package io.trino.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.UnmodifiableIterator;
import com.google.inject.Key;
import com.google.inject.Scopes;
import com.google.inject.multibindings.OptionalBinder;
import io.trino.Session;
import io.trino.connector.MockConnectorFactory;
import io.trino.connector.MockConnectorPlugin;
import io.trino.connector.MockConnectorTableHandle;
import io.trino.metadata.QualifiedObjectName;
import io.trino.metadata.SystemSecurityMetadata;
import io.trino.plugin.base.security.AllowAllSystemAccessControl;
import io.trino.plugin.base.security.DefaultSystemAccessControl;
import io.trino.plugin.base.security.ForwardingSystemAccessControl;
import io.trino.plugin.blackhole.BlackHolePlugin;
import io.trino.plugin.jdbc.JdbcPlugin;
import io.trino.plugin.jdbc.TestingH2JdbcModule;
import io.trino.plugin.memory.MemoryPlugin;
import io.trino.plugin.tpch.TpchPlugin;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.ConnectorMaterializedViewDefinition;
import io.trino.spi.connector.ConnectorSession;
import io.trino.spi.connector.ConnectorViewDefinition;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.connector.SchemaTablePrefix;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.RoleGrant;
import io.trino.spi.security.SelectedRole;
import io.trino.spi.security.SystemAccessControl;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.session.PropertyMetadata;
import io.trino.spi.type.BigintType;
import io.trino.sql.query.QueryAssertions;
import io.trino.testing.AbstractTestQueryFramework;
import io.trino.testing.DataProviders;
import io.trino.testing.DistributedQueryRunner;
import io.trino.testing.QueryRunner;
import io.trino.testing.TestingAccessControlManager;
import io.trino.testing.TestingGroupProvider;
import io.trino.testing.TestingNames;
import io.trino.testing.TestingSession;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiFunction;
import java.util.stream.Collectors;
import org.assertj.core.api.Assertions;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

@Test(singleThreaded = true)
/* loaded from: input_file:io/trino/security/TestAccessControl.class */
public class TestAccessControl extends AbstractTestQueryFramework {
    private final AtomicReference<SystemAccessControl> systemAccessControl = new AtomicReference<>(new DefaultSystemAccessControl());
    private final TestingGroupProvider groupProvider = new TestingGroupProvider();
    private TestingSystemSecurityMetadata systemSecurityMetadata;

    /* loaded from: input_file:io/trino/security/TestAccessControl$DenySetPropertiesSystemAccessControl.class */
    private static final class DenySetPropertiesSystemAccessControl extends AllowAllSystemAccessControl {
        private DenySetPropertiesSystemAccessControl() {
        }

        public void checkCanCreateSchema(SystemSecurityContext systemSecurityContext, CatalogSchemaName catalogSchemaName, Map<String, Object> map) {
            checkProperties(map);
        }

        public void checkCanCreateTable(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Map<String, Object> map) {
            checkProperties(map);
        }

        public void checkCanCreateMaterializedView(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Map<String, Object> map) {
            checkProperties(map);
        }

        public void checkCanSetTableProperties(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Map<String, Optional<Object>> map) {
            checkProperties(map);
        }

        public void checkCanSetMaterializedViewProperties(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Map<String, Optional<Object>> map) {
            checkProperties(map);
        }

        private static void checkProperties(Map<?, ?> map) {
            if (!map.isEmpty()) {
                throw new AccessDeniedException("Cannot access properties: " + ((List) map.keySet().stream().map((v0) -> {
                    return v0.toString();
                }).sorted().collect(Collectors.toList())));
            }
        }
    }

    protected QueryRunner createQueryRunner() throws Exception {
        DistributedQueryRunner build = DistributedQueryRunner.builder(TestingSession.testSessionBuilder().setSource("test").setCatalog("blackhole").setSchema("default").build()).setAdditionalModule(binder -> {
            OptionalBinder.newOptionalBinder(binder, SystemSecurityMetadata.class).setBinding().to(TestingSystemSecurityMetadata.class).in(Scopes.SINGLETON);
        }).setNodeCount(1).setSystemAccessControl(new ForwardingSystemAccessControl() { // from class: io.trino.security.TestAccessControl.1
            protected SystemAccessControl delegate() {
                return TestAccessControl.this.systemAccessControl.get();
            }
        }).build();
        build.getGroupProvider().setConfiguredGroupProvider(this.groupProvider);
        build.installPlugin(new BlackHolePlugin());
        build.createCatalog("blackhole", "blackhole");
        build.installPlugin(new MemoryPlugin());
        build.createCatalog("memory", "memory", Map.of());
        build.installPlugin(new TpchPlugin());
        build.createCatalog("tpch", "tpch");
        build.installPlugin(new MockConnectorPlugin(MockConnectorFactory.builder().withGetTableHandle((connectorSession, schemaTableName) -> {
            if (schemaTableName.getTableName().startsWith("new")) {
                return null;
            }
            return new MockConnectorTableHandle(schemaTableName);
        }).withGetViews((connectorSession2, schemaTablePrefix) -> {
            return ImmutableMap.of(new SchemaTableName("default", "test_view_definer"), new ConnectorViewDefinition("SELECT 1 AS test", Optional.of("mock"), Optional.of("default"), ImmutableList.of(new ConnectorViewDefinition.ViewColumn("test", BigintType.BIGINT.getTypeId(), Optional.empty())), Optional.of("comment"), Optional.of("admin"), false), new SchemaTableName("default", "test_view_invoker"), new ConnectorViewDefinition("SELECT 1 AS test", Optional.of("mock"), Optional.of("default"), ImmutableList.of(new ConnectorViewDefinition.ViewColumn("test", BigintType.BIGINT.getTypeId(), Optional.empty())), Optional.of("comment"), Optional.empty(), true));
        }).withGetMaterializedViews(new BiFunction<ConnectorSession, SchemaTablePrefix, Map<SchemaTableName, ConnectorMaterializedViewDefinition>>() { // from class: io.trino.security.TestAccessControl.2
            @Override // java.util.function.BiFunction
            public Map<SchemaTableName, ConnectorMaterializedViewDefinition> apply(ConnectorSession connectorSession3, SchemaTablePrefix schemaTablePrefix2) {
                return ImmutableMap.of(new SchemaTableName("default", "test_materialized_view"), new ConnectorMaterializedViewDefinition("SELECT 1 AS test", Optional.empty(), Optional.empty(), Optional.empty(), ImmutableList.of(new ConnectorMaterializedViewDefinition.Column("test", BigintType.BIGINT.getTypeId())), Optional.of("comment"), Optional.of("owner"), ImmutableMap.of()));
            }
        }).withListRoleGrants((connectorSession3, optional, optional2, optionalLong) -> {
            return ImmutableSet.of(new RoleGrant(new TrinoPrincipal(PrincipalType.USER, "alice"), "alice_role", false));
        }).withAnalyzeProperties(() -> {
            return ImmutableList.of(PropertyMetadata.integerProperty("another_property", "description", 0, false), PropertyMetadata.integerProperty("integer_analyze_property", "description", 0, false));
        }).withGetMaterializedViewProperties(() -> {
            return ImmutableList.of(PropertyMetadata.integerProperty("another_property", "description", 0, false), PropertyMetadata.stringProperty("string_materialized_view_property", "description", "", false));
        }).withSchemaProperties(() -> {
            return ImmutableList.of(PropertyMetadata.integerProperty("another_property", "description", 0, false), PropertyMetadata.booleanProperty("boolean_schema_property", "description", false, false));
        }).withTableProperties(() -> {
            return ImmutableList.of(PropertyMetadata.integerProperty("another_property", "description", 0, false), PropertyMetadata.doubleProperty("double_table_property", "description", Double.valueOf(0.0d), false));
        }).withColumnProperties(() -> {
            return ImmutableList.of(PropertyMetadata.integerProperty("another_property", "description", 0, false), PropertyMetadata.stringProperty("string_column_property", "description", "", false));
        }).build()));
        build.createCatalog("mock", "mock");
        build.installPlugin(new JdbcPlugin("base_jdbc", new TestingH2JdbcModule()));
        build.createCatalog("jdbc", "base_jdbc", TestingH2JdbcModule.createProperties());
        UnmodifiableIterator it = ImmutableList.of("orders", "nation", "region", "lineitem").iterator();
        while (it.hasNext()) {
            build.execute(String.format("CREATE TABLE %1$s AS SELECT * FROM tpch.tiny.%1$s WITH NO DATA", (String) it.next()));
        }
        this.systemSecurityMetadata = (TestingSystemSecurityMetadata) build.getCoordinator().getInstance(Key.get(SystemSecurityMetadata.class));
        return build;
    }

