package org.teiid.dqp.internal.process;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import org.teiid.PolicyDecider;
import org.teiid.adminapi.DataPolicy;
import org.teiid.api.exception.query.QueryValidatorException;
import org.teiid.core.CoreConstants;
import org.teiid.core.TeiidComponentException;
import org.teiid.core.types.DataTypeManager;
import org.teiid.core.types.TransformationException;
import org.teiid.core.util.PropertiesUtils;
import org.teiid.dqp.internal.process.AuthorizationValidator;
import org.teiid.dqp.internal.process.multisource.MultiSourceElement;
import org.teiid.metadata.AbstractMetadataRecord;
import org.teiid.metadata.FunctionMethod;
import org.teiid.metadata.Procedure;
import org.teiid.metadata.Schema;
import org.teiid.query.QueryPlugin;
import org.teiid.query.metadata.QueryMetadataInterface;
import org.teiid.query.metadata.TempMetadataID;
import org.teiid.query.sql.lang.Command;
import org.teiid.query.sql.lang.Query;
import org.teiid.query.sql.symbol.ElementSymbol;
import org.teiid.query.sql.symbol.Expression;
import org.teiid.query.sql.symbol.MultipleElementSymbol;
import org.teiid.query.util.CommandContext;

/* loaded from: input_file:BOOT-INF/lib/teiid-engine-12.2.2.fuse-740008-redhat-00001.jar:org/teiid/dqp/internal/process/DefaultAuthorizationValidator.class */
/**
 * {@link AuthorizationValidator} that delegates every permission decision to a
 * {@link PolicyDecider}.
 *
 * <p>Security note: every check in this class is skipped when no policy decider has been
 * set. In that state {@link #validate} returns without running the authorization visitor,
 * and {@link #hasRole} and {@link #isAccessible} both answer {@code true}. Deployments that
 * rely on this class for enforcement must therefore make sure
 * {@link #setPolicyDecider(PolicyDecider)} is called with a non-null decider.
 */
public class DefaultAuthorizationValidator implements AuthorizationValidator {
    /** Session variable that lets a session opt in to pruning unreadable columns from {@code *}. */
    public static final String IGNORE_UNAUTHORIZED_ASTERISK = "ignore_unauthorized_asterisk";

    private PolicyDecider policyDecider;

    // Default for the asterisk-pruning behaviour, read from "org.teiid.ignoreUnauthorizedAsterisk"
    // (false when the property is not set).
    private boolean ignoreUnauthorizedAsteriskDefault =
            (Boolean) PropertiesUtils.getHierarchicalProperty("org.teiid.ignoreUnauthorizedAsterisk", false, Boolean.class);

    // Whether metadata visibility is permission-checked at all, read from
    // "org.teiid.metadataRequiresPermission" (true when the property is not set).
    private boolean metadataRequiresPermission =
            (Boolean) PropertiesUtils.getHierarchicalProperty("org.teiid.metadataRequiresPermission", true, Boolean.class);

    /**
     * Overrides the property-derived setting that controls whether {@link #isAccessible}
     * performs permission checks. Passing {@code false} makes all metadata visible.
     *
     * @param z the new value of the flag
     */
    public void setMetadataRequiresPermission(boolean z) {
        this.metadataRequiresPermission = z;
    }

    /**
     * Authorizes a command against the configured policy decider.
     *
     * <p>When asterisk pruning applies (see {@code ignoreUnathorizedInAsterisk}), columns that
     * fail a READ check in the QUERY context are removed from each {@link MultipleElementSymbol}
     * in the select clause before the authorization visitor runs, so the caller gets a narrower
     * projection instead of an authorization failure. Multi-source and temp-metadata elements
     * are never pruned.
     *
     * <p>{@code strArr} and {@code commandType} are not read by this implementation.
     *
     * @return {@code true} if at least one column was pruned from the command; {@code false}
     *         otherwise, including when no policy decider is set or the decider's
     *         {@code validateCommand} returns {@code false}
     * @throws QueryValidatorException with event TEIID31151 if pruning leaves the query with no
     *         projected symbols, or as raised by the authorization visitor
     * @throws TeiidComponentException as raised by the authorization visitor
     */
    @Override
    public boolean validate(String[] strArr, Command command, QueryMetadataInterface queryMetadataInterface, CommandContext commandContext, AuthorizationValidator.CommandType commandType) throws QueryValidatorException, TeiidComponentException {
        // No decider, or the decider declines to validate this command: nothing is checked.
        if (this.policyDecider == null || !this.policyDecider.validateCommand(commandContext)) {
            return false;
        }

