package org.apache.impala.authorization;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.UnmodifiableIterator;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.impala.analysis.AnalysisContext;
import org.apache.impala.analysis.Analyzer;
import org.apache.impala.authorization.Authorizable;
import org.apache.impala.catalog.FeCatalog;
import org.apache.impala.catalog.FeDb;
import org.apache.impala.catalog.FeIncompleteTable;
import org.apache.impala.catalog.FeTable;
import org.apache.impala.common.InternalException;
import org.apache.impala.common.Pair;
import org.apache.impala.common.PrintUtils;
import org.apache.impala.service.BackendConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/impala/authorization/BaseAuthorizationChecker.class */
/**
 * Shared request-dispatch logic for {@link AuthorizationChecker} implementations.
 *
 * <p>This class decides which privilege requests of an analyzed statement are checked, in
 * what order, and which denial message is raised. The actual policy decision is delegated
 * to {@link #authorizeResource}, which subclasses provide.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The private {@code hasAccess} overload grants every request when
 *       {@code config_.isEnabled()} is false or the user is an
 *       {@code ImpalaInternalAdminUser}; {@code authorizeResource} is not consulted.</li>
 *   <li>{@code checkSystemDbAccess} runs before any user or configuration check: on a
 *       system database VIEW_METADATA and ANY skip the policy check, SELECT goes through
 *       it, and every other privilege is rejected for every caller.</li>
 *   <li>A failed masked privilege request clears profile access and, when it carries no
 *       message, ends {@code authorize} without throwing.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX markers), so generic
 * type arguments are missing and the raw collections and casts below are artefacts.
 */
public abstract class BaseAuthorizationChecker implements AuthorizationChecker {
    private static final Logger LOG = LoggerFactory.getLogger(BaseAuthorizationChecker.class);
    // Authorization configuration; isEnabled() and getProviderName() are read from it below.
    protected final AuthorizationConfig config_;

    /**
     * Stores the authorization configuration.
     *
     * @param authorizationConfig configuration to use; must not be null
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public BaseAuthorizationChecker(AuthorizationConfig authorizationConfig) {
        Preconditions.checkNotNull(authorizationConfig);
        this.config_ = authorizationConfig;
    }

    /**
     * Checks a single privilege request for {@code user} using a freshly created
     * authorization context.
     *
     * @return true if the request is granted
     * @throws InternalException propagated from context creation or the policy check
     */
    @Override // org.apache.impala.authorization.AuthorizationChecker
    public boolean hasAccess(User user, PrivilegeRequest privilegeRequest) throws InternalException {
        // createAuthorizationContext() is not defined in this class; presumably declared by
        // AuthorizationChecker and implemented by the subclass. The meaning of the
        // (false, null, null, Optional.empty()) arguments is not visible here.
        return hasAccess(createAuthorizationContext(false, null, null, Optional.empty()), user, privilegeRequest);
    }

    /**
     * Central access decision used by every check in this class.
     *
     * @return true when authorization is disabled, when the user is an
     *     {@code ImpalaInternalAdminUser}, or when {@link #authorizeResource} grants the
     *     request
     */
    private boolean hasAccess(AuthorizationContext authorizationContext, User user, PrivilegeRequest privilegeRequest) throws InternalException {
        Preconditions.checkNotNull(user);
        Preconditions.checkNotNull(privilegeRequest);
        // Bypass: no policy lookup when authorization is off or for the internal admin user.
        if (!this.config_.isEnabled() || (user instanceof ImpalaInternalAdminUser)) {
            return true;
        }
        return authorizeResource(authorizationContext, user, privilegeRequest);
    }

