package org.apache.kylin.rest.service;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Stream;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.msg.Message;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.common.util.NLocalFileMetadataTestCase;
import org.apache.kylin.metadata.acl.AclTCR;
import org.apache.kylin.metadata.acl.AclTCRManager;
import org.apache.kylin.metadata.acl.SensitiveDataMask;
import org.apache.kylin.metadata.model.NTableMetadataManager;
import org.apache.kylin.metadata.project.NProjectManager;
import org.apache.kylin.metadata.user.ManagedUser;
import org.apache.kylin.metadata.user.NKylinUserManager;
import org.apache.kylin.rest.request.AccessRequest;
import org.apache.kylin.rest.request.AclTCRRequest;
import org.apache.kylin.rest.response.AclTCRResponse;
import org.apache.kylin.rest.response.SidPermissionWithAclResponse;
import org.apache.kylin.rest.security.AclEntityFactory;
import org.apache.kylin.rest.security.AclManager;
import org.apache.kylin.rest.security.AclPermission;
import org.apache.kylin.rest.security.MutableAclRecord;
import org.apache.kylin.rest.security.ObjectIdentityImpl;
import org.apache.kylin.rest.service.AclServiceTest;
import org.apache.kylin.rest.util.AclEvaluate;
import org.apache.kylin.rest.util.AclUtil;
import org.apache.kylin.rest.util.SpringContext;
import org.hamcrest.BaseMatcher;
import org.hamcrest.Description;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.powermock.api.mockito.PowerMockito;
import org.powermock.core.classloader.annotations.PowerMockIgnore;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;
import org.springframework.context.ApplicationContext;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.PermissionFactory;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.PermissionGrantingStrategy;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.util.ReflectionTestUtils;

@PrepareForTest({SpringContext.class, UserGroupInformation.class})
@RunWith(PowerMockRunner.class)
@PowerMockIgnore({"javax.management.*"})
/* loaded from: input_file:org/apache/kylin/rest/service/AclTCRServiceTest.class */
public class AclTCRServiceTest extends NLocalFileMetadataTestCase {
    private final String user1 = "u1";
    private final String user2 = "u2";
    private final String user3 = "u3";
    private final String user4 = "u4";
    private final String user5 = "u5";
    private final String user6 = "u6";
    private final String group1 = "g1";
    private final String group2 = "g2";
    private final String group3 = "g3";
    private final String allAuthorizedUser1 = "a1u1";
    private final String allAuthorizedGroup1 = "a1g1";
    private final String projectDefault = "default";
    private final String dbTblUnload = "db.tbl_unload";
    private final String revokeUser = "revoke_user";
    private final String revokeGroup = "revoke_group";

    @Rule
    public ExpectedException thrown = ExpectedException.none();

    @Mock
    private AclTCRService aclTCRService = (AclTCRService) Mockito.spy(AclTCRService.class);

    @Mock
    private UserAclService userAclService = (UserAclService) Mockito.spy(UserAclService.class);

    @Mock
    private AclEvaluate aclEvaluate = (AclEvaluate) Mockito.spy(AclEvaluate.class);

    @Mock
    private AccessService accessService = (AccessService) Mockito.spy(AccessService.class);

    @Mock
    private UserService userService = (UserService) Mockito.spy(KylinUserService.class);

    @Mock
    private IUserGroupService userGroupService = (IUserGroupService) Mockito.spy(IUserGroupService.class);

    @Mock
    private AclService aclService = (AclService) Mockito.spy(AclService.class);

    @Mock
    private ProjectService projectService = (ProjectService) Mockito.spy(ProjectService.class);

    @Before
    public void setUp() throws IOException {
        PowerMockito.mockStatic(SpringContext.class, new Class[0]);
        PowerMockito.mockStatic(UserGroupInformation.class, new Class[0]);
        PowerMockito.when(UserGroupInformation.getCurrentUser()).thenReturn((UserGroupInformation) Mockito.mock(UserGroupInformation.class));
        overwriteSystemProp("HADOOP_USER_NAME", "root");
        createTestMetadata(new String[]{"src/test/resources/ut_acl"});
        ReflectionTestUtils.setField(this.userAclService, "userService", this.userService);
        ReflectionTestUtils.setField(this.aclEvaluate, "aclUtil", Mockito.spy(AclUtil.class));
        ReflectionTestUtils.setField(this.aclEvaluate, "userAclService", this.userAclService);
        ReflectionTestUtils.setField(this.aclTCRService, "aclEvaluate", this.aclEvaluate);
        ReflectionTestUtils.setField(this.aclTCRService, "accessService", this.accessService);
        ReflectionTestUtils.setField(this.aclTCRService, "userGroupService", this.userGroupService);
        ReflectionTestUtils.setField(this.userService, "userAclService", this.userAclService);
        ReflectionTestUtils.setField(this.aclTCRService, "userService", this.userService);
        ReflectionTestUtils.setField(this.accessService, "userService", this.userService);
        ReflectionTestUtils.setField(this.accessService, "aclService", this.aclService);
        ReflectionTestUtils.setField(this.aclTCRService, "projectService", this.projectService);
        ReflectionTestUtils.setField(this.accessService, "aclTCRService", this.aclTCRService);
        ReflectionTestUtils.setField(this.accessService, "userGroupService", this.userGroupService);
        ReflectionTestUtils.setField(this.accessService, "userAclService", this.userAclService);
        initUsers();
        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("ADMIN", "ADMIN", new String[]{"ROLE_ADMIN"}));
    }

    private void initUsers() throws IOException {
        NKylinUserManager nKylinUserManager = NKylinUserManager.getInstance(getTestConfig());
        nKylinUserManager.update(new ManagedUser("ADMIN", "KYLIN", false, Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN"), new SimpleGrantedAuthority("ROLE_ANALYST"), new SimpleGrantedAuthority("ROLE_MODELER"))));
        nKylinUserManager.update(new ManagedUser("ANALYST", "ANALYST", false, Arrays.asList(new SimpleGrantedAuthority("ROLE_ANALYST"))));
        nKylinUserManager.update(new ManagedUser("u1", "Q`w11g23", false, Arrays.asList(new SimpleGrantedAuthority("ALL_USERS"))));
        nKylinUserManager.update(new ManagedUser("u2", "Q`w11g23", false, Arrays.asList(new SimpleGrantedAuthority("ROLE_ANALYST"))));
        nKylinUserManager.update(new ManagedUser("u3", "Q`w11g23", false, Arrays.asList(new SimpleGrantedAuthority("ROLE_MODELER"))));
        nKylinUserManager.update(new ManagedUser("u4", "Q`w11g23", false, Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN"))));
        nKylinUserManager.update(new ManagedUser("u5", "Q`w11g23", false, Arrays.asList(new SimpleGrantedAuthority("ALL_USERS"))));
        nKylinUserManager.update(new ManagedUser("u6", "Q`w11g23", false, Arrays.asList(new SimpleGrantedAuthority("ALL_USERS"), new SimpleGrantedAuthority("g3"))));
        switchToAdmin();
        PowerMockito.when(SpringContext.getApplicationContext()).thenReturn((ApplicationContext) PowerMockito.mock(ApplicationContext.class));
        PowerMockito.when(SpringContext.getBean(PermissionFactory.class)).thenReturn(PowerMockito.mock(PermissionFactory.class));
        PowerMockito.when(SpringContext.getBean(PermissionGrantingStrategy.class)).thenReturn(PowerMockito.mock(PermissionGrantingStrategy.class));
        AclManager aclManager = AclManager.getInstance(KylinConfig.getInstanceFromEnv());
        RootPersistentEntity createAclEntity = AclEntityFactory.createAclEntity("ProjectInstance", NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject("default").getUuid());
        AclServiceTest.MockAclEntity mockAclEntity = new AclServiceTest.MockAclEntity("u5");
        MutableAclRecord createAcl = this.aclService.createAcl(new ObjectIdentityImpl(createAclEntity));
        this.aclService.createAcl(new ObjectIdentityImpl(mockAclEntity));
        Sid sid = this.accessService.getSid("u5", true);
        Sid sid2 = this.accessService.getSid("g3", false);
        HashMap hashMap = new HashMap();
        hashMap.put(sid, BasePermission.ADMINISTRATION);
        hashMap.put(sid2, BasePermission.ADMINISTRATION);
        aclManager.batchUpsertAce(createAcl, hashMap);
    }

    private void switchToAdmin() {
        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("ADMIN", "ADMIN", new String[]{"ROLE_ADMIN"}));
    }