    @BeforeMethod
    public void reset() {
        this.systemAccessControl.set(new DefaultSystemAccessControl());
        ((TestingSystemSecurityMetadata) Objects.requireNonNull(this.systemSecurityMetadata, "systemSecurityMetadata is null")).reset();
        getQueryRunner().getAccessControl().reset();
        this.groupProvider.reset();
    }

    @Test
    public void testAccessControl() {
        assertAccessDenied("SELECT * FROM orders", "Cannot execute query", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("query", TestingAccessControlManager.TestingPrivilegeType.EXECUTE_QUERY)});
        assertAccessDenied("INSERT INTO orders SELECT * FROM orders", "Cannot insert into table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.INSERT_TABLE)});
        assertAccessDenied("DELETE FROM orders", "Cannot delete from table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.DELETE_TABLE)});
        assertAccessDenied("TRUNCATE TABLE orders", "Cannot truncate table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.TRUNCATE_TABLE)});
        assertAccessDenied("CREATE TABLE foo AS SELECT * FROM orders", "Cannot create table .*.foo.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("foo", TestingAccessControlManager.TestingPrivilegeType.CREATE_TABLE)});
        assertAccessDenied("ALTER TABLE orders SET PROPERTIES field_length = 32", "Cannot set table properties to .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SET_TABLE_PROPERTIES)});
        assertAccessDenied("ALTER TABLE orders ALTER COLUMN orderkey SET DATA TYPE char(100)", "Cannot alter a column for table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.ALTER_COLUMN)});
        assertAccessDenied("SELECT * FROM nation", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT * FROM (SELECT * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT name FROM (SELECT * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT name FROM nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT n1.nationkey, n2.regionkey FROM nation n1, nation n2", "Cannot select from columns \\[nationkey, regionkey] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT count(name) as c FROM nation where comment > 'abc' GROUP BY regionkey having max(nationkey) > 10", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT 1 FROM region, nation where region.regionkey = nation.nationkey", "Cannot select from columns \\[nationkey] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT count(*) FROM nation", "Cannot select from columns \\[] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("WITH t1 AS (SELECT * FROM nation) SELECT * FROM t1", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT name AS my_alias FROM nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("my_alias", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT my_alias from (SELECT name AS my_alias FROM nation)", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("my_alias", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT name AS my_alias FROM nation", "Cannot select from columns \\[name] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.name", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT 1 FROM mock.default.test_materialized_view", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT 1 FROM mock.default.test_materialized_view", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_materialized_view", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT * FROM mock.default.test_materialized_view", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT * FROM mock.default.test_materialized_view", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_materialized_view", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT 1 FROM mock.default.test_view_definer", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT 1 FROM mock.default.test_view_definer", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_view_definer", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT * FROM mock.default.test_view_definer", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT * FROM mock.default.test_view_definer", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_view_definer", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT 1 FROM mock.default.test_view_invoker", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT 1 FROM mock.default.test_view_invoker", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_view_invoker", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT * FROM mock.default.test_view_invoker", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT * FROM mock.default.test_view_invoker", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_view_invoker", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT count(*) FROM mock.default.test_materialized_view", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT count(*) FROM mock.default.test_materialized_view", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_materialized_view", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT count(*) FROM mock.default.test_view_invoker", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT count(*) FROM mock.default.test_view_invoker", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_view_invoker", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SELECT count(*) FROM mock.default.test_view_definer", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT count(*) FROM mock.default.test_view_definer", "Cannot select from columns.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_view_definer", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT orders.custkey, lineitem.quantity FROM orders JOIN lineitem USING (orderkey)", "Cannot select from columns \\[orderkey, custkey] in table .*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders.orderkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT orders.custkey, lineitem.quantity FROM orders JOIN lineitem USING (orderkey)", "Cannot select from columns \\[orderkey, quantity] in table .*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("lineitem.orderkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW CREATE TABLE orders", "Cannot show create table for .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SHOW_CREATE_TABLE)});
        assertAccessAllowed("SHOW CREATE TABLE lineitem", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SHOW_CREATE_TABLE)});
        assertAccessDenied("SELECT abs(1)", "Cannot execute function abs", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("abs", TestingAccessControlManager.TestingPrivilegeType.EXECUTE_FUNCTION)});
        assertAccessAllowed("SELECT abs(1)", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("max", TestingAccessControlManager.TestingPrivilegeType.EXECUTE_FUNCTION)});
        assertAccessAllowed("SHOW STATS FOR lineitem", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessAllowed("SHOW STATS FOR lineitem", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("SHOW STATS FOR (SELECT * FROM lineitem)", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessAllowed("SHOW STATS FOR (SELECT * FROM lineitem)", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table or view .*.nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT nationkey FROM nation)", "Cannot select from columns \\[nationkey] in table or view .*.nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT nationkey FROM nation)", "Cannot select from columns \\[nationkey] in table or view .*.nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT *, nationkey FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table or view .*.nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT *, * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table or view .*.nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT linenumber, orderkey FROM lineitem)", "Cannot select from columns \\[linenumber, orderkey] in table or view .*.lineitem.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("lineitem", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT linenumber, orderkey, quantity FROM lineitem)", "Cannot select from columns \\[linenumber, orderkey, quantity] in table or view .*.lineitem.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("lineitem.linenumber", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN), TestingAccessControlManager.privilege("lineitem.orderkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT nationkey FROM nation)", "Cannot select from columns \\[nationkey] in table or view .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SHOW STATS FOR (SELECT * FROM nation)", "Cannot select from columns \\[nationkey, regionkey, name, comment] in table or view .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
    }

