package org.apache.ranger.authorization.presto.authorizer;

import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaRoutineName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.SystemAccessControl;
import io.prestosql.spi.security.SystemSecurityContext;
import io.prestosql.spi.security.ViewExpression;
import io.prestosql.spi.type.Type;
import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.class */
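/**
 * Presto {@link SystemAccessControl} that delegates authorization decisions to Apache Ranger.
 *
 * <p>Each {@code checkCan*} hook maps the Presto object to a {@link RangerPrestoResource},
 * asks the {@link RangerBasePlugin} whether the calling identity holds one
 * {@link PrestoAccessType} on it, and calls an {@code AccessDeniedException.deny*} helper when
 * it does not. The code relies on those helpers throwing; nothing after them is expected to run.
 *
 * <p>Security review notes (grounded in this class only):
 * <ul>
 *   <li>{@link #checkCanSetUser}, {@link #checkCanExecuteQuery}, {@link #filterColumns} and
 *       {@link #filterViewQueryOwnedBy} perform no Ranger check at all; they permit or pass
 *       through everything they are given.</li>
 *   <li>{@link #checkCanCreateViewWithSelectFromColumns} only re-uses the CREATE check and never
 *       looks at the column set.</li>
 *   <li>{@link #hasPermission} treats a {@code null} Ranger result as "denied" (fail closed).</li>
 * </ul>
 */
public class RangerSystemAccessControl implements SystemAccessControl {
    private static final Logger LOG = LoggerFactory.getLogger(RangerSystemAccessControl.class);

    /** Config key: path of the Kerberos keytab used for the plugin's own login. */
    public static final String RANGER_CONFIG_KEYTAB = "ranger.keytab";
    /** Config key: Kerberos principal used together with {@link #RANGER_CONFIG_KEYTAB}. */
    public static final String RANGER_CONFIG_PRINCIPAL = "ranger.principal";
    /** Config key: when "true" (case-insensitive), user and groups are resolved through Hadoop UGI. */
    public static final String RANGER_CONFIG_USE_UGI = "ranger.use_ugi";
    /** Config key: name of the Hadoop configuration resource to load. */
    public static final String RANGER_CONFIG_HADOOP_CONFIG = "ranger.hadoop_config";
    /** Hadoop configuration resource tried when {@link #RANGER_CONFIG_HADOOP_CONFIG} is unset. */
    public static final String RANGER_PRESTO_DEFAULT_HADOOP_CONF = "presto-ranger-site.xml";
    public static final String RANGER_PRESTO_SERVICETYPE = "presto";
    public static final String RANGER_PRESTO_APPID = "presto";

    private final RangerBasePlugin rangerPlugin;
    private final boolean useUgi;

    /**
     * Loads the Hadoop configuration, optionally logs in from a keytab, and starts the Ranger plugin.
     *
     * @param map access-control configuration; the {@code ranger.*} keys declared on this class are read
     * @throws RuntimeException wrapping the {@link IOException} when the Kerberos keytab login fails
     */
    public RangerSystemAccessControl(Map<String, String> map) {
        Configuration configuration = new Configuration();
        String hadoopConfigName = map.get(RANGER_CONFIG_HADOOP_CONFIG);
        if (hadoopConfigName != null) {
            URL configured = configuration.getResource(hadoopConfigName);
            if (configured == null) {
                // An explicitly configured but missing resource is only warned about; start-up
                // continues with whatever the default Configuration provides.
                LOG.warn("Hadoop config {} not found", hadoopConfigName);
            } else {
                configuration.addResource(configured);
            }
        } else {
            URL fallback = configuration.getResource(RANGER_PRESTO_DEFAULT_HADOOP_CONF);
            LOG.debug("Trying to load Hadoop config from {} (can be null)", fallback);
            if (fallback != null) {
                configuration.addResource(fallback);
            }
        }
        UserGroupInformation.setConfiguration(configuration);

        String keytab = map.get(RANGER_CONFIG_KEYTAB);
        String principal = map.get(RANGER_CONFIG_PRINCIPAL);
        if (keytab != null && principal != null) {
            LOG.info("Performing kerberos login with principal {} and keytab {}", principal, keytab);
            try {
                UserGroupInformation.loginUserFromKeytab(principal, keytab);
            } catch (IOException e) {
                LOG.error("Kerberos login failed", e);
                throw new RuntimeException(e);
            }
        } else if (keytab != null || principal != null) {
            // A half-configured Kerberos identity would otherwise be skipped without any trace.
            LOG.warn("Only one of {} and {} is set; skipping Kerberos login", RANGER_CONFIG_KEYTAB, RANGER_CONFIG_PRINCIPAL);
        }

        // Constant-first comparison so that a key mapped to null reads as "false" instead of throwing.
        this.useUgi = "true".equalsIgnoreCase(map.getOrDefault(RANGER_CONFIG_USE_UGI, "false"));

        this.rangerPlugin = new RangerBasePlugin(RANGER_PRESTO_SERVICETYPE, RANGER_PRESTO_APPID);
        this.rangerPlugin.init();
        this.rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler());
    }

    /**
     * Evaluates Ranger data-mask policies for the request.
     *
     * <p>NOTE(review): a {@code null} result processor is passed, so presumably the audit handler
     * installed in the constructor is not invoked for mask lookups; confirm against RangerBasePlugin.
     */
    private RangerAccessResult getDataMaskResult(RangerPrestoAccessRequest request) {
        LOG.debug("==> getDataMaskResult(request={})", request);
        RangerAccessResult maskResult = this.rangerPlugin.evalDataMaskPolicies(request, (RangerAccessResultProcessor) null);
        LOG.debug("<== getDataMaskResult(request={}): ret={}", request, maskResult);
        return maskResult;
    }

    /**
     * Evaluates Ranger row-filter policies for the request.
     *
     * <p>NOTE(review): as with data masks, a {@code null} result processor is passed; confirm
     * whether row-filter evaluations are meant to be audited.
     */
    private RangerAccessResult getRowFilterResult(RangerPrestoAccessRequest request) {
        LOG.debug("==> getRowFilterResult(request={})", request);
        RangerAccessResult filterResult = this.rangerPlugin.evalRowFilterPolicies(request, (RangerAccessResultProcessor) null);
        LOG.debug("<== getRowFilterResult(request={}): ret={}", request, filterResult);
        return filterResult;
    }

    /** Returns true when a result exists and reports masking as enabled. */
    private boolean isDataMaskEnabled(RangerAccessResult rangerAccessResult) {
        return rangerAccessResult != null && rangerAccessResult.isMaskEnabled();
    }

    /** Returns true when a result exists and reports row filtering as enabled. */
    private boolean isRowFilterEnabled(RangerAccessResult rangerAccessResult) {
        return rangerAccessResult != null && rangerAccessResult.isRowFilterEnabled();
    }

    /**
     * Returns the row filter Ranger defines for the table, evaluated for SELECT access.
     *
     * @return the filter expression wrapped as a {@link ViewExpression} run as the calling user,
     *     or empty when no row filter is enabled
     */
    public Optional<ViewExpression> getRowFilter(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        RangerPrestoAccessRequest request = createAccessRequest(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.SELECT);
        RangerAccessResult filterResult = getRowFilterResult(request);
        if (!isRowFilterEnabled(filterResult)) {
            return Optional.empty();
        }
        // The filter text comes straight from the Ranger policy and is handed to Presto as SQL.
        return Optional.of(new ViewExpression(
                systemSecurityContext.getIdentity().getUser(),
                Optional.of(catalogSchemaTableName.getCatalogName()),
                Optional.of(catalogSchemaTableName.getSchemaTableName().getSchemaName()),
                filterResult.getFilterExpr()));
    }

    /**
     * Returns the masking expression Ranger defines for one column, evaluated for SELECT access.
     *
     * @param str column name; substituted for {@code {col}} in the transformer
     * @param type column type; its display name is substituted for {@code {type}}
     * @return the mask wrapped as a {@link ViewExpression} run as the calling user, or empty when
     *     no mask is enabled
     */
    public Optional<ViewExpression> getColumnMask(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, String str, Type type) {
        String catalog = catalogSchemaTableName.getCatalogName();
        String schema = catalogSchemaTableName.getSchemaTableName().getSchemaName();
        String table = catalogSchemaTableName.getSchemaTableName().getTableName();
        RangerAccessResult maskResult = getDataMaskResult(
                createAccessRequest(createResource(catalog, schema, table, Optional.of(str)), systemSecurityContext, PrestoAccessType.SELECT));
        if (!isDataMaskEnabled(maskResult)) {
            return Optional.empty();
        }

        String maskType = maskResult.getMaskType();
        RangerServiceDef.RangerDataMaskTypeDef maskTypeDef = maskResult.getMaskTypeDef();
        String transformer = maskTypeDef != null ? maskTypeDef.getTransformer() : null;
        if (StringUtils.equalsIgnoreCase(maskType, "MASK_NULL")) {
            transformer = "NULL";
        } else if (StringUtils.equalsIgnoreCase(maskType, "CUSTOM")) {
            String maskedValue = maskResult.getMaskedValue();
            transformer = maskedValue == null ? "NULL" : maskedValue;
        }
        if (StringUtils.isNotEmpty(transformer)) {
            // NOTE(review): the column name is spliced into the expression as-is, without
            // identifier quoting; confirm that column names needing quotes are handled upstream.
            transformer = transformer.replace("{col}", str).replace("{type}", type.getDisplayName());
        }
        // NOTE(review): a mask type with no transformer leaves `transformer` null here. Whether
        // ViewExpression rejects that is not visible in this file. Returning Optional.empty()
        // instead would hand back the unmasked column, so any change must keep failing closed.
        String user = systemSecurityContext.getIdentity().getUser();
        ViewExpression mask = new ViewExpression(user, Optional.of(catalog), Optional.of(schema), transformer);
        // The original call passed a printf-style template with no arguments, so the literal
        // "%s" markers were logged; SLF4J placeholders with the actual values are used instead.
        LOG.debug("getColumnMask: user: {}, catalog: {}, schema: {}, transformer: {}", user, catalog, schema, transformer);
        return Optional.of(mask);
    }

    /** Returns the subset of catalogs in {@code set} on which the caller holds SELECT. */
    public Set<String> filterCatalogs(SystemSecurityContext systemSecurityContext, Set<String> set) {
        LOG.debug("==> RangerSystemAccessControl.filterCatalogs({})", set);
        Set<String> visible = new HashSet<>(set.size());
        for (String catalog : set) {
            if (hasPermission(createResource(catalog), systemSecurityContext, PrestoAccessType.SELECT)) {
                visible.add(catalog);
            }
        }
        return visible;
    }

    /** Returns the subset of schemas in {@code set} (within catalog {@code str}) on which the caller holds SELECT. */
    public Set<String> filterSchemas(SystemSecurityContext systemSecurityContext, String str, Set<String> set) {
        LOG.debug("==> RangerSystemAccessControl.filterSchemas({})", str);
        Set<String> visible = new HashSet<>(set.size());
        for (String schema : set) {
            if (hasPermission(createResource(str, schema), systemSecurityContext, PrestoAccessType.SELECT)) {
                visible.add(schema);
            }
        }
        return visible;
    }

    /** Returns the subset of tables in {@code set} (within catalog {@code str}) on which the caller holds SELECT. */
    public Set<SchemaTableName> filterTables(SystemSecurityContext systemSecurityContext, String str, Set<SchemaTableName> set) {
        LOG.debug("==> RangerSystemAccessControl.filterTables({})", str);
        Set<SchemaTableName> visible = new HashSet<>(set.size());
        for (SchemaTableName table : set) {
            if (hasPermission(createResource(str, table.getSchemaName(), table.getTableName()), systemSecurityContext, PrestoAccessType.SELECT)) {
                visible.add(table);
            }
        }
        return visible;
    }

    /** Requires ALTER on the system session property named {@code str}. */
    public void checkCanSetSystemSessionProperty(SystemSecurityContext systemSecurityContext, String str) {
        if (!hasPermission(createSystemPropertyResource(str), systemSecurityContext, PrestoAccessType.ALTER)) {
            LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
            AccessDeniedException.denySetSystemSessionProperty(str);
        }
    }

    /** Requires IMPERSONATE on the user resource named {@code str}. */
    public void checkCanImpersonateUser(SystemSecurityContext systemSecurityContext, String str) {
        if (!hasPermission(createUserResource(str), systemSecurityContext, PrestoAccessType.IMPERSONATE)) {
            LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser({}) denied", str);
            AccessDeniedException.denyImpersonateUser(systemSecurityContext.getIdentity().getUser(), str);
        }
    }

    /**
     * Permits every principal-to-user mapping: no Ranger policy is consulted.
     *
     * <p>NOTE(review): with this hook empty, {@link #checkCanImpersonateUser} is the only control
     * in this class over acting as another user; confirm the engine version in use calls it.
     */
    public void checkCanSetUser(Optional<Principal> optional, String str) {
    }

    /** Requires ALTER on session property {@code str2} of catalog {@code str}. */
    public void checkCanSetCatalogSessionProperty(SystemSecurityContext systemSecurityContext, String str, String str2) {
        if (!hasPermission(createCatalogSessionResource(str, str2), systemSecurityContext, PrestoAccessType.ALTER)) {
            LOG.debug("RangerSystemAccessControl.checkCanSetCatalogSessionProperty({}) denied", str);
            AccessDeniedException.denySetCatalogSessionProperty(str, str2);
        }
    }

    /** Requires SHOW on the catalog named {@code str}. */
    public void checkCanShowRoles(SystemSecurityContext systemSecurityContext, String str) {
        if (!hasPermission(createResource(str), systemSecurityContext, PrestoAccessType.SHOW)) {
            LOG.debug("RangerSystemAccessControl.checkCanShowRoles({}) denied", str);
            AccessDeniedException.denyShowRoles(str);
        }
    }

    /** Requires USE on the catalog named {@code str}. */
    public void checkCanAccessCatalog(SystemSecurityContext systemSecurityContext, String str) {
        if (!hasPermission(createResource(str), systemSecurityContext, PrestoAccessType.USE)) {
            LOG.debug("RangerSystemAccessControl.checkCanAccessCatalog({}) denied", str);
            AccessDeniedException.denyCatalogAccess(str);
        }
    }

    /** Requires SHOW on the catalog named {@code str}. */
    public void checkCanShowSchemas(SystemSecurityContext systemSecurityContext, String str) {
        if (!hasPermission(createResource(str), systemSecurityContext, PrestoAccessType.SHOW)) {
            LOG.debug("RangerSystemAccessControl.checkCanShowSchemas({}) denied", str);
            AccessDeniedException.denyShowSchemas(str);
        }
    }

    /** Requires GRANT on the schema; the new owner {@code prestoPrincipal} is not part of the decision. */
    public void checkCanSetSchemaAuthorization(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName, PrestoPrincipal prestoPrincipal) {
        if (!hasPermission(createResource(catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName()), systemSecurityContext, PrestoAccessType.GRANT)) {
            LOG.debug("RangerSystemAccessControl.checkCanSetSchemaAuthorization({}) denied", catalogSchemaName.getSchemaName());
            AccessDeniedException.denySetSchemaAuthorization(catalogSchemaName.getSchemaName(), prestoPrincipal);
        }
    }

    /** Requires SHOW on the schema. */
    public void checkCanShowCreateSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (!hasPermission(createResource(catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName()), systemSecurityContext, PrestoAccessType.SHOW)) {
            LOG.debug("RangerSystemAccessControl.checkCanShowCreateSchema({}) denied", catalogSchemaName.getSchemaName());
            AccessDeniedException.denyShowCreateSchema(catalogSchemaName.getSchemaName());
        }
    }

    /** Requires CREATE on the enclosing catalog (the schema name itself is not part of the resource). */
    public void checkCanCreateSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (!hasPermission(createResource(catalogSchemaName.getCatalogName()), systemSecurityContext, PrestoAccessType.CREATE)) {
            LOG.debug("RangerSystemAccessControl.checkCanCreateSchema({}) denied", catalogSchemaName.getSchemaName());
            AccessDeniedException.denyCreateSchema(catalogSchemaName.getSchemaName());
        }
    }

    /** Requires DROP on the schema. */
    public void checkCanDropSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (!hasPermission(createResource(catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName()), systemSecurityContext, PrestoAccessType.DROP)) {
            LOG.debug("RangerSystemAccessControl.checkCanDropSchema({}) denied", catalogSchemaName.getSchemaName());
            AccessDeniedException.denyDropSchema(catalogSchemaName.getSchemaName());
        }
    }

    /** Requires ALTER on the existing schema; the new name {@code str} is not checked. */
    public void checkCanRenameSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName, String str) {
        if (!hasPermission(createResource(catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName()), systemSecurityContext, PrestoAccessType.ALTER)) {
            LOG.debug("RangerSystemAccessControl.checkCanRenameSchema({}) denied", catalogSchemaName.getSchemaName());
            AccessDeniedException.denyRenameSchema(catalogSchemaName.getSchemaName(), str);
        }
    }

    /** Requires SHOW on the schema. */
    public void checkCanShowTables(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName) {
        if (!hasPermission(createResource(catalogSchemaName), systemSecurityContext, PrestoAccessType.SHOW)) {
            LOG.debug("RangerSystemAccessControl.checkCanShowTables({}) denied", catalogSchemaName);
            AccessDeniedException.denyShowTables(catalogSchemaName.toString());
        }
    }

    /** Requires SHOW on the table. */
    public void checkCanShowCreateTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.SHOW)) {
            // The original message named checkCanShowTables, which made denials hard to trace.
            LOG.debug("RangerSystemAccessControl.checkCanShowCreateTable({}) denied", catalogSchemaTableName);
            AccessDeniedException.denyShowCreateTable(catalogSchemaTableName.toString());
        }
    }

    /** Requires CREATE on the enclosing schema (the table name itself is not part of the resource). */
    public void checkCanCreateTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName.getCatalogName(), catalogSchemaTableName.getSchemaTableName().getSchemaName()), systemSecurityContext, PrestoAccessType.CREATE)) {
            LOG.debug("RangerSystemAccessControl.checkCanCreateTable({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyCreateTable(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /** Requires DROP on the table. */
    public void checkCanDropTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.DROP)) {
            LOG.debug("RangerSystemAccessControl.checkCanDropTable({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyDropTable(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /** Requires ALTER on the existing table; the target {@code catalogSchemaTableName2} is not checked. */
    public void checkCanRenameTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName catalogSchemaTableName2) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.ALTER)) {
            LOG.debug("RangerSystemAccessControl.checkCanRenameTable({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyRenameTable(catalogSchemaTableName.getSchemaTableName().getTableName(), catalogSchemaTableName2.getSchemaTableName().getTableName());
        }
    }

    /** Requires INSERT on the table. */
    public void checkCanInsertIntoTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.INSERT)) {
            LOG.debug("RangerSystemAccessControl.checkCanInsertIntoTable({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyInsertTable(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /** Requires DELETE on the table. */
    public void checkCanDeleteFromTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.DELETE)) {
            LOG.debug("RangerSystemAccessControl.checkCanDeleteFromTable({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyDeleteTable(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /**
     * Requires GRANT on the table. The privilege being granted, the grantee and the grant-option
     * flag {@code z} do not influence the decision.
     */
    public void checkCanGrantTablePrivilege(SystemSecurityContext systemSecurityContext, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.GRANT)) {
            LOG.debug("RangerSystemAccessControl.checkCanGrantTablePrivilege({}) denied", catalogSchemaTableName);
            AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), catalogSchemaTableName.toString());
        }
    }

    /**
     * Requires REVOKE on the table. The privilege being revoked, the principal and the flag
     * {@code z} do not influence the decision.
     */
    public void checkCanRevokeTablePrivilege(SystemSecurityContext systemSecurityContext, Privilege privilege, CatalogSchemaTableName catalogSchemaTableName, PrestoPrincipal prestoPrincipal, boolean z) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.REVOKE)) {
            LOG.debug("RangerSystemAccessControl.checkCanRevokeTablePrivilege({}) denied", catalogSchemaTableName);
            AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), catalogSchemaTableName.toString());
        }
    }

    /** Requires ALTER on the table. */
    public void checkCanSetTableComment(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.ALTER)) {
            LOG.debug("RangerSystemAccessControl.checkCanSetTableComment({}) denied", catalogSchemaTableName);
            AccessDeniedException.denyCommentTable(catalogSchemaTableName.toString());
        }
    }

    /** Requires CREATE on the enclosing schema (the view name itself is not part of the resource). */
    public void checkCanCreateView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName.getCatalogName(), catalogSchemaTableName.getSchemaTableName().getSchemaName()), systemSecurityContext, PrestoAccessType.CREATE)) {
            LOG.debug("RangerSystemAccessControl.checkCanCreateView({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyCreateView(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /** Requires DROP on the view. */
    public void checkCanDropView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.DROP)) {
            LOG.debug("RangerSystemAccessControl.checkCanDropView({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyDropView(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /**
     * Delegates to {@link #checkCanCreateView} and re-labels a denial.
     *
     * <p>NOTE(review): the column set {@code set} is never consulted, so no SELECT check on the
     * referenced columns happens here; the only requirement is CREATE on the schema of
     * {@code catalogSchemaTableName}. Confirm that this is the intended policy before relying on
     * column-level SELECT policies to restrict view creation.
     */
    public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
        try {
            checkCanCreateView(systemSecurityContext, catalogSchemaTableName);
        } catch (AccessDeniedException denied) {
            // The CREATE denial is replaced by the more specific "create view with select" denial.
            LOG.debug("RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyCreateViewWithSelect(catalogSchemaTableName.getSchemaTableName().getTableName(), systemSecurityContext.getIdentity());
        }
    }

    /** Requires ALTER on the existing view; the target {@code catalogSchemaTableName2} is not checked. */
    public void checkCanRenameView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, CatalogSchemaTableName catalogSchemaTableName2) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.ALTER)) {
            LOG.debug("RangerSystemAccessControl.checkCanRenameView({}) denied", catalogSchemaTableName);
            AccessDeniedException.denyRenameView(catalogSchemaTableName.toString(), catalogSchemaTableName2.toString());
        }
    }

    /** Requires ALTER on the table. */
    public void checkCanAddColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.ALTER)) {
            // Added for parity with the sibling checks, which all trace their denials.
            LOG.debug("RangerSystemAccessControl.checkCanAddColumn({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyAddColumn(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /** Requires DROP (not ALTER) on the table. */
    public void checkCanDropColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.DROP)) {
            LOG.debug("RangerSystemAccessControl.checkCanDropColumn({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyDropColumn(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /** Requires ALTER on the table. */
    public void checkCanRenameColumn(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.ALTER)) {
            LOG.debug("RangerSystemAccessControl.checkCanRenameColumn({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
            AccessDeniedException.denyRenameColumn(catalogSchemaTableName.getSchemaTableName().getTableName());
        }
    }

    /** Requires SHOW on the table. */
    public void checkCanShowColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName) {
        if (!hasPermission(createResource(catalogSchemaTableName), systemSecurityContext, PrestoAccessType.SHOW)) {
            // The original message named checkCanShowTables, which made denials hard to trace.
            LOG.debug("RangerSystemAccessControl.checkCanShowColumns({}) denied", catalogSchemaTableName);
            AccessDeniedException.denyShowColumns(catalogSchemaTableName.toString());
        }
    }

    /**
     * Requires SELECT on every column in {@code set}; with an empty set the table itself is checked
     * (see {@link #createResource(CatalogSchemaTableName, Set)}).
     */
    public void checkCanSelectFromColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
        for (RangerPrestoResource resource : createResource(catalogSchemaTableName, set)) {
            if (!hasPermission(resource, systemSecurityContext, PrestoAccessType.SELECT)) {
                LOG.debug("RangerSystemAccessControl.checkCanSelectFromColumns({}) denied", catalogSchemaTableName.getSchemaTableName().getTableName());
                AccessDeniedException.denySelectColumns(catalogSchemaTableName.getSchemaTableName().getTableName(), set);
            }
        }
    }

    /**
     * Returns {@code list} unchanged.
     *
     * <p>NOTE(review): column metadata is not filtered against Ranger policies, so column names and
     * types of a visible table are listed even for columns the caller cannot SELECT.
     */
    public List<ColumnMetadata> filterColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, List<ColumnMetadata> list) {
        return list;
    }

    /** Permits every identity to execute queries: no Ranger policy is consulted. */
    public void checkCanExecuteQuery(SystemSecurityContext systemSecurityContext) {
    }

    /**
     * Requires IMPERSONATE on the user resource of the query owner {@code str}.
     *
     * <p>NOTE(review): viewing another user's query is modelled as impersonation, and the denial
     * raised is the impersonation one, so the message a user sees will mention impersonation.
     */
    public void checkCanViewQueryOwnedBy(SystemSecurityContext systemSecurityContext, String str) {
        if (!hasPermission(createUserResource(str), systemSecurityContext, PrestoAccessType.IMPERSONATE)) {
            LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy({}) denied", str);
            AccessDeniedException.denyImpersonateUser(systemSecurityContext.getIdentity().getUser(), str);
        }
    }

    /**
     * Returns {@code set} unchanged.
     *
     * <p>NOTE(review): unlike {@link #checkCanViewQueryOwnedBy}, this filter applies no Ranger
     * check, so the two hooks can disagree about which owners' queries are visible.
     */
    public Set<String> filterViewQueryOwnedBy(SystemSecurityContext systemSecurityContext, Set<String> set) {
        return set;
    }

    /**
     * Requires IMPERSONATE on the user resource of the query owner {@code str}; denials are raised
     * as impersonation denials, as in {@link #checkCanViewQueryOwnedBy}.
     */
    public void checkCanKillQueryOwnedBy(SystemSecurityContext systemSecurityContext, String str) {
        if (!hasPermission(createUserResource(str), systemSecurityContext, PrestoAccessType.IMPERSONATE)) {
            LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy({}) denied", str);
            AccessDeniedException.denyImpersonateUser(systemSecurityContext.getIdentity().getUser(), str);
        }
    }

    /** Requires GRANT on the function named {@code str}; the flag {@code z} is not part of the decision. */
    public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext systemSecurityContext, String str, PrestoPrincipal prestoPrincipal, boolean z) {
        if (!hasPermission(createFunctionResource(str), systemSecurityContext, PrestoAccessType.GRANT)) {
            LOG.debug("RangerSystemAccessControl.checkCanGrantExecuteFunctionPrivilege({}) denied", str);
            AccessDeniedException.denyGrantExecuteFunctionPrivilege(str, systemSecurityContext.getIdentity(), prestoPrincipal.getName());
        }
    }

    /** Requires EXECUTE on the function named {@code str}. */
    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String str) {
        if (!hasPermission(createFunctionResource(str), systemSecurityContext, PrestoAccessType.EXECUTE)) {
            LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction({}) denied", str);
            AccessDeniedException.denyExecuteFunction(str);
        }
    }

    /** Requires EXECUTE on the procedure identified by catalog, schema and routine name. */
    public void checkCanExecuteProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName catalogSchemaRoutineName) {
        if (!hasPermission(createProcedureResource(catalogSchemaRoutineName), systemSecurityContext, PrestoAccessType.EXECUTE)) {
            // The original message named checkCanExecuteFunction, which made denials hard to trace.
            LOG.debug("RangerSystemAccessControl.checkCanExecuteProcedure({}) denied", catalogSchemaRoutineName.getSchemaRoutineName().getRoutineName());
            AccessDeniedException.denyExecuteProcedure(catalogSchemaRoutineName.getSchemaRoutineName().getRoutineName());
        }
    }

    /**
     * Builds the Ranger request for one resource and access type.
     *
     * <p>With {@code ranger.use_ugi} enabled the user is reduced to its Hadoop short name and the
     * groups come from Hadoop's group lookup; otherwise both are taken from the Presto identity.
     * The two modes can therefore match different Ranger policies for the same session.
     */
    private RangerPrestoAccessRequest createAccessRequest(RangerPrestoResource resource, SystemSecurityContext systemSecurityContext, PrestoAccessType accessType) {
        String user;
        Set<String> groups = null;
        if (this.useUgi) {
            UserGroupInformation ugi = UserGroupInformation.createRemoteUser(systemSecurityContext.getIdentity().getUser());
            user = ugi.getShortUserName();
            // The original re-tested ugi for null after already dereferencing it; that dead check is gone.
            String[] groupNames = ugi.getGroupNames();
            if (groupNames != null && groupNames.length > 0) {
                groups = new HashSet<>(Arrays.asList(groupNames));
            }
        } else {
            user = systemSecurityContext.getIdentity().getUser();
            groups = systemSecurityContext.getIdentity().getGroups();
        }
        return new RangerPrestoAccessRequest(resource, user, groups, accessType);
    }

    /**
     * Asks Ranger whether the caller holds {@code accessType} on {@code resource}.
     *
     * @return true only when Ranger returns a result and that result is "allowed"; a missing
     *     result counts as denied
     */
    private boolean hasPermission(RangerPrestoResource resource, SystemSecurityContext systemSecurityContext, PrestoAccessType accessType) {
        RangerAccessResult decision = this.rangerPlugin.isAccessAllowed(createAccessRequest(resource, systemSecurityContext, accessType));
        return decision != null && decision.getIsAllowed();
    }

    /** Resource addressing a user by name. */
    private static RangerPrestoResource createUserResource(String userName) {
        RangerPrestoResource resource = new RangerPrestoResource();
        resource.setValue(RangerPrestoResource.KEY_USER, userName);
        return resource;
    }

    /** Resource addressing a function by name. */
    private static RangerPrestoResource createFunctionResource(String functionName) {
        RangerPrestoResource resource = new RangerPrestoResource();
        resource.setValue(RangerPrestoResource.KEY_FUNCTION, functionName);
        return resource;
    }

    /** Resource addressing a procedure by catalog, schema and routine name. */
    private static RangerPrestoResource createProcedureResource(CatalogSchemaRoutineName procedure) {
        RangerPrestoResource resource = new RangerPrestoResource();
        resource.setValue(RangerPrestoResource.KEY_CATALOG, procedure.getCatalogName());
        resource.setValue(RangerPrestoResource.KEY_SCHEMA, procedure.getSchemaRoutineName().getSchemaName());
        resource.setValue(RangerPrestoResource.KEY_PROCEDURE, procedure.getSchemaRoutineName().getRoutineName());
        return resource;
    }

    /** Resource addressing one session property of a catalog. */
    private static RangerPrestoResource createCatalogSessionResource(String catalogName, String propertyName) {
        RangerPrestoResource resource = new RangerPrestoResource();
        resource.setValue(RangerPrestoResource.KEY_CATALOG, catalogName);
        resource.setValue(RangerPrestoResource.KEY_SESSION_PROPERTY, propertyName);
        return resource;
    }

    /** Resource addressing a system session property. */
    private static RangerPrestoResource createSystemPropertyResource(String propertyName) {
        RangerPrestoResource resource = new RangerPrestoResource();
        resource.setValue(RangerPrestoResource.KEY_SYSTEM_PROPERTY, propertyName);
        return resource;
    }

    /** Schema-level resource. */
    private static RangerPrestoResource createResource(CatalogSchemaName catalogSchemaName) {
        return createResource(catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName());
    }

    /** Table-level resource. */
    private static RangerPrestoResource createResource(CatalogSchemaTableName catalogSchemaTableName) {
        SchemaTableName schemaTable = catalogSchemaTableName.getSchemaTableName();
        return createResource(catalogSchemaTableName.getCatalogName(), schemaTable.getSchemaName(), schemaTable.getTableName());
    }

    /** Catalog-level resource. */
    private static RangerPrestoResource createResource(String catalogName) {
        return new RangerPrestoResource(catalogName, Optional.empty(), Optional.empty());
    }

    /** Schema-level resource. */
    private static RangerPrestoResource createResource(String catalogName, String schemaName) {
        return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.empty());
    }

    /** Table-level resource. */
    private static RangerPrestoResource createResource(String catalogName, String schemaName, String tableName) {
        return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.of(tableName));
    }

    /** Column-level resource; an empty {@code column} is passed through to the resource unchanged. */
    private static RangerPrestoResource createResource(String catalogName, String schemaName, String tableName, Optional<String> column) {
        return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.of(tableName), column);
    }

    /**
     * Builds one column-level resource per requested column, or a single resource with no column
     * when {@code columns} is empty, so that an access check always has something to evaluate.
     */
    private static List<RangerPrestoResource> createResource(CatalogSchemaTableName catalogSchemaTableName, Set<String> columns) {
        String catalog = catalogSchemaTableName.getCatalogName();
        String schema = catalogSchemaTableName.getSchemaTableName().getSchemaName();
        String table = catalogSchemaTableName.getSchemaTableName().getTableName();
        List<RangerPrestoResource> resources = new ArrayList<>();
        if (columns.isEmpty()) {
            resources.add(createResource(catalog, schema, table, Optional.empty()));
        } else {
            for (String column : columns) {
                resources.add(createResource(catalog, schema, table, Optional.of(column)));
            }
        }
        return resources;
    }
}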
