package com.facebook.presto.security;

import com.facebook.airlift.log.Logger;
import com.facebook.airlift.stats.CounterStat;
import com.facebook.presto.common.CatalogSchemaName;
import com.facebook.presto.metadata.QualifiedObjectName;
import com.facebook.presto.security.AllowAllSystemAccessControl;
import com.facebook.presto.security.FileBasedSystemAccessControl;
import com.facebook.presto.security.ReadOnlySystemAccessControl;
import com.facebook.presto.spi.ConnectorId;
import com.facebook.presto.spi.PrestoException;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.StandardErrorCode;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.spi.security.Identity;
import com.facebook.presto.spi.security.PrestoPrincipal;
import com.facebook.presto.spi.security.Privilege;
import com.facebook.presto.spi.security.SystemAccessControl;
import com.facebook.presto.spi.security.SystemAccessControlFactory;
import com.facebook.presto.transaction.TransactionId;
import com.facebook.presto.transaction.TransactionManager;
import com.facebook.presto.util.PropertiesUtil;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.File;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import javax.inject.Inject;
import org.weakref.jmx.Managed;
import org.weakref.jmx.Nested;

/* loaded from: input_file:com/facebook/presto/security/AccessControlManager.class */
public class AccessControlManager implements AccessControl {
    private static final Logger log = Logger.get((Class<?>) AccessControlManager.class);
    private static final File ACCESS_CONTROL_CONFIGURATION = new File("etc/access-control.properties");
    private static final String ACCESS_CONTROL_PROPERTY_NAME = "access-control.name";
    private final TransactionManager transactionManager;
    private final Map<String, SystemAccessControlFactory> systemAccessControlFactories = new ConcurrentHashMap();
    private final Map<ConnectorId, CatalogAccessControlEntry> connectorAccessControl = new ConcurrentHashMap();
    private final AtomicReference<SystemAccessControl> systemAccessControl = new AtomicReference<>(new InitializingSystemAccessControl());
    private final AtomicBoolean systemAccessControlLoading = new AtomicBoolean();
    private final CounterStat authenticationSuccess = new CounterStat();
    private final CounterStat authenticationFail = new CounterStat();
    private final CounterStat authorizationSuccess = new CounterStat();
    private final CounterStat authorizationFail = new CounterStat();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/facebook/presto/security/AccessControlManager$CatalogAccessControlEntry.class */
    public class CatalogAccessControlEntry {
        private final ConnectorId connectorId;
        private final ConnectorAccessControl accessControl;

        public CatalogAccessControlEntry(ConnectorId connectorId, ConnectorAccessControl connectorAccessControl) {
            this.connectorId = (ConnectorId) Objects.requireNonNull(connectorId, "connectorId is null");
            this.accessControl = (ConnectorAccessControl) Objects.requireNonNull(connectorAccessControl, "accessControl is null");
        }

        public ConnectorId getConnectorId() {
            return this.connectorId;
        }

        public ConnectorAccessControl getAccessControl() {
            return this.accessControl;
        }

        public ConnectorTransactionHandle getTransactionHandle(TransactionId transactionId) {
            return AccessControlManager.this.transactionManager.getConnectorTransaction(transactionId, this.connectorId);
        }
    }

    /* loaded from: input_file:com/facebook/presto/security/AccessControlManager$InitializingSystemAccessControl.class */
    private static class InitializingSystemAccessControl implements SystemAccessControl {
        private InitializingSystemAccessControl() {
        }

        @Override // com.facebook.presto.spi.security.SystemAccessControl
        public void checkQueryIntegrity(Identity identity, AccessControlContext accessControlContext, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }

        @Override // com.facebook.presto.spi.security.SystemAccessControl
        public void checkCanSetUser(AccessControlContext accessControlContext, Optional<Principal> optional, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }

        @Override // com.facebook.presto.spi.security.SystemAccessControl
        public void checkCanSetSystemSessionProperty(Identity identity, AccessControlContext accessControlContext, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }

        @Override // com.facebook.presto.spi.security.SystemAccessControl
        public void checkCanAccessCatalog(Identity identity, AccessControlContext accessControlContext, String str) {
            throw new PrestoException(StandardErrorCode.SERVER_STARTING_UP, "Presto server is still initializing");
        }
    }

    @Inject
    public AccessControlManager(TransactionManager transactionManager) {
        this.transactionManager = (TransactionManager) Objects.requireNonNull(transactionManager, "transactionManager is null");
        addSystemAccessControlFactory(new AllowAllSystemAccessControl.Factory());
        addSystemAccessControlFactory(new ReadOnlySystemAccessControl.Factory());
        addSystemAccessControlFactory(new FileBasedSystemAccessControl.Factory());
    }

    public void addSystemAccessControlFactory(SystemAccessControlFactory systemAccessControlFactory) {
        Objects.requireNonNull(systemAccessControlFactory, "accessControlFactory is null");
        if (this.systemAccessControlFactories.putIfAbsent(systemAccessControlFactory.getName(), systemAccessControlFactory) != null) {
            throw new IllegalArgumentException(String.format("Access control '%s' is already registered", systemAccessControlFactory.getName()));
        }
    }

    public void addCatalogAccessControl(ConnectorId connectorId, ConnectorAccessControl connectorAccessControl) {
        Objects.requireNonNull(connectorId, "connectorId is null");
        Objects.requireNonNull(connectorAccessControl, "accessControl is null");
        Preconditions.checkState(this.connectorAccessControl.putIfAbsent(connectorId, new CatalogAccessControlEntry(connectorId, connectorAccessControl)) == null, "Access control for connector '%s' is already registered", connectorId);
    }

    public void removeCatalogAccessControl(ConnectorId connectorId) {
        this.connectorAccessControl.remove(connectorId);
    }

    public void loadSystemAccessControl() throws Exception {
        if (!ACCESS_CONTROL_CONFIGURATION.exists()) {
            setSystemAccessControl(AllowAllSystemAccessControl.NAME, ImmutableMap.of());
            return;
        }
        HashMap hashMap = new HashMap(PropertiesUtil.loadProperties(ACCESS_CONTROL_CONFIGURATION));
        String remove = hashMap.remove(ACCESS_CONTROL_PROPERTY_NAME);
        Preconditions.checkArgument(!Strings.isNullOrEmpty(remove), "Access control configuration %s does not contain %s", ACCESS_CONTROL_CONFIGURATION.getAbsoluteFile(), ACCESS_CONTROL_PROPERTY_NAME);
        setSystemAccessControl(remove, hashMap);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    public void setSystemAccessControl(String str, Map<String, String> map) {
        Objects.requireNonNull(str, "name is null");
        Objects.requireNonNull(map, "properties is null");
        Preconditions.checkState(this.systemAccessControlLoading.compareAndSet(false, true), "System access control already initialized");
        log.info("-- Loading system access control --");
        SystemAccessControlFactory systemAccessControlFactory = this.systemAccessControlFactories.get(str);
        Preconditions.checkState(systemAccessControlFactory != null, "Access control %s is not registered", str);
        this.systemAccessControl.set(systemAccessControlFactory.create(ImmutableMap.copyOf((Map) map)));
        log.info("-- Loaded system access control %s --", str);
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanSetUser(AccessControlContext accessControlContext, Optional<Principal> optional, String str) {
        Objects.requireNonNull(optional, "principal is null");
        Objects.requireNonNull(str, "userName is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanSetUser(accessControlContext, optional, str);
        });
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkQueryIntegrity(Identity identity, AccessControlContext accessControlContext, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "query is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkQueryIntegrity(identity, accessControlContext, str);
        });
    }

