package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import jodd.util.StringPool;
import org.apache.calcite.avatica.org.apache.http.client.methods.HttpDelete;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.metastore.api.HiveObjectType;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.messaging.MessageFactory;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.thrift.TException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.class */
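/**
 * Static helpers used by the SQL standard authorization plugin: translation between plugin-level
 * and thrift-level privilege objects, privilege lookup from the metastore and from file system
 * permissions, principal validation, and construction of "permission denied" errors.
 *
 * <p>This listing is decompiler output. Parameter names are synthetic, and several members carry
 * a note that their access modifier was widened from package-private.
 */
public class SQLAuthorizationUtils {
    /**
     * Allow-list of privilege names accepted by {@link #getThriftPrivilegesBag}. The names are
     * written as literals so the allow-list does not depend on constants of unrelated libraries
     * (the decompiled form referenced {@code MessageFactory.INSERT_EVENT} and
     * {@code HttpDelete.METHOD_NAME}, which only coincide in value with "INSERT" and "DELETE").
     */
    private static final String[] SUPPORTED_PRIVS = {"INSERT", "UPDATE", "DELETE", "SELECT"};
    private static final Set<String> SUPPORTED_PRIVS_SET = new HashSet<String>(Arrays.asList(SUPPORTED_PRIVS));
    public static final Logger LOG = LoggerFactory.getLogger(SQLAuthorizationUtils.class);

    /**
     * Builds the thrift {@link PrivilegeBag} holding one entry per (principal, privilege) pair.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     *
     * @param list principals the privileges apply to
     * @param list2 privileges to convert; column-level privileges and names outside the
     *     supported set are rejected
     * @param hivePrivilegeObject object the privileges are on
     * @param hivePrincipal passed through to the grant-info conversion (presumably the grantor;
     *     confirm against AuthorizationUtils)
     * @param z passed through to the grant-info conversion (presumably the grant option flag;
     *     confirm against AuthorizationUtils)
     * @return the populated bag
     * @throws HiveAuthzPluginException if a privilege names columns, is not in the supported
     *     set, or cannot be converted
     */
    public static PrivilegeBag getThriftPrivilegesBag(List<HivePrincipal> list, List<HivePrivilege> list2, HivePrivilegeObject hivePrivilegeObject, HivePrincipal hivePrincipal, boolean z) throws HiveAuthzPluginException {
        HiveObjectRef objectRef = getThriftHiveObjectRef(hivePrivilegeObject);
        PrivilegeBag bag = new PrivilegeBag();
        for (HivePrivilege privilege : list2) {
            if (privilege.getColumns() != null && !privilege.getColumns().isEmpty()) {
                throw new HiveAuthzPluginException("Privileges on columns not supported currently in sql standard authorization mode");
            }
            // Locale.US keeps the upper-casing of the privilege name independent of the JVM default locale.
            if (!SUPPORTED_PRIVS_SET.contains(privilege.getName().toUpperCase(Locale.US))) {
                throw new HiveAuthzPluginException("Privilege: " + privilege.getName() + " is not supported in sql standard authorization mode");
            }
            PrivilegeGrantInfo grantInfo = getThriftPrivilegeGrantInfo(privilege, hivePrincipal, z, 0);
            for (HivePrincipal principal : list) {
                bag.addToPrivileges(new HiveObjectPrivilege(objectRef, principal.getName(), AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo));
            }
        }
        return bag;
    }

    /**
     * Delegates to {@link AuthorizationUtils#getThriftPrivilegeGrantInfo} and rewraps a
     * {@link HiveException} as a {@link HiveAuthzPluginException}, keeping the cause.
     */
    static PrivilegeGrantInfo getThriftPrivilegeGrantInfo(HivePrivilege hivePrivilege, HivePrincipal hivePrincipal, boolean z, int i) throws HiveAuthzPluginException {
        try {
            return AuthorizationUtils.getThriftPrivilegeGrantInfo(hivePrivilege, hivePrincipal, z, i);
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Delegates to {@link AuthorizationUtils#getThriftHiveObjectRef} and rewraps a
     * {@link HiveException} as a {@link HiveAuthzPluginException}, keeping the cause.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     */
    public static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject hivePrivilegeObject) throws HiveAuthzPluginException {
        try {
            return AuthorizationUtils.getThriftHiveObjectRef(hivePrivilegeObject);
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Maps a thrift object type to the plugin object type.
     *
     * @throws HiveAuthzPluginException for COLUMN, GLOBAL and PARTITION, which have no mapping here
     * @throws AssertionError for any other value
     */
    static HivePrivilegeObject.HivePrivilegeObjectType getPluginObjType(HiveObjectType hiveObjectType) throws HiveAuthzPluginException {
        switch (hiveObjectType) {
            case DATABASE:
                return HivePrivilegeObject.HivePrivilegeObjectType.DATABASE;
            case TABLE:
                return HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW;
            case COLUMN:
            case GLOBAL:
            case PARTITION:
                throw new HiveAuthzPluginException("Unsupported object type " + hiveObjectType);
            default:
                throw new AssertionError("Unexpected object type " + hiveObjectType);
        }
    }

    /**
     * Rejects privileges that name columns and resolves each privilege name through
     * {@code SQLPrivilegeType.getRequirePrivilege}; the resolved value is discarded, so the call
     * is made only for whatever validation it performs (presumably it throws on unknown names;
     * confirm against SQLPrivilegeType).
     *
     * @throws HiveAuthzPluginException if a privilege names columns or the lookup fails
     */
    public static void validatePrivileges(List<HivePrivilege> list) throws HiveAuthzPluginException {
        for (HivePrivilege privilege : list) {
            if (privilege.getColumns() != null && !privilege.getColumns().isEmpty()) {
                throw new HiveAuthzPluginException("Privilege with columns are not currently supported with sql standard authorization:" + privilege);
            }
            SQLPrivilegeType.getRequirePrivilege(privilege.getName());
        }
    }

    /**
     * Collects the privileges a user holds on an object according to the metastore.
     *
     * <p>The result combines the user's direct privileges, the privileges of the roles listed in
     * {@code list}, {@code OWNER_PRIV} when {@link #isOwner} holds, and {@code ADMIN_PRIV} when
     * {@code z} is true.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     *
     * @param iMetaStoreClient metastore client used for the lookups
     * @param str user name
     * @param hivePrivilegeObject object being checked; a null thrift object type is treated as GLOBAL
     * @param list role names whose privileges are kept (presumably the session's current roles;
     *     confirm with caller)
     * @param z when true, ADMIN_PRIV is added unconditionally (presumably "user is in admin
     *     role"; confirm with caller)
     * @throws HiveAuthzPluginException if the metastore lookup or the conversion fails
     */
    public static RequiredPrivileges getPrivilegesFromMetaStore(IMetaStoreClient iMetaStoreClient, String str, HivePrivilegeObject hivePrivilegeObject, List<String> list, boolean z) throws HiveAuthzPluginException {
        // Stays null only if the metastore call itself returns null: every catch below rethrows.
        // NOTE(review): a null result would surface as a NullPointerException in
        // getRequiredPrivsFromThrift rather than as a plugin exception; confirm whether the
        // client can return null here.
        PrincipalPrivilegeSet privilegeSet = null;
        try {
            HiveObjectRef objectRef = AuthorizationUtils.getThriftHiveObjectRef(hivePrivilegeObject);
            if (objectRef.getObjectType() == null) {
                objectRef.setObjectType(HiveObjectType.GLOBAL);
            }
            privilegeSet = iMetaStoreClient.get_privilege_set(objectRef, str, null);
        } catch (MetaException e) {
            throwGetPrivErr(e, hivePrivilegeObject, str);
        } catch (HiveException e) {
            throwGetPrivErr(e, hivePrivilegeObject, str);
        } catch (TException e) {
            throwGetPrivErr(e, hivePrivilegeObject, str);
        }
        // Drop privileges that come from roles not named in `list` before they are counted.
        filterPrivsByCurrentRoles(privilegeSet, list);
        RequiredPrivileges available = getRequiredPrivsFromThrift(privilegeSet);
        if (isOwner(iMetaStoreClient, str, list, hivePrivilegeObject)) {
            available.addPrivilege(SQLPrivTypeGrant.OWNER_PRIV);
        }
        if (z) {
            available.addPrivilege(SQLPrivTypeGrant.ADMIN_PRIV);
        }
        return available;
    }

    /**
     * Replaces the role privileges of {@code principalPrivilegeSet} with only the entries whose
     * role name appears in {@code list}. Does nothing when the set or its role privileges are
     * null or empty.
     */
    private static void filterPrivsByCurrentRoles(PrincipalPrivilegeSet principalPrivilegeSet, List<String> list) {
        if (principalPrivilegeSet == null || principalPrivilegeSet.getRolePrivileges() == null || principalPrivilegeSet.getRolePrivilegesSize() == 0) {
            return;
        }
        Map<String, List<PrivilegeGrantInfo>> kept = new HashMap<String, List<PrivilegeGrantInfo>>();
        for (String role : list) {
            List<PrivilegeGrantInfo> grants = principalPrivilegeSet.getRolePrivileges().get(role);
            if (grants != null) {
                kept.put(role, grants);
            }
        }
        principalPrivilegeSet.setRolePrivileges(kept);
    }

    /**
     * Decides whether the user counts as owner of the object.
     *
     * <ul>
     *   <li>TABLE_OR_VIEW: the user name must equal the table owner; roles are not consulted.</li>
     *   <li>DATABASE: any user is treated as owner of the database named "default"
     *       (case-insensitive). Otherwise a USER owner is compared with the user name and a ROLE
     *       owner is looked up in {@code list}; any other owner type is logged and denied.</li>
     *   <li>Every other object type: not an owner.</li>
     * </ul>
     *
     * @throws HiveAuthzPluginException if the table or database cannot be fetched
     */
    private static boolean isOwner(IMetaStoreClient iMetaStoreClient, String str, List<String> list, HivePrivilegeObject hivePrivilegeObject) throws HiveAuthzPluginException {
        switch (hivePrivilegeObject.getType()) {
            case TABLE_OR_VIEW:
                Table table = null;
                try {
                    table = iMetaStoreClient.getTable(hivePrivilegeObject.getDbname(), hivePrivilegeObject.getObjectName());
                } catch (Exception e) {
                    // Always throws, so `table` is assigned whenever execution continues.
                    throwGetObjErr(e, hivePrivilegeObject);
                }
                return str.equals(table.getOwner());
            case DATABASE:
                // Ownership of "default" is granted without a metastore lookup.
                if ("default".equalsIgnoreCase(hivePrivilegeObject.getDbname())) {
                    return true;
                }
                Database database = null;
                try {
                    database = iMetaStoreClient.getDatabase(hivePrivilegeObject.getDbname());
                } catch (Exception e) {
                    // Always throws, so `database` is assigned whenever execution continues.
                    throwGetObjErr(e, hivePrivilegeObject);
                }
                if (database.getOwnerType() == PrincipalType.USER) {
                    return str.equals(database.getOwnerName());
                }
                if (database.getOwnerType() == PrincipalType.ROLE) {
                    return list.contains(database.getOwnerName());
                }
                LOG.warn("Owner of database " + database.getName() + " is of unsupported type " + database.getOwnerType());
                return false;
            case DFS_URI:
            case LOCAL_URI:
            case PARTITION:
            default:
                return false;
        }
    }

    /** Always throws: wraps a failed metastore object lookup, keeping the cause. */
    private static void throwGetObjErr(Exception exc, HivePrivilegeObject hivePrivilegeObject) throws HiveAuthzPluginException {
        throw new HiveAuthzPluginException("Error getting object from metastore for " + hivePrivilegeObject, exc);
    }

    /**
     * Always throws: wraps a failed privilege lookup, keeping the cause. The message includes
     * the object, the user name and the cause's message.
     */
    private static void throwGetPrivErr(Exception exc, HivePrivilegeObject hivePrivilegeObject, String str) throws HiveAuthzPluginException {
        throw new HiveAuthzPluginException("Error getting privileges on " + hivePrivilegeObject + " for " + str + ": " + exc.getMessage(), exc);
    }

    /**
     * Converts a thrift privilege set into {@link RequiredPrivileges}, adding user privileges
     * first and role privileges second.
     *
     * @throws HiveAuthzPluginException if the user privilege map is non-null and does not hold
     *     exactly one entry
     */
    private static RequiredPrivileges getRequiredPrivsFromThrift(PrincipalPrivilegeSet principalPrivilegeSet) throws HiveAuthzPluginException {
        RequiredPrivileges collected = new RequiredPrivileges();
        Map<String, List<PrivilegeGrantInfo>> userPrivileges = principalPrivilegeSet.getUserPrivileges();
        // The lookup is made for a single user, so any other entry count is treated as an error.
        if (userPrivileges != null && userPrivileges.size() != 1) {
            throw new HiveAuthzPluginException("Invalid number of user privilege objects: " + userPrivileges.size());
        }
        addRequiredPrivs(collected, userPrivileges);
        addRequiredPrivs(collected, principalPrivilegeSet.getRolePrivileges());
        return collected;
    }

    /**
     * Adds every grant in {@code map} (all keys) to {@code requiredPrivileges}, together with
     * its grant-option flag. A null map adds nothing.
     */
    private static void addRequiredPrivs(RequiredPrivileges requiredPrivileges, Map<String, List<PrivilegeGrantInfo>> map) throws HiveAuthzPluginException {
        if (map == null) {
            return;
        }
        for (List<PrivilegeGrantInfo> grants : map.values()) {
            for (PrivilegeGrantInfo grant : grants) {
                requiredPrivileges.addPrivilege(grant.getPrivilege(), grant.isGrantOption());
            }
        }
    }

    /**
     * Appends "[sorted missing privileges] on object" to {@code list} when {@code collection}
     * is not empty. The input collection is copied before sorting and is not modified.
     */
    public static void addMissingPrivMsg(Collection<SQLPrivTypeGrant> collection, HivePrivilegeObject hivePrivilegeObject, List<String> list) {
        if (!collection.isEmpty()) {
            List<SQLPrivTypeGrant> sorted = new ArrayList<SQLPrivTypeGrant>(collection);
            Collections.sort(sorted);
            list.add(sorted + " on " + hivePrivilegeObject);
        }
    }

    /**
     * Derives the privileges a user holds on a path from file system ownership and permissions.
     *
     * <p>When the glob matches more than one file, the privileges common to all matches are
     * used. Otherwise the path itself is checked recursively, or, when it does not exist, the
     * status returned by {@code FileUtils.getPathOrParentThatExists} for its parent is checked
     * without recursion.
     *
     * @param path path or glob pattern to check
     * @param hiveConf configuration used to obtain the file system
     * @param str user name
     * @throws HiveAuthzPluginException wrapping any exception raised during the checks
     */
    public static RequiredPrivileges getPrivilegesFromFS(Path path, HiveConf hiveConf, String str) throws HiveAuthzPluginException {
        RequiredPrivileges available = new RequiredPrivileges();
        try {
            FileSystem fs = FileSystem.get(path.toUri(), hiveConf);
            FileStatus[] matches = fs.globStatus(path);
            if (matches != null && matches.length > 1) {
                LOG.debug("Checking fs privileges for multiple files that matched {}", path);
                addPrivilegesFromFS(str, available, fs, matches, true);
                return available;
            }
            FileStatus status = FileUtils.getFileStatusOrNull(fs, path);
            boolean pathMissing = status == null;
            if (pathMissing) {
                // Fall back to an existing ancestor so that creating the path can be authorized.
                status = FileUtils.getPathOrParentThatExists(fs, path.getParent());
            }
            Path checkedPath = status.getPath();
            if (pathMissing) {
                LOG.debug("Checking fs privileges for parent path {} for nonexistent {}", checkedPath, path);
                addPrivilegesFromFS(str, available, fs, status, false);
            } else {
                LOG.debug("Checking fs privileges for path itself {}, originally specified as {}", checkedPath, path);
                addPrivilegesFromFS(str, available, fs, status, true);
            }
            return available;
        } catch (Exception e) {
            throw new HiveAuthzPluginException("Error getting permissions for " + path + ": " + e.getMessage(), e);
        }
    }

    /**
     * Adds to {@code requiredPrivileges} the privileges the user holds on every entry of
     * {@code fileStatusArr} (set intersection). Evaluation stops early once the intersection is
     * empty. An empty array adds nothing.
     */
    private static void addPrivilegesFromFS(String str, RequiredPrivileges requiredPrivileges, FileSystem fileSystem, FileStatus[] fileStatusArr, boolean z) throws Exception {
        if (fileStatusArr.length == 0) {
            return;
        }
        Set<SQLPrivTypeGrant> common = getPrivilegesFromFS(str, fileSystem, fileStatusArr[0], z);
        for (int i = 1; i < fileStatusArr.length && !common.isEmpty(); i++) {
            common.retainAll(getPrivilegesFromFS(str, fileSystem, fileStatusArr[i], z));
        }
        requiredPrivileges.addAll(common.toArray(new SQLPrivTypeGrant[common.size()]));
    }

    /** Adds to {@code requiredPrivileges} the privileges the user holds on a single file status. */
    private static void addPrivilegesFromFS(String str, RequiredPrivileges requiredPrivileges, FileSystem fileSystem, FileStatus fileStatus, boolean z) throws Exception {
        Set<SQLPrivTypeGrant> granted = getPrivilegesFromFS(str, fileSystem, fileStatus, z);
        requiredPrivileges.addAll(granted.toArray(new SQLPrivTypeGrant[granted.size()]));
    }

    /**
     * Maps file system checks to SQL privileges for one file status: ownership gives OWNER_PRIV,
     * WRITE gives INSERT_NOGRANT and DELETE_NOGRANT, READ gives SELECT_NOGRANT.
     *
     * @param str user name
     * @param z passed to the FileUtils hierarchy checks as the recursion flag
     */
    private static Set<SQLPrivTypeGrant> getPrivilegesFromFS(String str, FileSystem fileSystem, FileStatus fileStatus, boolean z) throws Exception {
        Set<SQLPrivTypeGrant> granted = new HashSet<SQLPrivTypeGrant>();
        LOG.debug("Checking fs privileges for {} {}", fileStatus, z ? "recursively" : "without recursion");
        if (FileUtils.isOwnerOfFileHierarchy(fileSystem, fileStatus, str, z)) {
            granted.add(SQLPrivTypeGrant.OWNER_PRIV);
        }
        if (FileUtils.isActionPermittedForFileHierarchy(fileSystem, fileStatus, str, FsAction.WRITE, z)) {
            granted.add(SQLPrivTypeGrant.INSERT_NOGRANT);
            granted.add(SQLPrivTypeGrant.DELETE_NOGRANT);
        }
        if (FileUtils.isActionPermittedForFileHierarchy(fileSystem, fileStatus, str, FsAction.READ, z)) {
            granted.add(SQLPrivTypeGrant.SELECT_NOGRANT);
        }
        LOG.debug("addPrivilegesFromFS:[{}] asked for privileges on [{}] with recurse={} and obtained:[{}]", str, fileStatus, z, granted);
        return granted;
    }

    /**
     * Throws when {@code list} holds any denial message. The list is sorted in place first, so
     * the caller's list is reordered and must be modifiable.
     *
     * @throws HiveAccessControlException naming the principal, the operation and the sorted
     *     missing privileges
     */
    public static void assertNoDeniedPermissions(HivePrincipal hivePrincipal, HiveOperationType hiveOperationType, List<String> list) throws HiveAccessControlException {
        if (!list.isEmpty()) {
            Collections.sort(list);
            throw new HiveAccessControlException("Permission denied: " + hivePrincipal + " does not have following privileges for operation " + hiveOperationType + " " + list);
        }
    }

    /**
     * Builds a plugin exception whose message is {@code str + ": " + cause message}, keeping the
     * cause.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     */
    public static HiveAuthzPluginException getPluginException(String str, Exception exc) {
        return new HiveAuthzPluginException(str + ": " + exc.getMessage(), exc);
    }

    /**
     * Normalizes a principal: USER principals are returned unchanged, ROLE principals get a
     * lower-cased name, and a null principal or a principal with a null type is returned as is.
     *
     * @throws HiveAuthzPluginException for any other principal type
     */
    public static HivePrincipal getValidatedPrincipal(HivePrincipal hivePrincipal) throws HiveAuthzPluginException {
        if (hivePrincipal == null || hivePrincipal.getType() == null) {
            return hivePrincipal;
        }
        switch (hivePrincipal.getType()) {
            case USER:
                return hivePrincipal;
            case ROLE:
                // NOTE(review): toLowerCase() uses the JVM default locale, so role-name
                // normalization is locale-dependent (a Turkish default locale maps 'I' to
                // dotless 'ı'). Other places that normalize role names are not visible from
                // this class, so the call is left as is; confirm them and move all of them to
                // Locale.ROOT together.
                return new HivePrincipal(hivePrincipal.getName().toLowerCase(), hivePrincipal.getType());
            default:
                throw new HiveAuthzPluginException("Invalid principal type in principal " + hivePrincipal);
        }
    }

    /**
     * Applies {@link #getValidatedPrincipal} to every element of {@code list} in place and
     * returns the same list, which therefore must support {@code set}.
     */
    public static List<HivePrincipal> getValidatedPrincipals(List<HivePrincipal> list) throws HiveAuthzPluginException {
        ListIterator<HivePrincipal> it = list.listIterator();
        while (it.hasNext()) {
            it.set(getValidatedPrincipal(it.next()));
        }
        return list;
    }

    /**
     * When HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE is enabled and the session's client type is
     * HIVECLI, returns a copy of the context with the client type set to HIVESERVER2; otherwise
     * returns the context unchanged.
     *
     * <p>NOTE(review): the flag name suggests a test-only switch; confirm it is not set in
     * production configurations, since it changes which client type the plugin sees.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     */
    public static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext hiveAuthzSessionContext, HiveConf hiveConf) {
        if (!hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE) || hiveAuthzSessionContext.getClientType() != HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI) {
            return hiveAuthzSessionContext;
        }
        HiveAuthzSessionContext.Builder builder = new HiveAuthzSessionContext.Builder(hiveAuthzSessionContext);
        builder.setClientType(HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2);
        return builder.build();
    }
}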
