package io.trino.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.inject.multibindings.OptionalBinder;
import io.trino.Session;
import io.trino.connector.MockConnectorFactory;
import io.trino.connector.MockConnectorPlugin;
import io.trino.connector.MockConnectorTableHandle;
import io.trino.metadata.DisabledSystemSecurityMetadata;
import io.trino.metadata.QualifiedObjectName;
import io.trino.metadata.SystemSecurityMetadata;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.ColumnMetadata;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.type.IntegerType;
import io.trino.spi.type.VarcharType;
import io.trino.testing.AbstractTestQueryFramework;
import io.trino.testing.DistributedQueryRunner;
import io.trino.testing.QueryRunner;
import io.trino.testing.TestingAccessControlManager;
import io.trino.testing.TestingSession;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.testng.annotations.Test;

/* loaded from: input_file:io/trino/security/TestAccessControlTableRedirection.class */
public class TestAccessControlTableRedirection extends AbstractTestQueryFramework {
    private static final String CATALOG_NAME = "test_catalog";
    private static final String DATA_COLUMN_NAME = "data_column";
    private static final String ID_COLUMN_NAME = "id_column";
    private static final String SCHEMA_NAME = "test_schema";
    private static final String REDIRECTION_TARGET_TABLE_NAME = "redirection_target";
    private static final SchemaTableName REDIRECTION_TARGET_SCHEMA_TABLE_NAME = new SchemaTableName(SCHEMA_NAME, REDIRECTION_TARGET_TABLE_NAME);
    private static final String REDIRECTION_SOURCE_TABLE_NAME = "redirection_source";
    private static final Map<String, Set<String>> SCHEMA_TABLE_MAPPING = ImmutableMap.of(SCHEMA_NAME, ImmutableSet.of(REDIRECTION_SOURCE_TABLE_NAME, REDIRECTION_TARGET_TABLE_NAME));
    private static final Map<SchemaTableName, SchemaTableName> TABLE_REDIRECTIONS = ImmutableMap.builder().put(SchemaTableName.schemaTableName(SCHEMA_NAME, REDIRECTION_SOURCE_TABLE_NAME), SchemaTableName.schemaTableName(SCHEMA_NAME, REDIRECTION_TARGET_TABLE_NAME)).buildOrThrow();

    protected QueryRunner createQueryRunner() throws Exception {
        DistributedQueryRunner build = DistributedQueryRunner.builder(TestingSession.testSessionBuilder().setCatalog(CATALOG_NAME).setSchema(SCHEMA_NAME).build()).setAdditionalModule(binder -> {
            OptionalBinder.newOptionalBinder(binder, SystemSecurityMetadata.class).setBinding().toInstance(new DisabledSystemSecurityMetadata() { // from class: io.trino.security.TestAccessControlTableRedirection.1
                public void grantTablePrivileges(Session session, QualifiedObjectName qualifiedObjectName, Set<Privilege> set, TrinoPrincipal trinoPrincipal, boolean z) {
                }

                public void revokeTablePrivileges(Session session, QualifiedObjectName qualifiedObjectName, Set<Privilege> set, TrinoPrincipal trinoPrincipal, boolean z) {
                }

                public boolean roleExists(Session session, String str) {
                    return true;
                }

                public void setTableOwner(Session session, CatalogSchemaTableName catalogSchemaTableName, TrinoPrincipal trinoPrincipal) {
                }

                public void denyTablePrivileges(Session session, QualifiedObjectName qualifiedObjectName, Set<Privilege> set, TrinoPrincipal trinoPrincipal) {
                }
            });
        }).build();
        build.installPlugin(new MockConnectorPlugin(createMockConnectorFactory()));
        build.createCatalog(CATALOG_NAME, "mock", ImmutableMap.of());
        return build;
    }

    @Test
    public void testSelect() {
        assertAccessAllowed("SELECT * FROM redirection_source", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("SELECT * FROM redirection_source", "Cannot select from columns \\[data_column, id_column] in table or view test_catalog.test_schema.redirection_target", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege("redirection_target.data_column", TestingAccessControlManager.TestingPrivilegeType.SELECT_COLUMN)});
    }

    @Test
    public void testDropTable() {
        assertAccessAllowed("DROP TABLE redirection_source", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("DROP TABLE redirection_source", "Cannot drop table test_catalog.test_schema.redirection_target", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(REDIRECTION_TARGET_TABLE_NAME, TestingAccessControlManager.TestingPrivilegeType.DROP_TABLE)});
    }

    @Test
    public void testCommentTable() {
        assertAccessAllowed("COMMENT ON TABLE redirection_source IS 'This is my redirection target table'", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("COMMENT ON TABLE redirection_source IS 'This is my redirection target table'", "Cannot comment table to test_catalog.test_schema.redirection_target", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(REDIRECTION_TARGET_TABLE_NAME, TestingAccessControlManager.TestingPrivilegeType.COMMENT_TABLE)});
    }

    @Test
    public void testCommentColumn() {
        assertAccessAllowed("COMMENT ON COLUMN redirection_source.data_column IS 'Data is the new oil'", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("COMMENT ON COLUMN redirection_source.data_column IS 'Data is the new oil'", "Cannot comment column to test_catalog.test_schema.redirection_target", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(REDIRECTION_TARGET_TABLE_NAME, TestingAccessControlManager.TestingPrivilegeType.COMMENT_COLUMN)});
    }

    @Test
    public void testShowGrants() {
        assertAccessAllowed("SHOW GRANTS ON redirection_target", new TestingAccessControlManager.TestingPrivilege[0]);
        assertQueryFails("SHOW GRANTS ON redirection_source", ".* Table redirection_source is redirected to test_catalog.test_schema.redirection_target and SHOW GRANTS is not supported with table redirections");
    }

