package io.trino.plugin.opa;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSetMultimap;
import com.google.common.collect.Iterables;
import com.google.common.collect.Multimaps;
import com.google.inject.Inject;
import io.trino.plugin.opa.schema.OpaPluginContext;
import io.trino.plugin.opa.schema.OpaQueryContext;
import io.trino.plugin.opa.schema.OpaQueryInput;
import io.trino.plugin.opa.schema.OpaQueryInputAction;
import io.trino.plugin.opa.schema.OpaQueryInputResource;
import io.trino.plugin.opa.schema.TrinoCatalogSessionProperty;
import io.trino.plugin.opa.schema.TrinoFunction;
import io.trino.plugin.opa.schema.TrinoGrantPrincipal;
import io.trino.plugin.opa.schema.TrinoIdentity;
import io.trino.plugin.opa.schema.TrinoSchema;
import io.trino.plugin.opa.schema.TrinoTable;
import io.trino.plugin.opa.schema.TrinoUser;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.SchemaFunctionName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.SystemAccessControl;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.spi.security.TrinoPrincipal;
import java.security.Principal;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Consumer;

/* loaded from: input_file:io/trino/plugin/opa/OpaAccessControl.class */
/**
 * {@link SystemAccessControl} that delegates authorization decisions to Open Policy Agent (OPA).
 *
 * <p>Every {@code checkCan*} / {@code can*} / {@code filter*} method maps to exactly one OPA
 * operation name (the string literal handed to the client) plus a resource description built from
 * the {@code io.trino.plugin.opa.schema} types. The OPA round trip itself, and whatever happens when
 * OPA is unreachable or answers with an error, lives in {@link OpaHighLevelClient}; this class only
 * decides <em>what</em> to ask and <em>which</em> {@link AccessDeniedException} to raise when the
 * answer is not "allow". NOTE(review): whether the client fails closed on transport or policy
 * errors cannot be confirmed from this file - verify it in {@code OpaHighLevelClient} before
 * relying on it.
 *
 * <p>Not everything is sent to OPA. The following decisions are made locally and deserve a look
 * when auditing a deployment:
 * <ul>
 *   <li>{@link #checkCanSetUser} never denies, so the principal-to-user mapping is not policed
 *       here at all.</li>
 *   <li>Privilege and role management (the grant, deny and revoke checks for schemas and tables,
 *       {@link #checkCanCreateRole}, {@link #checkCanDropRole}, {@link #checkCanGrantRoles},
 *       {@link #checkCanRevokeRoles}) is gated solely by the {@code OpaConfig} flag
 *       {@code allowPermissionManagementOperations}: when it is {@code true} every caller passes
 *       without an OPA query, when {@code false} every caller is denied.</li>
 *   <li>{@link #checkCanShowRoles}, {@link #checkCanShowCurrentRoles} and
 *       {@link #checkCanShowRoleGrants} are unconditionally allowed.</li>
 * </ul>
 *
 * <p>The object holds only final fields after construction; safety of concurrent checks depends on
 * {@link OpaHighLevelClient}, which is shared across all calls.
 */
public class OpaAccessControl implements SystemAccessControl {
    private final OpaHighLevelClient client;
    private final boolean permissionManagementAllowed;
    private final OpaPluginContext pluginContext;

    /**
     * @param opaHighLevelClient performs the OPA round trips; must not be null
     * @param opaConfig source of {@code allowPermissionManagementOperations}; the flag is read once here
     * @param opaPluginContext static plugin context attached to every query; must not be null
     */
    @Inject
    public OpaAccessControl(OpaHighLevelClient opaHighLevelClient, OpaConfig opaConfig, OpaPluginContext opaPluginContext) {
        this.client = Objects.requireNonNull(opaHighLevelClient, "opaHighLevelClient is null");
        this.permissionManagementAllowed = opaConfig.getAllowPermissionManagementOperations();
        this.pluginContext = Objects.requireNonNull(opaPluginContext, "pluginContext is null");
    }

    // ------------------------------------------------------------------
    // Checks that only have an Identity (no SystemSecurityContext yet)
    // ------------------------------------------------------------------

