package io.trino.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.opentelemetry.api.OpenTelemetry;
import io.trino.SessionTestUtils;
import io.trino.client.NodeVersion;
import io.trino.connector.CatalogServiceProvider;
import io.trino.connector.MockConnectorFactory;
import io.trino.eventlistener.EventListenerManager;
import io.trino.execution.BaseDataDefinitionTaskTest;
import io.trino.metadata.Metadata;
import io.trino.metadata.MetadataManager;
import io.trino.metadata.QualifiedObjectName;
import io.trino.plugin.base.security.AllowAllAccessControl;
import io.trino.plugin.base.security.AllowAllSystemAccessControl;
import io.trino.spi.QueryId;
import io.trino.spi.TrinoException;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.ConnectorAccessControl;
import io.trino.spi.connector.ConnectorSecurityContext;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.eventlistener.EventListener;
import io.trino.spi.function.FunctionKind;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.BasicPrincipal;
import io.trino.spi.security.Identity;
import io.trino.spi.security.SystemAccessControl;
import io.trino.spi.security.SystemAccessControlFactory;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.type.Type;
import io.trino.testing.LocalQueryRunner;
import io.trino.testing.TestingEventListenerManager;
import io.trino.transaction.InMemoryTransactionManager;
import io.trino.transaction.TransactionBuilder;
import io.trino.transaction.TransactionId;
import io.trino.transaction.TransactionManager;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.security.Principal;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.testng.Assert;

/* loaded from: input_file:io/trino/security/TestAccessControlManager.class */
public class TestAccessControlManager {
    private static final String USER_NAME = "user_name";
    private static final Principal PRINCIPAL = new BasicPrincipal("principal");
    private static final QueryId queryId = new QueryId("query_id");
    private static final Instant queryStart = Instant.now();

    /* loaded from: input_file:io/trino/security/TestAccessControlManager$DenyConnectorAccessControl.class */
    private static class DenyConnectorAccessControl implements ConnectorAccessControl {
        private DenyConnectorAccessControl() {
        }
    }

    /* loaded from: input_file:io/trino/security/TestAccessControlManager$TestSystemAccessControlFactory.class */
    private static class TestSystemAccessControlFactory implements SystemAccessControlFactory {
        private final String name;
        private Map<String, String> config;
        private Optional<Principal> checkedPrincipal;
        private String checkedUserName;

        public TestSystemAccessControlFactory(String str) {
            this.name = (String) Objects.requireNonNull(str, "name is null");
        }

        public Map<String, String> getConfig() {
            return this.config;
        }

        public Optional<Principal> getCheckedPrincipal() {
            return this.checkedPrincipal;
        }

        public String getCheckedUserName() {
            return this.checkedUserName;
        }

        public String getName() {
            return this.name;
        }

        public SystemAccessControl create(Map<String, String> map) {
            this.config = map;
            return new SystemAccessControl() { // from class: io.trino.security.TestAccessControlManager.TestSystemAccessControlFactory.1
                public void checkCanSetUser(Optional<Principal> optional, String str) {
                    TestSystemAccessControlFactory.this.checkedPrincipal = optional;
                    TestSystemAccessControlFactory.this.checkedUserName = str;
                }

                public boolean canAccessCatalog(SystemSecurityContext systemSecurityContext, String str) {
                    return true;
                }

                public void checkCanSetSystemSessionProperty(Identity identity, String str) {
                    throw new UnsupportedOperationException();
                }

                public void checkCanSelectFromColumns(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, Set<String> set) {
                    if (catalogSchemaTableName.getCatalogName().equals("secured_catalog")) {
                        AccessDeniedException.denySelectTable(catalogSchemaTableName.toString());
                    }
                }

                public Set<String> filterCatalogs(SystemSecurityContext systemSecurityContext, Set<String> set) {
                    return set;
                }
            };
        }
    }

