package io.trino.plugin.opa;

import com.fasterxml.jackson.databind.JsonNode;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.trino.plugin.opa.HttpClientUtils;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.SchemaFunctionName;
import io.trino.spi.security.Identity;
import io.trino.spi.security.SystemSecurityContext;
import java.net.URI;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.MethodSource;

/* loaded from: input_file:io/trino/plugin/opa/TestOpaAccessControlFiltering.class */
public class TestOpaAccessControlFiltering {
    private static final URI OPA_SERVER_URI = URI.create("http://my-uri/");
    private final Identity requestingIdentity = Identity.ofUser("source-user");
    private final SystemSecurityContext requestingSecurityContext = TestHelpers.systemSecurityContextFromIdentity(this.requestingIdentity);

    @Test
    public void testFilterViewQueryOwnedBy() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, buildHandler("/input/action/resource/user/user", "user-one"));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient);
        Identity ofUser = Identity.ofUser("user-one");
        Assertions.assertThat(createOpaAuthorizer.filterViewQueryOwnedBy(this.requestingIdentity, ImmutableList.of(ofUser, Identity.ofUser("user-two")))).containsExactly(new Identity[]{ofUser});
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.builder().add("{\n    \"operation\": \"FilterViewQueryOwnedBy\",\n    \"resource\": {\n        \"user\": {\n            \"user\": \"user-one\",\n            \"groups\": []\n        }\n    }\n}\n").add("{\n    \"operation\": \"FilterViewQueryOwnedBy\",\n    \"resource\": {\n        \"user\": {\n            \"user\": \"user-two\",\n            \"groups\": []\n        }\n    }\n}\n").build(), createMockHttpClient.getRequests(), "/input/action");
    }

    @Test
    public void testFilterCatalogs() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, buildHandler("/input/action/resource/catalog/name", "catalog_two"));
        Assertions.assertThat(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).filterCatalogs(this.requestingSecurityContext, ImmutableSet.of("catalog_one", "catalog_two"))).containsExactly(new String[]{"catalog_two"});
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.builder().add("{\n    \"operation\": \"FilterCatalogs\",\n    \"resource\": {\n        \"catalog\": {\n            \"name\": \"catalog_one\"\n        }\n    }\n}\n").add("{\n    \"operation\": \"FilterCatalogs\",\n    \"resource\": {\n        \"catalog\": {\n            \"name\": \"catalog_two\"\n        }\n    }\n}\n").build(), createMockHttpClient.getRequests(), "/input/action");
    }

    @Test
    public void testFilterSchemas() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, buildHandler("/input/action/resource/schema/schemaName", "schema_one"));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient);
        ImmutableSet of = ImmutableSet.of("schema_one", "schema_two");
        Assertions.assertThat(createOpaAuthorizer.filterSchemas(this.requestingSecurityContext, "my_catalog", of)).containsExactly(new String[]{"schema_one"});
        String str = "{\n    \"operation\": \"FilterSchemas\",\n    \"resource\": {\n        \"schema\": {\n            \"schemaName\": \"%s\",\n            \"catalogName\": \"my_catalog\"\n        }\n    }\n}\n";
        RequestTestUtilities.assertStringRequestsEqual((Set) of.stream().map(obj -> {
            return "{\n    \"operation\": \"FilterSchemas\",\n    \"resource\": {\n        \"schema\": {\n            \"schemaName\": \"%s\",\n            \"catalogName\": \"my_catalog\"\n        }\n    }\n}\n".formatted(obj);
        }).collect(ImmutableSet.toImmutableSet()), createMockHttpClient.getRequests(), "/input/action");
    }

    @Test
    public void testFilterTables() {
        ImmutableSet build = ImmutableSet.builder().add(new SchemaTableName("schema_one", "table_one")).add(new SchemaTableName("schema_one", "table_two")).add(new SchemaTableName("schema_two", "table_one")).add(new SchemaTableName("schema_two", "table_two")).build();
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, buildHandler("/input/action/resource/table/tableName", "table_one"));
        Assertions.assertThat(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).filterTables(this.requestingSecurityContext, "my_catalog", build)).containsExactlyInAnyOrderElementsOf((Iterable) build.stream().filter(schemaTableName -> {
            return schemaTableName.getTableName().equals("table_one");
        }).collect(ImmutableSet.toImmutableSet()));
        RequestTestUtilities.assertStringRequestsEqual((Set) build.stream().map(schemaTableName2 -> {
            return "{\n    \"operation\": \"FilterTables\",\n    \"resource\": {\n        \"table\": {\n            \"tableName\": \"%s\",\n            \"schemaName\": \"%s\",\n            \"catalogName\": \"my_catalog\"\n        }\n    }\n}\n".formatted(schemaTableName2.getTableName(), schemaTableName2.getSchemaName());
        }).collect(ImmutableSet.toImmutableSet()), createMockHttpClient.getRequests(), "/input/action");
    }

