package io.prestosql.plugin.base.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import io.prestosql.plugin.base.security.FileBasedSystemAccessControl;
import io.prestosql.spi.QueryId;
import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
import io.prestosql.spi.security.Identity;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.PrincipalType;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.SystemAccessControl;
import io.prestosql.spi.security.SystemSecurityContext;
import io.prestosql.spi.security.ViewExpression;
import io.prestosql.spi.testing.InterfaceTestUtils;
import io.prestosql.spi.type.VarcharType;
import java.io.File;
import java.util.Optional;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.ThrowableAssert;
import org.assertj.core.util.Files;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:io/prestosql/plugin/base/security/TestFileBasedSystemAccessControl.class */
public class TestFileBasedSystemAccessControl {
    private static final Identity alice = Identity.forUser("alice").withGroups(ImmutableSet.of("staff")).build();
    private static final Identity kerberosValidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("alice/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosValidNonAsciiUser = Identity.forUser("ƔƔƔ").withPrincipal(new KerberosPrincipal("ƔƔƔ/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosInvalidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("mallory/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosValidShare = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("valid/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosInValidShare = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("invalid/example.com@EXAMPLE.COM")).build();
    private static final Identity validSpecialRegexWildDot = Identity.forUser(".*").withPrincipal(new KerberosPrincipal("special/.*@EXAMPLE.COM")).build();
    private static final Identity validSpecialRegexEndQuote = Identity.forUser("\\E").withPrincipal(new KerberosPrincipal("special/\\E@EXAMPLE.COM")).build();
    private static final Identity invalidSpecialRegex = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("special/.*@EXAMPLE.COM")).build();
    private static final Identity bob = Identity.forUser("bob").withGroups(ImmutableSet.of("staff")).build();
    private static final Identity admin = Identity.forUser("admin").withGroups(ImmutableSet.of("admin", "staff")).build();
    private static final Identity nonAsciiUser = Identity.ofUser("ƔƔƔ");
    private static final CatalogSchemaTableName aliceView = new CatalogSchemaTableName("alice-catalog", "schema", "view");
    private static final Optional<QueryId> queryId = Optional.empty();
    private static final Identity charlie = Identity.forUser("charlie").withGroups(ImmutableSet.of("guests")).build();
    private static final Identity joe = Identity.ofUser("joe");
    private static final SystemSecurityContext ADMIN = new SystemSecurityContext(admin, queryId);
    private static final SystemSecurityContext BOB = new SystemSecurityContext(bob, queryId);
    private static final SystemSecurityContext CHARLIE = new SystemSecurityContext(charlie, queryId);
    private static final SystemSecurityContext ALICE = new SystemSecurityContext(alice, queryId);
    private static final SystemSecurityContext JOE = new SystemSecurityContext(joe, queryId);
    private static final SystemSecurityContext UNKNOWN = new SystemSecurityContext(Identity.ofUser("some-unknown-user-id"), queryId);
    private static final String SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show schemas";
    private static final String CREATE_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot create schema .*";
    private static final String DROP_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot drop schema .*";
    private static final String RENAME_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot rename schema from .* to .*";
    private static final String AUTH_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set authorization for schema .* to .*";
    private static final String SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show create schema for .*";
    private static final String SHOWN_TABLES_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show tables of .*";
    private static final String SELECT_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot select from table .*";
    private static final String SHOW_COLUMNS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show columns of table .*";
    private static final String ADD_COLUMNS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot add a column to table .*";
    private static final String DROP_COLUMNS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot drop a column from table .*";
    private static final String RENAME_COLUMNS_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot rename a column in table .*";
    private static final String TABLE_COMMENT_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot comment table to .*";
    private static final String INSERT_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot insert into table .*";
    private static final String DELETE_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot delete from table .*";
    private static final String DROP_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot drop table .*";
    private static final String CREATE_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot show create table for .*";
    private static final String RENAME_TABLE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot rename table .*";
    private static final String CREATE_VIEW_ACCESS_DENIED_MESSAGE = "Access Denied: View owner '.*' cannot create view that selects from .*";
    private static final String GRANT_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot grant privilege DELETE on table .*";
    private static final String REVOKE_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot revoke privilege DELETE on table .*";
    private static final String SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set system session property .*";
    private static final String SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE = "Access Denied: Cannot set catalog session property .*";