    @Test
    public void testViewColumnAccessControl() {
        Session build = TestingSession.testSessionBuilder().setIdentity(Identity.ofUser("test_view_access_owner")).setCatalog(getSession().getCatalog()).setSchema(getSession().getSchema()).build();
        String str = "test_view_column_access_" + TestingNames.randomNameSuffix();
        assertAccessAllowed(build, "CREATE VIEW " + str + " AS SELECT * FROM orders", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        assertAccessDenied("SELECT * FROM " + str, "View owner does not have sufficient privileges: View owner 'test_view_access_owner' cannot create view that selects from \\w+.\\w+.orders\\w*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(build.getUser(), "orders", TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        assertAccessAllowed(build, "SELECT * FROM " + str, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(build.getUser(), "orders", TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        assertAccessAllowed("SELECT * FROM " + str, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(getSession().getUser(), "orders", TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        assertAccessAllowed("SELECT * FROM " + str, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(getSession().getUser(), "orders", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        Session build2 = TestingSession.testSessionBuilder().setIdentity(Identity.ofUser("test_nested_view_access_owner")).setCatalog(getSession().getCatalog()).setSchema(getSession().getSchema()).build();
        String str2 = "test_nested_view_column_access_" + TestingNames.randomNameSuffix();
        assertAccessAllowed(build2, "CREATE VIEW " + str2 + " AS SELECT * FROM " + str, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str, TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        assertAccessDenied("SELECT * FROM " + str2, "View owner does not have sufficient privileges: View owner 'test_nested_view_access_owner' cannot create view that selects from \\w+.\\w+.test_view_column_access\\w*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(build2.getUser(), str, TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        assertAccessAllowed("SELECT * FROM " + str2, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(getSession().getUser(), str, TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        assertAccessAllowed("SELECT * FROM " + str2, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(getSession().getUser(), str, TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        String str3 = "test_invoker_view_column_access_" + TestingNames.randomNameSuffix();
        assertAccessAllowed(build, "CREATE VIEW " + str3 + " SECURITY INVOKER AS SELECT * FROM orders", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        assertAccessAllowed("SELECT * FROM " + str3, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(build.getUser(), "orders", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("SELECT * FROM " + str3, "Cannot select from columns \\[.*] in table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(getSession().getUser(), "orders", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        getQueryRunner().getAccessControl().denyIdentityTable((identity, str4) -> {
            return identity.getGroups().contains("testgroup") || !"orders".equals(str4);
        });
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute(getSession(), "SELECT * FROM " + str);
        }).hasMessageMatching("Access Denied: View owner does not have sufficient privileges: View owner 'test_view_access_owner' cannot create view that selects from \\w+.\\w+.orders");
        this.groupProvider.setUserGroups(ImmutableMap.of(build.getUser(), ImmutableSet.of("testgroup")));
        getQueryRunner().execute(getSession(), "SELECT * FROM " + str);
        assertAccessDenied("SHOW CREATE VIEW " + str2, "Cannot show create table for .*test_nested_view_column_access.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str2, TestingAccessControlManager.TestingPrivilegeType.SHOW_CREATE_TABLE)});
        assertAccessAllowed("SHOW CREATE VIEW " + str2, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("test_denied_access_view", TestingAccessControlManager.TestingPrivilegeType.SHOW_CREATE_TABLE)});
        assertAccessAllowed(build2, "DROP VIEW " + str2, new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessAllowed(build, "DROP VIEW " + str, new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessAllowed(build, "DROP VIEW " + str3, new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testViewOwnersRoleGrants() {
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "view_owner");
        String str = "test_view_column_access_" + TestingNames.randomNameSuffix();
        this.systemSecurityMetadata.grantRoles(getSession(), Set.of("view_owner_role"), Set.of(trinoPrincipal), false, Optional.empty());
        this.systemSecurityMetadata.setViewOwner(getSession(), new CatalogSchemaTableName("blackhole", "default", str), trinoPrincipal);
        Session build = TestingSession.testSessionBuilder().setIdentity(Identity.forUser("view_owner").withEnabledRoles(Set.of("view_owner_role")).build()).setCatalog(getSession().getCatalog()).setSchema(getSession().getSchema()).build();
        assertAccessAllowed(build, "CREATE VIEW " + str + " AS SELECT * FROM orders", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        getQueryRunner().getAccessControl().denyIdentityTable((identity, str2) -> {
            return (identity.getEnabledRoles().contains("view_owner_role_without_access") && "orders".equals(str2)) ? false : true;
        });
        this.systemSecurityMetadata.grantRoles(getSession(), Set.of("view_owner_role_without_access"), Set.of(trinoPrincipal), false, Optional.empty());
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute(build, "SELECT * FROM " + str);
        }).hasMessageMatching("Access Denied: Cannot select from columns \\[.*] in table or view \\w+\\.\\w+\\.orders");
        this.systemSecurityMetadata.revokeRoles(getSession(), Set.of("view_owner_role_without_access"), Set.of(trinoPrincipal), false, Optional.empty());
        getQueryRunner().execute(build, "SELECT * FROM " + str);
        assertAccessAllowed(build, "DROP VIEW " + str, new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testJoinBaseTableWithView() {
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "view_owner");
        String str = "test_join_base_table_with_view_" + TestingNames.randomNameSuffix();
        this.systemSecurityMetadata.grantRoles(getSession(), Set.of("view_owner_role"), Set.of(trinoPrincipal), false, Optional.empty());
        this.systemSecurityMetadata.setViewOwner(getSession(), new CatalogSchemaTableName("blackhole", "default", str), trinoPrincipal);
        Session build = TestingSession.testSessionBuilder().setIdentity(Identity.forUser("view_owner").withEnabledRoles(Set.of("view_owner_role")).build()).setCatalog(getSession().getCatalog()).setSchema(getSession().getSchema()).build();
        assertAccessAllowed(build, "CREATE VIEW " + str + " AS SELECT * FROM orders", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW_WITH_SELECT_COLUMNS)});
        getQueryRunner().getAccessControl().denyIdentityTable((identity, str2) -> {
            return (identity.getEnabledRoles().contains("view_owner_role_without_access") && "orders".equals(str2)) ? false : true;
        });
        this.systemSecurityMetadata.grantRoles(getSession(), Set.of("view_owner_role_without_access"), Set.of(trinoPrincipal), false, Optional.empty());
        getQueryRunner().execute(build, "SELECT * FROM orders");
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute(build, "SELECT * FROM " + str);
        }).hasMessageMatching("Access Denied: Cannot select from columns \\[.*] in table or view \\w+\\.\\w+\\.orders");
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute(build, "SELECT * FROM orders, " + str);
        }).hasMessageMatching("Access Denied: Cannot select from columns \\[.*] in table or view \\w+\\.\\w+\\.orders");
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute(build, "SELECT * FROM %s, orders".formatted(str));
        }).hasMessageMatching("Access Denied: Cannot select from columns \\[.*] in table or view \\w+\\.\\w+\\.orders");
        assertAccessAllowed(build, "DROP VIEW " + str, new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testViewFunctionAccessControl() {
        Session build = TestingSession.testSessionBuilder().setIdentity(Identity.ofUser("test_view_access_owner")).setCatalog(getSession().getCatalog()).setSchema(getSession().getSchema()).build();
        String str = "test_view_function_access_" + TestingNames.randomNameSuffix();
        assertAccessAllowed(build, "CREATE VIEW " + str + " AS SELECT abs(1) AS c", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("abs", TestingAccessControlManager.TestingPrivilegeType.GRANT_EXECUTE_FUNCTION)});
        assertAccessDenied("SELECT * FROM " + str, "View owner does not have sufficient privileges: 'test_view_access_owner' cannot grant 'abs' execution to user '\\w*'", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(build.getUser(), "abs", TestingAccessControlManager.TestingPrivilegeType.GRANT_EXECUTE_FUNCTION)});
        assertAccessAllowed("SELECT * FROM " + str, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(getSession().getUser(), "abs", TestingAccessControlManager.TestingPrivilegeType.EXECUTE_FUNCTION)});
        String str2 = "test_invoker_view_function_access_" + TestingNames.randomNameSuffix();
        assertAccessAllowed(build, "CREATE VIEW " + str2 + " SECURITY INVOKER AS SELECT abs(1) AS c", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("abs", TestingAccessControlManager.TestingPrivilegeType.GRANT_EXECUTE_FUNCTION)});
        assertAccessAllowed("SELECT * FROM " + str2, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(build.getUser(), "abs", TestingAccessControlManager.TestingPrivilegeType.EXECUTE_FUNCTION)});
        assertAccessDenied("SELECT * FROM " + str2, "Cannot execute function abs", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(getSession().getUser(), "abs", TestingAccessControlManager.TestingPrivilegeType.EXECUTE_FUNCTION)});
        assertAccessAllowed(build, "DROP VIEW " + str, new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessAllowed(build, "DROP VIEW " + str2, new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testFunctionAccessControl() {
        assertAccessDenied("SELECT reverse('a')", "Cannot execute function reverse", new TestingAccessControlManager.TestingPrivilege[]{new TestingAccessControlManager.TestingPrivilege(Optional.empty(), "reverse", TestingAccessControlManager.TestingPrivilegeType.EXECUTE_FUNCTION)});
        TestingAccessControlManager.TestingPrivilege testingPrivilege = new TestingAccessControlManager.TestingPrivilege(Optional.empty(), str -> {
            return !str.equals("reverse");
        }, TestingAccessControlManager.TestingPrivilegeType.EXECUTE_FUNCTION);
        assertAccessAllowed("SELECT reverse('a')", new TestingAccessControlManager.TestingPrivilege[]{testingPrivilege});
        assertAccessDenied("SELECT concat('a', 'b')", "Cannot execute function concat", new TestingAccessControlManager.TestingPrivilege[]{testingPrivilege});
    }