    @Override // com.facebook.presto.security.AccessControl
    public Set<String> filterCatalogs(Identity identity, AccessControlContext accessControlContext, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(set, "catalogs is null");
        return this.systemAccessControl.get().filterCatalogs(identity, accessControlContext, set);
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanAccessCatalog(Identity identity, AccessControlContext accessControlContext, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalog is null");
        authenticationCheck(() -> {
            this.systemAccessControl.get().checkCanAccessCatalog(identity, accessControlContext, str);
        });
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanCreateSchema(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateSchema(identity, accessControlContext, catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateSchema(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogSchemaName.getCatalogName()), accessControlContext, catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanDropSchema(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropSchema(identity, accessControlContext, catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropSchema(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogSchemaName.getCatalogName()), accessControlContext, catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanRenameSchema(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, CatalogSchemaName catalogSchemaName, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schemaName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameSchema(identity, accessControlContext, catalogSchemaName, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameSchema(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(catalogSchemaName.getCatalogName()), accessControlContext, catalogSchemaName.getSchemaName(), str);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanShowSchemas(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str);
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanShowSchemas(identity, accessControlContext, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowSchemas(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public Set<String> filterSchemas(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(set, "schemaNames is null");
        if (filterCatalogs(identity, accessControlContext, ImmutableSet.of(str)).isEmpty()) {
            return ImmutableSet.of();
        }
        Set<String> filterSchemas = this.systemAccessControl.get().filterSchemas(identity, accessControlContext, str, set);
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            filterSchemas = connectorAccessControl.getAccessControl().filterSchemas(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext, filterSchemas);
        }
        return filterSchemas;
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanCreateTable(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateTable(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanDropTable(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropTable(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanRenameTable(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(qualifiedObjectName2, "newTableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameTable(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName(), qualifiedObjectName2.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName(), qualifiedObjectName2.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanShowTablesMetadata(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, CatalogSchemaName catalogSchemaName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(catalogSchemaName, "schema is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, catalogSchemaName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanShowTablesMetadata(identity, accessControlContext, catalogSchemaName);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, catalogSchemaName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowTablesMetadata(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(), accessControlContext, catalogSchemaName.getSchemaName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public Set<SchemaTableName> filterTables(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str, Set<SchemaTableName> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(set, "tableNames is null");
        if (filterCatalogs(identity, accessControlContext, ImmutableSet.of(str)).isEmpty()) {
            return ImmutableSet.of();
        }
        Set<SchemaTableName> filterTables = this.systemAccessControl.get().filterTables(identity, accessControlContext, str, set);
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            filterTables = connectorAccessControl.getAccessControl().filterTables(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext, filterTables);
        }
        return filterTables;
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanAddColumns(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanAddColumn(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanAddColumn(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanDropColumn(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropColumn(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropColumn(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanRenameColumn(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRenameColumn(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRenameColumn(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanInsertIntoTable(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanInsertIntoTable(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanInsertIntoTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanDeleteFromTable(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDeleteFromTable(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDeleteFromTable(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanCreateView(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateView(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateView(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanDropView(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "viewName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanDropView(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName());
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropView(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName());
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanCreateViewWithSelectFromColumns(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanCreateViewWithSelectFromColumns(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName(), set);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateViewWithSelectFromColumns(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName(), set);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanGrantTablePrivilege(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, Privilege privilege, QualifiedObjectName qualifiedObjectName, PrestoPrincipal prestoPrincipal, boolean z) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanGrantTablePrivilege(identity, accessControlContext, privilege, qualifiedObjectName.asCatalogSchemaTableName(), prestoPrincipal, z);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanGrantTablePrivilege(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, privilege, qualifiedObjectName.asSchemaTableName(), prestoPrincipal, z);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanRevokeTablePrivilege(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, Privilege privilege, QualifiedObjectName qualifiedObjectName, PrestoPrincipal prestoPrincipal, boolean z) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(privilege, "privilege is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanRevokeTablePrivilege(identity, accessControlContext, privilege, qualifiedObjectName.asCatalogSchemaTableName(), prestoPrincipal, z);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRevokeTablePrivilege(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, privilege, qualifiedObjectName.asSchemaTableName(), prestoPrincipal, z);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanSetSystemSessionProperty(Identity identity, AccessControlContext accessControlContext, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "propertyName is null");
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSetSystemSessionProperty(identity, accessControlContext, str);
        });
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanSetCatalogSessionProperty(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str, String str2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        Objects.requireNonNull(str2, "propertyName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str);
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSetCatalogSessionProperty(identity, accessControlContext, str, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSetCatalogSessionProperty(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext, str2);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanSelectFromColumns(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(qualifiedObjectName, "tableName is null");
        Objects.requireNonNull(set, "columnNames is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, qualifiedObjectName.getCatalogName());
        });
        authorizationCheck(() -> {
            this.systemAccessControl.get().checkCanSelectFromColumns(identity, accessControlContext, qualifiedObjectName.asCatalogSchemaTableName(), set);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, qualifiedObjectName.getCatalogName());
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSelectFromColumns(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(qualifiedObjectName.getCatalogName()), accessControlContext, qualifiedObjectName.asSchemaTableName(), set);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanCreateRole(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str, Optional<PrestoPrincipal> optional, String str2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str2, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanCreateRole(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str2), accessControlContext, str, optional);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanDropRole(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str, String str2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(str2, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanDropRole(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str2), accessControlContext, str);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanGrantRoles(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(set, "roles is null");
        Objects.requireNonNull(set2, "grantees is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanGrantRoles(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext, set, set2, z, optional, str);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanRevokeRoles(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(set, "roles is null");
        Objects.requireNonNull(set2, "grantees is null");
        Objects.requireNonNull(optional, "grantor is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanRevokeRoles(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext, set, set2, z, optional, str);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanSetRole(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str, String str2) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "role is null");
        Objects.requireNonNull(str2, "catalog is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str2);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str2);
        if (connectorAccessControl != null) {
            authorizationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanSetRole(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str2), accessControlContext, str, str2);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanShowRoles(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowRoles(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext, str);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanShowCurrentRoles(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowCurrentRoles(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext, str);
            });
        }
    }