    @Test
    public void testEmptyFile() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("empty.json");
        newFileBasedSystemAccessControl.checkCanCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
        newFileBasedSystemAccessControl.checkCanDropSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
        newFileBasedSystemAccessControl.checkCanRenameSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), "new_unknown");
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), new PrestoPrincipal(PrincipalType.ROLE, "some_role"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanShowColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanInsertIntoTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanDeleteFromTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanCreateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanDropTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanRenameTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), new CatalogSchemaTableName("some-catalog", "unknown", "new_unknown"));
        newFileBasedSystemAccessControl.checkCanSetUser(Optional.empty(), "unknown");
        newFileBasedSystemAccessControl.checkCanSetUser(Optional.of(new KerberosPrincipal("stuff@example.com")), "unknown");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(UNKNOWN, "anything");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "unknown", "anything");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(UNKNOWN);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(UNKNOWN, "anyone");
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(UNKNOWN, "anyone");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanReadSystemInformation(UNKNOWN);
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot read system information");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(UNKNOWN);
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
    }

    @Test
    public void testSchemaRulesForCheckCanCreateSchema() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        newFileBasedSystemAccessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
        newFileBasedSystemAccessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
        newFileBasedSystemAccessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test"));
        }, CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"));
        }, CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"));
        }, CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"));
        }, CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSchemaRulesForCheckCanDropSchema() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        newFileBasedSystemAccessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
        newFileBasedSystemAccessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
        newFileBasedSystemAccessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "test"));
        }, DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"));
        }, DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"));
        }, DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"));
        }, DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSchemaRulesForCheckCanRenameSchema() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        newFileBasedSystemAccessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"), "new_schema");
        newFileBasedSystemAccessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"), "new_schema");
        newFileBasedSystemAccessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"), "new_schema");
        newFileBasedSystemAccessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"), "new_schema");
        newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "bob"), "staff");
        newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "staff"), "authenticated");
        newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"), "bob");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "test"), "bob");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "bob"), "test");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"), "new_schema");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"), "new_schema");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"), "authenticated");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"), "new_schema");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSchemaRulesForCheckCanSetSchemaAuthorization() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new PrestoPrincipal(PrincipalType.ROLE, "some_role"));
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(ADMIN, new CatalogSchemaName("some-catalog", "test"), new PrestoPrincipal(PrincipalType.USER, "some_user"));
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new PrestoPrincipal(PrincipalType.ROLE, "some_role"));
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "bob"), new PrestoPrincipal(PrincipalType.USER, "some_user"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new PrestoPrincipal(PrincipalType.ROLE, "some_role"));
        }, AUTH_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(BOB, new CatalogSchemaName("some-catalog", "test"), new PrestoPrincipal(PrincipalType.USER, "some_user"));
        }, AUTH_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSchemaRulesForCheckCanShowCreateSchema() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test"));
        }, SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"));
        }, SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"));
        }, SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"));
        }, SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanSelectFromColumns() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("bobcolumn", "private", "restricted"));
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("bobcolumn"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("bobcolumn", "private"));
        }, SELECT_TABLE_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(JOE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSelectFromColumns(ADMIN, new CatalogSchemaTableName("secret", "secret", "secret"), ImmutableSet.of());
        }, SELECT_TABLE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSelectFromColumns(JOE, new CatalogSchemaTableName("secret", "secret", "secret"), ImmutableSet.of());
        }, SELECT_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanCreateViewWithSelectFromColumns() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateViewWithSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"), ImmutableSet.of());
        }, CREATE_VIEW_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanCreateViewWithSelectFromColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"), ImmutableSet.of("bobcolumn", "private"));
        newFileBasedSystemAccessControl.checkCanCreateViewWithSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"), ImmutableSet.of("bobcolumn"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateViewWithSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"), ImmutableSet.of("bobcolumn", "private"));
        }, SELECT_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanShowColumns() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanShowColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        newFileBasedSystemAccessControl.checkCanShowColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
    }

