package io.trino.plugin.opa;

import io.trino.plugin.blackhole.BlackHolePlugin;
import java.io.IOException;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestInstance;
import org.testcontainers.junit.jupiter.Container;
import org.testcontainers.junit.jupiter.Testcontainers;

@Testcontainers
@TestInstance(TestInstance.Lifecycle.PER_CLASS)
/* loaded from: input_file:io/trino/plugin/opa/TestOpaAccessControlSystem.class */
public class TestOpaAccessControlSystem {
    private QueryRunnerHelper runner;
    private static final String OPA_ALLOW_POLICY_NAME = "allow";
    private static final String OPA_BATCH_ALLOW_POLICY_NAME = "batchAllow";

    @Container
    private static final OpaContainer OPA_CONTAINER = new OpaContainer();

    @DisplayName("Batched Authorizer Tests")
    @TestInstance(TestInstance.Lifecycle.PER_CLASS)
    @Nested
    /* loaded from: input_file:io/trino/plugin/opa/TestOpaAccessControlSystem$BatchedAuthorizerTests.class */
    class BatchedAuthorizerTests {
        BatchedAuthorizerTests() {
        }

        @BeforeAll
        public void setupTrino() {
            TestOpaAccessControlSystem.this.setupTrinoWithOpa(new OpaConfig().setOpaUri(TestOpaAccessControlSystem.OPA_CONTAINER.getOpaUriForPolicyPath(TestOpaAccessControlSystem.OPA_ALLOW_POLICY_NAME)).setOpaBatchUri(TestOpaAccessControlSystem.OPA_CONTAINER.getOpaUriForPolicyPath(TestOpaAccessControlSystem.OPA_BATCH_ALLOW_POLICY_NAME)));
        }

        @AfterAll
        public void teardown() {
            if (TestOpaAccessControlSystem.this.runner != null) {
                TestOpaAccessControlSystem.this.runner.teardown();
            }
        }

        @Test
        public void testFilterOutItemsBatch() throws IOException, InterruptedException {
            TestOpaAccessControlSystem.OPA_CONTAINER.submitPolicy("package trino\nimport future.keywords.in\nimport future.keywords.if\ndefault allow = false\n\nallow if is_admin\n\nallow {\n    is_bob\n    input.action.operation in [\"AccessCatalog\", \"ExecuteQuery\", \"ImpersonateUser\", \"ShowSchemas\", \"SelectFromColumns\"]\n}\n\nis_bob {\n    input.context.identity.user == \"bob\"\n}\n\nis_admin {\n    input.context.identity.user == \"admin\"\n}\n\nbatchAllow[i] {\n    some i\n    is_bob\n    input.action.operation == \"FilterCatalogs\"\n    input.action.filterResources[i].catalog.name == \"catalog_one\"\n}\n\nbatchAllow[i] {\n    some i\n    input.action.filterResources[i]\n    is_admin\n}\n");
            Assertions.assertThat(TestOpaAccessControlSystem.this.runner.querySetOfStrings("bob", "SHOW CATALOGS")).containsExactlyInAnyOrder(new String[]{"catalog_one"});
            Assertions.assertThat(TestOpaAccessControlSystem.this.runner.querySetOfStrings("admin", "SHOW CATALOGS")).containsExactlyInAnyOrder(new String[]{"catalog_one", "catalog_two", "system"});
        }

        @Test
        public void testDenyUnbatchedQuery() throws IOException, InterruptedException {
            TestOpaAccessControlSystem.OPA_CONTAINER.submitPolicy("package trino\nimport future.keywords.in\ndefault allow = false\n");
            Assertions.assertThatThrownBy(() -> {
                TestOpaAccessControlSystem.this.runner.querySetOfStrings("bob", "SELECT version()");
            }).isInstanceOf(RuntimeException.class).hasMessageContaining("Access Denied");
        }