    /** OPA operation {@code ImpersonateUser}; the resource is the user being impersonated. */
    public void checkCanImpersonateUser(Identity identity, String userName) {
        enforce(identity, "ImpersonateUser",
                () -> AccessDeniedException.denyImpersonateUser(identity.getUser(), userName),
                userResource(new TrinoUser(userName)));
    }

    /**
     * Always allows the authenticated {@code principal} to run as {@code userName}.
     *
     * <p>Security note: this is intentionally a no-op - no OPA query is made and nothing is ever
     * denied - so the mapping from authenticated principal to Trino user is left entirely to the
     * authenticator in front of Trino. Requests to act as another user that arrive as
     * impersonation go through {@link #checkCanImpersonateUser}, which does consult OPA.
     */
    public void checkCanSetUser(Optional<Principal> principal, String userName) {
        // Deliberately empty: see the security note above.
    }

    /** OPA operation {@code ExecuteQuery}, no resource. */
    public void checkCanExecuteQuery(Identity identity) {
        enforce(identity, "ExecuteQuery", AccessDeniedException::denyExecuteQuery);
    }

    /** OPA operation {@code ViewQueryOwnedBy}; the resource is the query owner's identity. */
    public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
        enforce(identity, "ViewQueryOwnedBy", AccessDeniedException::denyViewQuery,
                userResource(new TrinoUser(queryOwner)));
    }

    /**
     * Keeps only the owners for which OPA allows {@code FilterViewQueryOwnedBy}; one query per owner,
     * issued through the client's parallel filter.
     */
    public Collection<Identity> filterViewQueryOwnedBy(Identity identity, Collection<Identity> queryOwners) {
        OpaQueryContext queryContext = buildQueryContext(identity);
        return client.parallelFilterFromOpa(queryOwners, owner ->
                OpaHighLevelClient.buildQueryInputForSimpleResource(queryContext, "FilterViewQueryOwnedBy",
                        userResource(new TrinoUser(owner))));
    }

    /** OPA operation {@code KillQueryOwnedBy}; the resource is the query owner's identity. */
    public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) {
        enforce(identity, "KillQueryOwnedBy", AccessDeniedException::denyKillQuery,
                userResource(new TrinoUser(queryOwner)));
    }

    /** OPA operation {@code ReadSystemInformation}, no resource. */
    public void checkCanReadSystemInformation(Identity identity) {
        enforce(identity, "ReadSystemInformation", AccessDeniedException::denyReadSystemInformationAccess);
    }

    /** OPA operation {@code WriteSystemInformation}, no resource. */
    public void checkCanWriteSystemInformation(Identity identity) {
        enforce(identity, "WriteSystemInformation", AccessDeniedException::denyWriteSystemInformationAccess);
    }

    /** OPA operation {@code SetSystemSessionProperty}; only the property name is sent, not its value. */
    public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
        enforce(identity, "SetSystemSessionProperty",
                () -> AccessDeniedException.denySetSystemSessionProperty(propertyName),
                OpaQueryInputResource.builder().systemSessionProperty(propertyName).build());
    }

    // ------------------------------------------------------------------
    // Catalog
    // ------------------------------------------------------------------

    /** Returns the OPA verdict for {@code AccessCatalog} as a boolean instead of throwing. */
    public boolean canAccessCatalog(SystemSecurityContext context, String catalogName) {
        return client.queryOpaWithSimpleResource(buildQueryContext(context), "AccessCatalog", catalogResource(catalogName));
    }

    /** OPA operation {@code CreateCatalog}. */
    public void checkCanCreateCatalog(SystemSecurityContext context, String catalogName) {
        enforce(context, "CreateCatalog",
                () -> AccessDeniedException.denyCreateCatalog(catalogName),
                catalogResource(catalogName));
    }

    /** OPA operation {@code DropCatalog}. */
    public void checkCanDropCatalog(SystemSecurityContext context, String catalogName) {
        enforce(context, "DropCatalog",
                () -> AccessDeniedException.denyDropCatalog(catalogName),
                catalogResource(catalogName));
    }

