package io.trino.security;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.io.Resources;
import io.trino.execution.BaseDataDefinitionTaskTest;
import io.trino.metadata.QualifiedObjectName;
import io.trino.plugin.base.security.FileBasedSystemAccessControl;
import io.trino.spi.QueryId;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.testing.TestingEventListenerManager;
import io.trino.transaction.InMemoryTransactionManager;
import io.trino.transaction.TransactionBuilder;
import io.trino.transaction.TransactionManager;
import java.io.File;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.assertj.core.api.Assertions;
import org.assertj.core.util.Files;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:io/trino/security/TestFileBasedSystemAccessControl.class */
public class TestFileBasedSystemAccessControl {
    private static final Identity alice = Identity.forUser("alice").withGroups(ImmutableSet.of("staff")).build();
    private static final Identity kerberosValidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("alice/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosValidNonAsciiUser = Identity.forUser("ƔƔƔ").withPrincipal(new KerberosPrincipal("ƔƔƔ/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosInvalidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("mallory/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosValidShare = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("valid/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosInValidShare = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("invalid/example.com@EXAMPLE.COM")).build();
    private static final Identity validSpecialRegexWildDot = Identity.forUser(".*").withPrincipal(new KerberosPrincipal("special/.*@EXAMPLE.COM")).build();
    private static final Identity validSpecialRegexEndQuote = Identity.forUser("\\E").withPrincipal(new KerberosPrincipal("special/\\E@EXAMPLE.COM")).build();
    private static final Identity invalidSpecialRegex = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("special/.*@EXAMPLE.COM")).build();
    private static final Identity bob = Identity.forUser("bob").withGroups(ImmutableSet.of("staff")).build();
    private static final Identity admin = Identity.forUser("alberto").withEnabledRoles(ImmutableSet.of("admin")).build();
    private static final Identity nonAsciiUser = Identity.forUser("ƔƔƔ").withGroups(ImmutableSet.of("ƔƔƔ")).build();
    private static final Set<String> allCatalogs = ImmutableSet.of("secret", "open-to-all", "all-allowed", "alice-catalog", "ȀȀȀ", "staff-catalog", new String[0]);
    private static final QualifiedObjectName aliceTable = new QualifiedObjectName("alice-catalog", BaseDataDefinitionTaskTest.SCHEMA, "table");
    private static final QualifiedObjectName aliceView = new QualifiedObjectName("alice-catalog", BaseDataDefinitionTaskTest.SCHEMA, "view");
    private static final QualifiedObjectName aliceMaterializedView = new QualifiedObjectName("alice-catalog", BaseDataDefinitionTaskTest.SCHEMA, "materialized-view");
    private static final CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", BaseDataDefinitionTaskTest.SCHEMA);
    private static final QualifiedObjectName staffTable = new QualifiedObjectName("staff-catalog", "schema2", "table");
    private static final QualifiedObjectName staffView = new QualifiedObjectName("staff-catalog", "schema2", "view");
    private static final QualifiedObjectName staffMaterializedView = new QualifiedObjectName("staff-catalog", "schema2", "materialized-view");
    private static final QueryId queryId = new QueryId("query_id");

    @Test
    public void testCanImpersonateUserOperations() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog_impersonation.json");
        newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("alice"), "bob");
        newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("alice"), "charlie");
        try {
            newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("alice"), "admin");
            throw new AssertionError("expected AccessDeniedException");
        } catch (AccessDeniedException e) {
            newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("admin"), "alice");
            newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("admin"), "bob");
            newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("admin"), "anything");
            newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("admin-other"), "anything");
            try {
                newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("admin-test"), "alice");
                throw new AssertionError("expected AccessDeniedException");
            } catch (AccessDeniedException e2) {
                try {
                    newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("invalid"), "alice");
                    throw new AssertionError("expected AccessDeniedException");
                } catch (AccessDeniedException e3) {
                    newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("anything"), "test");
                    try {
                        newAccessControlManager.checkCanImpersonateUser(Identity.ofUser("invalid-other"), "test");
                        throw new AssertionError("expected AccessDeniedException");
                    } catch (AccessDeniedException e4) {
                        newAccessControlManager(createTestTransactionManager, "catalog_principal.json").checkCanImpersonateUser(Identity.ofUser("anything"), "anythingElse");
                    }
                }
            }
        }
    }