    @Override // com.facebook.presto.security.AccessControl
    public void checkCanShowRoleGrants(TransactionId transactionId, Identity identity, AccessControlContext accessControlContext, String str) {
        Objects.requireNonNull(identity, "identity is null");
        Objects.requireNonNull(str, "catalogName is null");
        authenticationCheck(() -> {
            checkCanAccessCatalog(identity, accessControlContext, str);
        });
        CatalogAccessControlEntry connectorAccessControl = getConnectorAccessControl(transactionId, str);
        if (connectorAccessControl != null) {
            authenticationCheck(() -> {
                connectorAccessControl.getAccessControl().checkCanShowRoleGrants(connectorAccessControl.getTransactionHandle(transactionId), identity.toConnectorIdentity(str), accessControlContext, str);
            });
        }
    }

    private CatalogAccessControlEntry getConnectorAccessControl(TransactionId transactionId, String str) {
        return (CatalogAccessControlEntry) this.transactionManager.getOptionalCatalogMetadata(transactionId, str).map(catalogMetadata -> {
            return this.connectorAccessControl.get(catalogMetadata.getConnectorId());
        }).orElse(null);
    }

    @Managed
    @Nested
    public CounterStat getAuthenticationSuccess() {
        return this.authenticationSuccess;
    }

    @Managed
    @Nested
    public CounterStat getAuthenticationFail() {
        return this.authenticationFail;
    }

    @Managed
    @Nested
    public CounterStat getAuthorizationSuccess() {
        return this.authorizationSuccess;
    }

    @Managed
    @Nested
    public CounterStat getAuthorizationFail() {
        return this.authorizationFail;
    }

    private void authenticationCheck(Runnable runnable) {
        try {
            runnable.run();
            this.authenticationSuccess.update(1L);
        } catch (PrestoException e) {
            this.authenticationFail.update(1L);
            throw e;
        }
    }

    private void authorizationCheck(Runnable runnable) {
        try {
            runnable.run();
            this.authorizationSuccess.update(1L);
        } catch (PrestoException e) {
            this.authorizationFail.update(1L);
            throw e;
        }
    }
}