    @After
    public void tearDown() {
        cleanupTestMetadata();
    }

    @Test
    public void testGrantProjectPermission() {
        AclTCRManager aclTCRManager = (AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default");
        String uuid = ((NProjectManager) this.aclTCRService.getManager(NProjectManager.class)).getProject("default").getUuid();
        ArrayList newArrayList = Lists.newArrayList();
        AccessRequest accessRequest = new AccessRequest();
        accessRequest.setSid("u1");
        accessRequest.setPrincipal(true);
        newArrayList.add(accessRequest);
        AccessRequest accessRequest2 = new AccessRequest();
        accessRequest2.setSid("g1");
        accessRequest2.setPrincipal(false);
        newArrayList.add(accessRequest2);
        this.aclTCRService.updateAclTCR(uuid, newArrayList);
        Set authorizedTables = aclTCRManager.getAuthorizedTables("u1", Sets.newHashSet(new String[]{"g1"}));
        Assert.assertTrue(authorizedTables.contains("DEFAULT.TEST_ORDER"));
        Assert.assertTrue(authorizedTables.contains("DEFAULT.TEST_COUNTRY"));
        getTestConfig().setProperty("kylin.acl.project-internal-default-permission-granted", "false");
        ArrayList newArrayList2 = Lists.newArrayList();
        AccessRequest accessRequest3 = new AccessRequest();
        accessRequest.setSid("u2");
        accessRequest.setPrincipal(true);
        newArrayList2.add(accessRequest3);
        AccessRequest accessRequest4 = new AccessRequest();
        accessRequest4.setSid("g2");
        accessRequest4.setPrincipal(false);
        newArrayList2.add(accessRequest4);
        this.aclTCRService.updateAclTCR(uuid, newArrayList2);
        Set authorizedTables2 = aclTCRManager.getAuthorizedTables("u2", Sets.newHashSet(new String[]{"g2"}));
        Assert.assertFalse(authorizedTables2.contains("DEFAULT.TEST_ORDER"));
        Assert.assertFalse(authorizedTables2.contains("DEFAULT.TEST_COUNTRY"));
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v19, types: [java.util.List] */
    private List<AclTCRRequest.Row> getAclTCRRequestRow(AclTCRRequest aclTCRRequest, String str, String str2) {
        ArrayList arrayList = new ArrayList();
        if (aclTCRRequest.getDatabaseName().equals(str)) {
            for (AclTCRRequest.Table table : aclTCRRequest.getTables()) {
                if (table.getTableName().equals(str2) && table.getRows() != null) {
                    arrayList = table.getRows();
                }
            }
        }
        return arrayList;
    }

    private boolean getTableAuthorized(AclTCRRequest aclTCRRequest, String str, String str2) {
        if (!aclTCRRequest.getDatabaseName().equals(str)) {
            return false;
        }
        for (AclTCRRequest.Table table : aclTCRRequest.getTables()) {
            if (table.getTableName().equals(str2)) {
                return table.isAuthorized();
            }
        }
        return false;
    }

    private boolean getColumnAuthorized(AclTCRRequest aclTCRRequest, String str, String str2, String str3) {
        if (!aclTCRRequest.getDatabaseName().equals(str)) {
            return false;
        }
        for (AclTCRRequest.Table table : aclTCRRequest.getTables()) {
            if (table.getTableName().equals(str2)) {
                if (!table.isAuthorized()) {
                    return false;
                }
                for (AclTCRRequest.Column column : table.getColumns()) {
                    if (column.getColumnName().equals(str3)) {
                        return column.isAuthorized();
                    }
                }
            }
        }
        return false;
    }

    private SensitiveDataMask.MaskType getColumnDataMask(AclTCRRequest aclTCRRequest, String str, String str2, String str3) {
        if (!aclTCRRequest.getDatabaseName().equals(str)) {
            return null;
        }
        for (AclTCRRequest.Table table : aclTCRRequest.getTables()) {
            if (table.getTableName().equals(str2)) {
                if (!table.isAuthorized()) {
                    return null;
                }
                for (AclTCRRequest.Column column : table.getColumns()) {
                    if (column.getColumnName().equals(str3)) {
                        return column.getDataMaskType();
                    }
                }
            }
        }
        return null;
    }

    private List<AclTCRRequest> fillAclTCRRequest(AclTCRRequest aclTCRRequest) {
        List listAllTables = NTableMetadataManager.getInstance(getTestConfig(), "default").listAllTables();
        HashMap hashMap = new HashMap();
        hashMap.put("DEFAULT", new AclTCRRequest());
        hashMap.put("EDW", new AclTCRRequest());
        hashMap.put("SSB", new AclTCRRequest());
        listAllTables.forEach(tableDesc -> {
            String database = tableDesc.getDatabase();
            AclTCRRequest aclTCRRequest2 = (AclTCRRequest) hashMap.get(database);
            aclTCRRequest2.setDatabaseName(database);
            AclTCRRequest.Table table = new AclTCRRequest.Table();
            table.setTableName(tableDesc.getName());
            table.setRows(getAclTCRRequestRow(aclTCRRequest, database, tableDesc.getName()));
            table.setAuthorized(getTableAuthorized(aclTCRRequest, database, tableDesc.getName()));
            ArrayList arrayList = new ArrayList();
            Arrays.stream(tableDesc.getColumns()).forEach(columnDesc -> {
                AclTCRRequest.Column column = new AclTCRRequest.Column();
                column.setAuthorized(getColumnAuthorized(aclTCRRequest, database, tableDesc.getName(), columnDesc.getName()));
                column.setDataMaskType(getColumnDataMask(aclTCRRequest, database, tableDesc.getName(), columnDesc.getName()));
                column.setColumnName(columnDesc.getName());
                arrayList.add(column);
            });
            table.setColumns(arrayList);
            ArrayList arrayList2 = new ArrayList();
            if (aclTCRRequest2.getTables() != null) {
                arrayList2.addAll(aclTCRRequest2.getTables());
            }
            arrayList2.add(table);
            aclTCRRequest2.setTables(arrayList2);
        });
        ArrayList arrayList = new ArrayList();
        arrayList.add(hashMap.get("DEFAULT"));
        arrayList.add(hashMap.get("EDW"));
        arrayList.add(hashMap.get("SSB"));
        return arrayList;
    }

