package io.trino.security;

import com.google.common.base.Verify;
import io.trino.metadata.QualifiedObjectName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.type.Type;
import java.util.List;
import java.util.Objects;
import java.util.Set;

/* loaded from: input_file:io/trino/security/ViewAccessControl.class */
public class ViewAccessControl extends ForwardingAccessControl {
    private final AccessControl delegate;
    private final Identity invoker;

    public ViewAccessControl(AccessControl accessControl, Identity identity) {
        this.delegate = (AccessControl) Objects.requireNonNull(accessControl, "delegate is null");
        this.invoker = (Identity) Objects.requireNonNull(identity, "invoker is null");
    }

    @Override // io.trino.security.ForwardingAccessControl
    protected AccessControl delegate() {
        throw new UnsupportedOperationException();
    }

    @Override // io.trino.security.ForwardingAccessControl, io.trino.security.AccessControl
    public void checkCanSelectFromColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        wrapAccessDeniedException(() -> {
            this.delegate.checkCanCreateViewWithSelectFromColumns(securityContext, qualifiedObjectName, set);
        });
    }

    @Override // io.trino.security.ForwardingAccessControl, io.trino.security.AccessControl
    public Set<String> filterColumns(SecurityContext securityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
        return this.delegate.filterColumns(securityContext, catalogSchemaTableName, set);
    }

    @Override // io.trino.security.ForwardingAccessControl, io.trino.security.AccessControl
    public void checkCanCreateViewWithSelectFromColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        wrapAccessDeniedException(() -> {
            this.delegate.checkCanCreateViewWithSelectFromColumns(securityContext, qualifiedObjectName, set);
        });
    }

    @Override // io.trino.security.ForwardingAccessControl, io.trino.security.AccessControl
    public void checkCanExecuteFunction(SecurityContext securityContext, String str) {
        wrapAccessDeniedException(() -> {
            this.delegate.checkCanGrantExecuteFunctionPrivilege(securityContext, str, this.invoker, false);
        });
    }

    @Override // io.trino.security.ForwardingAccessControl, io.trino.security.AccessControl
    public void checkCanGrantExecuteFunctionPrivilege(SecurityContext securityContext, String str, Identity identity, boolean z) {
        wrapAccessDeniedException(() -> {
            this.delegate.checkCanGrantExecuteFunctionPrivilege(securityContext, str, identity, z);
        });
    }

    @Override // io.trino.security.ForwardingAccessControl, io.trino.security.AccessControl
    public List<ViewExpression> getRowFilters(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        return this.delegate.getRowFilters(securityContext, qualifiedObjectName);
    }

    @Override // io.trino.security.ForwardingAccessControl, io.trino.security.AccessControl
    public List<ViewExpression> getColumnMasks(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, String str, Type type) {
        return this.delegate.getColumnMasks(securityContext, qualifiedObjectName, str, type);
    }

    private static void wrapAccessDeniedException(Runnable runnable) {
        try {
            runnable.run();
        } catch (AccessDeniedException e) {
            Verify.verify(e.getMessage().startsWith("Access Denied: "));
            throw new AccessDeniedException("View owner does not have sufficient privileges: " + e.getMessage().substring("Access Denied: ".length()), e);
        }
    }
}
