package io.trino.plugin.opa;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Streams;
import io.trino.plugin.opa.FunctionalHelpers;
import io.trino.plugin.opa.HttpClientUtils;
import io.trino.plugin.opa.OpaQueryException;
import io.trino.plugin.opa.TestHelpers;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.security.Identity;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.SystemAccessControlFactory;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.spi.security.TrinoPrincipal;
import java.net.URI;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.stream.Stream;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Named;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;

/* loaded from: input_file:io/trino/plugin/opa/TestOpaAccessControl.class */
public class TestOpaAccessControl {
    private static final URI OPA_SERVER_URI = URI.create("http://my-uri/");
    private static final Identity TEST_IDENTITY = Identity.forUser("source-user").withGroups(ImmutableSet.of("some-group")).build();
    private static final SystemSecurityContext TEST_SECURITY_CONTEXT = TestHelpers.systemSecurityContextFromIdentity(TEST_IDENTITY);
    private final Identity requestingIdentity = Identity.ofUser("source-user");
    private final SystemSecurityContext requestingSecurityContext = TestHelpers.systemSecurityContextFromIdentity(this.requestingIdentity);

    @Test
    public void testResponseHasExtraFields() {
        TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, 200, "{\n    \"result\": true,\n    \"decision_id\": \"foo\",\n    \"some_debug_info\": {\"test\": \"\"}\n}"))).checkCanExecuteQuery(this.requestingIdentity);
    }

    @Test
    public void testNoResourceAction() {
        testNoResourceAction("ExecuteQuery", (v0, v1) -> {
            v0.checkCanExecuteQuery(v1);
        });
        testNoResourceAction("ReadSystemInformation", (v0, v1) -> {
            v0.checkCanReadSystemInformation(v1);
        });
        testNoResourceAction("WriteSystemInformation", (v0, v1) -> {
            v0.checkCanWriteSystemInformation(v1);
        });
    }

    private void testNoResourceAction(String str, BiConsumer<OpaAccessControl, Identity> biConsumer) {
        assertAccessControlMethodBehaviour(new TestHelpers.ThrowingMethodWrapper(opaAccessControl -> {
            biConsumer.accept(opaAccessControl, TEST_IDENTITY);
        }), ImmutableSet.of("{\n    \"operation\": \"%s\"\n}".formatted(str)));
    }

    private static Stream<Arguments> tableResourceTestCases() {
        return Streams.zip(Stream.of((Object[]) new String[]{"ShowCreateTable", "DropTable", "SetTableComment", "SetViewComment", "SetColumnComment", "ShowColumns", "AddColumn", "DropColumn", "AlterColumn", "RenameColumn", "InsertIntoTable", "DeleteFromTable", "TruncateTable", "CreateView", "DropView", "RefreshMaterializedView", "DropMaterializedView"}), Stream.of((Object[]) new FunctionalHelpers.Consumer3[]{(v0, v1, v2) -> {
            v0.checkCanShowCreateTable(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanDropTable(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanSetTableComment(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanSetViewComment(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanSetColumnComment(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanShowColumns(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanAddColumn(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanDropColumn(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanAlterColumn(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanRenameColumn(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanInsertIntoTable(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanDeleteFromTable(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanTruncateTable(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanCreateView(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanDropView(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanRefreshMaterializedView(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanDropMaterializedView(v1, v2);
        }}), (str, consumer3) -> {
            return Arguments.of(new Object[]{Named.of(str, str), consumer3});
        });
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#tableResourceTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testTableResourceActions(String str, FunctionalHelpers.Consumer3<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName> consumer3) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        consumer3.accept(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingSecurityContext, new CatalogSchemaTableName("my_catalog", "my_schema", "my_table"));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"table\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"tableName\": \"my_table\"\n        }\n    }\n}\n".formatted(str)), createMockHttpClient.getRequests(), "/input/action");
    }

    private static Stream<Arguments> tableResourceFailureTestCases() {
        return TestHelpers.createFailingTestCases(tableResourceTestCases());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#tableResourceFailureTestCases"})
    @ParameterizedTest(name = "{index}: {0} - {3}")
    public void testTableResourceFailure(String str, FunctionalHelpers.Consumer3<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName> consumer3, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str2) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            consumer3.accept(createOpaAuthorizer, this.requestingSecurityContext, new CatalogSchemaTableName("my_catalog", "my_schema", "my_table"));
        }).isInstanceOf(cls).hasMessageContaining(str2);
    }

