package com.facebook.presto.security;

import com.facebook.airlift.log.Logger;
import com.facebook.presto.plugin.base.JsonUtils;
import com.facebook.presto.plugin.base.security.FileBasedAccessControlConfig;
import com.facebook.presto.plugin.base.security.ForwardingSystemAccessControl;
import com.facebook.presto.spi.CatalogSchemaName;
import com.facebook.presto.spi.CatalogSchemaTableName;
import com.facebook.presto.spi.PrestoException;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.StandardErrorCode;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.Identity;
import com.facebook.presto.spi.security.PrestoPrincipal;
import com.facebook.presto.spi.security.Privilege;
import com.facebook.presto.spi.security.SystemAccessControl;
import com.facebook.presto.spi.security.SystemAccessControlFactory;
import com.google.common.base.Preconditions;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.airlift.units.Duration;
import java.nio.file.Paths;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.testng.internal.RegexpExpectedExceptionsHolder;

/* loaded from: input_file:com/facebook/presto/security/FileBasedSystemAccessControl.class */
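/**
 * System-level access control driven by a JSON rules file.
 *
 * <p>Only two decisions are actually enforced by this class:
 * <ul>
 *   <li>catalog visibility/access, via an ordered list of {@link CatalogAccessControlRule}s
 *       (first matching rule wins, no match means deny);</li>
 *   <li>which authenticated principal may run as which user, via optional
 *       {@link PrincipalUserMatchRule}s.</li>
 * </ul>
 *
 * <p>Every schema-, table-, column-, view-, session-property- and privilege-level check below has
 * an empty body, i.e. it allows the operation unconditionally. Any restriction at those levels has
 * to be enforced somewhere else; nothing in this class does it.
 */
public class FileBasedSystemAccessControl implements SystemAccessControl {
    private static final Logger log = Logger.get(FileBasedSystemAccessControl.class);
    public static final String NAME = "file";

    // Evaluated in order; the first rule that yields a decision is final (see canAccessCatalog).
    private final List<CatalogAccessControlRule> catalogRules;
    // Empty Optional means "no impersonation rules configured" and disables checkCanSetUser.
    private final Optional<List<PrincipalUserMatchRule>> principalUserMatchRules;

    /**
     * Factory registered under the name {@code "file"} that builds the access control from the
     * configured rules file, optionally re-reading it on a fixed period.
     */
    public static class Factory implements SystemAccessControlFactory {
        @Override
        public String getName() {
            return NAME;
        }

        /**
         * Creates the access control from plugin configuration.
         *
         * @param map configuration properties; must contain
         *     {@link FileBasedAccessControlConfig#SECURITY_CONFIG_FILE} and may contain
         *     {@link FileBasedAccessControlConfig#SECURITY_REFRESH_PERIOD}
         * @return an access control loaded once, or (when a refresh period is given) a forwarding
         *     wrapper whose delegate is rebuilt from the file after the period expires
         * @throws NullPointerException if {@code map} is null
         * @throws IllegalStateException if the config file property is missing
         * @throws PrestoException with {@code CONFIGURATION_INVALID} if the refresh period cannot
         *     be parsed or is zero milliseconds
         */
        @Override
        public SystemAccessControl create(Map<String, String> map) {
            Objects.requireNonNull(map, "config is null");
            String str = map.get(FileBasedAccessControlConfig.SECURITY_CONFIG_FILE);
            Preconditions.checkState(str != null, "Security configuration must contain the '%s' property", FileBasedAccessControlConfig.SECURITY_CONFIG_FILE);
            if (!map.containsKey(FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD)) {
                return create(str);
            }

            // Only the parse is guarded: an IllegalArgumentException raised by anything else
            // must not be misreported as an invalid refresh period.
            Duration refreshPeriod;
            try {
                refreshPeriod = Duration.valueOf(map.get(FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD));
            } catch (IllegalArgumentException e) {
                throw invalidRefreshPeriodException(map, str);
            }
            long refreshMillis = refreshPeriod.toMillis();
            if (refreshMillis == 0) {
                // A zero expiry would make the memoized supplier meaningless.
                throw invalidRefreshPeriodException(map, str);
            }

            // Rule changes in the file only take effect once the cached instance expires, so a
            // revocation can lag by up to one refresh period.
            return ForwardingSystemAccessControl.of(Suppliers.memoizeWithExpiration(() -> {
                log.info("Refreshing system access control from %s", str);
                return create(str);
            }, refreshMillis, TimeUnit.MILLISECONDS));
        }

        /** Builds the configuration error reported for an unusable refresh period. */
        private PrestoException invalidRefreshPeriodException(Map<String, String> map, String str) {
            return new PrestoException(
                    StandardErrorCode.CONFIGURATION_INVALID,
                    String.format(
                            "Invalid duration value '%s' for property '%s' in '%s'",
                            map.get(FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD),
                            FileBasedAccessControlConfig.SECURITY_REFRESH_PERIOD,
                            str));
        }

        /**
         * Parses the rules file at {@code str} and builds an access control instance from it.
         *
         * <p>One extra catalog rule is appended after the rules read from the file. Because rules
         * are evaluated first-match-wins, a rule in the file that already decides the
         * {@code system} catalog for a user takes precedence over the appended one.
         */
        private SystemAccessControl create(String str) {
            FileBasedSystemAccessControlRules rules = (FileBasedSystemAccessControlRules) JsonUtils.parseJson(Paths.get(str), FileBasedSystemAccessControlRules.class);
            ImmutableList.Builder<CatalogAccessControlRule> catalogRulesBuilder = ImmutableList.builder();
            catalogRulesBuilder.addAll(rules.getCatalogRules());
            // NOTE(review): presumably (allow, userRegex, catalogRegex), i.e. every user may reach
            // the "system" catalog unless an earlier rule says otherwise; confirm against
            // CatalogAccessControlRule. The ".*" literal stands in for a TestNG-internal constant
            // of the same value so the authorization path does not depend on a test library.
            catalogRulesBuilder.add(new CatalogAccessControlRule(true, Optional.of(Pattern.compile(".*")), Optional.of(Pattern.compile("system"))));
            return new FileBasedSystemAccessControl(catalogRulesBuilder.build(), rules.getPrincipalUserMatchRules());
        }
    }

    private FileBasedSystemAccessControl(List<CatalogAccessControlRule> list, Optional<List<PrincipalUserMatchRule>> optional) {
        this.catalogRules = list;
        this.principalUserMatchRules = optional;
    }

    /**
     * Checks whether the authenticated principal may run queries as the given user.
     *
     * <p>When no principal-user match rules were configured this method returns without checking
     * anything, so any principal (including none) may act as any user. When rules are configured,
     * a missing principal is denied, the first rule that yields a decision is final, and no
     * matching rule means deny.
     *
     * @param optional the authenticated principal, if any
     * @param str the user name the session wants to run as
     * @throws NullPointerException if either argument is null
     */
    @Override
    public void checkCanSetUser(Optional<Principal> optional, String str) {
        Objects.requireNonNull(optional, "principal is null");
        Objects.requireNonNull(str, "userName is null");
        if (!principalUserMatchRules.isPresent()) {
            return;
        }
        if (!optional.isPresent()) {
            // NOTE(review): relies on denySetUser always throwing; otherwise the get() below
            // would fail on an empty Optional.
            AccessDeniedException.denySetUser(optional, str);
        }
        String principalName = optional.get().getName();
        for (PrincipalUserMatchRule rule : principalUserMatchRules.get()) {
            Optional<Boolean> decision = rule.match(principalName, str);
            if (!decision.isPresent()) {
                continue;
            }
            if (decision.get()) {
                return;
            }
            AccessDeniedException.denySetUser(optional, str);
        }
        // No rule matched: deny by default.
        AccessDeniedException.denySetUser(optional, str);
    }

    /** No check is performed; setting any system session property is allowed. */
    @Override
    public void checkCanSetSystemSessionProperty(Identity identity, String str) {
    }

    /**
     * Denies access unless the catalog rules allow {@code identity}'s user to use catalog
     * {@code str}.
     */
    @Override
    public void checkCanAccessCatalog(Identity identity, String str) {
        if (!canAccessCatalog(identity, str)) {
            AccessDeniedException.denyCatalogAccess(str);
        }
    }

    /**
     * Returns the subset of {@code set} containing only the catalogs the user may access.
     */
    @Override
    public Set<String> filterCatalogs(Identity identity, Set<String> set) {
        ImmutableSet.Builder<String> visible = ImmutableSet.builder();
        for (String catalogName : set) {
            if (canAccessCatalog(identity, catalogName)) {
                visible.add(catalogName);
            }
        }
        return visible.build();
    }

    /**
     * Evaluates the catalog rules in order for the identity's user name and catalog {@code str}.
     *
     * <p>Only {@code identity.getUser()} is consulted. The first rule that returns a decision
     * settles the outcome; if no rule matches, access is denied.
     */
    private boolean canAccessCatalog(Identity identity, String str) {
        for (CatalogAccessControlRule rule : catalogRules) {
            Optional<Boolean> decision = rule.match(identity.getUser(), str);
            if (decision.isPresent()) {
                return decision.get();
            }
        }
        return false;
    }

    /** No check is performed; schema creation is allowed at this level. */
    @Override
    public void checkCanCreateSchema(Identity identity, CatalogSchemaName catalogSchemaName) {
    }

    /** No check is performed; dropping a schema is allowed at this level. */
    @Override
    public void checkCanDropSchema(Identity identity, CatalogSchemaName catalogSchemaName) {
    }

    /** No check is performed; renaming a schema is allowed at this level. */
    @Override
    public void checkCanRenameSchema(Identity identity, CatalogSchemaName catalogSchemaName, String str) {
    }

    /** No check is performed; listing schemas is allowed (results go through filterSchemas). */
    @Override
    public void checkCanShowSchemas(Identity identity, String str) {
    }

    /**
     * Returns {@code set} unchanged when the user may access catalog {@code str}, otherwise an
     * empty set. Individual schemas are not filtered.
     */
    @Override
    public Set<String> filterSchemas(Identity identity, String str, Set<String> set) {
        if (canAccessCatalog(identity, str)) {
            return set;
        }
        return ImmutableSet.of();
    }

    /** No check is performed; table creation is allowed at this level. */
    @Override
    public void checkCanCreateTable(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; dropping a table is allowed at this level. */
    @Override
    public void checkCanDropTable(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; renaming a table is allowed at this level. */
    @Override
    public void checkCanRenameTable(Identity identity, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName catalogSchemaTableName2) {
    }

    /** No check is performed; showing table metadata is allowed at this level. */
    @Override
    public void checkCanShowTablesMetadata(Identity identity, CatalogSchemaName catalogSchemaName) {
    }

    /**
     * Returns {@code set} unchanged when the user may access catalog {@code str}, otherwise an
     * empty set. Individual tables are not filtered.
     */
    @Override
    public Set<SchemaTableName> filterTables(Identity identity, String str, Set<SchemaTableName> set) {
        if (canAccessCatalog(identity, str)) {
            return set;
        }
        return ImmutableSet.of();
    }

    /** No check is performed; adding a column is allowed at this level. */
    @Override
    public void checkCanAddColumn(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; dropping a column is allowed at this level. */
    @Override
    public void checkCanDropColumn(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; renaming a column is allowed at this level. */
    @Override
    public void checkCanRenameColumn(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; selecting any columns is allowed at this level. */
    @Override
    public void checkCanSelectFromColumns(Identity identity, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
    }

    /** No check is performed; inserting into a table is allowed at this level. */
    @Override
    public void checkCanInsertIntoTable(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; deleting from a table is allowed at this level. */
    @Override
    public void checkCanDeleteFromTable(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; creating a view is allowed at this level. */
    @Override
    public void checkCanCreateView(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; dropping a view is allowed at this level. */
    @Override
    public void checkCanDropView(Identity identity, CatalogSchemaTableName catalogSchemaTableName) {
    }

    /** No check is performed; creating a view over any columns is allowed at this level. */
    @Override
    public void checkCanCreateViewWithSelectFromColumns(Identity identity, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
    }

    /** No check is performed; setting any catalog session property is allowed. */
    @Override
    public void checkCanSetCatalogSessionProperty(Identity identity, String str, String str2) {
    }

    /** No check is performed; granting table privileges is allowed at this level. */
    @Override
    public void checkCanGrantTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
    }

    /** No check is performed; revoking table privileges is allowed at this level. */
    @Override
    public void checkCanRevokeTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
    }
}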