    @Test
    public void testDocsExample() {
        AccessControlManager accessControlManager = new AccessControlManager(InMemoryTransactionManager.createTestTransactionManager(), TestingEventListenerManager.emptyEventListenerManager(), new AccessControlConfig(), "default");
        accessControlManager.loadSystemAccessControl("file", ImmutableMap.of("security.config-file", new File("../../docs/src/main/sphinx/security/user-impersonation.json").getAbsolutePath()));
        accessControlManager.checkCanImpersonateUser(admin, "charlie");
        Assertions.assertThatThrownBy(() -> {
            accessControlManager.checkCanImpersonateUser(admin, "bob");
        }).isInstanceOf(AccessDeniedException.class).hasMessageContaining("Access Denied: User alberto cannot impersonate user bob");
        Assertions.assertThatThrownBy(() -> {
            accessControlManager.checkCanImpersonateUser(Identity.ofUser("charlie"), "doris");
        }).isInstanceOf(AccessDeniedException.class).hasMessageContaining("Access Denied: User charlie cannot impersonate user doris");
        accessControlManager.checkCanImpersonateUser(Identity.ofUser("charlie"), "test");
    }

    @Test
    public void testCanSetUserOperations() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog_principal.json");
        try {
            newAccessControlManager.checkCanSetUser(Optional.empty(), alice.getUser());
            throw new AssertionError("expected AccessDeniedExeption");
        } catch (AccessDeniedException e) {
            newAccessControlManager.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
            newAccessControlManager.checkCanSetUser(kerberosValidNonAsciiUser.getPrincipal(), kerberosValidNonAsciiUser.getUser());
            try {
                newAccessControlManager.checkCanSetUser(kerberosInvalidAlice.getPrincipal(), kerberosInvalidAlice.getUser());
                throw new AssertionError("expected AccessDeniedExeption");
            } catch (AccessDeniedException e2) {
                newAccessControlManager.checkCanSetUser(kerberosValidShare.getPrincipal(), kerberosValidShare.getUser());
                try {
                    newAccessControlManager.checkCanSetUser(kerberosInValidShare.getPrincipal(), kerberosInValidShare.getUser());
                    throw new AssertionError("expected AccessDeniedExeption");
                } catch (AccessDeniedException e3) {
                    newAccessControlManager.checkCanSetUser(validSpecialRegexWildDot.getPrincipal(), validSpecialRegexWildDot.getUser());
                    newAccessControlManager.checkCanSetUser(validSpecialRegexEndQuote.getPrincipal(), validSpecialRegexEndQuote.getUser());
                    try {
                        newAccessControlManager.checkCanSetUser(invalidSpecialRegex.getPrincipal(), invalidSpecialRegex.getUser());
                        throw new AssertionError("expected AccessDeniedExeption");
                    } catch (AccessDeniedException e4) {
                        newAccessControlManager(createTestTransactionManager, "catalog.json").checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
                    }
                }
            }
        }
    }

    @Test
    public void testSystemInformation() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "system_information.json");
        newAccessControlManager.checkCanReadSystemInformation(admin);
        newAccessControlManager.checkCanWriteSystemInformation(admin);
        newAccessControlManager.checkCanReadSystemInformation(nonAsciiUser);
        newAccessControlManager.checkCanWriteSystemInformation(nonAsciiUser);
        newAccessControlManager.checkCanReadSystemInformation(admin);
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
                newAccessControlManager.checkCanWriteSystemInformation(alice);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
                newAccessControlManager.checkCanReadSystemInformation(bob);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot read system information");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
                newAccessControlManager.checkCanWriteSystemInformation(bob);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot write system information");
    }