    @Test
    public void testFilterColumns() {
        SchemaTableName schemaTableName = SchemaTableName.schemaTableName("my_schema", "table_one");
        SchemaTableName schemaTableName2 = SchemaTableName.schemaTableName("my_schema", "table_two");
        ImmutableMap buildOrThrow = ImmutableMap.builder().put(schemaTableName, ImmutableSet.of("table_one_column_one", "table_one_column_two")).put(schemaTableName2, ImmutableSet.of("table_two_column_one", "table_two_column_two")).put(SchemaTableName.schemaTableName("my_schema", "table_three"), ImmutableSet.of("table_three_column_one", "table_three_column_two")).buildOrThrow();
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, buildHandler("/input/action/resource/table/columns/0", (Set<String>) ImmutableSet.builder().add("table_one_column_one").add("table_one_column_two").add("table_two_column_two").build()));
        Map filterColumns = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).filterColumns(this.requestingSecurityContext, "my_catalog", buildOrThrow);
        RequestTestUtilities.assertStringRequestsEqual((Set) buildOrThrow.entrySet().stream().mapMulti((entry, consumer) -> {
            ((Set) entry.getValue()).forEach(str -> {
                consumer.accept("{\n    \"operation\": \"FilterColumns\",\n    \"resource\": {\n        \"table\": {\n            \"tableName\": \"%s\",\n            \"schemaName\": \"my_schema\",\n            \"catalogName\": \"my_catalog\",\n            \"columns\": [\"%s\"]\n        }\n    }\n}\n".formatted(((SchemaTableName) entry.getKey()).getTableName(), str));
            });
        }).collect(ImmutableSet.toImmutableSet()), createMockHttpClient.getRequests(), "/input/action");
        Assertions.assertThat(filterColumns).containsExactlyInAnyOrderEntriesOf(ImmutableMap.builder().put(schemaTableName, ImmutableSet.of("table_one_column_one", "table_one_column_two")).put(schemaTableName2, ImmutableSet.of("table_two_column_two")).buildOrThrow());
    }

    @Test
    public void testEmptyFilterColumns() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, jsonNode -> {
            return TestHelpers.OK_RESPONSE;
        });
        Map filterColumns = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).filterColumns(this.requestingSecurityContext, "my_catalog", ImmutableMap.of(SchemaTableName.schemaTableName("my_schema", "my_table"), ImmutableSet.of()));
        Assertions.assertThat(createMockHttpClient.getRequests()).isEmpty();
        Assertions.assertThat(filterColumns).isEmpty();
    }

    @Test
    public void testFilterFunctions() {
        SchemaFunctionName schemaFunctionName = new SchemaFunctionName("my_schema", "function_one");
        SchemaFunctionName schemaFunctionName2 = new SchemaFunctionName("my_schema", "function_two");
        ImmutableSet of = ImmutableSet.of(schemaFunctionName, schemaFunctionName2);
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, buildHandler("/input/action/resource/function/functionName", "function_two"));
        Assertions.assertThat(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).filterFunctions(this.requestingSecurityContext, "my_catalog", of)).containsExactly(new SchemaFunctionName[]{schemaFunctionName2});
        RequestTestUtilities.assertStringRequestsEqual((Set) of.stream().map(schemaFunctionName3 -> {
            return "{\n    \"operation\": \"FilterFunctions\",\n    \"resource\": {\n        \"function\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"%s\",\n            \"functionName\": \"%s\"\n        }\n    }\n}".formatted(schemaFunctionName3.getSchemaName(), schemaFunctionName3.getFunctionName());
        }).collect(ImmutableSet.toImmutableSet()), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.FilteringTestHelpers#emptyInputTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testEmptyRequests(BiFunction<OpaAccessControl, SystemSecurityContext, Collection> biFunction) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, jsonNode -> {
            return TestHelpers.OK_RESPONSE;
        });
        Assertions.assertThat(biFunction.apply(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingSecurityContext)).isEmpty();
        Assertions.assertThat(createMockHttpClient.getRequests()).isEmpty();
    }

    @MethodSource({"io.trino.plugin.opa.FilteringTestHelpers#prepopulatedErrorCases"})
    @ParameterizedTest(name = "{index}: {0} - {1}")
    public void testIllegalResponseThrows(BiFunction<OpaAccessControl, SystemSecurityContext, ?> biFunction, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient);
        Assertions.assertThatThrownBy(() -> {
            biFunction.apply(createOpaAuthorizer, this.requestingSecurityContext);
        }).isInstanceOf(cls).hasMessageContaining(str);
        Assertions.assertThat(createMockHttpClient.getRequests()).hasSize(1);
    }

    private Function<JsonNode, HttpClientUtils.MockResponse> buildHandler(String str, Set<String> set) {
        return RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, (Function<JsonNode, HttpClientUtils.MockResponse>) jsonNode -> {
            return set.contains(jsonNode.at(str).asText()) ? TestHelpers.OK_RESPONSE : TestHelpers.NO_ACCESS_RESPONSE;
        });
    }

    private Function<JsonNode, HttpClientUtils.MockResponse> buildHandler(String str, String str2) {
        return buildHandler(str, (Set<String>) ImmutableSet.of(str2));
    }
}