    @Test
    public void testUpdateAclTCRRequest() throws IOException {
        AclTCRManager aclTCRManager = (AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default");
        String uuid = ((NProjectManager) this.aclTCRService.getManager(NProjectManager.class)).getProject("default").getUuid();
        ArrayList newArrayList = Lists.newArrayList();
        AccessRequest accessRequest = new AccessRequest();
        accessRequest.setSid("u1");
        accessRequest.setPrincipal(true);
        accessRequest.setPermission("ADMINISTRATION");
        newArrayList.add(accessRequest);
        getTestConfig().setProperty("kylin.acl.project-internal-default-permission-granted", "false");
        this.aclTCRService.updateAclTCR(uuid, newArrayList);
        AccessRequest accessRequest2 = new AccessRequest();
        accessRequest2.setSid("g1");
        accessRequest2.setPrincipal(false);
        newArrayList.add(accessRequest2);
        this.aclTCRService.updateAclTCR(uuid, newArrayList);
        Assert.assertTrue(aclTCRManager.getAuthorizedTables("u1", Sets.newHashSet(new String[]{"g1"})).contains("DEFAULT.TEST_COUNTRY"));
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_ORDER");
        table.setAuthorized(true);
        AclTCRRequest.Table table2 = new AclTCRRequest.Table();
        table2.setTableName("TEST_ACCOUNT");
        table2.setAuthorized(false);
        AclTCRRequest.Column column = new AclTCRRequest.Column();
        column.setColumnName("ORDER_ID");
        column.setAuthorized(true);
        AclTCRRequest.Column column2 = new AclTCRRequest.Column();
        column2.setColumnName("BUYER_ID");
        column2.setAuthorized(false);
        AclTCRRequest.Column column3 = new AclTCRRequest.Column();
        column3.setColumnName("TEST_DATE_ENC");
        column3.setAuthorized(true);
        column3.setDataMaskType(SensitiveDataMask.MaskType.DEFAULT);
        table.setColumns(Arrays.asList(column, column2, column3));
        AclTCRRequest.Row row = new AclTCRRequest.Row();
        row.setColumnName("ORDER_ID");
        row.setItems(Arrays.asList("100100", "100101", "100102"));
        table.setRows(Arrays.asList(row));
        aclTCRRequest.setTables(Arrays.asList(table, table2));
        this.aclTCRService.updateAclTCR("default", "u1", true, fillAclTCRRequest(aclTCRRequest));
        Assert.assertFalse(aclTCRManager.getAuthorizedTables("u1", (Set) null).contains("DEFAULT.TEST_COUNTRY"));
        Assert.assertNotNull(aclTCRManager.getSensitiveDataMaskInfo("u1", (Set) null).getMask("DEFAULT", "TEST_ORDER", "TEST_DATE_ENC"));
        Assert.assertTrue(aclTCRManager.getAuthorizedTables("u1", (Set) null).contains("DEFAULT.TEST_ORDER"));
        this.aclTCRService.revokeAclTCR(uuid, "u1", true);
        Assert.assertFalse(aclTCRManager.getAuthorizedTables("u1", (Set) null).contains("DEFAULT.TEST_ORDER"));
        Assert.assertFalse(aclTCRManager.getAuthorizedTables((String) null, Sets.newHashSet(new String[]{"g1"})).contains("DEFAULT.TEST_COUNTRY"));
        Mockito.when(this.projectService.getOwnedProjects()).thenReturn(Lists.newArrayList(new String[]{"default"}));
        this.aclTCRService.revokeAclTCR("g1", false);
        Assert.assertFalse(aclTCRManager.getAuthorizedTables((String) null, Sets.newHashSet(new String[]{"g1"})).contains("DEFAULT.TEST_COUNTRY"));
        this.aclTCRService.updateAclTCR("default", "u1", true, fillAclTCRRequest(aclTCRRequest));
        Assert.assertTrue(aclTCRManager.getAuthorizedTables("u1", (Set) null).contains("DEFAULT.TEST_ORDER"));
        this.aclTCRService.unloadTable("default", "DEFAULT.TEST_ORDER");
        Assert.assertFalse(aclTCRManager.getAuthorizedTables("u1", (Set) null).contains("DEFAULT.TEST_ORDER"));
        assertKylinExeption(() -> {
            this.aclTCRService.updateAclTCR("default", "u4", true, fillAclTCRRequest(aclTCRRequest));
        }, "Admin is not supported to update permission.");
        assertKylinExeption(() -> {
            this.aclTCRService.updateAclTCR("default", "u5", true, fillAclTCRRequest(aclTCRRequest));
        }, "Admin is not supported to update permission.");
    }

    @Test
    public void testInvalidAclTCRRequest() {
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_ORDER");
        table.setAuthorized(true);
        AclTCRRequest.Column column = new AclTCRRequest.Column();
        column.setColumnName("ORDER_ID");
        column.setAuthorized(true);
        table.setColumns(Arrays.asList(column));
        AclTCRRequest.Row row = new AclTCRRequest.Row();
        row.setColumnName("TEST_EXTENDED_COLUMN");
        row.setItems(Arrays.asList("abc"));
        AclTCRRequest.Row row2 = new AclTCRRequest.Row();
        row2.setColumnName("ORDER_ID");
        row2.setItems(Arrays.asList("bbb"));
        table.setRows(Arrays.asList(row, row2));
        AclTCRRequest.Table table2 = new AclTCRRequest.Table();
        table2.setTableName("TEST_ACCOUNT");
        table2.setAuthorized(false);
        aclTCRRequest.setTables(Arrays.asList(table2, table));
        try {
            this.aclTCRService.updateAclTCR("default", "u1", true, fillAclTCRRequest(aclTCRRequest));
            Assert.fail();
        } catch (Exception e) {
            e.printStackTrace();
            Assert.assertTrue(e.getCause() instanceof KylinException);
            Assert.assertTrue(e.getCause().getMessage().contains("Can’t assign value(s) for the column \"DEFAULT.TEST_ORDER.ORDER_ID\""));
        }
    }

