package org.apache.sentry.provider.db.generic.service.thrift;

import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
import org.apache.sentry.core.model.solr.Collection;
import org.apache.sentry.core.model.solr.Field;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
import org.apache.sentry.provider.db.service.model.MSentryRole;
import org.apache.sentry.service.thrift.Status;
import org.apache.sentry.service.thrift.TSentryResponseStatus;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Matchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.class */
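/**
 * Unit tests for {@link SentryGenericPolicyProcessor} running against a Mockito mock of
 * {@link SentryStoreLayer}.
 *
 * <p>The tests pin three things: the admin-group gate on role and privilege management
 * calls, the translation of store exceptions into Thrift status codes, and the shape of
 * the list responses. Because the store is mocked, nothing here exercises the store's own
 * filtering or persistence; only the processor's decisions are under test.
 *
 * <p>Admin membership comes entirely from {@link MockGroupMapping}, which the processor
 * is pointed at through the {@code sentry.store.group.mapping} setting in {@link #setup()}.
 */
public class TestSentryGenericPolicyProcessor extends Assert {
    private static final String ADMIN_GROUP = "admin_group";
    private static final String ADMIN_USER = "admin_user";
    private SentryStoreLayer mockStore = Mockito.mock(SentryStoreLayer.class);
    private SentryGenericPolicyProcessor processor;

    /**
     * Group mapping stub: {@code admin_user} (compared case-insensitively) belongs to the
     * admin group, every other user name maps to {@code notadmin_group}.
     *
     * <p>The two-argument constructor is kept even though it ignores its arguments; the
     * class is handed to the processor by name in {@link #setup()}, so it is presumably
     * instantiated reflectively with that signature (not visible in this file).
     */
    public static class MockGroupMapping implements GroupMappingService {
        public MockGroupMapping(Configuration configuration, String str) {
        }

        /**
         * @param str user name to resolve; must not be null
         * @return a fresh mutable set holding the single group for that user
         */
        @Override
        public Set<String> getGroups(String str) {
            if (str.equalsIgnoreCase(ADMIN_USER)) {
                return Sets.newHashSet(ADMIN_GROUP);
            }
            return Sets.newHashSet("notadmin_group");
        }
    }

    /**
     * Builds a processor whose admin group is {@code admin_group} and whose group lookups
     * go through {@link MockGroupMapping}.
     */
    @Before
    public void setup() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set("sentry.service.admin.group", ADMIN_GROUP);
        configuration.set("sentry.store.group.mapping", MockGroupMapping.class.getName());
        this.processor = new SentryGenericPolicyProcessor(configuration, this.mockStore);
    }

    /**
     * A requester outside the admin group must be refused on every management call made
     * by {@link #testOperation(String, Status)}.
     */
    @Test
    public void testNotAdminOperation() throws Exception {
        // NOTE(review): denial is asserted through the status code only. If the processor
        // is meant to reject before reaching the store, a follow-up check that the mocked
        // store saw no calls would pin that as well. Confirm against the processor.
        testOperation("not_admin_user", Status.ACCESS_DENIED);
    }

    /**
     * Issues create/drop role, add/delete groups, drop privilege and rename privilege as
     * the given requester and expects the same status from each call.
     *
     * <p>Grant and revoke are not part of this sequence, so the non-admin path for them
     * is not covered by {@link #testNotAdminOperation()}.
     *
     * @param str requester user name placed on every request
     * @param status status every response is expected to carry
     */
    private void testOperation(String str, Status status) throws Exception {
        final String requestor = str;
        final String role = "r1";

        TCreateSentryRoleRequest createRequest = new TCreateSentryRoleRequest();
        createRequest.setRequestorUserName(requestor);
        createRequest.setRoleName(role);
        assertEquals(status, fromTSentryStatus(this.processor.create_sentry_role(createRequest).getStatus()));

        TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
        dropRequest.setRequestorUserName(requestor);
        dropRequest.setRoleName(role);
        assertEquals(status, fromTSentryStatus(this.processor.drop_sentry_role(dropRequest).getStatus()));

        TAlterSentryRoleAddGroupsRequest addGroupsRequest = new TAlterSentryRoleAddGroupsRequest();
        addGroupsRequest.setRequestorUserName(requestor);
        addGroupsRequest.setRoleName(role);
        addGroupsRequest.setGroups(Sets.newHashSet("g1"));
        assertEquals(status,
                fromTSentryStatus(this.processor.alter_sentry_role_add_groups(addGroupsRequest).getStatus()));

        TAlterSentryRoleDeleteGroupsRequest deleteGroupsRequest = new TAlterSentryRoleDeleteGroupsRequest();
        deleteGroupsRequest.setRequestorUserName(requestor);
        deleteGroupsRequest.setRoleName(role);
        deleteGroupsRequest.setGroups(Sets.newHashSet("g1"));
        assertEquals(status,
                fromTSentryStatus(this.processor.alter_sentry_role_delete_groups(deleteGroupsRequest).getStatus()));

        TDropPrivilegesRequest dropPrivilegeRequest = new TDropPrivilegesRequest();
        dropPrivilegeRequest.setRequestorUserName(requestor);
        dropPrivilegeRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
        assertEquals(status,
                fromTSentryStatus(this.processor.drop_sentry_privilege(dropPrivilegeRequest).getStatus()));

        TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
        renameRequest.setRequestorUserName(requestor);
        assertEquals(status,
                fromTSentryStatus(this.processor.rename_sentry_privilege(renameRequest).getStatus()));
    }

    /** Converts the numeric code of a Thrift response status into a {@link Status}. */
    private Status fromTSentryStatus(TSentryResponseStatus tSentryResponseStatus) {
        return Status.fromCode(tSentryResponseStatus.getValue());
    }

    /** A member of the admin group gets {@code OK} on every management call. */
    @Test
    public void testAdminOperation() throws Exception {
        testOperation(ADMIN_USER, Status.OK);
    }

    /** Grant followed by revoke of the same privilege succeeds for the admin user. */
    @Test
    public void testGrantAndRevokePrivilege() throws Exception {
        // Already run by @Before; repeated here as in the original test.
        setup();
        TSentryPrivilege privilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
        privilege.setGrantOption(TSentryGrantOption.UNSET);

        TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
        grantRequest.setRequestorUserName(ADMIN_USER);
        grantRequest.setRoleName("r1");
        grantRequest.setPrivilege(privilege);
        assertEquals(Status.OK,
                fromTSentryStatus(this.processor.alter_sentry_role_grant_privilege(grantRequest).getStatus()));

        TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
        revokeRequest.setRequestorUserName(ADMIN_USER);
        revokeRequest.setRoleName("r1");
        revokeRequest.setPrivilege(privilege);
        assertEquals(Status.OK,
                fromTSentryStatus(this.processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus()));
    }

    /**
     * Each store exception must surface as its matching status instead of escaping the
     * processor: already-exists, no-such-object, invalid-input, a bare
     * {@link RuntimeException} as {@code RUNTIME_ERROR}, and a grant denial from the store
     * as {@code ACCESS_DENIED} even though the requester is an admin.
     */
    @Test
    public void testOperationWithException() throws Exception {
        final String role = "r1";

        // Matchers are created inline and in parameter order. Creating them ahead of the
        // stubbing call and reusing the returned value only works while the registration
        // order happens to line up with the parameter list, and it leaves the matcher's
        // dummy return value (not a role name) in the exception message.
        Mockito.when(this.mockStore.createRole(Matchers.anyString(), Matchers.anyString(), Matchers.anyString()))
                .thenThrow(new SentryAlreadyExistsException("Role: " + role));
        Mockito.when(this.mockStore.dropRole(Matchers.anyString(), Matchers.anyString(), Matchers.anyString()))
                .thenThrow(new SentryNoSuchObjectException("Role: " + role));
        Mockito.when(this.mockStore.alterRoleAddGroups(Matchers.anyString(), Matchers.anyString(),
                        Matchers.anySetOf(String.class), Matchers.anyString()))
                .thenThrow(new SentryNoSuchObjectException("Role: " + role));
        Mockito.when(this.mockStore.alterRoleDeleteGroups(Matchers.anyString(), Matchers.anyString(),
                        Matchers.anySetOf(String.class), Matchers.anyString()))
                .thenThrow(new SentryNoSuchObjectException("Role: " + role));
        Mockito.when(this.mockStore.alterRoleGrantPrivilege(Matchers.anyString(), Matchers.anyString(),
                        Matchers.any(PrivilegeObject.class), Matchers.anyString()))
                .thenThrow(new SentryGrantDeniedException("Role: " + role + " is not allowed to do grant"));
        Mockito.when(this.mockStore.alterRoleRevokePrivilege(Matchers.anyString(), Matchers.anyString(),
                        Matchers.any(PrivilegeObject.class), Matchers.anyString()))
                .thenThrow(new SentryGrantDeniedException("Role: " + role + " is not allowed to do grant"));
        Mockito.when(this.mockStore.dropPrivilege(Matchers.anyString(), Matchers.any(PrivilegeObject.class),
                        Matchers.anyString()))
                .thenThrow(new SentryInvalidInputException("Invalid input privilege object"));
        Mockito.when(this.mockStore.renamePrivilege(Matchers.anyString(), Matchers.anyString(),
                        Matchers.anyListOf(Authorizable.class), Matchers.anyListOf(Authorizable.class),
                        Matchers.anyString()))
                .thenThrow(new RuntimeException("Unknown error"));

        // Already run by @Before; repeated here as in the original test. The stubs stay in
        // force because the same mockStore instance is passed to the new processor.
        setup();

        TCreateSentryRoleRequest createRequest = new TCreateSentryRoleRequest();
        createRequest.setRequestorUserName(ADMIN_USER);
        createRequest.setRoleName(role);
        assertEquals(Status.ALREADY_EXISTS,
                fromTSentryStatus(this.processor.create_sentry_role(createRequest).getStatus()));

        TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
        dropRequest.setRequestorUserName(ADMIN_USER);
        dropRequest.setRoleName(role);
        assertEquals(Status.NO_SUCH_OBJECT,
                fromTSentryStatus(this.processor.drop_sentry_role(dropRequest).getStatus()));

        TAlterSentryRoleAddGroupsRequest addGroupsRequest = new TAlterSentryRoleAddGroupsRequest();
        addGroupsRequest.setRequestorUserName(ADMIN_USER);
        addGroupsRequest.setRoleName(role);
        addGroupsRequest.setGroups(Sets.newHashSet("g1"));
        assertEquals(Status.NO_SUCH_OBJECT,
                fromTSentryStatus(this.processor.alter_sentry_role_add_groups(addGroupsRequest).getStatus()));

        TAlterSentryRoleDeleteGroupsRequest deleteGroupsRequest = new TAlterSentryRoleDeleteGroupsRequest();
        deleteGroupsRequest.setRequestorUserName(ADMIN_USER);
        deleteGroupsRequest.setRoleName(role);
        deleteGroupsRequest.setGroups(Sets.newHashSet("g1"));
        assertEquals(Status.NO_SUCH_OBJECT,
                fromTSentryStatus(this.processor.alter_sentry_role_delete_groups(deleteGroupsRequest).getStatus()));

        TDropPrivilegesRequest dropPrivilegeRequest = new TDropPrivilegesRequest();
        dropPrivilegeRequest.setRequestorUserName(ADMIN_USER);
        dropPrivilegeRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
        assertEquals(Status.INVALID_INPUT,
                fromTSentryStatus(this.processor.drop_sentry_privilege(dropPrivilegeRequest).getStatus()));

        TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
        renameRequest.setRequestorUserName(ADMIN_USER);
        assertEquals(Status.RUNTIME_ERROR,
                fromTSentryStatus(this.processor.rename_sentry_privilege(renameRequest).getStatus()));

        TSentryPrivilege privilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
        privilege.setGrantOption(TSentryGrantOption.UNSET);

        TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
        grantRequest.setRequestorUserName(ADMIN_USER);
        grantRequest.setRoleName(role);
        grantRequest.setPrivilege(privilege);
        assertEquals(Status.ACCESS_DENIED,
                fromTSentryStatus(this.processor.alter_sentry_role_grant_privilege(grantRequest).getStatus()));

        TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
        revokeRequest.setRequestorUserName(ADMIN_USER);
        revokeRequest.setRoleName(role);
        revokeRequest.setPrivilege(privilege);
        assertEquals(Status.ACCESS_DENIED,
                fromTSentryStatus(this.processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus()));
    }

    /**
     * Exercises the four list calls against canned store answers and checks both the
     * status and the size of the returned collection.
     *
     * <p>The size assertions read the response object of the call they follow; each
     * response is therefore captured in a local before its status is checked.
     */
    @Test
    public void testGetRolesAndPrivileges() throws Exception {
        PrivilegeObject queryPrivilege = new PrivilegeObject.Builder()
                .setComponent("SOLR")
                .setAction("query")
                .setService("service1")
                .setAuthorizables(Arrays.asList(new Collection("c1"), new Field("f1")))
                .build();
        PrivilegeObject updatePrivilege = new PrivilegeObject.Builder(queryPrivilege).setAction("update").build();
        MSentryGMPrivilege storedPrivilege = new MSentryGMPrivilege("SOLR", "service1",
                Arrays.asList(new Collection("c1"), new Field("f1")), "query", true);
        storedPrivilege.setRoles(Sets.newHashSet(new MSentryRole("r1", 290L)));

        Mockito.when(this.mockStore.getRolesByGroups(Matchers.anyString(), Matchers.anySetOf(String.class)))
                .thenReturn(Sets.newHashSet("r1"));
        Mockito.when(this.mockStore.getPrivilegesByProvider(Matchers.anyString(), Matchers.anyString(),
                        Matchers.anySetOf(String.class), Matchers.anySetOf(String.class),
                        Matchers.anyListOf(Authorizable.class)))
                .thenReturn(Sets.newHashSet(queryPrivilege, updatePrivilege));
        Mockito.when(this.mockStore.getGroupsByRoles(Matchers.anyString(), Matchers.anySetOf(String.class)))
                .thenReturn(Sets.newHashSet("g1"));
        Mockito.when(this.mockStore.getPrivilegesByAuthorizable(Matchers.anyString(), Matchers.anyString(),
                        Matchers.anySetOf(String.class), Matchers.anyListOf(Authorizable.class)))
                .thenReturn(Sets.newHashSet(storedPrivilege));
        Mockito.when(this.mockStore.getAllRoleNames()).thenReturn(Sets.newHashSet("r1"));

        TListSentryPrivilegesRequest byRoleRequest = new TListSentryPrivilegesRequest();
        byRoleRequest.setRoleName("r1");
        byRoleRequest.setRequestorUserName(ADMIN_USER);
        TListSentryPrivilegesResponse byRoleResponse = this.processor.list_sentry_privileges_by_role(byRoleRequest);
        assertEquals(Status.OK, fromTSentryStatus(byRoleResponse.getStatus()));
        assertEquals(2, byRoleResponse.getPrivileges().size());

        TListSentryRolesRequest byGroupRequest = new TListSentryRolesRequest();
        byGroupRequest.setRequestorUserName(ADMIN_USER);
        byGroupRequest.setGroupName("g1");
        TListSentryRolesResponse byGroupResponse = this.processor.list_sentry_roles_by_group(byGroupRequest);
        assertEquals(Status.OK, fromTSentryStatus(byGroupResponse.getStatus()));
        assertEquals(1, byGroupResponse.getRoles().size());

        // No requester name is set on the provider request, as in the original test.
        TListSentryPrivilegesForProviderRequest providerRequest = new TListSentryPrivilegesForProviderRequest();
        providerRequest.setGroups(Sets.newHashSet("g1"));
        providerRequest.setRoleSet(new TSentryActiveRoleSet(true, (Set<String>) null));
        TListSentryPrivilegesForProviderResponse providerResponse =
                this.processor.list_sentry_privileges_for_provider(providerRequest);
        assertEquals(Status.OK, fromTSentryStatus(providerResponse.getStatus()));
        assertEquals(2, providerResponse.getPrivileges().size());

        TListSentryPrivilegesByAuthRequest adminByAuthRequest = new TListSentryPrivilegesByAuthRequest();
        adminByAuthRequest.setGroups(Sets.newHashSet("g1"));
        adminByAuthRequest.setRoleSet(new TSentryActiveRoleSet(true, (Set<String>) null));
        adminByAuthRequest.setRequestorUserName(ADMIN_USER);
        adminByAuthRequest.setAuthorizablesSet(Sets.newHashSet("Collection=c1->Field=f1"));
        TListSentryPrivilegesByAuthResponse adminByAuthResponse =
                this.processor.list_sentry_privileges_by_authorizable(adminByAuthRequest);
        assertEquals(Status.OK, fromTSentryStatus(adminByAuthResponse.getStatus()));
        assertEquals(1, adminByAuthResponse.getPrivilegesMapByAuth().size());

        // A requester outside the admin group may still list by authorizable: the call
        // answers OK with one map entry. Only the map size is checked; what the entry
        // holds for this requester is not asserted here.
        TListSentryPrivilegesByAuthRequest userByAuthRequest = new TListSentryPrivilegesByAuthRequest();
        userByAuthRequest.setRequestorUserName("not_admin_user");
        userByAuthRequest.setAuthorizablesSet(Sets.newHashSet("Collection=c1->Field=f2"));
        TListSentryPrivilegesByAuthResponse userByAuthResponse =
                this.processor.list_sentry_privileges_by_authorizable(userByAuthRequest);
        assertEquals(Status.OK, fromTSentryStatus(userByAuthResponse.getStatus()));
        assertEquals(1, userByAuthResponse.getPrivilegesMapByAuth().size());
    }

    /**
     * A notification handler setting that cannot be turned into handlers must fail with
     * {@link SentrySiteConfigurationException} rather than be ignored.
     */
    @Test(expected = SentrySiteConfigurationException.class)
    public void testConfigCannotCreateNotificationHandler() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set("sentry.generic.policy.notification", "junk");
        SentryGenericPolicyProcessor.createHandlers(configuration);
    }
}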
