package org.apache.sentry.binding.hive;

import com.google.common.base.Preconditions;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hive.SentryHiveConstants;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask;
import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc;
import org.apache.hadoop.hive.ql.exec.Task;
import org.apache.hadoop.hive.ql.exec.TaskFactory;
import org.apache.hadoop.hive.ql.hooks.ReadEntity;
import org.apache.hadoop.hive.ql.hooks.WriteEntity;
import org.apache.hadoop.hive.ql.metadata.Hive;
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactory;
import org.apache.hadoop.hive.ql.plan.DDLWork;
import org.apache.hadoop.hive.ql.plan.GrantDesc;
import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL;
import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
import org.apache.hadoop.hive.ql.plan.RevokeDesc;
import org.apache.hadoop.hive.ql.plan.RoleDDLDesc;
import org.apache.hadoop.hive.ql.plan.ShowGrantDesc;
import org.apache.hadoop.hive.ql.security.authorization.Privilege;
import org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.sentry.core.model.db.AccessConstants;

/* loaded from: input_file:org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.class */
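/**
 * Turns parsed Hive authorization statements (CREATE/DROP ROLE, GRANT, REVOKE, SHOW ...) into
 * {@link SentryGrantRevokeTask} instances wrapping a {@link DDLWork}.
 *
 * <p>Restrictions enforced while building the work, all visible in this class:
 * <ul>
 *   <li>privileges can be granted to / revoked from ROLE principals only;</li>
 *   <li>roles can be granted to / revoked from GROUP principals only;</li>
 *   <li>column-level and partition-level privileges are rejected;</li>
 *   <li>only privileges listed in {@code SentryHiveConstants.ALLOWED_PRIVS} are accepted;</li>
 *   <li>role names in {@code AccessConstants.RESERVED_ROLE_NAMES} cannot be created or dropped.</li>
 * </ul>
 *
 * <p>This class only validates statement shape and builds the task. No check that the session
 * user is allowed to run the statement is visible here.
 * NOTE(review): presumably that decision is made when the task executes - confirm.
 */
public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorizationTaskFactory {

    // Parser token type ids exactly as they appear in the compiled class. They look like inlined
    // HiveParser.TOK_* constants; the names below are inferred from how each id is used in this
    // file. Because the values are baked in at compile time they are tied to the Hive version this
    // class was built against: if the parser on the classpath numbers its tokens differently,
    // principal-type and object-type checks below would silently match the wrong tokens.
    // TODO confirm against the HiveParser actually deployed.
    private static final int TOKEN_GRANT_WITH_OPTION = 684;
    private static final int TOKEN_GROUP = 685;
    private static final int TOKEN_PARTSPEC = 750;
    private static final int TOKEN_PRIV_OBJECT = 765;
    private static final int TOKEN_PRIV_OBJECT_COL = 766;
    private static final int TOKEN_ROLE = 781;
    private static final int TOKEN_SERVER_TYPE = 790;
    private static final int TOKEN_TABCOLNAME = 830;
    private static final int TOKEN_TABLE_TYPE = 854;
    private static final int TOKEN_URI_TYPE = 878;
    private static final int TOKEN_USER = 879;

    /**
     * Creates the factory. Neither argument is used by this implementation.
     *
     * @param hiveConf ignored
     * @param hive ignored
     */
    public SentryHiveAuthorizationTaskFactoryImpl(HiveConf hiveConf, Hive hive) {
    }

    /**
     * Builds the task for {@code CREATE ROLE}.
     *
     * @param aSTNode statement node; child 0 carries the role name
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a CREATE_ROLE descriptor
     * @throws SemanticException if the role name is reserved
     */
    public Task<? extends Serializable> createCreateRoleTask(ASTNode aSTNode, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        String roleName = readNonReservedRoleName(aSTNode);
        return createTask(new DDLWork(hashSet, hashSet2, new RoleDDLDesc(roleName, RoleDDLDesc.RoleOperation.CREATE_ROLE)));
    }

    /**
     * Builds the task for {@code DROP ROLE}.
     *
     * @param aSTNode statement node; child 0 carries the role name
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a DROP_ROLE descriptor
     * @throws SemanticException if the role name is reserved
     */
    public Task<? extends Serializable> createDropRoleTask(ASTNode aSTNode, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        String roleName = readNonReservedRoleName(aSTNode);
        return createTask(new DDLWork(hashSet, hashSet2, new RoleDDLDesc(roleName, RoleDDLDesc.RoleOperation.DROP_ROLE)));
    }

    /**
     * Builds the task for {@code SHOW ROLE GRANT}; only GROUP principals are accepted.
     *
     * @param aSTNode statement node; child 0 is the principal node
     * @param path result file the output is written to
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a SHOW_ROLE_GRANT descriptor
     * @throws SemanticException if the principal is not a GROUP
     */
    public Task<? extends Serializable> createShowRoleGrantTask(ASTNode aSTNode, Path path, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        ASTNode principalNode = (ASTNode) aSTNode.getChild(0);
        // An unrecognised token falls back to USER, which the check below then rejects.
        PrincipalType principalType = principalTypeFor(principalNode.getType(), PrincipalType.USER);
        if (principalType != PrincipalType.GROUP) {
            throw new SemanticException(SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType);
        }
        String principalName = BaseSemanticAnalyzer.unescapeIdentifier(principalNode.getChild(0).getText());
        RoleDDLDesc roleDDLDesc = new RoleDDLDesc(principalName, principalType, RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT, (String) null);
        roleDDLDesc.setResFile(path.toString());
        return createTask(new DDLWork(hashSet, hashSet2, roleDDLDesc));
    }

    /**
     * Builds the task for {@code GRANT <privileges> ... TO <principals>}.
     *
     * <p>The grantor recorded in the descriptor is the user name reported by the session
     * authenticator ({@code null} when no session or authenticator is available) and is always
     * typed as {@link PrincipalType#USER}.
     *
     * @param aSTNode statement node: child 0 privilege list, child 1 principal list, later children
     *     optionally the privilege object and the grant-option marker
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a {@link GrantDesc}
     * @throws SemanticException for partition or column privileges, unsupported privileges, or a
     *     principal that is not a ROLE
     * @throws NullPointerException if the statement carries no privilege object
     */
    public Task<? extends Serializable> createGrantTask(ASTNode aSTNode, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        List<PrivilegeDesc> privileges = analyzePrivilegeListDef((ASTNode) aSTNode.getChild(0));
        List<PrincipalDesc> principals = analyzePrincipalListDef((ASTNode) aSTNode.getChild(1));
        SentryHivePrivilegeObjectDesc privilegeObject = null;
        boolean grantOption = false;
        for (int i = 2; i < aSTNode.getChildCount(); i++) {
            ASTNode extra = (ASTNode) aSTNode.getChild(i);
            if (extra.getType() == TOKEN_GRANT_WITH_OPTION) {
                grantOption = true;
            } else if (extra.getType() == TOKEN_PRIV_OBJECT) {
                privilegeObject = analyzePrivilegeObject(extra);
            }
        }
        String grantor = sessionUserName(null);
        Preconditions.checkNotNull(privilegeObject, "privilegeObj is null for " + aSTNode.dump());
        rejectUnsupportedGrantRevoke(privilegeObject, privileges, principals);
        return createTask(new DDLWork(hashSet, hashSet2, new GrantDesc(privilegeObject, privileges, principals, grantor, PrincipalType.USER, grantOption)));
    }

    /**
     * Builds the task for {@code REVOKE <privileges> ... FROM <principals>}.
     *
     * @param aSTNode statement node: child 0 privilege list, child 1 principal list, child 2 the
     *     privilege object
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a {@link RevokeDesc}
     * @throws SemanticException for partition or column privileges, unsupported privileges, or a
     *     principal that is not a ROLE
     * @throws NullPointerException if the statement carries no privilege object
     */
    public Task<? extends Serializable> createRevokeTask(ASTNode aSTNode, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        List<PrivilegeDesc> privileges = analyzePrivilegeListDef((ASTNode) aSTNode.getChild(0));
        List<PrincipalDesc> principals = analyzePrincipalListDef((ASTNode) aSTNode.getChild(1));
        SentryHivePrivilegeObjectDesc privilegeObject = null;
        if (aSTNode.getChildCount() > 2) {
            privilegeObject = analyzePrivilegeObject((ASTNode) aSTNode.getChild(2));
        }
        // A REVOKE without an object used to fail on the next dereference with a bare
        // NullPointerException. Fail the same way createGrantTask does: same exception type,
        // but with the offending statement in the message.
        Preconditions.checkNotNull(privilegeObject, "privilegeObj is null for " + aSTNode.dump());
        rejectUnsupportedGrantRevoke(privilegeObject, privileges, principals);
        return createTask(new DDLWork(hashSet, hashSet2, new RevokeDesc(privileges, principals, privilegeObject)));
    }

    /**
     * Builds the task for {@code GRANT ROLE}; see {@link #analyzeGrantRevokeRole}.
     *
     * @param aSTNode statement node: child 0 principal list, remaining children role names
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a {@link GrantRevokeRoleDDL}
     * @throws SemanticException if a principal is not a GROUP
     */
    public Task<? extends Serializable> createGrantRoleTask(ASTNode aSTNode, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        return analyzeGrantRevokeRole(true, aSTNode, hashSet, hashSet2);
    }

    /**
     * Builds the task for {@code SHOW GRANT}; only ROLE principals are accepted.
     *
     * @param aSTNode statement node: child 0 the principal node, optional child 1 the object
     * @param path result file the output is written to
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a {@link ShowGrantDesc}
     * @throws SemanticException if the principal is not a ROLE, the second child has an unexpected
     *     token type, or the object names a partition or column
     */
    public Task<? extends Serializable> createShowGrantTask(ASTNode aSTNode, Path path, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        ASTNode principalNode = (ASTNode) aSTNode.getChild(0);
        // An unrecognised token falls back to USER, which the check below then rejects.
        PrincipalType principalType = principalTypeFor(principalNode.getType(), PrincipalType.USER);
        if (principalType != PrincipalType.ROLE) {
            throw new SemanticException(SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType);
        }
        PrincipalDesc principalDesc = new PrincipalDesc(BaseSemanticAnalyzer.unescapeIdentifier(principalNode.getChild(0).getText()), principalType);
        SentryHivePrivilegeObjectDesc privilegeObject = null;
        if (aSTNode.getChildCount() > 1) {
            ASTNode objectNode = (ASTNode) aSTNode.getChild(1);
            if (objectNode.getToken().getType() != TOKEN_PRIV_OBJECT_COL) {
                throw new SemanticException("Unrecognized Token: " + objectNode.getToken().getType());
            }
            privilegeObject = analyzePrivilegeObject(objectNode);
        }
        return createTask(new DDLWork(hashSet, hashSet2, new ShowGrantDesc(path.toString(), principalDesc, privilegeObject, (List) null)));
    }

    /**
     * Builds the task for {@code REVOKE ROLE}; see {@link #analyzeGrantRevokeRole}.
     *
     * @param aSTNode statement node: child 0 principal list, remaining children role names
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a {@link GrantRevokeRoleDDL}
     * @throws SemanticException if a principal is not a GROUP
     */
    public Task<? extends Serializable> createRevokeRoleTask(ASTNode aSTNode, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        return analyzeGrantRevokeRole(false, aSTNode, hashSet, hashSet2);
    }

    /**
     * Shared implementation of GRANT ROLE and REVOKE ROLE.
     *
     * <p>The grantor is the session authenticator's user name, or the empty string when no session
     * or authenticator is available; it is always typed as {@link PrincipalType#USER}.
     */
    private Task<? extends Serializable> analyzeGrantRevokeRole(boolean isGrant, ASTNode statement, HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException {
        List<PrincipalDesc> principals = analyzePrincipalListDef((ASTNode) statement.getChild(0));
        List<String> roleNames = new ArrayList<String>();
        for (int i = 1; i < statement.getChildCount(); i++) {
            roleNames.add(BaseSemanticAnalyzer.unescapeIdentifier(statement.getChild(i).getText()));
        }
        String grantor = sessionUserName("");
        for (PrincipalDesc principal : principals) {
            if (principal.getType() != PrincipalType.GROUP) {
                // NOTE(review): every other principal-type rejection in this class uses
                // GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL; the ..._ON_OBJECT constant here looks
                // like a copy/paste slip. Left unchanged because the message text is not visible.
                throw new SemanticException(SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT + principal.getType());
            }
        }
        return createTask(new DDLWork(inputs, outputs, new GrantRevokeRoleDDL(isGrant, roleNames, principals, grantor, PrincipalType.USER, false)));
    }

    /**
     * Builds the task for {@code SET ROLE}.
     *
     * <p>The role name is passed through as given: this method neither unescapes it nor checks it
     * against the reserved names.
     * NOTE(review): confirm the executing task verifies the session user may assume the role.
     *
     * @param str role name
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a SET_ROLE descriptor
     */
    public Task<? extends Serializable> createSetRoleTask(String str, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) {
        return createTask(new DDLWork(hashSet, hashSet2, new RoleDDLDesc(str, RoleDDLDesc.RoleOperation.SET_ROLE)));
    }

    /**
     * Builds the task for {@code SHOW CURRENT ROLES}.
     *
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @param path result file the output is written to
     * @return the task wrapping a SHOW_CURRENT_ROLE descriptor
     * @throws SemanticException declared by the interface; not thrown by this body
     */
    public Task<? extends Serializable> createShowCurrentRoleTask(HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2, Path path) throws SemanticException {
        RoleDDLDesc roleDDLDesc = new RoleDDLDesc((String) null, RoleDDLDesc.RoleOperation.SHOW_CURRENT_ROLE);
        roleDDLDesc.setResFile(path.toString());
        return createTask(new DDLWork(hashSet, hashSet2, roleDDLDesc));
    }

    /**
     * Builds the task for {@code SHOW PRINCIPALS <role>}.
     *
     * @param aSTNode statement node with exactly one child, the role name
     * @param path result file the output is written to
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a SHOW_ROLE_PRINCIPALS descriptor
     * @throws AssertionError if the node does not have exactly one child
     * @throws SemanticException declared by the interface; not thrown by this body
     */
    public Task<? extends Serializable> createShowRolePrincipalsTask(ASTNode aSTNode, Path path, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        if (aSTNode.getChildCount() != 1) {
            throw new AssertionError("Unexpected Tokens in SHOW ROLE PRINCIPALS");
        }
        // NOTE(review): unlike every other role-name read in this class, the text is not passed
        // through unescapeIdentifier, so a back-quoted role name keeps its quotes here. Confirm
        // whether that is intended before relying on the name for lookups.
        String roleName = aSTNode.getChild(0).getText();
        RoleDDLDesc roleDDLDesc = new RoleDDLDesc(roleName, PrincipalType.ROLE, RoleDDLDesc.RoleOperation.SHOW_ROLE_PRINCIPALS, (String) null);
        roleDDLDesc.setResFile(path.toString());
        return createTask(new DDLWork(hashSet, hashSet2, roleDDLDesc));
    }

    /**
     * Builds the task for {@code SHOW ROLES}.
     *
     * @param aSTNode statement node; not read by this implementation
     * @param path result file the output is written to
     * @param hashSet read entities handed to the {@link DDLWork}
     * @param hashSet2 write entities handed to the {@link DDLWork}
     * @return the task wrapping a SHOW_ROLES descriptor
     * @throws SemanticException declared by the interface; not thrown by this body
     */
    public Task<? extends Serializable> createShowRolesTask(ASTNode aSTNode, Path path, HashSet<ReadEntity> hashSet, HashSet<WriteEntity> hashSet2) throws SemanticException {
        RoleDDLDesc roleDDLDesc = new RoleDDLDesc((String) null, (PrincipalType) null, RoleDDLDesc.RoleOperation.SHOW_ROLES, (String) null);
        roleDDLDesc.setResFile(path.toString());
        return createTask(new DDLWork(hashSet, hashSet2, roleDDLDesc));
    }

    /**
     * Reads the object of a GRANT/REVOKE/SHOW GRANT statement.
     *
     * <p>Child 0 is the object name; later children mark the object kind. Partition and column
     * markers are rejected. For a URI object every single and double quote character is removed
     * from the name (not only surrounding ones); no other validation of the URI happens here.
     */
    private SentryHivePrivilegeObjectDesc analyzePrivilegeObject(ASTNode objectNode) throws SemanticException {
        SentryHivePrivilegeObjectDesc privilegeObject = new SentryHivePrivilegeObjectDesc();
        String objectName = BaseSemanticAnalyzer.unescapeIdentifier(objectNode.getChild(0).getText());
        for (int i = 1; i < objectNode.getChildCount(); i++) {
            ASTNode marker = (ASTNode) objectNode.getChild(i);
            switch (marker.getToken().getType()) {
                case TOKEN_PARTSPEC:
                    throw new SemanticException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED);
                case TOKEN_TABCOLNAME:
                    throw new SemanticException(SentryHiveConstants.COLUMN_PRIVS_NOT_SUPPORTED);
                case TOKEN_URI_TYPE:
                    // Literal replacement; same result as the regex form for these characters.
                    objectName = objectName.replace("'", "").replace("\"", "");
                    privilegeObject.setUri(true);
                    break;
                case TOKEN_SERVER_TYPE:
                    privilegeObject.setServer(true);
                    break;
                case TOKEN_TABLE_TYPE:
                    privilegeObject.setTable(true);
                    break;
                default:
                    break;
            }
        }
        privilegeObject.setObject(objectName);
        return privilegeObject;
    }

    /**
     * Converts a principal-list node into descriptors. A child whose token is none of
     * group/role/user yields a descriptor with a {@code null} type, which the callers' type
     * checks then reject.
     */
    private List<PrincipalDesc> analyzePrincipalListDef(ASTNode principalList) {
        List<PrincipalDesc> principals = new ArrayList<PrincipalDesc>();
        for (int i = 0; i < principalList.getChildCount(); i++) {
            ASTNode principalNode = (ASTNode) principalList.getChild(i);
            PrincipalType principalType = principalTypeFor(principalNode.getType(), null);
            String principalName = BaseSemanticAnalyzer.unescapeIdentifier(principalNode.getChild(0).getText());
            principals.add(new PrincipalDesc(principalName, principalType));
        }
        return principals;
    }

    /**
     * Converts a privilege-list node into descriptors, accepting only privileges known to
     * {@link PrivilegeRegistry} and listed in {@code SentryHiveConstants.ALLOWED_PRIVS}, and
     * rejecting any entry that carries a column list.
     */
    private List<PrivilegeDesc> analyzePrivilegeListDef(ASTNode privilegeList) throws SemanticException {
        List<PrivilegeDesc> privileges = new ArrayList<PrivilegeDesc>();
        for (int i = 0; i < privilegeList.getChildCount(); i++) {
            ASTNode privilegeDef = (ASTNode) privilegeList.getChild(i);
            ASTNode privilegeType = (ASTNode) privilegeDef.getChild(0);
            Privilege privilege = PrivilegeRegistry.getPrivilege(privilegeType.getType());
            if (privilege == null) {
                throw new SemanticException("undefined privilege " + privilegeType.getType());
            }
            if (!SentryHiveConstants.ALLOWED_PRIVS.contains(privilege.getPriv())) {
                throw new SemanticException(SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privilege.getPriv());
            }
            if (privilegeDef.getChildCount() > 1) {
                throw new SemanticException(SentryHiveConstants.COLUMN_PRIVS_NOT_SUPPORTED);
            }
            privileges.add(new PrivilegeDesc(privilege, (List) null));
        }
        return privileges;
    }

    /** Wraps the work in a {@link SentryGrantRevokeTask} with a fresh {@code Stage-N} id. */
    private static Task<? extends Serializable> createTask(DDLWork dDLWork) {
        SentryGrantRevokeTask task = new SentryGrantRevokeTask();
        task.setId("Stage-" + TaskFactory.getAndIncrementId());
        task.setWork(dDLWork);
        return task;
    }

    /** Reads the role name from child 0 of the statement and rejects reserved names. */
    private static String readNonReservedRoleName(ASTNode statement) throws SemanticException {
        String roleName = BaseSemanticAnalyzer.unescapeIdentifier(statement.getChild(0).getText());
        // Upper-case with a fixed locale so the reserved-name comparison does not depend on the
        // JVM default locale (under tr/az locales 'i' upper-cases to a dotted capital I, which
        // would let a name containing 'i' slip past an upper-cased ASCII entry).
        if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase(Locale.ROOT))) {
            throw new SemanticException("Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES);
        }
        return roleName;
    }

    /** Maps a principal token type to its {@link PrincipalType}, or {@code fallback} if unknown. */
    private static PrincipalType principalTypeFor(int tokenType, PrincipalType fallback) {
        switch (tokenType) {
            case TOKEN_GROUP:
                return PrincipalType.GROUP;
            case TOKEN_ROLE:
                return PrincipalType.ROLE;
            case TOKEN_USER:
                return PrincipalType.USER;
            default:
                return fallback;
        }
    }

    /**
     * Returns the user name reported by the session authenticator, or {@code fallback} when there
     * is no session or no authenticator. The authenticator's own return value is passed through
     * unchanged, so it may itself be {@code null}.
     */
    private static String sessionUserName(String fallback) {
        SessionState session = SessionState.get();
        if (session != null && session.getAuthenticator() != null) {
            return session.getAuthenticator().getUserName();
        }
        return fallback;
    }

    /**
     * Checks shared by GRANT and REVOKE, in the original order: no partition spec on the object,
     * no column list on any privilege, and every principal must be a ROLE.
     */
    private static void rejectUnsupportedGrantRevoke(SentryHivePrivilegeObjectDesc privilegeObject, List<PrivilegeDesc> privileges, List<PrincipalDesc> principals) throws SemanticException {
        if (privilegeObject.getPartSpec() != null) {
            throw new SemanticException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED);
        }
        for (PrivilegeDesc privilege : privileges) {
            List<?> columns = privilege.getColumns();
            if (columns != null && !columns.isEmpty()) {
                throw new SemanticException(SentryHiveConstants.COLUMN_PRIVS_NOT_SUPPORTED);
            }
        }
        for (PrincipalDesc principal : principals) {
            if (principal.getType() != PrincipalType.ROLE) {
                throw new SemanticException(SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType());
            }
        }
    }
}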