    @Test
    public void testGetAclTCRResponse() throws IOException {
        ((AccessService) Mockito.doReturn(false).when(this.accessService)).hasGlobalAdminGroup("u1");
        Assert.assertEquals(0L, this.aclTCRService.getAclTCRResponse("default", "u1", true, true).size());
        AclTCRManager aclTCRManager = (AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default");
        aclTCRManager.updateAclTCR(new AclTCR(), "u1", true);
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, true).stream().anyMatch(aclTCRResponse -> {
            return aclTCRResponse.getTables().stream().anyMatch(table -> {
                return "TEST_ORDER".equals(table.getTableName());
            });
        }));
        AclTCR aclTCR = new AclTCR();
        AclTCR.Table table = new AclTCR.Table();
        AclTCR.ColumnRow columnRow = new AclTCR.ColumnRow();
        AclTCR.Column column = new AclTCR.Column();
        AclTCR.Row row = new AclTCR.Row();
        AclTCR.RealRow realRow = new AclTCR.RealRow();
        realRow.addAll(Arrays.asList("100100", "100101", "100102"));
        row.put("ORDER_ID", realRow);
        row.put("BUYER_ID", (Object) null);
        columnRow.setRow(row);
        column.addAll(Arrays.asList("ORDER_ID", "BUYER_ID", "TEST_DATE_ENC"));
        columnRow.setColumn(column);
        columnRow.setColumnSensitiveDataMask(Lists.newArrayList(new SensitiveDataMask[]{new SensitiveDataMask("ORDER_ID", SensitiveDataMask.MaskType.AS_NULL)}));
        table.put("DEFAULT.TEST_ORDER", columnRow);
        table.put("DEFAULT.TEST_ACCOUNT", (Object) null);
        AclTCR.ColumnRow columnRow2 = new AclTCR.ColumnRow();
        AclTCR.Row row2 = new AclTCR.Row();
        AclTCR.RealRow realRow2 = new AclTCR.RealRow();
        realRow2.addAll(Arrays.asList("country_a", "country_b"));
        row2.put("COUNTRY", realRow2);
        columnRow2.setRow(row2);
        table.put("DEFAULT.TEST_COUNTRY", columnRow2);
        aclTCR.setTable(table);
        aclTCRManager.updateAclTCR(aclTCR, "u1", true);
        List aclTCRResponse2 = this.aclTCRService.getAclTCRResponse("default", "u1", true, true);
        Assert.assertTrue(aclTCRResponse2.stream().anyMatch(aclTCRResponse3 -> {
            return aclTCRResponse3.getTables().stream().anyMatch(table2 -> {
                return "TEST_ORDER".equals(table2.getTableName());
            });
        }));
        Assert.assertTrue(aclTCRResponse2.stream().anyMatch(aclTCRResponse4 -> {
            return aclTCRResponse4.getTables().stream().noneMatch(table2 -> {
                return "TEST_SITES".equals(table2.getTableName());
            });
        }));
        List aclTCRResponse5 = this.aclTCRService.getAclTCRResponse("default", "u1", true, false);
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse6 -> {
            return aclTCRResponse6.getTables().stream().anyMatch(table2 -> {
                return table2.isAuthorized() && "TEST_ORDER".equals(table2.getTableName());
            });
        }));
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse7 -> {
            return aclTCRResponse7.getTables().stream().anyMatch(table2 -> {
                return !table2.isAuthorized() && "TEST_SITES".equals(table2.getTableName());
            });
        }));
        Assert.assertEquals(3L, ((AclTCRResponse) aclTCRResponse5.stream().filter(aclTCRResponse8 -> {
            return "DEFAULT".equals(aclTCRResponse8.getDatabaseName());
        }).findAny().get()).getAuthorizedTableNum());
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse9 -> {
            return aclTCRResponse9.getTables().stream().anyMatch(table2 -> {
                return table2.getColumns().stream().anyMatch(column2 -> {
                    return column2.isAuthorized() && "ORDER_ID".equals(column2.getColumnName());
                });
            });
        }));
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse10 -> {
            return aclTCRResponse10.getTables().stream().anyMatch(table2 -> {
                return table2.getColumns().stream().anyMatch(column2 -> {
                    return column2.isAuthorized() && "BUYER_ID".equals(column2.getColumnName());
                });
            });
        }));
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse11 -> {
            return aclTCRResponse11.getTables().stream().anyMatch(table2 -> {
                return table2.getColumns().stream().anyMatch(column2 -> {
                    return column2.isAuthorized() && "COUNTRY".equals(column2.getColumnName());
                });
            });
        }));
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse12 -> {
            return aclTCRResponse12.getTables().stream().anyMatch(table2 -> {
                return table2.getColumns().stream().anyMatch(column2 -> {
                    return !column2.isAuthorized() && "TEST_TIME_ENC".equals(column2.getColumnName());
                });
            });
        }));
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse13 -> {
            return aclTCRResponse13.getTables().stream().anyMatch(table2 -> {
                return table2.getRows().stream().anyMatch(row3 -> {
                    return "COUNTRY".equals(row3.getColumnName()) && "country_a,country_b".equals(String.join(",", row3.getItems()));
                });
            });
        }));
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse14 -> {
            return aclTCRResponse14.getTables().stream().anyMatch(table2 -> {
                return table2.getColumns().stream().anyMatch(column2 -> {
                    return "ORDER_ID".equals(column2.getColumnName()) && column2.getDataMaskType() == SensitiveDataMask.MaskType.AS_NULL;
                });
            });
        }));
        Assert.assertTrue(aclTCRResponse5.stream().anyMatch(aclTCRResponse15 -> {
            return aclTCRResponse15.getTables().stream().anyMatch(table2 -> {
                return table2.getColumns().stream().anyMatch(column2 -> {
                    return "BUYER_ID".equals(column2.getColumnName()) && "bigint".equals(column2.getDatatype());
                });
            });
        }));
    }

    @Test
    public void testGetAclTCRResponseWithAdmin() throws IOException {
        ((UserService) Mockito.doReturn(true).when(this.userService)).isGlobalAdmin("u1");
        List aclTCRResponse = this.aclTCRService.getAclTCRResponse("default", "u1", true, true);
        Assert.assertEquals(3L, aclTCRResponse.size());
        Assert.assertTrue(aclTCRResponse.stream().anyMatch(aclTCRResponse2 -> {
            return aclTCRResponse2.getTables().stream().anyMatch(table -> {
                return table.isAuthorized() && "TEST_ORDER".equals(table.getTableName());
            });
        }));
        Assert.assertTrue(aclTCRResponse.stream().anyMatch(aclTCRResponse3 -> {
            return "DEFAULT".equals(aclTCRResponse3.getDatabaseName()) && aclTCRResponse3.getTables().size() == 13;
        }));
        Assert.assertTrue(aclTCRResponse.stream().anyMatch(aclTCRResponse4 -> {
            return "EDW".equals(aclTCRResponse4.getDatabaseName()) && aclTCRResponse4.getTables().size() == 3;
        }));
        Assert.assertTrue(aclTCRResponse.stream().anyMatch(aclTCRResponse5 -> {
            return "SSB".equals(aclTCRResponse5.getDatabaseName()) && aclTCRResponse5.getTables().size() == 6;
        }));
    }

    @Test
    public void testGetAuthorizedTables() {
        HashSet newHashSet = Sets.newHashSet(new String[]{"group1"});
        NKylinUserManager nKylinUserManager = (NKylinUserManager) Mockito.mock(NKylinUserManager.class);
        ((AclTCRService) Mockito.doReturn(nKylinUserManager).when(this.aclTCRService)).getKylinUserManager();
        ((NKylinUserManager) Mockito.doReturn(newHashSet).when(nKylinUserManager)).getUserGroups("user1");
        ((AclTCRService) Mockito.doReturn((Object) null).when(this.aclTCRService)).getAuthorizedTables("default", "user1", Sets.newHashSet(new String[]{"group1"}));
        Assert.assertNull(this.aclTCRService.getAuthorizedTables("default", "user1"));
        Mockito.reset(new AclTCRService[]{this.aclTCRService});
        AclTCRManager aclTCRManager = (AclTCRManager) Mockito.mock(AclTCRManager.class);
        ((AclTCRService) Mockito.doReturn(aclTCRManager).when(this.aclTCRService)).getManager(AclTCRManager.class, "default");
        ((AclTCRManager) Mockito.doReturn(Lists.newArrayList()).when(aclTCRManager)).getAclTCRs("user1", newHashSet);
        NTableMetadataManager nTableMetadataManager = (NTableMetadataManager) Mockito.mock(NTableMetadataManager.class);
        ((AclTCRService) Mockito.doReturn(nTableMetadataManager).when(this.aclTCRService)).getTableMetadataManager("default");
        ((NTableMetadataManager) Mockito.doReturn(Lists.newArrayList()).when(nTableMetadataManager)).listAllTables();
        ((AclTCRService) Mockito.doReturn(false).when(this.aclTCRService)).canUseACLGreenChannel("default");
        Assert.assertEquals(0L, this.aclTCRService.getAuthorizedTables("default", "user1", newHashSet).size());
    }

    private List<AclTCRRequest> getFillRequest() {
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_ORDER");
        table.setAuthorized(true);
        table.setColumns(new ArrayList());
        table.setRows(new ArrayList());
        aclTCRRequest.setTables(Arrays.asList(table));
        return fillAclTCRRequest(aclTCRRequest);
    }