    @Test
    public void testCatalogOperations() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            Assert.assertEquals(newAccessControlManager.filterCatalogs(new SecurityContext(transactionId, admin, queryId), allCatalogs), allCatalogs);
            Assert.assertEquals(newAccessControlManager.filterCatalogs(new SecurityContext(transactionId, alice, queryId), allCatalogs), ImmutableSet.of("open-to-all", "alice-catalog", "all-allowed", "staff-catalog"));
            Assert.assertEquals(newAccessControlManager.filterCatalogs(new SecurityContext(transactionId, bob, queryId), allCatalogs), ImmutableSet.of("open-to-all", "all-allowed", "staff-catalog"));
            Assert.assertEquals(newAccessControlManager.filterCatalogs(new SecurityContext(transactionId, nonAsciiUser, queryId), allCatalogs), ImmutableSet.of("open-to-all", "all-allowed", "ȀȀȀ"));
        });
    }

    @Test
    public void testCatalogOperationsReadOnly() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog_read_only.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            Assert.assertEquals(newAccessControlManager.filterCatalogs(new SecurityContext(transactionId, admin, queryId), allCatalogs), allCatalogs);
            Assert.assertEquals(newAccessControlManager.filterCatalogs(new SecurityContext(transactionId, alice, queryId), allCatalogs), ImmutableSet.of("open-to-all", "alice-catalog", "all-allowed"));
            Assert.assertEquals(newAccessControlManager.filterCatalogs(new SecurityContext(transactionId, bob, queryId), allCatalogs), ImmutableSet.of("open-to-all", "all-allowed"));
            Assert.assertEquals(newAccessControlManager.filterCatalogs(new SecurityContext(transactionId, nonAsciiUser, queryId), allCatalogs), ImmutableSet.of("open-to-all", "all-allowed", "ȀȀȀ"));
        });
    }

    @Test
    public void testSchemaOperations() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            ImmutableSet of = ImmutableSet.of(BaseDataDefinitionTaskTest.SCHEMA);
            Assert.assertEquals(newAccessControlManager.filterSchemas(new SecurityContext(transactionId, alice, queryId), "alice-catalog", of), of);
            Assert.assertEquals(newAccessControlManager.filterSchemas(new SecurityContext(transactionId, bob, queryId), "alice-catalog", of), ImmutableSet.of());
            newAccessControlManager.checkCanCreateSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema);
            newAccessControlManager.checkCanDropSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema);
            newAccessControlManager.checkCanRenameSchema(new SecurityContext(transactionId, alice, queryId), aliceSchema, "new-schema");
            newAccessControlManager.checkCanShowSchemas(new SecurityContext(transactionId, alice, queryId), "alice-catalog");
        });
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateSchema(new SecurityContext(transactionId2, bob, queryId), aliceSchema);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
    }

    @Test
    public void testSchemaOperationsReadOnly() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog_read_only.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            ImmutableSet of = ImmutableSet.of(BaseDataDefinitionTaskTest.SCHEMA);
            Assert.assertEquals(newAccessControlManager.filterSchemas(new SecurityContext(transactionId, alice, queryId), "alice-catalog", of), of);
            Assert.assertEquals(newAccessControlManager.filterSchemas(new SecurityContext(transactionId, bob, queryId), "alice-catalog", of), ImmutableSet.of());
            newAccessControlManager.checkCanShowSchemas(new SecurityContext(transactionId, alice, queryId), "alice-catalog");
        });
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateSchema(new SecurityContext(transactionId2, alice, queryId), aliceSchema);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot create schema alice-catalog.schema");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanDropSchema(new SecurityContext(transactionId2, alice, queryId), aliceSchema);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot drop schema alice-catalog.schema");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanRenameSchema(new SecurityContext(transactionId2, alice, queryId), aliceSchema, "new-schema");
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot rename schema from alice-catalog.schema to new-schema");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateSchema(new SecurityContext(transactionId2, bob, queryId), aliceSchema);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
    }

