[Feature](nereids) support encrypt sql for audit log

fe/fe-core/src/main/antlr4/org/apache/doris/nereids/DorisParser.g4

@@ -256,7 +256,7 @@ supportedShowStatement
     | SHOW DELETE ((FROM | IN) database=multipartIdentifier)?                       #showDelete
     | SHOW ALL? GRANTS                                                              #showGrants
     | SHOW GRANTS FOR userIdentify                                                  #showGrantsForUser
-    | SHOW SYNC JOB ((FROM | IN) database=multipartIdentifier)?                     #showSyncJob    
+    | SHOW SYNC JOB ((FROM | IN) database=multipartIdentifier)?                     #showSyncJob
     | SHOW LOAD PROFILE loadIdPath=STRING_LITERAL? limitClause?                     #showLoadProfile
     | SHOW CREATE REPOSITORY FOR identifier                                         #showCreateRepository
     | SHOW VIEW
@@ -849,10 +849,10 @@ optionWithoutType
     | (CHAR SET | CHARSET) (charsetName=identifierOrText | DEFAULT)     #setCharset
     | NAMES (charsetName=identifierOrText | DEFAULT)
         (COLLATE collateName=identifierOrText | DEFAULT)?               #setCollate
-    | PASSWORD (FOR userIdentify)? EQ (STRING_LITERAL
-        | (isPlain=PASSWORD LEFT_PAREN STRING_LITERAL RIGHT_PAREN))             #setPassword
-    | LDAP_ADMIN_PASSWORD EQ (STRING_LITERAL
-    | (PASSWORD LEFT_PAREN STRING_LITERAL RIGHT_PAREN))                 #setLdapAdminPassword
+    | PASSWORD (FOR userIdentify)? EQ (pwd=STRING_LITERAL
+        | (isPlain=PASSWORD LEFT_PAREN pwd=STRING_LITERAL RIGHT_PAREN)) #setPassword
+    | LDAP_ADMIN_PASSWORD EQ (pwd=STRING_LITERAL
+        | (PASSWORD LEFT_PAREN pwd=STRING_LITERAL RIGHT_PAREN))         #setLdapAdminPassword
     | variable                                                          #setVariableWithoutType
     ;
 

fe/fe-core/src/main/java/org/apache/doris/nereids/analyzer/UnboundResultSink.java

@@ -27,6 +27,7 @@
 import org.apache.doris.nereids.trees.plans.Plan;
 import org.apache.doris.nereids.trees.plans.PlanType;
 import org.apache.doris.nereids.trees.plans.algebra.Sink;
+import org.apache.doris.nereids.trees.plans.commands.NeedAuditEncryption;
 import org.apache.doris.nereids.trees.plans.logical.LogicalSink;
 import org.apache.doris.nereids.trees.plans.visitor.PlanVisitor;
 import org.apache.doris.nereids.util.Utils;
@@ -41,7 +42,7 @@
  * unbound result sink
  */
 public class UnboundResultSink<CHILD_TYPE extends Plan> extends LogicalSink<CHILD_TYPE>
-        implements Unbound, Sink, BlockFuncDepsPropagation {
+        implements NeedAuditEncryption, Unbound, Sink, BlockFuncDepsPropagation {
 
     public UnboundResultSink(CHILD_TYPE child) {
         super(PlanType.LOGICAL_UNBOUND_RESULT_SINK, ImmutableList.of(), child);
@@ -94,4 +95,9 @@ public String toString() {
     public StmtType stmtType() {
         return StmtType.SELECT;
     }
+
+    @Override
+    public boolean needAuditEncryption() {
+        return anyMatch(node -> node instanceof UnboundTVFRelation);
+    }
 }

fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java

@@ -0,0 +1,138 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.nereids.parser;
+
+import org.apache.doris.analysis.BrokerDesc;
+import org.apache.doris.common.Pair;
+import org.apache.doris.common.util.PrintableMap;
+import org.apache.doris.nereids.DorisParser;
+import org.apache.doris.nereids.trees.plans.commands.info.SetVarOp;
+import org.apache.doris.nereids.trees.plans.logical.LogicalPlan;
+
+import org.antlr.v4.runtime.ParserRuleContext;
+import org.apache.commons.collections.MapUtils;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
+/**LogicalPlanBuilderForEncryption*/
+public class LogicalPlanBuilderForEncryption extends LogicalPlanBuilder {
+    private final Map<Pair<Integer, Integer>, String> indexInSqlToString;
+
+    public LogicalPlanBuilderForEncryption(Map<Integer, ParserRuleContext> selectHintMap,
+                                           Map<Pair<Integer, Integer>, String> indexInSqlToString) {
+        super(selectHintMap);
+        this.indexInSqlToString = Objects.requireNonNull(indexInSqlToString, "indexInSqlToString is null");
+    }
+
+    // select into outfile clause
+    @Override
+    public LogicalPlan visitStatementDefault(DorisParser.StatementDefaultContext ctx) {
+        if (ctx.outFileClause() != null && ctx.outFileClause().propertyClause() != null) {
+            DorisParser.PropertyClauseContext propertyClauseContext = ctx.outFileClause().propertyClause();
+            encryptProperty(visitPropertyClause(propertyClauseContext),
+                    propertyClauseContext.fileProperties.start.getStartIndex(),
+                    propertyClauseContext.fileProperties.stop.getStopIndex());
+        }
+        return super.visitStatementDefault(ctx);
+    }
+
+    // export into outfile clause
+    @Override
+    public BrokerDesc visitWithRemoteStorageSystem(DorisParser.WithRemoteStorageSystemContext ctx) {
+        Map<String, String> properties = visitPropertyItemList(ctx.brokerProperties);
+        encryptProperty(properties, ctx.brokerProperties.start.getStartIndex(),
+                ctx.brokerProperties.stop.getStopIndex());
+        return super.visitWithRemoteStorageSystem(ctx);
+    }
+
+    // load into outfile clause
+    @Override
+    public LogicalPlan visitLoad(DorisParser.LoadContext ctx) {
+        if (ctx.withRemoteStorageSystem() != null) {
+            Map<String, String> properties =
+                    new HashMap<>(visitPropertyItemList(ctx.withRemoteStorageSystem().brokerProperties));
+            encryptProperty(properties, ctx.withRemoteStorageSystem().brokerProperties.start.getStartIndex(),
+                    ctx.withRemoteStorageSystem().brokerProperties.stop.getStopIndex());
+        }
+        return super.visitLoad(ctx);
+    }
+
+    // set password clause
+    @Override
+    public SetVarOp visitSetPassword(DorisParser.SetPasswordContext ctx) {
+        encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex());
+        return super.visitSetPassword(ctx);
+    }
+
+    // set ldap password clause
+    @Override
+    public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) {
+        encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex());
+        return super.visitSetLdapAdminPassword(ctx);
+    }
+
+    // create catalog clause
+    @Override
+    public LogicalPlan visitCreateCatalog(DorisParser.CreateCatalogContext ctx) {
+        if (ctx.propertyClause() != null) {
+            DorisParser.PropertyClauseContext context = ctx.propertyClause();
+            encryptProperty(visitPropertyClause(context), context.fileProperties.start.getStartIndex(),
+                    context.fileProperties.stop.getStopIndex());
+        }
+        return super.visitCreateCatalog(ctx);
+    }
+
+    // create table clause
+    @Override
+    public LogicalPlan visitCreateTable(DorisParser.CreateTableContext ctx) {
+        // property or ext property
+        if (ctx.propertyClause() != null) {
+            List<DorisParser.PropertyClauseContext> propertyClauseContexts = ctx.propertyClause();
+            for (DorisParser.PropertyClauseContext propertyClauseContext : propertyClauseContexts) {
+                encryptProperty(visitPropertyClause(propertyClauseContext),
+                        propertyClauseContext.fileProperties.start.getStartIndex(),
+                        propertyClauseContext.fileProperties.stop.getStopIndex());
+            }
+        }
+        return super.visitCreateTable(ctx);
+    }
+
+    // select from tvf
+    @Override
+    public LogicalPlan visitTableValuedFunction(DorisParser.TableValuedFunctionContext ctx) {
+        DorisParser.PropertyItemListContext properties = ctx.properties;
+        encryptProperty(visitPropertyItemList(properties), properties.start.getStartIndex(),
+                properties.stop.getStopIndex());
+        return super.visitTableValuedFunction(ctx);
+    }
+
+    private void encryptProperty(Map<String, String> properties, int start, int stop) {
+        if (MapUtils.isNotEmpty(properties)) {
+            PrintableMap<String, String> printableMap = new PrintableMap<>(properties, "=",
+                    true, false, true);
+            indexInSqlToString.put(Pair.of(start, stop), printableMap.toString());
+        }
+    }
+
+    private void encryptPassword(int start, int stop) {
+        indexInSqlToString.put(Pair.of(start, stop), "'*XXX'");
+    }
+}

