package io.trino.plugin.base.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Module;
import io.airlift.bootstrap.Bootstrap;
import io.trino.plugin.base.CatalogNameModule;
import io.trino.spi.QueryId;
import io.trino.spi.connector.ConnectorAccessControl;
import io.trino.spi.connector.ConnectorSecurityContext;
import io.trino.spi.connector.ConnectorTransactionHandle;
import io.trino.spi.connector.SchemaRoutineName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.FunctionKind;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.ConnectorIdentity;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.testing.InterfaceTestUtils;
import io.trino.spi.type.VarcharType;
import java.io.File;
import java.net.URL;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import org.assertj.core.api.Assertions;
import org.assertj.core.util.Files;
import org.testng.Assert;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

/* loaded from: input_file:io/trino/plugin/base/security/BaseFileBasedConnectorAccessControlTest.class */
public abstract class BaseFileBasedConnectorAccessControlTest {
    private static final ConnectorSecurityContext ADMIN = user("admin", (Set<String>) ImmutableSet.of("admin", "staff"));
    private static final ConnectorSecurityContext ALICE = user("alice", (Set<String>) ImmutableSet.of("staff"));
    private static final ConnectorSecurityContext BOB = user("bob", (Set<String>) ImmutableSet.of("staff"));
    private static final ConnectorSecurityContext CHARLIE = user("charlie", (Set<String>) ImmutableSet.of("guests"));
    private static final ConnectorSecurityContext JOE = user("joe", (Set<String>) ImmutableSet.of());
    private static final ConnectorSecurityContext UNKNOWN = user("unknown", (Set<String>) ImmutableSet.of());

    protected abstract ConnectorAccessControl createAccessControl(File file, Map<String, String> map);

    @Test
    public void testEmptyFile() {
        ConnectorAccessControl createAccessControl = createAccessControl("empty.json");
        createAccessControl.checkCanCreateSchema(UNKNOWN, "unknown", ImmutableMap.of());
        createAccessControl.checkCanDropSchema(UNKNOWN, "unknown");
        createAccessControl.checkCanRenameSchema(UNKNOWN, "unknown", "new_unknown");
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(UNKNOWN, "unknown", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        createAccessControl.checkCanShowCreateSchema(UNKNOWN, "unknown");
        createAccessControl.checkCanSelectFromColumns(UNKNOWN, new SchemaTableName("unknown", "unknown"), ImmutableSet.of());
        createAccessControl.checkCanShowColumns(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        createAccessControl.checkCanInsertIntoTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        createAccessControl.checkCanDeleteFromTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        createAccessControl.checkCanCreateTable(UNKNOWN, new SchemaTableName("unknown", "unknown"), Map.of());
        createAccessControl.checkCanDropTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        createAccessControl.checkCanTruncateTable(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        createAccessControl.checkCanRenameTable(UNKNOWN, new SchemaTableName("unknown", "unknown"), new SchemaTableName("unknown", "new_unknown"));
        createAccessControl.checkCanAlterColumn(UNKNOWN, new SchemaTableName("unknown", "unknown"));
        createAccessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "anything");
        ImmutableSet build = ImmutableSet.builder().add(new SchemaTableName("secret", "any")).add(new SchemaTableName("any", "any")).build();
        Assert.assertEquals(createAccessControl.filterTables(UNKNOWN, build), build);
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "some_user");
        assertDenied(() -> {
            createAccessControl.checkCanGrantTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), trinoPrincipal, false);
        });
        assertDenied(() -> {
            createAccessControl.checkCanDenyTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), trinoPrincipal);
        });
        assertDenied(() -> {
            createAccessControl.checkCanRevokeTablePrivilege(ADMIN, Privilege.SELECT, new SchemaTableName("any", "any"), trinoPrincipal, false);
        });
        assertDenied(() -> {
            createAccessControl.checkCanCreateRole(ADMIN, "role", Optional.empty());
        });
        assertDenied(() -> {
            createAccessControl.checkCanDropRole(ADMIN, "role");
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(trinoPrincipal), false, Optional.empty());
        });
        assertDenied(() -> {
            createAccessControl.checkCanRevokeRoles(ADMIN, ImmutableSet.of("test"), ImmutableSet.of(trinoPrincipal), false, Optional.empty());
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetRole(ADMIN, "role");
        });
        createAccessControl.checkCanShowRoles(UNKNOWN);
        createAccessControl.checkCanShowCurrentRoles(UNKNOWN);
        createAccessControl.checkCanShowRoleGrants(UNKNOWN);
    }

    @Test
    public void testEmptyFunctionKind() {
        Assertions.assertThatThrownBy(() -> {
            createAccessControl("empty-functions-kind.json");
        }).hasRootCauseInstanceOf(IllegalStateException.class).hasRootCauseMessage("functionKinds cannot be empty, provide at least one function kind [SCALAR, AGGREGATE, WINDOW, TABLE]");
    }