    @Test
    public void testTableFunctionRequiredColumns() {
        assertAccessDenied("SELECT * FROM TABLE(exclude_columns(TABLE(nation), descriptor(regionkey, comment)))", "Cannot select from columns \\[nationkey, name] in table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
    }

    @Test
    public void testAnalyzeAccessControl() {
        assertAccessAllowed("ANALYZE nation", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ANALYZE nation", "Cannot ANALYZE \\(missing insert privilege\\) table .*.nation.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation", TestingAccessControlManager.TestingPrivilegeType.INSERT_TABLE)});
        assertAccessDenied("ANALYZE nation", "Cannot select from columns \\[.*] in table or view .*.nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessDenied("ANALYZE nation", "Cannot select from columns \\[.*nationkey.*] in table or view .*.nation", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.nationkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
    }

    @Test
    public void testMetadataFilterColumns() {
        getQueryRunner().getAccessControl().deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("nation.regionkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        ((QueryAssertions.QueryAssert) Assertions.assertThat(query("SELECT column_name FROM information_schema.columns WHERE table_catalog = CURRENT_CATALOG AND table_schema = CURRENT_SCHEMA and table_name = 'nation'"))).matches("VALUES VARCHAR 'nationkey', 'name', 'comment'");
        ((QueryAssertions.QueryAssert) Assertions.assertThat(query("SELECT column_name FROM system.jdbc.columns WHERE table_cat = CURRENT_CATALOG AND table_schem = CURRENT_SCHEMA and table_name = 'nation'"))).matches("VALUES VARCHAR 'nationkey', 'name', 'comment'");
    }

