package io.trino.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.io.Resources;
import io.trino.Session;
import io.trino.connector.MockConnectorFactory;
import io.trino.connector.MockConnectorPlugin;
import io.trino.connector.TestingTableFunctions;
import io.trino.plugin.blackhole.BlackHolePlugin;
import io.trino.spi.connector.TableFunctionApplicationResult;
import io.trino.spi.function.BoundSignature;
import io.trino.spi.function.FunctionDependencies;
import io.trino.spi.function.FunctionId;
import io.trino.spi.function.FunctionMetadata;
import io.trino.spi.function.FunctionProvider;
import io.trino.spi.function.InvocationConvention;
import io.trino.spi.function.ScalarFunctionImplementation;
import io.trino.spi.function.Signature;
import io.trino.spi.security.Identity;
import io.trino.spi.type.BigintType;
import io.trino.sql.SqlPath;
import io.trino.testing.AbstractTestQueryFramework;
import io.trino.testing.DistributedQueryRunner;
import io.trino.testing.QueryRunner;
import io.trino.testing.TestingAccessControlManager;
import io.trino.testing.TestingSession;
import java.io.File;
import java.lang.invoke.MethodHandles;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/trino/security/TestFunctionsInViewsWithFileBasedSystemAccessControl.class */
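/**
 * Verifies how function execution is authorized when a scalar function ({@code my_function}) or a
 * table function ({@code mock.system.simple_table_function}) is reached through a view, with the
 * file-based system access control configured from {@code file-based-system-functions-access.json}.
 *
 * <p>The rules file is not part of this class. The assertions below imply the following setup
 * (confirm against the JSON before relying on it):
 * <ul>
 *   <li>alice may execute both functions, and a {@code SECURITY DEFINER} view she owns can be
 *       queried by every user, so she is presumably allowed to delegate execution;</li>
 *   <li>bob may execute both functions himself, but a {@code SECURITY DEFINER} view he owns is
 *       denied for every other user, so he presumably may not delegate execution;</li>
 *   <li>charlie may not execute either function.</li>
 * </ul>
 *
 * <p>The {@code SECURITY DEFINER} cases are the ones that guard against a view being used to hand
 * out function access its owner is not entitled to pass on. The {@code SECURITY INVOKER} cases
 * check that the querying user's own rights decide.
 *
 * <p>Every test creates a uniquely named view in {@code blackhole.default} and never drops it, so
 * the tests do not depend on each other but do share one query runner.
 */
public class TestFunctionsInViewsWithFileBasedSystemAccessControl extends AbstractTestQueryFramework {
    public static final Session ALICE_USER = user("alice");
    public static final Session BOB_USER = user("bob");
    public static final Session CHARLIE_USER = user("charlie");

    /**
     * Builds a query runner with the "file" system access control, a {@code blackhole} catalog that
     * stores the views, and a {@code mock} catalog that exposes the two functions under test.
     *
     * @return the configured runner
     * @throws Exception if the rules resource cannot be resolved or the runner fails to start
     */
    protected QueryRunner createQueryRunner() throws Exception {
        Session defaultSession = TestingSession.testSessionBuilder()
                .setCatalog(Optional.empty())
                .setSchema(Optional.empty())
                .setPath(SqlPath.buildPath("mock.function", Optional.empty()))
                .build();
        // The access-control rules are loaded from a classpath resource; the plugin expects a file path.
        String rulesFile = new File(Resources.getResource("file-based-system-functions-access.json").toURI()).getPath();
        DistributedQueryRunner queryRunner = DistributedQueryRunner.builder(defaultSession)
                .setWorkerCount(0)
                .setSystemAccessControl("file", Map.of("security.config-file", rulesFile))
                .build();

        queryRunner.installPlugin(new BlackHolePlugin());
        queryRunner.createCatalog("blackhole", "blackhole");

        queryRunner.installPlugin(new MockConnectorPlugin(MockConnectorFactory.builder()
                .withTableFunctions(ImmutableSet.of(new TestingTableFunctions.SimpleTableFunction()))
                .withApplyTableFunction((connectorSession, connectorTableFunctionHandle) -> {
                    // Only the handle type registered above is expected; anything else is a test setup error.
                    if (!(connectorTableFunctionHandle instanceof TestingTableFunctions.SimpleTableFunction.SimpleTableFunctionHandle)) {
                        throw new IllegalStateException("Unsupported table function handle: " + connectorTableFunctionHandle.getClass().getSimpleName());
                    }
                    TestingTableFunctions.SimpleTableFunction.SimpleTableFunctionHandle functionHandle =
                            (TestingTableFunctions.SimpleTableFunction.SimpleTableFunctionHandle) connectorTableFunctionHandle;
                    return Optional.of(new TableFunctionApplicationResult<>(
                            functionHandle.getTableHandle(),
                            functionHandle.getTableHandle().getColumns().orElseThrow()));
                })
                .withFunctions(ImmutableList.of(FunctionMetadata.scalarBuilder("my_function")
                        .signature(Signature.builder().returnType(BigintType.BIGINT).build())
                        .noDescription()
                        .build()))
                .withFunctionProvider(Optional.of(new FunctionProvider() {
                    public ScalarFunctionImplementation getScalarFunctionImplementation(
                            FunctionId functionId,
                            BoundSignature boundSignature,
                            FunctionDependencies functionDependencies,
                            InvocationConvention invocationConvention) {
                        // my_function() takes no arguments and always returns 42; only its authorization matters here.
                        return ScalarFunctionImplementation.builder()
                                .methodHandle(MethodHandles.constant(long.class, 42L))
                                .build();
                    }
                }))
                .build()));
        queryRunner.createCatalog("mock", "mock");
        return queryRunner;
    }

    /** A SECURITY DEFINER view over the table function, owned by alice, is readable by all three users. */
    @Test
    public void testPtfSecurityDefinerViewCreatedByAlice() {
        assertQuerySucceeds(ALICE_USER, "CREATE VIEW blackhole.default.view_ptf_alice_security_definer SECURITY DEFINER AS SELECT * FROM TABLE(mock.system.simple_table_function())");
        assertQuerySucceeds(ALICE_USER, "SELECT * FROM blackhole.default.view_ptf_alice_security_definer");
        assertQuerySucceeds(BOB_USER, "SELECT * FROM blackhole.default.view_ptf_alice_security_definer");
        // charlie cannot run the function himself (see the invoker tests) but is allowed through alice's definer view.
        assertQuerySucceeds(CHARLIE_USER, "SELECT * FROM blackhole.default.view_ptf_alice_security_definer");
    }

    /** A SECURITY INVOKER view over the table function is checked against the querying user: charlie is denied. */
    @Test
    public void testPtfSecurityInvokerViewCreatedByAlice() {
        assertQuerySucceeds(ALICE_USER, "CREATE VIEW blackhole.default.view_ptf_alice_security_invoker SECURITY INVOKER AS SELECT * FROM TABLE(mock.system.simple_table_function())");
        assertQuerySucceeds(ALICE_USER, "SELECT * FROM blackhole.default.view_ptf_alice_security_invoker");
        assertQuerySucceeds(BOB_USER, "SELECT * FROM blackhole.default.view_ptf_alice_security_invoker");
        assertAccessDenied(CHARLIE_USER, "SELECT * FROM blackhole.default.view_ptf_alice_security_invoker", "Cannot execute function mock.system.simple_table_function");
    }

    /** A SECURITY DEFINER view over the scalar function, owned by alice, is readable by all three users. */
    @Test
    public void testFunctionSecurityDefinerViewCreatedByAlice() {
        assertQuerySucceeds(ALICE_USER, "CREATE VIEW blackhole.default.view_function_alice_security_definer SECURITY DEFINER AS SELECT my_function() AS t");
        assertQuerySucceeds(ALICE_USER, "SELECT * FROM blackhole.default.view_function_alice_security_definer");
        assertQuerySucceeds(BOB_USER, "SELECT * FROM blackhole.default.view_function_alice_security_definer");
        assertQuerySucceeds(CHARLIE_USER, "SELECT * FROM blackhole.default.view_function_alice_security_definer");
    }

    /** A SECURITY INVOKER view over the scalar function is checked against the querying user: charlie is denied. */
    @Test
    public void testFunctionSecurityInvokerViewCreatedByAlice() {
        assertQuerySucceeds(ALICE_USER, "CREATE VIEW blackhole.default.view_function_alice_security_invoker SECURITY INVOKER AS SELECT my_function() AS t");
        assertQuerySucceeds(ALICE_USER, "SELECT * FROM blackhole.default.view_function_alice_security_invoker");
        assertQuerySucceeds(BOB_USER, "SELECT * FROM blackhole.default.view_function_alice_security_invoker");
        assertAccessDenied(CHARLIE_USER, "SELECT * FROM blackhole.default.view_function_alice_security_invoker", "Cannot execute function my_function");
    }

    /**
     * A SECURITY DEFINER view over the table function, owned by bob, works only for bob. alice is
     * denied although she can run the function through an invoker view, so the denial follows from
     * the view owner's rights, not from the caller's.
     */
    @Test
    public void testPtfSecurityDefinerViewCreatedByBob() {
        assertQuerySucceeds(BOB_USER, "CREATE VIEW blackhole.default.view_ptf_bob_security_definer SECURITY DEFINER AS SELECT * FROM TABLE(mock.system.simple_table_function())");
        assertAccessDenied(ALICE_USER, "SELECT * FROM blackhole.default.view_ptf_bob_security_definer", "Cannot execute function mock.system.simple_table_function");
        assertQuerySucceeds(BOB_USER, "SELECT * FROM blackhole.default.view_ptf_bob_security_definer");
        assertAccessDenied(CHARLIE_USER, "SELECT * FROM blackhole.default.view_ptf_bob_security_definer", "Cannot execute function mock.system.simple_table_function");
    }

    /** A SECURITY INVOKER view over the table function, owned by bob, behaves like alice's: only charlie is denied. */
    @Test
    public void testPtfSecurityInvokerViewCreatedByBob() {
        assertQuerySucceeds(BOB_USER, "CREATE VIEW blackhole.default.view_ptf_bob_security_invoker SECURITY INVOKER AS SELECT * FROM TABLE(mock.system.simple_table_function())");
        assertQuerySucceeds(ALICE_USER, "SELECT * FROM blackhole.default.view_ptf_bob_security_invoker");
        assertQuerySucceeds(BOB_USER, "SELECT * FROM blackhole.default.view_ptf_bob_security_invoker");
        assertAccessDenied(CHARLIE_USER, "SELECT * FROM blackhole.default.view_ptf_bob_security_invoker", "Cannot execute function mock.system.simple_table_function");
    }

    /**
     * A SECURITY DEFINER view over the scalar function, owned by bob, works only for bob. Both alice
     * and charlie are denied, so bob's own execute right is not passed on through the view.
     */
    @Test
    public void testFunctionSecurityDefinerViewCreatedByBob() {
        assertQuerySucceeds(BOB_USER, "CREATE VIEW blackhole.default.view_function_bob_security_definer SECURITY DEFINER AS SELECT my_function() AS t");
        assertAccessDenied(ALICE_USER, "SELECT * FROM blackhole.default.view_function_bob_security_definer", "Cannot execute function my_function");
        assertQuerySucceeds(BOB_USER, "SELECT * FROM blackhole.default.view_function_bob_security_definer");
        assertAccessDenied(CHARLIE_USER, "SELECT * FROM blackhole.default.view_function_bob_security_definer", "Cannot execute function my_function");
    }

    /** A SECURITY INVOKER view over the scalar function, owned by bob, behaves like alice's: only charlie is denied. */
    @Test
    public void testFunctionSecurityInvokerViewCreatedByBob() {
        assertQuerySucceeds(BOB_USER, "CREATE VIEW blackhole.default.view_function_bob_security_invoker SECURITY INVOKER AS SELECT my_function() AS t");
        assertQuerySucceeds(ALICE_USER, "SELECT * FROM blackhole.default.view_function_bob_security_invoker");
        assertQuerySucceeds(BOB_USER, "SELECT * FROM blackhole.default.view_function_bob_security_invoker");
        assertAccessDenied(CHARLIE_USER, "SELECT * FROM blackhole.default.view_function_bob_security_invoker", "Cannot execute function my_function");
    }

    /**
     * Creates a test session that runs as the given user.
     *
     * @param str user name to put into the session identity
     * @return a session with that identity and the SQL path {@code mock.function}, presumably so that
     *     the unqualified {@code my_function()} call resolves to the mock catalog (confirm)
     */
    private static Session user(String str) {
        return TestingSession.testSessionBuilder()
                .setIdentity(Identity.ofUser(str))
                .setPath(SqlPath.buildPath("mock.function", Optional.empty()))
                .build();
    }
}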