    @Test
    public void testTableRulesForCheckCanShowColumnsWithNoAccess() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-no-access.json");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, SHOW_COLUMNS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("some-catalog", "bobschema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForFilterColumns() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableList.of(column("private"), column("a"), column("restricted"), column("b"))), ImmutableList.of(column("private"), column("a"), column("restricted"), column("b")));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableList.of(column("private"), column("a"), column("restricted"), column("b"))), ImmutableList.of(column("private"), column("a"), column("restricted"), column("b")));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableList.of(column("private"), column("a"), column("restricted"), column("b"))), ImmutableList.of(column("a"), column("b")));
    }

    @Test
    public void testTableFilter() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table-filter.json");
        ImmutableSet build = ImmutableSet.builder().add(new SchemaTableName("restricted", "any")).add(new SchemaTableName("secret", "any")).add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).add(new SchemaTableName("bobschema", "any")).add(new SchemaTableName("any", "any")).build();
        Assert.assertEquals(newFileBasedSystemAccessControl.filterTables(ALICE, "any", build), ImmutableSet.builder().add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).build());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterTables(BOB, "any", build), ImmutableSet.builder().add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).build());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterTables(ADMIN, "any", build), ImmutableSet.builder().add(new SchemaTableName("secret", "any")).add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).add(new SchemaTableName("bobschema", "any")).add(new SchemaTableName("any", "any")).build());
    }

    @Test
    public void testTableFilterNoAccess() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-no-access.json");
        ImmutableSet build = ImmutableSet.builder().add(new SchemaTableName("restricted", "any")).add(new SchemaTableName("secret", "any")).add(new SchemaTableName("any", "any")).build();
        Assert.assertEquals(newFileBasedSystemAccessControl.filterTables(ALICE, "any", build), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterTables(BOB, "any", build), ImmutableSet.of());
    }

    @Test
    public void testTableRulesForFilterColumnsWithNoAccess() {
        Assert.assertEquals(newFileBasedSystemAccessControl("file-based-system-no-access.json").filterColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), ImmutableList.of(column("a"))), ImmutableList.of());
    }