fe/fe-core/src/main/java/org/apache/doris/nereids/parser/NereidsParser.java

@@ -343,6 +343,14 @@ public LogicalPlan parseForCreateView(String sql) {
         return (LogicalPlan) realLogicalPlanBuilder.visit(tree);
     }
 
+    public LogicalPlan parseForEncryption(String sql, Map<Pair<Integer, Integer>, String> indexInSqlToString) {
+        CommonTokenStream tokenStream = parseAllTokens(sql);
+        ParserRuleContext tree = toAst(tokenStream, DorisParser::singleStatement);
+        LogicalPlanBuilder realLogicalPlanBuilder = new LogicalPlanBuilderForEncryption(
+                getHintMap(sql, tokenStream, DorisParser::selectHint), indexInSqlToString);
+        return (LogicalPlan) realLogicalPlanBuilder.visit(tree);
+    }
+
     /** parseForSyncMv */
     public Optional<String> parseForSyncMv(String sql) {
         CommonTokenStream tokenStream = parseAllTokens(sql);

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/CreateCatalogCommand.java

@@ -22,7 +22,6 @@
 import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
-import org.apache.doris.common.util.PrintableMap;
 import org.apache.doris.common.util.PropertyAnalyzer;
 import org.apache.doris.common.util.Util;
 import org.apache.doris.datasource.ExternalCatalog;
@@ -122,23 +121,5 @@ public Map<String, String> getProperties() {
     public boolean needAuditEncryption() {
         return true;
     }
-
-    @Override
-    public String toSql() {
-        StringBuilder stringBuilder = new StringBuilder();
-        stringBuilder.append("CREATE CATALOG ").append("`").append(catalogName).append("`");
-        if (!Strings.isNullOrEmpty(resourceName)) {
-            stringBuilder.append(" WITH RESOURCE `").append(resourceName).append("`");
-        }
-        if (!Strings.isNullOrEmpty(comment)) {
-            stringBuilder.append("\nCOMMENT \"").append(comment).append("\"");
-        }
-        if (properties.size() > 0) {
-            stringBuilder.append("\nPROPERTIES (\n");
-            stringBuilder.append(new PrintableMap<>(properties, "=", true, true, true));
-            stringBuilder.append("\n)");
-        }
-        return stringBuilder.toString();
-    }
 }
 

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/CreateTableCommand.java

@@ -70,7 +70,7 @@
  * create table command
  */
 @Developing
-public class CreateTableCommand extends Command implements ForwardWithSync {
+public class CreateTableCommand extends Command implements NeedAuditEncryption, ForwardWithSync {
     public static final Logger LOG = LogManager.getLogger(CreateTableCommand.class);
 
     private final Optional<LogicalPlan> ctasQuery;
@@ -208,7 +208,6 @@ public <R, C> R accept(PlanVisitor<R, C> visitor, C context) {
         return visitor.visitCreateTableCommand(this, context);
     }
 
