package org.apache.cassandra.auth;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.cassandra.auth.IRoleManager;
import org.apache.cassandra.concurrent.ScheduledExecutors;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.CQLStatement;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnauthorizedException;
import org.apache.cassandra.schema.SchemaConstants;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.service.StorageService;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.apache.cassandra.utils.Clock;
import org.apache.commons.lang3.StringUtils;
import org.mindrot.jbcrypt.BCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/auth/CassandraRoleManager.class */
public class CassandraRoleManager implements IRoleManager {
    public static final String DEFAULT_SUPERUSER_NAME = "cassandra";
    static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";

    @VisibleForTesting
    public static final String GENSALT_LOG2_ROUNDS_PROPERTY = "cassandra.auth_bcrypt_gensalt_log2_rounds";
    private SelectStatement loadRoleStatement;
    private final Set<IRoleManager.Option> supportedOptions;
    private final Set<IRoleManager.Option> alterableOptions;
    private static final Logger logger = LoggerFactory.getLogger(CassandraRoleManager.class);
    static final ConsistencyLevel DEFAULT_SUPERUSER_CONSISTENCY_LEVEL = ConsistencyLevel.QUORUM;
    private static final Function<UntypedResultSet.Row, Role> ROW_TO_ROLE = row -> {
        try {
            return new Role(row.getString("role"), row.getBoolean("is_superuser"), row.getBoolean("can_login"), Collections.emptyMap(), row.has("member_of") ? row.getSet("member_of", UTF8Type.instance) : Collections.emptySet());
        } catch (NullPointerException e) {
            logger.warn("An invalid value has been detected in the {} table for role {}. If you are unable to login, you may need to disable authentication and confirm that values in that table are accurate", AuthKeyspace.ROLES, row.getString("role"));
            throw new RuntimeException(String.format("Invalid metadata has been detected for role %s", row.getString("role")), e);
        }
    };
    private static final int GENSALT_LOG2_ROUNDS = getGensaltLogRounds();

    static int getGensaltLogRounds() {
        int intValue = Integer.getInteger(GENSALT_LOG2_ROUNDS_PROPERTY, 10).intValue();
        if (intValue < 4 || intValue > 30) {
            throw new ConfigurationException(String.format("Bad value for system property -D%s.Please use a value between 4 and 30 inclusively", GENSALT_LOG2_ROUNDS_PROPERTY));
        }
        return intValue;
    }

    public CassandraRoleManager() {
        this.supportedOptions = DatabaseDescriptor.getAuthenticator() instanceof PasswordAuthenticator ? ImmutableSet.of(IRoleManager.Option.LOGIN, IRoleManager.Option.SUPERUSER, IRoleManager.Option.PASSWORD, IRoleManager.Option.HASHED_PASSWORD) : ImmutableSet.of(IRoleManager.Option.LOGIN, IRoleManager.Option.SUPERUSER);
        this.alterableOptions = DatabaseDescriptor.getAuthenticator() instanceof PasswordAuthenticator ? ImmutableSet.of(IRoleManager.Option.PASSWORD, IRoleManager.Option.HASHED_PASSWORD) : ImmutableSet.of();
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void setup() {
        loadRoleStatement();
        scheduleSetupTask(() -> {
            setupDefaultRole();
            return null;
        });
    }