    @Test
    public void testDisallowFunctionKindRuleCombination() {
        Assertions.assertThatThrownBy(() -> {
            createAccessControl("disallow-function-rule-combination.json");
        }).hasRootCauseInstanceOf(IllegalStateException.class).hasRootCauseMessage("Cannot define schema for others function kinds than TABLE");
        Assertions.assertThatThrownBy(() -> {
            createAccessControl("disallow-function-rule-combination-without-table.json");
        }).hasRootCauseInstanceOf(IllegalStateException.class).hasRootCauseMessage("Cannot define schema for others function kinds than TABLE");
    }

    @Test
    public void testSchemaRules() {
        ConnectorAccessControl createAccessControl = createAccessControl("schema.json");
        ImmutableMap of = ImmutableMap.of();
        createAccessControl.checkCanCreateSchema(ADMIN, "bob", of);
        createAccessControl.checkCanCreateSchema(ADMIN, "staff", of);
        createAccessControl.checkCanCreateSchema(ADMIN, "authenticated", of);
        createAccessControl.checkCanCreateSchema(ADMIN, "test", of);
        createAccessControl.checkCanCreateSchema(BOB, "bob", of);
        createAccessControl.checkCanCreateSchema(BOB, "staff", of);
        createAccessControl.checkCanCreateSchema(BOB, "authenticated", of);
        assertDenied(() -> {
            createAccessControl.checkCanCreateSchema(BOB, "test", of);
        });
        assertDenied(() -> {
            createAccessControl.checkCanCreateSchema(CHARLIE, "bob", of);
        });
        assertDenied(() -> {
            createAccessControl.checkCanCreateSchema(CHARLIE, "staff", of);
        });
        createAccessControl.checkCanCreateSchema(CHARLIE, "authenticated", of);
        assertDenied(() -> {
            createAccessControl.checkCanCreateSchema(CHARLIE, "test", of);
        });
        createAccessControl.checkCanDropSchema(ADMIN, "bob");
        createAccessControl.checkCanDropSchema(ADMIN, "staff");
        createAccessControl.checkCanDropSchema(ADMIN, "authenticated");
        createAccessControl.checkCanDropSchema(ADMIN, "test");
        createAccessControl.checkCanDropSchema(BOB, "bob");
        createAccessControl.checkCanDropSchema(BOB, "staff");
        createAccessControl.checkCanDropSchema(BOB, "authenticated");
        assertDenied(() -> {
            createAccessControl.checkCanDropSchema(BOB, "test");
        });
        assertDenied(() -> {
            createAccessControl.checkCanDropSchema(CHARLIE, "bob");
        });
        assertDenied(() -> {
            createAccessControl.checkCanDropSchema(CHARLIE, "staff");
        });
        createAccessControl.checkCanDropSchema(CHARLIE, "authenticated");
        assertDenied(() -> {
            createAccessControl.checkCanDropSchema(CHARLIE, "test");
        });
        createAccessControl.checkCanRenameSchema(ADMIN, "bob", "new_schema");
        createAccessControl.checkCanRenameSchema(ADMIN, "staff", "new_schema");
        createAccessControl.checkCanRenameSchema(ADMIN, "authenticated", "new_schema");
        createAccessControl.checkCanRenameSchema(ADMIN, "test", "new_schema");
        createAccessControl.checkCanRenameSchema(BOB, "bob", "staff");
        createAccessControl.checkCanRenameSchema(BOB, "staff", "authenticated");
        createAccessControl.checkCanRenameSchema(BOB, "authenticated", "bob");
        assertDenied(() -> {
            createAccessControl.checkCanRenameSchema(BOB, "test", "bob");
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameSchema(BOB, "bob", "test");
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameSchema(CHARLIE, "bob", "new_schema");
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameSchema(CHARLIE, "staff", "new_schema");
        });
        createAccessControl.checkCanRenameSchema(CHARLIE, "authenticated", "authenticated");
        assertDenied(() -> {
            createAccessControl.checkCanRenameSchema(CHARLIE, "test", "new_schema");
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(ADMIN, "test", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(ADMIN, "test", new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(BOB, "bob", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(BOB, "bob", new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(BOB, "test", new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(BOB, "test", new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
        createAccessControl.checkCanShowCreateSchema(ADMIN, "bob");
        createAccessControl.checkCanShowCreateSchema(ADMIN, "staff");
        createAccessControl.checkCanShowCreateSchema(ADMIN, "authenticated");
        createAccessControl.checkCanShowCreateSchema(ADMIN, "test");
        createAccessControl.checkCanShowCreateSchema(BOB, "bob");
        createAccessControl.checkCanShowCreateSchema(BOB, "staff");
        createAccessControl.checkCanShowCreateSchema(BOB, "authenticated");
        assertDenied(() -> {
            createAccessControl.checkCanShowCreateSchema(BOB, "test");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowCreateSchema(CHARLIE, "bob");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowCreateSchema(CHARLIE, "staff");
        });
        createAccessControl.checkCanShowCreateSchema(CHARLIE, "authenticated");
        assertDenied(() -> {
            createAccessControl.checkCanShowCreateSchema(CHARLIE, "test");
        });
    }