    @Test
    public void testTableRulesForCheckCanInsertIntoTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanInsertIntoTable(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        newFileBasedSystemAccessControl.checkCanInsertIntoTable(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanInsertIntoTable(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, INSERT_TABLE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanInsertIntoTable(BOB, new CatalogSchemaTableName("some-catalog", "test", "test"));
        }, INSERT_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanDropTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanDropTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropTable(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, DROP_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanDeleteFromTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanDeleteFromTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDeleteFromTable(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, DELETE_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanGrantTablePrivilege() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanGrantTablePrivilege(ADMIN, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (PrestoPrincipal) null, false);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanGrantTablePrivilege(BOB, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (PrestoPrincipal) null, false);
        }, GRANT_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanRevokeTablePrivilege() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanRevokeTablePrivilege(ADMIN, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (PrestoPrincipal) null, false);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRevokeTablePrivilege(BOB, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (PrestoPrincipal) null, false);
        }, REVOKE_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanShowCreateTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanShowCreateTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateTable(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, CREATE_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanAddColumn() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanAddColumn(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanAddColumn(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, ADD_COLUMNS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanDropColumn() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanDropColumn(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropColumn(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, DROP_COLUMNS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanRenameColumn() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanRenameColumn(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameColumn(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, RENAME_COLUMNS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanSetTableComment() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanSetTableComment(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableComment(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, TABLE_COMMENT_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanRenameTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanRenameTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), new CatalogSchemaTableName("some-catalog", "aliceschema", "newbobtable"));
        newFileBasedSystemAccessControl.checkCanRenameTable(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "alicetable"), new CatalogSchemaTableName("some-catalog", "aliceschema", "newalicetable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameTable(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), new CatalogSchemaTableName("some-catalog", "bobschema", "newbobtable"));
        }, RENAME_TABLE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameTable(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "alicetable"), new CatalogSchemaTableName("some-catalog", "bobschema", "newalicetable"));
        }, RENAME_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testCanSetUserOperations() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("catalog_principal.json");
        try {
            newFileBasedSystemAccessControl.checkCanSetUser(Optional.empty(), alice.getUser());
            throw new AssertionError("expected AccessDeniedException");
        } catch (AccessDeniedException e) {
            newFileBasedSystemAccessControl.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
            newFileBasedSystemAccessControl.checkCanSetUser(kerberosValidNonAsciiUser.getPrincipal(), kerberosValidNonAsciiUser.getUser());
            try {
                newFileBasedSystemAccessControl.checkCanSetUser(kerberosInvalidAlice.getPrincipal(), kerberosInvalidAlice.getUser());
                throw new AssertionError("expected AccessDeniedException");
            } catch (AccessDeniedException e2) {
                newFileBasedSystemAccessControl.checkCanSetUser(kerberosValidShare.getPrincipal(), kerberosValidShare.getUser());
                try {
                    newFileBasedSystemAccessControl.checkCanSetUser(kerberosInValidShare.getPrincipal(), kerberosInValidShare.getUser());
                    throw new AssertionError("expected AccessDeniedException");
                } catch (AccessDeniedException e3) {
                    newFileBasedSystemAccessControl.checkCanSetUser(validSpecialRegexWildDot.getPrincipal(), validSpecialRegexWildDot.getUser());
                    newFileBasedSystemAccessControl.checkCanSetUser(validSpecialRegexEndQuote.getPrincipal(), validSpecialRegexEndQuote.getUser());
                    try {
                        newFileBasedSystemAccessControl.checkCanSetUser(invalidSpecialRegex.getPrincipal(), invalidSpecialRegex.getUser());
                        throw new AssertionError("expected AccessDeniedException");
                    } catch (AccessDeniedException e4) {
                        newFileBasedSystemAccessControl("catalog.json").checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
                    }
                }
            }
        }
    }

    @Test
    public void testQuery() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("query.json");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(admin, queryId));
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), "any");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(admin, queryId), "any");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(alice, queryId));
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), "any");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(alice, queryId), "any");
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(bob, queryId));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), "any");
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(bob, queryId), "any");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(nonAsciiUser, queryId));
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), "any");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(nonAsciiUser, queryId), "any");
    }

    @Test
    public void testQueryNotSet() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("catalog.json");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(bob, queryId));
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), "any");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(bob, queryId), "any");
    }

    @Test
    public void testQueryDocsExample() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", new File("../presto-docs/src/main/sphinx/security/query-access.json").getAbsolutePath()));
        newFileBasedSystemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(admin, queryId));
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), "any");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(new SystemSecurityContext(admin, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of("a", "b"));
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(admin, queryId), "any");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(alice, queryId));
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), "any");
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(new SystemSecurityContext(alice, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(alice, queryId), "any");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(new SystemSecurityContext(bob, queryId));
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), "any");
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(new SystemSecurityContext(bob, queryId), ImmutableSet.of("a", "b")), ImmutableSet.of());
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(new SystemSecurityContext(bob, queryId), "any");
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot view query");
    }

    @Test
    public void testSystemInformation() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("system-information.json");
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(admin, Optional.empty()));
        newFileBasedSystemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(admin, Optional.empty()));
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(alice, Optional.empty()));
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(alice, Optional.empty()));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty()));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot read system information");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty()));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(nonAsciiUser, Optional.empty()));
        newFileBasedSystemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(nonAsciiUser, Optional.empty()));
    }

