package io.trino.testing;

import com.google.common.base.MoreObjects;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Inject;
import io.opentelemetry.api.OpenTelemetry;
import io.trino.client.NodeVersion;
import io.trino.eventlistener.EventListenerManager;
import io.trino.metadata.QualifiedObjectName;
import io.trino.security.AccessControlConfig;
import io.trino.security.AccessControlManager;
import io.trino.security.SecurityContext;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.type.Type;
import io.trino.transaction.TransactionManager;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.BiPredicate;
import java.util.function.Predicate;

/* loaded from: input_file:io/trino/testing/TestingAccessControlManager.class */
public class TestingAccessControlManager extends AccessControlManager {
    // Shared "accept everything" default for denyIdentityTable. checkCanCreateViewWithSelectFromColumns
    // compares the current predicate against this instance to detect that no override is installed.
    private static final BiPredicate<Identity, String> IDENTITY_TABLE_TRUE = (identity, str) -> {
        return true;
    };
    // Deny rules registered through deny(...). Most check methods in this class delegate to the
    // parent access control only while this set is empty.
    private final Set<TestingPrivilege> denyPrivileges;
    // Row filter expressions registered through rowFilter(...), keyed by (identity, table).
    private final Map<RowFilterKey, List<ViewExpression>> rowFilters;
    // Column mask expression registered through columnMask(...), keyed by (identity, table, column).
    private final Map<ColumnMaskKey, ViewExpression> columnMasks;
    // NOTE: despite the "denied" names, filterCatalogs/filterSchemas/filterTables KEEP the entries
    // for which these predicates return true. A predicate handed to denyCatalogs/denySchemas/
    // denyTables therefore has to return false for the entries that should be hidden.
    private Predicate<String> deniedCatalogs;
    private Predicate<String> deniedSchemas;
    private Predicate<SchemaTableName> deniedTables;
    // Same polarity: checkCanCreateViewWithSelectFromColumns rejects when this returns false.
    private BiPredicate<Identity, String> denyIdentityTable;

    /* loaded from: input_file:io/trino/testing/TestingAccessControlManager$ColumnMaskKey.class */
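    /**
     * Map key under which a column mask is stored: identity string, table and column name.
     *
     * <p>Written as a record declaration instead of the decompiled {@code extends Record} form,
     * which is not legal source. {@code equals}, {@code hashCode} and {@code toString} are derived
     * from the three components, and the accessors {@code identity()}, {@code table()} and
     * {@code column()} are generated.
     */
    private record ColumnMaskKey(String identity, QualifiedObjectName table, String column) {
        /**
         * Rejects null components so that a key can never match on a missing value.
         *
         * @throws NullPointerException if any component is null
         */
        private ColumnMaskKey {
            Objects.requireNonNull(identity, "identity is null");
            Objects.requireNonNull(table, "table is null");
            Objects.requireNonNull(column, "column is null");
        }
    }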

    /* loaded from: input_file:io/trino/testing/TestingAccessControlManager$RowFilterKey.class */
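    /**
     * Map key under which row filters are stored: identity string and table.
     *
     * <p>Written as a record declaration instead of the decompiled {@code extends Record} form,
     * which is not legal source. {@code equals}, {@code hashCode} and {@code toString} are derived
     * from the two components, and the accessors {@code identity()} and {@code table()} are
     * generated.
     */
    private record RowFilterKey(String identity, QualifiedObjectName table) {
        /**
         * Rejects null components so that a key can never match on a missing value.
         *
         * @throws NullPointerException if any component is null
         */
        private RowFilterKey {
            Objects.requireNonNull(identity, "identity is null");
            Objects.requireNonNull(table, "table is null");
        }
    }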

    /* loaded from: input_file:io/trino/testing/TestingAccessControlManager$TestingPrivilege.class */
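    /**
     * A deny rule: an optional actor name, a predicate over entity names, and the privilege type
     * the rule applies to.
     */
    public static class TestingPrivilege {
        private final Optional<String> actorName;
        private final Predicate<String> entityPredicate;
        private final TestingPrivilegeType type;

        /**
         * Creates a rule that matches exactly one entity name.
         *
         * @param optional actor the rule is limited to; empty means the rule applies to any actor
         * @param str entity name the checked entity must be equal to
         * @param testingPrivilegeType privilege type the rule applies to
         * @throws NullPointerException if any argument is null
         */
        public TestingPrivilege(Optional<String> optional, String str, TestingPrivilegeType testingPrivilegeType) {
            // The decompiled body referenced an undefined variable and null-checked str only after
            // use. A bound method reference null-checks its receiver when it is created, so a null
            // entity name fails here, before the delegated constructor runs.
            this(optional, str::equals, testingPrivilegeType);
        }

        /**
         * Creates a rule that matches every entity name accepted by {@code predicate}.
         *
         * @param optional actor the rule is limited to; empty means the rule applies to any actor
         * @param predicate returns true for entity names covered by the rule
         * @param testingPrivilegeType privilege type the rule applies to
         * @throws NullPointerException if any argument is null
         */
        public TestingPrivilege(Optional<String> optional, Predicate<String> predicate, TestingPrivilegeType testingPrivilegeType) {
            this.actorName = Objects.requireNonNull(optional, "actorName is null");
            this.entityPredicate = Objects.requireNonNull(predicate, "entityPredicate is null");
            this.type = Objects.requireNonNull(testingPrivilegeType, "type is null");
        }

        /**
         * Tells whether this rule covers the given actor, entity and privilege type.
         *
         * @param optional actor performing the operation
         * @param str entity name the operation targets
         * @param testingPrivilegeType privilege type being checked
         * @return true when the rule has no actor or the same actor, the type is identical and the
         *     entity predicate accepts {@code str}
         */
        public boolean matches(Optional<String> optional, String str, TestingPrivilegeType testingPrivilegeType) {
            // A rule without an actor name is a wildcard over actors.
            boolean actorMatches = this.actorName.isEmpty() || this.actorName.equals(optional);
            return actorMatches && this.type == testingPrivilegeType && this.entityPredicate.test(str);
        }

        /**
         * Compares actor, entity predicate and type.
         *
         * <p>The predicate is compared with {@code Objects.equals}; lambdas and method references
         * do not define value equality, so two rules created from the same entity name are
         * normally not equal and can both end up in a set of rules.
         */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            TestingPrivilege other = (TestingPrivilege) obj;
            return Objects.equals(this.actorName, other.actorName)
                    && Objects.equals(this.entityPredicate, other.entityPredicate)
                    && this.type == other.type;
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.actorName, this.entityPredicate, this.type);
        }

        /** Renders actor and type only; the entity predicate is not part of the text. */
        @Override
        public String toString() {
            return MoreObjects.toStringHelper(this).add("actorName", this.actorName).add("type", this.type).toString();
        }
    }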

    /* loaded from: input_file:io/trino/testing/TestingAccessControlManager$TestingPrivilegeType.class */
    /**
     * Privilege kinds that a {@link TestingPrivilege} deny rule can target.
     *
     * <p>The declaration order is unchanged because it defines each constant's ordinal.
     */
    public enum TestingPrivilegeType {
        // user identity
        SET_USER, IMPERSONATE_USER,
        // queries, functions and procedures
        EXECUTE_QUERY, VIEW_QUERY, KILL_QUERY, EXECUTE_FUNCTION, EXECUTE_TABLE_PROCEDURE,
        // schemas
        CREATE_SCHEMA, DROP_SCHEMA, RENAME_SCHEMA,
        // table definitions
        SHOW_CREATE_TABLE, CREATE_TABLE, DROP_TABLE, RENAME_TABLE,
        // comments
        COMMENT_TABLE, COMMENT_VIEW, COMMENT_COLUMN,
        // table data and table properties
        INSERT_TABLE, DELETE_TABLE, MERGE_TABLE, UPDATE_TABLE, TRUNCATE_TABLE, SET_TABLE_PROPERTIES,
        // columns
        SHOW_COLUMNS, ADD_COLUMN, DROP_COLUMN, RENAME_COLUMN, ALTER_COLUMN, SELECT_COLUMN,
        // views
        CREATE_VIEW, RENAME_VIEW, DROP_VIEW, CREATE_VIEW_WITH_SELECT_COLUMNS,
        // materialized views
        CREATE_MATERIALIZED_VIEW, REFRESH_MATERIALIZED_VIEW, DROP_MATERIALIZED_VIEW,
        RENAME_MATERIALIZED_VIEW, SET_MATERIALIZED_VIEW_PROPERTIES,
        // function grants and session properties
        GRANT_EXECUTE_FUNCTION, SET_SESSION
    }

    /**
     * Creates the testing access control with no deny rules, no row filters or column masks, and
     * predicates that accept every catalog, schema, table and identity/table pair.
     */
    @Inject
    public TestingAccessControlManager(
            TransactionManager transactionManager,
            EventListenerManager eventListenerManager,
            AccessControlConfig accessControlConfig,
            OpenTelemetry openTelemetry) {
        super(NodeVersion.UNKNOWN, transactionManager, eventListenerManager, accessControlConfig, openTelemetry, "default");
        this.denyPrivileges = new HashSet<>();
        this.rowFilters = new HashMap<>();
        this.columnMasks = new HashMap<>();
        // true means "stays visible"; see the filter* methods.
        this.deniedCatalogs = catalog -> true;
        this.deniedSchemas = schema -> true;
        this.deniedTables = table -> true;
        this.denyIdentityTable = IDENTITY_TABLE_TRUE;
    }

    /**
     * Convenience constructor that supplies a fresh {@code AccessControlConfig} and a no-op
     * {@code OpenTelemetry} instance.
     */
    public TestingAccessControlManager(TransactionManager transactionManager, EventListenerManager eventListenerManager) {
        this(
                transactionManager,
                eventListenerManager,
                new AccessControlConfig(),
                OpenTelemetry.noop());
    }

    /**
     * Builds a deny rule for one entity name that is not limited to a particular actor.
     *
     * @param str entity name the rule matches
     * @param testingPrivilegeType privilege type the rule applies to
     */
    public static TestingPrivilege privilege(String str, TestingPrivilegeType testingPrivilegeType) {
        Optional<String> anyActor = Optional.empty();
        return new TestingPrivilege(anyActor, str, testingPrivilegeType);
    }

    /**
     * Builds a deny rule for one entity name that applies to a single actor.
     *
     * @param str actor name the rule is limited to; must not be null
     * @param str2 entity name the rule matches
     * @param testingPrivilegeType privilege type the rule applies to
     */
    public static TestingPrivilege privilege(String str, String str2, TestingPrivilegeType testingPrivilegeType) {
        Optional<String> actor = Optional.of(str);
        return new TestingPrivilege(actor, str2, testingPrivilegeType);
    }

    /**
     * Registers the given deny rules. Once at least one rule is registered, the check methods that
     * test {@code denyPrivileges.isEmpty()} no longer delegate to the parent access control.
     */
    public void deny(TestingPrivilege... testingPrivilegeArr) {
        for (TestingPrivilege rule : testingPrivilegeArr) {
            this.denyPrivileges.add(rule);
        }
    }

    /**
     * Appends a row filter expression to the list kept for the given identity string and table.
     *
     * @param qualifiedObjectName table the filter is registered for
     * @param str identity string used in the lookup key
     * @param viewExpression filter expression to append
     */
    public void rowFilter(QualifiedObjectName qualifiedObjectName, String str, ViewExpression viewExpression) {
        RowFilterKey key = new RowFilterKey(str, qualifiedObjectName);
        List<ViewExpression> filters = this.rowFilters.computeIfAbsent(key, ignored -> new ArrayList<>());
        filters.add(viewExpression);
    }

    /**
     * Stores a column mask, replacing any mask already registered under the same key.
     *
     * @param qualifiedObjectName table the mask is registered for
     * @param str column name (third component of the key)
     * @param str2 identity string (first component of the key)
     * @param viewExpression mask expression
     */
    public void columnMask(QualifiedObjectName qualifiedObjectName, String str, String str2, ViewExpression viewExpression) {
        ColumnMaskKey key = new ColumnMaskKey(str2, qualifiedObjectName, str);
        this.columnMasks.put(key, viewExpression);
    }

    /**
     * Returns this instance to its initial state: no deny rules, no row filters or column masks,
     * and predicates that accept everything. With the rule set empty again, the check methods
     * delegate to the parent access control.
     */
    public void reset() {
        this.denyPrivileges.clear();
        this.rowFilters.clear();
        this.columnMasks.clear();
        this.deniedCatalogs = catalog -> true;
        this.deniedSchemas = schema -> true;
        this.deniedTables = table -> true;
        this.denyIdentityTable = IDENTITY_TABLE_TRUE;
    }

    /**
     * Narrows the set of visible catalogs by AND-ing {@code predicate} onto the current one.
     * The predicate must return false for catalogs that should be hidden, because
     * {@code filterCatalogs} keeps the entries that test true.
     */
    public void denyCatalogs(Predicate<String> predicate) {
        Predicate<String> current = this.deniedCatalogs;
        this.deniedCatalogs = current.and(predicate);
    }

    /**
     * Narrows the set of visible schemas by AND-ing {@code predicate} onto the current one.
     * The predicate must return false for schemas that should be hidden, because
     * {@code filterSchemas} keeps the entries that test true.
     */
    public void denySchemas(Predicate<String> predicate) {
        Predicate<String> current = this.deniedSchemas;
        this.deniedSchemas = current.and(predicate);
    }

    /**
     * Narrows the set of visible tables by AND-ing {@code predicate} onto the current one.
     * The predicate must return false for tables that should be hidden, because
     * {@code filterTables} keeps the entries that test true.
     */
    public void denyTables(Predicate<SchemaTableName> predicate) {
        Predicate<SchemaTableName> current = this.deniedTables;
        this.deniedTables = current.and(predicate);
    }

    /**
     * Replaces (does not combine with) the identity/table predicate. The predicate must return
     * false for the pairs to reject; installing any predicate other than the built-in default also
     * stops {@code checkCanCreateViewWithSelectFromColumns} from delegating to the parent check.
     *
     * @throws NullPointerException if {@code biPredicate} is null
     */
    public void denyIdentityTable(BiPredicate<Identity, String> biPredicate) {
        Objects.requireNonNull(biPredicate, "denyIdentityTable is null");
        this.denyIdentityTable = biPredicate;
    }

    /**
     * Keeps only the catalogs accepted by the {@code deniedCatalogs} predicate (true = stays
     * visible) and then lets the parent access control filter the remainder.
     */
    @Override
    public Set<String> filterCatalogs(SecurityContext securityContext, Set<String> set) {
        Set<String> visible = set.stream()
                .filter(this.deniedCatalogs)
                .collect(ImmutableSet.toImmutableSet());
        return super.filterCatalogs(securityContext, visible);
    }

    /**
     * Keeps only the schemas accepted by the {@code deniedSchemas} predicate (true = stays
     * visible) and then lets the parent access control filter the remainder. {@code str} is
     * forwarded to the parent unchanged.
     */
    @Override
    public Set<String> filterSchemas(SecurityContext securityContext, String str, Set<String> set) {
        Set<String> visible = set.stream()
                .filter(this.deniedSchemas)
                .collect(ImmutableSet.toImmutableSet());
        return super.filterSchemas(securityContext, str, visible);
    }

    /**
     * Keeps only the tables accepted by the {@code deniedTables} predicate (true = stays visible)
     * and then lets the parent access control filter the remainder. {@code str} is forwarded to
     * the parent unchanged.
     */
    @Override
    public Set<SchemaTableName> filterTables(SecurityContext securityContext, String str, Set<SchemaTableName> set) {
        Set<SchemaTableName> visible = set.stream()
                .filter(this.deniedTables)
                .collect(ImmutableSet.toImmutableSet());
        return super.filterTables(securityContext, str, visible);
    }

    /**
     * Rejects impersonation through {@code AccessDeniedException.denyImpersonateUser} when an
     * IMPERSONATE_USER deny rule matches; delegates to the parent check only while no deny rules
     * are registered.
     */
    @Override
    public void checkCanImpersonateUser(Identity identity, String str) {
        // NOTE(review): the target user name is passed as both actor and entity, so the
        // impersonating identity plays no part in rule matching - confirm this is intended.
        boolean denied = shouldDenyPrivilege(str, str, TestingPrivilegeType.IMPERSONATE_USER);
        if (denied) {
            AccessDeniedException.denyImpersonateUser(identity.getUser(), str);
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanImpersonateUser(identity, str);
    }

    /**
     * Rejects setting the user through {@code AccessDeniedException.denySetUser} when a SET_USER
     * deny rule matches the principal's name (if a principal is present) and the requested user;
     * delegates to the parent check only while no deny rules are registered.
     */
    @Override
    @Deprecated
    public void checkCanSetUser(Optional<Principal> optional, String str) {
        Optional<String> principalName = optional.map(Principal::getName);
        if (shouldDenyPrivilege(principalName, str, TestingPrivilegeType.SET_USER)) {
            AccessDeniedException.denySetUser(optional, str);
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanSetUser(optional, str);
    }

    /**
     * Rejects query execution through {@code AccessDeniedException.denyExecuteQuery} when an
     * EXECUTE_QUERY deny rule matches the user and the fixed entity name "query"; delegates to
     * the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanExecuteQuery(Identity identity) {
        String user = identity.getUser();
        if (shouldDenyPrivilege(user, "query", TestingPrivilegeType.EXECUTE_QUERY)) {
            AccessDeniedException.denyExecuteQuery();
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanExecuteQuery(identity);
    }

    /**
     * Rejects viewing a query through {@code AccessDeniedException.denyViewQuery} when a
     * VIEW_QUERY deny rule matches the viewing user and the fixed entity name "query"; delegates
     * to the parent check only while no deny rules are registered. The owner identity is used
     * only by the parent check.
     */
    @Override
    public void checkCanViewQueryOwnedBy(Identity identity, Identity identity2) {
        String user = identity.getUser();
        if (shouldDenyPrivilege(user, "query", TestingPrivilegeType.VIEW_QUERY)) {
            AccessDeniedException.denyViewQuery();
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanViewQueryOwnedBy(identity, identity2);
    }

    /**
     * Filters the query owners visible to {@code identity}.
     *
     * @return an empty set when a VIEW_QUERY deny rule matches the user; the parent's result while
     *     no deny rules are registered; otherwise the input collection unfiltered
     */
    @Override
    public Collection<Identity> filterQueriesOwnedBy(Identity identity, Collection<Identity> collection) {
        if (shouldDenyPrivilege(identity.getUser(), "query", TestingPrivilegeType.VIEW_QUERY)) {
            return ImmutableSet.of();
        }
        if (this.denyPrivileges.isEmpty()) {
            return super.filterQueriesOwnedBy(identity, collection);
        }
        // Deny rules exist but none matches: the parent filter is skipped entirely.
        return collection;
    }

    /**
     * Rejects killing a query through {@code AccessDeniedException.denyKillQuery} when a
     * KILL_QUERY deny rule matches the acting user and the fixed entity name "query"; delegates
     * to the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanKillQueryOwnedBy(Identity identity, Identity identity2) {
        String user = identity.getUser();
        if (shouldDenyPrivilege(user, "query", TestingPrivilegeType.KILL_QUERY)) {
            AccessDeniedException.denyKillQuery();
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanKillQueryOwnedBy(identity, identity2);
    }

    /**
     * Rejects schema creation through {@code AccessDeniedException.denyCreateSchema} when a
     * CREATE_SCHEMA deny rule matches the session user and the schema name; delegates to the
     * parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanCreateSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName, Map<String, Object> map) {
        String user = securityContext.getIdentity().getUser();
        String schema = catalogSchemaName.getSchemaName();
        if (shouldDenyPrivilege(user, schema, TestingPrivilegeType.CREATE_SCHEMA)) {
            AccessDeniedException.denyCreateSchema(catalogSchemaName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanCreateSchema(securityContext, catalogSchemaName, map);
    }

    /**
     * Rejects dropping a schema through {@code AccessDeniedException.denyDropSchema} when a
     * DROP_SCHEMA deny rule matches the session user and the schema name; delegates to the parent
     * check only while no deny rules are registered.
     */
    @Override
    public void checkCanDropSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName) {
        String user = securityContext.getIdentity().getUser();
        String schema = catalogSchemaName.getSchemaName();
        if (shouldDenyPrivilege(user, schema, TestingPrivilegeType.DROP_SCHEMA)) {
            AccessDeniedException.denyDropSchema(catalogSchemaName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanDropSchema(securityContext, catalogSchemaName);
    }

    /**
     * Rejects renaming a schema through {@code AccessDeniedException.denyRenameSchema} when a
     * RENAME_SCHEMA deny rule matches the session user and the current schema name; delegates to
     * the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanRenameSchema(SecurityContext securityContext, CatalogSchemaName catalogSchemaName, String str) {
        String user = securityContext.getIdentity().getUser();
        String schema = catalogSchemaName.getSchemaName();
        if (shouldDenyPrivilege(user, schema, TestingPrivilegeType.RENAME_SCHEMA)) {
            AccessDeniedException.denyRenameSchema(catalogSchemaName.toString(), str);
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanRenameSchema(securityContext, catalogSchemaName, str);
    }

    /**
     * Rejects SHOW CREATE TABLE through {@code AccessDeniedException.denyShowCreateTable} when a
     * SHOW_CREATE_TABLE deny rule matches the session user and the table's object name; delegates
     * to the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanShowCreateTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.SHOW_CREATE_TABLE)) {
            AccessDeniedException.denyShowCreateTable(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanShowCreateTable(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects table creation when either a CREATE_TABLE or a SET_TABLE_PROPERTIES deny rule
     * matches the session user and the table's object name; the properties rule is consulted
     * whatever the properties map contains. Delegates to the parent check only while no deny rules
     * are registered.
     */
    @Override
    public void checkCanCreateTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Map<String, Object> map) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.CREATE_TABLE)) {
            AccessDeniedException.denyCreateTable(qualifiedObjectName.toString());
        }
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.SET_TABLE_PROPERTIES)) {
            AccessDeniedException.denySetTableProperties(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanCreateTable(securityContext, qualifiedObjectName, map);
    }

    /**
     * Rejects dropping a table through {@code AccessDeniedException.denyDropTable} when a
     * DROP_TABLE deny rule matches the session user and the table's object name; delegates to the
     * parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanDropTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.DROP_TABLE)) {
            AccessDeniedException.denyDropTable(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanDropTable(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects renaming a table through {@code AccessDeniedException.denyRenameTable} when a
     * RENAME_TABLE deny rule matches the session user and the current table's object name; the
     * new name is not matched against rules. Delegates to the parent check only while no deny
     * rules are registered.
     */
    @Override
    public void checkCanRenameTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.RENAME_TABLE)) {
            AccessDeniedException.denyRenameTable(qualifiedObjectName.toString(), qualifiedObjectName2.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanRenameTable(securityContext, qualifiedObjectName, qualifiedObjectName2);
    }

    /**
     * Rejects changing table properties through
     * {@code AccessDeniedException.denySetTableProperties} when a SET_TABLE_PROPERTIES deny rule
     * matches the session user and the table's object name; delegates to the parent check only
     * while no deny rules are registered.
     */
    @Override
    public void checkCanSetTableProperties(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Map<String, Optional<Object>> map) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.SET_TABLE_PROPERTIES)) {
            AccessDeniedException.denySetTableProperties(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanSetTableProperties(securityContext, qualifiedObjectName, map);
    }

    /**
     * Rejects commenting on a table through {@code AccessDeniedException.denyCommentTable} when a
     * COMMENT_TABLE deny rule matches the session user and the table's object name; delegates to
     * the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanSetTableComment(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.COMMENT_TABLE)) {
            AccessDeniedException.denyCommentTable(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanSetTableComment(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects commenting on a view through {@code AccessDeniedException.denyCommentView} when a
     * COMMENT_VIEW deny rule matches the session user and the view's object name; delegates to
     * the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanSetViewComment(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.COMMENT_VIEW)) {
            AccessDeniedException.denyCommentView(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanSetViewComment(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects commenting on a column through {@code AccessDeniedException.denyCommentColumn} when
     * a COMMENT_COLUMN deny rule matches the session user and the table's object name; delegates
     * to the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanSetColumnComment(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.COMMENT_COLUMN)) {
            AccessDeniedException.denyCommentColumn(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanSetColumnComment(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects adding a column through {@code AccessDeniedException.denyAddColumn} when an
     * ADD_COLUMN deny rule matches the session user and the table's object name. The parent check
     * always runs afterwards, whether or not deny rules are registered.
     */
    @Override
    public void checkCanAddColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        boolean denied = shouldDenyPrivilege(user, objectName, TestingPrivilegeType.ADD_COLUMN);
        if (denied) {
            AccessDeniedException.denyAddColumn(qualifiedObjectName.toString());
        }
        super.checkCanAddColumns(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects dropping a column through {@code AccessDeniedException.denyDropColumn} when a
     * DROP_COLUMN deny rule matches the session user and the table's object name. The parent check
     * always runs afterwards, whether or not deny rules are registered.
     */
    @Override
    public void checkCanDropColumn(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        boolean denied = shouldDenyPrivilege(user, objectName, TestingPrivilegeType.DROP_COLUMN);
        if (denied) {
            AccessDeniedException.denyDropColumn(qualifiedObjectName.toString());
        }
        super.checkCanDropColumn(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects renaming a column through {@code AccessDeniedException.denyRenameColumn} when a
     * RENAME_COLUMN deny rule matches the session user and the table's object name. The parent
     * check always runs afterwards, whether or not deny rules are registered.
     */
    @Override
    public void checkCanRenameColumn(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        boolean denied = shouldDenyPrivilege(user, objectName, TestingPrivilegeType.RENAME_COLUMN);
        if (denied) {
            AccessDeniedException.denyRenameColumn(qualifiedObjectName.toString());
        }
        super.checkCanRenameColumn(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects altering a column through {@code AccessDeniedException.denyAlterColumn} when an
     * ALTER_COLUMN deny rule matches the session user and the table's object name. The parent
     * check always runs afterwards, whether or not deny rules are registered.
     */
    @Override
    public void checkCanAlterColumn(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        boolean denied = shouldDenyPrivilege(user, objectName, TestingPrivilegeType.ALTER_COLUMN);
        if (denied) {
            AccessDeniedException.denyAlterColumn(qualifiedObjectName.toString());
        }
        super.checkCanAlterColumn(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects inserting into a table through {@code AccessDeniedException.denyInsertTable} when an
     * INSERT_TABLE deny rule matches the session user and the table's object name; delegates to
     * the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanInsertIntoTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.INSERT_TABLE)) {
            AccessDeniedException.denyInsertTable(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanInsertIntoTable(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects deleting from a table through {@code AccessDeniedException.denyDeleteTable} when a
     * DELETE_TABLE deny rule matches the session user and the table's object name; delegates to
     * the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanDeleteFromTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.DELETE_TABLE)) {
            AccessDeniedException.denyDeleteTable(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanDeleteFromTable(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects truncating a table through {@code AccessDeniedException.denyTruncateTable} when a
     * TRUNCATE_TABLE deny rule matches the session user and the table's object name; delegates to
     * the parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanTruncateTable(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.TRUNCATE_TABLE)) {
            AccessDeniedException.denyTruncateTable(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanTruncateTable(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects updating table columns through {@code AccessDeniedException.denyUpdateTableColumns}
     * when an UPDATE_TABLE deny rule matches the session user and the table's object name; the
     * column set is not matched against rules. Delegates to the parent check only while no deny
     * rules are registered.
     */
    @Override
    public void checkCanUpdateTableColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.UPDATE_TABLE)) {
            AccessDeniedException.denyUpdateTableColumns(qualifiedObjectName.toString(), set);
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanUpdateTableColumns(securityContext, qualifiedObjectName, set);
    }

    /**
     * Rejects creating a view through {@code AccessDeniedException.denyCreateView} when a
     * CREATE_VIEW deny rule matches the session user and the view's object name; delegates to the
     * parent check only while no deny rules are registered.
     */
    @Override
    public void checkCanCreateView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.CREATE_VIEW)) {
            AccessDeniedException.denyCreateView(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanCreateView(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects renaming a view through {@code AccessDeniedException.denyRenameView} when a
     * RENAME_VIEW deny rule matches the session user and the current view's object name; the new
     * name is not matched against rules. Delegates to the parent check only while no deny rules
     * are registered.
     */
    @Override
    public void checkCanRenameView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.RENAME_VIEW)) {
            AccessDeniedException.denyRenameView(qualifiedObjectName.toString(), qualifiedObjectName2.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanRenameView(securityContext, qualifiedObjectName, qualifiedObjectName2);
    }

    /**
     * Rejects dropping a view through {@code AccessDeniedException.denyDropView} when a DROP_VIEW
     * deny rule matches the session user and the view's object name; delegates to the parent
     * check only while no deny rules are registered.
     */
    @Override
    public void checkCanDropView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String objectName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, objectName, TestingPrivilegeType.DROP_VIEW)) {
            AccessDeniedException.denyDropView(qualifiedObjectName.toString());
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanDropView(securityContext, qualifiedObjectName);
    }

    /**
     * Rejects setting a system session property through
     * {@code AccessDeniedException.denySetSystemSessionProperty} when a SET_SESSION deny rule
     * matches the user and the property name; delegates to the parent check only while no deny
     * rules are registered.
     */
    @Override
    public void checkCanSetSystemSessionProperty(Identity identity, String str) {
        String user = identity.getUser();
        if (shouldDenyPrivilege(user, str, TestingPrivilegeType.SET_SESSION)) {
            AccessDeniedException.denySetSystemSessionProperty(str);
        }
        if (!this.denyPrivileges.isEmpty()) {
            // Any registered deny rule switches off the parent check.
            return;
        }
        super.checkCanSetSystemSessionProperty(identity, str);
    }

    /**
     * Rejects creating a view that selects from the given table when either the identity/table
     * predicate returns false or a CREATE_VIEW_WITH_SELECT_COLUMNS deny rule matches the session
     * user and the table's object name. The column set is not matched against rules.
     *
     * <p>The parent check runs only while no deny rules are registered and the identity/table
     * predicate is still the built-in default instance.
     */
    @Override
    public void checkCanCreateViewWithSelectFromColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Identity identity = securityContext.getIdentity();
        String objectName = qualifiedObjectName.getObjectName();
        // The predicate answers "is this pair allowed?", so a false result is the rejection.
        if (!this.denyIdentityTable.test(identity, objectName)) {
            AccessDeniedException.denyCreateViewWithSelect(qualifiedObjectName.toString(), securityContext.getIdentity());
        }
        if (shouldDenyPrivilege(identity.getUser(), objectName, TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)) {
            AccessDeniedException.denyCreateViewWithSelect(qualifiedObjectName.toString(), securityContext.getIdentity());
        }
        boolean customized = !this.denyPrivileges.isEmpty() || !this.denyIdentityTable.equals(IDENTITY_TABLE_TRUE);
        if (customized) {
            // Any deny rule or any replaced predicate switches off the parent check.
            return;
        }
        super.checkCanCreateViewWithSelectFromColumns(securityContext, qualifiedObjectName, set);
    }

    /**
     * Test hook for the CREATE MATERIALIZED VIEW check.
     *
     * <p>The user and the name from {@code getObjectName()} are matched against the deny rules; the
     * supplied properties take no part in the match. A match is reported through
     * {@code AccessDeniedException.denyCreateMaterializedView}, which is expected to throw.
     *
     * <p>Security note: the parent check runs only while {@code denyPrivileges} is empty. With any deny
     * rule registered, an unmatched request is allowed without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName materialized view being created
     * @param map materialized view properties, forwarded to the parent check only
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanCreateMaterializedView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Map<String, Object> map) {
        String user = securityContext.getIdentity().getUser();
        String viewName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, viewName, TestingPrivilegeType.CREATE_MATERIALIZED_VIEW)) {
            AccessDeniedException.denyCreateMaterializedView(qualifiedObjectName.toString());
        }
        // Any configured deny rule switches off delegation to the real access control.
        if (!this.denyPrivileges.isEmpty()) {
            return;
        }
        super.checkCanCreateMaterializedView(securityContext, qualifiedObjectName, map);
    }

    /**
     * Test hook for the REFRESH MATERIALIZED VIEW check.
     *
     * <p>The user and the name from {@code getObjectName()} are matched against the deny rules. A match
     * is reported through {@code AccessDeniedException.denyRefreshMaterializedView}, which is expected
     * to throw.
     *
     * <p>Security note: the parent check runs only while {@code denyPrivileges} is empty; otherwise an
     * unmatched request is allowed without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName materialized view being refreshed
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanRefreshMaterializedView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String viewName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, viewName, TestingPrivilegeType.REFRESH_MATERIALIZED_VIEW)) {
            AccessDeniedException.denyRefreshMaterializedView(qualifiedObjectName.toString());
        }
        // Delegation is skipped whenever at least one deny rule exists.
        if (!this.denyPrivileges.isEmpty()) {
            return;
        }
        super.checkCanRefreshMaterializedView(securityContext, qualifiedObjectName);
    }

    /**
     * Test hook for the DROP MATERIALIZED VIEW check.
     *
     * <p>The user and the name from {@code getObjectName()} are matched against the deny rules. A match
     * is reported through {@code AccessDeniedException.denyDropMaterializedView}, which is expected to
     * throw.
     *
     * <p>Security note: the parent check runs only while {@code denyPrivileges} is empty; otherwise an
     * unmatched request is allowed without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName materialized view being dropped
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanDropMaterializedView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String viewName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, viewName, TestingPrivilegeType.DROP_MATERIALIZED_VIEW)) {
            AccessDeniedException.denyDropMaterializedView(qualifiedObjectName.toString());
        }
        // Any configured deny rule switches off delegation to the real access control.
        if (!this.denyPrivileges.isEmpty()) {
            return;
        }
        super.checkCanDropMaterializedView(securityContext, qualifiedObjectName);
    }

    /**
     * Test hook for the RENAME MATERIALIZED VIEW check.
     *
     * <p>Only the source view's object name is matched against the deny rules; the target name appears
     * solely in the denial message. A match is reported through
     * {@code AccessDeniedException.denyRenameMaterializedView}, which is expected to throw.
     *
     * <p>Security note: the parent check runs only while {@code denyPrivileges} is empty; otherwise an
     * unmatched request is allowed without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName current name of the materialized view
     * @param qualifiedObjectName2 requested new name
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanRenameMaterializedView(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, QualifiedObjectName qualifiedObjectName2) {
        String user = securityContext.getIdentity().getUser();
        String sourceName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, sourceName, TestingPrivilegeType.RENAME_MATERIALIZED_VIEW)) {
            AccessDeniedException.denyRenameMaterializedView(qualifiedObjectName.toString(), qualifiedObjectName2.toString());
        }
        // Delegation is skipped whenever at least one deny rule exists.
        if (!this.denyPrivileges.isEmpty()) {
            return;
        }
        super.checkCanRenameMaterializedView(securityContext, qualifiedObjectName, qualifiedObjectName2);
    }

    /**
     * Test hook for setting materialized view properties.
     *
     * <p>The user and the name from {@code getObjectName()} are matched against the deny rules; the
     * property map takes no part in the match. A match is reported through
     * {@code AccessDeniedException.denySetMaterializedViewProperties}, which is expected to throw.
     *
     * <p>Security note: the parent check runs only while {@code denyPrivileges} is empty; otherwise an
     * unmatched request is allowed without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName materialized view being altered
     * @param map requested property changes, forwarded to the parent check only
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanSetMaterializedViewProperties(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Map<String, Optional<Object>> map) {
        String user = securityContext.getIdentity().getUser();
        String viewName = qualifiedObjectName.getObjectName();
        if (shouldDenyPrivilege(user, viewName, TestingPrivilegeType.SET_MATERIALIZED_VIEW_PROPERTIES)) {
            AccessDeniedException.denySetMaterializedViewProperties(qualifiedObjectName.toString());
        }
        // Any configured deny rule switches off delegation to the real access control.
        if (!this.denyPrivileges.isEmpty()) {
            return;
        }
        super.checkCanSetMaterializedViewProperties(securityContext, qualifiedObjectName, map);
    }

    /**
     * Test hook for the SHOW COLUMNS check.
     *
     * <p>The user and the bare table name are matched against the deny rules; the denial message uses
     * the schema-qualified name. A match is reported through
     * {@code AccessDeniedException.denyShowColumns}, which is expected to throw.
     *
     * <p>Security note: the parent check runs only while {@code denyPrivileges} is empty; otherwise an
     * unmatched request is allowed without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param catalogSchemaTableName table whose columns are being listed
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanShowColumns(SecurityContext securityContext, CatalogSchemaTableName catalogSchemaTableName) {
        String user = securityContext.getIdentity().getUser();
        String tableName = catalogSchemaTableName.getSchemaTableName().getTableName();
        if (shouldDenyPrivilege(user, tableName, TestingPrivilegeType.SHOW_COLUMNS)) {
            AccessDeniedException.denyShowColumns(catalogSchemaTableName.getSchemaTableName().toString());
        }
        // Delegation is skipped whenever at least one deny rule exists.
        if (!this.denyPrivileges.isEmpty()) {
            return;
        }
        super.checkCanShowColumns(securityContext, catalogSchemaTableName);
    }

    /**
     * Filters the visible columns of each table, first with the test deny rules and then with the
     * parent access control.
     *
     * <p>Unlike the {@code checkCan*} overrides in this class, the parent is always invoked here: it
     * receives the map that remains after {@code localFilterColumns} has dropped denied columns.
     *
     * @param securityContext context supplying the caller identity
     * @param str catalog name, passed through to the parent unchanged
     * @param map candidate columns keyed by table
     * @return the result of the parent filter applied to the locally filtered map
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public Map<SchemaTableName, Set<String>> filterColumns(SecurityContext securityContext, String str, Map<SchemaTableName, Set<String>> map) {
        Map<SchemaTableName, Set<String>> locallyFiltered = map.entrySet().stream()
                .collect(ImmutableMap.toImmutableMap(
                        Map.Entry::getKey,
                        entry -> localFilterColumns(securityContext, entry.getKey(), entry.getValue())));
        return super.filterColumns(securityContext, str, locallyFiltered);
    }

    /**
     * Drops the columns that a test deny rule hides from the caller.
     *
     * <p>Each column is matched as {@code "<tableName>.<column>"} with
     * {@code TestingPrivilegeType.SELECT_COLUMN}; the schema name is not part of the matched string.
     *
     * @param securityContext context supplying the caller identity
     * @param schemaTableName table owning the columns
     * @param set candidate column names
     * @return an immutable set of the columns not matched by any deny rule
     */
    private Set<String> localFilterColumns(SecurityContext securityContext, SchemaTableName schemaTableName, Set<String> set) {
        return set.stream()
                .filter(column -> !shouldDenyPrivilege(
                        securityContext.getIdentity().getUser(),
                        schemaTableName.getTableName() + "." + column,
                        TestingPrivilegeType.SELECT_COLUMN))
                .collect(ImmutableSet.toImmutableSet());
    }

    /**
     * Test hook for setting a catalog session property.
     *
     * <p>The property is matched as {@code "<catalog>.<property>"} with
     * {@code TestingPrivilegeType.SET_SESSION}; a match is reported through
     * {@code AccessDeniedException.denySetCatalogSessionProperty}, which is expected to throw.
     *
     * <p>Security note: the parent check runs only while {@code denyPrivileges} is empty; otherwise an
     * unmatched property is allowed without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param str catalog name
     * @param str2 session property name
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanSetCatalogSessionProperty(SecurityContext securityContext, String str, String str2) {
        String user = securityContext.getIdentity().getUser();
        String qualifiedProperty = str + "." + str2;
        if (shouldDenyPrivilege(user, qualifiedProperty, TestingPrivilegeType.SET_SESSION)) {
            AccessDeniedException.denySetCatalogSessionProperty(str, str2);
        }
        // Any configured deny rule switches off delegation to the real access control.
        if (!this.denyPrivileges.isEmpty()) {
            return;
        }
        super.checkCanSetCatalogSessionProperty(securityContext, str, str2);
    }

    /**
     * Test hook for the SELECT check on a set of columns.
     *
     * <p>Three test-configured gates are evaluated in order:
     * <ol>
     *   <li>{@code denyIdentityTable}: despite its name, the request is rejected when the predicate
     *       returns {@code false} for the identity and object name;</li>
     *   <li>a deny rule matching the object name itself;</li>
     *   <li>a deny rule matching {@code "<objectName>.<column>"} for any requested column.</li>
     * </ol>
     * Every rejection goes through {@code AccessDeniedException.denySelectColumns}, which is expected
     * to throw.
     *
     * <p>Security note: the parent access control is consulted only when no deny rule is registered and
     * {@code denyIdentityTable} is still the default {@code IDENTITY_TABLE_TRUE} instance. That constant
     * is a lambda, so the {@code equals} call is presumably a reference comparison: any replacement
     * predicate disables delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName table or view being read
     * @param set column names being selected
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanSelectFromColumns(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, Set<String> set) {
        Identity identity = securityContext.getIdentity();
        String objectName = qualifiedObjectName.getObjectName();
        boolean identityAllowed = this.denyIdentityTable.test(identity, objectName);
        if (!identityAllowed) {
            AccessDeniedException.denySelectColumns(qualifiedObjectName.toString(), set);
        }
        if (shouldDenyPrivilege(identity.getUser(), objectName, TestingPrivilegeType.SELECT_COLUMN)) {
            AccessDeniedException.denySelectColumns(qualifiedObjectName.toString(), set);
        }
        for (String column : set) {
            if (shouldDenyPrivilege(identity.getUser(), objectName + "." + column, TestingPrivilegeType.SELECT_COLUMN)) {
                AccessDeniedException.denySelectColumns(qualifiedObjectName.toString(), set);
            }
        }
        // Delegate only when the fixture carries no overrides at all.
        boolean untouchedFixture = this.denyPrivileges.isEmpty() && this.denyIdentityTable.equals(IDENTITY_TABLE_TRUE);
        if (!untouchedFixture) {
            return;
        }
        super.checkCanSelectFromColumns(securityContext, qualifiedObjectName, set);
    }

    /**
     * Test hook deciding whether the caller may execute a function.
     *
     * <p>The user and the function's full {@code toString()} name are matched against the deny rules
     * with {@code TestingPrivilegeType.EXECUTE_FUNCTION}.
     *
     * <p>Security note: the parent's answer is used only while {@code denyPrivileges} is empty. With any
     * deny rule registered, a function matching no rule is reported as executable without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName function being executed
     * @return {@code false} on a deny-rule match; otherwise the parent's decision when no rules are
     *     configured, or {@code true} when rules exist but none matches
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public boolean canExecuteFunction(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String functionName = qualifiedObjectName.toString();
        if (shouldDenyPrivilege(user, functionName, TestingPrivilegeType.EXECUTE_FUNCTION)) {
            return false;
        }
        // Rules present but unmatched: allow without asking the parent.
        return !this.denyPrivileges.isEmpty() || super.canExecuteFunction(securityContext, qualifiedObjectName);
    }

    /**
     * Test hook deciding whether the caller may create a view that executes a function.
     *
     * <p>The user and the function's full {@code toString()} name are matched against the deny rules
     * with {@code TestingPrivilegeType.GRANT_EXECUTE_FUNCTION}.
     *
     * <p>Security note: the parent's answer is used only while {@code denyPrivileges} is empty. With any
     * deny rule registered, a function matching no rule is reported as permitted without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName function referenced by the view
     * @return {@code false} on a deny-rule match; otherwise the parent's decision when no rules are
     *     configured, or {@code true} when rules exist but none matches
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public boolean canCreateViewWithExecuteFunction(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        String user = securityContext.getIdentity().getUser();
        String functionName = qualifiedObjectName.toString();
        if (shouldDenyPrivilege(user, functionName, TestingPrivilegeType.GRANT_EXECUTE_FUNCTION)) {
            return false;
        }
        // Rules present but unmatched: allow without asking the parent.
        return !this.denyPrivileges.isEmpty() || super.canCreateViewWithExecuteFunction(securityContext, qualifiedObjectName);
    }

    /**
     * Test hook for executing a table procedure.
     *
     * <p>The request is matched as {@code "<qualifiedObjectName>.<procedure>"}, using the table's string
     * form, with {@code TestingPrivilegeType.EXECUTE_TABLE_PROCEDURE}. A match is reported through
     * {@code AccessDeniedException.denyExecuteTableProcedure}, which is expected to throw.
     *
     * <p>Security note: the parent check runs only while {@code denyPrivileges} is empty; otherwise an
     * unmatched request is allowed without delegation.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName table the procedure runs against
     * @param str procedure name
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public void checkCanExecuteTableProcedure(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, String str) {
        String user = securityContext.getIdentity().getUser();
        String procedureTarget = qualifiedObjectName + "." + str;
        if (shouldDenyPrivilege(user, procedureTarget, TestingPrivilegeType.EXECUTE_TABLE_PROCEDURE)) {
            AccessDeniedException.denyExecuteTableProcedure(qualifiedObjectName.toString(), str);
        }
        // Delegation is skipped whenever at least one deny rule exists.
        if (!this.denyPrivileges.isEmpty()) {
            return;
        }
        super.checkCanExecuteTableProcedure(securityContext, qualifiedObjectName, str);
    }

    /**
     * Returns the row filters that apply to a table for the caller.
     *
     * <p>Filters registered in this fixture for the (user, table) pair replace the parent's filters;
     * the two are not combined. The parent is asked only when nothing is registered for that pair.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName table being read
     * @return the registered test filters, or the parent's filters when none are registered
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public List<ViewExpression> getRowFilters(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName) {
        RowFilterKey key = new RowFilterKey(securityContext.getIdentity().getUser(), qualifiedObjectName);
        List<ViewExpression> registered = this.rowFilters.get(key);
        if (registered != null) {
            return registered;
        }
        return super.getRowFilters(securityContext, qualifiedObjectName);
    }

    /**
     * Returns the column mask that applies to a column for the caller.
     *
     * <p>A mask registered in this fixture for the (user, table, column) triple takes precedence and
     * the parent is not consulted; otherwise the parent's answer is returned unchanged.
     *
     * @param securityContext context supplying the caller identity
     * @param qualifiedObjectName table owning the column
     * @param str column name
     * @param type column type, forwarded to the parent only
     * @return the registered test mask, or the parent's result when none is registered
     */
    @Override // io.trino.security.AccessControlManager, io.trino.security.AccessControl
    public Optional<ViewExpression> getColumnMask(SecurityContext securityContext, QualifiedObjectName qualifiedObjectName, String str, Type type) {
        ColumnMaskKey key = new ColumnMaskKey(securityContext.getIdentity().getUser(), qualifiedObjectName, str);
        ViewExpression registered = this.columnMasks.get(key);
        if (registered != null) {
            return Optional.of(registered);
        }
        return super.getColumnMask(securityContext, qualifiedObjectName, str, type);
    }

    /**
     * Convenience overload for callers that always have a user name.
     *
     * <p>The name is wrapped with {@code Optional.of}, so a {@code null} user raises
     * {@code NullPointerException} instead of being treated as "no user".
     *
     * @param str user name, must not be null
     * @param str2 entity name to match against the deny rules
     * @param testingPrivilegeType privilege being checked
     * @return {@code true} when a configured deny rule matches
     */
    private boolean shouldDenyPrivilege(String str, String str2, TestingPrivilegeType testingPrivilegeType) {
        Optional<String> user = Optional.of(str);
        return shouldDenyPrivilege(user, str2, testingPrivilegeType);
    }

    /**
     * Reports whether any configured deny rule matches the request.
     *
     * <p>With no rules registered the result is always {@code false}.
     *
     * @param optional user name, if known
     * @param str entity name to match
     * @param testingPrivilegeType privilege being checked
     * @return {@code true} when at least one entry of {@code denyPrivileges} matches
     */
    private boolean shouldDenyPrivilege(Optional<String> optional, String str, TestingPrivilegeType testingPrivilegeType) {
        return this.denyPrivileges.stream()
                .anyMatch(rule -> rule.matches(optional, str, testingPrivilegeType));
    }
}
