package com.facebook.presto.plugin.base.security;

import com.facebook.presto.plugin.base.JsonUtils;
import com.facebook.presto.plugin.base.security.TableAccessControlRule;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.ConnectorIdentity;
import com.facebook.presto.spi.security.PrestoPrincipal;
import com.facebook.presto.spi.security.Privilege;
import com.google.common.collect.ImmutableSet;
import java.nio.file.Paths;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.inject.Inject;

/* loaded from: input_file:com/facebook/presto/plugin/base/security/FileBasedAccessControl.class */
/**
 * Connector access control driven by a JSON rules file.
 *
 * <p>The constructor reads the rules file once and stores three lists: schema rules,
 * table rules and session-property rules. This class has no reload path, so later
 * edits to the file are not picked up by an existing instance.
 *
 * <p>Evaluation model, as implemented below:
 * <ul>
 *   <li>Rules are matched against {@code ConnectorIdentity.getUser()} only. No other
 *       identity attribute is consulted here.</li>
 *   <li>Rules are tried in list order and the first rule that returns a present match
 *       decides the outcome. Later rules are never reached, so rule order in the file
 *       is security-relevant.</li>
 *   <li>If no rule matches, the helper returns {@code false} and the caller denies
 *       (fail closed).</li>
 * </ul>
 *
 * <p>Permissive defaults a reviewer should be aware of:
 * <ul>
 *   <li>Every table in {@code information_schema} passes any table privilege check.</li>
 *   <li>{@link #filterSchemas} and {@link #filterTables} return their input unchanged,
 *       and the "show" checks are empty, so object names are not hidden by table rules.</li>
 *   <li>All role-related checks are empty and therefore never deny.</li>
 * </ul>
 *
 * <p>Denials are raised through the static {@code AccessDeniedException.denyXxx} helpers,
 * which throw {@link AccessDeniedException}.
 */
public class FileBasedAccessControl implements ConnectorAccessControl {
    private static final String INFORMATION_SCHEMA_NAME = "information_schema";
    private final List<SchemaAccessControlRule> schemaRules;
    private final List<TableAccessControlRule> tableRules;
    private final List<SessionPropertyAccessControlRule> sessionPropertyRules;

    /**
     * Loads the rule lists from the file named by {@code getConfigFile()}.
     *
     * @param fileBasedAccessControlConfig supplies the path of the JSON rules file
     */
    @Inject
    public FileBasedAccessControl(FileBasedAccessControlConfig fileBasedAccessControlConfig) {
        // The rules file defines the whole policy; it should be writable only by the
        // account that administers the catalog.
        AccessControlRules rules = (AccessControlRules) JsonUtils.parseJson(
                Paths.get(fileBasedAccessControlConfig.getConfigFile()),
                AccessControlRules.class);
        this.schemaRules = rules.getSchemaRules();
        this.tableRules = rules.getTableRules();
        this.sessionPropertyRules = rules.getSessionPropertyRules();
    }

    /** Always denies: no rule is consulted for schema creation. */
    @Override
    public void checkCanCreateSchema(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        AccessDeniedException.denyCreateSchema(str);
    }

    /** Always denies: no rule is consulted for dropping a schema. */
    @Override
    public void checkCanDropSchema(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        AccessDeniedException.denyDropSchema(str);
    }

    /** Always denies: no rule is consulted for renaming a schema. */
    @Override
    public void checkCanRenameSchema(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str, String str2) {
        AccessDeniedException.denyRenameSchema(str, str2);
    }

    /** Performs no check; listing schemas is never denied here. */
    @Override
    public void checkCanShowSchemas(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext) {
        // Intentionally empty: no rule is evaluated.
    }

    /**
     * Returns the given schema names unchanged.
     *
     * <p>No rule is applied, so schema names are visible to every user.
     */
    @Override
    public Set<String> filterSchemas(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<String> set) {
        return set;
    }

    /** Allows table creation only when a schema rule marks the user as owner of the schema. */
    @Override
    public void checkCanCreateTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!isDatabaseOwner(connectorIdentity, schemaTableName.getSchemaName())) {
            AccessDeniedException.denyCreateTable(schemaTableName.toString());
        }
    }

    /** Requires the OWNERSHIP table privilege. */
    @Override
    public void checkCanDropTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!hasOwnership(connectorIdentity, schemaTableName)) {
            AccessDeniedException.denyDropTable(schemaTableName.toString());
        }
    }

    /** Performs no check; showing table metadata is never denied here. */
    @Override
    public void checkCanShowTablesMetadata(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        // Intentionally empty: no rule is evaluated.
    }