    @Test
    public void testTableOperations() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            ImmutableSet of = ImmutableSet.of(new SchemaTableName(BaseDataDefinitionTaskTest.SCHEMA, "table"));
            SecurityContext securityContext = new SecurityContext(transactionId, alice, queryId);
            SecurityContext securityContext2 = new SecurityContext(transactionId, bob, queryId);
            SecurityContext securityContext3 = new SecurityContext(transactionId, nonAsciiUser, queryId);
            Assert.assertEquals(newAccessControlManager.filterTables(securityContext, "alice-catalog", of), of);
            Assert.assertEquals(newAccessControlManager.filterTables(securityContext, "staff-catalog", of), of);
            Assert.assertEquals(newAccessControlManager.filterTables(securityContext2, "alice-catalog", of), ImmutableSet.of());
            Assert.assertEquals(newAccessControlManager.filterTables(securityContext2, "staff-catalog", of), of);
            Assert.assertEquals(newAccessControlManager.filterTables(securityContext3, "alice-catalog", of), ImmutableSet.of());
            Assert.assertEquals(newAccessControlManager.filterTables(securityContext3, "staff-catalog", of), ImmutableSet.of());
            newAccessControlManager.checkCanCreateTable(securityContext, aliceTable, Map.of());
            newAccessControlManager.checkCanDropTable(securityContext, aliceTable);
            newAccessControlManager.checkCanTruncateTable(securityContext, aliceTable);
            newAccessControlManager.checkCanSelectFromColumns(securityContext, aliceTable, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext, aliceTable, ImmutableSet.of());
            newAccessControlManager.checkCanInsertIntoTable(securityContext, aliceTable);
            newAccessControlManager.checkCanDeleteFromTable(securityContext, aliceTable);
            newAccessControlManager.checkCanSetTableProperties(securityContext, aliceTable, ImmutableMap.of());
            newAccessControlManager.checkCanAddColumns(securityContext, aliceTable);
            newAccessControlManager.checkCanRenameColumn(securityContext, aliceTable);
            newAccessControlManager.checkCanCreateTable(securityContext, staffTable, Map.of());
            newAccessControlManager.checkCanDropTable(securityContext, staffTable);
            newAccessControlManager.checkCanTruncateTable(securityContext, staffTable);
            newAccessControlManager.checkCanSelectFromColumns(securityContext, staffTable, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext, staffTable, ImmutableSet.of());
            newAccessControlManager.checkCanInsertIntoTable(securityContext, staffTable);
            newAccessControlManager.checkCanDeleteFromTable(securityContext, staffTable);
            newAccessControlManager.checkCanSetTableProperties(securityContext, staffTable, ImmutableMap.of());
            newAccessControlManager.checkCanAddColumns(securityContext, staffTable);
            newAccessControlManager.checkCanRenameColumn(securityContext, staffTable);
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateTable(securityContext2, aliceTable, Map.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDropTable(securityContext2, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanTruncateTable(securityContext2, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSelectFromColumns(securityContext2, aliceTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext2, aliceTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanInsertIntoTable(securityContext2, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDeleteFromTable(securityContext2, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSetTableProperties(securityContext2, aliceTable, ImmutableMap.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanAddColumns(securityContext2, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanRenameColumn(securityContext2, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            newAccessControlManager.checkCanCreateTable(securityContext2, staffTable, Map.of());
            newAccessControlManager.checkCanDropTable(securityContext2, staffTable);
            newAccessControlManager.checkCanTruncateTable(securityContext2, staffTable);
            newAccessControlManager.checkCanSelectFromColumns(securityContext2, staffTable, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext2, staffTable, ImmutableSet.of());
            newAccessControlManager.checkCanInsertIntoTable(securityContext2, staffTable);
            newAccessControlManager.checkCanDeleteFromTable(securityContext2, staffTable);
            newAccessControlManager.checkCanSetTableProperties(securityContext2, staffTable, ImmutableMap.of());
            newAccessControlManager.checkCanAddColumns(securityContext2, staffTable);
            newAccessControlManager.checkCanRenameColumn(securityContext2, staffTable);
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateTable(securityContext3, aliceTable, Map.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDropTable(securityContext3, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanTruncateTable(securityContext3, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSelectFromColumns(securityContext3, aliceTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext3, aliceTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanInsertIntoTable(securityContext3, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDeleteFromTable(securityContext3, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSetTableProperties(securityContext3, aliceTable, ImmutableMap.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanAddColumns(securityContext3, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanRenameColumn(securityContext3, aliceTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateTable(securityContext3, staffTable, Map.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDropTable(securityContext3, staffTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanTruncateTable(securityContext3, staffTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSelectFromColumns(securityContext3, staffTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext3, staffTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanInsertIntoTable(securityContext3, staffTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDeleteFromTable(securityContext3, staffTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSetTableProperties(securityContext3, staffTable, ImmutableMap.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanAddColumns(securityContext3, staffTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanRenameColumn(securityContext3, staffTable);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        });
    }