    @Test
    public void testInitializing() {
        AccessControlManager createAccessControlManager = createAccessControlManager(InMemoryTransactionManager.createTestTransactionManager());
        Assertions.assertThatThrownBy(() -> {
            createAccessControlManager.checkCanSetUser(Optional.empty(), "foo");
        }).isInstanceOf(TrinoException.class).hasMessage("Trino server is still initializing");
    }

    @Test
    public void testNoneSystemAccessControl() {
        AccessControlManager createAccessControlManager = createAccessControlManager(InMemoryTransactionManager.createTestTransactionManager());
        createAccessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
        createAccessControlManager.checkCanSetUser(Optional.empty(), USER_NAME);
    }

    @Test
    public void testReadOnlySystemAccessControl() {
        Identity build = Identity.forUser(USER_NAME).withPrincipal(PRINCIPAL).build();
        QualifiedObjectName qualifiedObjectName = new QualifiedObjectName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA, "table");
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        MetadataManager build2 = MetadataManager.testMetadataManagerBuilder().withTransactionManager(createTestTransactionManager).build();
        AccessControlManager createAccessControlManager = createAccessControlManager(createTestTransactionManager);
        createAccessControlManager.loadSystemAccessControl("read-only", ImmutableMap.of());
        createAccessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
        createAccessControlManager.checkCanSetSystemSessionProperty(build, "property");
        TransactionBuilder.transaction(createTestTransactionManager, build2, createAccessControlManager).execute(transactionId -> {
            SecurityContext securityContext = new SecurityContext(transactionId, build, queryId, queryStart);
            createAccessControlManager.checkCanSetCatalogSessionProperty(securityContext, "test-catalog", "property");
            createAccessControlManager.checkCanShowSchemas(securityContext, "test-catalog");
            createAccessControlManager.checkCanShowTables(securityContext, new CatalogSchemaName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA));
            createAccessControlManager.checkCanSelectFromColumns(securityContext, qualifiedObjectName, ImmutableSet.of("column"));
            createAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext, qualifiedObjectName, ImmutableSet.of("column"));
            ImmutableSet of = ImmutableSet.of("test-catalog");
            Assert.assertEquals(createAccessControlManager.filterCatalogs(securityContext, of), of);
            ImmutableSet of2 = ImmutableSet.of(BaseDataDefinitionTaskTest.SCHEMA);
            Assert.assertEquals(createAccessControlManager.filterSchemas(securityContext, "test-catalog", of2), of2);
            ImmutableSet of3 = ImmutableSet.of(new SchemaTableName(BaseDataDefinitionTaskTest.SCHEMA, "table"));
            Assert.assertEquals(createAccessControlManager.filterTables(securityContext, "test-catalog", of3), of3);
        });
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, build2, createAccessControlManager).execute(transactionId2 -> {
                createAccessControlManager.checkCanInsertIntoTable(new SecurityContext(transactionId2, build, queryId, queryStart), qualifiedObjectName);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot insert into table test-catalog.schema.table");
    }

    @Test
    public void testSetAccessControl() {
        AccessControlManager createAccessControlManager = createAccessControlManager(InMemoryTransactionManager.createTestTransactionManager());
        TestSystemAccessControlFactory testSystemAccessControlFactory = new TestSystemAccessControlFactory("test");
        createAccessControlManager.addSystemAccessControlFactory(testSystemAccessControlFactory);
        createAccessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
        createAccessControlManager.checkCanSetUser(Optional.of(PRINCIPAL), USER_NAME);
        Assert.assertEquals(testSystemAccessControlFactory.getCheckedUserName(), USER_NAME);
        Assert.assertEquals(testSystemAccessControlFactory.getCheckedPrincipal(), Optional.of(PRINCIPAL));
    }

