package org.apache.cassandra.auth;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.cassandra.config.Schema;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Marker;

/* loaded from: input_file:cassandra.zip:lib/apache-cassandra-1.2.18-jboss-1.jar:org/apache/cassandra/auth/CassandraAuthorizer.class */
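/**
 * {@link IAuthorizer} that keeps grants in the {@code permissions} table of the auth keyspace,
 * one row per (username, resource) pair holding a set of permission names.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #authorize} fails closed: a {@link RequestExecutionException} while reading the
 *       table yields {@link Permission#NONE}, never a cached or default grant.</li>
 *   <li>Superusers short-circuit to {@link Permission#ALL} without touching the table.</li>
 *   <li>{@link #authorize} reads at {@code LOCAL_ONE} while every other statement runs at
 *       {@code ONE}; neither level guarantees that a read sees the latest write, so a revoke
 *       should be treated as eventually effective rather than immediate.</li>
 *   <li>All statements except the prepared authorize query are built with
 *       {@link String#format}; {@link #escape} is the only thing keeping a user or resource name
 *       from terminating its CQL string literal, so every interpolated name must pass through it.</li>
 * </ul>
 */
public class CassandraAuthorizer implements IAuthorizer {
    private static final String USERNAME = "username";
    private static final String RESOURCE = "resource";
    private static final String PERMISSIONS = "permissions";
    private static final String PERMISSIONS_CF = "permissions";

    // Prepared in setup(); authorize() dereferences it unconditionally, so setup() must run first.
    private SelectStatement authorizeStatement;
    private static final Logger logger = LoggerFactory.getLogger(CassandraAuthorizer.class);

    // gc_grace_seconds of 7776000 is 90 days (90 * 24 * 60 * 60).
    private static final String PERMISSIONS_CF_SCHEMA = String.format("CREATE TABLE %s.%s (username text,resource text,permissions set<text>,PRIMARY KEY(username, resource)) WITH gc_grace_seconds=%d", Auth.AUTH_KS, PERMISSIONS_CF, 7776000);

    /**
     * Returns the permissions the given user holds on the given resource.
     *
     * @param authenticatedUser the user whose permissions are looked up
     * @param resource the resource being accessed; matched by exact name only
     * @return {@link Permission#ALL} for a superuser; {@link Permission#NONE} when no row exists,
     *         the row has no permissions value, or the read fails; otherwise the stored set
     * @throws IllegalArgumentException if the stored set holds a name that is not a
     *         {@link Permission} constant (raised by {@code Permission.valueOf})
     */
    @Override
    public Set<Permission> authorize(AuthenticatedUser authenticatedUser, IResource resource) {
        if (authenticatedUser.isSuper()) {
            return Permission.ALL;
        }
        try {
            // Bound parameters: user and resource names never become part of the statement text here.
            UntypedResultSet result = new UntypedResultSet(this.authorizeStatement.execute(ConsistencyLevel.LOCAL_ONE, new QueryState(new ClientState(true)), (List<ByteBuffer>) Lists.newArrayList(ByteBufferUtil.bytes(authenticatedUser.getName()), ByteBufferUtil.bytes(resource.getName()))).result);
            if (result.isEmpty() || !result.one().has(PERMISSIONS)) {
                return Permission.NONE;
            }
            EnumSet<Permission> granted = EnumSet.noneOf(Permission.class);
            for (String name : result.one().getSet(PERMISSIONS, UTF8Type.instance)) {
                granted.add(Permission.valueOf(name));
            }
            return granted;
        } catch (RequestExecutionException e) {
            // Fail closed: an unreadable permissions table must not grant anything.
            logger.warn("CassandraAuthorizer failed to authorize {} for {}", authenticatedUser, resource);
            return Permission.NONE;
        } catch (RequestValidationException e) {
            // The statement was prepared from a fixed string in setup(); rejection is a programming error.
            throw new AssertionError(e);
        }
    }

    /**
     * Adds the given permissions to the row for (username, resource).
     *
     * <p>NOTE(review): {@code authenticatedUser} is not consulted here; presumably the caller has
     * already verified that the performer may grant on this resource - confirm at the call site.
     *
     * @param authenticatedUser the user performing the grant (unused in this method)
     * @param permissions the permissions to add
     * @param resource the resource the permissions apply to
     * @param username the user receiving the permissions
     * @throws RequestExecutionException if the update cannot be executed
     */
    @Override
    public void grant(AuthenticatedUser authenticatedUser, Set<Permission> permissions, IResource resource, String username) throws RequestExecutionException {
        modify(permissions, resource, username, "+");
    }

    /**
     * Removes the given permissions from the row for (username, resource).
     *
     * <p>NOTE(review): {@code authenticatedUser} is not consulted here; presumably the caller has
     * already verified that the performer may revoke on this resource - confirm at the call site.
     *
     * @param authenticatedUser the user performing the revoke (unused in this method)
     * @param permissions the permissions to remove
     * @param resource the resource the permissions apply to
     * @param username the user losing the permissions
     * @throws RequestExecutionException if the update cannot be executed
     */
    @Override
    public void revoke(AuthenticatedUser authenticatedUser, Set<Permission> permissions, IResource resource, String username) throws RequestExecutionException {
        modify(permissions, resource, username, "-");
    }

    /**
     * Applies a set-add ("+") or set-remove ("-") UPDATE to the permissions column of one row.
     *
     * @param permissions the permission names to add or remove
     * @param resource the resource half of the row key
     * @param username the username half of the row key
     * @param op the CQL set operator, "+" or "-"; only ever supplied by grant() and revoke()
     * @throws RequestExecutionException if the update cannot be executed
     */
    private void modify(Set<Permission> permissions, IResource resource, String username, String op) throws RequestExecutionException {
        if (permissions.isEmpty()) {
            // An empty set would render as {''} and, on grant, store an empty-string element
            // that Permission.valueOf cannot parse when the row is read back.
            return;
        }
        // Set elements are rendered from Permission values, not from caller-supplied strings;
        // the username and resource name are the only free-form inputs and both are escaped.
        String quotedPermissions = "'" + StringUtils.join(permissions, "','") + "'";
        process(String.format("UPDATE %s.%s SET permissions = permissions %s {%s} WHERE username = '%s' AND resource = '%s'", Auth.AUTH_KS, PERMISSIONS_CF, op, quotedPermissions, escape(username), escape(resource.getName())));
    }

    /**
     * Lists stored grants, filtered by permission, and optionally by resource and user.
     *
     * <p>Only a superuser, or the user named by {@code username}, may list. A null
     * {@code username} means "everyone" and is therefore available to superusers only.
     *
     * @param authenticatedUser the user asking for the listing
     * @param permissions only grants of these permissions are returned
     * @param resource restricts the listing to this exact resource name, or null for all
     * @param username restricts the listing to this user, or null for all
     * @return the matching grants; empty when none match
     * @throws UnauthorizedException (a RequestValidationException) if a non-superuser asks for
     *         another user's permissions
     * @throws RequestExecutionException if the query cannot be executed
     * @throws IllegalArgumentException if a stored name is not a {@link Permission} constant
     */
    @Override
    public Set<PermissionDetails> list(AuthenticatedUser authenticatedUser, Set<Permission> permissions, IResource resource, String username) throws RequestValidationException, RequestExecutionException {
        if (!authenticatedUser.isSuper() && !authenticatedUser.getName().equals(username)) {
            throw new UnauthorizedException(String.format("You are not authorized to view %s's permissions", username == null ? "everyone" : username));
        }
        Set<PermissionDetails> details = new HashSet<PermissionDetails>();
        for (UntypedResultSet.Row row : process(buildListQuery(resource, username))) {
            if (!row.has(PERMISSIONS)) {
                continue;
            }
            for (String name : row.getSet(PERMISSIONS, UTF8Type.instance)) {
                Permission permission = Permission.valueOf(name);
                if (permissions.contains(permission)) {
                    details.add(new PermissionDetails(row.getString(USERNAME), DataResource.fromName(row.getString(RESOURCE)), permission));
                }
            }
        }
        return details;
    }

    /**
     * Builds the SELECT used by list(), adding a WHERE clause for each non-null filter.
     *
     * @param resource resource filter, or null for none
     * @param username username filter, or null for none
     * @return the complete CQL text, with both filter values escaped
     */
    private static String buildListQuery(IResource resource, String username) {
        List<String> formatArgs = Lists.newArrayList(Auth.AUTH_KS, PERMISSIONS_CF);
        List<String> conditions = new ArrayList<String>();
        if (resource != null) {
            conditions.add("resource = '%s'");
            formatArgs.add(escape(resource.getName()));
        }
        if (username != null) {
            conditions.add("username = '%s'");
            formatArgs.add(escape(username));
        }
        String query = "SELECT username, resource, permissions FROM %s.%s";
        if (!conditions.isEmpty()) {
            query = query + " WHERE " + StringUtils.join(conditions, " AND ");
        }
        if (resource != null && username == null) {
            // resource is the second primary-key column; restricting on it alone needs ALLOW FILTERING.
            query = query + " ALLOW FILTERING";
        }
        // Escaped values are passed as format arguments, so a '%' inside a name is not
        // interpreted as a format specifier.
        return String.format(query, formatArgs.toArray());
    }

    /**
     * Deletes every grant held by the given user.
     *
     * <p>Best effort: any failure is logged at WARN and swallowed, so the rows may survive.
     * NOTE(review): surviving rows would presumably apply to a later user created under the
     * same name - worth alerting on this log line.
     *
     * @param username the user whose grants are removed
     */
    @Override
    public void revokeAll(String username) {
        try {
            process(String.format("DELETE FROM %s.%s WHERE username = '%s'", Auth.AUTH_KS, PERMISSIONS_CF, escape(username)));
        } catch (Throwable th) {
            logger.warn("CassandraAuthorizer failed to revoke all permissions of {}: {}", username, th);
        }
    }

    /**
     * Deletes every grant on the given resource, one user row at a time.
     *
     * <p>Best effort: a failed lookup, or a failed delete for one user, is logged at WARN and
     * swallowed; the remaining users are still processed. NOTE(review): surviving rows would
     * presumably apply to a later resource created under the same name.
     *
     * @param resource the resource whose grants are removed; matched by exact name
     */
    @Override
    public void revokeAll(IResource resource) {
        try {
            for (UntypedResultSet.Row row : process(String.format("SELECT username FROM %s.%s WHERE resource = '%s' ALLOW FILTERING", Auth.AUTH_KS, PERMISSIONS_CF, escape(resource.getName())))) {
                try {
                    process(String.format("DELETE FROM %s.%s WHERE username = '%s' AND resource = '%s'", Auth.AUTH_KS, PERMISSIONS_CF, escape(row.getString(USERNAME)), escape(resource.getName())));
                } catch (Throwable th) {
                    // Keep going: one failed delete must not leave the other users' grants in place.
                    logger.warn("CassandraAuthorizer failed to revoke all permissions on {}: {}", resource, th);
                }
            }
        } catch (Throwable th) {
            logger.warn("CassandraAuthorizer failed to revoke all permissions on {}: {}", resource, th);
        }
    }

    /**
     * Returns the permissions table itself as the single protected resource.
     *
     * <p>NOTE(review): presumably the caller uses this to keep non-superusers from writing grants
     * directly into the table - confirm against the IAuthorizer contract.
     */
    @Override
    public Set<DataResource> protectedResources() {
        return ImmutableSet.of(DataResource.columnFamily(Auth.AUTH_KS, PERMISSIONS_CF));
    }

    /** No configuration to validate for this authorizer. */
    @Override
    public void validateConfiguration() throws ConfigurationException {
    }

    /**
     * Creates the permissions table when the schema does not know it yet, then prepares the
     * parameterised SELECT that authorize() executes.
     *
     * @throws AssertionError if the table cannot be created or the fixed SELECT is rejected
     */
    @Override
    public void setup() {
        if (Schema.instance.getCFMetaData(Auth.AUTH_KS, PERMISSIONS_CF) == null) {
            try {
                process(PERMISSIONS_CF_SCHEMA);
            } catch (RequestExecutionException e) {
                throw new AssertionError(e);
            }
        }
        try {
            this.authorizeStatement = (SelectStatement) QueryProcessor.parseStatement(String.format("SELECT permissions FROM %s.%s WHERE username = ? AND resource = ?", Auth.AUTH_KS, PERMISSIONS_CF)).prepare().statement;
        } catch (RequestValidationException e) {
            throw new AssertionError(e);
        }
    }

    /**
     * Doubles every single quote so the value can sit inside a single-quoted CQL string literal.
     * This is the only sanitisation applied to names interpolated into statement text.
     */
    private static String escape(String name) {
        return StringUtils.replace(name, "'", "''");
    }

    /** Executes the given CQL text at consistency level ONE. */
    private static UntypedResultSet process(String query) throws RequestExecutionException {
        return QueryProcessor.process(query, ConsistencyLevel.ONE);
    }
}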