    @Test(dataProvider = "privilegeGrantOption")
    public void testGrantSchemaPrivilege(Privilege privilege, boolean z) {
        ConnectorAccessControl createAccessControl = createAccessControl("schema.json");
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "alice");
        createAccessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "bob", trinoPrincipal, z);
        createAccessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "staff", trinoPrincipal, z);
        createAccessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "authenticated", trinoPrincipal, z);
        createAccessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, "test", trinoPrincipal, z);
        createAccessControl.checkCanGrantSchemaPrivilege(BOB, privilege, "bob", trinoPrincipal, z);
        createAccessControl.checkCanGrantSchemaPrivilege(BOB, privilege, "staff", trinoPrincipal, z);
        createAccessControl.checkCanGrantSchemaPrivilege(BOB, privilege, "authenticated", trinoPrincipal, z);
        assertDenied(() -> {
            createAccessControl.checkCanGrantSchemaPrivilege(BOB, privilege, "test", trinoPrincipal, z);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, "bob", trinoPrincipal, z);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, "staff", trinoPrincipal, z);
        });
        createAccessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, "authenticated", trinoPrincipal, z);
        assertDenied(() -> {
            createAccessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, "test", trinoPrincipal, z);
        });
    }

    @Test
    public void testDenySchemaPrivilege() {
        ConnectorAccessControl createAccessControl = createAccessControl("schema.json");
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "alice");
        createAccessControl.checkCanDenySchemaPrivilege(ADMIN, Privilege.UPDATE, "bob", trinoPrincipal);
        createAccessControl.checkCanDenySchemaPrivilege(ADMIN, Privilege.UPDATE, "staff", trinoPrincipal);
        createAccessControl.checkCanDenySchemaPrivilege(ADMIN, Privilege.UPDATE, "authenticated", trinoPrincipal);
        createAccessControl.checkCanDenySchemaPrivilege(ADMIN, Privilege.UPDATE, "test", trinoPrincipal);
        createAccessControl.checkCanDenySchemaPrivilege(BOB, Privilege.UPDATE, "bob", trinoPrincipal);
        createAccessControl.checkCanDenySchemaPrivilege(BOB, Privilege.UPDATE, "staff", trinoPrincipal);
        createAccessControl.checkCanDenySchemaPrivilege(BOB, Privilege.UPDATE, "authenticated", trinoPrincipal);
        assertDenied(() -> {
            createAccessControl.checkCanDenySchemaPrivilege(BOB, Privilege.UPDATE, "test", trinoPrincipal);
        });
        assertDenied(() -> {
            createAccessControl.checkCanDenySchemaPrivilege(CHARLIE, Privilege.UPDATE, "bob", trinoPrincipal);
        });
        assertDenied(() -> {
            createAccessControl.checkCanDenySchemaPrivilege(CHARLIE, Privilege.UPDATE, "staff", trinoPrincipal);
        });
        createAccessControl.checkCanDenySchemaPrivilege(CHARLIE, Privilege.UPDATE, "authenticated", trinoPrincipal);
        assertDenied(() -> {
            createAccessControl.checkCanDenySchemaPrivilege(CHARLIE, Privilege.UPDATE, "test", trinoPrincipal);
        });
    }

    @Test(dataProvider = "privilegeGrantOption")
    public void testRevokeSchemaPrivilege(Privilege privilege, boolean z) {
        ConnectorAccessControl createAccessControl = createAccessControl("schema.json");
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "alice");
        createAccessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "bob", trinoPrincipal, z);
        createAccessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "staff", trinoPrincipal, z);
        createAccessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "authenticated", trinoPrincipal, z);
        createAccessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, "test", trinoPrincipal, z);
        createAccessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "bob", trinoPrincipal, z);
        createAccessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "staff", trinoPrincipal, z);
        createAccessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "authenticated", trinoPrincipal, z);
        assertDenied(() -> {
            createAccessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, "test", trinoPrincipal, z);
        });
        assertDenied(() -> {
            createAccessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "bob", trinoPrincipal, z);
        });
        assertDenied(() -> {
            createAccessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "staff", trinoPrincipal, z);
        });
        createAccessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "authenticated", trinoPrincipal, z);
        assertDenied(() -> {
            createAccessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, "test", trinoPrincipal, z);
        });
    }

    @DataProvider(name = "privilegeGrantOption")
    public Object[][] privilegeGrantOption() {
        return (Object[][]) EnumSet.allOf(Privilege.class).stream().flatMap(privilege -> {
            return Stream.of((Object[]) new Boolean[]{true, false}).map(bool -> {
                return new Object[]{privilege, bool};
            });
        }).toArray(i -> {
            return new Object[i];
        });
    }

