package io.prestosql.plugin.base.security;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.prestosql.plugin.base.security.FileBasedSystemAccessControl;
import io.prestosql.spi.QueryId;
import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.Identity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.PrincipalType;
import io.prestosql.spi.security.SystemAccessControl;
import io.prestosql.spi.security.SystemSecurityContext;
import io.prestosql.spi.testing.InterfaceTestUtils;
import java.io.File;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.assertj.core.api.Assertions;
import org.assertj.core.util.Files;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:io/prestosql/plugin/base/security/TestFileBasedSystemAccessControl.class */
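/**
 * Tests for {@link FileBasedSystemAccessControl}, driven by JSON rule files loaded from the test
 * classpath (and, for {@link #testDocsExample()}, from the documentation tree).
 *
 * <p>The tests pin which identities are allowed or denied for user impersonation
 * ({@code checkCanSetUser}), query execute/view/kill, schema authorization and catalog
 * visibility, and how the access control behaves when its rule file is replaced on disk.
 * Denials are as important as grants here: every expected {@link AccessDeniedException} is
 * asserted explicitly so that a rule change that silently widens access fails the suite.
 */
public class TestFileBasedSystemAccessControl {
    private static final Identity alice = Identity.ofUser("alice");
    // Principal whose primary component matches the requested user name.
    private static final Identity kerberosValidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("alice/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosValidNonAsciiUser = Identity.forUser("ƔƔƔ").withPrincipal(new KerberosPrincipal("ƔƔƔ/example.com@EXAMPLE.COM")).build();
    // Principal "mallory" asking to act as "alice": expected to be rejected.
    private static final Identity kerberosInvalidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("mallory/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosValidShare = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("valid/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosInValidShare = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("invalid/example.com@EXAMPLE.COM")).build();
    // User names made of regex metacharacters; the tests below expect them to match only themselves.
    private static final Identity validSpecialRegexWildDot = Identity.forUser(".*").withPrincipal(new KerberosPrincipal("special/.*@EXAMPLE.COM")).build();
    private static final Identity validSpecialRegexEndQuote = Identity.forUser("\\E").withPrincipal(new KerberosPrincipal("special/\\E@EXAMPLE.COM")).build();
    private static final Identity invalidSpecialRegex = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("special/.*@EXAMPLE.COM")).build();
    private static final Identity bob = Identity.ofUser("bob");
    private static final Identity admin = Identity.ofUser("admin");
    private static final Identity nonAsciiUser = Identity.ofUser("ƔƔƔ");
    private static final Set<String> allCatalogs = ImmutableSet.of("secret", "open-to-all", "all-allowed", "alice-catalog", "allowed-absent", "ȀȀȀ");
    private static final CatalogSchemaTableName aliceView = new CatalogSchemaTableName("alice-catalog", "schema", "view");
    private static final Optional<QueryId> queryId = Optional.empty();

    /**
     * Verifies the principal-to-user checks of {@code catalog_principal.json}.
     *
     * <p>Each denial is asserted with {@code assertThrows}, so a missing denial fails the test at
     * the exact call that should have been rejected.
     */
    @Test
    public void testCanSetUserOperations() {
        SystemAccessControl accessControl = newFileBasedSystemAccessControl("catalog_principal.json");

        // No principal at all must not be enough to become "alice".
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanSetUser(Optional.empty(), alice.getUser()));

        accessControl.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
        accessControl.checkCanSetUser(kerberosValidNonAsciiUser.getPrincipal(), kerberosValidNonAsciiUser.getUser());
        // A different principal ("mallory") must not be able to impersonate "alice".
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanSetUser(kerberosInvalidAlice.getPrincipal(), kerberosInvalidAlice.getUser()));

        accessControl.checkCanSetUser(kerberosValidShare.getPrincipal(), kerberosValidShare.getUser());
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanSetUser(kerberosInValidShare.getPrincipal(), kerberosInValidShare.getUser()));

        // Regex metacharacters in the user name are accepted for the identical user name ...
        accessControl.checkCanSetUser(validSpecialRegexWildDot.getPrincipal(), validSpecialRegexWildDot.getUser());
        accessControl.checkCanSetUser(validSpecialRegexEndQuote.getPrincipal(), validSpecialRegexEndQuote.getUser());
        // ... but the principal "special/.*" must not act as a wildcard that matches "alice".
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanSetUser(invalidSpecialRegex.getPrincipal(), invalidSpecialRegex.getUser()));

        // With catalog.json the same check passes.
        // NOTE(review): presumably because that file declares no principal rules -- confirm against the resource.
        SystemAccessControl accessControlNoPatterns = newFileBasedSystemAccessControl("catalog.json");
        accessControlNoPatterns.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
    }

    /**
     * Verifies the execute / view / kill query checks of {@code query.json} for admin, alice, bob
     * and a non-ASCII user name.
     */
    @Test
    public void testQuery() {
        SystemAccessControl accessControl = newFileBasedSystemAccessControl("query.json");
        Set<String> owners = ImmutableSet.of("a", "b");

        // admin: everything is allowed.
        accessControl.checkCanExecuteQuery(contextFor(admin));
        accessControl.checkCanViewQueryOwnedBy(contextFor(admin), "any");
        Assert.assertEquals(accessControl.filterViewQueryOwnedBy(contextFor(admin), owners), owners);
        accessControl.checkCanKillQueryOwnedBy(contextFor(admin), "any");

        // alice: may execute and view, but not kill.
        accessControl.checkCanExecuteQuery(contextFor(alice));
        accessControl.checkCanViewQueryOwnedBy(contextFor(alice), "any");
        Assert.assertEquals(accessControl.filterViewQueryOwnedBy(contextFor(alice), owners), owners);
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanKillQueryOwnedBy(contextFor(alice), "any"));

        // bob: may kill, but neither execute nor view; the view filter must return nothing.
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanExecuteQuery(contextFor(bob)));
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanViewQueryOwnedBy(contextFor(bob), "any"));
        Assert.assertEquals(accessControl.filterViewQueryOwnedBy(contextFor(bob), owners), ImmutableSet.of());
        accessControl.checkCanKillQueryOwnedBy(contextFor(bob), "any");

        // Non-ASCII user name: everything is allowed.
        accessControl.checkCanExecuteQuery(contextFor(nonAsciiUser));
        accessControl.checkCanViewQueryOwnedBy(contextFor(nonAsciiUser), "any");
        Assert.assertEquals(accessControl.filterViewQueryOwnedBy(contextFor(nonAsciiUser), owners), owners);
        accessControl.checkCanKillQueryOwnedBy(contextFor(nonAsciiUser), "any");
    }

    /**
     * Verifies that with {@code catalog.json} bob may execute, view and kill queries.
     */
    @Test
    public void testQueryNotSet() {
        // NOTE(review): the test name suggests catalog.json has no query rules -- confirm against the resource.
        SystemAccessControl accessControl = newFileBasedSystemAccessControl("catalog.json");
        Set<String> owners = ImmutableSet.of("a", "b");

        accessControl.checkCanExecuteQuery(contextFor(bob));
        accessControl.checkCanViewQueryOwnedBy(contextFor(bob), "any");
        Assert.assertEquals(accessControl.filterViewQueryOwnedBy(contextFor(bob), owners), owners);
        accessControl.checkCanKillQueryOwnedBy(contextFor(bob), "any");
    }

    /**
     * Verifies the query rules of the example file shipped with the documentation, so that the
     * published example keeps the behaviour asserted here.
     */
    @Test
    public void testDocsExample() {
        // The path is relative, so it is resolved against the working directory of the test run.
        String docsRules = new File("../presto-docs/src/main/sphinx/security/query-access.json").getAbsolutePath();
        SystemAccessControl accessControl = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", docsRules));
        Set<String> owners = ImmutableSet.of("a", "b");

        // admin: everything is allowed.
        accessControl.checkCanExecuteQuery(contextFor(admin));
        accessControl.checkCanViewQueryOwnedBy(contextFor(admin), "any");
        Assert.assertEquals(accessControl.filterViewQueryOwnedBy(contextFor(admin), owners), owners);
        accessControl.checkCanKillQueryOwnedBy(contextFor(admin), "any");

        // alice: may execute and kill, but not view.
        accessControl.checkCanExecuteQuery(contextFor(alice));
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanViewQueryOwnedBy(contextFor(alice), "any"));
        Assert.assertEquals(accessControl.filterViewQueryOwnedBy(contextFor(alice), owners), ImmutableSet.of());
        accessControl.checkCanKillQueryOwnedBy(contextFor(alice), "any");

        // bob: may execute only.
        accessControl.checkCanExecuteQuery(contextFor(bob));
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanViewQueryOwnedBy(contextFor(bob), "any"));
        Assert.assertEquals(accessControl.filterViewQueryOwnedBy(contextFor(bob), owners), ImmutableSet.of());
        Assert.assertThrows(AccessDeniedException.class, () -> accessControl.checkCanKillQueryOwnedBy(contextFor(bob), "any"));
    }

    /**
     * Verifies who may set schema authorization under {@code catalog.json}: admin and alice on
     * {@code alice-catalog}, but not bob there and not alice on {@code secret}. Each case is
     * checked for both a USER and a ROLE grantee.
     */
    @Test
    public void testSchemaOperations() {
        SystemAccessControl accessControl = newFileBasedSystemAccessControl("catalog.json");
        PrestoPrincipal userGrantee = new PrestoPrincipal(PrincipalType.USER, "some_user");
        PrestoPrincipal roleGrantee = new PrestoPrincipal(PrincipalType.ROLE, "some_user");
        CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", "some_schema");
        CatalogSchemaName secretSchema = new CatalogSchemaName("secret", "some_schema");

        accessControl.checkCanSetSchemaAuthorization(contextFor(admin), aliceSchema, userGrantee);
        accessControl.checkCanSetSchemaAuthorization(contextFor(admin), aliceSchema, roleGrantee);
        accessControl.checkCanSetSchemaAuthorization(contextFor(alice), aliceSchema, userGrantee);
        accessControl.checkCanSetSchemaAuthorization(contextFor(alice), aliceSchema, roleGrantee);

        Assertions.assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(contextFor(bob), aliceSchema, userGrantee))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
        Assertions.assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(contextFor(bob), aliceSchema, roleGrantee))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
        Assertions.assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(contextFor(alice), secretSchema, userGrantee))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
        Assertions.assertThatThrownBy(() -> accessControl.checkCanSetSchemaAuthorization(contextFor(alice), secretSchema, roleGrantee))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
    }

    /**
     * Verifies which catalogs each identity can see under {@code catalog.json}; catalogs that an
     * identity has no access to must be filtered out of the listing.
     */
    @Test
    public void testCatalogOperations() {
        SystemAccessControl accessControl = newFileBasedSystemAccessControl("catalog.json");

        Assert.assertEquals(accessControl.filterCatalogs(contextFor(admin), allCatalogs), allCatalogs);
        Assert.assertEquals(accessControl.filterCatalogs(contextFor(alice), allCatalogs), ImmutableSet.of("open-to-all", "alice-catalog", "all-allowed"));
        Assert.assertEquals(accessControl.filterCatalogs(contextFor(bob), allCatalogs), ImmutableSet.of("open-to-all", "all-allowed"));
        Assert.assertEquals(accessControl.filterCatalogs(contextFor(nonAsciiUser), allCatalogs), ImmutableSet.of("open-to-all", "all-allowed", "ȀȀȀ"));
    }

    /**
     * Verifies that {@link FileBasedSystemAccessControl} overrides every method of
     * {@link SystemAccessControl}, so no check is left to an inherited default.
     */
    @Test
    public void testEverythingImplemented() {
        InterfaceTestUtils.assertAllMethodsOverridden(SystemAccessControl.class, FileBasedSystemAccessControl.class);
    }

    /**
     * Verifies rule-file refreshing: a valid file allows the check, replacing it with a file that
     * contains unknown rules makes every subsequent check fail with "Invalid JSON file" (the
     * previously loaded rules are not silently kept), and restoring the valid file restores access.
     *
     * @throws Exception if the temporary rule file cannot be written or the sleep is interrupted
     */
    @Test
    public void testRefreshing() throws Exception {
        File rulesFile = Files.newTemporaryFile();
        rulesFile.deleteOnExit();
        com.google.common.io.Files.copy(new File(getResourcePath("catalog.json")), rulesFile);

        SystemAccessControl accessControl = newFileBasedSystemAccessControl(ImmutableMap.of(
                "security.config-file", rulesFile.getAbsolutePath(),
                "security.refresh-period", "1ms"));
        SystemSecurityContext aliceContext = new SystemSecurityContext(alice, queryId);

        // Repeated checks against the unchanged, valid file all succeed.
        accessControl.checkCanCreateView(aliceContext, aliceView);
        accessControl.checkCanCreateView(aliceContext, aliceView);
        accessControl.checkCanCreateView(aliceContext, aliceView);

        com.google.common.io.Files.copy(new File(getResourcePath("security-config-file-with-unknown-rules.json")), rulesFile);
        // Sleep longer than the 1ms refresh period so the next check is expected to reload the file.
        Thread.sleep(2L);

        // Checked twice: the failure must persist, not only occur on the first reload attempt.
        Assertions.assertThatThrownBy(() -> accessControl.checkCanCreateView(aliceContext, aliceView))
                .isInstanceOf(IllegalArgumentException.class)
                .hasMessageStartingWith("Invalid JSON file");
        Assertions.assertThatThrownBy(() -> accessControl.checkCanCreateView(aliceContext, aliceView))
                .isInstanceOf(IllegalArgumentException.class)
                .hasMessageStartingWith("Invalid JSON file");

        com.google.common.io.Files.copy(new File(getResourcePath("catalog.json")), rulesFile);
        Thread.sleep(2L);

        accessControl.checkCanCreateView(aliceContext, aliceView);
    }

    /**
     * Verifies that a rule file containing unknown rules is rejected when the access control is
     * created, instead of the unknown rules being ignored.
     */
    @Test
    public void parseUnknownRules() {
        Assertions.assertThatThrownBy(() -> newFileBasedSystemAccessControl("security-config-file-with-unknown-rules.json"))
                .hasMessageContaining("Invalid JSON");
    }

    /**
     * Builds the security context the checks are called with: the given identity plus the shared,
     * empty query id.
     */
    private SystemSecurityContext contextFor(Identity identity) {
        return new SystemSecurityContext(identity, queryId);
    }

    /**
     * Creates an access control from a rule file on the test classpath.
     *
     * @param str name of the classpath resource holding the JSON rules
     * @return the access control created by {@link FileBasedSystemAccessControl.Factory}
     */
    private SystemAccessControl newFileBasedSystemAccessControl(String str) {
        return newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", getResourcePath(str)));
    }

    /**
     * Creates an access control from an explicit configuration map.
     *
     * @param immutableMap configuration properties, e.g. {@code security.config-file}
     * @return the access control created by {@link FileBasedSystemAccessControl.Factory}
     */
    private SystemAccessControl newFileBasedSystemAccessControl(ImmutableMap<String, String> immutableMap) {
        return new FileBasedSystemAccessControl.Factory().create(immutableMap);
    }

    /**
     * Resolves a classpath resource to a file system path.
     *
     * @param str name of the classpath resource
     * @return the path component of the resource URL
     * @throws IllegalArgumentException if the resource is not on the classpath
     */
    private String getResourcePath(String str) {
        java.net.URL resource = getClass().getClassLoader().getResource(str);
        if (resource == null) {
            // Fail with the resource name instead of an anonymous NullPointerException.
            throw new IllegalArgumentException("Test resource not found on classpath: " + str);
        }
        // NOTE: URL.getPath() is not percent-decoded, so a checkout path containing spaces or
        // other escaped characters will not resolve to an existing file.
        return resource.getPath();
    }
}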
