package org.apache.cassandra.auth;

import com.google.common.base.Function;
import com.google.common.base.Joiner;
import com.google.common.base.Objects;
import com.google.common.base.Optional;
import com.google.common.base.Predicates;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import org.apache.batik.util.CSSConstants;
import org.apache.cassandra.auth.IRoleManager;
import org.apache.cassandra.concurrent.ScheduledExecutors;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.Schema;
import org.apache.cassandra.cql3.CQLStatement;
import org.apache.cassandra.cql3.QueryOptions;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.net.MessagingService;
import org.apache.cassandra.service.QueryState;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.lang3.StringUtils;
import org.mindrot.jbcrypt.BCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Marker;

/* loaded from: input_file:org/apache/cassandra/auth/CassandraRoleManager.class */
public class CassandraRoleManager implements IRoleManager {
    static final String DEFAULT_SUPERUSER_NAME = "cassandra";
    static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
    public static final String LEGACY_USERS_TABLE = "users";
    private static final String GENSALT_LOG2_ROUNDS_PROPERTY = "cassandra.auth_bcrypt_gensalt_log2_rounds";
    private SelectStatement loadRoleStatement;
    private SelectStatement legacySelectUserStatement;
    private final Set<IRoleManager.Option> supportedOptions;
    private final Set<IRoleManager.Option> alterableOptions;
    private volatile boolean isClusterReady = false;
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) CassandraRoleManager.class);
    private static final Function<UntypedResultSet.Row, Role> ROW_TO_ROLE = new Function<UntypedResultSet.Row, Role>() { // from class: org.apache.cassandra.auth.CassandraRoleManager.1
        @Override // com.google.common.base.Function
        public Role apply(UntypedResultSet.Row row) {
            return new Role(row.getString("role"), row.getBoolean("is_superuser"), row.getBoolean("can_login"), row.has("member_of") ? row.getSet("member_of", UTF8Type.instance) : Collections.emptySet());
        }
    };
    private static final Function<UntypedResultSet.Row, Role> LEGACY_ROW_TO_ROLE = new Function<UntypedResultSet.Row, Role>() { // from class: org.apache.cassandra.auth.CassandraRoleManager.2
        @Override // com.google.common.base.Function
        public Role apply(UntypedResultSet.Row row) {
            return new Role(row.getString("name"), row.getBoolean(CSSConstants.CSS_SUPER_VALUE), true, Collections.emptySet());
        }
    };
    private static final int GENSALT_LOG2_ROUNDS = getGensaltLogRounds();
    private static final Role NULL_ROLE = new Role(null, false, false, Collections.emptySet());

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.cassandra.auth.CassandraRoleManager$6, reason: invalid class name */
    /* loaded from: input_file:org/apache/cassandra/auth/CassandraRoleManager$6.class */
    public static /* synthetic */ class AnonymousClass6 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$cassandra$auth$IRoleManager$Option = new int[IRoleManager.Option.values().length];

        static {
            try {
                $SwitchMap$org$apache$cassandra$auth$IRoleManager$Option[IRoleManager.Option.LOGIN.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$cassandra$auth$IRoleManager$Option[IRoleManager.Option.SUPERUSER.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$cassandra$auth$IRoleManager$Option[IRoleManager.Option.PASSWORD.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/cassandra/auth/CassandraRoleManager$Role.class */
    public static final class Role {
        private String name;
        private final boolean isSuper;
        private final boolean canLogin;
        private Set<String> memberOf;

        private Role(String str, boolean z, boolean z2, Set<String> set) {
            this.name = str;
            this.isSuper = z;
            this.canLogin = z2;
            this.memberOf = set;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj instanceof Role) {
                return Objects.equal(this.name, ((Role) obj).name);
            }
            return false;
        }

        public int hashCode() {
            return Objects.hashCode(this.name);
        }
    }