    @Test
    public void testGrant() {
        assertAccessAllowed("GRANT SELECT ON redirection_target TO ROLE PUBLIC", new TestingAccessControlManager.TestingPrivilege[0]);
        assertQueryFails("GRANT SELECT ON redirection_source TO ROLE PUBLIC", ".* Table test_catalog.test_schema.redirection_source is redirected to test_catalog.test_schema.redirection_target and GRANT is not supported with table redirections");
    }

    @Test
    public void testRevoke() {
        assertAccessAllowed("REVOKE SELECT ON redirection_target FROM ROLE PUBLIC", new TestingAccessControlManager.TestingPrivilege[0]);
        assertQueryFails("REVOKE SELECT ON redirection_source FROM ROLE PUBLIC", ".* Table test_catalog.test_schema.redirection_source is redirected to test_catalog.test_schema.redirection_target and REVOKE is not supported with table redirections");
    }

    @Test
    public void testSetTableAuthorization() {
        assertAccessAllowed("ALTER TABLE redirection_target SET AUTHORIZATION ROLE PUBLIC", new TestingAccessControlManager.TestingPrivilege[0]);
        assertQueryFails("ALTER TABLE redirection_source SET AUTHORIZATION ROLE PUBLIC", ".* Table test_catalog.test_schema.redirection_source is redirected to test_catalog.test_schema.redirection_target and SET TABLE AUTHORIZATION is not supported with table redirections");
    }

    @Test
    public void testDeny() {
        assertAccessAllowed("DENY DELETE ON redirection_target TO ROLE PUBLIC", new TestingAccessControlManager.TestingPrivilege[0]);
        assertQueryFails("DENY DELETE ON redirection_source TO ROLE PUBLIC", ".* Table test_catalog.test_schema.redirection_source is redirected to test_catalog.test_schema.redirection_target and DENY is not supported with table redirections");
    }

    @Test
    public void testAddColumn() {
        assertAccessAllowed("ALTER TABLE redirection_source ADD COLUMN a_new_column integer", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE redirection_source ADD COLUMN a_new_column integer", "Cannot add a column to table test_catalog.test_schema.redirection_target", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(REDIRECTION_TARGET_TABLE_NAME, TestingAccessControlManager.TestingPrivilegeType.ADD_COLUMN)});
    }

    @Test
    public void testDropColumn() {
        assertAccessAllowed("ALTER TABLE redirection_source DROP COLUMN data_column", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE redirection_source DROP COLUMN data_column", "Cannot drop a column from table test_catalog.test_schema.redirection_target", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(REDIRECTION_TARGET_TABLE_NAME, TestingAccessControlManager.TestingPrivilegeType.DROP_COLUMN)});
    }

    @Test
    public void testRenameColumn() {
        assertAccessAllowed("ALTER TABLE redirection_source RENAME COLUMN data_column TO new_oil_column", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE redirection_source RENAME COLUMN data_column TO new_oil_column", "Cannot rename a column in table test_catalog.test_schema.redirection_target", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(REDIRECTION_TARGET_TABLE_NAME, TestingAccessControlManager.TestingPrivilegeType.RENAME_COLUMN)});
    }

    @Test
    public void testRenameTable() {
        assertAccessAllowed("ALTER TABLE redirection_source RENAME TO renamed_table", new TestingAccessControlManager.TestingPrivilege[0]);
        assertAccessDenied("ALTER TABLE redirection_source RENAME TO renamed_table", "Cannot rename table from test_catalog.test_schema.redirection_target to test_catalog.test_schema.renamed_table", new TestingAccessControlManager.TestingPrivilege[]{TestingAccessControlManager.privilege(REDIRECTION_TARGET_TABLE_NAME, TestingAccessControlManager.TestingPrivilegeType.RENAME_TABLE)});
    }

    private static MockConnectorFactory createMockConnectorFactory() {
        return MockConnectorFactory.builder().withListTables((connectorSession, str) -> {
            return (List) SCHEMA_TABLE_MAPPING.getOrDefault(str, ImmutableSet.of()).stream().map(str -> {
                return new SchemaTableName(str, str);
            }).collect(ImmutableList.toImmutableList());
        }).withGetTableHandle((connectorSession2, schemaTableName) -> {
            if (!SCHEMA_TABLE_MAPPING.getOrDefault(schemaTableName.getSchemaName(), ImmutableSet.of()).contains(schemaTableName.getTableName()) || TABLE_REDIRECTIONS.containsKey(schemaTableName)) {
                return null;
            }
            return new MockConnectorTableHandle(schemaTableName);
        }).withGetViews((connectorSession3, schemaTablePrefix) -> {
            return ImmutableMap.of();
        }).withRedirectTable((connectorSession4, schemaTableName2) -> {
            return Optional.ofNullable(TABLE_REDIRECTIONS.get(schemaTableName2)).map(schemaTableName2 -> {
                return new CatalogSchemaTableName(CATALOG_NAME, schemaTableName2);
            });
        }).withGetColumns(schemaTableName3 -> {
            if (REDIRECTION_TARGET_SCHEMA_TABLE_NAME.equals(schemaTableName3)) {
                return ImmutableList.of(new ColumnMetadata(ID_COLUMN_NAME, IntegerType.INTEGER), new ColumnMetadata(DATA_COLUMN_NAME, VarcharType.VARCHAR));
            }
            throw new RuntimeException("Columns do not exist for: " + schemaTableName3);
        }).build();
    }
}