    @Test
    public void testNoCatalogAccessControl() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(createTestTransactionManager).build();
        AccessControlManager createAccessControlManager = createAccessControlManager(createTestTransactionManager);
        createAccessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
        createAccessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
        TransactionBuilder.transaction(createTestTransactionManager, build, createAccessControlManager).execute(transactionId -> {
            createAccessControlManager.checkCanSelectFromColumns(context(transactionId), new QualifiedObjectName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA, "table"), ImmutableSet.of("column"));
        });
    }

    @Test
    public void testDenyCatalogAccessControl() {
        LocalQueryRunner create = LocalQueryRunner.create(SessionTestUtils.TEST_SESSION);
        try {
            TransactionManager transactionManager = create.getTransactionManager();
            MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(transactionManager).build();
            AccessControlManager createAccessControlManager = createAccessControlManager(transactionManager);
            createAccessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
            createAccessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
            create.createCatalog("test-catalog", MockConnectorFactory.create(), ImmutableMap.of());
            createAccessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(create.getCatalogHandle("test-catalog"), Optional.of(new DenyConnectorAccessControl())));
            Assertions.assertThatThrownBy(() -> {
                TransactionBuilder.transaction(transactionManager, build, createAccessControlManager).execute(transactionId -> {
                    createAccessControlManager.checkCanSelectFromColumns(context(transactionId), new QualifiedObjectName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA, "table"), ImmutableSet.of("column"));
                });
            }).isInstanceOf(TrinoException.class).hasMessageMatching("Access Denied: Cannot select from columns \\[column\\] in table or view schema.table");
            if (create != null) {
                create.close();
            }
        } catch (Throwable th) {
            if (create != null) {
                try {
                    create.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testDenyTableFunctionCatalogAccessControl() {
        LocalQueryRunner create = LocalQueryRunner.create(SessionTestUtils.TEST_SESSION);
        try {
            AccessControlManager createAccessControlManager = createAccessControlManager(create.getTransactionManager());
            createAccessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
            createAccessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
            create.createCatalog("test-catalog", MockConnectorFactory.create(), ImmutableMap.of());
            createAccessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(create.getCatalogHandle("test-catalog"), Optional.of(new DenyConnectorAccessControl())));
            if (create != null) {
                create.close();
            }
        } catch (Throwable th) {
            if (create != null) {
                try {
                    create.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testColumnMaskOrdering() {
        LocalQueryRunner create = LocalQueryRunner.create(SessionTestUtils.TEST_SESSION);
        try {
            AccessControlManager createAccessControlManager = createAccessControlManager(create.getTransactionManager());
            createAccessControlManager.addSystemAccessControlFactory(new SystemAccessControlFactory() { // from class: io.trino.security.TestAccessControlManager.1
                public String getName() {
                    return "test";
                }

                public SystemAccessControl create(Map<String, String> map) {
                    return new SystemAccessControl() { // from class: io.trino.security.TestAccessControlManager.1.1
                        public Optional<ViewExpression> getColumnMask(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, String str, Type type) {
                            return Optional.of(ViewExpression.builder().identity("user").expression("system mask").build());
                        }

                        public void checkCanSetSystemSessionProperty(Identity identity, String str) {
                        }
                    };
                }
            });
            createAccessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
            create.createCatalog("test-catalog", MockConnectorFactory.create(), ImmutableMap.of());
            createAccessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(create.getCatalogHandle("test-catalog"), Optional.of(new ConnectorAccessControl() { // from class: io.trino.security.TestAccessControlManager.2
                public Optional<ViewExpression> getColumnMask(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName, String str, Type type) {
                    return Optional.of(ViewExpression.builder().identity("user").expression("connector mask").build());
                }

                public void checkCanShowCreateTable(ConnectorSecurityContext connectorSecurityContext, SchemaTableName schemaTableName) {
                }
            })));
            if (create != null) {
                create.close();
            }
        } catch (Throwable th) {
            if (create != null) {
                try {
                    create.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static SecurityContext context(TransactionId transactionId) {
        return new SecurityContext(transactionId, Identity.forUser(USER_NAME).withPrincipal(PRINCIPAL).build(), queryId, queryStart);
    }