    /**
     * Returns the given table names unchanged.
     *
     * <p>Table rules are not applied, so a user who is denied SELECT on a table can
     * still see that the table exists.
     */
    @Override
    public Set<SchemaTableName> filterTables(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<SchemaTableName> set) {
        return set;
    }

    /**
     * Requires the OWNERSHIP table privilege on the source table.
     *
     * <p>The target name is used only in the denial message; it is not checked against
     * any rule.
     */
    @Override
    public void checkCanRenameTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, SchemaTableName schemaTableName2) {
        if (!hasOwnership(connectorIdentity, schemaTableName)) {
            AccessDeniedException.denyRenameTable(schemaTableName.toString(), schemaTableName2.toString());
        }
    }

    /** Requires the OWNERSHIP table privilege. */
    @Override
    public void checkCanAddColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!hasOwnership(connectorIdentity, schemaTableName)) {
            AccessDeniedException.denyAddColumn(schemaTableName.toString());
        }
    }

    /** Requires the OWNERSHIP table privilege. */
    @Override
    public void checkCanDropColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!hasOwnership(connectorIdentity, schemaTableName)) {
            AccessDeniedException.denyDropColumn(schemaTableName.toString());
        }
    }

    /** Requires the OWNERSHIP table privilege. */
    @Override
    public void checkCanRenameColumn(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!hasOwnership(connectorIdentity, schemaTableName)) {
            AccessDeniedException.denyRenameColumn(schemaTableName.toString());
        }
    }

    /**
     * Requires the SELECT table privilege.
     *
     * <p>The column set is not consulted: the decision is made per table, so this class
     * cannot restrict access to individual columns.
     */
    @Override
    public void checkCanSelectFromColumns(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, Set<String> set) {
        if (!checkTablePermission(connectorIdentity, schemaTableName, TableAccessControlRule.TablePrivilege.SELECT)) {
            AccessDeniedException.denySelectTable(schemaTableName.toString());
        }
    }

    /** Requires the INSERT table privilege. */
    @Override
    public void checkCanInsertIntoTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorIdentity, schemaTableName, TableAccessControlRule.TablePrivilege.INSERT)) {
            AccessDeniedException.denyInsertTable(schemaTableName.toString());
        }
    }

    /** Requires the DELETE table privilege. */
    @Override
    public void checkCanDeleteFromTable(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!checkTablePermission(connectorIdentity, schemaTableName, TableAccessControlRule.TablePrivilege.DELETE)) {
            AccessDeniedException.denyDeleteTable(schemaTableName.toString());
        }
    }

    /** Allows view creation only when a schema rule marks the user as owner of the schema. */
    @Override
    public void checkCanCreateView(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!isDatabaseOwner(connectorIdentity, schemaTableName.getSchemaName())) {
            AccessDeniedException.denyCreateView(schemaTableName.toString());
        }
    }

    /** Requires the OWNERSHIP table privilege on the view. */
    @Override
    public void checkCanDropView(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName) {
        if (!hasOwnership(connectorIdentity, schemaTableName)) {
            AccessDeniedException.denyDropView(schemaTableName.toString());
        }
    }

    /**
     * Requires both SELECT and GRANT_SELECT on the referenced table.
     *
     * <p>SELECT is tested first and reported as a plain select denial; GRANT_SELECT is
     * tested second and reported as a create-view-with-select denial. The column set is
     * not consulted.
     */
    @Override
    public void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, SchemaTableName schemaTableName, Set<String> set) {
        if (!checkTablePermission(connectorIdentity, schemaTableName, TableAccessControlRule.TablePrivilege.SELECT)) {
            AccessDeniedException.denySelectTable(schemaTableName.toString());
        }
        if (!checkTablePermission(connectorIdentity, schemaTableName, TableAccessControlRule.TablePrivilege.GRANT_SELECT)) {
            AccessDeniedException.denyCreateViewWithSelect(schemaTableName.toString(), connectorIdentity);
        }
    }

    /** Allows setting a catalog session property only when a session-property rule permits it. */
    @Override
    public void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        if (!canSetSessionProperty(connectorIdentity, str)) {
            denySetSessionProperty(str);
        }
    }

    /**
     * Requires the OWNERSHIP table privilege.
     *
     * <p>The privilege being granted appears only in the denial message; the grantee
     * principal and the boolean flag do not influence the decision.
     */
    @Override
    public void checkCanGrantTablePrivilege(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Privilege privilege, SchemaTableName schemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
        if (!hasOwnership(connectorIdentity, schemaTableName)) {
            AccessDeniedException.denyGrantTablePrivilege(privilege.name(), schemaTableName.toString());
        }
    }