    static int getGensaltLogRounds() {
        int intValue = Integer.getInteger(GENSALT_LOG2_ROUNDS_PROPERTY, 10).intValue();
        if (intValue < 4 || intValue > 31) {
            throw new ConfigurationException(String.format("Bad value for system property -D%s.Please use a value between 4 and 31 inclusively", GENSALT_LOG2_ROUNDS_PROPERTY));
        }
        return intValue;
    }

    public CassandraRoleManager() {
        this.supportedOptions = DatabaseDescriptor.getAuthenticator().getClass() == PasswordAuthenticator.class ? ImmutableSet.of(IRoleManager.Option.LOGIN, IRoleManager.Option.SUPERUSER, IRoleManager.Option.PASSWORD) : ImmutableSet.of(IRoleManager.Option.LOGIN, IRoleManager.Option.SUPERUSER);
        this.alterableOptions = DatabaseDescriptor.getAuthenticator().getClass().equals(PasswordAuthenticator.class) ? ImmutableSet.of(IRoleManager.Option.PASSWORD) : ImmutableSet.of();
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void setup() {
        this.loadRoleStatement = (SelectStatement) prepare("SELECT * from %s.%s WHERE role = ?", AuthKeyspace.NAME, AuthKeyspace.ROLES);
        if (Schema.instance.getCFMetaData(AuthKeyspace.NAME, LEGACY_USERS_TABLE) == null) {
            scheduleSetupTask(() -> {
                setupDefaultRole();
                return null;
            });
        } else {
            this.legacySelectUserStatement = (SelectStatement) prepare("SELECT * FROM %s.%s WHERE name = ?", AuthKeyspace.NAME, LEGACY_USERS_TABLE);
            scheduleSetupTask(() -> {
                convertLegacyData();
                return null;
            });
        }
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<IRoleManager.Option> supportedOptions() {
        return this.supportedOptions;
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<IRoleManager.Option> alterableOptions() {
        return this.alterableOptions;
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void createRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleOptions roleOptions) throws RequestValidationException, RequestExecutionException {
        process(roleOptions.getPassword().isPresent() ? String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) VALUES ('%s', %s, %s, '%s')", AuthKeyspace.NAME, AuthKeyspace.ROLES, escape(roleResource.getRoleName()), roleOptions.getSuperuser().or((Optional<Boolean>) false), roleOptions.getLogin().or((Optional<Boolean>) false), escape(hashpw(roleOptions.getPassword().get()))) : String.format("INSERT INTO %s.%s (role, is_superuser, can_login) VALUES ('%s', %s, %s)", AuthKeyspace.NAME, AuthKeyspace.ROLES, escape(roleResource.getRoleName()), roleOptions.getSuperuser().or((Optional<Boolean>) false), roleOptions.getLogin().or((Optional<Boolean>) false)), consistencyForRole(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void dropRole(AuthenticatedUser authenticatedUser, RoleResource roleResource) throws RequestValidationException, RequestExecutionException {
        process(String.format("DELETE FROM %s.%s WHERE role = '%s'", AuthKeyspace.NAME, AuthKeyspace.ROLES, escape(roleResource.getRoleName())), consistencyForRole(roleResource.getRoleName()));
        removeAllMembers(roleResource.getRoleName());
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void alterRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleOptions roleOptions) {
        String join = Joiner.on(',').join(Iterables.filter(optionsToAssignments(roleOptions.getOptions()), Predicates.notNull()));
        if (Strings.isNullOrEmpty(join)) {
            return;
        }
        process(String.format("UPDATE %s.%s SET %s WHERE role = '%s'", AuthKeyspace.NAME, AuthKeyspace.ROLES, join, escape(roleResource.getRoleName())), consistencyForRole(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void grantRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleResource roleResource2) throws RequestValidationException, RequestExecutionException {