    /**
     * Returns true as soon as one request in {@code set} is granted to {@code user}.
     * An empty set yields false.
     */
    @Override // org.apache.impala.authorization.AuthorizationChecker
    public boolean hasAnyAccess(User user, Set<PrivilegeRequest> set) throws InternalException {
        Preconditions.checkNotNull(user);
        Preconditions.checkNotNull(set);
        Iterator<PrivilegeRequest> it = set.iterator();
        while (it.hasNext()) {
            if (hasAccess(user, it.next())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Marks the end of authorization on the context's timeline, if one is present, and logs
     * the value at debug level. The two boolean parameters are not used by this
     * implementation.
     */
    @Override // org.apache.impala.authorization.AuthorizationChecker
    public void postAuthorize(AuthorizationContext authorizationContext, boolean z, boolean z2) {
        if (authorizationContext.getTimeline().isPresent()) {
            // NOTE(review): the division by PrintUtils.MEGA presumably converts the value
            // returned by markEvent() to the milliseconds named in the log message; confirm.
            LOG.debug("Authorization check took {} ms", Long.valueOf(authorizationContext.getTimeline().get().markEvent(String.format("Authorization finished (%s)", this.config_.getProviderName())) / PrintUtils.MEGA));
        }
    }

    /**
     * Authorizes every privilege request registered on the statement's analyzer.
     *
     * <p>For a hierarchical statement, requests are grouped by full table name (first-seen
     * order); requests without a table name are checked individually first, then each table
     * group is handed to {@link #authorizeTableAccess}. Otherwise each request is checked
     * individually. Masked privilege requests are processed last, with audit retention
     * switched off for the duration of each check.
     *
     * @throws AuthorizationException if a request is denied, or if a masked request is
     *     denied and carries a non-empty replacement message
     * @throws InternalException propagated from the underlying checks
     */
    /* JADX WARN: Multi-variable type inference failed */
    @Override // org.apache.impala.authorization.AuthorizationChecker
    public void authorize(AuthorizationContext authorizationContext, AnalysisContext.AnalysisResult analysisResult, FeCatalog feCatalog) throws AuthorizationException, InternalException {
        Preconditions.checkNotNull(analysisResult);
        Analyzer analyzer = analysisResult.getAnalyzer();
        if (analysisResult.isHierarchicalAuthStmt()) {
            // Full table name -> requests for that table; LinkedHashMap keeps first-seen order.
            LinkedHashMap linkedHashMap = new LinkedHashMap();
            // Requests whose authorizable has no table name.
            ArrayList arrayList = new ArrayList();
            UnmodifiableIterator it = analyzer.getPrivilegeReqs().iterator();
            while (it.hasNext()) {
                PrivilegeRequest privilegeRequest = (PrivilegeRequest) it.next();
                String fullTableName = privilegeRequest.getAuthorizable().getFullTableName();
                if (fullTableName == null) {
                    arrayList.add(privilegeRequest);
                } else {
                    List list = (List) linkedHashMap.get(fullTableName);
                    if (list == null) {
                        list = new ArrayList();
                        linkedHashMap.put(fullTableName, list);
                    }
                    // Invariant, not a denial: a COLUMN request joining a non-empty group
                    // requires the group's first entry to be a TABLE-level SELECT request.
                    // authorizeTableAccess() depends on that ordering. A violation surfaces
                    // as Guava's IllegalStateException, not as AuthorizationException.
                    Preconditions.checkState(list.isEmpty() || privilegeRequest.getAuthorizable().getType() != Authorizable.Type.COLUMN || (((PrivilegeRequest) list.get(0)).getAuthorizable().getType() == Authorizable.Type.TABLE && ((PrivilegeRequest) list.get(0)).getPrivilege() == Privilege.SELECT));
                    list.add(privilegeRequest);
                }
            }
            Iterator it2 = arrayList.iterator();
            while (it2.hasNext()) {
                authorizePrivilegeRequest(authorizationContext, analysisResult, feCatalog, (PrivilegeRequest) it2.next());
            }
            Iterator it3 = linkedHashMap.entrySet().iterator();
            while (it3.hasNext()) {
                authorizeTableAccess(authorizationContext, analysisResult, feCatalog, (List) ((Map.Entry) it3.next()).getValue());
            }
        } else {
            UnmodifiableIterator it4 = analyzer.getPrivilegeReqs().iterator();
            while (it4.hasNext()) {
                PrivilegeRequest privilegeRequest2 = (PrivilegeRequest) it4.next();
                // Invariant: outside the hierarchical path a COLUMN request is only expected
                // for a single-column-privilege statement.
                Preconditions.checkState(privilegeRequest2.getAuthorizable().getType() != Authorizable.Type.COLUMN || analysisResult.isSingleColumnPrivStmt());
                authorizePrivilegeRequest(authorizationContext, analysisResult, feCatalog, privilegeRequest2);
            }
        }
        // Masked requests: pair.first is the request, pair.second an optional message that
        // replaces the original denial text.
        UnmodifiableIterator it5 = analyzer.getMaskedPrivilegeReqs().iterator();
        while (it5.hasNext()) {
            Pair pair = (Pair) it5.next();
            // The nested try blocks restore setRetainAudits(true) on every exit path
            // (success, denial, or any other throwable); the shape resembles a decompiled
            // try/finally.
            try {
                try {
                    // Audits are not retained while the masked request is evaluated.
                    authorizationContext.setRetainAudits(false);
                    authorizePrivilegeRequest(authorizationContext, analysisResult, feCatalog, (PrivilegeRequest) pair.first);
                    authorizationContext.setRetainAudits(true);
                } catch (AuthorizationException e) {
                    // A denied masked request always revokes profile access for this user.
                    analysisResult.setUserHasProfileAccess(false);
                    if (!Strings.isNullOrEmpty((String) pair.second)) {
                        // The original exception (and its message) is dropped in favour of
                        // the message supplied with the masked request.
                        throw new AuthorizationException((String) pair.second);
                    }
                    authorizationContext.setRetainAudits(true);
                    // No message: the denial is not reported and the remaining masked
                    // requests are not evaluated.
                    return;
                }
            } catch (Throwable th) {
                authorizationContext.setRetainAudits(true);
                throw th;
            }
        }
    }