    @Test
    public void testACLTCRDuplicateDatabaseException() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("Database [DEFAULT] is duplicated in API requests");
        List<AclTCRRequest> fillRequest = getFillRequest();
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        fillRequest.add(aclTCRRequest);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCRDuplicateTableException() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("Table [DEFAULT.TEST_ACCOUNT] is duplicated in API requests");
        List<AclTCRRequest> fillRequest = getFillRequest();
        ArrayList arrayList = new ArrayList(fillRequest.get(0).getTables());
        Stream filter = fillRequest.get(0).getTables().stream().filter(table -> {
            return table.getTableName().equals("TEST_ACCOUNT");
        });
        arrayList.getClass();
        filter.forEach((v1) -> {
            r1.add(v1);
        });
        fillRequest.get(0).setTables(arrayList);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCRDuplicateColumnException() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("Column [DEFAULT.TEST_ACCOUNT.ACCOUNT_ID] is duplicated in API requests");
        List<AclTCRRequest> fillRequest = getFillRequest();
        fillRequest.get(0).getTables().forEach(table -> {
            if (table.getTableName().equals("TEST_ACCOUNT")) {
                List<AclTCRRequest.Column> columns = table.getColumns();
                AclTCRRequest.Column column = null;
                for (AclTCRRequest.Column column2 : columns) {
                    if (column2.getColumnName().equals("ACCOUNT_ID")) {
                        column = column2;
                    }
                }
                columns.add(column);
            }
        });
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCREmptyDatabaseName() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("Invalid value for parameter ‘database_name’ which should not be empty");
        List<AclTCRRequest> fillRequest = getFillRequest();
        fillRequest.get(0).setDatabaseName((String) null);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCREmptyTables() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage(Message.getInstance().getEmptyTableList());
        List<AclTCRRequest> fillRequest = getFillRequest();
        fillRequest.get(0).setTables((List) null);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCRDatabaseMiss() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("All the databases should be defined and the database below are missing: (DEFAULT)");
        List<AclTCRRequest> fillRequest = getFillRequest();
        fillRequest.remove(0);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCREmptyTableName() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("Invalid value for parameter ‘table_name’ which should not be empty");
        List<AclTCRRequest> fillRequest = getFillRequest();
        ((AclTCRRequest.Table) fillRequest.get(0).getTables().get(0)).setTableName((String) null);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCRTableNotExist() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("Can’t find table \"DEFAULT.NOTEXIST\". Please check and try again.");
        List<AclTCRRequest> fillRequest = getFillRequest();
        ArrayList arrayList = new ArrayList(fillRequest.get(0).getTables());
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("notexist");
        table.setRows(new ArrayList());
        fillRequest.get(0).getTables().stream().filter(table2 -> {
            return table2.getTableName().equals("TEST_ACCOUNT");
        }).forEach(table3 -> {
            table.setColumns(table3.getColumns());
        });
        arrayList.add(table);
        fillRequest.get(0).setTables(arrayList);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCRColumnNotExist() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("Column:[DEFAULT.TEST_ACCOUNT.NOTEXIST] is not exist");
        List<AclTCRRequest> fillRequest = getFillRequest();
        fillRequest.get(0).getTables().forEach(table -> {
            if (table.getTableName().equals("TEST_ACCOUNT")) {
                List columns = table.getColumns();
                AclTCRRequest.Column column = new AclTCRRequest.Column();
                column.setColumnName("notexist");
                columns.add(column);
            }
        });
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCRDatabaseNotExist() throws IOException {
        List<AclTCRRequest> fillRequest = getFillRequest();
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("notexist");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_ORDER");
        table.setAuthorized(true);
        Optional<AclTCRRequest> findAny = fillRequest.stream().filter(aclTCRRequest2 -> {
            return aclTCRRequest2.getTables().stream().noneMatch(table2 -> {
                return table2.getColumns().isEmpty();
            });
        }).findAny();
        Assert.assertTrue(findAny.isPresent());
        table.setColumns(Collections.singletonList(((AclTCRRequest.Table) findAny.get().getTables().get(0)).getColumns().get(0)));
        table.setRows(new ArrayList());
        aclTCRRequest.setTables(Collections.singletonList(table));
        fillRequest.add(aclTCRRequest);
        Assert.assertThrows("Can’t find database \"NOTEXIST\". Please check and try again.", KylinException.class, () -> {
            this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
        });
    }

    @Test
    public void testACLTCREmptyColumns() throws IOException {
        List<AclTCRRequest> fillRequest = getFillRequest();
        Optional<AclTCRRequest> findAny = fillRequest.stream().filter(aclTCRRequest -> {
            return aclTCRRequest.getTables().stream().noneMatch(table -> {
                return table.getColumns().isEmpty();
            });
        }).findAny();
        Assert.assertTrue(findAny.isPresent());
        ((AclTCRRequest.Table) findAny.get().getTables().get(0)).setColumns((List) null);
        Assert.assertThrows("Invalid value for parameter ‘columns’ which should not be empty", KylinException.class, () -> {
            this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
        });
    }

    @Test
    public void testACLTCREmptyRows() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("Invalid value for parameter ‘rows’ which should not be empty");
        List<AclTCRRequest> fillRequest = getFillRequest();
        ((AclTCRRequest.Table) fillRequest.get(0).getTables().get(0)).setRows((List) null);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCREmptyColumnName() throws IOException {
        List<AclTCRRequest> fillRequest = getFillRequest();
        Optional<AclTCRRequest> findAny = fillRequest.stream().filter(aclTCRRequest -> {
            return aclTCRRequest.getTables().stream().noneMatch(table -> {
                return table.getColumns().isEmpty();
            });
        }).findAny();
        Assert.assertTrue(findAny.isPresent());
        ((AclTCRRequest.Column) ((AclTCRRequest.Table) findAny.get().getTables().get(0)).getColumns().get(0)).setColumnName((String) null);
        Assert.assertThrows("Invalid value for parameter ‘column_name’ which should not be empty", KylinException.class, () -> {
            this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
        });
    }

    @Test
    public void testACLTCRTableMiss() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("All the tables should be defined and the table below are missing: (DEFAULT.TEST_ACCOUNT)");
        List<AclTCRRequest> fillRequest = getFillRequest();
        ArrayList arrayList = new ArrayList(fillRequest.get(0).getTables());
        Stream filter = fillRequest.get(0).getTables().stream().filter(table -> {
            return table.getTableName().equals("TEST_ACCOUNT");
        });
        arrayList.getClass();
        filter.forEach((v1) -> {
            r1.remove(v1);
        });
        fillRequest.get(0).setTables(arrayList);
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testACLTCRColumnMiss() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage("All the columns should be defined and the column below are missing: (DEFAULT.TEST_ACCOUNT.ACCOUNT_ID)");
        List<AclTCRRequest> fillRequest = getFillRequest();
        fillRequest.get(0).getTables().forEach(table -> {
            if (table.getTableName().equals("TEST_ACCOUNT")) {
                List<AclTCRRequest.Column> columns = table.getColumns();
                AclTCRRequest.Column column = null;
                for (AclTCRRequest.Column column2 : columns) {
                    if (column2.getColumnName().equals("ACCOUNT_ID")) {
                        column = column2;
                    }
                }
                columns.remove(column);
            }
        });
        this.aclTCRService.updateAclTCR("default", "u1", true, fillRequest);
    }