-    // for test
     public CreateTableInfo getCreateTableInfo() {
         return createTableInfo;
     }
@@ -217,5 +216,10 @@ public CreateTableInfo getCreateTableInfo() {
     public StmtType stmtType() {
         return StmtType.CREATE;
     }
+
+    @Override
+    public boolean needAuditEncryption() {
+        return !createTableInfo.getEngineName().equalsIgnoreCase(CreateTableInfo.ENGINE_OLAP);
+    }
 }
 

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/ExportCommand.java

@@ -70,7 +70,7 @@
  *          [PROPERTIES("key"="value")]
  *          WITH BROKER 'broker_name' [( $broker_attrs)]
  */
-public class ExportCommand extends Command implements ForwardWithSync {
+public class ExportCommand extends Command implements NeedAuditEncryption, ForwardWithSync {
     public static final String PARALLELISM = "parallelism";
     public static final String LABEL = "label";
     public static final String DATA_CONSISTENCY = "data_consistency";
@@ -380,4 +380,9 @@ public <R, C> R accept(PlanVisitor<R, C> visitor, C context) {
     public StmtType stmtType() {
         return StmtType.EXPORT;
     }
+
+    @Override
+    public boolean needAuditEncryption() {
+        return true;
+    }
 }

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/LoadCommand.java

@@ -84,7 +84,7 @@
 /**
  * load OLAP table data from external bulk file
  */
-public class LoadCommand extends Command implements ForwardWithSync {
+public class LoadCommand extends Command implements NeedAuditEncryption, ForwardWithSync {
 
     public static final Logger LOG = LogManager.getLogger(LoadCommand.class);
 
@@ -509,4 +509,9 @@ public <R, C> R accept(PlanVisitor<R, C> visitor, C context) {
     public StmtType stmtType() {
         return StmtType.LOAD;
     }
+
+    @Override
+    public boolean needAuditEncryption() {
+        return true;
+    }
 }

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/NeedAuditEncryption.java

@@ -17,13 +17,28 @@
 
 package org.apache.doris.nereids.trees.plans.commands;
 
+import org.apache.doris.common.Pair;
+import org.apache.doris.nereids.parser.NereidsParser;
+import org.apache.doris.nereids.trees.plans.commands.info.BaseViewInfo;
+
+import java.util.TreeMap;
+
 /**
  * NeedAuditEncryption
  */
 public interface NeedAuditEncryption {
-
     boolean needAuditEncryption();
 
-    String toSql();
-
+    /**
+     * gene encryption SQL
+     */
+    default String geneEncryptionSQL(String sql) {
+        if (!needAuditEncryption()) {
+            return sql;
+        }
+        TreeMap<Pair<Integer, Integer>, String> indexInSqlToString = new TreeMap<>(new Pair.PairComparator<>());
+        NereidsParser parser = new NereidsParser();
+        parser.parseForEncryption(sql, indexInSqlToString);
+        return BaseViewInfo.rewriteSql(indexInSqlToString, sql);
+    }
 }

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/SetOptionsCommand.java

@@ -80,21 +80,6 @@ public boolean needAuditEncryption() {
         return false;
     }
 
-    @Override
-    public String toSql() {
-        StringBuilder sb = new StringBuilder();
-        sb.append("SET ");
-        int idx = 0;
-        for (SetVarOp variableInfo : setVarOpList) {
-            if (idx != 0) {
-                sb.append(", ");
-            }
-            sb.append(variableInfo.toSql());
-            idx++;
-        }
-        return sb.toString();
-    }
-
     @Override
     public void afterForwardToMaster(ConnectContext ctx) throws Exception {
         for (SetVarOp varOp : setVarOpList) {

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/info/CreateTableInfo.java

@@ -217,6 +217,14 @@ public String getTableName() {
         return tableName;
     }
 
+    public String getEngineName() {
+        return engineName;
+    }
+
+    public Map<String, String> getProperties() {
+        return properties;
+    }
+
     /**
      * full qualifier table name.
      */