    @Test
    public void testTableRules() {
        SchemaTableName schemaTableName = new SchemaTableName("test", "test");
        SchemaTableName schemaTableName2 = new SchemaTableName("aliceschema", "alicetable");
        SchemaTableName schemaTableName3 = new SchemaTableName("bobschema", "bobtable");
        ConnectorAccessControl createAccessControl = createAccessControl("table.json");
        createAccessControl.checkCanSelectFromColumns(ALICE, schemaTableName, ImmutableSet.of());
        createAccessControl.checkCanSelectFromColumns(ALICE, schemaTableName3, ImmutableSet.of());
        createAccessControl.checkCanSelectFromColumns(ALICE, schemaTableName3, ImmutableSet.of("bobcolumn"));
        createAccessControl.checkCanShowColumns(ALICE, schemaTableName3);
        Assert.assertEquals(createAccessControl.filterColumns(ALICE, schemaTableName3, ImmutableSet.of("a")), ImmutableSet.of("a"));
        createAccessControl.checkCanSelectFromColumns(BOB, schemaTableName3, ImmutableSet.of());
        createAccessControl.checkCanShowColumns(BOB, schemaTableName3);
        Assert.assertEquals(createAccessControl.filterColumns(BOB, schemaTableName3, ImmutableSet.of("a")), ImmutableSet.of("a"));
        createAccessControl.checkCanInsertIntoTable(BOB, schemaTableName3);
        createAccessControl.checkCanDeleteFromTable(BOB, schemaTableName3);
        createAccessControl.checkCanTruncateTable(BOB, schemaTableName3);
        createAccessControl.checkCanSelectFromColumns(CHARLIE, schemaTableName3, ImmutableSet.of());
        createAccessControl.checkCanSelectFromColumns(CHARLIE, schemaTableName3, ImmutableSet.of("bobcolumn"));
        createAccessControl.checkCanInsertIntoTable(CHARLIE, schemaTableName3);
        createAccessControl.checkCanSelectFromColumns(JOE, schemaTableName3, ImmutableSet.of());
        createAccessControl.checkCanCreateTable(ADMIN, new SchemaTableName("bob", "test"), Map.of());
        createAccessControl.checkCanCreateTable(ADMIN, schemaTableName, Map.of());
        createAccessControl.checkCanCreateTable(ADMIN, new SchemaTableName("authenticated", "test"), Map.of());
        assertDenied(() -> {
            createAccessControl.checkCanCreateTable(ADMIN, new SchemaTableName("secret", "test"), Map.of());
        });
        createAccessControl.checkCanCreateTable(ALICE, new SchemaTableName("aliceschema", "test"), Map.of());
        assertDenied(() -> {
            createAccessControl.checkCanCreateTable(ALICE, schemaTableName, Map.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanCreateTable(CHARLIE, new SchemaTableName("aliceschema", "test"), Map.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanCreateTable(CHARLIE, schemaTableName, Map.of());
        });
        createAccessControl.checkCanCreateViewWithSelectFromColumns(BOB, schemaTableName3, ImmutableSet.of());
        createAccessControl.checkCanDropTable(ADMIN, schemaTableName3);
        createAccessControl.checkCanTruncateTable(ADMIN, schemaTableName3);
        createAccessControl.checkCanRenameTable(ADMIN, schemaTableName3, new SchemaTableName("aliceschema", "newbobtable"));
        createAccessControl.checkCanRenameTable(ALICE, schemaTableName2, new SchemaTableName("aliceschema", "newalicetable"));
        createAccessControl.checkCanRenameView(ADMIN, new SchemaTableName("bobschema", "bobview"), new SchemaTableName("aliceschema", "newbobview"));
        createAccessControl.checkCanRenameView(ALICE, new SchemaTableName("aliceschema", "aliceview"), new SchemaTableName("aliceschema", "newaliceview"));
        createAccessControl.checkCanRenameMaterializedView(ADMIN, new SchemaTableName("bobschema", "bobmaterializedview"), new SchemaTableName("aliceschema", "newbobaterializedview"));
        createAccessControl.checkCanRenameMaterializedView(ALICE, new SchemaTableName("aliceschema", "alicevaterializediew"), new SchemaTableName("aliceschema", "newaliceaterializedview"));
        createAccessControl.checkCanSetMaterializedViewProperties(ADMIN, new SchemaTableName("bobschema", "bobmaterializedview"), ImmutableMap.of());
        createAccessControl.checkCanSetMaterializedViewProperties(ALICE, new SchemaTableName("aliceschema", "alicevaterializediew"), ImmutableMap.of());
        createAccessControl.checkCanSetViewComment(ALICE, new SchemaTableName("aliceschema", "aliceview"));
        createAccessControl.checkCanAlterColumn(ADMIN, schemaTableName3);
        createAccessControl.checkCanAlterColumn(ALICE, schemaTableName2);
        createAccessControl.checkCanSetTableProperties(ADMIN, schemaTableName3, ImmutableMap.of());
        createAccessControl.checkCanSetTableProperties(ALICE, schemaTableName2, ImmutableMap.of());
        assertDenied(() -> {
            createAccessControl.checkCanInsertIntoTable(ALICE, schemaTableName3);
        });
        assertDenied(() -> {
            createAccessControl.checkCanDropTable(BOB, schemaTableName3);
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameTable(BOB, schemaTableName3, new SchemaTableName("bobschema", "newbobtable"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameTable(ALICE, schemaTableName2, new SchemaTableName("bobschema", "newalicetable"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewComment(ALICE, new SchemaTableName("bobschema", "newalicetable"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanAlterColumn(BOB, schemaTableName3);
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableProperties(BOB, schemaTableName3, ImmutableMap.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanInsertIntoTable(BOB, schemaTableName);
        });
        assertDenied(() -> {
            createAccessControl.checkCanSelectFromColumns(ADMIN, new SchemaTableName("secret", "secret"), ImmutableSet.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanSelectFromColumns(JOE, new SchemaTableName("secret", "secret"), ImmutableSet.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanCreateViewWithSelectFromColumns(JOE, schemaTableName3, ImmutableSet.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameView(BOB, new SchemaTableName("bobschema", "bobview"), new SchemaTableName("bobschema", "newbobview"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameView(ALICE, schemaTableName2, new SchemaTableName("bobschema", "newalicetable"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameMaterializedView(BOB, new SchemaTableName("bobschema", "bobmaterializedview"), new SchemaTableName("bobschema", "newbobaterializedview"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanRenameMaterializedView(ALICE, schemaTableName2, new SchemaTableName("bobschema", "newaliceaterializedview"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetMaterializedViewProperties(ALICE, new SchemaTableName("bobschema", "bobmaterializedview"), ImmutableMap.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetMaterializedViewProperties(BOB, new SchemaTableName("bobschema", "bobmaterializedview"), ImmutableMap.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(ADMIN, schemaTableName, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(ADMIN, schemaTableName, new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(ALICE, schemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(ALICE, schemaTableName2, new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(ALICE, schemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(ALICE, schemaTableName3, new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(ADMIN, schemaTableName, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(ADMIN, schemaTableName, new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(ALICE, schemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(ALICE, schemaTableName2, new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(ALICE, schemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(ALICE, schemaTableName3, new TrinoPrincipal(PrincipalType.USER, "some_user"));
        });
    }