    /** One {@code FilterCatalogs} query per catalog; returns the allowed subset. */
    public Set<String> filterCatalogs(SystemSecurityContext context, Set<String> catalogNames) {
        OpaQueryContext queryContext = buildQueryContext(context);
        return client.parallelFilterFromOpa(catalogNames, catalogName ->
                OpaHighLevelClient.buildQueryInputForSimpleResource(queryContext, "FilterCatalogs", catalogResource(catalogName)));
    }

    // ------------------------------------------------------------------
    // Schema
    // ------------------------------------------------------------------

    /** OPA operation {@code CreateSchema}; the requested schema properties are included in the resource. */
    public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map<String, Object> properties) {
        TrinoSchema target = new TrinoSchema(schema).withProperties(toOptionalValues(properties));
        enforce(context, "CreateSchema",
                () -> AccessDeniedException.denyCreateSchema(schema.toString()),
                schemaResource(target));
    }

    /** OPA operation {@code DropSchema}. */
    public void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName schema) {
        enforce(context, "DropSchema",
                () -> AccessDeniedException.denyDropSchema(schema.toString()),
                schemaResource(new TrinoSchema(schema)));
    }

    /**
     * OPA operation {@code RenameSchema}, sent as a single query carrying both the current schema
     * (resource) and the new name in the same catalog (target resource).
     */
    public void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaName schema, String newSchemaName) {
        OpaQueryInputResource current = schemaResource(new TrinoSchema(schema));
        OpaQueryInputResource renamed = schemaResource(new TrinoSchema(schema.getCatalogName(), newSchemaName));
        enforceRename(context, "RenameSchema", current, renamed,
                () -> AccessDeniedException.denyRenameSchema(schema.toString(), newSchemaName));
    }

    /** OPA operation {@code SetSchemaAuthorization}; the new owner is sent as the grantee. */
    public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) {
        enforceAuthorizationChange(context, "SetSchemaAuthorization", schemaResource(new TrinoSchema(schema)), principal,
                () -> AccessDeniedException.denySetSchemaAuthorization(schema.toString(), principal));
    }

    /** OPA operation {@code ShowSchemas}; the resource is the catalog. */
    public void checkCanShowSchemas(SystemSecurityContext context, String catalogName) {
        enforce(context, "ShowSchemas", AccessDeniedException::denyShowSchemas, catalogResource(catalogName));
    }

    /** One {@code FilterSchemas} query per schema in {@code catalogName}; returns the allowed subset. */
    public Set<String> filterSchemas(SystemSecurityContext context, String catalogName, Set<String> schemaNames) {
        OpaQueryContext queryContext = buildQueryContext(context);
        return client.parallelFilterFromOpa(schemaNames, schemaName ->
                OpaHighLevelClient.buildQueryInputForSimpleResource(queryContext, "FilterSchemas",
                        schemaResource(new TrinoSchema(catalogName, schemaName))));
    }

    /** OPA operation {@code ShowCreateSchema}. */
    public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
        enforce(context, "ShowCreateSchema",
                () -> AccessDeniedException.denyShowCreateSchema(schema.toString()),
                schemaResource(new TrinoSchema(schema)));
    }

    // ------------------------------------------------------------------
    // Table
    // ------------------------------------------------------------------

    /** OPA operation {@code ShowCreateTable}. */
    public void checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "ShowCreateTable", table, AccessDeniedException::denyShowCreateTable);
    }

    /** OPA operation {@code CreateTable}; the requested table properties travel with the resource. */
    public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table, Map<String, Object> properties) {
        enforceTableWithProperties(context, "CreateTable", table, toOptionalValues(properties), AccessDeniedException::denyCreateTable);
    }

    /** OPA operation {@code DropTable}. */
    public void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "DropTable", table, AccessDeniedException::denyDropTable);
    }

    /** OPA operation {@code RenameTable}: one query with the source table and the target name. */
    public void checkCanRenameTable(SystemSecurityContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable) {
        enforceRename(context, "RenameTable", tableResource(table), tableResource(newTable),
                () -> AccessDeniedException.denyRenameTable(table.toString(), newTable.toString()));
    }