    @Test
    public void testSystemInformationNotSet() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("catalog.json");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty()));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot read system information");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty()));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
    }

    @Test
    public void testSystemInformationDocsExample() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", new File("../presto-docs/src/main/sphinx/security/system-information-access.json").getAbsolutePath()));
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(admin, Optional.empty()));
        newFileBasedSystemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(admin, Optional.empty()));
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(alice, Optional.empty()));
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(alice, Optional.empty()));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanReadSystemInformation(new SystemSecurityContext(bob, Optional.empty()));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot read system information");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(new SystemSecurityContext(bob, Optional.empty()));
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
    }

    @Test
    public void testSchemaOperations() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("catalog.json");
        PrestoPrincipal prestoPrincipal = new PrestoPrincipal(PrincipalType.USER, "some_user");
        PrestoPrincipal prestoPrincipal2 = new PrestoPrincipal(PrincipalType.ROLE, "some_user");
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), prestoPrincipal);
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(admin, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), prestoPrincipal2);
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), prestoPrincipal);
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), prestoPrincipal2);
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), prestoPrincipal);
        }).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(bob, queryId), new CatalogSchemaName("alice-catalog", "some_schema"), prestoPrincipal2);
        }).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema alice-catalog.some_schema");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), prestoPrincipal);
        }).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(new SystemSecurityContext(alice, queryId), new CatalogSchemaName("secret", "some_schema"), prestoPrincipal2);
        }).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied: Cannot set authorization for schema secret.some_schema");
    }

    @Test
    public void testSessionPropertyRules() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-session-property.json");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ADMIN, "dangerous");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ADMIN, "any");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ALICE, "safe");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ALICE, "unsafe");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ALICE, "staff");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(BOB, "safe");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(BOB, "staff");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(BOB, "unsafe");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ALICE, "dangerous");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(CHARLIE, "safe");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(CHARLIE, "staff");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(JOE, "staff");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "any", "dangerous");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "alice-catalog", "dangerous");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "any", "any");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "alice-catalog", "safe");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "alice-catalog", "unsafe");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "staff-catalog", "staff");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "bob-catalog", "safe");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "staff-catalog", "staff");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "bob-catalog", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "alice-catalog", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "staff-catalog", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "alice-catalog", "dangerous");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(CHARLIE, "bob-catalog", "safe");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(CHARLIE, "staff-catalog", "staff");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(JOE, "staff-catalog", "staff");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSessionPropertyDocsExample() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", new File("../presto-docs/src/main/sphinx/security/session-property-access.json").getAbsolutePath()));
        SystemSecurityContext systemSecurityContext = new SystemSecurityContext(Identity.ofUser("banned_user"), queryId);
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ADMIN, "any");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ALICE, "any");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(systemSecurityContext, "any");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ADMIN, "resource_overcommit");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ALICE, "resource_overcommit");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(systemSecurityContext, "resource_overcommit");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "hive", "any");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "hive", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(systemSecurityContext, "hive", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "hive", "bucket_execution_enabled");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "hive", "bucket_execution_enabled");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(systemSecurityContext, "hive", "bucket_execution_enabled");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testFilterCatalogs() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        ImmutableSet of = ImmutableSet.of("alice-catalog", "bob-catalog", "specific-catalog", "secret", "hidden", "open-to-all", new String[]{"blocked-catalog", "unknown"});
        Assert.assertEquals(newFileBasedSystemAccessControl.filterCatalogs(ADMIN, of), Sets.difference(of, ImmutableSet.of("blocked-catalog")));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterCatalogs(ALICE, of), ImmutableSet.of("specific-catalog", "alice-catalog"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterCatalogs(BOB, of), ImmutableSet.of("specific-catalog", "alice-catalog", "bob-catalog"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterCatalogs(CHARLIE, of), ImmutableSet.of("specific-catalog"));
    }

