package io.trino.plugin.hive;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.trino.Session;
import io.trino.plugin.hive.HiveQueryRunner;
import io.trino.spi.security.Identity;
import io.trino.spi.security.SelectedRole;
import io.trino.spi.type.Type;
import io.trino.spi.type.VarcharType;
import io.trino.testing.AbstractTestQueryFramework;
import io.trino.testing.MaterializedResult;
import io.trino.testing.QueryAssertions;
import io.trino.testing.QueryRunner;
import java.util.Iterator;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.Test;

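/**
 * Shared role-management test suite for the Hive connector, run against a
 * {@link HiveQueryRunner}.
 *
 * <p>The suite pins the access-control behaviour visible through SQL:
 * <ul>
 *   <li>role creation and removal, including duplicate, reserved and missing role names;</li>
 *   <li>denial of {@code CREATE ROLE}, {@code DROP ROLE} and reads of
 *       {@code information_schema.roles} for a user without the admin role;</li>
 *   <li>direct and transitive grants, the admin option, and their revocation;</li>
 *   <li>which roles are enabled for each {@link SelectedRole} a session can carry.</li>
 * </ul>
 *
 * <p>The constructor flag is forwarded to the {@code deprecated.legacy-catalog-roles}
 * property and decides whether the generated statements carry an {@code IN hive} suffix.
 *
 * <p>NOTE(review): no test in this class issues {@code GRANT} or {@code REVOKE} from a
 * non-admin session, or from a grantee that holds only the admin option on a role.
 * Confirm that those authorization paths are covered elsewhere.
 *
 * <p>The private {@code *Sql} helpers concatenate role and user names into the statement
 * text without quoting or validation. Every caller in this class passes string literals;
 * the helpers are not suitable for names that come from outside the test.
 *
 * <p>The TestNG annotation requests single-threaded execution, and every test shares the
 * role state that {@link #afterMethod()} clears.
 */
@Test(singleThreaded = true)
abstract class AbstractTestHiveRoles extends AbstractTestQueryFramework {
    private final boolean legacyCommands;

    /**
     * @param legacyCommands value passed to {@code deprecated.legacy-catalog-roles}; when
     *     {@code true} the generated role statements omit the {@code IN hive} clause
     */
    public AbstractTestHiveRoles(boolean legacyCommands) {
        this.legacyCommands = legacyCommands;
    }

    /** Builds the Hive query runner with the legacy-roles property set from the constructor flag. */
    @Override
    protected QueryRunner createQueryRunner() throws Exception {
        return ((HiveQueryRunner.Builder) HiveQueryRunner.builder()
                .addExtraProperty("deprecated.legacy-catalog-roles", String.valueOf(this.legacyCommands)))
                .build();
    }

    /**
     * Drops every role returned by {@link #listRoles()} so that tests do not leak role
     * state into each other; {@code alwaysRun} keeps the cleanup active after a failure.
     *
     * <p>NOTE(review): {@code testDropRole} shows that the listing contains {@code admin},
     * so a {@code DROP ROLE admin} is issued here too. How the metastore treats that
     * statement is not visible in this class.
     */
    @AfterMethod(alwaysRun = true)
    public void afterMethod() {
        for (String role : listRoles()) {
            executeFromAdmin(dropRoleSql(role));
        }
    }

    /** An admin can create a role, and it then appears in the role listing next to {@code admin}. */
    @Test
    public void testCreateRole() {
        executeFromAdmin(createRoleSql("role1"));
        Assert.assertEquals(listRoles(), ImmutableSet.of("role1", "admin"));
        // NOTE(review): the same assertion is made twice; the second call only re-runs the listing query.
        Assert.assertEquals(listRoles(), ImmutableSet.of("role1", "admin"));
    }

    /** Creating a role that already exists is rejected. */
    @Test
    public void testCreateDuplicateRole() {
        executeFromAdmin(createRoleSql("duplicate_role"));
        assertQueryFails(createAdminSession(), createRoleSql("duplicate_role"), ".*?Role 'duplicate_role' already exists");
    }

    /** {@code CREATE ROLE ... WITH ADMIN} is rejected by the connector. */
    @Test
    public void testCreateRoleWithAdminOption() {
        assertQueryFails(
                createAdminSession(),
                "CREATE ROLE role1 WITH ADMIN admin" + optionalCatalogDeclaration(),
                ".*?Hive Connector does not support WITH ADMIN statement");
    }

    /**
     * The reserved names {@code all}, {@code default} and {@code none} cannot be used as
     * role names; the {@code None} case shows that the check ignores letter case.
     */
    @Test
    public void testCreateReservedRole() {
        String reservedRoleError = "Role name cannot be one of the reserved roles: \\[all, default, none\\]";
        assertQueryFails(createAdminSession(), createRoleSql("all"), reservedRoleError);
        assertQueryFails(createAdminSession(), createRoleSql("default"), reservedRoleError);
        assertQueryFails(createAdminSession(), createRoleSql("none"), reservedRoleError);
        assertQueryFails(createAdminSession(), createRoleSql("None"), reservedRoleError);
    }

    /** A user without the admin role is denied {@code CREATE ROLE}. */
    @Test
    public void testCreateRoleByNonAdminUser() {
        assertQueryFails(createUserSession("non_admin_user"), createRoleSql("role1"), "Access Denied: Cannot create role role1");
    }

    /** A dropped role disappears from the role listing. */
    @Test
    public void testDropRole() {
        executeFromAdmin(createRoleSql("role1"));
        Assert.assertEquals(listRoles(), ImmutableSet.of("role1", "admin"));
        executeFromAdmin(dropRoleSql("role1"));
        Assert.assertEquals(listRoles(), ImmutableSet.of("admin"));
    }

    /** Dropping a role that does not exist is rejected. */
    @Test
    public void testDropNonExistentRole() {
        assertQueryFails(createAdminSession(), dropRoleSql("non_existent_role"), ".*?Role 'non_existent_role' does not exist in catalog '.*'");
    }

    /**
     * A user without the admin role is denied {@code DROP ROLE}.
     *
     * <p>{@code role1} is not created in this test, so the expected message also pins that
     * the caller sees the access-denied error rather than a "does not exist" error.
     */
    @Test
    public void testDropRoleByNonAdminUser() {
        assertQueryFails(createUserSession("non_admin_user"), dropRoleSql("role1"), "Access Denied: Cannot drop role role1");
    }

    /** A user without the admin role cannot read {@code information_schema.roles}. */
    @Test
    public void testListRolesByNonAdminUser() {
        assertQueryFails(
                createUserSession("non_admin_user"),
                "SELECT * FROM hive.information_schema.roles",
                "Access Denied: Cannot select from table information_schema.roles");
    }

    /** Any user, with no explicit grant, holds {@code public} without the admin option. */
    @Test
    public void testPublicRoleIsGrantedToAnyone() {
        QueryAssertions.assertContains(listApplicableRoles("some_user"), applicableRoles("some_user", "USER", "public", "NO"));
    }

    /** The user {@code admin} holds the {@code admin} role with the admin option. */
    @Test
    public void testAdminRoleIsGrantedToAdmin() {
        QueryAssertions.assertContains(listApplicableRoles("admin"), applicableRoles("admin", "USER", "admin", "YES"));
    }

    /** A role granted to a user becomes applicable for that user, without the admin option. */
    @Test
    public void testGrantRoleToUser() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(grantRoleToUserSql("role1", "user"));
        QueryAssertions.assertContains(listApplicableRoles("user"), applicableRoles("user", "USER", "role1", "NO"));
    }

    /** A role granted to another role is applicable to users who hold the grantee role. */
    @Test
    public void testGrantRoleToRole() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(createRoleSql("role2"));
        executeFromAdmin(grantRoleToUserSql("role1", "user"));
        executeFromAdmin(grantRoleToRoleSql("role2", "role1"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "NO",
                        "role1", "ROLE", "role2", "NO"));
    }

    /** Grants made {@code WITH ADMIN OPTION} are reported as grantable ({@code YES}). */
    @Test
    public void testGrantRoleWithAdminOption() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(createRoleSql("role2"));
        executeFromAdmin(grantRoleToUserWithAdminSql("role1", "user"));
        executeFromAdmin(grantRoleToRoleWithAdminSql("role2", "role1"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "YES",
                        "role1", "ROLE", "role2", "YES"));
    }

    /**
     * Repeating a grant succeeds, and a later grant with the admin option upgrades the
     * earlier plain grant.
     */
    @Test
    public void testGrantRoleMultipleTimes() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(createRoleSql("role2"));
        executeFromAdmin(grantRoleToUserSql("role1", "user"));
        executeFromAdmin(grantRoleToUserSql("role1", "user"));
        executeFromAdmin(grantRoleToRoleSql("role2", "role1"));
        executeFromAdmin(grantRoleToRoleSql("role2", "role1"));
        executeFromAdmin(grantRoleToUserWithAdminSql("role1", "user"));
        executeFromAdmin(grantRoleToUserWithAdminSql("role1", "user"));
        executeFromAdmin(grantRoleToRoleWithAdminSql("role2", "role1"));
        executeFromAdmin(grantRoleToRoleWithAdminSql("role2", "role1"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "YES",
                        "role1", "ROLE", "role2", "YES"));
    }

    /**
     * Granting a missing role, or granting to a missing role, is rejected.
     *
     * <p>NOTE(review): unlike {@code testRevokeNonExistingRole}, both statements run under
     * the framework's default session instead of the admin session. Confirm that this is
     * intended.
     */
    @Test
    public void testGrantNonExistingRole() {
        assertQueryFails(
                grantRoleToUserSql("grant_revoke_role_existing_1", "grant_revoke_existing_user_1"),
                ".*?Role 'grant_revoke_role_existing_1' does not exist in catalog '.*'");
        executeFromAdmin(createRoleSql("grant_revoke_role_existing_1"));
        assertQueryFails(
                grantRoleToRoleSql("grant_revoke_role_existing_1", "grant_revoke_role_existing_2"),
                ".*?Role 'grant_revoke_role_existing_2' does not exist in catalog '.*'");
    }

    /** After a revoke, the user is left with {@code public} only. */
    @Test
    public void testRevokeRoleFromUser() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(grantRoleToUserSql("role1", "user"));
        QueryAssertions.assertContains(listApplicableRoles("user"), applicableRoles("user", "USER", "role1", "NO"));
        executeFromAdmin(revokeRoleFromUserSql("role1", "user"));
        QueryAssertions.assertEqualsIgnoreOrder(listApplicableRoles("user"), applicableRoles("user", "USER", "public", "NO"));
    }

    /** Revoking a role from a role removes it from users who held it only through that role. */
    @Test
    public void testRevokeRoleFromRole() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(createRoleSql("role2"));
        executeFromAdmin(grantRoleToUserSql("role1", "user"));
        executeFromAdmin(grantRoleToRoleSql("role2", "role1"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "NO",
                        "role1", "ROLE", "role2", "NO"));
        executeFromAdmin(revokeRoleFromRoleSql("role2", "role1"));
        QueryAssertions.assertEqualsIgnoreOrder(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "public", "NO",
                        "user", "USER", "role1", "NO"));
    }

    /** Dropping a role also removes the grants of that role. */
    @Test
    public void testDropGrantedRole() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(grantRoleToUserSql("role1", "user"));
        QueryAssertions.assertContains(listApplicableRoles("user"), applicableRoles("user", "USER", "role1", "NO"));
        executeFromAdmin(dropRoleSql("role1"));
        QueryAssertions.assertEqualsIgnoreOrder(listApplicableRoles("user"), applicableRoles("user", "USER", "public", "NO"));
    }

    /** Revoking the head of a grant chain from the user removes the whole chain for that user. */
    @Test
    public void testRevokeTransitiveRoleFromUser() {
        createThreeRoleChainForUser();
        executeFromAdmin(revokeRoleFromUserSql("role1", "user"));
        QueryAssertions.assertEqualsIgnoreOrder(listApplicableRoles("user"), applicableRoles("user", "USER", "public", "NO"));
    }

    /** Revoking a link inside a grant chain removes that role and the roles reached through it. */
    @Test
    public void testRevokeTransitiveRoleFromRole() {
        createThreeRoleChainForUser();
        executeFromAdmin(revokeRoleFromRoleSql("role2", "role1"));
        QueryAssertions.assertEqualsIgnoreOrder(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "public", "NO",
                        "user", "USER", "role1", "NO"));
    }

    /** Dropping a role in the middle of a grant chain removes it and the roles reached through it. */
    @Test
    public void testDropTransitiveRole() {
        createThreeRoleChainForUser();
        executeFromAdmin(dropRoleSql("role2"));
        QueryAssertions.assertEqualsIgnoreOrder(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "public", "NO",
                        "user", "USER", "role1", "NO"));
    }

    /** Revoking only the admin option keeps the grant but downgrades it to non-grantable. */
    @Test
    public void testRevokeAdminOption() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(createRoleSql("role2"));
        executeFromAdmin(grantRoleToUserWithAdminSql("role1", "user"));
        executeFromAdmin(grantRoleToRoleWithAdminSql("role2", "role1"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "YES",
                        "role1", "ROLE", "role2", "YES"));
        executeFromAdmin(revokeAdminOptionForRoleFromUserSql("role1", "user"));
        executeFromAdmin(revokeAdminOptionForRoleFromRoleSql("role2", "role1"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "NO",
                        "role1", "ROLE", "role2", "NO"));
    }

    /** Repeating a revoke (of the admin option or of the role itself) succeeds and changes nothing further. */
    @Test
    public void testRevokeRoleMultipleTimes() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(createRoleSql("role2"));
        executeFromAdmin(grantRoleToUserWithAdminSql("role1", "user"));
        executeFromAdmin(grantRoleToRoleWithAdminSql("role2", "role1"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "YES",
                        "role1", "ROLE", "role2", "YES"));
        executeFromAdmin(revokeAdminOptionForRoleFromUserSql("role1", "user"));
        executeFromAdmin(revokeAdminOptionForRoleFromUserSql("role1", "user"));
        executeFromAdmin(revokeAdminOptionForRoleFromRoleSql("role2", "role1"));
        executeFromAdmin(revokeAdminOptionForRoleFromRoleSql("role2", "role1"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "NO",
                        "role1", "ROLE", "role2", "NO"));
        executeFromAdmin(revokeRoleFromUserSql("role1", "user"));
        executeFromAdmin(revokeRoleFromUserSql("role1", "user"));
        executeFromAdmin(revokeRoleFromRoleSql("role2", "role1"));
        executeFromAdmin(revokeRoleFromRoleSql("role2", "role1"));
        QueryAssertions.assertEqualsIgnoreOrder(listApplicableRoles("user"), applicableRoles("user", "USER", "public", "NO"));
    }

    /** Revoking a missing role, or revoking from a missing role, is rejected. */
    @Test
    public void testRevokeNonExistingRole() {
        assertQueryFails(
                createAdminSession(),
                revokeRoleFromUserSql("grant_revoke_role_existing_1", "grant_revoke_existing_user_1"),
                ".*?Role 'grant_revoke_role_existing_1' does not exist in catalog '.*'");
        executeFromAdmin(createRoleSql("grant_revoke_role_existing_1"));
        assertQueryFails(
                createAdminSession(),
                revokeRoleFromRoleSql("grant_revoke_role_existing_1", "grant_revoke_role_existing_2"),
                ".*?Role 'grant_revoke_role_existing_2' does not exist in catalog '.*'");
    }

    /**
     * Checks which roles are enabled for each role selection a session can carry.
     *
     * <p>Setup: {@code set_user_1} is granted {@code set_role_1}, which is granted
     * {@code set_role_2}, which is granted {@code set_role_3}. {@code set_role_4} exists
     * but is granted to nobody.
     *
     * <p>Expectations: no selection and {@code ALL} enable the whole chain; {@code NONE}
     * leaves only {@code public}; selecting one role enables that role and the roles
     * reached through it, but none above it; selecting the ungranted {@code set_role_4}
     * fails.
     */
    @Test
    public void testSetRole() {
        executeFromAdmin(createRoleSql("set_role_1"));
        executeFromAdmin(createRoleSql("set_role_2"));
        executeFromAdmin(createRoleSql("set_role_3"));
        executeFromAdmin(createRoleSql("set_role_4"));
        executeFromAdmin(grantRoleToUserSql("set_role_1", "set_user_1"));
        executeFromAdmin(grantRoleToRoleSql("set_role_2", "set_role_1"));
        executeFromAdmin(grantRoleToRoleSql("set_role_3", "set_role_2"));

        Session unsetRole = createUserSession("set_user_1");
        Session allRoles = createRoleSession("set_user_1", SelectedRole.Type.ALL, Optional.empty());
        Session noRoles = createRoleSession("set_user_1", SelectedRole.Type.NONE, Optional.empty());
        Session onlyRole1 = createRoleSession("set_user_1", SelectedRole.Type.ROLE, Optional.of("set_role_1"));
        Session onlyRole2 = createRoleSession("set_user_1", SelectedRole.Type.ROLE, Optional.of("set_role_2"));
        Session onlyRole3 = createRoleSession("set_user_1", SelectedRole.Type.ROLE, Optional.of("set_role_3"));
        Session ungrantedRole = createRoleSession("set_user_1", SelectedRole.Type.ROLE, Optional.of("set_role_4"));

        QueryAssertions.assertEqualsIgnoreOrder(
                getQueryRunner().execute(unsetRole, "SELECT * FROM hive.information_schema.applicable_roles"),
                applicableRolesFor(
                        unsetRole,
                        "set_user_1", "USER", "public", "NO",
                        "set_user_1", "USER", "set_role_1", "NO",
                        "set_role_1", "ROLE", "set_role_2", "NO",
                        "set_role_2", "ROLE", "set_role_3", "NO"));

        assertEnabledRoles(unsetRole, "public", "set_role_1", "set_role_2", "set_role_3");
        assertEnabledRoles(allRoles, "public", "set_role_1", "set_role_2", "set_role_3");
        assertEnabledRoles(noRoles, "public");
        assertEnabledRoles(onlyRole1, "public", "set_role_1", "set_role_2", "set_role_3");
        assertEnabledRoles(onlyRole2, "public", "set_role_2", "set_role_3");
        assertEnabledRoles(onlyRole3, "public", "set_role_3");

        // A role that was never granted to the user cannot be selected.
        assertQueryFails(ungrantedRole, "SELECT * FROM hive.information_schema.enabled_roles", ".*?Cannot set role set_role_4");

        executeFromAdmin(dropRoleSql("set_role_1"));
        executeFromAdmin(dropRoleSql("set_role_2"));
        executeFromAdmin(dropRoleSql("set_role_3"));
        executeFromAdmin(dropRoleSql("set_role_4"));
    }

    /**
     * Creates {@code role1}, {@code role2} and {@code role3}, grants {@code role1} to
     * {@code user}, {@code role2} to {@code role1} and {@code role3} to {@code role2},
     * then checks that all three grants are applicable for {@code user}.
     */
    private void createThreeRoleChainForUser() {
        executeFromAdmin(createRoleSql("role1"));
        executeFromAdmin(createRoleSql("role2"));
        executeFromAdmin(createRoleSql("role3"));
        executeFromAdmin(grantRoleToUserSql("role1", "user"));
        executeFromAdmin(grantRoleToRoleSql("role2", "role1"));
        executeFromAdmin(grantRoleToRoleSql("role3", "role2"));
        QueryAssertions.assertContains(
                listApplicableRoles("user"),
                applicableRoles(
                        "user", "USER", "role1", "NO",
                        "role1", "ROLE", "role2", "NO",
                        "role2", "ROLE", "role3", "NO"));
    }

    /** Asserts that {@code information_schema.enabled_roles}, read under {@code session}, holds exactly {@code expectedRoles}. */
    private void assertEnabledRoles(Session session, String... expectedRoles) {
        MaterializedResult.Builder expected = MaterializedResult.resultBuilder(session, VarcharType.createUnboundedVarcharType());
        for (String role : expectedRoles) {
            expected.row(role);
        }
        QueryAssertions.assertEqualsIgnoreOrder(
                getQueryRunner().execute(session, "SELECT * FROM hive.information_schema.enabled_roles"),
                expected.build());
    }

    /** Returns the first column of {@code information_schema.roles}, read with the admin session. */
    private Set<String> listRoles() {
        return executeFromAdmin("SELECT * FROM hive.information_schema.roles")
                .getMaterializedRows().stream()
                .map(row -> row.getField(0).toString())
                .collect(Collectors.toSet());
    }

    /** Reads {@code information_schema.applicable_roles} as {@code user}, with no connector role selected. */
    private MaterializedResult listApplicableRoles(String user) {
        return executeFromUser(user, "SELECT * FROM hive.information_schema.applicable_roles");
    }

    /**
     * Builds an expected four-column varchar result with the default session.
     *
     * @param values cell values in row-major order; the count must be a multiple of four
     */
    private MaterializedResult applicableRoles(String... values) {
        return applicableRolesFor(getSession(), values);
    }

    /**
     * Builds an expected four-column varchar result bound to {@code session}.
     *
     * @param values cell values in row-major order; the count must be a multiple of four
     * @throws IllegalArgumentException if the value count is not a multiple of four
     */
    private MaterializedResult applicableRolesFor(Session session, String... values) {
        ImmutableList<Type> columnTypes = ImmutableList.of(
                VarcharType.createUnboundedVarcharType(),
                VarcharType.createUnboundedVarcharType(),
                VarcharType.createUnboundedVarcharType(),
                VarcharType.createUnboundedVarcharType());
        int width = columnTypes.size();
        Preconditions.checkArgument(
                values.length % width == 0,
                "expected a multiple of %s values but got %s",
                width,
                values.length);
        MaterializedResult.Builder expected = MaterializedResult.resultBuilder(session, columnTypes);
        for (int start = 0; start < values.length; start += width) {
            Object[] row = new Object[width];
            System.arraycopy(values, start, row, 0, width);
            expected.row(row);
        }
        return expected.build();
    }

    /** Runs {@code sql} as user {@code admin} with the {@code admin} role selected. */
    private MaterializedResult executeFromAdmin(String sql) {
        return getQueryRunner().execute(createAdminSession(), sql);
    }

    /** Runs {@code sql} as {@code user} with no connector role selected. */
    private MaterializedResult executeFromUser(String user, String sql) {
        return getQueryRunner().execute(createUserSession(user), sql);
    }

    /** Session for user {@code admin} with the {@code admin} role selected in the Hive catalog. */
    private Session createAdminSession() {
        return createRoleSession("admin", SelectedRole.Type.ROLE, Optional.of("admin"));
    }

    /** Session for {@code user} with no connector role selected. */
    private Session createUserSession(String user) {
        return Session.builder(getSession()).setIdentity(Identity.ofUser(user)).build();
    }

    /** Session for {@code user} carrying the given role selection for the Hive catalog. */
    private Session createRoleSession(String user, SelectedRole.Type type, Optional<String> role) {
        Identity identity = Identity.forUser(user)
                .withConnectorRole(HiveQueryRunner.HIVE_CATALOG, new SelectedRole(type, role))
                .build();
        return Session.builder(getSession()).setIdentity(identity).build();
    }

    // The helpers below splice their arguments into the statement text as bare identifiers.
    // They are meant for the literal names used in this class only.

    private String dropRoleSql(String role) {
        return "DROP ROLE " + role + optionalCatalogDeclaration();
    }

    private String createRoleSql(String role) {
        return "CREATE ROLE " + role + optionalCatalogDeclaration();
    }

    private String grantRoleToUserSql(String role, String user) {
        return "GRANT " + role + " TO USER " + user + optionalCatalogDeclaration();
    }

    private String grantRoleToUserWithAdminSql(String role, String user) {
        return "GRANT " + role + " TO USER " + user + " WITH ADMIN OPTION " + optionalCatalogDeclaration();
    }

    private String grantRoleToRoleSql(String role, String granteeRole) {
        return "GRANT " + role + " TO ROLE " + granteeRole + optionalCatalogDeclaration();
    }

    private String grantRoleToRoleWithAdminSql(String role, String granteeRole) {
        return "GRANT " + role + " TO ROLE " + granteeRole + " WITH ADMIN OPTION " + optionalCatalogDeclaration();
    }

    private String revokeRoleFromUserSql(String role, String user) {
        return "REVOKE " + role + " FROM USER " + user + optionalCatalogDeclaration();
    }

    private String revokeAdminOptionForRoleFromUserSql(String role, String user) {
        return "REVOKE ADMIN OPTION FOR " + role + " FROM USER " + user + optionalCatalogDeclaration();
    }

    private String revokeRoleFromRoleSql(String role, String granteeRole) {
        return "REVOKE " + role + " FROM ROLE " + granteeRole + optionalCatalogDeclaration();
    }

    private String revokeAdminOptionForRoleFromRoleSql(String role, String granteeRole) {
        return "REVOKE ADMIN OPTION FOR " + role + " FROM ROLE " + granteeRole + optionalCatalogDeclaration();
    }

    /** Returns the {@code IN hive} suffix, or an empty string when legacy role commands are enabled. */
    private String optionalCatalogDeclaration() {
        return this.legacyCommands ? "" : " IN hive";
    }
}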
