package io.prestosql.plugin.base.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.prestosql.spi.QueryId;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.ConnectorAccessControl;
import io.prestosql.spi.connector.ConnectorSecurityContext;
import io.prestosql.spi.connector.ConnectorTransactionHandle;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.ConnectorIdentity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.PrincipalType;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.testing.InterfaceTestUtils;
import io.prestosql.spi.type.VarcharType;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Paths;
import java.util.Optional;
import java.util.Set;
import org.assertj.core.api.Assertions;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:io/prestosql/plugin/base/security/TestFileBasedAccessControl.class */
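/**
 * Tests for {@link FileBasedAccessControl}.
 *
 * <p>Each test loads a JSON rules file from the test classpath and pins, for a fixed set of
 * identities, which checks pass silently and which throw {@link AccessDeniedException}. The rule
 * files themselves are not part of this class, so the comments below describe only what the
 * assertions establish, not how the files express it.
 */
public class TestFileBasedAccessControl {
    // Identities shared by all tests: a user name plus the groups attached to the identity.
    private static final ConnectorSecurityContext ADMIN = user("admin", ImmutableSet.of("admin", "staff"));
    private static final ConnectorSecurityContext ALICE = user("alice", ImmutableSet.of("staff"));
    private static final ConnectorSecurityContext BOB = user("bob", ImmutableSet.of("staff"));
    private static final ConnectorSecurityContext CHARLIE = user("charlie", ImmutableSet.of("guests"));
    private static final ConnectorSecurityContext JOE = user("joe", ImmutableSet.of());
    private static final ConnectorSecurityContext UNKNOWN = user("unknown", ImmutableSet.of());

    /**
     * Pins the behaviour for {@code empty.json}: schema, table and catalog session property
     * checks pass for an identity with no groups and {@code filterTables} returns its input
     * unchanged, while table grant/revoke and role create/drop/grant/revoke/set are denied even
     * for ADMIN. The role listing checks pass.
     *
     * <p>NOTE(review): as asserted here, a rules file without rules is permissive for data
     * access rather than deny-all; compare {@link #testNoTableRules()}.
     */
    @Test
    public void testEmptyFile() {
        ConnectorAccessControl accessControl = createAccessControl("empty.json");

        accessControl.checkCanCreateSchema(UNKNOWN, "unknown");
        accessControl.checkCanDropSchema(UNKNOWN, "unknown");
        accessControl.checkCanRenameSchema(UNKNOWN, "unknown", "new_unknown");
        accessControl.checkCanSetSchemaAuthorization(UNKNOWN, "unknown", new PrestoPrincipal(PrincipalType.ROLE, "some_role"));
        accessControl.checkCanShowCreateSchema(UNKNOWN, "unknown");

        accessControl.checkCanSelectFromColumns(UNKNOWN, new SchemaTableName("unknown", "unknown"), ImmutableSet.of());
        accessControl.checkCanShowColumns(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        accessControl.checkCanInsertIntoTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        accessControl.checkCanDeleteFromTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        accessControl.checkCanCreateTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        accessControl.checkCanDropTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        accessControl.checkCanRenameTable(UNKNOWN, new SchemaTableName("unknown", "unknown"), new SchemaTableName("unknown", "new_unknown"));

        accessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "anything");

        // Typed set: the decompiled raw ImmutableSet forced an unchecked conversion at the call.
        Set<SchemaTableName> tables = ImmutableSet.<SchemaTableName>builder()
                .add(new SchemaTableName("secret", "any"))
                .add(new SchemaTableName("any", "any"))
                .build();
        Assert.assertEquals(accessControl.filterTables(UNKNOWN, tables), tables);

        // Privilege and role management is denied regardless of the caller.
        PrestoPrincipal grantee = new PrestoPrincipal(PrincipalType.USER, "some_user");
        assertDenied(() -> accessControl.checkCanGrantTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), grantee, false));
        assertDenied(() -> accessControl.checkCanRevokeTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), grantee, false));
        assertDenied(() -> accessControl.checkCanCreateRole(ADMIN, "role", Optional.empty()));
        assertDenied(() -> accessControl.checkCanDropRole(ADMIN, "role"));
        assertDenied(() -> accessControl.checkCanGrantRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(grantee), false, Optional.empty(), "any"));
        assertDenied(() -> accessControl.checkCanRevokeRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(grantee), false, Optional.empty(), "any"));
        assertDenied(() -> accessControl.checkCanSetRole(ADMIN, "role", "any"));

        accessControl.checkCanShowRoleAuthorizationDescriptors(UNKNOWN, "any");
        accessControl.checkCanShowRoles(UNKNOWN, "any");
        accessControl.checkCanShowCurrentRoles(UNKNOWN, "any");
        accessControl.checkCanShowRoleGrants(UNKNOWN, "any");
    }

    /**
     * Pins schema ownership checks for {@code schema.json}: ADMIN passes for all four schema
     * names, BOB for "bob", "staff" and "authenticated" but not "test", CHARLIE only for
     * "authenticated". For rename, a denial on either the source or the target name is enough
     * (BOB is denied both test -> bob and bob -> test).
     */
    @Test
    public void testSchemaRules() {
        ConnectorAccessControl accessControl = createAccessControl("schema.json");
        PrestoPrincipal someRole = new PrestoPrincipal(PrincipalType.ROLE, "some_role");
        PrestoPrincipal someUser = new PrestoPrincipal(PrincipalType.USER, "some_user");

        // CREATE SCHEMA
        accessControl.checkCanCreateSchema(ADMIN, "bob");
        accessControl.checkCanCreateSchema(ADMIN, "staff");
        accessControl.checkCanCreateSchema(ADMIN, "authenticated");
        accessControl.checkCanCreateSchema(ADMIN, "test");
        accessControl.checkCanCreateSchema(BOB, "bob");
        accessControl.checkCanCreateSchema(BOB, "staff");
        accessControl.checkCanCreateSchema(BOB, "authenticated");
        assertDenied(() -> accessControl.checkCanCreateSchema(BOB, "test"));
        assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "bob"));
        assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "staff"));
        accessControl.checkCanCreateSchema(CHARLIE, "authenticated");
        assertDenied(() -> accessControl.checkCanCreateSchema(CHARLIE, "test"));

        // DROP SCHEMA
        accessControl.checkCanDropSchema(ADMIN, "bob");
        accessControl.checkCanDropSchema(ADMIN, "staff");
        accessControl.checkCanDropSchema(ADMIN, "authenticated");
        accessControl.checkCanDropSchema(ADMIN, "test");
        accessControl.checkCanDropSchema(BOB, "bob");
        accessControl.checkCanDropSchema(BOB, "staff");
        accessControl.checkCanDropSchema(BOB, "authenticated");
        assertDenied(() -> accessControl.checkCanDropSchema(BOB, "test"));
        assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "bob"));
        assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "staff"));
        accessControl.checkCanDropSchema(CHARLIE, "authenticated");
        assertDenied(() -> accessControl.checkCanDropSchema(CHARLIE, "test"));

        // RENAME SCHEMA
        accessControl.checkCanRenameSchema(ADMIN, "bob", "new_schema");
        accessControl.checkCanRenameSchema(ADMIN, "staff", "new_schema");
        accessControl.checkCanRenameSchema(ADMIN, "authenticated", "new_schema");
        accessControl.checkCanRenameSchema(ADMIN, "test", "new_schema");
        accessControl.checkCanRenameSchema(BOB, "bob", "staff");
        accessControl.checkCanRenameSchema(BOB, "staff", "authenticated");
        accessControl.checkCanRenameSchema(BOB, "authenticated", "bob");
        assertDenied(() -> accessControl.checkCanRenameSchema(BOB, "test", "bob"));
        assertDenied(() -> accessControl.checkCanRenameSchema(BOB, "bob", "test"));
        assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "bob", "new_schema"));
        assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "staff", "new_schema"));
        accessControl.checkCanRenameSchema(CHARLIE, "authenticated", "authenticated");
        assertDenied(() -> accessControl.checkCanRenameSchema(CHARLIE, "test", "new_schema"));

        // SET SCHEMA AUTHORIZATION
        accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", someRole);
        accessControl.checkCanSetSchemaAuthorization(ADMIN, "test", someUser);
        accessControl.checkCanSetSchemaAuthorization(BOB, "bob", someRole);
        accessControl.checkCanSetSchemaAuthorization(BOB, "bob", someUser);
        assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", someRole));
        assertDenied(() -> accessControl.checkCanSetSchemaAuthorization(BOB, "test", someUser));

        // SHOW CREATE SCHEMA
        accessControl.checkCanShowCreateSchema(ADMIN, "bob");
        accessControl.checkCanShowCreateSchema(ADMIN, "staff");
        accessControl.checkCanShowCreateSchema(ADMIN, "authenticated");
        accessControl.checkCanShowCreateSchema(ADMIN, "test");
        accessControl.checkCanShowCreateSchema(BOB, "bob");
        accessControl.checkCanShowCreateSchema(BOB, "staff");
        accessControl.checkCanShowCreateSchema(BOB, "authenticated");
        assertDenied(() -> accessControl.checkCanShowCreateSchema(BOB, "test"));
        assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "bob"));
        assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "staff"));
        accessControl.checkCanShowCreateSchema(CHARLIE, "authenticated");
        assertDenied(() -> accessControl.checkCanShowCreateSchema(CHARLIE, "test"));
    }

    /**
     * Pins table-level checks for {@code table.json}: select, show/filter columns, insert,
     * delete, create, drop, rename (table and view) and create-view-with-select, per identity.
     * Among other things it asserts that ADMIN is still denied on the "secret" schema and that
     * JOE may select from bobschema.bobtable but may not create a view selecting from it.
     */
    @Test
    public void testTableRules() {
        ConnectorAccessControl accessControl = createAccessControl("table.json");
        SchemaTableName testTable = new SchemaTableName("test", "test");
        SchemaTableName bobTable = new SchemaTableName("bobschema", "bobtable");

        // Allowed operations.
        accessControl.checkCanSelectFromColumns(ALICE, testTable, ImmutableSet.of());
        accessControl.checkCanSelectFromColumns(ALICE, bobTable, ImmutableSet.of());
        accessControl.checkCanSelectFromColumns(ALICE, bobTable, ImmutableSet.of("bobcolumn"));
        accessControl.checkCanShowColumns(ALICE, bobTable);
        Assert.assertEquals(accessControl.filterColumns(ALICE, bobTable, ImmutableList.of(column("a"))), ImmutableList.of(column("a")));
        accessControl.checkCanSelectFromColumns(BOB, bobTable, ImmutableSet.of());
        accessControl.checkCanShowColumns(BOB, bobTable);
        Assert.assertEquals(accessControl.filterColumns(BOB, bobTable, ImmutableList.of(column("a"))), ImmutableList.of(column("a")));
        accessControl.checkCanInsertIntoTable(BOB, bobTable);
        accessControl.checkCanDeleteFromTable(BOB, bobTable);
        accessControl.checkCanSelectFromColumns(CHARLIE, bobTable, ImmutableSet.of());
        accessControl.checkCanSelectFromColumns(CHARLIE, bobTable, ImmutableSet.of("bobcolumn"));
        accessControl.checkCanInsertIntoTable(CHARLIE, bobTable);
        accessControl.checkCanSelectFromColumns(JOE, bobTable, ImmutableSet.of());

        // CREATE TABLE
        accessControl.checkCanCreateTable(ADMIN, new SchemaTableName("bob", "test"));
        accessControl.checkCanCreateTable(ADMIN, testTable);
        accessControl.checkCanCreateTable(ADMIN, new SchemaTableName("authenticated", "test"));
        assertDenied(() -> accessControl.checkCanCreateTable(ADMIN, new SchemaTableName("secret", "test")));
        accessControl.checkCanCreateTable(ALICE, new SchemaTableName("aliceschema", "test"));
        assertDenied(() -> accessControl.checkCanCreateTable(ALICE, testTable));
        assertDenied(() -> accessControl.checkCanCreateTable(CHARLIE, new SchemaTableName("aliceschema", "test")));
        assertDenied(() -> accessControl.checkCanCreateTable(CHARLIE, testTable));

        // Views, drop and rename that are allowed.
        accessControl.checkCanCreateViewWithSelectFromColumns(BOB, bobTable, ImmutableSet.of());
        accessControl.checkCanDropTable(ADMIN, bobTable);
        accessControl.checkCanRenameTable(ADMIN, bobTable, new SchemaTableName("aliceschema", "newbobtable"));
        accessControl.checkCanRenameTable(ALICE, new SchemaTableName("aliceschema", "alicetable"), new SchemaTableName("aliceschema", "newalicetable"));
        accessControl.checkCanRenameView(ADMIN, new SchemaTableName("bobschema", "bobview"), new SchemaTableName("aliceschema", "newbobview"));
        accessControl.checkCanRenameView(ALICE, new SchemaTableName("aliceschema", "aliceview"), new SchemaTableName("aliceschema", "newaliceview"));

        // Denied operations.
        assertDenied(() -> accessControl.checkCanInsertIntoTable(ALICE, bobTable));
        assertDenied(() -> accessControl.checkCanDropTable(BOB, bobTable));
        assertDenied(() -> accessControl.checkCanRenameTable(BOB, bobTable, new SchemaTableName("bobschema", "newbobtable")));
        assertDenied(() -> accessControl.checkCanRenameTable(ALICE, new SchemaTableName("aliceschema", "alicetable"), new SchemaTableName("bobschema", "newalicetable")));
        assertDenied(() -> accessControl.checkCanInsertIntoTable(BOB, testTable));
        assertDenied(() -> accessControl.checkCanSelectFromColumns(ADMIN, new SchemaTableName("secret", "secret"), ImmutableSet.of()));
        assertDenied(() -> accessControl.checkCanSelectFromColumns(JOE, new SchemaTableName("secret", "secret"), ImmutableSet.of()));
        assertDenied(() -> accessControl.checkCanCreateViewWithSelectFromColumns(JOE, bobTable, ImmutableSet.of()));
        assertDenied(() -> accessControl.checkCanRenameView(BOB, new SchemaTableName("bobschema", "bobview"), new SchemaTableName("bobschema", "newbobview")));
        assertDenied(() -> accessControl.checkCanRenameView(ALICE, new SchemaTableName("aliceschema", "alicetable"), new SchemaTableName("bobschema", "newalicetable")));
    }

    /**
     * Pins {@code filterTables} for {@code table-filter.json}: ALICE and BOB each see only two
     * of the seven candidate tables, and ADMIN sees all of them except restricted.any.
     */
    @Test
    public void testTableFilter() {
        ConnectorAccessControl accessControl = createAccessControl("table-filter.json");
        Set<SchemaTableName> tables = ImmutableSet.<SchemaTableName>builder()
                .add(new SchemaTableName("restricted", "any"))
                .add(new SchemaTableName("secret", "any"))
                .add(new SchemaTableName("aliceschema", "any"))
                .add(new SchemaTableName("aliceschema", "bobtable"))
                .add(new SchemaTableName("bobschema", "bob_any"))
                .add(new SchemaTableName("bobschema", "any"))
                .add(new SchemaTableName("any", "any"))
                .build();

        Assert.assertEquals(
                accessControl.filterTables(ALICE, tables),
                ImmutableSet.of(
                        new SchemaTableName("aliceschema", "any"),
                        new SchemaTableName("aliceschema", "bobtable")));
        Assert.assertEquals(
                accessControl.filterTables(BOB, tables),
                ImmutableSet.of(
                        new SchemaTableName("aliceschema", "bobtable"),
                        new SchemaTableName("bobschema", "bob_any")));
        Assert.assertEquals(
                accessControl.filterTables(ADMIN, tables),
                ImmutableSet.of(
                        new SchemaTableName("secret", "any"),
                        new SchemaTableName("aliceschema", "any"),
                        new SchemaTableName("aliceschema", "bobtable"),
                        new SchemaTableName("bobschema", "bob_any"),
                        new SchemaTableName("bobschema", "any"),
                        new SchemaTableName("any", "any")));
    }

    /**
     * Pins the deny case for {@code no-access.json}: show columns and show tables are denied
     * for BOB, and the column and table filters return empty results for the tested identities.
     */
    @Test
    public void testNoTableRules() {
        ConnectorAccessControl accessControl = createAccessControl("no-access.json");
        SchemaTableName bobTable = new SchemaTableName("bobschema", "bobtable");

        assertDenied(() -> accessControl.checkCanShowColumns(BOB, bobTable));
        assertDenied(() -> accessControl.checkCanShowTables(BOB, "bobschema"));
        Assert.assertEquals(accessControl.filterColumns(BOB, bobTable, ImmutableList.of(column("a"))), ImmutableList.of());

        Set<SchemaTableName> tables = ImmutableSet.<SchemaTableName>builder()
                .add(new SchemaTableName("restricted", "any"))
                .add(new SchemaTableName("secret", "any"))
                .add(new SchemaTableName("any", "any"))
                .build();
        Assert.assertEquals(accessControl.filterTables(ALICE, tables), ImmutableSet.of());
        Assert.assertEquals(accessControl.filterTables(BOB, tables), ImmutableSet.of());
    }

    /**
     * Pins catalog session property checks for {@code session_property.json}: which of the
     * properties "dangerous", "safe", "unsafe" and "staff" each identity may set.
     */
    @Test
    public void testSessionPropertyRules() {
        ConnectorAccessControl accessControl = createAccessControl("session_property.json");

        accessControl.checkCanSetCatalogSessionProperty(ADMIN, "dangerous");
        accessControl.checkCanSetCatalogSessionProperty(ALICE, "safe");
        accessControl.checkCanSetCatalogSessionProperty(ALICE, "unsafe");
        accessControl.checkCanSetCatalogSessionProperty(ALICE, "staff");
        accessControl.checkCanSetCatalogSessionProperty(BOB, "safe");
        accessControl.checkCanSetCatalogSessionProperty(BOB, "staff");

        assertDenied(() -> accessControl.checkCanSetCatalogSessionProperty(BOB, "unsafe"));
        assertDenied(() -> accessControl.checkCanSetCatalogSessionProperty(ALICE, "dangerous"));
        assertDenied(() -> accessControl.checkCanSetCatalogSessionProperty(CHARLIE, "safe"));
        assertDenied(() -> accessControl.checkCanSetCatalogSessionProperty(CHARLIE, "staff"));
        assertDenied(() -> accessControl.checkCanSetCatalogSessionProperty(JOE, "staff"));
    }

    /**
     * Loading {@code invalid.json} must fail with a message containing "Invalid JSON", i.e. a
     * rules file that cannot be loaded is rejected at construction time rather than yielding an
     * access control instance.
     */
    @Test
    public void testInvalidRules() {
        Assertions.assertThatThrownBy(() -> createAccessControl("invalid.json"))
                .hasMessageContaining("Invalid JSON");
    }

    /**
     * Pins {@code filterSchemas} for {@code visibility.json}: ADMIN keeps every candidate
     * schema, the other identities keep only the subsets asserted below.
     */
    @Test
    public void testFilterSchemas() {
        ConnectorAccessControl accessControl = createAccessControl("visibility.json");
        Set<String> schemas = ImmutableSet.of("specific-schema", "alice-schema", "bob-schema", "unknown");

        Assert.assertEquals(accessControl.filterSchemas(ADMIN, schemas), schemas);
        Assert.assertEquals(accessControl.filterSchemas(ALICE, schemas), ImmutableSet.of("specific-schema", "alice-schema"));
        Assert.assertEquals(accessControl.filterSchemas(BOB, schemas), ImmutableSet.of("specific-schema", "bob-schema"));
        Assert.assertEquals(accessControl.filterSchemas(CHARLIE, schemas), ImmutableSet.of("specific-schema"));
    }

    /**
     * Pins {@code checkCanShowTables} for {@code visibility.json}, using the same rules file as
     * {@link #testFilterSchemas()}: ADMIN passes for every schema, the others only for the
     * schemas asserted below.
     */
    @Test
    public void testSchemaRulesForCheckCanShowTables() {
        ConnectorAccessControl accessControl = createAccessControl("visibility.json");

        accessControl.checkCanShowTables(ADMIN, "specific-schema");
        accessControl.checkCanShowTables(ADMIN, "bob-schema");
        accessControl.checkCanShowTables(ADMIN, "alice-schema");
        accessControl.checkCanShowTables(ADMIN, "secret");
        accessControl.checkCanShowTables(ADMIN, "any");

        accessControl.checkCanShowTables(ALICE, "specific-schema");
        accessControl.checkCanShowTables(ALICE, "alice-schema");
        assertDenied(() -> accessControl.checkCanShowTables(ALICE, "bob-schema"));
        assertDenied(() -> accessControl.checkCanShowTables(ALICE, "secret"));
        assertDenied(() -> accessControl.checkCanShowTables(ALICE, "any"));

        accessControl.checkCanShowTables(BOB, "specific-schema");
        accessControl.checkCanShowTables(BOB, "bob-schema");
        assertDenied(() -> accessControl.checkCanShowTables(BOB, "alice-schema"));
        assertDenied(() -> accessControl.checkCanShowTables(BOB, "secret"));
        assertDenied(() -> accessControl.checkCanShowTables(BOB, "any"));

        accessControl.checkCanShowTables(CHARLIE, "specific-schema");
        assertDenied(() -> accessControl.checkCanShowTables(CHARLIE, "bob-schema"));
        assertDenied(() -> accessControl.checkCanShowTables(CHARLIE, "alice-schema"));
        assertDenied(() -> accessControl.checkCanShowTables(CHARLIE, "secret"));
        assertDenied(() -> accessControl.checkCanShowTables(CHARLIE, "any"));
    }

    /**
     * Asserts, via {@link InterfaceTestUtils}, that {@link FileBasedAccessControl} overrides
     * every method of {@link ConnectorAccessControl}.
     */
    @Test
    public void testEverythingImplemented() {
        InterfaceTestUtils.assertAllMethodsOverridden(ConnectorAccessControl.class, FileBasedAccessControl.class);
    }

    /**
     * Builds a security context for a user with the given groups, an anonymous transaction
     * handle and a fixed query id.
     *
     * @param name user name of the identity
     * @param groups groups attached to the identity
     * @return the security context passed to the access control checks
     */
    private static ConnectorSecurityContext user(String name, Set<String> groups) {
        ConnectorTransactionHandle transaction = new ConnectorTransactionHandle() {};
        return new ConnectorSecurityContext(
                transaction,
                ConnectorIdentity.forUser(name).withGroups(groups).build(),
                new QueryId("query_id"));
    }

    /**
     * Creates a {@link FileBasedAccessControl} configured with a rules file from the test
     * classpath.
     *
     * @param fileName classpath-relative name of the rules file
     * @return the access control under test
     * @throws AssertionError if the resource is missing or its location cannot be resolved
     */
    private ConnectorAccessControl createAccessControl(String fileName) {
        URL resource = getClass().getClassLoader().getResource(fileName);
        // Fail with the fixture name instead of a bare NullPointerException.
        Assert.assertNotNull(resource, "Test resource not found on classpath: " + fileName);

        String path;
        try {
            // URL.getPath() keeps percent-escapes (e.g. %20), which breaks checkouts under
            // directories containing spaces; converting through a URI decodes them.
            path = Paths.get(resource.toURI()).toString();
        } catch (URISyntaxException e) {
            throw new AssertionError("Cannot resolve test resource: " + fileName, e);
        }

        FileBasedAccessControlConfig config = new FileBasedAccessControlConfig();
        config.setConfigFile(path);
        return new FileBasedAccessControl(config);
    }

    /**
     * Asserts that the action throws {@link AccessDeniedException}. Only the exception type is
     * checked, not its message.
     */
    private static void assertDenied(Assert.ThrowingRunnable action) {
        Assert.assertThrows(AccessDeniedException.class, action);
    }

    /** Creates VARCHAR column metadata with the given name. */
    private static ColumnMetadata column(String name) {
        return new ColumnMetadata(name, VarcharType.VARCHAR);
    }
}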