        boolean prunedAny = false;
        if (ignoreUnathorizedInAsterisk(command, commandContext)) {
            Query query = (Query) command;
            HashMap nameMap = null;
            for (Expression selected : query.getSelect().getSymbols()) {
                if (!(selected instanceof MultipleElementSymbol)) {
                    continue;
                }
                if (nameMap == null) {
                    nameMap = new HashMap();
                }
                Iterator<ElementSymbol> columns = ((MultipleElementSymbol) selected).getElementSymbols().iterator();
                while (columns.hasNext()) {
                    ElementSymbol column = columns.next();
                    Object metadataId = column.getMetadataID();
                    if (metadataId instanceof MultiSourceElement || metadataId instanceof TempMetadataID) {
                        continue;
                    }
                    // The map is reused as scratch space: one column is checked per decider call.
                    nameMap.clear();
                    AuthorizationValidationVisitor.addToNameMap(metadataId, column, nameMap, commandContext.getMetadata());
                    boolean readable = this.policyDecider
                            .getInaccessibleResources(DataPolicy.PermissionType.READ, nameMap.keySet(), DataPolicy.Context.QUERY, commandContext)
                            .isEmpty();
                    if (!readable) {
                        columns.remove();
                        prunedAny = true;
                    }
                }
            }
            // Pruning must not silently produce a query that projects nothing.
            if (query.getProjectedSymbols().isEmpty()) {
                throw new QueryValidatorException(QueryPlugin.Util.gs(QueryPlugin.Event.TEIID31151, new Object[0]));
            }
        }

        // The full authorization pass still runs on the (possibly pruned) command.
        Request.validateWithVisitor(new AuthorizationValidationVisitor(this.policyDecider, commandContext), queryMetadataInterface, command);
        return prunedAny;
    }

    /**
     * Decides whether unreadable columns may be dropped from asterisk expansions for this command.
     *
     * <p>Only a {@link Query} without an INTO clause qualifies. For such a query the answer is
     * {@code true} when the property-derived default is on, or when the session variable
     * {@link #IGNORE_UNAUTHORIZED_ASTERISK} converts to boolean {@code true}.
     */
    private boolean ignoreUnathorizedInAsterisk(Command command, CommandContext commandContext) {
        boolean plainQuery = command instanceof Query && ((Query) command).getInto() == null;
        if (!plainQuery) {
            return false;
        }
        if (this.ignoreUnauthorizedAsteriskDefault) {
            return true;
        }
        Object sessionValue = commandContext.getSessionVariable(IGNORE_UNAUTHORIZED_ASTERISK);
        if (sessionValue == null) {
            return false;
        }
        try {
            Object asBoolean = DataTypeManager.transformValue(sessionValue, DataTypeManager.DefaultDataClasses.BOOLEAN);
            return Boolean.TRUE.equals(asBoolean);
        } catch (TransformationException ignored) {
            // A session value that cannot be converted to boolean is treated as "not enabled".
            return false;
        }
    }

    /**
     * Reports whether the caller holds the named role.
     *
     * @return the decider's answer, or {@code true} for every role when no decider is set
     */
    @Override
    public boolean hasRole(String str, CommandContext commandContext) {
        return this.policyDecider == null || this.policyDecider.hasRole(str, commandContext);
    }

    /**
     * Installs the decider used for all checks. A {@code null} decider disables every check
     * performed by this class.
     */
    public void setPolicyDecider(PolicyDecider policyDecider) {
        this.policyDecider = policyDecider;
    }