    /**
     * OPA operation {@code SetTableProperties}. The property map is passed through as-is; an empty
     * {@link Optional} value means the property is being reset rather than set.
     */
    public void checkCanSetTableProperties(SystemSecurityContext context, CatalogSchemaTableName table, Map<String, Optional<Object>> properties) {
        enforceTableWithProperties(context, "SetTableProperties", table, properties, AccessDeniedException::denySetTableProperties);
    }

    /** OPA operation {@code SetTableComment}. */
    public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "SetTableComment", table, AccessDeniedException::denyCommentTable);
    }

    /** OPA operation {@code SetViewComment}; views are sent as table resources. */
    public void checkCanSetViewComment(SystemSecurityContext context, CatalogSchemaTableName view) {
        enforceTable(context, "SetViewComment", view, AccessDeniedException::denyCommentView);
    }

    /** OPA operation {@code SetColumnComment}; only the table is sent, not the column. */
    public void checkCanSetColumnComment(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "SetColumnComment", table, AccessDeniedException::denyCommentColumn);
    }

    /** OPA operation {@code ShowTables}; the resource is the schema. */
    public void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName schema) {
        enforce(context, "ShowTables",
                () -> AccessDeniedException.denyShowTables(schema.toString()),
                schemaResource(new TrinoSchema(schema)));
    }

    /** One {@code FilterTables} query per table in {@code catalogName}; returns the allowed subset. */
    public Set<SchemaTableName> filterTables(SystemSecurityContext context, String catalogName, Set<SchemaTableName> tableNames) {
        OpaQueryContext queryContext = buildQueryContext(context);
        return client.parallelFilterFromOpa(tableNames, tableName ->
                OpaHighLevelClient.buildQueryInputForSimpleResource(queryContext, "FilterTables",
                        tableResource(new TrinoTable(catalogName, tableName.getSchemaName(), tableName.getTableName()))));
    }

    /** OPA operation {@code ShowColumns}; only the table is sent. */
    public void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "ShowColumns", table, AccessDeniedException::denyShowColumns);
    }

    /**
     * Column-level filtering: every (table, column) pair becomes its own {@code FilterColumns} query
     * whose resource is the table carrying exactly that one column. The surviving pairs are regrouped
     * by table; a table whose columns were all rejected does not appear in the result at all.
     */
    public Map<SchemaTableName, Set<String>> filterColumns(SystemSecurityContext context, String catalogName, Map<SchemaTableName, Set<String>> tableColumns) {
        ImmutableSet.Builder<TrinoTable> candidates = ImmutableSet.builder();
        tableColumns.forEach((tableName, columns) -> {
            TrinoTable bare = new TrinoTable(catalogName, tableName.getSchemaName(), tableName.getTableName());
            for (String column : columns) {
                candidates.add(bare.withColumns(ImmutableSet.of(column)));
            }
        });

        OpaQueryContext queryContext = buildQueryContext(context);
        Set<TrinoTable> allowed = client.parallelFilterFromOpa(candidates.build(), candidate ->
                OpaHighLevelClient.buildQueryInputForSimpleResource(queryContext, "FilterColumns", tableResource(candidate)));

        ImmutableSetMultimap.Builder<SchemaTableName, String> grouped = ImmutableSetMultimap.builder();
        for (TrinoTable survivor : allowed) {
            // Each candidate was built with a single column, so getOnlyElement cannot see more than one.
            grouped.put(new SchemaTableName(survivor.schemaName(), survivor.tableName()),
                    Iterables.getOnlyElement(survivor.columns()));
        }
        return Multimaps.asMap(grouped.build());
    }

    /** OPA operation {@code AddColumn}; only the table is sent. */
    public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "AddColumn", table, AccessDeniedException::denyAddColumn);
    }

    /** OPA operation {@code AlterColumn}; only the table is sent. */
    public void checkCanAlterColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "AlterColumn", table, AccessDeniedException::denyAlterColumn);
    }

    /** OPA operation {@code DropColumn}; only the table is sent. */
    public void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "DropColumn", table, AccessDeniedException::denyDropColumn);
    }