    @Test
    public void testDenySystemAccessControl() {
        LocalQueryRunner create = LocalQueryRunner.create(SessionTestUtils.TEST_SESSION);
        try {
            TransactionManager transactionManager = create.getTransactionManager();
            MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(transactionManager).build();
            AccessControlManager createAccessControlManager = createAccessControlManager(transactionManager);
            createAccessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
            createAccessControlManager.loadSystemAccessControl("test", ImmutableMap.of());
            create.createCatalog("test-catalog", MockConnectorFactory.create(), ImmutableMap.of());
            createAccessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(create.getCatalogHandle("test-catalog"), Optional.of(new DenyConnectorAccessControl())));
            Assertions.assertThatThrownBy(() -> {
                TransactionBuilder.transaction(transactionManager, build, createAccessControlManager).execute(transactionId -> {
                    createAccessControlManager.checkCanSelectFromColumns(context(transactionId), new QualifiedObjectName("secured_catalog", BaseDataDefinitionTaskTest.SCHEMA, "table"), ImmutableSet.of("column"));
                });
            }).isInstanceOf(TrinoException.class).hasMessageMatching("Access Denied: Cannot select from table secured_catalog.schema.table");
            if (create != null) {
                create.close();
            }
        } catch (Throwable th) {
            if (create != null) {
                try {
                    create.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testDenyExecuteProcedureBySystem() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(createTestTransactionManager).build();
        AccessControlManager createAccessControlManager = createAccessControlManager(createTestTransactionManager);
        createAccessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("deny-all"));
        createAccessControlManager.loadSystemAccessControl("deny-all", ImmutableMap.of());
        assertDenyExecuteProcedure(createTestTransactionManager, build, createAccessControlManager, "Access Denied: Cannot execute procedure test-catalog.schema.procedure");
    }

    @Test
    public void testDenyExecuteProcedureByConnector() {
        LocalQueryRunner create = LocalQueryRunner.create(SessionTestUtils.TEST_SESSION);
        try {
            TransactionManager transactionManager = create.getTransactionManager();
            MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(transactionManager).build();
            AccessControlManager createAccessControlManager = createAccessControlManager(transactionManager);
            createAccessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
            create.createCatalog("test-catalog", MockConnectorFactory.create(), ImmutableMap.of());
            createAccessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(create.getCatalogHandle("test-catalog"), Optional.of(new DenyConnectorAccessControl())));
            assertDenyExecuteProcedure(transactionManager, build, createAccessControlManager, "Access Denied: Cannot execute procedure schema.procedure");
            if (create != null) {
                create.close();
            }
        } catch (Throwable th) {
            if (create != null) {
                try {
                    create.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testAllowExecuteProcedure() {
        LocalQueryRunner create = LocalQueryRunner.create(SessionTestUtils.TEST_SESSION);
        try {
            TransactionManager transactionManager = create.getTransactionManager();
            MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(transactionManager).build();
            AccessControlManager createAccessControlManager = createAccessControlManager(transactionManager);
            createAccessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
            create.createCatalog("test-catalog", MockConnectorFactory.create(), ImmutableMap.of());
            createAccessControlManager.setConnectorAccessControlProvider(CatalogServiceProvider.singleton(create.getCatalogHandle("test-catalog"), Optional.of(new AllowAllAccessControl())));
            TransactionBuilder.transaction(transactionManager, build, createAccessControlManager).execute(transactionId -> {
                createAccessControlManager.checkCanExecuteProcedure(context(transactionId), new QualifiedObjectName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA, "procedure"));
            });
            if (create != null) {
                create.close();
            }
        } catch (Throwable th) {
            if (create != null) {
                try {
                    create.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testRegisterSingleEventListenerForDefaultAccessControl() {
        EventListener eventListener = new EventListener() { // from class: io.trino.security.TestAccessControlManager.3
        };
        TestingEventListenerManager emptyEventListenerManager = TestingEventListenerManager.emptyEventListenerManager();
        AccessControlManager createAccessControlManager = createAccessControlManager((EventListenerManager) emptyEventListenerManager, "event-listening-default-access-control");
        createAccessControlManager.addSystemAccessControlFactory(eventListeningSystemAccessControlFactory("event-listening-default-access-control", eventListener));
        createAccessControlManager.loadSystemAccessControl();
        Assertions.assertThat(emptyEventListenerManager.getConfiguredEventListeners()).contains(new EventListener[]{eventListener});
    }