        @Test
        public void testAllowUnbatchedQuery() throws IOException, InterruptedException {
            TestOpaAccessControlSystem.OPA_CONTAINER.submitPolicy("package trino\nimport future.keywords.in\ndefault allow = false\nallow {\n    input.context.identity.user == \"bob\"\n    input.action.operation in [\"ImpersonateUser\", \"ExecuteFunction\", \"AccessCatalog\", \"ExecuteQuery\"]\n}\n");
            Assertions.assertThat(TestOpaAccessControlSystem.this.runner.querySetOfStrings("bob", "SELECT version()")).isNotEmpty();
        }
    }

    @DisplayName("Unbatched Authorizer Tests")
    @TestInstance(TestInstance.Lifecycle.PER_CLASS)
    @Nested
    /* loaded from: input_file:io/trino/plugin/opa/TestOpaAccessControlSystem$UnbatchedAuthorizerTests.class */
    class UnbatchedAuthorizerTests {
        UnbatchedAuthorizerTests() {
        }

        @BeforeAll
        public void setupTrino() {
            TestOpaAccessControlSystem.this.setupTrinoWithOpa(new OpaConfig().setOpaUri(TestOpaAccessControlSystem.OPA_CONTAINER.getOpaUriForPolicyPath(TestOpaAccessControlSystem.OPA_ALLOW_POLICY_NAME)));
        }

        @AfterAll
        public void teardown() {
            TestOpaAccessControlSystem.this.runner.teardown();
        }

        @Test
        public void testAllowsQueryAndFilters() throws IOException, InterruptedException {
            TestOpaAccessControlSystem.OPA_CONTAINER.submitPolicy("package trino\nimport future.keywords.in\nimport future.keywords.if\n\ndefault allow = false\nallow {\n  is_bob\n  can_be_accessed_by_bob\n}\nallow if is_admin\n\nis_admin {\n  input.context.identity.user == \"admin\"\n}\nis_bob {\n  input.context.identity.user == \"bob\"\n}\ncan_be_accessed_by_bob {\n  input.action.operation in [\"ImpersonateUser\", \"ExecuteQuery\"]\n}\ncan_be_accessed_by_bob {\n  input.action.operation in [\"FilterCatalogs\", \"AccessCatalog\"]\n  input.action.resource.catalog.name == \"catalog_one\"\n}\n");
            Assertions.assertThat(TestOpaAccessControlSystem.this.runner.querySetOfStrings("bob", "SHOW CATALOGS")).containsExactlyInAnyOrder(new String[]{"catalog_one"});
            Assertions.assertThat(TestOpaAccessControlSystem.this.runner.querySetOfStrings("admin", "SHOW CATALOGS")).containsExactlyInAnyOrder(new String[]{"catalog_one", "catalog_two", "system"});
        }

        @Test
        public void testShouldDenyQueryIfDirected() throws IOException, InterruptedException {
            TestOpaAccessControlSystem.OPA_CONTAINER.submitPolicy("package trino\nimport future.keywords.in\ndefault allow = false\n\nallow {\n    input.context.identity.user in [\"someone\", \"admin\"]\n}\n");
            Assertions.assertThatThrownBy(() -> {
                TestOpaAccessControlSystem.this.runner.querySetOfStrings("bob", "SHOW CATALOGS");
            }).isInstanceOf(RuntimeException.class).hasMessageContaining("Access Denied");
            TestOpaAccessControlSystem.this.runner.querySetOfStrings("admin", "SHOW CATALOGS");
        }
    }

    private void setupTrinoWithOpa(OpaConfig opaConfig) {
        this.runner = QueryRunnerHelper.withOpaConfig(opaConfig);
        this.runner.getBaseQueryRunner().installPlugin(new BlackHolePlugin());
        this.runner.getBaseQueryRunner().createCatalog("catalog_one", "blackhole");
        this.runner.getBaseQueryRunner().createCatalog("catalog_two", "blackhole");
    }
}