    @Test
    public void testSchemaRulesForCheckCanShowSchemas() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "specific-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "session-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "secret");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "hidden");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "open-to-all");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "blocked-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "unknown");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "specific-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "session-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "alice-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "alice-catalog-session");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "bob-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "bob-catalog-session");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "secret");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "hidden");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "open-to-all");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "blocked-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "unknown");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "specific-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "session-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "bob-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "bob-catalog-session");
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "alice-catalog");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "alice-catalog-session");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "secret");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "hidden");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "open-to-all");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "blocked-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "unknown");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "session-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "specific-catalog");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "alice-catalog-session");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "alice-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "bob-catalog-session");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "bob-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "secret");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "hidden");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "open-to-all");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "blocked-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "unknown");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testFilterSchemas() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "specific-catalog", ImmutableSet.of("specific-schema", "unknown")), ImmutableSet.of("specific-schema", "unknown"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "specific-catalog", ImmutableSet.of("specific-schema", "unknown")), ImmutableSet.of("specific-schema"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "specific-catalog", ImmutableSet.of("specific-schema", "unknown")), ImmutableSet.of("specific-schema"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "specific-catalog", ImmutableSet.of("specific-schema", "unknown")), ImmutableSet.of("specific-schema"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "alice-catalog", ImmutableSet.of("alice-schema", "bob-schema", "unknown")), ImmutableSet.of("alice-schema", "bob-schema", "unknown"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "alice-catalog", ImmutableSet.of("alice-schema", "bob-schema", "unknown")), ImmutableSet.of("alice-schema"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "alice-catalog", ImmutableSet.of("alice-schema", "bob-schema", "unknown")), ImmutableSet.of("bob-schema"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "alice-catalog", ImmutableSet.of("alice-schema", "bob-schema", "unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "bob-catalog", ImmutableSet.of("bob-schema", "unknown")), ImmutableSet.of("bob-schema", "unknown"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "bob-catalog", ImmutableSet.of("bob-schema", "unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "bob-catalog", ImmutableSet.of("bob-schema", "unknown")), ImmutableSet.of("bob-schema"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "bob-catalog", ImmutableSet.of("bob-schema", "unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "secret", ImmutableSet.of("unknown")), ImmutableSet.of("unknown"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "secret", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "secret", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "secret", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "hidden", ImmutableSet.of("unknown")), ImmutableSet.of("unknown"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "hidden", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "hidden", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "hidden", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "open-to-all", ImmutableSet.of("unknown")), ImmutableSet.of("unknown"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "open-to-all", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "open-to-all", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "open-to-all", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "blocked-catalog", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "blocked-catalog", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "blocked-catalog", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "blocked-catalog", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "unknown", ImmutableSet.of("unknown")), ImmutableSet.of("unknown"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "unknown", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "unknown", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "unknown", ImmutableSet.of("unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "session-catalog", ImmutableSet.of("session-schema", "unknown")), ImmutableSet.of("session-schema", "unknown"));
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(ALICE, "session-catalog", ImmutableSet.of("session-schema", "unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(BOB, "session-catalog", ImmutableSet.of("session-schema", "unknown")), ImmutableSet.of());
        Assert.assertEquals(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "session-catalog", ImmutableSet.of("session-schema", "unknown")), ImmutableSet.of());
    }

    @Test
    public void testSchemaRulesForCheckCanShowTables() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("bob-catalog", "bob-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("bob-catalog", "any"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("alice-catalog", "alice-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("alice-catalog", "any"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("secret", "secret"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("hidden", "any"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("open-to-all", "any"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("unknown", "any"));
        newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("alice-catalog", "alice-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("bob-catalog", "bob-schema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("bob-catalog", "bob-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "bob-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("bob-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "alice-schema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("specific-catalog", "specific-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("bob-catalog", "bob-schema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("bob-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("alice-catalog", "alice-schema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("alice-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testGetColumnMask() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        Assert.assertEquals(newFileBasedSystemAccessControl.getColumnMask(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked", VarcharType.VARCHAR), Optional.empty());
        assertViewExpressionEquals(newFileBasedSystemAccessControl.getColumnMask(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked", VarcharType.VARCHAR), new ViewExpression(CHARLIE.getIdentity().getUser(), Optional.of("some-catalog"), Optional.of("bobschema"), "'mask'"));
        assertViewExpressionEquals(newFileBasedSystemAccessControl.getColumnMask(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked_with_user", VarcharType.VARCHAR), new ViewExpression("mask-user", Optional.of("some-catalog"), Optional.of("bobschema"), "'mask-with-user'"));
    }