    protected final void loadRoleStatement() {
        this.loadRoleStatement = (SelectStatement) prepare("SELECT * from %s.%s WHERE role = ?", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES);
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<IRoleManager.Option> supportedOptions() {
        return this.supportedOptions;
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<IRoleManager.Option> alterableOptions() {
        return this.alterableOptions;
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void createRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleOptions roleOptions) throws RequestValidationException, RequestExecutionException {
        process((roleOptions.getPassword().isPresent() || roleOptions.getHashedPassword().isPresent()) ? String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) VALUES ('%s', %s, %s, '%s')", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES, escape(roleResource.getRoleName()), roleOptions.getSuperuser().orElse(false), roleOptions.getLogin().orElse(false), roleOptions.getHashedPassword().orElseGet(() -> {
            return escape(hashpw(roleOptions.getPassword().get()));
        })) : String.format("INSERT INTO %s.%s (role, is_superuser, can_login) VALUES ('%s', %s, %s)", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES, escape(roleResource.getRoleName()), roleOptions.getSuperuser().orElse(false), roleOptions.getLogin().orElse(false)), consistencyForRoleWrite(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void dropRole(AuthenticatedUser authenticatedUser, RoleResource roleResource) throws RequestValidationException, RequestExecutionException {
        process(String.format("DELETE FROM %s.%s WHERE role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES, escape(roleResource.getRoleName())), consistencyForRoleWrite(roleResource.getRoleName()));
        removeAllMembers(roleResource.getRoleName());
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void alterRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleOptions roleOptions) {
        String optionsToAssignments = optionsToAssignments(roleOptions.getOptions());
        if (Strings.isNullOrEmpty(optionsToAssignments)) {
            return;
        }
        process(String.format("UPDATE %s.%s SET %s WHERE role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES, optionsToAssignments, escape(roleResource.getRoleName())), consistencyForRoleWrite(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void grantRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleResource roleResource2) throws RequestValidationException, RequestExecutionException {
        if (getRoles(roleResource2, true).contains(roleResource)) {
            throw new InvalidRequestException(String.format("%s is a member of %s", roleResource2.getRoleName(), roleResource.getRoleName()));
        }
        if (getRoles(roleResource, true).contains(roleResource2)) {
            throw new InvalidRequestException(String.format("%s is a member of %s", roleResource.getRoleName(), roleResource2.getRoleName()));
        }
        modifyRoleMembership(roleResource2.getRoleName(), roleResource.getRoleName(), "+");
        process(String.format("INSERT INTO %s.%s (role, member) values ('%s', '%s')", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_MEMBERS, escape(roleResource.getRoleName()), escape(roleResource2.getRoleName())), consistencyForRoleWrite(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void revokeRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleResource roleResource2) throws RequestValidationException, RequestExecutionException {
        if (!getRoles(roleResource2, false).contains(roleResource)) {
            throw new InvalidRequestException(String.format("%s is not a member of %s", roleResource2.getRoleName(), roleResource.getRoleName()));
        }
        modifyRoleMembership(roleResource2.getRoleName(), roleResource.getRoleName(), "-");
        process(String.format("DELETE FROM %s.%s WHERE role = '%s' and member = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_MEMBERS, escape(roleResource.getRoleName()), escape(roleResource2.getRoleName())), consistencyForRoleWrite(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<RoleResource> getRoles(RoleResource roleResource, boolean z) throws RequestValidationException, RequestExecutionException {
        return (Set) collectRoles(getRole(roleResource.getRoleName()), z, filter(), this::getRole).map(role -> {
            return role.resource;
        }).collect(Collectors.toSet());
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<Role> getRoleDetails(RoleResource roleResource) {
        return (Set) collectRoles(getRole(roleResource.getRoleName()), true, filter(), this::getRole).collect(Collectors.toSet());
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<RoleResource> getAllRoles() throws RequestValidationException, RequestExecutionException {
        ImmutableSet.Builder builder = ImmutableSet.builder();
        process(String.format("SELECT role from %s.%s", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES), ConsistencyLevel.QUORUM).forEach(row -> {
            builder.add(RoleResource.role(row.getString("role")));
        });
        return builder.build();
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public boolean isSuper(RoleResource roleResource) {
        try {
            return getRole(roleResource.getRoleName()).isSuper;
        } catch (RequestExecutionException e) {
            logger.debug("Failed to authorize {} for super-user permission", roleResource.getRoleName());
            throw new UnauthorizedException("Unable to perform authorization of super-user permission: " + e.getMessage(), e);
        }
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public boolean canLogin(RoleResource roleResource) {
        try {
            return getRole(roleResource.getRoleName()).canLogin;
        } catch (RequestExecutionException e) {
            logger.debug("Failed to authorize {} for login permission", roleResource.getRoleName());
            throw new UnauthorizedException("Unable to perform authorization of login permission: " + e.getMessage(), e);
        }
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Map<String, String> getCustomOptions(RoleResource roleResource) {
        return Collections.emptyMap();
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public boolean isExistingRole(RoleResource roleResource) {
        return !Roles.isNullRole(getRole(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<? extends IResource> protectedResources() {
        return ImmutableSet.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES), DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_MEMBERS));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void validateConfiguration() throws ConfigurationException {
    }

    private static void setupDefaultRole() {
        if (StorageService.instance.getTokenMetadata().sortedTokens().isEmpty()) {
            throw new IllegalStateException("CassandraRoleManager skipped default role setup: no known tokens in ring");
        }
        try {
            if (!hasExistingRoles()) {
                QueryProcessor.process(createDefaultRoleQuery(), consistencyForRoleWrite("cassandra"));
                logger.info("Created default superuser role '{}'", "cassandra");
            }
        } catch (RequestExecutionException e) {
            logger.warn("CassandraRoleManager skipped default role setup: some nodes were not ready");
            throw e;
        }
    }

    @VisibleForTesting
    public static String createDefaultRoleQuery() {
        return String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) VALUES ('%s', true, true, '%s') USING TIMESTAMP 0", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES, "cassandra", escape(hashpw("cassandra")));
    }