    @Test
    public void testCommentView() {
        String str = "comment_view" + TestingNames.randomNameSuffix();
        assertUpdate("CREATE VIEW " + str + " COMMENT 'old comment' AS SELECT * FROM orders");
        assertAccessDenied("COMMENT ON VIEW " + str + " IS 'new comment'", "Cannot comment view to .*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str, TestingAccessControlManager.TestingPrivilegeType.COMMENT_VIEW)});
        assertAccessAllowed("COMMENT ON VIEW " + str + " IS 'new comment'", new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test(dataProviderClass = DataProviders.class, dataProvider = "trueFalse")
    public void testViewWithTableFunction(boolean z) {
        Session session = getSession();
        Session build = Session.builder(getSession()).setIdentity(Identity.ofUser(getSession().getUser() + "-someone-else")).build();
        assertUpdate(session, "CREATE VIEW " + "memory.default.definer_view_with_ptf" + " SECURITY " + (z ? "DEFINER" : "INVOKER") + " AS SELECT * FROM TABLE (jdbc.system.query('SELECT ''from h2'', monthname(CAST(''2005-09-10'' AS date))'))");
        ((QueryAssertions.QueryAssert) Assertions.assertThat(query(session, "TABLE " + "memory.default.definer_view_with_ptf"))).matches("VALUES ('from h2', 'September') ");
        ((QueryAssertions.QueryAssert) Assertions.assertThat(query(build, "TABLE " + "memory.default.definer_view_with_ptf"))).matches("VALUES ('from h2', 'September') ");
        TestingAccessControlManager.TestingPrivilege privilege = TestingAccessControlManager.privilege("jdbc.system.query", TestingAccessControlManager.TestingPrivilegeType.GRANT_EXECUTE_FUNCTION);
        assertAccessAllowed(session, "TABLE " + "memory.default.definer_view_with_ptf", new TestingAccessControlManager.TestingPrivilege[]{privilege});
        if (z) {
            assertAccessDenied(build, "TABLE " + "memory.default.definer_view_with_ptf", "View owner does not have sufficient privileges: 'user' cannot grant 'jdbc.system.query' execution to user 'user-someone-else'", new TestingAccessControlManager.TestingPrivilege[]{privilege});
        } else {
            assertAccessAllowed(build, "TABLE " + "memory.default.definer_view_with_ptf", new TestingAccessControlManager.TestingPrivilege[]{privilege});
        }
        assertUpdate("DROP VIEW " + "memory.default.definer_view_with_ptf");
    }

    @Test
    public void testCommentColumnView() {
        String str = "comment_view" + TestingNames.randomNameSuffix();
        assertUpdate("CREATE VIEW " + str + " AS SELECT * FROM orders");
        assertAccessDenied("COMMENT ON COLUMN " + str + ".orderkey IS 'new order key comment'", "Cannot comment column to .*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str, TestingAccessControlManager.TestingPrivilegeType.COMMENT_COLUMN)});
        assertUpdate(getSession(), "COMMENT ON COLUMN " + str + ".orderkey IS 'new comment'");
    }

    @Test
    public void testCommentColumnMaterializedView() {
        String str = "comment_materialized_view" + TestingNames.randomNameSuffix();
        assertUpdate("CREATE MATERIALIZED VIEW mock.default." + str + " AS SELECT * FROM orders");
        assertAccessDenied("COMMENT ON COLUMN mock.default." + str + ".column_0 IS 'new comment'", "Cannot comment column to .*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str, TestingAccessControlManager.TestingPrivilegeType.COMMENT_COLUMN)});
        assertUpdate(getSession(), "COMMENT ON COLUMN mock.default." + str + ".column_0 IS 'new comment'");
    }

    @Test
    public void testSetColumnType() {
        String str = "test_set_colun_type" + TestingNames.randomNameSuffix();
        assertUpdate("CREATE TABLE " + str + " AS SELECT * FROM orders", 0L);
        assertAccessDenied("ALTER TABLE " + str + " ALTER COLUMN orderkey SET DATA TYPE char(100)", "Cannot alter a column for table .*." + str + ".*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str, TestingAccessControlManager.TestingPrivilegeType.ALTER_COLUMN)});
        assertAccessAllowed("ALTER TABLE " + str + " ALTER COLUMN orderkey SET DATA TYPE char(100)", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str + ".orderkey", TestingAccessControlManager.TestingPrivilegeType.ALTER_COLUMN)});
    }

    @Test
    public void testSetTableProperties() {
        assertAccessDenied("ALTER TABLE orders SET PROPERTIES field_length = 32", "Cannot set table properties to .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SET_TABLE_PROPERTIES)});
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute(getSession(), "ALTER TABLE orders SET PROPERTIES field_length = 32");
        }).hasMessageContaining("This connector does not support setting table properties");
    }

    @Test
    public void testDeleteAccessControl() {
        assertAccessDenied("DELETE FROM orders WHERE orderkey < 12", "Cannot select from columns \\[orderkey] in table or view .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders.orderkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("DELETE FROM orders WHERE orderkey < 12", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders.orderdate", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("DELETE FROM orders", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
    }

    @Test
    public void testTruncateAccessControl() {
        assertAccessAllowed("TRUNCATE TABLE orders", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
    }

    @Test
    public void testUpdateAccessControl() {
        assertAccessDenied("UPDATE orders SET orderkey=123", "Cannot update columns \\[orderkey] in table .*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.UPDATE_TABLE)});
        assertAccessDenied("UPDATE orders SET orderkey=123 WHERE custkey < 12", "Cannot select from columns \\[custkey] in table or view .*.default.orders", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders.custkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertAccessAllowed("UPDATE orders SET orderkey=123", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
    }

