privilege, including OWNERSHIP, INSERT and DELETE. This presumably relies on the
     * engine never permitting writes to that schema; confirm against the caller.
     */
    private boolean checkTablePermission(Identity identity, SchemaTableName schemaTableName, TableAccessControlRule.TablePrivilege... requiredPrivileges) {
        if (INFORMATION_SCHEMA_NAME.equals(schemaTableName.getSchemaName())) {
            return true;
        }
        for (TableAccessControlRule rule : this.tableRules) {
            Optional<Set<TableAccessControlRule.TablePrivilege>> granted = rule.match(identity.getUser(), schemaTableName);
            if (granted.isPresent()) {
                return granted.get().containsAll(ImmutableSet.copyOf(requiredPrivileges));
            }
        }
        return false;
    }

    /**
     * Returns the decision of the first schema rule that matches the user and schema, or
     * {@code false} (deny) when no rule matches.
     */
    private boolean isDatabaseOwner(Identity identity, String schemaName) {
        for (SchemaAccessControlRule rule : this.schemaRules) {
            Optional<Boolean> ownerDecision = rule.match(identity.getUser(), schemaName);
            if (ownerDecision.isPresent()) {
                return ownerDecision.get();
            }
        }
        return false;
    }

    /** Always throws {@link AccessDeniedException} naming the rejected session property. */
    private static void denySetSessionProperty(String propertyName) {
        throw new AccessDeniedException("Cannot set catalog session property: " + propertyName);
    }
}