    @Test
    public void testTableOperationsReadOnly() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog_read_only.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            ImmutableSet of = ImmutableSet.of(new SchemaTableName(BaseDataDefinitionTaskTest.SCHEMA, "table"));
            Assert.assertEquals(newAccessControlManager.filterTables(new SecurityContext(transactionId, alice, queryId), "alice-catalog", of), of);
            Assert.assertEquals(newAccessControlManager.filterTables(new SecurityContext(transactionId, bob, queryId), "alice-catalog", of), ImmutableSet.of());
            newAccessControlManager.checkCanSelectFromColumns(new SecurityContext(transactionId, alice, queryId), aliceTable, ImmutableSet.of());
        });
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateTable(new SecurityContext(transactionId2, alice, queryId), aliceTable, Map.of());
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot create table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanDropTable(new SecurityContext(transactionId2, alice, queryId), aliceTable);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot drop table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanTruncateTable(new SecurityContext(transactionId2, alice, queryId), aliceTable);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot truncate table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanInsertIntoTable(new SecurityContext(transactionId2, alice, queryId), aliceTable);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot insert into table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanDeleteFromTable(new SecurityContext(transactionId2, alice, queryId), aliceTable);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot delete from table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanSetTableProperties(new SecurityContext(transactionId2, alice, queryId), aliceTable, ImmutableMap.of());
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot set table properties to alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanAddColumns(new SecurityContext(transactionId2, alice, queryId), aliceTable);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot add a column to table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanRenameColumn(new SecurityContext(transactionId2, alice, queryId), aliceTable);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot rename a column in table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateTable(new SecurityContext(transactionId2, bob, queryId), aliceTable, Map.of());
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
    }