    /** OPA operation {@code SetTableAuthorization}; the new owner is sent as the grantee. */
    public void checkCanSetTableAuthorization(SystemSecurityContext context, CatalogSchemaTableName table, TrinoPrincipal principal) {
        enforceAuthorizationChange(context, "SetTableAuthorization", tableResource(table), principal,
                () -> AccessDeniedException.denySetTableAuthorization(table.toString(), principal));
    }

    /** OPA operation {@code RenameColumn}; only the table is sent. */
    public void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "RenameColumn", table, AccessDeniedException::denyRenameColumn);
    }

    /** OPA operation {@code SelectFromColumns}; the resource is the table plus the requested column set. */
    public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
        enforceTableWithColumns(context, "SelectFromColumns", table, columns, AccessDeniedException::denySelectColumns);
    }

    /** OPA operation {@code InsertIntoTable}. */
    public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "InsertIntoTable", table, AccessDeniedException::denyInsertTable);
    }

    /** OPA operation {@code DeleteFromTable}. */
    public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "DeleteFromTable", table, AccessDeniedException::denyDeleteTable);
    }

    /** OPA operation {@code TruncateTable}. */
    public void checkCanTruncateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        enforceTable(context, "TruncateTable", table, AccessDeniedException::denyTruncateTable);
    }

    /** OPA operation {@code UpdateTableColumns}; the resource is the table plus the columns being written. */
    public void checkCanUpdateTableColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
        enforceTableWithColumns(context, "UpdateTableColumns", table, columns, AccessDeniedException::denyUpdateTableColumns);
    }

    // ------------------------------------------------------------------
    // View / materialized view
    // ------------------------------------------------------------------

    /** OPA operation {@code CreateView}. */
    public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view) {
        enforceTable(context, "CreateView", view, AccessDeniedException::denyCreateView);
    }

    /** OPA operation {@code RenameView}: one query with source and target. */
    public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView) {
        enforceRename(context, "RenameView", tableResource(view), tableResource(newView),
                () -> AccessDeniedException.denyRenameView(view.toString(), newView.toString()));
    }

    /** OPA operation {@code SetViewAuthorization}; the new owner is sent as the grantee. */
    public void checkCanSetViewAuthorization(SystemSecurityContext context, CatalogSchemaTableName view, TrinoPrincipal principal) {
        enforceAuthorizationChange(context, "SetViewAuthorization", tableResource(view), principal,
                () -> AccessDeniedException.denySetViewAuthorization(view.toString(), principal));
    }

    /** OPA operation {@code DropView}. */
    public void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view) {
        enforceTable(context, "DropView", view, AccessDeniedException::denyDropView);
    }

    /**
     * OPA operation {@code CreateViewWithSelectFromColumns}; the resource is the source table plus the
     * referenced columns. The denial message names the table and the caller's identity, not the columns.
     */
    public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
        enforceTableWithColumns(context, "CreateViewWithSelectFromColumns", table, columns,
                (tableName, ignoredColumns) -> AccessDeniedException.denyCreateViewWithSelect(tableName, context.getIdentity()));
    }

    /** OPA operation {@code CreateMaterializedView}; the requested properties travel with the resource. */
    public void checkCanCreateMaterializedView(SystemSecurityContext context, CatalogSchemaTableName view, Map<String, Object> properties) {
        enforceTableWithProperties(context, "CreateMaterializedView", view, toOptionalValues(properties), AccessDeniedException::denyCreateMaterializedView);
    }

    /** OPA operation {@code RefreshMaterializedView}. */
    public void checkCanRefreshMaterializedView(SystemSecurityContext context, CatalogSchemaTableName view) {
        enforceTable(context, "RefreshMaterializedView", view, AccessDeniedException::denyRefreshMaterializedView);
    }

    /** OPA operation {@code SetMaterializedViewProperties}; the property map is passed through as-is. */
    public void checkCanSetMaterializedViewProperties(SystemSecurityContext context, CatalogSchemaTableName view, Map<String, Optional<Object>> properties) {
        enforceTableWithProperties(context, "SetMaterializedViewProperties", view, properties, AccessDeniedException::denySetMaterializedViewProperties);
    }

