package com.facebook.presto.security;

import com.facebook.airlift.log.Logger;
import com.facebook.presto.common.CatalogSchemaName;
import com.facebook.presto.connector.system.GlobalSystemConnector;
import com.facebook.presto.plugin.base.JsonUtils;
import com.facebook.presto.plugin.base.security.ForwardingSystemAccessControl;
import com.facebook.presto.spi.CatalogSchemaTableName;
import com.facebook.presto.spi.PrestoException;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.StandardErrorCode;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.Identity;
import com.facebook.presto.spi.security.PrestoPrincipal;
import com.facebook.presto.spi.security.Privilege;
import com.facebook.presto.spi.security.SystemAccessControl;
import com.facebook.presto.spi.security.SystemAccessControlFactory;
import com.google.common.base.Preconditions;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.airlift.units.Duration;
import java.nio.file.Paths;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/* loaded from: input_file:com/facebook/presto/security/FileBasedSystemAccessControl.class */
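/**
 * System access control driven by a JSON rules file.
 *
 * <p>Only two decisions are enforced here:
 * <ul>
 *   <li>which users may access which catalogs ({@link #checkCanAccessCatalog} and the
 *       {@code filter*} methods), and</li>
 *   <li>which authenticated principals may run as which user ({@link #checkCanSetUser}),
 *       and only when the rules file supplies principal rules.</li>
 * </ul>
 *
 * <p>Rules are evaluated in order and the first rule that yields a decision wins. If no
 * catalog rule matches, access is denied. Every other check in this class (schema, table,
 * column, view, session property, grant/revoke) has an empty body and therefore permits the
 * operation; finer-grained restrictions have to come from elsewhere.
 */
public class FileBasedSystemAccessControl implements SystemAccessControl {
    private static final Logger log = Logger.get(FileBasedSystemAccessControl.class);
    public static final String NAME = "file";
    private final List<CatalogAccessControlRule> catalogRules;
    private final Optional<List<PrincipalUserMatchRule>> principalUserMatchRules;

    /**
     * Builds {@link FileBasedSystemAccessControl} instances from the security configuration
     * properties, optionally reloading the rules file on a fixed period.
     */
    public static class Factory implements SystemAccessControlFactory {
        private static final String CONFIG_FILE_PROPERTY = "security.config-file";
        private static final String REFRESH_PERIOD_PROPERTY = "security.refresh-period";

        public String getName() {
            return FileBasedSystemAccessControl.NAME;
        }

        /**
         * Creates the access control from {@code config}.
         *
         * <p>Without a refresh period the rules file is read once. With one, the file is
         * re-read after each period expires, so edits to it change authorization decisions
         * without a restart; write access to that file is effectively write access to the
         * policy.
         *
         * @param config security properties; must contain {@code security.config-file}
         * @return the configured access control
         * @throws PrestoException if {@code security.refresh-period} is zero or not a valid duration
         */
        public SystemAccessControl create(Map<String, String> config) {
            Objects.requireNonNull(config, "config is null");
            String configFileName = config.get(CONFIG_FILE_PROPERTY);
            Preconditions.checkState(configFileName != null, "Security configuration must contain the '%s' property", CONFIG_FILE_PROPERTY);
            if (!config.containsKey(REFRESH_PERIOD_PROPERTY)) {
                return create(configFileName);
            }
            try {
                Duration refreshPeriod = Duration.valueOf(config.get(REFRESH_PERIOD_PROPERTY));
                if (refreshPeriod.toMillis() == 0) {
                    throw invalidRefreshPeriodException(config, configFileName);
                }
                // NOTE(review): a reload that fails to parse makes the supplier throw; how
                // ForwardingSystemAccessControl surfaces that is not visible here. Confirm it
                // fails closed rather than continuing with no policy.
                return ForwardingSystemAccessControl.of(Suppliers.memoizeWithExpiration(() -> {
                    log.info("Refreshing system access control from %s", configFileName);
                    return create(configFileName);
                }, refreshPeriod.toMillis(), TimeUnit.MILLISECONDS));
            } catch (IllegalArgumentException e) {
                throw invalidRefreshPeriodException(config, configFileName);
            }
        }

        /** Builds the configuration error reported for an unusable refresh period. */
        private PrestoException invalidRefreshPeriodException(Map<String, String> config, String configFileName) {
            return new PrestoException(StandardErrorCode.CONFIGURATION_INVALID, String.format("Invalid duration value '%s' for property '%s' in '%s'", config.get(REFRESH_PERIOD_PROPERTY), REFRESH_PERIOD_PROPERTY, configFileName));
        }

        /**
         * Parses the rules file and assembles the ordered catalog rule list.
         *
         * <p>A rule for the global system connector's catalog is appended after the
         * file's own rules. Because evaluation is first-match, a rule in the file that
         * matches that catalog takes precedence over this appended one.
         */
        private SystemAccessControl create(String configFileName) {
            FileBasedSystemAccessControlRules rules = JsonUtils.parseJson(Paths.get(configFileName), FileBasedSystemAccessControlRules.class);
            ImmutableList.Builder<CatalogAccessControlRule> catalogRulesBuilder = ImmutableList.builder();
            catalogRulesBuilder.addAll(rules.getCatalogRules());
            // Presumably (allow, user pattern, catalog pattern): any user, system catalog. Verify against CatalogAccessControlRule.
            catalogRulesBuilder.add(new CatalogAccessControlRule(true, Optional.of(Pattern.compile(".*")), Optional.of(Pattern.compile(GlobalSystemConnector.NAME))));
            return new FileBasedSystemAccessControl(catalogRulesBuilder.build(), rules.getPrincipalUserMatchRules());
        }
    }

    private FileBasedSystemAccessControl(List<CatalogAccessControlRule> catalogRules, Optional<List<PrincipalUserMatchRule>> principalUserMatchRules) {
        // Fail at load time rather than with an NPE on the first authorization check.
        this.catalogRules = Objects.requireNonNull(catalogRules, "catalogRules is null");
        this.principalUserMatchRules = Objects.requireNonNull(principalUserMatchRules, "principalUserMatchRules is null");
    }

    /**
     * Checks whether {@code principal} may run queries as {@code userName}.
     *
     * <p>When the rules file has no principal rules this method returns without checking
     * anything, so the principal-to-user mapping is not restricted by this class. When
     * rules are present, a missing principal is denied, the first rule with a decision
     * wins, and no matching rule means deny.
     */
    public void checkCanSetUser(AccessControlContext accessControlContext, Optional<Principal> principal, String userName) {
        Objects.requireNonNull(principal, "principal is null");
        Objects.requireNonNull(userName, "userName is null");
        if (!this.principalUserMatchRules.isPresent()) {
            return;
        }
        if (!principal.isPresent()) {
            // denySetUser is expected to throw; the principal.get() below depends on that.
            AccessDeniedException.denySetUser(principal, userName);
        }
        String principalName = principal.get().getName();
        for (PrincipalUserMatchRule rule : this.principalUserMatchRules.get()) {
            Optional<Boolean> decision = rule.match(principalName, userName);
            if (decision.isPresent()) {
                if (decision.get()) {
                    return;
                }
                AccessDeniedException.denySetUser(principal, userName);
            }
        }
        // No rule produced a decision: default deny.
        AccessDeniedException.denySetUser(principal, userName);
    }

    // Empty check bodies in this class return normally, which permits the operation.

    public void checkQueryIntegrity(Identity identity, AccessControlContext accessControlContext, String str) {
    }

    public void checkCanSetSystemSessionProperty(Identity identity, AccessControlContext accessControlContext, String str) {
    }

    /** Denies access unless a catalog rule allows {@code identity}'s user on {@code catalogName}. */
    public void checkCanAccessCatalog(Identity identity, AccessControlContext accessControlContext, String catalogName) {
        if (!canAccessCatalog(identity, catalogName)) {
            AccessDeniedException.denyCatalogAccess(catalogName);
        }
    }

    /** Returns the subset of {@code catalogs} that the user is allowed to access. */
    public Set<String> filterCatalogs(Identity identity, AccessControlContext accessControlContext, Set<String> catalogs) {
        ImmutableSet.Builder<String> visible = ImmutableSet.builder();
        for (String catalogName : catalogs) {
            if (canAccessCatalog(identity, catalogName)) {
                visible.add(catalogName);
            }
        }
        return visible.build();
    }

    /**
     * Evaluates the catalog rules in order for the identity's user name.
     *
     * @return the decision of the first rule that matches, or {@code false} if none does
     */
    private boolean canAccessCatalog(Identity identity, String catalogName) {
        for (CatalogAccessControlRule rule : this.catalogRules) {
            Optional<Boolean> decision = rule.match(identity.getUser(), catalogName);
            if (decision.isPresent()) {
                return decision.get();
            }
        }
        return false;
    }

    // Schema-level checks are not enforced by this class.

    public void checkCanCreateSchema(Identity identity, AccessControlContext accessControlContext, CatalogSchemaName catalogSchemaName) {
    }

    public void checkCanDropSchema(Identity identity, AccessControlContext accessControlContext, CatalogSchemaName catalogSchemaName) {
    }

    public void checkCanRenameSchema(Identity identity, AccessControlContext accessControlContext, CatalogSchemaName catalogSchemaName, String str) {
    }

    public void checkCanShowSchemas(Identity identity, AccessControlContext accessControlContext, String str) {
    }

    /** Returns {@code schemaNames} unchanged if the catalog is accessible, otherwise an empty set. */
    public Set<String> filterSchemas(Identity identity, AccessControlContext accessControlContext, String catalogName, Set<String> schemaNames) {
        return canAccessCatalog(identity, catalogName) ? schemaNames : ImmutableSet.of();
    }

    // Table-, column- and view-level checks are not enforced by this class.

    public void checkCanCreateTable(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanDropTable(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanRenameTable(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName catalogSchemaTableName2) {
    }

    public void checkCanShowTablesMetadata(Identity identity, AccessControlContext accessControlContext, CatalogSchemaName catalogSchemaName) {
    }

    /** Returns {@code tableNames} unchanged if the catalog is accessible, otherwise an empty set. */
    public Set<SchemaTableName> filterTables(Identity identity, AccessControlContext accessControlContext, String catalogName, Set<SchemaTableName> tableNames) {
        return canAccessCatalog(identity, catalogName) ? tableNames : ImmutableSet.of();
    }

    public void checkCanAddColumn(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanDropColumn(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanRenameColumn(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanSelectFromColumns(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
    }

    public void checkCanInsertIntoTable(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanDeleteFromTable(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanCreateView(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanDropView(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName) {
    }

    public void checkCanCreateViewWithSelectFromColumns(Identity identity, AccessControlContext accessControlContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
    }

    // Catalog session properties and privilege grants/revokes are not enforced by this class.

    public void checkCanSetCatalogSessionProperty(Identity identity, AccessControlContext accessControlContext, String str, String str2) {
    }

    public void checkCanGrantTablePrivilege(Identity identity, AccessControlContext accessControlContext, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
    }

    public void checkCanRevokeTablePrivilege(Identity identity, AccessControlContext accessControlContext, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
    }
}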