    /**
     * Authorizes one privilege request for the analyzer's user.
     *
     * <p>The system-database rule is applied first and can short-circuit the request (allow
     * without a policy check, or reject outright). For TABLE requests the authorizable is
     * populated with the table's column names before the check when the table is available
     * in the catalog.
     *
     * @throws AuthorizationException if the request is denied
     */
    private void authorizePrivilegeRequest(AuthorizationContext authorizationContext, AnalysisContext.AnalysisResult analysisResult, FeCatalog feCatalog, PrivilegeRequest privilegeRequest) throws AuthorizationException, InternalException {
        FeTable table;
        Preconditions.checkNotNull(privilegeRequest);
        // Database name of the authorizable, or null when the request has none.
        String str = null;
        if (privilegeRequest.getAuthorizable() != null) {
            str = privilegeRequest.getAuthorizable().getDbName();
        }
        // checkSystemDbAccess() == true means "allowed, skip the policy check"; it may also
        // throw. It is evaluated even when authorization is disabled.
        if (str == null || !checkSystemDbAccess(feCatalog, str, privilegeRequest.getPrivilege())) {
            // Column names are attached only when authorization is enabled and the request
            // targets a TABLE; REFRESH is excluded when the backend flag
            // allowCatalogCacheOpFromMaskedUsers() is set.
            // NOTE(review): presumably the columns feed column-masking/row-filter policy
            // evaluation in the subclass; confirm.
            if (this.config_.isEnabled() && privilegeRequest.getAuthorizable() != null && privilegeRequest.getAuthorizable().getType() == Authorizable.Type.TABLE && (privilegeRequest.getPrivilege() != Privilege.REFRESH || !BackendConfig.INSTANCE.allowCatalogCacheOpFromMaskedUsers())) {
                Preconditions.checkNotNull(str);
                AuthorizableTable authorizableTable = (AuthorizableTable) privilegeRequest.getAuthorizable();
                FeDb db = feCatalog.getDb(str);
                // A missing database or table, or an FeIncompleteTable, leaves the columns unset.
                if (db != null && (table = db.getTable(authorizableTable.getTableName())) != null && !(table instanceof FeIncompleteTable)) {
                    authorizableTable.setColumns(table.getColumnNames());
                }
            }
            checkAccess(authorizationContext, analysisResult.getAnalyzer().getUser(), privilegeRequest);
        }
    }