    @VisibleForTesting
    public static boolean hasExistingRoles() throws RequestExecutionException {
        String format = String.format("SELECT * FROM %s.%s WHERE role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES, "cassandra");
        return (QueryProcessor.process(format, ConsistencyLevel.ONE).isEmpty() && QueryProcessor.process(format, ConsistencyLevel.QUORUM).isEmpty() && QueryProcessor.process(String.format("SELECT * FROM %s.%s LIMIT 1", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES), ConsistencyLevel.QUORUM).isEmpty()) ? false : true;
    }

    protected void scheduleSetupTask(Callable<Void> callable) {
        ScheduledExecutors.optionalTasks.scheduleSelfRecurring(() -> {
            try {
                callable.call();
            } catch (Exception e) {
                logger.info("Setup task failed with error, rescheduling");
                scheduleSetupTask(callable);
            }
        }, AuthKeyspace.SUPERUSER_SETUP_DELAY, TimeUnit.MILLISECONDS);
    }

    private CQLStatement prepare(String str, String str2, String str3) {
        try {
            return QueryProcessor.parseStatement(String.format(str, str2, str3)).prepare(ClientState.forInternalCalls());
        } catch (RequestValidationException e) {
            throw new AssertionError(e);
        }
    }

    private Stream<Role> collectRoles(Role role, boolean z, Predicate<String> predicate, Function<String, Role> function) {
        return Roles.isNullRole(role) ? Stream.empty() : !z ? Stream.concat(Stream.of(role), role.memberOf.stream().map(function)) : Stream.concat(Stream.of(role), role.memberOf.stream().filter(predicate).flatMap(str -> {
            return collectRoles((Role) function.apply(str), true, predicate, function);
        }));
    }

    private static Predicate<String> filter() {
        HashSet hashSet = new HashSet();
        hashSet.getClass();
        return (v1) -> {
            return r0.add(v1);
        };
    }

    private Role getRole(String str) {
        ResultMessage.Rows select = select(this.loadRoleStatement, QueryOptions.forInternalCalls(consistencyForRoleRead(str), Collections.singletonList(ByteBufferUtil.bytes(str))));
        return select.result.isEmpty() ? Roles.nullRole() : ROW_TO_ROLE.apply(UntypedResultSet.create(select.result).one());
    }

    private void modifyRoleMembership(String str, String str2, String str3) throws RequestExecutionException {
        process(String.format("UPDATE %s.%s SET member_of = member_of %s {'%s'} WHERE role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES, str3, escape(str2), escape(str)), consistencyForRoleWrite(str));
    }

    private void removeAllMembers(String str) throws RequestValidationException, RequestExecutionException {
        UntypedResultSet process = process(String.format("SELECT member FROM %s.%s WHERE role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_MEMBERS, escape(str)), consistencyForRoleRead(str));
        if (process.isEmpty()) {
            return;
        }
        Iterator<UntypedResultSet.Row> it = process.iterator();
        while (it.hasNext()) {
            modifyRoleMembership(it.next().getString("member"), str, "-");
        }
        process(String.format("DELETE FROM %s.%s WHERE role = '%s'", SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_MEMBERS, escape(str)), consistencyForRoleWrite(str));
    }

    private String optionsToAssignments(Map<IRoleManager.Option, Object> map) {
        return (String) map.entrySet().stream().map(entry -> {
            switch ((IRoleManager.Option) entry.getKey()) {
                case LOGIN:
                    return String.format("can_login = %s", entry.getValue());
                case SUPERUSER:
                    return String.format("is_superuser = %s", entry.getValue());
                case PASSWORD:
                    return String.format("salted_hash = '%s'", escape(hashpw((String) entry.getValue())));
                case HASHED_PASSWORD:
                    return String.format("salted_hash = '%s'", (String) entry.getValue());
                default:
                    return null;
            }
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.joining(","));
    }

    private static String hashpw(String str) {
        return BCrypt.hashpw(str, BCrypt.gensalt(GENSALT_LOG2_ROUNDS));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String escape(String str) {
        return StringUtils.replace(str, "'", "''");
    }

    protected static ConsistencyLevel consistencyForRoleWrite(String str) {
        return str.equals("cassandra") ? DEFAULT_SUPERUSER_CONSISTENCY_LEVEL : CassandraAuthorizer.authWriteConsistencyLevel();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static ConsistencyLevel consistencyForRoleRead(String str) {
        return str.equals("cassandra") ? DEFAULT_SUPERUSER_CONSISTENCY_LEVEL : CassandraAuthorizer.authReadConsistencyLevel();
    }

    @VisibleForTesting
    UntypedResultSet process(String str, ConsistencyLevel consistencyLevel) throws RequestValidationException, RequestExecutionException {
        return QueryProcessor.process(str, consistencyLevel);
    }

    @VisibleForTesting
    ResultMessage.Rows select(SelectStatement selectStatement, QueryOptions queryOptions) {
        return selectStatement.execute(QueryState.forInternalCalls(), queryOptions, Clock.Global.nanoTime());
    }

    @Override // org.apache.cassandra.auth.AuthCache.BulkLoader
    public Supplier<Map<RoleResource, Set<Role>>> bulkLoader() {
        return () -> {
            HashMap hashMap = new HashMap();
            logger.info("Warming roles cache from roles table");
            UntypedResultSet process = process("SELECT * FROM system_auth.roles", CassandraAuthorizer.authReadConsistencyLevel());
            HashMap hashMap2 = new HashMap();
            process.forEach(row -> {
            });
            hashMap2.forEach((str, role) -> {
                RoleResource role = RoleResource.role(str);
                Predicate<String> filter = filter();
                hashMap2.getClass();
            });
            return hashMap;
        };
    }
}