    @Test
    public void testGetRowFilter() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        Assert.assertEquals(newFileBasedSystemAccessControl.getRowFilter(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns")), Optional.empty());
        assertViewExpressionEquals(newFileBasedSystemAccessControl.getRowFilter(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns")), new ViewExpression(CHARLIE.getIdentity().getUser(), Optional.of("some-catalog"), Optional.of("bobschema"), "starts_with(value, 'filter')"));
        assertViewExpressionEquals(newFileBasedSystemAccessControl.getRowFilter(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant")), new ViewExpression("filter-user", Optional.of("some-catalog"), Optional.of("bobschema"), "starts_with(value, 'filter-with-user')"));
    }

    private static void assertViewExpressionEquals(Optional<ViewExpression> optional, ViewExpression viewExpression) {
        Assert.assertTrue(optional.isPresent());
        ViewExpression viewExpression2 = optional.get();
        Assert.assertEquals(viewExpression2.getIdentity(), viewExpression.getIdentity(), "Identity");
        Assert.assertEquals(viewExpression2.getCatalog(), viewExpression.getCatalog(), "Catalog");
        Assert.assertEquals(viewExpression2.getSchema(), viewExpression.getSchema(), "Schema");
        Assert.assertEquals(viewExpression2.getExpression(), viewExpression.getExpression(), "Expression");
    }

    @Test
    public void testEverythingImplemented() {
        InterfaceTestUtils.assertAllMethodsOverridden(SystemAccessControl.class, FileBasedSystemAccessControl.class);
    }

    @Test
    public void testRefreshing() throws Exception {
        File newTemporaryFile = Files.newTemporaryFile();
        newTemporaryFile.deleteOnExit();
        com.google.common.io.Files.copy(new File(getResourcePath("catalog.json")), newTemporaryFile);
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", newTemporaryFile.getAbsolutePath(), "security.refresh-period", "1ms"));
        SystemSecurityContext systemSecurityContext = new SystemSecurityContext(alice, queryId);
        newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        com.google.common.io.Files.copy(new File(getResourcePath("security-config-file-with-unknown-rules.json")), newTemporaryFile);
        Thread.sleep(2L);
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        }).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        }).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
        com.google.common.io.Files.copy(new File(getResourcePath("catalog.json")), newTemporaryFile);
        Thread.sleep(2L);
        newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
    }

    @Test
    public void parseUnknownRules() {
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl("security-config-file-with-unknown-rules.json");
        }).hasMessageContaining("Invalid JSON");
    }

    private SystemAccessControl newFileBasedSystemAccessControl(String str) {
        return newFileBasedSystemAccessControl(ImmutableMap.of("security.config-file", getResourcePath(str)));
    }

    private SystemAccessControl newFileBasedSystemAccessControl(ImmutableMap<String, String> immutableMap) {
        return new FileBasedSystemAccessControl.Factory().create(immutableMap);
    }

    private String getResourcePath(String str) {
        return getClass().getClassLoader().getResource(str).getPath();
    }

    private static void assertAccessDenied(ThrowableAssert.ThrowingCallable throwingCallable, String str) {
        Assertions.assertThatThrownBy(throwingCallable).isInstanceOf(AccessDeniedException.class).hasMessageMatching(str);
    }

    private static ColumnMetadata column(String str) {
        return new ColumnMetadata(str, VarcharType.VARCHAR);
    }
}