    @Test
    public void testViewOperations() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            SecurityContext securityContext = new SecurityContext(transactionId, alice, queryId);
            SecurityContext securityContext2 = new SecurityContext(transactionId, bob, queryId);
            SecurityContext securityContext3 = new SecurityContext(transactionId, nonAsciiUser, queryId);
            newAccessControlManager.checkCanCreateView(securityContext, aliceView);
            newAccessControlManager.checkCanDropView(securityContext, aliceView);
            newAccessControlManager.checkCanSelectFromColumns(securityContext, aliceView, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext, aliceTable, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext, aliceView, ImmutableSet.of());
            newAccessControlManager.checkCanSetCatalogSessionProperty(securityContext, "alice-catalog", "property");
            newAccessControlManager.checkCanGrantTablePrivilege(securityContext, Privilege.SELECT, aliceTable, new TrinoPrincipal(PrincipalType.USER, "grantee"), true);
            newAccessControlManager.checkCanRevokeTablePrivilege(securityContext, Privilege.SELECT, aliceTable, new TrinoPrincipal(PrincipalType.USER, "revokee"), true);
            newAccessControlManager.checkCanCreateView(securityContext, staffView);
            newAccessControlManager.checkCanDropView(securityContext, staffView);
            newAccessControlManager.checkCanSelectFromColumns(securityContext, staffView, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext, staffTable, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext, staffView, ImmutableSet.of());
            newAccessControlManager.checkCanSetCatalogSessionProperty(securityContext, "alice-catalog", "property");
            newAccessControlManager.checkCanGrantTablePrivilege(securityContext, Privilege.SELECT, staffTable, new TrinoPrincipal(PrincipalType.USER, "grantee"), true);
            newAccessControlManager.checkCanRevokeTablePrivilege(securityContext, Privilege.SELECT, staffTable, new TrinoPrincipal(PrincipalType.USER, "revokee"), true);
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateView(securityContext2, aliceView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDropView(securityContext2, aliceView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSelectFromColumns(securityContext2, aliceView, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext2, aliceTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext2, aliceView, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSetCatalogSessionProperty(securityContext2, "alice-catalog", "property");
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanGrantTablePrivilege(securityContext2, Privilege.SELECT, aliceTable, new TrinoPrincipal(PrincipalType.USER, "grantee"), true);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanRevokeTablePrivilege(securityContext2, Privilege.SELECT, aliceTable, new TrinoPrincipal(PrincipalType.USER, "revokee"), true);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            newAccessControlManager.checkCanCreateView(securityContext2, staffView);
            newAccessControlManager.checkCanDropView(securityContext2, staffView);
            newAccessControlManager.checkCanSelectFromColumns(securityContext2, staffView, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext2, staffTable, ImmutableSet.of());
            newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext2, staffView, ImmutableSet.of());
            newAccessControlManager.checkCanSetCatalogSessionProperty(securityContext2, "staff-catalog", "property");
            newAccessControlManager.checkCanGrantTablePrivilege(securityContext2, Privilege.SELECT, staffTable, new TrinoPrincipal(PrincipalType.USER, "grantee"), true);
            newAccessControlManager.checkCanRevokeTablePrivilege(securityContext2, Privilege.SELECT, staffTable, new TrinoPrincipal(PrincipalType.USER, "revokee"), true);
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateView(securityContext3, aliceView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDropView(securityContext3, aliceView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSelectFromColumns(securityContext3, aliceView, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext3, aliceTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext3, aliceView, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSetCatalogSessionProperty(securityContext3, "alice-catalog", "property");
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanGrantTablePrivilege(securityContext3, Privilege.SELECT, aliceTable, new TrinoPrincipal(PrincipalType.USER, "grantee"), true);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanRevokeTablePrivilege(securityContext3, Privilege.SELECT, aliceTable, new TrinoPrincipal(PrincipalType.USER, "revokee"), true);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateView(securityContext3, staffView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDropView(securityContext3, staffView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSelectFromColumns(securityContext3, staffView, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext3, staffTable, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateViewWithSelectFromColumns(securityContext3, staffView, ImmutableSet.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSetCatalogSessionProperty(securityContext3, "staff-catalog", "property");
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanGrantTablePrivilege(securityContext3, Privilege.SELECT, staffTable, new TrinoPrincipal(PrincipalType.USER, "grantee"), true);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanRevokeTablePrivilege(securityContext3, Privilege.SELECT, staffTable, new TrinoPrincipal(PrincipalType.USER, "revokee"), true);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog staff-catalog");
        });
    }

    @Test
    public void testViewOperationsReadOnly() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog_read_only.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            SecurityContext securityContext = new SecurityContext(transactionId, alice, queryId);
            newAccessControlManager.checkCanSelectFromColumns(securityContext, aliceView, ImmutableSet.of());
            newAccessControlManager.checkCanSetCatalogSessionProperty(securityContext, "alice-catalog", "property");
        });
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateView(new SecurityContext(transactionId2, alice, queryId), aliceView);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot create view alice-catalog.schema.view");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanDropView(new SecurityContext(transactionId2, alice, queryId), aliceView);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot drop view alice-catalog.schema.view");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanGrantTablePrivilege(new SecurityContext(transactionId2, alice, queryId), Privilege.SELECT, aliceTable, new TrinoPrincipal(PrincipalType.USER, "grantee"), true);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot grant privilege SELECT on table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanRevokeTablePrivilege(new SecurityContext(transactionId2, alice, queryId), Privilege.SELECT, aliceTable, new TrinoPrincipal(PrincipalType.USER, "revokee"), true);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot revoke privilege SELECT on table alice-catalog.schema.table");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateView(new SecurityContext(transactionId2, bob, queryId), aliceView);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
    }