    @Test
    public void testRegisterMultipleEventListenerForDefaultAccessControl() {
        EventListener eventListener = new EventListener() { // from class: io.trino.security.TestAccessControlManager.4
        };
        EventListener eventListener2 = new EventListener() { // from class: io.trino.security.TestAccessControlManager.5
        };
        TestingEventListenerManager emptyEventListenerManager = TestingEventListenerManager.emptyEventListenerManager();
        AccessControlManager createAccessControlManager = createAccessControlManager((EventListenerManager) emptyEventListenerManager, "event-listening-default-access-control");
        createAccessControlManager.addSystemAccessControlFactory(eventListeningSystemAccessControlFactory("event-listening-default-access-control", eventListener, eventListener2));
        createAccessControlManager.loadSystemAccessControl();
        Assertions.assertThat(emptyEventListenerManager.getConfiguredEventListeners()).contains(new EventListener[]{eventListener, eventListener2});
    }

    @Test
    public void testRegisterSingleEventListener() throws IOException {
        EventListener eventListener = new EventListener() { // from class: io.trino.security.TestAccessControlManager.6
        };
        TestingEventListenerManager emptyEventListenerManager = TestingEventListenerManager.emptyEventListenerManager();
        AccessControlManager createAccessControlManager = createAccessControlManager(emptyEventListenerManager, (List<String>) ImmutableList.of("access-control.name=" + "event-listening-sac"));
        createAccessControlManager.addSystemAccessControlFactory(eventListeningSystemAccessControlFactory("event-listening-sac", eventListener));
        createAccessControlManager.loadSystemAccessControl();
        Assertions.assertThat(emptyEventListenerManager.getConfiguredEventListeners()).contains(new EventListener[]{eventListener});
    }

    @Test
    public void testRegisterMultipleEventListeners() throws IOException {
        EventListener eventListener = new EventListener() { // from class: io.trino.security.TestAccessControlManager.7
        };
        EventListener eventListener2 = new EventListener() { // from class: io.trino.security.TestAccessControlManager.8
        };
        TestingEventListenerManager emptyEventListenerManager = TestingEventListenerManager.emptyEventListenerManager();
        AccessControlManager createAccessControlManager = createAccessControlManager(emptyEventListenerManager, (List<String>) ImmutableList.of("access-control.name=" + "event-listening-sac"));
        createAccessControlManager.addSystemAccessControlFactory(eventListeningSystemAccessControlFactory("event-listening-sac", eventListener, eventListener2));
        createAccessControlManager.loadSystemAccessControl();
        Assertions.assertThat(emptyEventListenerManager.getConfiguredEventListeners()).contains(new EventListener[]{eventListener, eventListener2});
    }

    private void assertDenyExecuteProcedure(TransactionManager transactionManager, Metadata metadata, AccessControlManager accessControlManager, String str) {
        TransactionBuilder.transaction(transactionManager, metadata, accessControlManager).execute(transactionId -> {
            Assertions.assertThatThrownBy(() -> {
                accessControlManager.checkCanExecuteProcedure(context(transactionId), new QualifiedObjectName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA, "procedure"));
            }).isInstanceOf(AccessDeniedException.class).hasMessage(str);
        });
    }