    /**
     * Decides whether a metadata record should be visible to the caller.
     *
     * <p>The record is always reported accessible when no decider is set, when the decider's
     * {@code validateCommand} returns {@code false}, when metadata permission checks are switched
     * off, when any ancestor is a {@link Procedure}, when the topmost ancestor is not a
     * {@link Schema}, or when that schema is named {@code "SYS"} or
     * {@code CoreConstants.ODBC_MODEL} (compared case-insensitively).
     *
     * <p>Otherwise a {@link Schema} is accessible if at least one of its tables passes a READ
     * check or one of its procedures or functions passes an EXECUTE check; any other record is
     * checked directly, with EXECUTE for functions and procedures and READ for everything else.
     * The outcome is stored on the command context and reused on later calls.
     */
    @Override
    public boolean isAccessible(AbstractMetadataRecord abstractMetadataRecord, CommandContext commandContext) {
        if (this.policyDecider == null || !this.policyDecider.validateCommand(commandContext) || !this.metadataRequiresPermission) {
            return true;
        }

        // Climb to the topmost ancestor; anything nested under a procedure is visible.
        AbstractMetadataRecord root = abstractMetadataRecord;
        for (AbstractMetadataRecord parent = root.getParent(); parent != null; parent = root.getParent()) {
            root = parent;
            if (root instanceof Procedure) {
                return true;
            }
        }
        if (!(root instanceof Schema)) {
            return true;
        }
        String schemaName = root.getName();
        if ("SYS".equalsIgnoreCase(schemaName) || CoreConstants.ODBC_MODEL.equalsIgnoreCase(schemaName)) {
            return true;
        }

        // Single scratch set shared by every decider call made below.
        HashSet<String> scratch = new HashSet<>(2);
        boolean accessible;
        if (abstractMetadataRecord instanceof Schema) {
            Boolean cached = commandContext.isAccessible(abstractMetadataRecord);
            if (cached != null) {
                return cached;
            }
            Schema schema = (Schema) abstractMetadataRecord;
            // Short-circuits in the same order as before: tables, then procedures, then functions.
            accessible = schema.getTables().entrySet().stream().anyMatch(member ->
                            isAccessibleInternal((AbstractMetadataRecord) member.getValue(), commandContext, scratch, DataPolicy.PermissionType.READ))
                    || schema.getProcedures().entrySet().stream().anyMatch(member ->
                            isAccessibleInternal((AbstractMetadataRecord) member.getValue(), commandContext, scratch, DataPolicy.PermissionType.EXECUTE))
                    || schema.getFunctions().entrySet().stream().anyMatch(member ->
                            isAccessibleInternal((AbstractMetadataRecord) member.getValue(), commandContext, scratch, DataPolicy.PermissionType.EXECUTE));
        } else {
            DataPolicy.PermissionType required =
                    (abstractMetadataRecord instanceof FunctionMethod || abstractMetadataRecord instanceof Procedure)
                            ? DataPolicy.PermissionType.EXECUTE
                            : DataPolicy.PermissionType.READ;
            accessible = isAccessibleInternal(abstractMetadataRecord, commandContext, scratch, required);
        }
        commandContext.setAccessible(abstractMetadataRecord, Boolean.valueOf(accessible));
        return accessible;
    }

    /**
     * Checks one record against the decider in the METADATA context.
     *
     * <p>A decision already stored on the command context is returned as-is. This method reads
     * that cache but does not write to it. The supplied set is cleared and reused as the
     * single-element resource list, keyed by the record's full name.
     */
    private boolean isAccessibleInternal(AbstractMetadataRecord abstractMetadataRecord, CommandContext commandContext, HashSet<String> hashSet, DataPolicy.PermissionType permissionType) {
        Boolean cached = commandContext.isAccessible(abstractMetadataRecord);
        if (cached == null) {
            hashSet.clear();
            hashSet.add(abstractMetadataRecord.getFullName());
            return this.policyDecider
                    .getInaccessibleResources(permissionType, hashSet, DataPolicy.Context.METADATA, commandContext)
                    .isEmpty();
        }
        return cached;
    }
}