    /**
     * Requires the OWNERSHIP table privilege.
     *
     * <p>The privilege being revoked appears only in the denial message; the principal
     * and the boolean flag do not influence the decision.
     */
    @Override
    public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Privilege privilege, SchemaTableName schemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
        if (!hasOwnership(connectorIdentity, schemaTableName)) {
            AccessDeniedException.denyRevokeTablePrivilege(privilege.name(), schemaTableName.toString());
        }
    }

    /** Performs no check; role creation is never denied here. */
    @Override
    public void checkCanCreateRole(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str, Optional<PrestoPrincipal> optional) {
        // Intentionally empty: the rules file has no role rules.
    }

    /** Performs no check; dropping a role is never denied here. */
    @Override
    public void checkCanDropRole(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        // Intentionally empty: the rules file has no role rules.
    }

    /** Performs no check; granting roles is never denied here. */
    @Override
    public void checkCanGrantRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        // Intentionally empty: the rules file has no role rules.
    }

    /** Performs no check; revoking roles is never denied here. */
    @Override
    public void checkCanRevokeRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, Set<String> set, Set<PrestoPrincipal> set2, boolean z, Optional<PrestoPrincipal> optional, String str) {
        // Intentionally empty: the rules file has no role rules.
    }

    /** Performs no check; setting a role is never denied here. */
    @Override
    public void checkCanSetRole(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str, String str2) {
        // Intentionally empty: the rules file has no role rules.
    }

    /** Performs no check; listing roles is never denied here. */
    @Override
    public void checkCanShowRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        // Intentionally empty: the rules file has no role rules.
    }

    /** Performs no check; listing current roles is never denied here. */
    @Override
    public void checkCanShowCurrentRoles(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        // Intentionally empty: the rules file has no role rules.
    }

    /** Performs no check; listing role grants is never denied here. */
    @Override
    public void checkCanShowRoleGrants(ConnectorTransactionHandle connectorTransactionHandle, ConnectorIdentity connectorIdentity, AccessControlContext accessControlContext, String str) {
        // Intentionally empty: the rules file has no role rules.
    }

    /**
     * Evaluates the session-property rules in order.
     *
     * @return the verdict of the first rule that matches the user and property name,
     *         or {@code false} when no rule matches
     */
    private boolean canSetSessionProperty(ConnectorIdentity identity, String propertyName) {
        for (SessionPropertyAccessControlRule rule : this.sessionPropertyRules) {
            Optional<Boolean> verdict = rule.match(identity.getUser(), propertyName);
            if (verdict.isPresent()) {
                // First matching rule wins, whether it allows or denies.
                return verdict.get();
            }
        }
        return false;
    }

    /**
     * Evaluates the table rules in order for the given user and table.
     *
     * <p>Tables in {@code information_schema} are allowed without looking at any rule.
     * Otherwise the first matching rule decides: access is granted only if that rule's
     * privilege set contains every requested privilege.
     *
     * @return {@code true} if access is granted, {@code false} if the first matching
     *         rule lacks a requested privilege or no rule matches
     */
    private boolean checkTablePermission(ConnectorIdentity identity, SchemaTableName tableName, TableAccessControlRule.TablePrivilege... requiredPrivileges) {
        if (INFORMATION_SCHEMA_NAME.equals(tableName.getSchemaName())) {
            return true;
        }
        for (TableAccessControlRule rule : this.tableRules) {
            Optional<Set<TableAccessControlRule.TablePrivilege>> granted = rule.match(identity.getUser(), tableName);
            if (granted.isPresent()) {
                // First matching rule wins; later rules cannot widen or narrow the result.
                return granted.get().containsAll(ImmutableSet.copyOf(requiredPrivileges));
            }
        }
        return false;
    }

    /** Shorthand for a table check that requires only the OWNERSHIP privilege. */
    private boolean hasOwnership(ConnectorIdentity identity, SchemaTableName tableName) {
        return checkTablePermission(identity, tableName, TableAccessControlRule.TablePrivilege.OWNERSHIP);
    }

    /**
     * Evaluates the schema rules in order for the given user and schema.
     *
     * @return the verdict of the first matching rule, or {@code false} when no rule matches
     */
    private boolean isDatabaseOwner(ConnectorIdentity identity, String schemaName) {
        for (SchemaAccessControlRule rule : this.schemaRules) {
            Optional<Boolean> verdict = rule.match(identity.getUser(), schemaName);
            if (verdict.isPresent()) {
                return verdict.get();
            }
        }
        return false;
    }

    /** Throws the denial for an attempt to set a catalog session property. */
    private static void denySetSessionProperty(String propertyName) {
        throw new AccessDeniedException("Cannot set catalog session property: " + propertyName);
    }
}