    @Test
    public void testDenyExecuteFunctionBySystemAccessControl() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(createTestTransactionManager).build();
        AccessControlManager createAccessControlManager = createAccessControlManager(createTestTransactionManager);
        createAccessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("deny-all"));
        createAccessControlManager.loadSystemAccessControl("deny-all", ImmutableMap.of());
        QualifiedObjectName qualifiedObjectName = new QualifiedObjectName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA, "executed_function");
        TransactionBuilder.transaction(createTestTransactionManager, build, createAccessControlManager).execute(transactionId -> {
            Assertions.assertThat(createAccessControlManager.canExecuteFunction(context(transactionId), qualifiedObjectName)).isFalse();
            Assertions.assertThat(createAccessControlManager.canCreateViewWithExecuteFunction(context(transactionId), qualifiedObjectName)).isFalse();
        });
    }

    @Test
    public void testAllowExecuteFunction() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(createTestTransactionManager).build();
        AccessControlManager createAccessControlManager = createAccessControlManager(createTestTransactionManager);
        createAccessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
        QualifiedObjectName qualifiedObjectName = new QualifiedObjectName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA, "executed_function");
        TransactionBuilder.transaction(createTestTransactionManager, build, createAccessControlManager).execute(transactionId -> {
            Assertions.assertThat(createAccessControlManager.canExecuteFunction(context(transactionId), qualifiedObjectName)).isTrue();
            Assertions.assertThat(createAccessControlManager.canCreateViewWithExecuteFunction(context(transactionId), qualifiedObjectName)).isTrue();
        });
    }

    @Test
    public void testAllowExecuteTableFunction() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        MetadataManager build = MetadataManager.testMetadataManagerBuilder().withTransactionManager(createTestTransactionManager).build();
        AccessControlManager createAccessControlManager = createAccessControlManager(createTestTransactionManager);
        createAccessControlManager.loadSystemAccessControl("allow-all", ImmutableMap.of());
        QualifiedObjectName qualifiedObjectName = new QualifiedObjectName("test-catalog", BaseDataDefinitionTaskTest.SCHEMA, "executed_function");
        TransactionBuilder.transaction(createTestTransactionManager, build, createAccessControlManager).execute(transactionId -> {
            Assertions.assertThat(createAccessControlManager.canExecuteFunction(context(transactionId), qualifiedObjectName)).isTrue();
            Assertions.assertThat(createAccessControlManager.canCreateViewWithExecuteFunction(context(transactionId), qualifiedObjectName)).isTrue();
        });
    }