    @Test
    public void testMergeAccessControl() {
        String str = (String) getSession().getCatalog().orElseThrow();
        String str2 = (String) getSession().getSchema().orElseThrow();
        String str3 = "merge_nation_target_" + TestingNames.randomNameSuffix();
        String format = String.format("%s.%s.%s", str, str2, str3);
        String str4 = "merge_nation_source_" + TestingNames.randomNameSuffix();
        String format2 = String.format("%s.%s.%s", str, str2, str4);
        assertUpdate(String.format("CREATE TABLE %s (nation_name VARCHAR, region_name VARCHAR)", str3));
        assertUpdate(String.format("CREATE TABLE %s (nation_name VARCHAR, region_name VARCHAR)", str4));
        String str5 = String.format("MERGE INTO %s t USING %s s", str3, str4) + "    ON (t.nation_name = s.nation_name)";
        UnmodifiableIterator it = ImmutableList.of("    WHEN MATCHED AND t.nation_name > (SELECT name FROM tpch.tiny.region WHERE name = t.region_name AND name LIKE ('A%'))        THEN DELETE", "    WHEN MATCHED AND t.nation_name = 'GERMANY'        THEN UPDATE SET nation_name = concat(s.nation_name, '_foo')", "    WHEN NOT MATCHED AND s.region_name = 'EUROPE'        THEN INSERT VALUES(s.nation_name, (SELECT 'EUROPE'))").iterator();
        while (it.hasNext()) {
            assertAccessDenied(str5 + ((String) it.next()), "Cannot select from columns .* in table or view " + format2, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str4, TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        }
        UnmodifiableIterator it2 = ImmutableList.of("    WHEN MATCHED AND t.nation_name > (SELECT name FROM tpch.tiny.region WHERE name = t.region_name AND name LIKE ('A%'))        THEN DELETE", "    WHEN MATCHED AND t.nation_name = 'GERMANY'        THEN UPDATE SET nation_name = concat(s.nation_name, '_foo')", "    WHEN NOT MATCHED AND s.region_name = 'EUROPE'        THEN INSERT VALUES(s.nation_name, (SELECT 'EUROPE'))").iterator();
        while (it2.hasNext()) {
            assertAccessDenied(str5 + ((String) it2.next()), "Cannot select from columns .* in table or view " + format, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str3, TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        }
        assertAccessDenied(str5 + "    WHEN NOT MATCHED AND s.region_name = 'EUROPE'        THEN INSERT VALUES(s.nation_name, (SELECT 'EUROPE'))", "Cannot insert into table " + format, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str3, TestingAccessControlManager.TestingPrivilegeType.INSERT_TABLE)});
        assertAccessDenied(str5 + "    WHEN MATCHED AND t.nation_name > (SELECT name FROM tpch.tiny.region WHERE name = t.region_name AND name LIKE ('A%'))        THEN DELETE", "Cannot delete from table " + format, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str3, TestingAccessControlManager.TestingPrivilegeType.DELETE_TABLE)});
        assertAccessDenied(str5 + "    WHEN MATCHED AND t.nation_name = 'GERMANY'        THEN UPDATE SET nation_name = concat(s.nation_name, '_foo')", "Cannot update columns \\[nation_name] in table " + format, new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str3, TestingAccessControlManager.TestingPrivilegeType.UPDATE_TABLE)});
        assertAccessAllowed("MERGE INTO orders o USING region r ON (o.orderkey = r.regionkey)\nWHEN MATCHED AND o.orderkey % 2 = 0 THEN DELETE\nWHEN MATCHED AND o.orderkey % 2 = 1 THEN UPDATE SET orderkey = null\nWHEN NOT MATCHED THEN INSERT VALUES (null, null, null, null, null, null, null, null, null)\n", new TestingAccessControlManager.TestingPrivilege[0]);
        assertUpdate("DROP TABLE " + str4);
        assertUpdate("DROP TABLE " + str3);
    }

    @Test
    public void testNonQueryAccessControl() {
        assertAccessDenied("SET SESSION query_max_memory = '10MB'", "Cannot set system session property query_max_memory", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("query_max_memory", TestingAccessControlManager.TestingPrivilegeType.SET_SESSION)});
        assertAccessDenied("CREATE TABLE foo (pk bigint)", "Cannot create table .*.foo.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("foo", TestingAccessControlManager.TestingPrivilegeType.CREATE_TABLE)});
        assertAccessDenied("DROP TABLE orders", "Cannot drop table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.DROP_TABLE)});
        assertAccessDenied("ALTER TABLE orders RENAME TO foo", "Cannot rename table .*.orders.* to .*.foo.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.RENAME_TABLE)});
        assertAccessDenied("ALTER TABLE orders SET PROPERTIES field_length = 32", "Cannot set table properties to .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SET_TABLE_PROPERTIES)});
        assertAccessDenied("ALTER TABLE orders ADD COLUMN foo bigint", "Cannot add a column to table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.ADD_COLUMN)});
        assertAccessDenied("ALTER TABLE orders DROP COLUMN foo", "Cannot drop a column from table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.DROP_COLUMN)});
        assertAccessDenied("ALTER TABLE orders RENAME COLUMN orderkey TO foo", "Cannot rename a column in table .*.orders.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.RENAME_COLUMN)});
        assertAccessDenied("CREATE VIEW foo as SELECT * FROM orders", "Cannot create view .*.foo.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("foo", TestingAccessControlManager.TestingPrivilegeType.CREATE_VIEW)});
        assertAccessDenied("CREATE MATERIALIZED VIEW foo as SELECT * FROM orders", "Cannot create materialized view .*.foo.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("foo", TestingAccessControlManager.TestingPrivilegeType.CREATE_MATERIALIZED_VIEW)});
        try {
            assertAccessDenied("SELECT 1", "Principal .* cannot become user " + getSession().getUser() + ".*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(getSession().getUser(), TestingAccessControlManager.TestingPrivilegeType.SET_USER)});
        } catch (AssertionError e) {
            io.airlift.testing.Assertions.assertContains(e.getMessage(), "statusCode=403");
        }
    }

    @Test
    public void testDescribe() {
        assertAccessDenied("DESCRIBE orders", "Cannot show columns of table default.orders", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders", TestingAccessControlManager.TestingPrivilegeType.SHOW_COLUMNS)});
        getQueryRunner().getAccessControl().deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("orders.orderkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertQuery("DESCRIBE orders", "VALUES ('custkey', 'bigint', '', ''),('orderstatus', 'varchar(1)', '', ''),('totalprice', 'double', '', ''),('orderdate', 'date', '', ''),('orderpriority', 'varchar(15)', '', ''),('clerk', 'varchar(15)', '', ''),('shippriority', 'integer', '', ''),('comment', 'varchar(79)', '', '')");
    }

    @Test
    public void testDescribeForViews() {
        String str = "describe_orders_view" + TestingNames.randomNameSuffix();
        assertUpdate("CREATE VIEW " + str + " AS SELECT * FROM orders");
        assertAccessDenied("DESCRIBE " + str, "Cannot show columns of table default.*", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str, TestingAccessControlManager.TestingPrivilegeType.SHOW_COLUMNS)});
        getQueryRunner().getAccessControl().deny(new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(str + ".orderkey", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
        assertQuery("DESCRIBE " + str, "VALUES ('custkey', 'bigint', '', ''),('orderstatus', 'varchar(1)', '', ''),('totalprice', 'double', '', ''),('orderdate', 'date', '', ''),('orderpriority', 'varchar(15)', '', ''),('clerk', 'varchar(15)', '', ''),('shippriority', 'integer', '', ''),('comment', 'varchar(79)', '', '')");
        assertUpdate("DROP VIEW " + str);
    }