    /** OPA operation {@code DropMaterializedView}. */
    public void checkCanDropMaterializedView(SystemSecurityContext context, CatalogSchemaTableName view) {
        enforceTable(context, "DropMaterializedView", view, AccessDeniedException::denyDropMaterializedView);
    }

    /** OPA operation {@code RenameMaterializedView}: one query with source and target. */
    public void checkCanRenameMaterializedView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView) {
        enforceRename(context, "RenameMaterializedView", tableResource(view), tableResource(newView),
                () -> AccessDeniedException.denyRenameMaterializedView(view.toString(), newView.toString()));
    }

    /** OPA operation {@code SetCatalogSessionProperty}; catalog and property name are sent, the value is not. */
    public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
        enforce(context, "SetCatalogSessionProperty",
                () -> AccessDeniedException.denySetCatalogSessionProperty(propertyName),
                OpaQueryInputResource.builder().catalogSessionProperty(new TrinoCatalogSessionProperty(catalogName, propertyName)).build());
    }

    // ------------------------------------------------------------------
    // Privilege and role management: NOT sent to OPA.
    //
    // All of the following are decided by the single configuration flag
    // allowPermissionManagementOperations. With the flag on, any caller may grant, deny or
    // revoke any privilege or role as far as this system access control is concerned; the
    // principal, privilege and target are ignored. With the flag off, all of them are denied.
    // ------------------------------------------------------------------

    public void checkCanGrantSchemaPrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaName schema, TrinoPrincipal grantee, boolean grantOption) {
        String privilegeName = privilege.toString();
        String schemaName = schema.toString();
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyGrantSchemaPrivilege(privilegeName, schemaName);
        }
    }

    public void checkCanDenySchemaPrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaName schema, TrinoPrincipal grantee) {
        String privilegeName = privilege.toString();
        String schemaName = schema.toString();
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyDenySchemaPrivilege(privilegeName, schemaName);
        }
    }

    public void checkCanRevokeSchemaPrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaName schema, TrinoPrincipal revokee, boolean grantOption) {
        String privilegeName = privilege.toString();
        String schemaName = schema.toString();
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyRevokeSchemaPrivilege(privilegeName, schemaName);
        }
    }

    public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal grantee, boolean grantOption) {
        String privilegeName = privilege.toString();
        String tableName = table.toString();
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyGrantTablePrivilege(privilegeName, tableName);
        }
    }

    public void checkCanDenyTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal grantee) {
        String privilegeName = privilege.toString();
        String tableName = table.toString();
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyDenyTablePrivilege(privilegeName, tableName);
        }
    }

    public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal revokee, boolean grantOption) {
        String privilegeName = privilege.toString();
        String tableName = table.toString();
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyRevokeTablePrivilege(privilegeName, tableName);
        }
    }

    public void checkCanCreateRole(SystemSecurityContext context, String role, Optional<TrinoPrincipal> grantor) {
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyCreateRole(role);
        }
    }

    public void checkCanDropRole(SystemSecurityContext context, String role) {
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyDropRole(role);
        }
    }

    public void checkCanGrantRoles(SystemSecurityContext context, Set<String> roles, Set<TrinoPrincipal> grantees, boolean adminOption, Optional<TrinoPrincipal> grantor) {
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyGrantRoles(roles, grantees);
        }
    }

    public void checkCanRevokeRoles(SystemSecurityContext context, Set<String> roles, Set<TrinoPrincipal> grantees, boolean adminOption, Optional<TrinoPrincipal> grantor) {
        if (!permissionManagementAllowed) {
            AccessDeniedException.denyRevokeRoles(roles, grantees);
        }
    }

    /** Unconditionally allowed; no OPA query. */
    public void checkCanShowRoles(SystemSecurityContext context) {
    }

    /** Unconditionally allowed; no OPA query. */
    public void checkCanShowCurrentRoles(SystemSecurityContext context) {
    }

    /** Unconditionally allowed; no OPA query. */
    public void checkCanShowRoleGrants(SystemSecurityContext context) {
    }

    // ------------------------------------------------------------------
    // Functions and procedures
    // ------------------------------------------------------------------