    @Test
    public void testTableRulesForMixedGroupUsers() {
        SchemaTableName schemaTableName = new SchemaTableName("my_schema", "my_table");
        ConnectorAccessControl createAccessControl = createAccessControl("table-mixed-groups.json");
        ConnectorSecurityContext user = user("user_1_2", (Set<String>) ImmutableSet.of("group1", "group2"));
        ConnectorSecurityContext user2 = user("user_2", (Set<String>) ImmutableSet.of("group2"));
        createAccessControl.checkCanCreateTable(user, schemaTableName, Map.of());
        createAccessControl.checkCanInsertIntoTable(user, schemaTableName);
        createAccessControl.checkCanDeleteFromTable(user, schemaTableName);
        createAccessControl.checkCanDropTable(user, schemaTableName);
        createAccessControl.checkCanSelectFromColumns(user, schemaTableName, ImmutableSet.of());
        Assert.assertEquals(createAccessControl.getColumnMask(user, schemaTableName, "col_a", VarcharType.VARCHAR), Optional.empty());
        Assert.assertEquals(createAccessControl.getRowFilters(user, schemaTableName), ImmutableList.of());
        assertDenied(() -> {
            createAccessControl.checkCanCreateTable(user2, schemaTableName, Map.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanInsertIntoTable(user2, schemaTableName);
        });
        assertDenied(() -> {
            createAccessControl.checkCanDeleteFromTable(user2, schemaTableName);
        });
        assertDenied(() -> {
            createAccessControl.checkCanDropTable(user2, schemaTableName);
        });
        createAccessControl.checkCanSelectFromColumns(user2, schemaTableName, ImmutableSet.of());
        assertViewExpressionEquals((ViewExpression) createAccessControl.getColumnMask(user2, schemaTableName, "col_a", VarcharType.VARCHAR).orElseThrow(), new ViewExpression(Optional.empty(), Optional.of("test_catalog"), Optional.of("my_schema"), "'mask_a'"));
        Assert.assertEquals(createAccessControl.getRowFilters(user2, schemaTableName), ImmutableList.of());
        ConnectorSecurityContext user3 = user("user_1_3", (Set<String>) ImmutableSet.of("group1", "group3"));
        ConnectorSecurityContext user4 = user("user_3", (Set<String>) ImmutableSet.of("group3"));
        createAccessControl.checkCanCreateTable(user3, schemaTableName, Map.of());
        createAccessControl.checkCanInsertIntoTable(user3, schemaTableName);
        createAccessControl.checkCanDeleteFromTable(user3, schemaTableName);
        createAccessControl.checkCanDropTable(user3, schemaTableName);
        createAccessControl.checkCanSelectFromColumns(user3, schemaTableName, ImmutableSet.of());
        Assert.assertEquals(createAccessControl.getColumnMask(user3, schemaTableName, "col_a", VarcharType.VARCHAR), Optional.empty());
        assertDenied(() -> {
            createAccessControl.checkCanCreateTable(user4, schemaTableName, Map.of());
        });
        assertDenied(() -> {
            createAccessControl.checkCanInsertIntoTable(user4, schemaTableName);
        });
        assertDenied(() -> {
            createAccessControl.checkCanDeleteFromTable(user4, schemaTableName);
        });
        assertDenied(() -> {
            createAccessControl.checkCanDropTable(user4, schemaTableName);
        });
        createAccessControl.checkCanSelectFromColumns(user4, schemaTableName, ImmutableSet.of());
        assertViewExpressionEquals((ViewExpression) createAccessControl.getColumnMask(user4, schemaTableName, "col_a", VarcharType.VARCHAR).orElseThrow(), new ViewExpression(Optional.empty(), Optional.of("test_catalog"), Optional.of("my_schema"), "'mask_a'"));
        List rowFilters = createAccessControl.getRowFilters(user4, schemaTableName);
        Assert.assertEquals(rowFilters.size(), 1);
        assertViewExpressionEquals((ViewExpression) rowFilters.get(0), new ViewExpression(Optional.empty(), Optional.of("test_catalog"), Optional.of("my_schema"), "country='US'"));
    }