    @Test
    public void testNoCatalogIsNeededInSessionForShowRoles() {
        Session build = TestingSession.testSessionBuilder().setIdentity(Identity.forUser("alice").withConnectorRoles(ImmutableMap.of("mock", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("alice_role")))).build()).build();
        assertQuery(build, "SHOW ROLES IN mock", "VALUES 'alice_role'");
        assertQuery(build, "SHOW ROLE GRANTS IN mock", "VALUES 'alice_role'");
        assertQuery(build, "SHOW CURRENT ROLES FROM mock", "VALUES 'alice_role'");
        assertQuery(build, "SELECT * FROM mock.information_schema.applicable_roles", "SELECT 'alice', 'USER', 'alice_role', 'NO'");
    }

    @Test
    public void testShowRolesWithLegacyCatalogRoles() {
        Session build = TestingSession.testSessionBuilder().setCatalog("mock").setIdentity(Identity.forUser("alice").withConnectorRoles(ImmutableMap.of("mock", new SelectedRole(SelectedRole.Type.ROLE, Optional.of("alice_role")))).build()).setSystemProperty("legacy_catalog_roles", "true").build();
        assertQuery(build, "SHOW ROLES", "VALUES 'alice_role'");
        assertQuery(build, "SHOW ROLE GRANTS", "VALUES 'alice_role'");
        assertQuery(build, "SHOW CURRENT ROLES", "VALUES 'alice_role'");
        assertQuery(build, "SELECT * FROM mock.information_schema.applicable_roles", "SELECT 'alice', 'USER', 'alice_role', 'NO'");
    }

    @Test
    public void testEmptyRoles() {
        assertQueryReturnsEmptyResult("SHOW ROLES");
        assertQueryReturnsEmptyResult("SHOW ROLE GRANTS");
        assertQueryReturnsEmptyResult("SHOW CURRENT ROLES");
        assertQueryReturnsEmptyResult("SELECT * FROM information_schema.applicable_roles");
    }

    @Test
    public void testSetViewAuthorizationWithSecurityDefiner() {
        assertQuerySucceeds("ALTER VIEW mock.default.test_view_definer SET AUTHORIZATION some_other_user");
    }

    @Test
    public void testSetViewAuthorizationWithSecurityInvoker() {
        assertQuerySucceeds("ALTER VIEW mock.default.test_view_invoker SET AUTHORIZATION some_other_user");
    }

    @Test
    public void testSystemMetadataAnalyzePropertiesFilteringValues() {
        getQueryRunner().getAccessControl().denyCatalogs(str -> {
            return !str.equals("mock");
        });
        assertQueryReturnsEmptyResult("SELECT * FROM system.metadata.analyze_properties");
    }

    @Test
    public void testSystemMetadataMaterializedViewPropertiesFilteringValues() {
        getQueryRunner().getAccessControl().denyCatalogs(str -> {
            return !str.equals("mock");
        });
        assertQueryReturnsEmptyResult("SELECT * FROM system.metadata.materialized_view_properties");
    }

    @Test
    public void testSystemMetadataSchemaPropertiesFilteringValues() {
        getQueryRunner().getAccessControl().denyCatalogs(str -> {
            return !str.equals("mock");
        });
        assertQueryReturnsEmptyResult("SELECT * FROM system.metadata.schema_properties");
    }

    @Test
    public void testSystemMetadataTablePropertiesFilteringValues() {
        getQueryRunner().getAccessControl().denyCatalogs(str -> {
            return (str.equals("blackhole") || str.equals("mock")) ? false : true;
        });
        assertQueryReturnsEmptyResult("SELECT * FROM system.metadata.table_properties");
    }

    @Test
    public void testSystemMetadataColumnPropertiesFilteringValues() {
        getQueryRunner().getAccessControl().denyCatalogs(str -> {
            return !str.equals("mock");
        });
        assertQueryReturnsEmptyResult("SELECT * FROM system.metadata.column_properties");
    }

    @Test
    public void testUseStatementAccessControl() {
        getQueryRunner().execute(TestingSession.testSessionBuilder().setCatalog(Optional.empty()).setSchema(Optional.empty()).build(), "USE tpch.tiny");
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute("USE not_exists_catalog.tiny");
        }).hasMessageMatching("Catalog does not exist: not_exists_catalog");
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute("USE tpch.not_exists_schema");
        }).hasMessageMatching("Schema does not exist: tpch.not_exists_schema");
    }

    @Test
    public void testUseStatementAccessControlWithDeniedCatalog() {
        getQueryRunner().getAccessControl().denyCatalogs(str -> {
            return !str.equals("tpch");
        });
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute("USE tpch.tiny");
        }).hasMessageMatching("Access Denied: Cannot access catalog tpch");
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute("USE tpch.not_exists_schema");
        }).hasMessageMatching("Access Denied: Cannot access catalog tpch");
    }

    @Test
    public void testUseStatementAccessControlWithDeniedSchema() {
        getQueryRunner().getAccessControl().denySchemas(str -> {
            return !str.equals("tiny");
        });
        Assertions.assertThatThrownBy(() -> {
            getQueryRunner().execute("USE tpch.tiny");
        }).hasMessageMatching("Access Denied: Cannot access schema: tpch.tiny");
    }

