package org.apache.cassandra.auth;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Lists;
import java.nio.ByteBuffer;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.cassandra.auth.AuthCache;
import org.apache.cassandra.auth.CIDRPermissions;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.schema.SchemaConstants;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.service.reads.range.RangeCommands;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.apache.cassandra.utils.Clock;
import org.apache.cassandra.utils.MBeanWrapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/auth/CIDRPermissionsManager.class */
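/**
 * Reads and writes the CIDR groups a role may connect from, stored in the
 * {@code AuthKeyspace.CIDR_PERMISSIONS} table of the auth keyspace, and exposes a JMX
 * operation to invalidate the CIDR permissions cache.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The write paths ({@link #setCidrGroupsForRole} and {@link #drop}) build CQL text with
 *       {@code String.format}. Role names and CIDR group names are embedded as single-quoted
 *       literals, so they are escaped with {@link #escapeCqlString(String)} first.</li>
 *   <li>{@link #getCidrPermissionsForRole} returns {@code CIDRPermissions.all()} when a login
 *       role has no stored groups: an absent or empty row means "unrestricted", not "denied".</li>
 * </ul>
 */
public class CIDRPermissionsManager implements CIDRPermissionsManagerMBean, AuthCache.BulkLoader<RoleResource, CIDRPermissions> {
    public static final String MBEAN_NAME = "org.apache.cassandra.db:type=CIDRPermissionsManager";
    private static final Logger logger = LoggerFactory.getLogger(CIDRPermissionsManager.class);

    /** Name of the column holding the frozen set of CIDR group names. */
    private static final String CIDR_GROUPS_COLUMN = "cidr_groups";

    /** Prepared lookup of a single role's CIDR groups; assigned in {@link #setup()}. */
    private SelectStatement getCidrPermissionsOfUserStatement = null;

    /**
     * Registers this object as an MBean (unless already registered) and prepares the
     * parameterized per-role select statement used by {@link #getCidrPermissionsForRole}.
     */
    public void setup() {
        if (!MBeanWrapper.instance.isRegistered(MBEAN_NAME)) {
            MBeanWrapper.instance.registerMBean(this, MBEAN_NAME);
        }
        // The role name is a bind marker here, so this read path needs no escaping.
        String query = String.format("SELECT %s FROM %s.%s WHERE %s = ?",
                                     CIDR_GROUPS_COLUMN,
                                     SchemaConstants.AUTH_KEYSPACE_NAME,
                                     AuthKeyspace.CIDR_PERMISSIONS,
                                     AuthKeyspace.CIDR_PERMISSIONS_TBL_ROLE_COL_NAME);
        this.getCidrPermissionsOfUserStatement =
            (SelectStatement) QueryProcessor.getStatement(query, ClientState.forInternalCalls());
    }

    /**
     * Executes a select statement with the internal query state.
     *
     * @param selectStatement statement to run
     * @param queryOptions    consistency level and bound values for the statement
     * @return the rows produced by the statement
     */
    @VisibleForTesting
    ResultMessage.Rows select(SelectStatement selectStatement, QueryOptions queryOptions) {
        return selectStatement.execute(QueryState.forInternalCalls(), queryOptions, Clock.Global.nanoTime());
    }

    /**
     * Runs a CQL string through {@code QueryProcessor.process}.
     *
     * <p>The text is executed as given, so callers must escape any value they embed in it.
     *
     * @param str              CQL text to execute
     * @param consistencyLevel consistency level for the query
     * @return the result set of the query
     * @throws RequestExecutionException if execution fails
     */
    @VisibleForTesting
    UntypedResultSet process(String str, ConsistencyLevel consistencyLevel) throws RequestExecutionException {
        return QueryProcessor.process(str, consistencyLevel);
    }

    /**
     * Escapes a value for use inside a single-quoted CQL string literal by doubling every
     * single quote, so a quote inside a name cannot end the literal early.
     *
     * @param value text to embed; {@code null} is passed through unchanged so that formatting
     *              behaves as it did before escaping was added
     * @return the escaped text, or {@code null} if {@code value} was {@code null}
     */
    private static String escapeCqlString(String value) {
        return value == null ? null : value.replace("'", "''");
    }

    /**
     * Looks up the CIDR groups stored for a role using the prepared, parameterized statement.
     *
     * @param roleName name of the role to look up
     * @return the stored groups, or an empty set when there is no row or no value in the column
     */
    private Set<String> getAuthorizedCIDRGroups(String roleName) {
        QueryOptions options = QueryOptions.forInternalCalls(CassandraAuthorizer.authReadConsistencyLevel(),
                                                             Lists.newArrayList(new ByteBuffer[]{ByteBufferUtil.bytes(roleName)}));
        UntypedResultSet rows = UntypedResultSet.create(select(this.getCidrPermissionsOfUserStatement, options).result);
        if (rows.isEmpty()) {
            return Collections.emptySet();
        }
        UntypedResultSet.Row row = rows.one();
        if (!row.has(CIDR_GROUPS_COLUMN)) {
            return Collections.emptySet();
        }
        return row.getFrozenSet(CIDR_GROUPS_COLUMN, UTF8Type.instance);
    }

    /**
     * Renders the permitted CIDR groups as a CQL set literal such as {@code {'a', 'b'}}.
     *
     * @param cIDRPermissions permissions to render
     * @return {@code {}} when the permissions do not restrict access, otherwise the quoted and
     *         escaped group names joined with {@code ", "} inside braces
     */
    private static String getCidrPermissionsSetString(CIDRPermissions cIDRPermissions) {
        if (!cIDRPermissions.restrictsAccess()) {
            return "{}";
        }
        // Group names end up inside the UPDATE statement text, so each one is escaped.
        String groups = cIDRPermissions.allowedCIDRGroups()
                                       .stream()
                                       .map(group -> "'" + escapeCqlString(group) + "'")
                                       .collect(Collectors.joining(", "));
        return "{" + groups + "}";
    }

    /**
     * Resolves the CIDR permissions that apply to a role.
     *
     * @param roleResource role to resolve
     * @return {@code CIDRPermissions.none()} for roles that cannot log in;
     *         {@code CIDRPermissions.all()} for superusers when CIDR checks for superusers are
     *         disabled, and for login roles with no stored groups; otherwise the subset of
     *         stored groups
     */
    public CIDRPermissions getCidrPermissionsForRole(RoleResource roleResource) {
        if (!Roles.canLogin(roleResource)) {
            return CIDRPermissions.none();
        }
        if (Roles.hasSuperuserStatus(roleResource) && !DatabaseDescriptor.getCidrChecksForSuperusers()) {
            return CIDRPermissions.all();
        }
        Set<String> authorizedCIDRGroups = getAuthorizedCIDRGroups(roleResource.getRoleName());
        // No stored groups means the role is not CIDR-restricted at all (open by default).
        if (authorizedCIDRGroups == null || authorizedCIDRGroups.isEmpty()) {
            return CIDRPermissions.all();
        }
        return CIDRPermissions.subset(authorizedCIDRGroups);
    }

    /**
     * Stores the CIDR groups for a role, replacing the previous value of the column.
     *
     * @param roleResource    role whose row is updated
     * @param cIDRPermissions permissions to store; unrestricted permissions are stored as an
     *                        empty set literal
     */
    public void setCidrGroupsForRole(RoleResource roleResource, CIDRPermissions cIDRPermissions) {
        // The role name is embedded as a quoted literal, hence the escaping.
        String query = String.format("UPDATE %s.%s SET %s = %s WHERE %s = '%s'",
                                     SchemaConstants.AUTH_KEYSPACE_NAME,
                                     AuthKeyspace.CIDR_PERMISSIONS,
                                     CIDR_GROUPS_COLUMN,
                                     getCidrPermissionsSetString(cIDRPermissions),
                                     AuthKeyspace.CIDR_PERMISSIONS_TBL_ROLE_COL_NAME,
                                     escapeCqlString(roleResource.getRoleName()));
        process(query, CassandraAuthorizer.authWriteConsistencyLevel());
    }

    /**
     * Deletes the CIDR permissions row of a role.
     *
     * @param roleResource role whose row is removed
     */
    public void drop(RoleResource roleResource) {
        // The role name is embedded as a quoted literal, hence the escaping.
        String query = String.format("DELETE FROM %s.%s WHERE role = '%s'",
                                     SchemaConstants.AUTH_KEYSPACE_NAME,
                                     AuthKeyspace.CIDR_PERMISSIONS,
                                     escapeCqlString(roleResource.getRoleName()));
        process(query, CassandraAuthorizer.authWriteConsistencyLevel());
    }

    /**
     * Supplies a loader that reads every row of the CIDR permissions table to pre-warm the cache.
     *
     * @return a supplier producing a map from role to its stored CIDR permissions; the supplier
     *         throws {@link RuntimeException} when there are not enough live nodes for a full
     *         table read at the auth read consistency level
     */
    @Override // org.apache.cassandra.auth.AuthCache.BulkLoader
    public Supplier<Map<RoleResource, CIDRPermissions>> bulkLoader() {
        return () -> {
            if (!RangeCommands.sufficientLiveNodesForSelectStar(AuthKeyspace.metadata().tables.getNullable(AuthKeyspace.CIDR_PERMISSIONS), AuthProperties.instance.getReadConsistencyLevel())) {
                throw new RuntimeException("insufficient live nodes for " + AuthProperties.instance.getReadConsistencyLevel() + " pre-warm query against system_auth.cidr_permissions");
            }
            logger.info("Pre-warming CIDR permissions cache from cidr_permissions table");
            Map<RoleResource, CIDRPermissions> permissionsByRole = new HashMap<>();
            // Only schema constants are formatted into this statement; no caller-supplied values.
            String query = String.format("SELECT %s, %s FROM %s.%s",
                                         AuthKeyspace.CIDR_PERMISSIONS_TBL_ROLE_COL_NAME,
                                         CIDR_GROUPS_COLUMN,
                                         SchemaConstants.AUTH_KEYSPACE_NAME,
                                         AuthKeyspace.CIDR_PERMISSIONS);
            for (UntypedResultSet.Row row : process(query, CassandraAuthorizer.authReadConsistencyLevel())) {
                RoleResource role = RoleResource.role(row.getString(AuthKeyspace.CIDR_PERMISSIONS_TBL_ROLE_COL_NAME));
                CIDRPermissions.Builder builder = new CIDRPermissions.Builder();
                for (String group : row.getFrozenSet(CIDR_GROUPS_COLUMN, UTF8Type.instance)) {
                    builder.add(group);
                }
                permissionsByRole.put(role, builder.build());
            }
            return permissionsByRole;
        };
    }

    /**
     * JMX operation that delegates cache invalidation to the configured CIDR authorizer.
     *
     * @param str role name passed through to the authorizer
     * @return the value returned by the authorizer's invalidation call
     */
    @Override // org.apache.cassandra.auth.CIDRPermissionsManagerMBean
    public boolean invalidateCidrPermissionsCache(String str) {
        return DatabaseDescriptor.getCIDRAuthorizer().invalidateCidrPermissionsCache(str);
    }
}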