    @Test
    public void testMaterializedViewAccess() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            SecurityContext securityContext = new SecurityContext(transactionId, alice, queryId);
            SecurityContext securityContext2 = new SecurityContext(transactionId, bob, queryId);
            SecurityContext securityContext3 = new SecurityContext(transactionId, nonAsciiUser, queryId);
            newAccessControlManager.checkCanCreateMaterializedView(securityContext, aliceMaterializedView, Map.of());
            newAccessControlManager.checkCanDropMaterializedView(securityContext, aliceMaterializedView);
            newAccessControlManager.checkCanRefreshMaterializedView(securityContext, aliceMaterializedView);
            newAccessControlManager.checkCanSetMaterializedViewProperties(securityContext, aliceMaterializedView, ImmutableMap.of());
            newAccessControlManager.checkCanCreateMaterializedView(securityContext, staffMaterializedView, Map.of());
            newAccessControlManager.checkCanDropMaterializedView(securityContext, staffMaterializedView);
            newAccessControlManager.checkCanRefreshMaterializedView(securityContext, staffMaterializedView);
            newAccessControlManager.checkCanSetMaterializedViewProperties(securityContext, staffMaterializedView, ImmutableMap.of());
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateMaterializedView(securityContext2, aliceMaterializedView, Map.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDropMaterializedView(securityContext2, aliceMaterializedView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanRefreshMaterializedView(securityContext2, aliceMaterializedView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSetMaterializedViewProperties(securityContext2, aliceMaterializedView, ImmutableMap.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            newAccessControlManager.checkCanCreateMaterializedView(securityContext2, staffMaterializedView, Map.of());
            newAccessControlManager.checkCanDropMaterializedView(securityContext2, staffMaterializedView);
            newAccessControlManager.checkCanRefreshMaterializedView(securityContext2, staffMaterializedView);
            newAccessControlManager.checkCanSetMaterializedViewProperties(securityContext2, staffMaterializedView, ImmutableMap.of());
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanCreateMaterializedView(securityContext3, aliceMaterializedView, Map.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanDropMaterializedView(securityContext3, aliceMaterializedView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanRefreshMaterializedView(securityContext3, aliceMaterializedView);
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
            Assertions.assertThatThrownBy(() -> {
                newAccessControlManager.checkCanSetMaterializedViewProperties(securityContext3, aliceMaterializedView, ImmutableMap.of());
            }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        });
    }

    @Test
    public void testReadOnlyMaterializedViewAccess() {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager newAccessControlManager = newAccessControlManager(createTestTransactionManager, "catalog_read_only.json");
        TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId -> {
            SecurityContext securityContext = new SecurityContext(transactionId, alice, queryId);
            newAccessControlManager.checkCanSelectFromColumns(securityContext, aliceMaterializedView, ImmutableSet.of());
            newAccessControlManager.checkCanSetCatalogSessionProperty(securityContext, "alice-catalog", "property");
        });
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateMaterializedView(new SecurityContext(transactionId2, alice, queryId), aliceMaterializedView, Map.of());
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot create materialized view alice-catalog.schema.materialized-view");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanDropMaterializedView(new SecurityContext(transactionId2, alice, queryId), aliceMaterializedView);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot drop materialized view alice-catalog.schema.materialized-view");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanRefreshMaterializedView(new SecurityContext(transactionId2, alice, queryId), aliceMaterializedView);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot refresh materialized view alice-catalog.schema.materialized-view");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanSetMaterializedViewProperties(new SecurityContext(transactionId2, alice, queryId), aliceMaterializedView, ImmutableMap.of());
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot set properties of materialized view alice-catalog.schema.materialized-view");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanCreateMaterializedView(new SecurityContext(transactionId2, bob, queryId), aliceMaterializedView, Map.of());
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanRefreshMaterializedView(new SecurityContext(transactionId2, bob, queryId), aliceMaterializedView);
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, newAccessControlManager).execute(transactionId2 -> {
                newAccessControlManager.checkCanSetMaterializedViewProperties(new SecurityContext(transactionId2, bob, queryId), aliceMaterializedView, ImmutableMap.of());
            });
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: Cannot access catalog alice-catalog");
    }