    @Test
    public void testPropertiesAccessControl() {
        this.systemAccessControl.set(new DenySetPropertiesSystemAccessControl());
        assertAccessDenied("CREATE TABLE mock.default.new_table (pk bigint) WITH (double_table_property = 0.0)", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE TABLE mock.default.new_table (pk bigint) WITH (double_table_property = 1.0)", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE TABLE mock.default.new_table (pk bigint) WITH (double_table_property = 1.0, another_property = 1)", "Cannot access properties: \\[another_property, double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE TABLE mock.default.new_table (pk bigint) WITH (DOUBLE_TABLE_PROPERTY = 1.0)", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE TABLE mock.default.new_table WITH (double_table_property = 0.0) AS SELECT 1 pk", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE TABLE mock.default.new_table WITH (double_table_property = 1.0) AS SELECT 1 pk", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE TABLE mock.default.new_table WITH (double_table_property = 1.0, another_property = 1) AS SELECT 1 pk", "Cannot access properties: \\[another_property, double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE TABLE mock.default.new_table WITH (DOUBLE_TABLE_PROPERTY = 1.0) AS SELECT 1 pk", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE SCHEMA mock.new_schema WITH (boolean_schema_property = false)", "Cannot access properties: \\[boolean_schema_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE SCHEMA mock.new_schema WITH (boolean_schema_property = true)", "Cannot access properties: \\[boolean_schema_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE SCHEMA mock.new_schema WITH (another_property = 1, boolean_schema_property = true)", "Cannot access properties: \\[another_property, boolean_schema_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE SCHEMA mock.new_schema WITH (BOOLEAN_SCHEMA_PROPERTY = true)", "Cannot access properties: \\[boolean_schema_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE MATERIALIZED VIEW mock.default.new_materialized_view WITH (string_materialized_view_property = '') AS SELECT 1 a", "Cannot access properties: \\[string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE MATERIALIZED VIEW mock.default.new_materialized_view WITH (string_materialized_view_property = 'value') AS SELECT 1 a", "Cannot access properties: \\[string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE MATERIALIZED VIEW mock.default.new_materialized_view WITH (string_materialized_view_property = 'value', another_property = 1) AS SELECT 1 a", "Cannot access properties: \\[another_property, string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("CREATE MATERIALIZED VIEW mock.default.new_materialized_view WITH (STRING_MATERIALIZED_VIEW_PROPERTY = 'value') AS SELECT 1 a", "Cannot access properties: \\[string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE mock.default.foo SET PROPERTIES double_table_property = 0.0", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE mock.default.foo SET PROPERTIES double_table_property = 1.0, another_property = 1", "Cannot access properties: \\[another_property, double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE mock.default.foo SET PROPERTIES double_table_property = 1.0", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE mock.default.foo SET PROPERTIES DOUBLE_TABLE_PROPERTY = 1.0", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE mock.default.foo SET PROPERTIES double_table_property = DEFAULT", "Cannot access properties: \\[double_table_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER MATERIALIZED VIEW mock.default.test_materialized_view SET PROPERTIES string_materialized_view_property = ''", "Cannot access properties: \\[string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER MATERIALIZED VIEW mock.default.test_materialized_view SET PROPERTIES string_materialized_view_property = 'value'", "Cannot access properties: \\[string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER MATERIALIZED VIEW mock.default.test_materialized_view SET PROPERTIES string_materialized_view_property = 'value', another_property = 1", "Cannot access properties: \\[another_property, string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER MATERIALIZED VIEW mock.default.test_materialized_view SET PROPERTIES STRING_MATERIALIZED_VIEW_PROPERTY = 'value'", "Cannot access properties: \\[string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER MATERIALIZED VIEW mock.default.test_materialized_view SET PROPERTIES string_materialized_view_property = DEFAULT", "Cannot access properties: \\[string_materialized_view_property]", new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testPropertiesAccessControlIsSkippedWhenUsingDefaults() {
        this.systemAccessControl.set(new DenySetPropertiesSystemAccessControl());
        this.systemAccessControl.set(new DenySetPropertiesSystemAccessControl());
        assertAccessAllowed("CREATE TABLE mock.default.new_table (pk bigint)", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessAllowed("CREATE SCHEMA mock.new_schema", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessAllowed("CREATE MATERIALIZED VIEW mock.default.new_materialized_view AS SELECT 1 a", new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testAccessControlWithGroupsAndColumnMask() {
        this.groupProvider.setUserGroups(ImmutableMap.of(getSession().getUser(), ImmutableSet.of("group")));
        TestingAccessControlManager accessControl = getQueryRunner().getAccessControl();
        accessControl.denyIdentityTable((identity, str) -> {
            return identity.getGroups().contains("group") && "orders".equals(str);
        });
        accessControl.columnMask(new QualifiedObjectName("blackhole", "default", "orders"), "comment", getSession().getUser(), new ViewExpression(Optional.empty(), Optional.empty(), Optional.empty(), "substr(comment,1,3)"));
        assertAccessAllowed("SELECT comment FROM orders", new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testAccessControlWithGroupsAndRowFilter() {
        this.groupProvider.setUserGroups(ImmutableMap.of(getSession().getUser(), ImmutableSet.of("group")));
        TestingAccessControlManager accessControl = getQueryRunner().getAccessControl();
        accessControl.denyIdentityTable((identity, str) -> {
            return identity.getGroups().contains("group") && "nation".equals(str);
        });
        accessControl.rowFilter(new QualifiedObjectName("blackhole", "default", "nation"), getSession().getUser(), new ViewExpression(Optional.empty(), Optional.empty(), Optional.empty(), "nationkey % 2 = 0"));
        assertAccessAllowed("SELECT nationkey FROM nation", new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testAccessControlWithRolesAndColumnMask() {
        String str = "role";
        Session build = Session.builder(getSession()).setIdentity(Identity.forUser("user").withEnabledRoles(ImmutableSet.of("role")).build()).build();
        this.systemSecurityMetadata.grantRoles(getSession(), Set.of("role"), Set.of(new TrinoPrincipal(PrincipalType.USER, "user")), false, Optional.empty());
        TestingAccessControlManager accessControl = getQueryRunner().getAccessControl();
        accessControl.denyIdentityTable((identity, str2) -> {
            return identity.getEnabledRoles().contains(str) && "orders".equals(str2);
        });
        accessControl.columnMask(new QualifiedObjectName("blackhole", "default", "orders"), "comment", getSession().getUser(), new ViewExpression(Optional.empty(), Optional.empty(), Optional.empty(), "substr(comment,1,3)"));
        assertAccessAllowed(build, "SELECT comment FROM orders", new TestingAccessControlManager.TestingPrivilege[0]);
    }

    @Test
    public void testAccessControlWithRolesAndRowFilter() {
        String str = "role";
        Session build = Session.builder(getSession()).setIdentity(Identity.forUser("user").withEnabledRoles(ImmutableSet.of("role")).build()).build();
        this.systemSecurityMetadata.grantRoles(getSession(), Set.of("role"), Set.of(new TrinoPrincipal(PrincipalType.USER, "user")), false, Optional.empty());
        TestingAccessControlManager accessControl = getQueryRunner().getAccessControl();
        accessControl.denyIdentityTable((identity, str2) -> {
            return identity.getEnabledRoles().contains(str) && "nation".equals(str2);
        });
        accessControl.rowFilter(new QualifiedObjectName("blackhole", "default", "nation"), getSession().getUser(), new ViewExpression(Optional.empty(), Optional.empty(), Optional.empty(), "nationkey % 2 = 0"));
        assertAccessAllowed(build, "SELECT nationkey FROM nation", new TestingAccessControlManager.TestingPrivilege[0]);
    }
}