    @Test
    public void testMergeACLTCRWithRevokeGrantColumns() throws IOException {
        ((AccessService) Mockito.doReturn(false).when(this.accessService)).hasGlobalAdminGroup("u1");
        Assert.assertEquals(0L, this.aclTCRService.getAclTCRResponse("default", "u1", true, true).size());
        ((AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default")).updateAclTCR(new AclTCR(), "u1", true);
        List aclTCRResponse = this.aclTCRService.getAclTCRResponse("default", "u1", true, false);
        AtomicInteger atomicInteger = new AtomicInteger();
        AtomicInteger atomicInteger2 = new AtomicInteger();
        AtomicInteger atomicInteger3 = new AtomicInteger();
        AtomicInteger atomicInteger4 = new AtomicInteger();
        Assert.assertTrue(aclTCRResponse.stream().filter(aclTCRResponse2 -> {
            return aclTCRResponse2.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse3 -> {
            return aclTCRResponse3.getTables().stream().filter(table -> {
                return table.getTableName().equals("TEST_SELLER_TYPE_DIM");
            }).anyMatch(table2 -> {
                atomicInteger.set(aclTCRResponse3.getTotalTableNum());
                atomicInteger2.set(aclTCRResponse3.getAuthorizedTableNum());
                atomicInteger3.set(table2.getTotalColumnNum());
                atomicInteger4.set(table2.getAuthorizedColumnNum());
                return table2.getColumns().stream().anyMatch(column -> {
                    return column.isAuthorized() && column.getColumnName().equals("DIM_CRE_USER");
                });
            });
        }));
        Assert.assertTrue(atomicInteger.get() > 0);
        Assert.assertTrue(atomicInteger2.get() > 0);
        Assert.assertTrue(atomicInteger3.get() > 0);
        Assert.assertTrue(atomicInteger4.get() > 0);
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("EDW");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_SELLER_TYPE_DIM");
        table.setAuthorized(true);
        AclTCRRequest.Column column = new AclTCRRequest.Column();
        column.setColumnName("DIM_CRE_USER");
        column.setAuthorized(false);
        table.setColumns(Collections.singletonList(column));
        aclTCRRequest.setTables(Collections.singletonList(table));
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().filter(aclTCRResponse4 -> {
            return aclTCRResponse4.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse5 -> {
            return aclTCRResponse5.getTables().stream().filter(table2 -> {
                return table2.getTableName().equals("TEST_SELLER_TYPE_DIM");
            }).anyMatch(table3 -> {
                return table3.getAuthorizedColumnNum() == atomicInteger4.get() - 1 && table3.getColumns().stream().anyMatch(column2 -> {
                    return !column2.isAuthorized() && column2.getColumnName().equals("DIM_CRE_USER");
                });
            });
        }));
        column.setColumnName("DIM_CRE_USER");
        column.setAuthorized(true);
        table.setColumns(Collections.singletonList(column));
        aclTCRRequest.setTables(Collections.singletonList(table));
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().filter(aclTCRResponse6 -> {
            return aclTCRResponse6.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse7 -> {
            return aclTCRResponse7.getTables().stream().filter(table2 -> {
                return table2.getTableName().equals("TEST_SELLER_TYPE_DIM");
            }).anyMatch(table3 -> {
                return table3.getAuthorizedColumnNum() == atomicInteger4.get() && table3.getColumns().stream().anyMatch(column2 -> {
                    return column2.isAuthorized() && column2.getColumnName().equals("DIM_CRE_USER");
                });
            });
        }));
    }

    @Test
    public void testMergeACLTCRWithRevokeGrantTable() throws IOException {
        ((AccessService) Mockito.doReturn(false).when(this.accessService)).hasGlobalAdminGroup("u1");
        Assert.assertEquals(0L, this.aclTCRService.getAclTCRResponse("default", "u1", true, true).size());
        ((AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default")).updateAclTCR(new AclTCR(), "u1", true);
        AtomicInteger atomicInteger = new AtomicInteger();
        AtomicInteger atomicInteger2 = new AtomicInteger();
        AtomicInteger atomicInteger3 = new AtomicInteger();
        AtomicInteger atomicInteger4 = new AtomicInteger();
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().filter(aclTCRResponse -> {
            return aclTCRResponse.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse2 -> {
            return aclTCRResponse2.getTables().stream().filter(table -> {
                return table.getTableName().equals("TEST_SELLER_TYPE_DIM");
            }).anyMatch(table2 -> {
                atomicInteger.set(aclTCRResponse2.getTotalTableNum());
                atomicInteger2.set(aclTCRResponse2.getAuthorizedTableNum());
                atomicInteger3.set(table2.getTotalColumnNum());
                atomicInteger4.set(table2.getAuthorizedColumnNum());
                return table2.getColumns().stream().anyMatch(column -> {
                    return column.isAuthorized() && column.getColumnName().equals("DIM_CRE_USER");
                });
            });
        }));
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("EDW");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_SELLER_TYPE_DIM");
        table.setAuthorized(false);
        aclTCRRequest.setTables(Collections.singletonList(table));
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().filter(aclTCRResponse3 -> {
            return aclTCRResponse3.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse4 -> {
            return aclTCRResponse4.getTables().stream().filter(table2 -> {
                return table2.getTableName().equals("TEST_SELLER_TYPE_DIM") && !table2.isAuthorized();
            }).anyMatch(table3 -> {
                return table3.getAuthorizedColumnNum() == 0 && table3.getColumns().stream().noneMatch((v0) -> {
                    return v0.isAuthorized();
                });
            });
        }));
        table.setAuthorized(true);
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().filter(aclTCRResponse5 -> {
            return aclTCRResponse5.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse6 -> {
            return aclTCRResponse6.getTables().stream().filter(table2 -> {
                return table2.getTableName().equals("TEST_SELLER_TYPE_DIM") && table2.isAuthorized();
            }).anyMatch(table3 -> {
                return table3.getAuthorizedColumnNum() == atomicInteger4.get() && table3.getColumns().stream().allMatch((v0) -> {
                    return v0.isAuthorized();
                });
            });
        }));
    }

    @Test
    public void testMergeACLTCRWithBatchUpdateRowAcl() throws IOException {
        ((AccessService) Mockito.doReturn(false).when(this.accessService)).hasGlobalAdminGroup("u1");
        Assert.assertEquals(0L, this.aclTCRService.getAclTCRResponse("default", "u1", true, true).size());
        ((AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default")).updateAclTCR(new AclTCR(), "u1", true);
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("EDW");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setAuthorized(true);
        table.setTableName("TEST_SELLER_TYPE_DIM");
        AclTCRRequest.Row row = new AclTCRRequest.Row();
        table.setRows(new ArrayList());
        row.setColumnName("DIM_CRE_USER");
        row.setItems(Arrays.asList("user1", "user2"));
        table.getRows().add(row);
        AclTCRRequest.Row row2 = new AclTCRRequest.Row();
        row2.setColumnName("DIM_CRE_DATE");
        row2.setItems(Arrays.asList("2020-01-01 00:00:00", "2020-01-02 00:00:00"));
        table.getRows().add(row2);
        aclTCRRequest.setTables(Collections.singletonList(table));
        AclTCRRequest.Column column = new AclTCRRequest.Column();
        column.setAuthorized(true);
        column.setColumnName("NOT_EXIST_COLUMN");
        table.setColumns(Lists.newArrayList(new AclTCRRequest.Column[]{column}));
        assertKylinExeption(() -> {
            this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        }, "Column:[EDW.TEST_SELLER_TYPE_DIM.NOT_EXIST_COLUMN] is not exist.");
        column.setColumnName("DIM_CRE_DATE");
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().filter(aclTCRResponse -> {
            return aclTCRResponse.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse2 -> {
            return aclTCRResponse2.getTables().stream().filter(table2 -> {
                return table2.getTableName().equals("TEST_SELLER_TYPE_DIM");
            }).anyMatch(table3 -> {
                return table3.getColumns().stream().allMatch((v0) -> {
                    return v0.isAuthorized();
                }) && table3.getRows().size() == 2;
            });
        }));
        table.setRows(new ArrayList());
        row2.setColumnName("DIM_CRE_USER");
        row2.setItems(Arrays.asList("user1", "user2"));
        table.getRows().add(row2);
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().filter(aclTCRResponse3 -> {
            return aclTCRResponse3.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse4 -> {
            return aclTCRResponse4.getTables().stream().filter(table2 -> {
                return table2.getTableName().equals("TEST_SELLER_TYPE_DIM");
            }).anyMatch(table3 -> {
                return table3.getColumns().stream().allMatch((v0) -> {
                    return v0.isAuthorized();
                }) && table3.getRows().size() == 1;
            });
        }));
        table.setRows(new ArrayList());
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().filter(aclTCRResponse5 -> {
            return aclTCRResponse5.getDatabaseName().equals("EDW");
        }).anyMatch(aclTCRResponse6 -> {
            return aclTCRResponse6.getTables().stream().filter(table2 -> {
                return table2.getTableName().equals("TEST_SELLER_TYPE_DIM");
            }).anyMatch(table3 -> {
                return table3.getColumns().stream().allMatch((v0) -> {
                    return v0.isAuthorized();
                }) && table3.getRows().size() == 0;
            });
        }));
    }