    @Test
    public void testRefreshing() throws Exception {
        TransactionManager createTestTransactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager accessControlManager = new AccessControlManager(createTestTransactionManager, TestingEventListenerManager.emptyEventListenerManager(), new AccessControlConfig(), "default");
        File newTemporaryFile = Files.newTemporaryFile();
        newTemporaryFile.deleteOnExit();
        com.google.common.io.Files.copy(new File(getResourcePath("catalog.json")), newTemporaryFile);
        accessControlManager.loadSystemAccessControl("file", ImmutableMap.of("security.config-file", newTemporaryFile.getAbsolutePath(), "security.refresh-period", "1ms"));
        TransactionBuilder.transaction(createTestTransactionManager, accessControlManager).execute(transactionId -> {
            accessControlManager.checkCanCreateView(new SecurityContext(transactionId, alice, queryId), aliceView);
            accessControlManager.checkCanCreateView(new SecurityContext(transactionId, alice, queryId), aliceView);
            accessControlManager.checkCanCreateView(new SecurityContext(transactionId, alice, queryId), aliceView);
        });
        com.google.common.io.Files.copy(new File(getResourcePath("security-config-file-with-unknown-rules.json")), newTemporaryFile);
        Thread.sleep(2L);
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, accessControlManager).execute(transactionId2 -> {
                accessControlManager.checkCanCreateView(new SecurityContext(transactionId2, alice, queryId), aliceView);
            });
        }).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
        Assertions.assertThatThrownBy(() -> {
            TransactionBuilder.transaction(createTestTransactionManager, accessControlManager).execute(transactionId2 -> {
                accessControlManager.checkCanCreateView(new SecurityContext(transactionId2, alice, queryId), aliceView);
            });
        }).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
        com.google.common.io.Files.copy(new File(getResourcePath("catalog.json")), newTemporaryFile);
        Thread.sleep(2L);
        TransactionBuilder.transaction(createTestTransactionManager, accessControlManager).execute(transactionId2 -> {
            accessControlManager.checkCanCreateView(new SecurityContext(transactionId2, alice, queryId), aliceView);
        });
    }

    @Test
    public void testAllowModeIsRequired() {
        Assertions.assertThatThrownBy(() -> {
            newAccessControlManager(InMemoryTransactionManager.createTestTransactionManager(), "catalog_allow_unset.json");
        }).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
    }

    @Test
    public void testAllowModeInvalidValue() {
        Assertions.assertThatThrownBy(() -> {
            newAccessControlManager(InMemoryTransactionManager.createTestTransactionManager(), "catalog_invalid_allow_value.json");
        }).isInstanceOf(IllegalArgumentException.class).hasMessageStartingWith("Invalid JSON file");
    }

    private AccessControlManager newAccessControlManager(TransactionManager transactionManager, String str) {
        AccessControlManager accessControlManager = new AccessControlManager(transactionManager, TestingEventListenerManager.emptyEventListenerManager(), new AccessControlConfig(), "default");
        accessControlManager.loadSystemAccessControl("file", ImmutableMap.of("security.config-file", getResourcePath(str)));
        return accessControlManager;
    }

    private String getResourcePath(String str) {
        try {
            return new File(Resources.getResource(str).toURI()).getPath();
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    @Test
    public void parseUnknownRules() {
        Assertions.assertThatThrownBy(() -> {
            parse("src/test/resources/security-config-file-with-unknown-rules.json");
        }).hasMessageContaining("Invalid JSON");
    }

    private void parse(String str) {
        new FileBasedSystemAccessControl.Factory().create(ImmutableMap.of("security.config-file", str));
    }
}
