package io.trino.sql.query;

import com.google.common.collect.ImmutableMap;
import io.trino.FeaturesConfig;
import io.trino.Session;
import io.trino.metadata.QualifiedObjectName;
import io.trino.plugin.tpch.TpchConnectorFactory;
import io.trino.spi.security.Identity;
import io.trino.spi.security.ViewExpression;
import io.trino.sql.query.QueryAssertions;
import io.trino.testing.LocalQueryRunner;
import io.trino.testing.MaterializedRow;
import io.trino.testing.QueryRunner;
import io.trino.testing.TestingAccessControlManager;
import io.trino.testing.TestingSession;
import java.util.Optional;
import org.assertj.core.api.Assertions;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

@Test(singleThreaded = true)
/* loaded from: input_file:io/trino/sql/query/TestFilterInaccessibleColumns.class */
public class TestFilterInaccessibleColumns {
    private static final String ADMIN = "admin";
    private QueryAssertions assertions;
    private TestingAccessControlManager accessControl;
    private static final String USER = "user";
    private static final Session SESSION = TestingSession.testSessionBuilder().setCatalog("test-catalog").setSchema("tiny").setSystemProperty("hide_inaccessible_columns", "true").setIdentity(Identity.forUser(USER).build()).build();

    @BeforeClass
    public void init() {
        LocalQueryRunner build = LocalQueryRunner.builder(SESSION).withFeaturesConfig(new FeaturesConfig().setHideInaccessibleColumns(true)).build();
        build.createCatalog("test-catalog", new TpchConnectorFactory(1), ImmutableMap.of());
        this.assertions = new QueryAssertions((QueryRunner) build);
        this.accessControl = this.assertions.getQueryRunner().getAccessControl();
    }

    @AfterClass(alwaysRun = true)
    public void teardown() {
        this.assertions.close();
        this.assertions = null;
    }

    @BeforeMethod
    public void beforeMethod() {
        this.accessControl.reset();
    }

    @Test
    public void testSelectBaseline() {
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM nation WHERE name = 'FRANCE'"))).matches("VALUES (BIGINT '6', CAST('FRANCE' AS VARCHAR(25)), BIGINT '3', CAST('refully final requests. regular, ironi' AS VARCHAR(152)))");
    }

    @Test
    public void testSimpleTableSchemaFilter() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.comment", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM nation WHERE name = 'FRANCE'"))).matches("VALUES (BIGINT '6', CAST('FRANCE' AS VARCHAR(25)), BIGINT '3')");
    }

    @Test
    public void testDescribeBaseline() {
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("DESCRIBE nation"))).matches(materializedResult -> {
            return materializedResult.getMaterializedRows().stream().anyMatch(materializedRow -> {
                return materializedRow.getField(0).equals("comment");
            });
        });
    }

    @Test
    public void testDescribe() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.comment", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("DESCRIBE nation"))).matches(materializedResult -> {
            return materializedResult.getMaterializedRows().stream().noneMatch(materializedRow -> {
                return materializedRow.getField(0).equals("comment");
            });
        });
    }

    @Test
    public void testShowColumnsBaseline() {
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SHOW COLUMNS FROM nation"))).matches(materializedResult -> {
            return materializedResult.getMaterializedRows().stream().anyMatch(materializedRow -> {
                return materializedRow.getField(0).equals("comment");
            });
        });
    }

    @Test
    public void testShowColumns() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.comment", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SHOW COLUMNS FROM nation"))).matches(materializedResult -> {
            return materializedResult.getMaterializedRows().stream().noneMatch(materializedRow -> {
                return materializedRow.getField(0).equals("comment");
            });
        });
    }

    @Test
    public void testFilterExplicitSelect() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.comment", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT nationkey, name, regionkey FROM nation WHERE name = 'FRANCE'"))).matches("VALUES (BIGINT '6', CAST('FRANCE' AS VARCHAR(25)), BIGINT '3')");
        Assertions.assertThatThrownBy(() -> {
            this.assertions.query("SELECT nationkey, name, regionkey, comment FROM nation WHERE name = 'FRANCE'");
        }).hasMessage("Access Denied: Cannot select from columns [nationkey, regionkey, name, comment] in table or view test-catalog.tiny.nation");
    }