    @Test
    public void testMergeACLTCRWithGrantRowAclWithUnauthorizedColumn() throws IOException {
        ((AccessService) Mockito.doReturn(false).when(this.accessService)).hasGlobalAdminGroup("u1");
        Assert.assertEquals(0L, this.aclTCRService.getAclTCRResponse("default", "u1", true, true).size());
        ((AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default")).updateAclTCR(new AclTCR(), "u1", true);
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("EDW");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_SELLER_TYPE_DIM");
        table.setAuthorized(true);
        AclTCRRequest.Column column = new AclTCRRequest.Column();
        column.setColumnName("DIM_CRE_USER");
        column.setAuthorized(false);
        table.setColumns(Collections.singletonList(column));
        aclTCRRequest.setTables(Collections.singletonList(table));
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
        AclTCRRequest.Row row = new AclTCRRequest.Row();
        table.setRows(new ArrayList());
        row.setColumnName("DIM_CRE_USER");
        row.setItems(Arrays.asList("user1", "user2"));
        table.getRows().add(row);
        this.thrown.expectCause(new BaseMatcher<Throwable>() { // from class: org.apache.kylin.rest.service.AclTCRServiceTest.1
            public boolean matches(Object obj) {
                if (obj instanceof KylinException) {
                    return ((KylinException) obj).getMessage().contains("doesn’t have access to the column \"DIM_CRE_USER\"");
                }
                return false;
            }

            public void describeTo(Description description) {
            }
        });
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
    }

    @Test
    public void testMergeACLTCRWithDependencyColumnDependsOnDependencyColumn() throws IOException {
        ((AccessService) Mockito.doReturn(false).when(this.accessService)).hasGlobalAdminGroup("u1");
        Assert.assertEquals(0L, this.aclTCRService.getAclTCRResponse("default", "u1", true, true).size());
        ((AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default")).updateAclTCR(new AclTCR(), "u1", true);
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("EDW");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_SELLER_TYPE_DIM");
        table.setAuthorized(true);
        table.setColumns(new ArrayList());
        AclTCRRequest.Column column = new AclTCRRequest.Column();
        column.setDependentColumns(new ArrayList());
        column.setColumnName("DIM_CRE_USER");
        column.setAuthorized(true);
        AclTCRRequest.DependentColumnData dependentColumnData = new AclTCRRequest.DependentColumnData();
        dependentColumnData.setColumnIdentity("EDW.TEST_SELLER_TYPE_DIM.DIM_CRE_DATE");
        dependentColumnData.setValues(new String[]{"2020-01-01 00:00:00", "2020-01-02 00:00:00"});
        column.getDependentColumns().add(dependentColumnData);
        table.getColumns().add(column);
        AclTCRRequest.Column column2 = new AclTCRRequest.Column();
        column2.setDependentColumns(new ArrayList());
        column2.setColumnName("DIM_CRE_DATE");
        column2.setAuthorized(true);
        AclTCRRequest.DependentColumnData dependentColumnData2 = new AclTCRRequest.DependentColumnData();
        dependentColumnData2.setColumnIdentity("EDW.TEST_SELLER_TYPE_DIM.DIM_CRE_USER");
        dependentColumnData2.setValues(new String[]{"user1", "user2"});
        column2.getDependentColumns().add(dependentColumnData2);
        table.getColumns().add(column2);
        aclTCRRequest.setTables(Collections.singletonList(table));
        this.thrown.expectCause(new BaseMatcher<Throwable>() { // from class: org.apache.kylin.rest.service.AclTCRServiceTest.2
            public boolean matches(Object obj) {
                if (obj instanceof KylinException) {
                    return ((KylinException) obj).getMessage().contains("Can’t set association rules on the column \"DIM_CRE_DATE, DIM_CRE_USER\"");
                }
                return false;
            }

            public void describeTo(Description description) {
            }
        });
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
    }

    @Test
    public void testMergeACLTCRWithUnsupportedMaskDatatype() throws IOException {
        ((AccessService) Mockito.doReturn(false).when(this.accessService)).hasGlobalAdminGroup("u1");
        Assert.assertEquals(0L, this.aclTCRService.getAclTCRResponse("default", "u1", true, true).size());
        ((AclTCRManager) this.aclTCRService.getManager(AclTCRManager.class, "default")).updateAclTCR(new AclTCR(), "u1", true);
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_MEASURE");
        table.setAuthorized(true);
        AclTCRRequest.Column column = new AclTCRRequest.Column();
        column.setColumnName("FLAG");
        column.setAuthorized(true);
        column.setDataMaskType(SensitiveDataMask.MaskType.AS_NULL);
        table.setColumns(Collections.singletonList(column));
        aclTCRRequest.setTables(Collections.singletonList(table));
        this.thrown.expectCause(new BaseMatcher<Throwable>() { // from class: org.apache.kylin.rest.service.AclTCRServiceTest.3
            public boolean matches(Object obj) {
                if (obj instanceof KylinException) {
                    return ((KylinException) obj).getMessage().contains("boolean, map or array");
                }
                return false;
            }

            public void describeTo(Description description) {
            }
        });
        this.aclTCRService.mergeAclTCR("default", "u1", true, Collections.singletonList(aclTCRRequest));
    }

    @Test
    public void testACLTCRInvalidDataTypeLikeCondition() throws IOException {
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage(Message.getInstance().getRowAclNotStringType());
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_ORDER");
        table.setAuthorized(true);
        table.setColumns(new ArrayList());
        table.setRows(new ArrayList());
        AclTCRRequest.Row row = new AclTCRRequest.Row();
        row.setColumnName("ORDER_ID");
        row.setItems(Arrays.asList("1%"));
        table.setLikeRows(Lists.newArrayList(new AclTCRRequest.Row[]{row}));
        aclTCRRequest.setTables(Arrays.asList(table));
        this.aclTCRService.mergeAclTCR("default", "u1", true, Lists.newArrayList(new AclTCRRequest[]{aclTCRRequest}));
    }

    @Test
    public void testUpdateAclTCRWithEmptyColumn() throws IOException {
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("EMPTY_COLUMN");
        table.setAuthorized(true);
        aclTCRRequest.setTables(Collections.singletonList(table));
        List<AclTCRRequest> fillAclTCRRequest = fillAclTCRRequest(aclTCRRequest);
        Assert.assertTrue(fillAclTCRRequest.stream().anyMatch(aclTCRRequest2 -> {
            return "DEFAULT".equals(aclTCRRequest2.getDatabaseName()) && aclTCRRequest2.getTables().stream().anyMatch(table2 -> {
                return "EMPTY_COLUMN".equals(table2.getTableName()) && table2.getColumns().isEmpty();
            });
        }));
        this.aclTCRService.updateAclTCR("default", "u1", true, fillAclTCRRequest);
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().anyMatch(aclTCRResponse -> {
            return "DEFAULT".equals(aclTCRResponse.getDatabaseName()) && aclTCRResponse.getTables().stream().anyMatch(table2 -> {
                return "EMPTY_COLUMN".equals(table2.getTableName()) && table2.isAuthorized();
            });
        }));
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table2 = new AclTCRRequest.Table();
        table2.setTableName("EMPTY_COLUMN");
        table2.setAuthorized(false);
        aclTCRRequest.setTables(Collections.singletonList(table2));
        List<AclTCRRequest> fillAclTCRRequest2 = fillAclTCRRequest(aclTCRRequest);
        Assert.assertTrue(fillAclTCRRequest2.stream().anyMatch(aclTCRRequest3 -> {
            return "DEFAULT".equals(aclTCRRequest3.getDatabaseName()) && aclTCRRequest3.getTables().stream().anyMatch(table3 -> {
                return "EMPTY_COLUMN".equals(table3.getTableName()) && table3.getColumns().isEmpty();
            });
        }));
        this.aclTCRService.updateAclTCR("default", "u1", true, fillAclTCRRequest2);
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, false).stream().anyMatch(aclTCRResponse2 -> {
            return "DEFAULT".equals(aclTCRResponse2.getDatabaseName()) && aclTCRResponse2.getTables().stream().anyMatch(table3 -> {
                return "EMPTY_COLUMN".equals(table3.getTableName()) && !table3.isAuthorized();
            });
        }));
    }