        if (getRoles(roleResource2, true).contains(roleResource)) {
            throw new InvalidRequestException(String.format("%s is a member of %s", roleResource2.getRoleName(), roleResource.getRoleName()));
        }
        if (getRoles(roleResource, true).contains(roleResource2)) {
            throw new InvalidRequestException(String.format("%s is a member of %s", roleResource.getRoleName(), roleResource2.getRoleName()));
        }
        modifyRoleMembership(roleResource2.getRoleName(), roleResource.getRoleName(), Marker.ANY_NON_NULL_MARKER);
        process(String.format("INSERT INTO %s.%s (role, member) values ('%s', '%s')", AuthKeyspace.NAME, AuthKeyspace.ROLE_MEMBERS, escape(roleResource.getRoleName()), escape(roleResource2.getRoleName())), consistencyForRole(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void revokeRole(AuthenticatedUser authenticatedUser, RoleResource roleResource, RoleResource roleResource2) throws RequestValidationException, RequestExecutionException {
        if (!getRoles(roleResource2, false).contains(roleResource)) {
            throw new InvalidRequestException(String.format("%s is not a member of %s", roleResource2.getRoleName(), roleResource.getRoleName()));
        }
        modifyRoleMembership(roleResource2.getRoleName(), roleResource.getRoleName(), HelpFormatter.DEFAULT_OPT_PREFIX);
        process(String.format("DELETE FROM %s.%s WHERE role = '%s' and member = '%s'", AuthKeyspace.NAME, AuthKeyspace.ROLE_MEMBERS, escape(roleResource.getRoleName()), escape(roleResource2.getRoleName())), consistencyForRole(roleResource.getRoleName()));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<RoleResource> getRoles(RoleResource roleResource, boolean z) throws RequestValidationException, RequestExecutionException {
        HashSet hashSet = new HashSet();
        Role role = getRole(roleResource.getRoleName());
        if (!role.equals(NULL_ROLE)) {
            hashSet.add(RoleResource.role(role.name));
            collectRoles(role, hashSet, z);
        }
        return hashSet;
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<RoleResource> getAllRoles() throws RequestValidationException, RequestExecutionException {
        return ImmutableSet.builder().addAll(Iterables.transform(process(String.format("SELECT role from %s.%s", AuthKeyspace.NAME, AuthKeyspace.ROLES), ConsistencyLevel.QUORUM), new Function<UntypedResultSet.Row, RoleResource>() { // from class: org.apache.cassandra.auth.CassandraRoleManager.3
            @Override // com.google.common.base.Function
            public RoleResource apply(UntypedResultSet.Row row) {
                return RoleResource.role(row.getString("role"));
            }
        })).build();
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public boolean isSuper(RoleResource roleResource) {
        return getRole(roleResource.getRoleName()).isSuper;
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public boolean canLogin(RoleResource roleResource) {
        return getRole(roleResource.getRoleName()).canLogin;
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Map<String, String> getCustomOptions(RoleResource roleResource) {
        return Collections.emptyMap();
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public boolean isExistingRole(RoleResource roleResource) {
        return getRole(roleResource.getRoleName()) != NULL_ROLE;
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public Set<? extends IResource> protectedResources() {
        return ImmutableSet.of(DataResource.table(AuthKeyspace.NAME, AuthKeyspace.ROLES), DataResource.table(AuthKeyspace.NAME, AuthKeyspace.ROLE_MEMBERS));
    }