    /**
     * Authorizes the group of TABLE and COLUMN requests that refer to one table.
     *
     * <p>A denied table-level SELECT is not fatal by itself: the method falls back to the
     * column-level requests and only fails if none of them was granted. Any other denied
     * table-level privilege is rethrown immediately. The outcome depends on list order,
     * because a COLUMN request only sees the table-level results that precede it.
     *
     * @param list non-empty list of requests for a single table
     * @throws AuthorizationException if access is denied; column denials are reported with
     *     the table name
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void authorizeTableAccess(AuthorizationContext authorizationContext, AnalysisContext.AnalysisResult analysisResult, FeCatalog feCatalog, List<PrivilegeRequest> list) throws AuthorizationException, InternalException {
        Preconditions.checkArgument(!list.isEmpty());
        Analyzer analyzer = analysisResult.getAnalyzer();
        // Subclass hook, invoked before any privilege check for this table.
        authorizeRowFilterAndColumnMask(analyzer.getUser(), list);
        // z: no table-level SELECT has been denied so far.
        boolean z = true;
        // z2: at least one column-level request has been granted.
        boolean z2 = false;
        for (PrivilegeRequest privilegeRequest : list) {
            if (privilegeRequest.getAuthorizable().getType() == Authorizable.Type.TABLE) {
                try {
                    authorizePrivilegeRequest(authorizationContext, analysisResult, feCatalog, privilegeRequest);
                } catch (AuthorizationException e) {
                    if (privilegeRequest.getPrivilege() != Privilege.SELECT) {
                        throw e;
                    }
                    // Table-level SELECT denied: defer the decision to the column requests.
                    z = false;
                }
            } else {
                Preconditions.checkState(privilegeRequest.getAuthorizable().getType() == Authorizable.Type.COLUMN);
                // The column is checked when table-level SELECT was denied, or when the
                // column privilege is SELECT or INSERT; any other column privilege is
                // skipped while table-level access stands.
                if (!z || privilegeRequest.getPrivilege() == Privilege.SELECT || privilegeRequest.getPrivilege() == Privilege.INSERT) {
                    if (!hasAccess(authorizationContext, analyzer.getUser(), privilegeRequest)) {
                        // The message is built from getFullTableName(), not the request's
                        // own name; presumably so that column names are not disclosed to an
                        // unauthorized user.
                        throw new AuthorizationException(String.format("User '%s' does not have privileges to execute '%s' on: %s", analyzer.getUser().getName(), privilegeRequest.getPrivilege().toString(), privilegeRequest.getAuthorizable().getFullTableName()));
                    }
                    z2 = true;
                }
            }
        }
        // Table-level SELECT was denied and no column-level grant made up for it.
        if (!z && !z2) {
            throw new AuthorizationException(String.format("User '%s' does not have privileges to execute 'SELECT' on: %s", analyzer.getUser().getName(), list.get(0).getAuthorizable().getFullTableName()));
        }
    }

    /**
     * Applies the fixed rule for system databases. No user or configuration is consulted,
     * so the outcome is the same for every caller, including the internal admin user.
     *
     * @return true if the request targets a system database and is allowed without a policy
     *     check; false if the normal check must run (database missing, not a system
     *     database, or SELECT on a system database)
     * @throws AuthorizationException for any other privilege on a system database
     */
    private boolean checkSystemDbAccess(FeCatalog feCatalog, String str, Privilege privilege) throws AuthorizationException {
        FeDb db = feCatalog.getDb(str);
        if (db == null || !db.isSystemDb()) {
            return false;
        }
        switch (privilege) {
            case VIEW_METADATA:
            case ANY:
                // Allowed without a policy check.
                return true;
            case SELECT:
                // Subject to the normal policy check.
                return false;
            default:
                throw new AuthorizationException("Cannot modify system database.");
        }
    }