    @Test
    public void testMergeAndGetWithRowFilter() throws IOException {
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_ORDER");
        table.setAuthorized(true);
        AclTCRRequest.RowFilter rowFilter = new AclTCRRequest.RowFilter();
        ArrayList arrayList = new ArrayList();
        AclTCRRequest.FilterGroup filterGroup = new AclTCRRequest.FilterGroup();
        filterGroup.setGroup(false);
        ArrayList arrayList2 = new ArrayList();
        AclTCRRequest.Filter filter = new AclTCRRequest.Filter();
        filter.setColumnName("TEST_EXTENDED_COLUMN");
        filter.setInItems(Lists.newArrayList(new String[]{"a", "b"}));
        filter.setLikeItems(Lists.newArrayList(new String[]{"1", "2"}));
        arrayList2.add(filter);
        filterGroup.setFilters(arrayList2);
        arrayList.add(filterGroup);
        rowFilter.setFilterGroups(arrayList);
        table.setRowFilter(rowFilter);
        aclTCRRequest.setTables(Lists.newArrayList(new AclTCRRequest.Table[]{table}));
        this.aclTCRService.mergeAclTCR("default", "u1", true, Lists.newArrayList(new AclTCRRequest[]{aclTCRRequest}));
        Assert.assertTrue(this.aclTCRService.getAclTCRResponse("default", "u1", true, true).stream().anyMatch(aclTCRResponse -> {
            if ("DEFAULT".equals(aclTCRResponse.getDatabaseName())) {
                return aclTCRResponse.getTables().stream().anyMatch(table2 -> {
                    if (!"TEST_ORDER".equals(table2.getTableName())) {
                        return false;
                    }
                    AclTCRResponse.Filter filter2 = (AclTCRResponse.Filter) ((AclTCRResponse.FilterGroup) table2.getRowFilter().getFilterGroups().get(0)).getFilters().get(0);
                    return "TEST_EXTENDED_COLUMN".equals(filter2.getColumnName()) && "a".equals(filter2.getInItems().get(0)) && "1".equals(filter2.getLikeItems().get(0));
                });
            }
            return false;
        }));
    }

    @Test
    public void testUpdateAdminAndProjectAdminGroupTableAcl() {
        AclTCRRequest aclTCRRequest = new AclTCRRequest();
        aclTCRRequest.setDatabaseName("DEFAULT");
        AclTCRRequest.Table table = new AclTCRRequest.Table();
        table.setTableName("TEST_ORDER");
        table.setAuthorized(true);
        AclTCRRequest.Column column = new AclTCRRequest.Column();
        column.setColumnName("ORDER_ID");
        column.setAuthorized(false);
        table.setColumns(Collections.singletonList(column));
        aclTCRRequest.setTables(Collections.singletonList(table));
        assertKylinExeption(() -> {
            this.aclTCRService.updateAclTCR("default", "g3", false, fillAclTCRRequest(aclTCRRequest));
        }, "Admin is not supported to update permission.");
        assertKylinExeption(() -> {
            this.aclTCRService.updateAclTCR("default", "ROLE_ADMIN", false, fillAclTCRRequest(aclTCRRequest));
        }, "Admin is not supported to update permission.");
        overwriteSystemProp("kylin.security.acl.admin-role", "ldap-admin");
        assertKylinExeption(() -> {
            this.aclTCRService.updateAclTCR("default", "ldap-admin", false, fillAclTCRRequest(aclTCRRequest));
        }, "Admin is not supported to update permission.");
    }

    @Test
    public void testGetUserOrGroupAclPermissions() throws IOException {
        List grantedProjectsOfUserOrGroup = this.accessService.getGrantedProjectsOfUserOrGroup("ADMIN", true);
        Mockito.when(Boolean.valueOf(this.userService.isGlobalAdmin("ADMIN"))).thenReturn(true);
        List userOrGroupAclPermissions = this.accessService.getUserOrGroupAclPermissions(grantedProjectsOfUserOrGroup, "ADMIN", true);
        Assert.assertEquals(28L, userOrGroupAclPermissions.size());
        Assert.assertTrue(userOrGroupAclPermissions.stream().allMatch(sidPermissionWithAclResponse -> {
            return "ADMIN".equals(sidPermissionWithAclResponse.getProjectPermission());
        }));
        addGroupAndGrantPermission("MANAGEMENT_GROUP", AclPermission.MANAGEMENT);
        Mockito.when(Boolean.valueOf(this.userGroupService.exists("MANAGEMENT_GROUP"))).thenReturn(true);
        List grantedProjectsOfUserOrGroup2 = this.accessService.getGrantedProjectsOfUserOrGroup("MANAGEMENT_GROUP", false);
        List userOrGroupAclPermissions2 = this.accessService.getUserOrGroupAclPermissions(grantedProjectsOfUserOrGroup2, "MANAGEMENT_GROUP", false);
        Assert.assertEquals(1L, userOrGroupAclPermissions2.size());
        Assert.assertEquals("MANAGEMENT", ((SidPermissionWithAclResponse) userOrGroupAclPermissions2.get(0)).getProjectPermission());
        addGroupAndGrantPermission("ROLE_ANALYST", AclPermission.OPERATION);
        Mockito.when(Boolean.valueOf(this.userGroupService.exists("ROLE_ANALYST"))).thenReturn(true);
        this.userGroupService.modifyGroupUsers("ROLE_ANALYST", Lists.newArrayList(new String[]{"ANALYST"}));
        List userOrGroupAclPermissions3 = this.accessService.getUserOrGroupAclPermissions(grantedProjectsOfUserOrGroup2, "ANALYST", true);
        Assert.assertEquals(1L, userOrGroupAclPermissions3.size());
        Assert.assertEquals("OPERATION", ((SidPermissionWithAclResponse) userOrGroupAclPermissions3.get(0)).getProjectPermission());
    }

    @Test
    public void testCheckRow() {
        Message msg = MsgPicker.getMsg();
        AclTCRRequest.Row row = new AclTCRRequest.Row();
        Assert.assertThrows(msg.getEmptyColumnName(), KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(AclTCRService.class, "checkRow", new Object[]{msg, row});
        });
        row.setColumnName("column");
        Assert.assertThrows(msg.getEmptyItems(), KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(AclTCRService.class, "checkRow", new Object[]{msg, row});
        });
    }

    private void addGroupAndGrantPermission(String str, Permission permission) throws IOException {
        RootPersistentEntity aclEntity = this.accessService.getAclEntity("ProjectInstance", NProjectManager.getInstance(getTestConfig()).getProject("default").getUuid());
        this.userGroupService.addGroup(str);
        ReflectionTestUtils.invokeMethod(this.accessService, "grant", new Object[]{aclEntity, permission, this.accessService.getSid(str, false)});
    }
}
