package io.trino.plugin.opa;

import com.fasterxml.jackson.databind.JsonNode;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.trino.plugin.opa.HttpClientUtils;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.SchemaFunctionName;
import io.trino.spi.security.Identity;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/trino/plugin/opa/TestOpaAccessControlFiltering.class */
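/**
 * Tests the {@code filter*} methods of {@link OpaAccessControl} against a mock OPA HTTP endpoint.
 *
 * <p>Each test checks three properties that matter for an authorization filter:
 * <ol>
 *   <li>the method is passed to {@code TestHelpers.assertAccessControlMethodThrowsForIllegalResponses};
 *       judging by its name, that helper checks the call throws when the policy server answers with
 *       an illegal response (the helper body is not in this file, so confirm there);</li>
 *   <li>an empty candidate set produces an empty result and sends no request to the policy server;</li>
 *   <li>with a mock policy that allows only specific values, the result holds exactly the allowed
 *       items, and the requests recorded by the mock client are one per candidate item.</li>
 * </ol>
 *
 * <p>Generic type arguments are spelled out (no raw types or unchecked casts), so the compiler checks
 * that the expected-request sets really are sets of strings and the filtered results have the element
 * type the assertions compare against.
 */
public class TestOpaAccessControlFiltering {
    /** JSON pointer under which the recorded requests are compared with the expected documents. */
    private static final String ACTION_PATH = "/input/action";

    /** Only {@code user-one} is allowed by the mock policy; {@code user-two} must be dropped. */
    @Test
    public void testFilterViewQueryOwnedBy() {
        Identity userOne = Identity.ofUser("user-one");
        ImmutableList<Identity> owners = ImmutableList.of(userOne, Identity.ofUser("user-two"));

        TestHelpers.assertAccessControlMethodThrowsForIllegalResponses(authorizer -> {
            authorizer.filterViewQueryOwnedBy(TestConstants.TEST_IDENTITY, owners);
        }, TestConstants.simpleOpaConfig(), TestConstants.OPA_SERVER_URI);
        assertFilteringAccessControlMethodDoesNotSendRequests(
                authorizer -> authorizer.filterViewQueryOwnedBy(TestConstants.TEST_IDENTITY, ImmutableList.<Identity>of()));

        HttpClientUtils.InstrumentedHttpClient mockClient = TestHelpers.createMockHttpClient(
                TestConstants.OPA_SERVER_URI,
                buildHandler("/input/action/resource/user/user", "user-one"));
        OpaAccessControl authorizer = TestHelpers.createOpaAuthorizer(TestConstants.simpleOpaConfig(), mockClient);

        Assertions.assertThat(authorizer.filterViewQueryOwnedBy(TestConstants.TEST_IDENTITY, owners))
                .containsExactly(userOne);

        // Both owners must have been sent for a decision, including the one that was denied.
        Set<String> expectedRequests = ImmutableSet.of(
                "{\n    \"operation\": \"FilterViewQueryOwnedBy\",\n    \"resource\": {\n        \"user\": {\n            \"user\": \"user-one\",\n            \"groups\": []\n        }\n    }\n}\n",
                "{\n    \"operation\": \"FilterViewQueryOwnedBy\",\n    \"resource\": {\n        \"user\": {\n            \"user\": \"user-two\",\n            \"groups\": []\n        }\n    }\n}\n");
        RequestTestUtilities.assertStringRequestsEqual(expectedRequests, mockClient.getRequests(), ACTION_PATH);
    }

    /** Only {@code catalog_two} is allowed by the mock policy. */
    @Test
    public void testFilterCatalogs() {
        ImmutableSet<String> catalogs = ImmutableSet.of("catalog_one", "catalog_two");

        TestHelpers.assertAccessControlMethodThrowsForIllegalResponses(authorizer -> {
            authorizer.filterCatalogs(TestConstants.TEST_SECURITY_CONTEXT, catalogs);
        }, TestConstants.simpleOpaConfig(), TestConstants.OPA_SERVER_URI);
        assertFilteringAccessControlMethodDoesNotSendRequests(
                authorizer -> authorizer.filterCatalogs(TestConstants.TEST_SECURITY_CONTEXT, ImmutableSet.<String>of()));

        HttpClientUtils.InstrumentedHttpClient mockClient = TestHelpers.createMockHttpClient(
                TestConstants.OPA_SERVER_URI,
                buildHandler("/input/action/resource/catalog/name", "catalog_two"));
        OpaAccessControl authorizer = TestHelpers.createOpaAuthorizer(TestConstants.simpleOpaConfig(), mockClient);

        Assertions.assertThat(authorizer.filterCatalogs(TestConstants.TEST_SECURITY_CONTEXT, catalogs))
                .containsExactly("catalog_two");

        Set<String> expectedRequests = ImmutableSet.of(
                "{\n    \"operation\": \"FilterCatalogs\",\n    \"resource\": {\n        \"catalog\": {\n            \"name\": \"catalog_one\"\n        }\n    }\n}\n",
                "{\n    \"operation\": \"FilterCatalogs\",\n    \"resource\": {\n        \"catalog\": {\n            \"name\": \"catalog_two\"\n        }\n    }\n}\n");
        RequestTestUtilities.assertStringRequestsEqual(expectedRequests, mockClient.getRequests(), ACTION_PATH);
    }

    /** Only {@code schema_one} is allowed; every request must carry the catalog being filtered. */
    @Test
    public void testFilterSchemas() {
        ImmutableSet<String> schemas = ImmutableSet.of("schema_one", "schema_two");

        TestHelpers.assertAccessControlMethodThrowsForIllegalResponses(authorizer -> {
            authorizer.filterSchemas(TestConstants.TEST_SECURITY_CONTEXT, "some_catalog", schemas);
        }, TestConstants.simpleOpaConfig(), TestConstants.OPA_SERVER_URI);
        assertFilteringAccessControlMethodDoesNotSendRequests(
                authorizer -> authorizer.filterSchemas(TestConstants.TEST_SECURITY_CONTEXT, "some_catalog", ImmutableSet.<String>of()));

        HttpClientUtils.InstrumentedHttpClient mockClient = TestHelpers.createMockHttpClient(
                TestConstants.OPA_SERVER_URI,
                buildHandler("/input/action/resource/schema/schemaName", "schema_one"));
        OpaAccessControl authorizer = TestHelpers.createOpaAuthorizer(TestConstants.simpleOpaConfig(), mockClient);

        Assertions.assertThat(authorizer.filterSchemas(TestConstants.TEST_SECURITY_CONTEXT, "my_catalog", schemas))
                .containsExactly("schema_one");

        // Single template for the expected documents; previously the literal was declared once,
        // left unused, and repeated inside the lambda.
        String expectedRequestTemplate = "{\n    \"operation\": \"FilterSchemas\",\n    \"resource\": {\n        \"schema\": {\n            \"schemaName\": \"%s\",\n            \"catalogName\": \"my_catalog\"\n        }\n    }\n}\n";
        Set<String> expectedRequests = schemas.stream()
                .map(schemaName -> expectedRequestTemplate.formatted(schemaName))
                .collect(ImmutableSet.toImmutableSet());
        RequestTestUtilities.assertStringRequestsEqual(expectedRequests, mockClient.getRequests(), ACTION_PATH);
    }

    /**
     * The mock policy decides on the table name alone, so {@code table_one} is expected to survive in
     * both schemas and {@code table_two} in neither.
     */
    @Test
    public void testFilterTables() {
        ImmutableSet<SchemaTableName> tables = ImmutableSet.of(
                new SchemaTableName("schema_one", "table_one"),
                new SchemaTableName("schema_one", "table_two"),
                new SchemaTableName("schema_two", "table_one"),
                new SchemaTableName("schema_two", "table_two"));

        TestHelpers.assertAccessControlMethodThrowsForIllegalResponses(authorizer -> {
            authorizer.filterTables(TestConstants.TEST_SECURITY_CONTEXT, "some_catalog", tables);
        }, TestConstants.simpleOpaConfig(), TestConstants.OPA_SERVER_URI);
        assertFilteringAccessControlMethodDoesNotSendRequests(
                authorizer -> authorizer.filterTables(TestConstants.TEST_SECURITY_CONTEXT, "some_catalog", ImmutableSet.<SchemaTableName>of()));

        HttpClientUtils.InstrumentedHttpClient mockClient = TestHelpers.createMockHttpClient(
                TestConstants.OPA_SERVER_URI,
                buildHandler("/input/action/resource/table/tableName", "table_one"));
        OpaAccessControl authorizer = TestHelpers.createOpaAuthorizer(TestConstants.simpleOpaConfig(), mockClient);

        Set<SchemaTableName> expectedTables = tables.stream()
                .filter(table -> table.getTableName().equals("table_one"))
                .collect(ImmutableSet.toImmutableSet());
        Assertions.assertThat(authorizer.filterTables(TestConstants.TEST_SECURITY_CONTEXT, "my_catalog", tables))
                .containsExactlyInAnyOrderElementsOf(expectedTables);

        String expectedRequestTemplate = "{\n    \"operation\": \"FilterTables\",\n    \"resource\": {\n        \"table\": {\n            \"tableName\": \"%s\",\n            \"schemaName\": \"%s\",\n            \"catalogName\": \"my_catalog\"\n        }\n    }\n}\n";
        Set<String> expectedRequests = tables.stream()
                .map(table -> expectedRequestTemplate.formatted(table.getTableName(), table.getSchemaName()))
                .collect(ImmutableSet.toImmutableSet());
        RequestTestUtilities.assertStringRequestsEqual(expectedRequests, mockClient.getRequests(), ACTION_PATH);
    }

    /**
     * Column filtering: a table keeps only its allowed columns, and a table with no allowed column is
     * absent from the result altogether.
     *
     * <p>The mock policy reads {@code columns/0} only. That is sufficient because the expected
     * requests asserted below each carry a single-element {@code columns} array, i.e. one request per
     * (table, column) pair.
     */
    @Test
    public void testFilterColumns() {
        SchemaTableName tableOne = SchemaTableName.schemaTableName("my_schema", "table_one");
        SchemaTableName tableTwo = SchemaTableName.schemaTableName("my_schema", "table_two");
        SchemaTableName tableThree = SchemaTableName.schemaTableName("my_schema", "table_three");
        ImmutableMap<SchemaTableName, Set<String>> requestedColumns = ImmutableMap.<SchemaTableName, Set<String>>builder()
                .put(tableOne, ImmutableSet.of("table_one_column_one", "table_one_column_two"))
                .put(tableTwo, ImmutableSet.of("table_two_column_one", "table_two_column_two"))
                .put(tableThree, ImmutableSet.of("table_three_column_one", "table_three_column_two"))
                .buildOrThrow();

        TestHelpers.assertAccessControlMethodThrowsForIllegalResponses(authorizer -> {
            authorizer.filterColumns(TestConstants.TEST_SECURITY_CONTEXT, "some_catalog", requestedColumns);
        }, TestConstants.simpleOpaConfig(), TestConstants.OPA_SERVER_URI);

        // No tables at all: nothing to ask the policy server.
        assertFilteringAccessControlMethodDoesNotSendRequests(
                authorizer -> authorizer.filterColumns(
                        TestConstants.TEST_SECURITY_CONTEXT,
                        "some_catalog",
                        ImmutableMap.<SchemaTableName, Set<String>>of()).entrySet());
        // Tables present but with empty column sets: still no request, and an empty result.
        assertFilteringAccessControlMethodDoesNotSendRequests(
                authorizer -> authorizer.filterColumns(
                        TestConstants.TEST_SECURITY_CONTEXT,
                        "some_catalog",
                        ImmutableMap.<SchemaTableName, Set<String>>builder()
                                .put(tableOne, ImmutableSet.of())
                                .put(tableTwo, ImmutableSet.of())
                                .put(tableThree, ImmutableSet.of())
                                .buildOrThrow()).entrySet());

        Set<String> allowedColumns = ImmutableSet.of("table_one_column_one", "table_one_column_two", "table_two_column_two");
        HttpClientUtils.InstrumentedHttpClient mockClient = TestHelpers.createMockHttpClient(
                TestConstants.OPA_SERVER_URI,
                buildHandler("/input/action/resource/table/columns/0", allowedColumns));
        OpaAccessControl authorizer = TestHelpers.createOpaAuthorizer(TestConstants.simpleOpaConfig(), mockClient);
        Map<SchemaTableName, Set<String>> filteredColumns =
                authorizer.filterColumns(TestConstants.TEST_SECURITY_CONTEXT, "my_catalog", requestedColumns);

        String expectedRequestTemplate = "{\n    \"operation\": \"FilterColumns\",\n    \"resource\": {\n        \"table\": {\n            \"tableName\": \"%s\",\n            \"schemaName\": \"my_schema\",\n            \"catalogName\": \"my_catalog\",\n            \"columns\": [\"%s\"]\n        }\n    }\n}\n";
        Set<String> expectedRequests = requestedColumns.entrySet().stream()
                .<String>mapMulti((entry, sink) -> entry.getValue().forEach(
                        column -> sink.accept(expectedRequestTemplate.formatted(entry.getKey().getTableName(), column))))
                .collect(ImmutableSet.toImmutableSet());
        RequestTestUtilities.assertStringRequestsEqual(expectedRequests, mockClient.getRequests(), ACTION_PATH);

        // table_three has no allowed column and must not appear as a key at all.
        Assertions.assertThat(filteredColumns).containsExactlyInAnyOrderEntriesOf(
                ImmutableMap.<SchemaTableName, Set<String>>builder()
                        .put(tableOne, ImmutableSet.of("table_one_column_one", "table_one_column_two"))
                        .put(tableTwo, ImmutableSet.of("table_two_column_two"))
                        .buildOrThrow());
    }

    /** Only {@code function_two} is allowed by the mock policy. */
    @Test
    public void testFilterFunctions() {
        SchemaFunctionName functionOne = new SchemaFunctionName("my_schema", "function_one");
        SchemaFunctionName functionTwo = new SchemaFunctionName("my_schema", "function_two");
        ImmutableSet<SchemaFunctionName> functions = ImmutableSet.of(functionOne, functionTwo);

        TestHelpers.assertAccessControlMethodThrowsForIllegalResponses(authorizer -> {
            authorizer.filterFunctions(TestConstants.TEST_SECURITY_CONTEXT, "some_catalog", functions);
        }, TestConstants.simpleOpaConfig(), TestConstants.OPA_SERVER_URI);
        assertFilteringAccessControlMethodDoesNotSendRequests(
                authorizer -> authorizer.filterFunctions(TestConstants.TEST_SECURITY_CONTEXT, "some_catalog", ImmutableSet.<SchemaFunctionName>of()));

        HttpClientUtils.InstrumentedHttpClient mockClient = TestHelpers.createMockHttpClient(
                TestConstants.OPA_SERVER_URI,
                buildHandler("/input/action/resource/function/functionName", "function_two"));
        OpaAccessControl authorizer = TestHelpers.createOpaAuthorizer(TestConstants.simpleOpaConfig(), mockClient);

        Assertions.assertThat(authorizer.filterFunctions(TestConstants.TEST_SECURITY_CONTEXT, "my_catalog", functions))
                .containsExactly(functionTwo);

        String expectedRequestTemplate = "{\n    \"operation\": \"FilterFunctions\",\n    \"resource\": {\n        \"function\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"%s\",\n            \"functionName\": \"%s\"\n        }\n    }\n}";
        Set<String> expectedRequests = functions.stream()
                .map(function -> expectedRequestTemplate.formatted(function.getSchemaName(), function.getFunctionName()))
                .collect(ImmutableSet.toImmutableSet());
        RequestTestUtilities.assertStringRequestsEqual(expectedRequests, mockClient.getRequests(), ACTION_PATH);
    }

    /**
     * Asserts that a filter call on an empty candidate collection returns an empty collection and
     * sends no request at all.
     *
     * <p>The mock endpoint would answer {@code TestConstants.OK_RESPONSE} to anything, so the second
     * assertion (no recorded requests) is what proves the policy server was not consulted.
     *
     * @param filterCall invokes the filter method under test and returns its result
     */
    private static void assertFilteringAccessControlMethodDoesNotSendRequests(Function<OpaAccessControl, Collection<?>> filterCall) {
        HttpClientUtils.InstrumentedHttpClient mockClient =
                TestHelpers.createMockHttpClient(TestConstants.OPA_SERVER_URI, request -> TestConstants.OK_RESPONSE);
        OpaAccessControl authorizer = TestHelpers.createOpaAuthorizer(TestConstants.simpleOpaConfig(), mockClient);

        Assertions.assertThat(filterCall.apply(authorizer)).isEmpty();
        Assertions.assertThat(mockClient.getRequests()).isEmpty();
    }

    /**
     * Builds a mock policy handler that answers {@code TestConstants.OK_RESPONSE} when the text at
     * {@code jsonPointer} in the request is one of {@code allowedValues}, and
     * {@code TestConstants.NO_ACCESS_RESPONSE} for anything else.
     *
     * <p>The handler is wrapped by {@code RequestTestUtilities.buildValidatingRequestHandler} with
     * {@code TestConstants.TEST_IDENTITY}; what that wrapper validates is defined outside this file.
     *
     * @param jsonPointer JSON pointer evaluated against each request with {@link JsonNode#at(String)}
     * @param allowedValues values for which access is granted
     * @return the request handler to install in the mock HTTP client
     */
    private static Function<JsonNode, HttpClientUtils.MockResponse> buildHandler(String jsonPointer, Set<String> allowedValues) {
        return RequestTestUtilities.buildValidatingRequestHandler(
                TestConstants.TEST_IDENTITY,
                (Function<JsonNode, HttpClientUtils.MockResponse>) request ->
                        allowedValues.contains(request.at(jsonPointer).asText())
                                ? TestConstants.OK_RESPONSE
                                : TestConstants.NO_ACCESS_RESPONSE);
    }

    /**
     * Convenience overload of {@link #buildHandler(String, Set)} for a policy that allows exactly one
     * value.
     *
     * @param jsonPointer JSON pointer evaluated against each request
     * @param allowedValue the only value for which access is granted
     * @return the request handler to install in the mock HTTP client
     */
    private static Function<JsonNode, HttpClientUtils.MockResponse> buildHandler(String jsonPointer, String allowedValue) {
        Set<String> allowedValues = ImmutableSet.of(allowedValue);
        return buildHandler(jsonPointer, allowedValues);
    }
}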
