package org.apache.kylin.query.security;

import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import org.apache.calcite.avatica.util.Quoting;
import org.apache.calcite.sql.SqlCall;
import org.apache.calcite.sql.SqlExplain;
import org.apache.calcite.sql.SqlNode;
import org.apache.calcite.sql.SqlOrderBy;
import org.apache.calcite.sql.SqlSelect;
import org.apache.calcite.sql.parser.SqlParseException;
import org.apache.calcite.sql.util.SqlBasicVisitor;
import org.apache.commons.collections.CollectionUtils;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.QueryContext;
import org.apache.kylin.common.exception.KylinRuntimeException;
import org.apache.kylin.common.util.Pair;
import org.apache.kylin.metadata.acl.AclTCRManager;
import org.apache.kylin.metadata.model.ColumnDesc;
import org.apache.kylin.metadata.model.NTableMetadataManager;
import org.apache.kylin.metadata.model.TableDesc;
import org.apache.kylin.metadata.model.tool.CalciteParser;
import org.apache.kylin.query.IQueryTransformer;
import org.apache.kylin.query.exception.NoAuthorizedColsError;
import org.apache.kylin.query.security.RowFilter;
import org.apache.kylin.source.adhocquery.IPushDownConverter;

/* loaded from: input_file:org/apache/kylin/query/security/HackSelectStarWithColumnACL.class */
public class HackSelectStarWithColumnACL implements IQueryTransformer, IPushDownConverter {
    private static final String SELECT_STAR = "*";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/kylin/query/security/HackSelectStarWithColumnACL$SelectNumVisitor.class */
    public static class SelectNumVisitor extends SqlBasicVisitor<SqlNode> {
        int selectNum = 0;

        SelectNumVisitor() {
        }

        static int getSelectNum(SqlNode sqlNode) {
            SelectNumVisitor selectNumVisitor = new SelectNumVisitor();
            sqlNode.accept(selectNumVisitor);
            return selectNumVisitor.getNum();
        }

        /* renamed from: visit, reason: merged with bridge method [inline-methods] */
        public SqlNode m49visit(SqlCall sqlCall) {
            if (sqlCall instanceof SqlSelect) {
                this.selectNum++;
            }
            if (sqlCall instanceof SqlOrderBy) {
                ((SqlOrderBy) sqlCall).query.accept(this);
                return null;
            }
            for (SqlNode sqlNode : sqlCall.getOperandList()) {
                if (sqlNode != null) {
                    sqlNode.accept(this);
                }
            }
            return null;
        }

        private int getNum() {
            return this.selectNum;
        }
    }

    static String getNewSelectClause(SqlNode sqlNode, String str, String str2, QueryContext.AclInfo aclInfo) {
        StringBuilder sb = new StringBuilder();
        List<String> colsCanAccess = getColsCanAccess(sqlNode, str, str2, aclInfo);
        if (CollectionUtils.isEmpty(colsCanAccess)) {
            throw new NoAuthorizedColsError();
        }
        for (String str3 : colsCanAccess) {
            if (str3.equals(colsCanAccess.get(colsCanAccess.size() - 1))) {
                sb.append(str3);
            } else {
                sb.append(str3).append(", ");
            }
        }
        return sb.toString();
    }

    static List<String> getColsCanAccess(SqlNode sqlNode, String str, String str2, QueryContext.AclInfo aclInfo) {
        ArrayList arrayList = new ArrayList();
        List aclTCRs = AclTCRManager.getInstance(KylinConfig.getInstanceFromEnv(), str).getAclTCRs(Objects.nonNull(aclInfo) ? aclInfo.getUsername() : null, Objects.nonNull(aclInfo) ? aclInfo.getGroups() : null);
        for (RowFilter.Table table : RowFilter.getTblWithAlias(str2, getSingleSelect(sqlNode))) {
            TableDesc tableDesc = NTableMetadataManager.getInstance(KylinConfig.getInstanceFromEnv(), str).getTableDesc(table.getName());
            if (Objects.isNull(tableDesc)) {
                throw new IllegalStateException("Table " + table.getAlias() + " not found. Please add table " + table.getAlias() + " to data source. If this table does exist, mention it as DATABASE.TABLE.");
            }
            ArrayList<ColumnDesc> newArrayList = Lists.newArrayList(tableDesc.getColumns());
            Collections.sort(newArrayList, Comparator.comparing((v0) -> {
                return v0.getZeroBasedIndex();
            }));
            String str3 = Quoting.valueOf(KylinConfig.getInstanceFromEnv().getCalciteQuoting()).string;
            for (ColumnDesc columnDesc : newArrayList) {
                if (aclTCRs.stream().anyMatch(aclTCR -> {
                    return aclTCR.isAuthorized(tableDesc.getIdentity(), columnDesc.getName());
                })) {
                    StringBuilder sb = new StringBuilder();
                    sb.append(str3).append(table.getAlias()).append(str3).append('.').append(str3).append(columnDesc.getName()).append(str3);
                    arrayList.add(sb.toString());
                }
            }
        }
        return arrayList;
    }

    private static boolean isSingleSelectStar(SqlNode sqlNode) {
        if (SelectNumVisitor.getSelectNum(sqlNode) != 1 || (sqlNode instanceof SqlExplain)) {
            return false;
        }
        return getSingleSelect(sqlNode).getSelectList().toString().equals(SELECT_STAR);
    }

    private static int getSelectStarPos(String str, SqlNode sqlNode) {
        Pair replacePos = CalciteParser.getReplacePos(getSingleSelect(sqlNode).getSelectList(), str);
        Preconditions.checkState(((Integer) replacePos.getSecond()).intValue() - ((Integer) replacePos.getFirst()).intValue() == 1);
        return ((Integer) replacePos.getFirst()).intValue();
    }

    private static SqlSelect getSingleSelect(SqlNode sqlNode) {
        return sqlNode instanceof SqlOrderBy ? ((SqlOrderBy) sqlNode).query : (SqlSelect) sqlNode;
    }

    private static boolean hasAdminPermission(QueryContext.AclInfo aclInfo) {
        if (Objects.isNull(aclInfo) || Objects.isNull(aclInfo.getGroups())) {
            return false;
        }
        String str = "ROLE_ADMIN";
        return aclInfo.getGroups().stream().anyMatch((v1) -> {
            return r1.equals(v1);
        }) || aclInfo.isHasAdminPermission();
    }

    public String convert(String str, String str2, String str3) {
        return transform(str, str2, str3);
    }

    @Override // org.apache.kylin.query.IQueryTransformer
    public String transform(String str, String str2, String str3) {
        QueryContext.AclInfo aclInfo = QueryContext.current().getAclInfo();
        if (!KylinConfig.getInstanceFromEnv().isAclTCREnabled() || hasAdminPermission(aclInfo)) {
            return str;
        }
        try {
            SqlNode parse = CalciteParser.parse(str, str2);
            if (!isSingleSelectStar(parse)) {
                return str;
            }
            String newSelectClause = getNewSelectClause(parse, str2, str3, aclInfo);
            int selectStarPos = getSelectStarPos(str, parse);
            StringBuilder sb = new StringBuilder(str);
            sb.replace(selectStarPos, selectStarPos + 1, newSelectClause);
            return sb.toString();
        } catch (SqlParseException e) {
            throw new KylinRuntimeException("Failed to parse SQL '" + str + "', please make sure the SQL is valid");
        }
    }
}