    @Override // org.apache.cassandra.auth.IRoleManager
    public void validateConfiguration() throws ConfigurationException {
    }

    private static void setupDefaultRole() {
        try {
            if (!hasExistingRoles()) {
                QueryProcessor.process(String.format("INSERT INTO %s.%s (role, is_superuser, can_login, salted_hash) VALUES ('%s', true, true, '%s')", AuthKeyspace.NAME, AuthKeyspace.ROLES, Resources.ROOT, escape(hashpw(Resources.ROOT))), consistencyForRole(Resources.ROOT));
                logger.info("Created default superuser role '{}'", Resources.ROOT);
            }
        } catch (RequestExecutionException e) {
            logger.warn("CassandraRoleManager skipped default role setup: some nodes were not ready");
            throw e;
        }
    }

    private static boolean hasExistingRoles() throws RequestExecutionException {
        String format = String.format("SELECT * FROM %s.%s WHERE role = '%s'", AuthKeyspace.NAME, AuthKeyspace.ROLES, Resources.ROOT);
        return (QueryProcessor.process(format, ConsistencyLevel.ONE).isEmpty() && QueryProcessor.process(format, ConsistencyLevel.QUORUM).isEmpty() && QueryProcessor.process(String.format("SELECT * FROM %s.%s LIMIT 1", AuthKeyspace.NAME, AuthKeyspace.ROLES), ConsistencyLevel.QUORUM).isEmpty()) ? false : true;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void scheduleSetupTask(final Callable<Void> callable) {
        ScheduledExecutors.optionalTasks.schedule(new Runnable() { // from class: org.apache.cassandra.auth.CassandraRoleManager.4
            @Override // java.lang.Runnable
            public void run() {
                if (!MessagingService.instance().areAllNodesAtLeast22()) {
                    CassandraRoleManager.logger.trace("Not all nodes are upgraded to a version that supports Roles yet, rescheduling setup task");
                    CassandraRoleManager.this.scheduleSetupTask(callable);
                    return;
                }
                CassandraRoleManager.this.isClusterReady = true;
                try {
                    callable.call();
                } catch (Exception e) {
                    CassandraRoleManager.logger.info("Setup task failed with error, rescheduling");
                    CassandraRoleManager.this.scheduleSetupTask(callable);
                }
            }
        }, AuthKeyspace.SUPERUSER_SETUP_DELAY, TimeUnit.MILLISECONDS);
    }

    private void convertLegacyData() throws Exception {
        try {
            if (Schema.instance.getCFMetaData(AuthKeyspace.NAME, LEGACY_USERS_TABLE) != null) {
                logger.info("Converting legacy users");
                Iterator<UntypedResultSet.Row> it2 = QueryProcessor.process("SELECT * FROM system_auth.users", ConsistencyLevel.QUORUM).iterator();
                while (it2.hasNext()) {
                    UntypedResultSet.Row next = it2.next();
                    RoleOptions roleOptions = new RoleOptions();
                    roleOptions.setOption(IRoleManager.Option.SUPERUSER, Boolean.valueOf(next.getBoolean(CSSConstants.CSS_SUPER_VALUE)));
                    roleOptions.setOption(IRoleManager.Option.LOGIN, true);
                    createRole(null, RoleResource.role(next.getString("name")), roleOptions);
                }
                logger.info("Completed conversion of legacy users");
            }
            if (Schema.instance.getCFMetaData(AuthKeyspace.NAME, PasswordAuthenticator.LEGACY_CREDENTIALS_TABLE) != null) {
                logger.info("Migrating legacy credentials data to new system table");
                Iterator<UntypedResultSet.Row> it3 = QueryProcessor.process("SELECT * FROM system_auth.credentials", ConsistencyLevel.QUORUM).iterator();
                while (it3.hasNext()) {
                    UntypedResultSet.Row next2 = it3.next();
                    QueryProcessor.process(String.format("UPDATE %s.%s SET salted_hash = '%s' WHERE role = '%s'", AuthKeyspace.NAME, AuthKeyspace.ROLES, next2.getString("salted_hash"), next2.getString("username")), consistencyForRole(next2.getString("username")));
                }
                logger.info("Completed conversion of legacy credentials");
            }
        } catch (Exception e) {
            logger.info("Unable to complete conversion of legacy auth data (perhaps not enough nodes are upgraded yet). Conversion should not be considered complete");
            logger.trace("Conversion error", (Throwable) e);
            throw e;
        }
    }

    private CQLStatement prepare(String str, String str2, String str3) {
        try {
            return QueryProcessor.parseStatement(String.format(str, str2, str3)).prepare().statement;
        } catch (RequestValidationException e) {
            throw new AssertionError(e);
        }
    }

    private void collectRoles(Role role, Set<RoleResource> set, boolean z) throws RequestValidationException, RequestExecutionException {
        Iterator it2 = role.memberOf.iterator();
        while (it2.hasNext()) {
            Role role2 = getRole((String) it2.next());
            if (!role2.equals(NULL_ROLE)) {
                set.add(RoleResource.role(role2.name));
                if (z) {
                    collectRoles(role2, set, true);
                }
            }
        }
    }

