package org.apache.ranger.authorization.presto.authorizer;

import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.Identity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.SystemAccessControl;
import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.Identity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.SystemAccessControl;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.class */
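/**
 * Presto {@link SystemAccessControl} that delegates every authorization decision to Apache Ranger.
 *
 * <p>Each {@code checkCan*} method builds a {@link RangerPrestoResource} describing the catalog,
 * schema, table or column being touched and asks the Ranger plugin whether the calling
 * {@link Identity} holds the matching {@link PrestoAccessType}. A negative or absent answer is
 * logged at INFO and turned into the SPI's {@link AccessDeniedException}, so the query fails
 * with Presto's standard error.
 *
 * <p>Policy decisions are audited through {@link RangerDefaultAuditHandler}, which is installed
 * on the plugin in the constructor. The plugin itself is created once and never reassigned;
 * Presto calls the check methods concurrently, so this class relies on
 * {@code RangerBasePlugin.isAccessAllowed} being safe for concurrent use (not verifiable from
 * this file — confirm against the Ranger plugin version in use).
 *
 * <p>Note that {@link #checkCanSetUser}, {@link #filterCatalogs}, {@link #filterSchemas} and
 * {@link #filterTables} do <em>not</em> consult Ranger; see their documentation.
 */
public class RangerSystemAccessControl implements SystemAccessControl {
    /** Config key holding the keytab path used for the optional Kerberos login. */
    public static final String RANGER_CONFIG_KEYTAB = "ranger.keytab";
    /** Config key holding the Kerberos principal used for the optional Kerberos login. */
    public static final String RANGER_CONFIG_PRINCIPAL = "ranger.principal";
    /** Ranger service type this plugin registers as. */
    public static final String RANGER_PRESTO_SERVICETYPE = "presto";
    /** Ranger application id this plugin registers as. */
    public static final String RANGER_PRESTO_APPID = "presto";

    private static final Logger LOG = LoggerFactory.getLogger(RangerSystemAccessControl.class);

    /** Ranger plugin that evaluates policies; initialised once in the constructor. */
    private final RangerBasePlugin rangerPlugin;

    /**
     * Creates the access control and initialises the Ranger plugin.
     *
     * <p>If both {@link #RANGER_CONFIG_KEYTAB} and {@link #RANGER_CONFIG_PRINCIPAL} are present
     * in {@code config}, a Kerberos login is performed first so that the plugin can reach a
     * secured Ranger admin. Only the principal and the keytab <em>path</em> are logged.
     *
     * @param config Presto access-control configuration properties
     * @throws NullPointerException if {@code config} is null
     * @throws IllegalStateException if the Kerberos login was requested but failed
     */
    public RangerSystemAccessControl(Map<String, String> config) {
        Objects.requireNonNull(config, "config");
        String keytab = config.get(RANGER_CONFIG_KEYTAB);
        String principal = config.get(RANGER_CONFIG_PRINCIPAL);
        if (keytab != null && principal != null) {
            LOG.info("Performing kerberos login with principal " + principal + " and keytab " + keytab);
            try {
                UserGroupInformation.setConfiguration(new Configuration());
                UserGroupInformation.loginUserFromKeytab(principal, keytab);
            } catch (IOException e) {
                LOG.error("Kerberos login failed", e);
                // Fail fast: a plugin that cannot authenticate to Ranger must not start.
                throw new IllegalStateException("Kerberos login failed for principal " + principal, e);
            }
        }
        this.rangerPlugin = new RangerBasePlugin(RANGER_PRESTO_SERVICETYPE, RANGER_PRESTO_APPID);
        this.rangerPlugin.init();
        this.rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler());
    }

    /**
     * Asks Ranger whether {@code identity} may perform {@code accessType} on {@code resource}.
     *
     * <p>Group membership is resolved locally through Hadoop's
     * {@link UserGroupInformation#createRemoteUser}; when no groups are found the request is
     * sent without a group set, matching the behaviour the Ranger request class expects.
     *
     * @return {@code true} only when Ranger returned a result that explicitly allows access;
     *         a null result is treated as denied
     */
    private boolean checkPermission(RangerPrestoResource resource, Identity identity, PrestoAccessType accessType) {
        String user = identity.getUser();
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
        String[] groupNames = ugi != null ? ugi.getGroupNames() : null;
        Set<String> groups = null;
        if (groupNames != null && groupNames.length > 0) {
            groups = new HashSet<>(Arrays.asList(groupNames));
        }
        RangerAccessResult result = rangerPlugin.isAccessAllowed(
                new RangerPrestoAccessRequest(resource, user, groups, accessType));
        // Deny by default: no result (e.g. plugin not yet initialised) must not grant access.
        return result != null && result.getIsAllowed();
    }

    /** Logs a policy denial at INFO so rejected operations are visible in the coordinator log. */
    private static void logDenied(String method, Object detail) {
        LOG.info("==> RangerSystemAccessControl." + method + "(" + detail + ") denied");
    }

    /**
     * Not enforced by Ranger: this implementation only logs and lets any authenticated principal
     * set any session user. Impersonation restrictions, if required, must be configured
     * elsewhere in Presto — confirm that this is intended for the deployment.
     */
    @Override
    public void checkCanSetUser(Optional<Principal> principal, String userName) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerSystemAccessControl.checkCanSetUser(" + userName + ")");
        }
    }

    /** Requires the ADMIN access type on the root (catalog-less) resource. */
    @Override
    public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
        if (checkPermission(new RangerPrestoResource(), identity, PrestoAccessType.ADMIN)) {
            return;
        }
        LOG.info("==> RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
        AccessDeniedException.denySetSystemSessionProperty(propertyName);
    }

    /** Requires SELECT on the catalog. */
    @Override
    public void checkCanAccessCatalog(Identity identity, String catalogName) {
        if (checkPermission(createResource(catalogName), identity, PrestoAccessType.SELECT)) {
            return;
        }
        logDenied("checkCanAccessCatalog", catalogName);
        AccessDeniedException.denyCatalogAccess(catalogName);
    }

    /**
     * Returns {@code catalogs} unchanged: catalog names are not filtered by Ranger policy, so a
     * user can list catalogs they would be denied access to.
     */
    @Override
    public Set<String> filterCatalogs(Identity identity, Set<String> catalogs) {
        return catalogs;
    }

    /** Requires CREATE on the schema. */
    @Override
    public void checkCanCreateSchema(Identity identity, CatalogSchemaName schema) {
        if (checkPermission(createResource(schema), identity, PrestoAccessType.CREATE)) {
            return;
        }
        logDenied("checkCanCreateSchema", schema.getSchemaName());
        AccessDeniedException.denyCreateSchema(schema.getSchemaName());
    }

    /** Requires DROP on the schema. */
    @Override
    public void checkCanDropSchema(Identity identity, CatalogSchemaName schema) {
        if (checkPermission(createResource(schema), identity, PrestoAccessType.DROP)) {
            return;
        }
        logDenied("checkCanDropSchema", schema.getSchemaName());
        AccessDeniedException.denyDropSchema(schema.getSchemaName());
    }

    /** Requires ALTER on the existing schema; the new name is not checked. */
    @Override
    public void checkCanRenameSchema(Identity identity, CatalogSchemaName schema, String newSchemaName) {
        if (checkPermission(createResource(schema), identity, PrestoAccessType.ALTER)) {
            return;
        }
        logDenied("checkCanRenameSchema", schema.getSchemaName());
        AccessDeniedException.denyRenameSchema(schema.getSchemaName(), newSchemaName);
    }

    /** Requires SELECT on the catalog. */
    @Override
    public void checkCanShowSchemas(Identity identity, String catalogName) {
        if (checkPermission(createResource(catalogName), identity, PrestoAccessType.SELECT)) {
            return;
        }
        logDenied("checkCanShowSchemas", catalogName);
        AccessDeniedException.denyShowSchemas(catalogName);
    }

    /**
     * Returns {@code schemaNames} unchanged: schema names are not filtered by Ranger policy and
     * remain visible even when access to the schema would be denied.
     */
    @Override
    public Set<String> filterSchemas(Identity identity, String catalogName, Set<String> schemaNames) {
        LOG.debug("==> RangerSystemAccessControl.filterSchemas(" + catalogName + ")");
        return schemaNames;
    }

    /** Requires CREATE on the table. */
    @Override
    public void checkCanCreateTable(Identity identity, CatalogSchemaTableName table) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.CREATE)) {
            return;
        }
        logDenied("checkCanCreateTable", table.getSchemaTableName().getTableName());
        AccessDeniedException.denyCreateTable(table.getSchemaTableName().getTableName());
    }

    /** Requires DROP on the table. */
    @Override
    public void checkCanDropTable(Identity identity, CatalogSchemaTableName table) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.DROP)) {
            return;
        }
        logDenied("checkCanDropTable", table.getSchemaTableName().getTableName());
        AccessDeniedException.denyDropTable(table.getSchemaTableName().getTableName());
    }

    /** Requires ALTER on the existing table; the target name is not checked. */
    @Override
    public void checkCanRenameTable(Identity identity, CatalogSchemaTableName table, CatalogSchemaTableName newTable) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.ALTER)) {
            return;
        }
        logDenied("checkCanRenameTable", table.getSchemaTableName().getTableName());
        AccessDeniedException.denyRenameTable(
                table.getSchemaTableName().getTableName(), newTable.getSchemaTableName().getTableName());
    }

    /** Requires SELECT on the schema. */
    @Override
    public void checkCanShowTablesMetadata(Identity identity, CatalogSchemaName schema) {
        if (checkPermission(createResource(schema), identity, PrestoAccessType.SELECT)) {
            return;
        }
        logDenied("checkCanShowTablesMetadata", schema.getSchemaName());
        AccessDeniedException.denyShowTablesMetadata(schema.getSchemaName());
    }

    /**
     * Returns {@code tableNames} unchanged: table names are not filtered by Ranger policy and
     * remain visible even when access to the table would be denied.
     */
    @Override
    public Set<SchemaTableName> filterTables(Identity identity, String catalogName, Set<SchemaTableName> tableNames) {
        LOG.debug("==> RangerSystemAccessControl.filterTables(" + catalogName + ")");
        return tableNames;
    }

    /** Requires ALTER on the table. */
    @Override
    public void checkCanAddColumn(Identity identity, CatalogSchemaTableName table) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.ALTER)) {
            return;
        }
        // Previously the only check that did not log its denial; kept consistent with the rest.
        logDenied("checkCanAddColumn", table.getSchemaTableName().getTableName());
        AccessDeniedException.denyAddColumn(table.getSchemaTableName().getTableName());
    }

    /** Requires ALTER on the table. */
    @Override
    public void checkCanDropColumn(Identity identity, CatalogSchemaTableName table) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.ALTER)) {
            return;
        }
        logDenied("checkCanDropColumn", table.getSchemaTableName().getTableName());
        AccessDeniedException.denyDropColumn(table.getSchemaTableName().getTableName());
    }

    /** Requires ALTER on the table. */
    @Override
    public void checkCanRenameColumn(Identity identity, CatalogSchemaTableName table) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.ALTER)) {
            return;
        }
        logDenied("checkCanRenameColumn", table.getSchemaTableName().getTableName());
        AccessDeniedException.denyRenameColumn(table.getSchemaTableName().getTableName());
    }

    /**
     * Requires SELECT on every named column; with an empty column set the check is made at
     * table level instead. The first denied column aborts the whole statement.
     */
    @Override
    public void checkCanSelectFromColumns(Identity identity, CatalogSchemaTableName table, Set<String> columns) {
        for (RangerPrestoResource resource : createResource(table, columns)) {
            if (!checkPermission(resource, identity, PrestoAccessType.SELECT)) {
                logDenied("checkCanSelectFromColumns", table.getSchemaTableName().getTableName());
                AccessDeniedException.denySelectColumns(table.getSchemaTableName().getTableName(), columns);
            }
        }
    }

    /** Requires INSERT on the table. */
    @Override
    public void checkCanInsertIntoTable(Identity identity, CatalogSchemaTableName table) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.INSERT)) {
            return;
        }
        logDenied("checkCanInsertIntoTable", table.getSchemaTableName().getTableName());
        AccessDeniedException.denyInsertTable(table.getSchemaTableName().getTableName());
    }

    /** Requires DELETE on the table. */
    @Override
    public void checkCanDeleteFromTable(Identity identity, CatalogSchemaTableName table) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.DELETE)) {
            return;
        }
        logDenied("checkCanDeleteFromTable", table.getSchemaTableName().getTableName());
        AccessDeniedException.denyDeleteTable(table.getSchemaTableName().getTableName());
    }

    /** Requires CREATE on the view. */
    @Override
    public void checkCanCreateView(Identity identity, CatalogSchemaTableName view) {
        if (checkPermission(createResource(view), identity, PrestoAccessType.CREATE)) {
            return;
        }
        logDenied("checkCanCreateView", view.getSchemaTableName().getTableName());
        AccessDeniedException.denyCreateView(view.getSchemaTableName().getTableName());
    }

    /** Requires DROP on the view. */
    @Override
    public void checkCanDropView(Identity identity, CatalogSchemaTableName view) {
        if (checkPermission(createResource(view), identity, PrestoAccessType.DROP)) {
            return;
        }
        logDenied("checkCanDropView", view.getSchemaTableName().getTableName());
        // Fix: the denial previously reported "cannot create view" for a DROP VIEW.
        AccessDeniedException.denyDropView(view.getSchemaTableName().getTableName());
    }

    /**
     * Requires CREATE on every named column of the underlying table (or on the table itself
     * when the column set is empty). The first denied column aborts the statement.
     */
    @Override
    public void checkCanCreateViewWithSelectFromColumns(Identity identity, CatalogSchemaTableName table, Set<String> columns) {
        for (RangerPrestoResource resource : createResource(table, columns)) {
            if (!checkPermission(resource, identity, PrestoAccessType.CREATE)) {
                // Fix: the denial was previously logged under the name checkCanDropView.
                logDenied("checkCanCreateViewWithSelectFromColumns", table.getSchemaTableName().getTableName());
                AccessDeniedException.denyCreateViewWithSelect(table.getSchemaTableName().getTableName(), identity);
            }
        }
    }

    /** Requires ADMIN on the catalog. */
    @Override
    public void checkCanSetCatalogSessionProperty(Identity identity, String catalogName, String propertyName) {
        if (checkPermission(createResource(catalogName), identity, PrestoAccessType.ADMIN)) {
            return;
        }
        // Fix: the denial was previously logged under the name checkCanSetSystemSessionProperty.
        logDenied("checkCanSetCatalogSessionProperty", catalogName);
        AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
    }

    /** Requires ADMIN on the table; the grantee and grant option are not consulted. */
    @Override
    public void checkCanGrantTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal grantee, boolean withGrantOption) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.ADMIN)) {
            return;
        }
        logDenied("checkCanGrantTablePrivilege", table);
        AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), table.toString());
    }

    /** Requires ADMIN on the table; the revokee and grant option are not consulted. */
    @Override
    public void checkCanRevokeTablePrivilege(Identity identity, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal revokee, boolean grantOptionFor) {
        if (checkPermission(createResource(table), identity, PrestoAccessType.ADMIN)) {
            return;
        }
        logDenied("checkCanRevokeTablePrivilege", table);
        AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), table.toString());
    }

    /** Requires ADMIN on the catalog. */
    @Override
    public void checkCanShowRoles(Identity identity, String catalogName) {
        if (checkPermission(createResource(catalogName), identity, PrestoAccessType.ADMIN)) {
            return;
        }
        logDenied("checkCanShowRoles", catalogName);
        AccessDeniedException.denyShowRoles(catalogName);
    }

    /** Schema-level resource. */
    private static RangerPrestoResource createResource(CatalogSchemaName schema) {
        return createResource(schema.getCatalogName(), schema.getSchemaName());
    }

    /** Table-level resource. */
    private static RangerPrestoResource createResource(CatalogSchemaTableName table) {
        return createResource(table.getCatalogName(),
                table.getSchemaTableName().getSchemaName(),
                table.getSchemaTableName().getTableName());
    }

    /** Catalog-level resource. */
    private static RangerPrestoResource createResource(String catalogName) {
        return new RangerPrestoResource(catalogName, Optional.empty(), Optional.empty());
    }

    /** Schema-level resource. */
    private static RangerPrestoResource createResource(String catalogName, String schemaName) {
        return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.empty());
    }

    /** Table-level resource. */
    private static RangerPrestoResource createResource(String catalogName, String schemaName, String tableName) {
        return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.of(tableName));
    }

    /** Table-level resource, optionally narrowed to a single column. */
    private static RangerPrestoResource createResource(String catalogName, String schemaName, String tableName, Optional<String> column) {
        return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.of(tableName), column);
    }

    /**
     * One resource per column of {@code table}, or a single table-level resource when
     * {@code columns} is null or empty. The returned list is never empty, so callers always
     * perform at least one permission check.
     */
    private static List<RangerPrestoResource> createResource(CatalogSchemaTableName table, Set<String> columns) {
        String catalogName = table.getCatalogName();
        String schemaName = table.getSchemaTableName().getSchemaName();
        String tableName = table.getSchemaTableName().getTableName();
        List<RangerPrestoResource> resources = new ArrayList<>();
        if (columns == null || columns.isEmpty()) {
            resources.add(createResource(catalogName, schemaName, tableName, Optional.empty()));
            return resources;
        }
        for (String column : columns) {
            resources.add(createResource(catalogName, schemaName, tableName, Optional.of(column)));
        }
        return resources;
    }
}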