    @Test
    public void testRowFilterWithAccessToInaccessibleColumn() {
        this.accessControl.rowFilter(new QualifiedObjectName("test-catalog", "tiny", "nation"), USER, new ViewExpression(Optional.of(ADMIN), Optional.of("test-catalog"), Optional.of("tiny"), "comment IS NOT null"));
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.comment", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM nation WHERE name = 'FRANCE'"))).matches("VALUES (BIGINT '6', CAST('FRANCE' AS VARCHAR(25)), BIGINT '3')");
    }

    @Test
    public void testRowFilterWithoutAccessToInaccessibleColumn() {
        this.accessControl.rowFilter(new QualifiedObjectName("test-catalog", "tiny", "nation"), USER, new ViewExpression(Optional.of(USER), Optional.of("test-catalog"), Optional.of("tiny"), "comment IS NOT null"));
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.comment", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        Assertions.assertThatThrownBy(() -> {
            this.assertions.query("SELECT * FROM nation WHERE name = 'FRANCE'");
        }).hasMessage("Access Denied: Cannot select from columns [nationkey, regionkey, name, comment] in table or view test-catalog.tiny.nation");
    }

    @Test
    public void testRowFilterAsSessionUserOnInaccessibleColumn() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.comment", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        QualifiedObjectName qualifiedObjectName = new QualifiedObjectName("test-catalog", "tiny", "nation");
        ViewExpression viewExpression = new ViewExpression(Optional.empty(), Optional.of("test-catalog"), Optional.of("tiny"), "comment IS NOT null");
        this.accessControl.rowFilter(qualifiedObjectName, ADMIN, viewExpression);
        this.accessControl.rowFilter(qualifiedObjectName, USER, viewExpression);
        Assertions.assertThatThrownBy(() -> {
            this.assertions.query(user(USER), "SELECT * FROM nation WHERE name = 'FRANCE'");
        }).hasMessage("Access Denied: Cannot select from columns [nationkey, regionkey, name, comment] in table or view test-catalog.tiny.nation");
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query(user(ADMIN), "SELECT * FROM nation WHERE name = 'FRANCE'"))).matches("VALUES (BIGINT '6', CAST('FRANCE' AS VARCHAR(25)), BIGINT '3', CAST('refully final requests. regular, ironi' AS VARCHAR(152)))");
    }

    @Test
    public void testMaskingOnAccessibleColumn() {
        this.accessControl.columnMask(new QualifiedObjectName("test-catalog", "tiny", "nation"), "nationkey", USER, new ViewExpression(Optional.of(ADMIN), Optional.of("test-catalog"), Optional.of("tiny"), "-nationkey"));
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM nation WHERE name = 'FRANCE'"))).matches("VALUES (BIGINT '-6',CAST('FRANCE' AS VARCHAR(25)), BIGINT '3', CAST('refully final requests. regular, ironi' AS VARCHAR(152)))");
    }

    @Test
    public void testMaskingWithoutAccessToInaccessibleColumn() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        this.accessControl.columnMask(new QualifiedObjectName("test-catalog", "tiny", "nation"), "comment", USER, new ViewExpression(Optional.of(USER), Optional.of("test-catalog"), Optional.of("tiny"), "CASE nationkey WHEN 6 THEN 'masked-comment' ELSE comment END"));
        Assertions.assertThatThrownBy(() -> {
            this.assertions.query("SELECT * FROM nation WHERE name = 'FRANCE'");
        }).hasMessage("Access Denied: Cannot select from columns [nationkey, regionkey, name, comment] in table or view test-catalog.tiny.nation");
    }