    /**
     * Throws an {@link AuthorizationException} with a privilege-specific message unless
     * {@code user} is granted {@code privilegeRequest}.
     *
     * <p>Every message contains the user name and a resource name. For CREATE on a TABLE
     * the database name is reported instead of the request name.
     */
    private void checkAccess(AuthorizationContext authorizationContext, User user, PrivilegeRequest privilegeRequest) throws AuthorizationException, InternalException {
        Preconditions.checkNotNull(privilegeRequest);
        if (hasAccess(authorizationContext, user, privilegeRequest)) {
            return;
        }
        // Denied: only the wording of the exception differs from here on.
        Privilege privilege = privilegeRequest.getPrivilege();
        if (privilegeRequest.getAuthorizable().getType() == Authorizable.Type.FUNCTION) {
            throw new AuthorizationException(String.format("User '%s' does not have privileges%s to %s functions in: %s", user.getName(), grantOption(privilegeRequest.hasGrantOption()), privilege, privilegeRequest.getName()));
        }
        if (EnumSet.of(Privilege.ANY, Privilege.ALL, Privilege.VIEW_METADATA).contains(privilege)) {
            throw new AuthorizationException(String.format("User '%s' does not have privileges%s to access: %s", user.getName(), grantOption(privilegeRequest.hasGrantOption()), privilegeRequest.getName()));
        }
        if (privilege == Privilege.REFRESH) {
            throw new AuthorizationException(String.format("User '%s' does not have privileges%s to execute 'INVALIDATE METADATA/REFRESH' on: %s", user.getName(), grantOption(privilegeRequest.hasGrantOption()), privilegeRequest.getName()));
        }
        // Generic message for everything except CREATE on a TABLE.
        if (privilege != Privilege.CREATE || privilegeRequest.getAuthorizable().getType() != Authorizable.Type.TABLE) {
            throw new AuthorizationException(String.format("User '%s' does not have privileges%s to execute '%s' on: %s", user.getName(), grantOption(privilegeRequest.hasGrantOption()), privilege, privilegeRequest.getName()));
        }
        // CREATE on a TABLE: report the database the table would be created in.
        throw new AuthorizationException(String.format("User '%s' does not have privileges%s to execute '%s' on: %s", user.getName(), grantOption(privilegeRequest.hasGrantOption()), privilege, privilegeRequest.getAuthorizable().getDbName()));
    }

    /** Returns the " with 'GRANT OPTION'" message fragment when {@code z} is true, else "". */
    private static String grantOption(boolean z) {
        return z ? " with 'GRANT OPTION'" : "";
    }

    /**
     * Policy decision hook. In this class it is reached only from the private
     * {@code hasAccess} overload, i.e. when authorization is enabled and the user is not an
     * {@code ImpalaInternalAdminUser}.
     *
     * @return true if {@code user} is granted {@code privilegeRequest}
     */
    protected abstract boolean authorizeResource(AuthorizationContext authorizationContext, User user, PrivilegeRequest privilegeRequest) throws InternalException;

    /** Returns the groups of {@code user}; not called within this class. */
    @Override // org.apache.impala.authorization.AuthorizationChecker
    public abstract Set<String> getUserGroups(User user) throws InternalException;

    /**
     * Hook invoked at the start of {@link #authorizeTableAccess} with the requests for one
     * table. NOTE(review): judging by the name it validates row-filter and column-mask
     * policies; the contract is defined by the implementations.
     */
    protected abstract void authorizeRowFilterAndColumnMask(User user, List<PrivilegeRequest> list) throws AuthorizationException, InternalException;

    /** Invalidates the implementation's authorization cache; not called within this class. */
    @Override // org.apache.impala.authorization.AuthorizationChecker
    public abstract void invalidateAuthorizationCache();
}
