package io.unitycatalog.server.service;

import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.server.annotation.ExceptionHandler;
import com.linecorp.armeria.server.annotation.Post;
import io.unitycatalog.server.auth.UnityCatalogAuthorizer;
import io.unitycatalog.server.auth.decorator.KeyMapperUtil;
import io.unitycatalog.server.auth.decorator.UnityAccessEvaluator;
import io.unitycatalog.server.exception.BaseException;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.exception.GlobalExceptionHandler;
import io.unitycatalog.server.model.GenerateTemporaryTableCredential;
import io.unitycatalog.server.model.SecurableType;
import io.unitycatalog.server.model.TableOperation;
import io.unitycatalog.server.persist.TableRepository;
import io.unitycatalog.server.service.credential.CredentialContext;
import io.unitycatalog.server.service.credential.CredentialOperations;
import io.unitycatalog.server.utils.IdentityUtils;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

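/**
 * Vends temporary storage credentials for a single table.
 *
 * <p>Every request is first authorized for the caller's principal (see
 * {@link #authorizeForOperation}) and only then resolved to a credential scoped to the table's
 * storage location, carrying the privileges implied by the requested {@link TableOperation}.
 * Exceptions propagate to {@link GlobalExceptionHandler}.
 */
@ExceptionHandler(GlobalExceptionHandler.class)
public class TemporaryTableCredentialsService {
    private static final TableRepository TABLE_REPOSITORY = TableRepository.getInstance();

    /**
     * Authorization expression for {@code READ}: the principal must own or be able to use the
     * schema and the catalog, and must own or hold {@code SELECT} on the table.
     */
    private static final String READ_AUTHZ_EXPRESSION =
            "#authorizeAny(#principal, #schema, OWNER, USE_SCHEMA) && #authorizeAny(#principal, #catalog, OWNER, USE_CATALOG) && #authorizeAny(#principal, #table, OWNER, SELECT)\n";

    /**
     * Authorization expression for every operation other than {@code READ} ({@code READ_WRITE},
     * {@code UNKNOWN_TABLE_OPERATION}, or a missing operation): same schema/catalog checks, but the
     * principal must own the table.
     */
    private static final String OWNER_AUTHZ_EXPRESSION =
            "#authorizeAny(#principal, #schema, OWNER, USE_SCHEMA) && #authorizeAny(#principal, #catalog, OWNER, USE_CATALOG) && #authorize(#principal, #table, OWNER)\n";

    private final UnityAccessEvaluator evaluator;
    private final CredentialOperations credentialOps;

    /**
     * Creates the service.
     *
     * @param unityCatalogAuthorizer authorizer wrapped by the access evaluator used for every request
     * @param credentialOperations backend that issues the scoped credentials
     */
    public TemporaryTableCredentialsService(UnityCatalogAuthorizer unityCatalogAuthorizer, CredentialOperations credentialOperations) {
        this.evaluator = new UnityAccessEvaluator(unityCatalogAuthorizer);
        this.credentialOps = credentialOperations;
    }

    /**
     * Issues a temporary credential for the table and operation named in the request.
     *
     * @param generateTemporaryTableCredential request carrying the table id and the operation
     * @return JSON response with the vended credential
     * @throws BaseException with {@link ErrorCode#PERMISSION_DENIED} if the caller is not authorized
     */
    @Post("")
    public HttpResponse generateTemporaryTableCredential(GenerateTemporaryTableCredential generateTemporaryTableCredential) {
        // Authorize before the repository lookup; keep this order so a caller that fails
        // authorization does not observe whether the table id resolves.
        authorizeForOperation(generateTemporaryTableCredential);
        Set<CredentialContext.Privilege> privileges =
                tableOperationToPrivileges(generateTemporaryTableCredential.getOperation());
        return HttpResponse.ofJson(
                credentialOps.vendCredential(
                        TABLE_REPOSITORY
                                .getTableById(generateTemporaryTableCredential.getTableId())
                                .getStorageLocation(),
                        privileges));
    }

    /**
     * Maps the requested table operation to the storage privileges the vended credential carries.
     *
     * @param tableOperation operation from the request; must not be {@code null}
     * @return {@code SELECT} for {@code READ}, {@code SELECT} and {@code UPDATE} for
     *     {@code READ_WRITE}, and an empty set for {@code UNKNOWN_TABLE_OPERATION}
     * @throws NullPointerException if {@code tableOperation} is {@code null}
     */
    private Set<CredentialContext.Privilege> tableOperationToPrivileges(TableOperation tableOperation) {
        // Exhaustive switch expression over the enum: a new TableOperation constant without a
        // mapping here is a compile error instead of a runtime fall-through.
        return switch (tableOperation) {
            case READ -> Set.of(CredentialContext.Privilege.SELECT);
            case READ_WRITE -> Set.of(CredentialContext.Privilege.SELECT, CredentialContext.Privilege.UPDATE);
            case UNKNOWN_TABLE_OPERATION -> Collections.emptySet();
        };
    }

    /**
     * Rejects the request unless the caller's principal satisfies the authorization expression
     * for the requested operation.
     *
     * <p>{@code READ} is checked against {@link #READ_AUTHZ_EXPRESSION}; any other value of the
     * operation (including {@code null}) is checked against {@link #OWNER_AUTHZ_EXPRESSION}.
     *
     * @param request the incoming request; its table id is the {@code TABLE} resource key
     * @throws BaseException with {@link ErrorCode#PERMISSION_DENIED} when evaluation fails
     * @throws NullPointerException if the table id is {@code null} ({@code Map.of} rejects null values)
     */
    private void authorizeForOperation(GenerateTemporaryTableCredential request) {
        boolean readOnly = request.getOperation() == TableOperation.READ;
        String expression = readOnly ? READ_AUTHZ_EXPRESSION : OWNER_AUTHZ_EXPRESSION;
        // NOTE(review): the expression references #catalog and #schema, which are not passed here;
        // presumably KeyMapperUtil.mapResourceKeys derives them from the table key — confirm.
        boolean authorized = evaluator.evaluate(
                IdentityUtils.findPrincipalId(),
                expression,
                KeyMapperUtil.mapResourceKeys(
                        Map.of(
                                SecurableType.METASTORE, "metastore",
                                SecurableType.TABLE, request.getTableId())));
        if (!authorized) {
            throw new BaseException(ErrorCode.PERMISSION_DENIED, "Access denied.");
        }
    }
}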