    /** OPA operation {@code ShowFunctions}; the resource is the schema. */
    public void checkCanShowFunctions(SystemSecurityContext context, CatalogSchemaName schema) {
        enforce(context, "ShowFunctions",
                () -> AccessDeniedException.denyShowFunctions(schema.toString()),
                schemaResource(new TrinoSchema(schema)));
    }

    /** One {@code FilterFunctions} query per function in {@code catalogName}; returns the allowed subset. */
    public Set<SchemaFunctionName> filterFunctions(SystemSecurityContext context, String catalogName, Set<SchemaFunctionName> functionNames) {
        OpaQueryContext queryContext = buildQueryContext(context);
        return client.parallelFilterFromOpa(functionNames, functionName ->
                OpaHighLevelClient.buildQueryInputForSimpleResource(queryContext, "FilterFunctions",
                        functionResource(new TrinoFunction(new TrinoSchema(catalogName, functionName.getSchemaName()), functionName.getFunctionName()))));
    }

    /** OPA operation {@code ExecuteProcedure}; the procedure is sent as a function resource. */
    public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchemaRoutineName procedure) {
        enforce(context, "ExecuteProcedure",
                () -> AccessDeniedException.denyExecuteProcedure(procedure.toString()),
                functionResource(TrinoFunction.fromTrinoFunction(procedure)));
    }

    /** Returns the OPA verdict for {@code ExecuteFunction} as a boolean instead of throwing. */
    public boolean canExecuteFunction(SystemSecurityContext context, CatalogSchemaRoutineName function) {
        return client.queryOpaWithSimpleResource(buildQueryContext(context), "ExecuteFunction",
                functionResource(TrinoFunction.fromTrinoFunction(function)));
    }

    /** Returns the OPA verdict for {@code CreateViewWithExecuteFunction} as a boolean instead of throwing. */
    public boolean canCreateViewWithExecuteFunction(SystemSecurityContext context, CatalogSchemaRoutineName function) {
        return client.queryOpaWithSimpleResource(buildQueryContext(context), "CreateViewWithExecuteFunction",
                functionResource(TrinoFunction.fromTrinoFunction(function)));
    }

    /**
     * OPA operation {@code ExecuteTableProcedure}. Unlike the other routine checks, the procedure is
     * sent as a bare name string alongside the table resource rather than as a {@link TrinoFunction}.
     */
    public void checkCanExecuteTableProcedure(SystemSecurityContext context, CatalogSchemaTableName table, String procedure) {
        enforce(context, "ExecuteTableProcedure",
                () -> AccessDeniedException.denyExecuteTableProcedure(table.toString(), procedure),
                OpaQueryInputResource.builder().table(new TrinoTable(table)).function(procedure).build());
    }

    /** OPA operation {@code CreateFunction}. */
    public void checkCanCreateFunction(SystemSecurityContext context, CatalogSchemaRoutineName function) {
        enforce(context, "CreateFunction",
                () -> AccessDeniedException.denyCreateFunction(function.toString()),
                functionResource(TrinoFunction.fromTrinoFunction(function)));
    }

    /** OPA operation {@code DropFunction}. */
    public void checkCanDropFunction(SystemSecurityContext context, CatalogSchemaRoutineName function) {
        enforce(context, "DropFunction",
                () -> AccessDeniedException.denyDropFunction(function.toString()),
                functionResource(TrinoFunction.fromTrinoFunction(function)));
    }

    // ------------------------------------------------------------------
    // Plumbing
    // ------------------------------------------------------------------

    /** Identity-only query with no resource; {@code deny} is what the client runs when OPA does not allow. */
    private void enforce(Identity identity, String operation, Runnable deny) {
        client.queryAndEnforce(buildQueryContext(identity), operation, deny);
    }

    /** Identity-only query against {@code resource}. */
    private void enforce(Identity identity, String operation, Runnable deny, OpaQueryInputResource resource) {
        client.queryAndEnforce(buildQueryContext(identity), operation, deny, resource);
    }