    private static void assertViewExpressionEquals(ViewExpression viewExpression, ViewExpression viewExpression2) {
        Assert.assertEquals(viewExpression.getSecurityIdentity(), viewExpression2.getSecurityIdentity(), "Identity");
        Assert.assertEquals(viewExpression.getCatalog(), viewExpression2.getCatalog(), "Catalog");
        Assert.assertEquals(viewExpression.getSchema(), viewExpression2.getSchema(), "Schema");
        Assert.assertEquals(viewExpression.getExpression(), viewExpression2.getExpression(), "Expression");
    }

    @Test
    public void testTableFilter() {
        ConnectorAccessControl createAccessControl = createAccessControl("table-filter.json");
        ImmutableSet build = ImmutableSet.builder().add(new SchemaTableName("restricted", "any")).add(new SchemaTableName("secret", "any")).add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).add(new SchemaTableName("bobschema", "any")).add(new SchemaTableName("any", "any")).build();
        Assert.assertEquals(createAccessControl.filterTables(ALICE, build), ImmutableSet.builder().add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).build());
        Assert.assertEquals(createAccessControl.filterTables(BOB, build), ImmutableSet.builder().add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).build());
        Assert.assertEquals(createAccessControl.filterTables(ADMIN, build), ImmutableSet.builder().add(new SchemaTableName("secret", "any")).add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).add(new SchemaTableName("bobschema", "any")).add(new SchemaTableName("any", "any")).build());
    }

    @Test
    public void testNoTableRules() {
        ConnectorAccessControl createAccessControl = createAccessControl("no-access.json");
        assertDenied(() -> {
            createAccessControl.checkCanShowColumns(BOB, new SchemaTableName("bobschema", "bobtable"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(BOB, "bobschema");
        });
        Assert.assertEquals(createAccessControl.filterColumns(BOB, new SchemaTableName("bobschema", "bobtable"), ImmutableSet.of("a")), ImmutableSet.of());
        ImmutableSet build = ImmutableSet.builder().add(new SchemaTableName("restricted", "any")).add(new SchemaTableName("secret", "any")).add(new SchemaTableName("any", "any")).build();
        Assert.assertEquals(createAccessControl.filterTables(ALICE, build), ImmutableSet.of());
        Assert.assertEquals(createAccessControl.filterTables(BOB, build), ImmutableSet.of());
    }

    @Test
    public void testNoFunctionRules() {
        ConnectorAccessControl createAccessControl = createAccessControl("no-access.json");
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ALICE, FunctionKind.AGGREGATE, new SchemaRoutineName("schema", "some_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ALICE, FunctionKind.SCALAR, new SchemaRoutineName("schema", "some_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ALICE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ALICE, FunctionKind.WINDOW, new SchemaRoutineName("schema", "some_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.AGGREGATE, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, "some_user"), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.SCALAR, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, "some_user"), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, "some_user"), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.WINDOW, new SchemaRoutineName("schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, "some_user"), true);
        });
    }

    @Test
    public void testSessionPropertyRules() {
        ConnectorAccessControl createAccessControl = createAccessControl("session_property.json");
        createAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "dangerous");
        createAccessControl.checkCanSetCatalogSessionProperty(ALICE, "safe");
        createAccessControl.checkCanSetCatalogSessionProperty(ALICE, "unsafe");
        createAccessControl.checkCanSetCatalogSessionProperty(ALICE, "staff");
        createAccessControl.checkCanSetCatalogSessionProperty(BOB, "safe");
        createAccessControl.checkCanSetCatalogSessionProperty(BOB, "staff");
        assertDenied(() -> {
            createAccessControl.checkCanSetCatalogSessionProperty(BOB, "unsafe");
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetCatalogSessionProperty(ALICE, "dangerous");
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetCatalogSessionProperty(CHARLIE, "safe");
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetCatalogSessionProperty(CHARLIE, "staff");
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetCatalogSessionProperty(JOE, "staff");
        });
    }