    @Test
    public void testMaskingWithAccessToInaccessibleColumn() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        this.accessControl.columnMask(new QualifiedObjectName("test-catalog", "tiny", "nation"), "comment", USER, new ViewExpression(Optional.of(ADMIN), Optional.of("test-catalog"), Optional.of("tiny"), "CASE nationkey WHEN 6 THEN 'masked-comment' ELSE comment END"));
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM nation WHERE name = 'FRANCE'"))).matches("VALUES (CAST('FRANCE' AS VARCHAR(25)), BIGINT '3', CAST('masked-comment' AS VARCHAR(152)))");
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM nation WHERE name = 'CANADA'"))).matches("VALUES (CAST('CANADA' AS VARCHAR(25)), BIGINT '1', CAST('eas hang ironic, silent packages. slyly regular packages are furiously over the tithes. fluffily bold' AS VARCHAR(152)))");
    }

    @Test
    public void testMaskingAsSessionUserWithCaseOnInaccessibleColumn() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        QualifiedObjectName qualifiedObjectName = new QualifiedObjectName("test-catalog", "tiny", "nation");
        ViewExpression viewExpression = new ViewExpression(Optional.empty(), Optional.of("test-catalog"), Optional.of("tiny"), "CASE nationkey WHEN 3 THEN 'masked-comment' ELSE comment END");
        this.accessControl.columnMask(qualifiedObjectName, "comment", ADMIN, viewExpression);
        this.accessControl.columnMask(qualifiedObjectName, "comment", USER, viewExpression);
        Assertions.assertThatThrownBy(() -> {
            this.assertions.query(user(USER), "SELECT * FROM nation WHERE name = 'FRANCE'");
        }).hasMessage("Access Denied: Cannot select from columns [nationkey, regionkey, name, comment] in table or view test-catalog.tiny.nation");
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query(user(ADMIN), "SELECT * FROM nation WHERE name = 'CANADA'"))).matches("VALUES (BIGINT '3', CAST('CANADA' AS VARCHAR(25)), BIGINT '1', CAST('masked-comment' AS VARCHAR(152)))");
    }

    @Test
    public void testPredicateOnInaccessibleColumn() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.name", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        Assertions.assertThatThrownBy(() -> {
            this.assertions.query("SELECT * FROM nation WHERE name = 'FRANCE'");
        }).hasMessage("Access Denied: Cannot select from columns [nationkey, regionkey, name, comment] in table or view test-catalog.tiny.nation");
    }

    @Test
    public void testJoinBaseline() {
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM nation,customer WHERE customer.nationkey = nation.nationkey AND nation.name = 'FRANCE' AND customer.name='Customer#000001477'"))).matches(materializedResult -> {
            return ((MaterializedRow) materializedResult.getMaterializedRows().get(0)).getField(11).equals("ites nag blithely alongside of the ironic accounts. accounts use. carefully silent deposits");
        });
    }

    @Test
    public void testJoin() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.comment", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM nation,customer WHERE customer.nationkey = nation.nationkey AND nation.name = 'FRANCE' AND customer.name='Customer#000001477'"))).matches(materializedResult -> {
            return ((MaterializedRow) materializedResult.getMaterializedRows().get(0)).getFields().size() == 11;
        });
    }

    @Test
    public void testConstantFields() {
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM (SELECT 'test')"))).matches("VALUES ('test')");
    }

    @Test
    public void testFunctionFields() {
        ((QueryAssertions.QueryAssert) Assertions.assertThat(this.assertions.query("SELECT * FROM (SELECT concat(name,'-test') FROM nation WHERE name = 'FRANCE')"))).matches("VALUES (CAST('FRANCE-test' AS VARCHAR))");
    }

    @Test
    public void testFunctionOnInaccessibleColumn() {
        this.accessControl.deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(USER, "nation.name", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        Assertions.assertThatThrownBy(() -> {
            this.assertions.query("SELECT * FROM (SELECT concat(name,'-test') FROM nation WHERE name = 'FRANCE')");
        }).hasMessage("Access Denied: Cannot select from columns [name] in table or view test-catalog.tiny.nation");
    }

    private Session user(String str) {
        return Session.builder(this.assertions.getDefaultSession()).setIdentity(Identity.ofUser(str)).build();
    }
}
