package io.trino.plugin.opa;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Inject;
import io.airlift.bootstrap.LifeCycleManager;
import io.airlift.json.JsonCodec;
import io.trino.plugin.opa.schema.OpaBatchQueryResult;
import io.trino.plugin.opa.schema.OpaPluginContext;
import io.trino.plugin.opa.schema.OpaQueryContext;
import io.trino.plugin.opa.schema.OpaQueryInput;
import io.trino.plugin.opa.schema.OpaQueryInputAction;
import io.trino.plugin.opa.schema.OpaQueryInputResource;
import io.trino.plugin.opa.schema.TrinoFunction;
import io.trino.plugin.opa.schema.TrinoSchema;
import io.trino.plugin.opa.schema.TrinoTable;
import io.trino.plugin.opa.schema.TrinoUser;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.SchemaFunctionName;
import io.trino.spi.security.Identity;
import io.trino.spi.security.SystemSecurityContext;
import java.net.URI;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;

/* loaded from: input_file:io/trino/plugin/opa/OpaBatchAccessControl.class */
public final class OpaBatchAccessControl extends OpaAccessControl {
    private final JsonCodec<OpaBatchQueryResult> batchResultCodec;
    private final URI opaBatchedPolicyUri;
    private final OpaHttpClient opaHttpClient;

    @Inject
    public OpaBatchAccessControl(LifeCycleManager lifeCycleManager, OpaHighLevelClient opaHighLevelClient, JsonCodec<OpaBatchQueryResult> jsonCodec, OpaHttpClient opaHttpClient, OpaConfig opaConfig, OpaPluginContext opaPluginContext) {
        super(lifeCycleManager, opaHighLevelClient, opaConfig, opaPluginContext);
        this.opaBatchedPolicyUri = opaConfig.getOpaBatchUri().orElseThrow();
        this.batchResultCodec = (JsonCodec) Objects.requireNonNull(jsonCodec, "batchResultCodec is null");
        this.opaHttpClient = (OpaHttpClient) Objects.requireNonNull(opaHttpClient, "opaHttpClient is null");
    }

    @Override // io.trino.plugin.opa.OpaAccessControl
    public Collection<Identity> filterViewQueryOwnedBy(Identity identity, Collection<Identity> collection) {
        return batchFilterFromOpa(buildQueryContext(identity), "FilterViewQueryOwnedBy", collection, identity2 -> {
            return OpaQueryInputResource.builder().user(new TrinoUser(identity2)).build();
        });
    }

    @Override // io.trino.plugin.opa.OpaAccessControl
    public Set<String> filterCatalogs(SystemSecurityContext systemSecurityContext, Set<String> set) {
        return batchFilterFromOpa(buildQueryContext(systemSecurityContext), "FilterCatalogs", set, str -> {
            return OpaQueryInputResource.builder().catalog(str).build();
        });
    }

    @Override // io.trino.plugin.opa.OpaAccessControl
    public Set<String> filterSchemas(SystemSecurityContext systemSecurityContext, String str, Set<String> set) {
        return batchFilterFromOpa(buildQueryContext(systemSecurityContext), "FilterSchemas", set, str2 -> {
            return OpaQueryInputResource.builder().schema(new TrinoSchema(str, str2)).build();
        });
    }

    @Override // io.trino.plugin.opa.OpaAccessControl
    public Set<SchemaTableName> filterTables(SystemSecurityContext systemSecurityContext, String str, Set<SchemaTableName> set) {
        return batchFilterFromOpa(buildQueryContext(systemSecurityContext), "FilterTables", set, schemaTableName -> {
            return OpaQueryInputResource.builder().table(new TrinoTable(str, schemaTableName.getSchemaName(), schemaTableName.getTableName())).build();
        });
    }

    @Override // io.trino.plugin.opa.OpaAccessControl
    public Map<SchemaTableName, Set<String>> filterColumns(SystemSecurityContext systemSecurityContext, String str, Map<SchemaTableName, Set<String>> map) {
        return this.opaHttpClient.parallelBatchFilterFromOpa(map, batchRequestBuilder(buildQueryContext(systemSecurityContext), "FilterColumns", (schemaTableName, list) -> {
            return OpaQueryInputResource.builder().table(new TrinoTable(str, schemaTableName.getSchemaName(), schemaTableName.getTableName()).withColumns(ImmutableSet.copyOf(list))).build();
        }), this.opaBatchedPolicyUri, this.batchResultCodec);
    }

    @Override // io.trino.plugin.opa.OpaAccessControl
    public Set<SchemaFunctionName> filterFunctions(SystemSecurityContext systemSecurityContext, String str, Set<SchemaFunctionName> set) {
        return batchFilterFromOpa(buildQueryContext(systemSecurityContext), "FilterFunctions", set, schemaFunctionName -> {
            return OpaQueryInputResource.builder().function(new TrinoFunction(new TrinoSchema(str, schemaFunctionName.getSchemaName()), schemaFunctionName.getFunctionName())).build();
        });
    }

    private <T> Set<T> batchFilterFromOpa(OpaQueryContext opaQueryContext, String str, Collection<T> collection, Function<T, OpaQueryInputResource> function) {
        return this.opaHttpClient.batchFilterFromOpa(collection, batchRequestBuilder(opaQueryContext, str, function), this.opaBatchedPolicyUri, this.batchResultCodec);
    }

    private static <V> Function<List<V>, OpaQueryInput> batchRequestBuilder(OpaQueryContext opaQueryContext, String str, Function<V, OpaQueryInputResource> function) {
        return list -> {
            return new OpaQueryInput(opaQueryContext, OpaQueryInputAction.builder().operation(str).filterResources((Collection) list.stream().map(function).collect(ImmutableList.toImmutableList())).build());
        };
    }

    private static <K, V> BiFunction<K, List<V>, OpaQueryInput> batchRequestBuilder(OpaQueryContext opaQueryContext, String str, BiFunction<K, List<V>, OpaQueryInputResource> biFunction) {
        return (obj, list) -> {
            return new OpaQueryInput(opaQueryContext, OpaQueryInputAction.builder().operation(str).filterResources(ImmutableList.of((OpaQueryInputResource) biFunction.apply(obj, list))).build());
        };
    }
}