    /** Context-based query against {@code resource}. */
    private void enforce(SystemSecurityContext context, String operation, Runnable deny, OpaQueryInputResource resource) {
        client.queryAndEnforce(buildQueryContext(context), operation, deny, resource);
    }

    /** Table operation where the denial only needs the table name. */
    private void enforceTable(SystemSecurityContext context, String operation, CatalogSchemaTableName table, Consumer<String> deny) {
        enforce(context, operation, () -> deny.accept(table.toString()), tableResource(table));
    }

    /** Table operation whose resource additionally carries a property map. */
    private void enforceTableWithProperties(SystemSecurityContext context, String operation, CatalogSchemaTableName table,
            Map<String, Optional<Object>> properties, Consumer<String> deny) {
        TrinoTable withProperties = new TrinoTable(table).withProperties(properties);
        enforce(context, operation, () -> deny.accept(table.toString()), tableResource(withProperties));
    }

    /** Table operation whose resource additionally carries a column set; the denial receives both. */
    private void enforceTableWithColumns(SystemSecurityContext context, String operation, CatalogSchemaTableName table,
            Set<String> columns, BiConsumer<String, Set<String>> deny) {
        TrinoTable withColumns = new TrinoTable(table).withColumns(columns);
        enforce(context, operation, () -> deny.accept(table.toString(), columns), tableResource(withColumns));
    }

    /** Source-and-target query used by every rename; runs {@code deny} on a negative verdict. */
    private void enforceRename(SystemSecurityContext context, String operation, OpaQueryInputResource source,
            OpaQueryInputResource target, Runnable deny) {
        if (!client.queryOpaWithSourceAndTargetResource(buildQueryContext(context), operation, source, target)) {
            deny.run();
        }
    }

    /** Ownership change: the query carries the resource plus the prospective owner as grantee. */
    private void enforceAuthorizationChange(SystemSecurityContext context, String operation, OpaQueryInputResource resource,
            TrinoPrincipal newOwner, Runnable deny) {
        OpaQueryInputAction action = OpaQueryInputAction.builder()
                .operation(operation)
                .resource(resource)
                .grantee(TrinoGrantPrincipal.fromTrinoPrincipal(newOwner))
                .build();
        if (!client.queryOpa(new OpaQueryInput(buildQueryContext(context), action))) {
            deny.run();
        }
    }

    private static OpaQueryInputResource userResource(TrinoUser user) {
        return OpaQueryInputResource.builder().user(user).build();
    }

    private static OpaQueryInputResource catalogResource(String catalogName) {
        return OpaQueryInputResource.builder().catalog(catalogName).build();
    }

    private static OpaQueryInputResource schemaResource(TrinoSchema schema) {
        return OpaQueryInputResource.builder().schema(schema).build();
    }

    private static OpaQueryInputResource tableResource(CatalogSchemaTableName table) {
        return tableResource(new TrinoTable(table));
    }

    private static OpaQueryInputResource tableResource(TrinoTable table) {
        return OpaQueryInputResource.builder().table(table).build();
    }

    private static OpaQueryInputResource functionResource(TrinoFunction function) {
        return OpaQueryInputResource.builder().function(function).build();
    }

    /**
     * Wraps every value of a create-time property map in an {@link Optional} so it has the same shape
     * as the set-properties maps Trino hands over directly; null values become {@code Optional.empty()}.
     */
    private static Map<String, Optional<Object>> toOptionalValues(Map<String, Object> properties) {
        ImmutableMap.Builder<String, Optional<Object>> wrapped = ImmutableMap.builder();
        properties.forEach((name, value) -> wrapped.put(name, Optional.ofNullable(value)));
        return wrapped.build();
    }

    /** Query context for identity-only checks: the caller's identity plus the static plugin context. */
    public OpaQueryContext buildQueryContext(Identity identity) {
        return new OpaQueryContext(TrinoIdentity.fromTrinoIdentity(identity), pluginContext);
    }

    /** Query context for context-based checks; only the identity is taken from the security context. */
    public OpaQueryContext buildQueryContext(SystemSecurityContext context) {
        return new OpaQueryContext(TrinoIdentity.fromTrinoIdentity(context.getIdentity()), pluginContext);
    }
}