    @Test
    public void testFilterSchemas() {
        assertFilterSchemas(createAccessControl("visibility.json"));
    }

    private static void assertFilterSchemas(ConnectorAccessControl connectorAccessControl) {
        ImmutableSet of = ImmutableSet.of("specific-schema", "alice-schema", "bob-schema", "unknown", "ptf_schema");
        Assert.assertEquals(connectorAccessControl.filterSchemas(ADMIN, of), of);
        Assert.assertEquals(connectorAccessControl.filterSchemas(ALICE, of), ImmutableSet.of("specific-schema", "alice-schema", "ptf_schema"));
        Assert.assertEquals(connectorAccessControl.filterSchemas(BOB, of), ImmutableSet.of("specific-schema", "bob-schema"));
        Assert.assertEquals(connectorAccessControl.filterSchemas(CHARLIE, of), ImmutableSet.of("specific-schema"));
    }

    @Test
    public void testSchemaRulesForCheckCanShowTables() {
        ConnectorAccessControl createAccessControl = createAccessControl("visibility.json");
        createAccessControl.checkCanShowTables(ADMIN, "specific-schema");
        createAccessControl.checkCanShowTables(ADMIN, "bob-schema");
        createAccessControl.checkCanShowTables(ADMIN, "alice-schema");
        createAccessControl.checkCanShowTables(ADMIN, "secret");
        createAccessControl.checkCanShowTables(ADMIN, "any");
        createAccessControl.checkCanShowTables(ALICE, "specific-schema");
        createAccessControl.checkCanShowTables(ALICE, "alice-schema");
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(ALICE, "bob-schema");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(ALICE, "secret");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(ALICE, "any");
        });
        createAccessControl.checkCanShowTables(BOB, "specific-schema");
        createAccessControl.checkCanShowTables(BOB, "bob-schema");
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(BOB, "alice-schema");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(BOB, "secret");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(BOB, "any");
        });
        createAccessControl.checkCanShowTables(CHARLIE, "specific-schema");
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(CHARLIE, "bob-schema");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(CHARLIE, "alice-schema");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(CHARLIE, "secret");
        });
        assertDenied(() -> {
            createAccessControl.checkCanShowTables(CHARLIE, "any");
        });
    }

    @Test
    public void testFunctionRulesForCheckCanExecute() {
        ConnectorAccessControl createAccessControl = createAccessControl("visibility.json");
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ADMIN, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"));
        });
        createAccessControl.checkCanExecuteFunction(ALICE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"));
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(BOB, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(CHARLIE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ADMIN, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ALICE, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ALICE, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(ALICE, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"));
        });
        createAccessControl.checkCanExecuteFunction(BOB, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"));
        createAccessControl.checkCanExecuteFunction(BOB, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"));
        createAccessControl.checkCanExecuteFunction(BOB, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"));
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(CHARLIE, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(CHARLIE, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanExecuteFunction(CHARLIE, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"));
        });
    }

    @Test
    public void testFunctionRulesForCheckCanGrantExecute() {
        ConnectorAccessControl createAccessControl = createAccessControl("visibility.json");
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, ADMIN.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true);
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, ADMIN.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(ALICE, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, ADMIN.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_table_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true);
        });
        assertDenied(() -> {
            createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.TABLE, new SchemaRoutineName("ptf_schema", "some_function"), new TrinoPrincipal(PrincipalType.USER, ADMIN.getIdentity().getUser()), true);
        });
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, ALICE.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, BOB.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.AGGREGATE, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.SCALAR, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true);
        createAccessControl.checkCanGrantExecuteFunctionPrivilege(BOB, FunctionKind.WINDOW, new SchemaRoutineName("any", "some_function"), new TrinoPrincipal(PrincipalType.USER, CHARLIE.getIdentity().getUser()), true);
    }

    @Test
    public void testInvalidRules() {
        Assertions.assertThatThrownBy(() -> {
            createAccessControl("invalid.json");
        }).hasMessageContaining("Failed to convert JSON tree node");
    }

    @Test
    public void testFilterSchemasWithJsonPointer() {
        assertFilterSchemas(createAccessControl(new File(getResourcePath("visibility-with-json-pointer.json")), ImmutableMap.of("security.json-pointer", "/data")));
    }

    @Test
    public void testSchemaAuthorization() {
        ConnectorAccessControl createAccessControl = createAccessControl("authorization-no-roles.json");
        String str = "test";
        String str2 = "owned_by_user";
        String str3 = "owned_by_group";
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(user("user", "group"), str, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
        createAccessControl.checkCanSetSchemaAuthorization(user("owner_authorized", "group"), "owned_by_user", new TrinoPrincipal(PrincipalType.USER, "new_user"));
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(user("owner_DENY_authorized", "group"), str2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(user("owner", "group"), str2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(user("owner_authorized", "group"), str2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
        createAccessControl.checkCanSetSchemaAuthorization(user("authorized", "owner"), "owned_by_group", new TrinoPrincipal(PrincipalType.USER, "new_user"));
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(user("DENY_authorized", "owner"), str3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(user("user", "owner"), str3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetSchemaAuthorization(user("authorized", "owner"), str3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
    }