    @Test
    public void testRemovedMethodsCannotBeDeclared() {
        LocalQueryRunner create = LocalQueryRunner.create(SessionTestUtils.TEST_SESSION);
        try {
            AccessControlManager createAccessControlManager = createAccessControlManager(create.getTransactionManager());
            Assertions.assertThatThrownBy(() -> {
                createAccessControlManager.setSystemAccessControls(ImmutableList.of(new AllowAllSystemAccessControl() { // from class: io.trino.security.TestAccessControlManager.9
                    public void checkCanAccessCatalog(SystemSecurityContext systemSecurityContext, String str) {
                    }
                }));
            }).isInstanceOf(IllegalArgumentException.class).hasMessageMatching("Access control .* must not implement removed method checkCanAccessCatalog\\(.*\\)");
            Assertions.assertThatThrownBy(() -> {
                createAccessControlManager.setSystemAccessControls(ImmutableList.of(new AllowAllSystemAccessControl() { // from class: io.trino.security.TestAccessControlManager.10
                    public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext systemSecurityContext, String str, TrinoPrincipal trinoPrincipal, boolean z) {
                    }
                }));
            }).isInstanceOf(IllegalArgumentException.class).hasMessageMatching("Access control .* must not implement removed method checkCanGrantExecuteFunctionPrivilege\\(.*\\)");
            Assertions.assertThatThrownBy(() -> {
                createAccessControlManager.setSystemAccessControls(ImmutableList.of(new AllowAllSystemAccessControl() { // from class: io.trino.security.TestAccessControlManager.11
                    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String str) {
                    }
                }));
            }).isInstanceOf(IllegalArgumentException.class).hasMessageMatching("Access control .* must not implement removed method checkCanExecuteFunction\\(.*\\)");
            Assertions.assertThatThrownBy(() -> {
                createAccessControlManager.setSystemAccessControls(ImmutableList.of(new AllowAllSystemAccessControl() { // from class: io.trino.security.TestAccessControlManager.12
                    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName catalogSchemaRoutineName) {
                    }
                }));
            }).isInstanceOf(IllegalArgumentException.class).hasMessageMatching("Access control .* must not implement removed method checkCanExecuteFunction\\(.*\\)");
            Assertions.assertThatThrownBy(() -> {
                createAccessControlManager.setSystemAccessControls(ImmutableList.of(new AllowAllSystemAccessControl() { // from class: io.trino.security.TestAccessControlManager.13
                    public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext systemSecurityContext, FunctionKind functionKind, CatalogSchemaRoutineName catalogSchemaRoutineName, TrinoPrincipal trinoPrincipal, boolean z) {
                    }
                }));
            }).isInstanceOf(IllegalArgumentException.class).hasMessageMatching("Access control .* must not implement removed method checkCanGrantExecuteFunctionPrivilege\\(.*\\)");
            createAccessControlManager.setSystemAccessControls(ImmutableList.of(new AllowAllSystemAccessControl()));
            if (create != null) {
                create.close();
            }
        } catch (Throwable th) {
            if (create != null) {
                try {
                    create.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private AccessControlManager createAccessControlManager(TestingEventListenerManager testingEventListenerManager, List<String> list) throws IOException {
        Path createTempFile = Files.createTempFile("access-control-config-file", ".properties", new FileAttribute[0]);
        Files.write(createTempFile, list, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.CREATE, StandardOpenOption.WRITE);
        return createAccessControlManager((EventListenerManager) testingEventListenerManager, new AccessControlConfig().setAccessControlFiles(createTempFile.toFile().getAbsolutePath()));
    }

    private AccessControlManager createAccessControlManager(TransactionManager transactionManager) {
        return new AccessControlManager(NodeVersion.UNKNOWN, transactionManager, TestingEventListenerManager.emptyEventListenerManager(), new AccessControlConfig(), OpenTelemetry.noop(), "default");
    }

    private AccessControlManager createAccessControlManager(EventListenerManager eventListenerManager, AccessControlConfig accessControlConfig) {
        return new AccessControlManager(NodeVersion.UNKNOWN, InMemoryTransactionManager.createTestTransactionManager(), eventListenerManager, accessControlConfig, OpenTelemetry.noop(), "default");
    }

    private AccessControlManager createAccessControlManager(EventListenerManager eventListenerManager, String str) {
        return new AccessControlManager(NodeVersion.UNKNOWN, InMemoryTransactionManager.createTestTransactionManager(), eventListenerManager, new AccessControlConfig(), OpenTelemetry.noop(), str);
    }

    private SystemAccessControlFactory eventListeningSystemAccessControlFactory(final String str, final EventListener... eventListenerArr) {
        return new SystemAccessControlFactory() { // from class: io.trino.security.TestAccessControlManager.14
            public String getName() {
                return str;
            }

            public SystemAccessControl create(Map<String, String> map) {
                return new SystemAccessControl() { // from class: io.trino.security.TestAccessControlManager.14.1
                    public void checkCanSetSystemSessionProperty(Identity identity, String str2) {
                    }

                    public Iterable<EventListener> getEventListeners() {
                        return ImmutableSet.copyOf(eventListenerArr);
                    }
                };
            }
        };
    }
}