    private Role getRole(String str) {
        try {
            return Schema.instance.getCFMetaData(AuthKeyspace.NAME, LEGACY_USERS_TABLE) != null ? getRoleFromTable(str, this.legacySelectUserStatement, LEGACY_ROW_TO_ROLE) : getRoleFromTable(str, this.loadRoleStatement, ROW_TO_ROLE);
        } catch (RequestExecutionException | RequestValidationException e) {
            throw new RuntimeException(e);
        }
    }

    private Role getRoleFromTable(String str, SelectStatement selectStatement, Function<UntypedResultSet.Row, Role> function) throws RequestExecutionException, RequestValidationException {
        ResultMessage.Rows execute = selectStatement.execute(QueryState.forInternalCalls(), QueryOptions.forInternalCalls(consistencyForRole(str), Collections.singletonList(ByteBufferUtil.bytes(str))));
        return execute.result.isEmpty() ? NULL_ROLE : function.apply(UntypedResultSet.create(execute.result).one());
    }

    private void modifyRoleMembership(String str, String str2, String str3) throws RequestExecutionException {
        process(String.format("UPDATE %s.%s SET member_of = member_of %s {'%s'} WHERE role = '%s'", AuthKeyspace.NAME, AuthKeyspace.ROLES, str3, escape(str2), escape(str)), consistencyForRole(str));
    }

    private void removeAllMembers(String str) throws RequestValidationException, RequestExecutionException {
        UntypedResultSet process = process(String.format("SELECT member FROM %s.%s WHERE role = '%s'", AuthKeyspace.NAME, AuthKeyspace.ROLE_MEMBERS, escape(str)), consistencyForRole(str));
        if (process.isEmpty()) {
            return;
        }
        Iterator<UntypedResultSet.Row> it2 = process.iterator();
        while (it2.hasNext()) {
            modifyRoleMembership(it2.next().getString("member"), str, HelpFormatter.DEFAULT_OPT_PREFIX);
        }
        process(String.format("DELETE FROM %s.%s WHERE role = '%s'", AuthKeyspace.NAME, AuthKeyspace.ROLE_MEMBERS, escape(str)), consistencyForRole(str));
    }

    private Iterable<String> optionsToAssignments(Map<IRoleManager.Option, Object> map) {
        return Iterables.transform(map.entrySet(), new Function<Map.Entry<IRoleManager.Option, Object>, String>() { // from class: org.apache.cassandra.auth.CassandraRoleManager.5
            @Override // com.google.common.base.Function
            public String apply(Map.Entry<IRoleManager.Option, Object> entry) {
                switch (AnonymousClass6.$SwitchMap$org$apache$cassandra$auth$IRoleManager$Option[entry.getKey().ordinal()]) {
                    case 1:
                        return String.format("can_login = %s", entry.getValue());
                    case 2:
                        return String.format("is_superuser = %s", entry.getValue());
                    case 3:
                        return String.format("salted_hash = '%s'", CassandraRoleManager.escape(CassandraRoleManager.hashpw((String) entry.getValue())));
                    default:
                        return null;
                }
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static ConsistencyLevel consistencyForRole(String str) {
        return str.equals(Resources.ROOT) ? ConsistencyLevel.QUORUM : ConsistencyLevel.LOCAL_ONE;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String hashpw(String str) {
        return BCrypt.hashpw(str, BCrypt.gensalt(GENSALT_LOG2_ROUNDS));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String escape(String str) {
        return StringUtils.replace(str, "'", "''");
    }

    private UntypedResultSet process(String str, ConsistencyLevel consistencyLevel) throws RequestValidationException, RequestExecutionException {
        if (this.isClusterReady) {
            return QueryProcessor.process(str, consistencyLevel);
        }
        throw new InvalidRequestException("Cannot process role related query as the role manager isn't yet setup. This is likely because some of nodes in the cluster are on version 2.1 or earlier. You need to upgrade all nodes to Cassandra 2.2 or more to use roles.");
    }
}