    @Test
    public void testTableAuthorization() {
        ConnectorAccessControl createAccessControl = createAccessControl("authorization-no-roles.json");
        SchemaTableName schemaTableName = new SchemaTableName("test", "table");
        SchemaTableName schemaTableName2 = new SchemaTableName("test", "owned_by_user");
        SchemaTableName schemaTableName3 = new SchemaTableName("test", "owned_by_group");
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(user("user", "group"), schemaTableName, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
        createAccessControl.checkCanSetTableAuthorization(user("owner_authorized", "group"), schemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(user("owner", "group"), schemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(user("owner_authorized", "group"), schemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(user("owner_DENY_authorized", "group"), schemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(user("user", "owner"), schemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        createAccessControl.checkCanSetTableAuthorization(user("authorized", "owner"), schemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(user("authorized", "owner"), schemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetTableAuthorization(user("DENY_authorized", "owner"), schemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
    }

    @Test
    public void testViewAuthorization() {
        ConnectorAccessControl createAccessControl = createAccessControl("authorization-no-roles.json");
        SchemaTableName schemaTableName = new SchemaTableName("test", "table");
        SchemaTableName schemaTableName2 = new SchemaTableName("test", "owned_by_user");
        SchemaTableName schemaTableName3 = new SchemaTableName("test", "owned_by_group");
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(user("user", "group"), schemaTableName, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
        createAccessControl.checkCanSetViewAuthorization(user("owner_authorized", "group"), schemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(user("owner_DENY_authorized", "group"), schemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(user("owner", "group"), schemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(user("owner_authorized", "group"), schemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
        createAccessControl.checkCanSetViewAuthorization(user("authorized", "owner"), schemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(user("DENY_authorized", "owner"), schemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(user("user", "owner"), schemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        });
        assertDenied(() -> {
            createAccessControl.checkCanSetViewAuthorization(user("authorized", "owner"), schemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        });
    }

    @Test
    public void testEverythingImplemented() throws NoSuchMethodException {
        InterfaceTestUtils.assertAllMethodsOverridden(ConnectorAccessControl.class, FileBasedAccessControl.class);
    }

    @Test
    public void testRefreshing() throws Exception {
        File newTemporaryFile = Files.newTemporaryFile();
        newTemporaryFile.deleteOnExit();
        com.google.common.io.Files.copy(new File(getResourcePath("visibility.json")), newTemporaryFile);
        ConnectorAccessControl createAccessControl = createAccessControl(newTemporaryFile, ImmutableMap.of("security.refresh-period", "1ms"));
        createAccessControl.checkCanShowTables(ALICE, "alice-schema");
        createAccessControl.checkCanShowTables(ALICE, "alice-schema");
        createAccessControl.checkCanShowTables(ALICE, "alice-schema");
        com.google.common.io.Files.copy(new File(getResourcePath("no-access.json")), newTemporaryFile);
        Thread.sleep(2L);
        Assertions.assertThatThrownBy(() -> {
            createAccessControl.checkCanShowTables(ALICE, "alice-schema");
        }).hasMessageContaining("Access Denied");
        com.google.common.io.Files.copy(new File(getResourcePath("visibility.json")), newTemporaryFile);
        Thread.sleep(2L);
        createAccessControl.checkCanShowTables(ALICE, "alice-schema");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public ConnectorAccessControl createAccessControl(Map<String, String> map) {
        return (ConnectorAccessControl) new Bootstrap(new Module[]{new CatalogNameModule("test_catalog"), new FileBasedAccessControlModule()}).doNotInitializeLogging().setRequiredConfigurationProperties(map).initialize().getInstance(ConnectorAccessControl.class);
    }

    private ConnectorAccessControl createAccessControl(String str) {
        return createAccessControl(new File(getResourcePath(str)), ImmutableMap.of());
    }

    private String getResourcePath(String str) {
        return ((URL) Objects.requireNonNull(getClass().getClassLoader().getResource(str), "Resource does not exist: " + str)).getPath();
    }

    private static ConnectorSecurityContext user(String str, String str2) {
        return user(str, (Set<String>) ImmutableSet.of(str2));
    }

    private static ConnectorSecurityContext user(String str, Set<String> set) {
        return new ConnectorSecurityContext(new ConnectorTransactionHandle() { // from class: io.trino.plugin.base.security.BaseFileBasedConnectorAccessControlTest.1
        }, ConnectorIdentity.forUser(str).withGroups(set).build(), new QueryId("query_id"));
    }

    private static void assertDenied(Assert.ThrowingRunnable throwingRunnable) {
        Objects.requireNonNull(throwingRunnable);
        Assertions.assertThatThrownBy(throwingRunnable::run).isInstanceOf(AccessDeniedException.class).hasMessageStartingWith("Access Denied");
    }
}