    private static Stream<Arguments> tableWithPropertiesTestCases() {
        return Streams.zip(Stream.of((Object[]) new String[]{"SetTableProperties", "SetMaterializedViewProperties", "CreateTable", "CreateMaterializedView"}), Stream.of((Object[]) new FunctionalHelpers.Consumer4[]{(v0, v1, v2, v3) -> {
            v0.checkCanSetTableProperties(v1, v2, v3);
        }, (v0, v1, v2, v3) -> {
            v0.checkCanSetMaterializedViewProperties(v1, v2, v3);
        }, (v0, v1, v2, v3) -> {
            v0.checkCanCreateTable(v1, v2, v3);
        }, (v0, v1, v2, v3) -> {
            v0.checkCanCreateMaterializedView(v1, v2, v3);
        }}), (str, consumer4) -> {
            return Arguments.of(new Object[]{Named.of(str, str), consumer4});
        });
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#tableWithPropertiesTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testTableWithPropertiesActions(String str, FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, Map> consumer4) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        consumer4.accept(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingSecurityContext, new CatalogSchemaTableName("my_catalog", "my_schema", "my_table"), ImmutableMap.builder().put("string_item", Optional.of("string_value")).put("empty_item", Optional.empty()).put("boxed_number_item", Optional.of(32)).buildOrThrow());
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"table\": {\n            \"tableName\": \"my_table\",\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"properties\": {\n                \"string_item\": \"string_value\",\n                \"empty_item\": null,\n                \"boxed_number_item\": 32\n            }\n        }\n    }\n}\n".formatted(str)), createMockHttpClient.getRequests(), "/input/action");
    }

    private static Stream<Arguments> tableWithPropertiesFailureTestCases() {
        return TestHelpers.createFailingTestCases(tableWithPropertiesTestCases());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#tableWithPropertiesFailureTestCases"})
    @ParameterizedTest(name = "{index}: {0} - {3}")
    public void testTableWithPropertiesActionFailure(String str, FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, Map> consumer4, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str2) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            consumer4.accept(createOpaAuthorizer, this.requestingSecurityContext, new CatalogSchemaTableName("my_catalog", "my_schema", "my_table"), ImmutableMap.of());
        }).isInstanceOf(cls).hasMessageContaining(str2);
    }

    private static Stream<Arguments> identityResourceTestCases() {
        return Streams.zip(Stream.of((Object[]) new String[]{"ViewQueryOwnedBy", "KillQueryOwnedBy"}), Stream.of((Object[]) new FunctionalHelpers.Consumer3[]{(v0, v1, v2) -> {
            v0.checkCanViewQueryOwnedBy(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanKillQueryOwnedBy(v1, v2);
        }}), (str, consumer3) -> {
            return Arguments.of(new Object[]{Named.of(str, str), consumer3});
        });
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#identityResourceTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testIdentityResourceActions(String str, FunctionalHelpers.Consumer3<OpaAccessControl, Identity, Identity> consumer3) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        consumer3.accept(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingIdentity, Identity.forUser("dummy-user").withGroups(ImmutableSet.of("some-group")).build());
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"user\": {\n            \"user\": \"dummy-user\",\n            \"groups\": [\"some-group\"]\n        }\n    }\n}\n".formatted(str)), createMockHttpClient.getRequests(), "/input/action");
    }

    private static Stream<Arguments> identityResourceFailureTestCases() {
        return TestHelpers.createFailingTestCases(identityResourceTestCases());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#identityResourceFailureTestCases"})
    @ParameterizedTest(name = "{index}: {0} - {2}")
    public void testIdentityResourceActionsFailure(String str, FunctionalHelpers.Consumer3<OpaAccessControl, Identity, Identity> consumer3, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str2) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            consumer3.accept(createOpaAuthorizer, this.requestingIdentity, Identity.ofUser("dummy-user"));
        }).isInstanceOf(cls).hasMessageContaining(str2);
    }

    private static Stream<Arguments> stringResourceTestCases() {
        return Streams.zip(Stream.of((Object[]) new FunctionalHelpers.Pair[]{FunctionalHelpers.Pair.of("SetSystemSessionProperty", "systemSessionProperty"), FunctionalHelpers.Pair.of("CreateCatalog", "catalog"), FunctionalHelpers.Pair.of("DropCatalog", "catalog"), FunctionalHelpers.Pair.of("ShowSchemas", "catalog")}), Stream.of((Object[]) new FunctionalHelpers.Consumer3[]{(opaAccessControl, systemSecurityContext, str) -> {
            opaAccessControl.checkCanSetSystemSessionProperty(systemSecurityContext.getIdentity(), str);
        }, (v0, v1, v2) -> {
            v0.checkCanCreateCatalog(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanDropCatalog(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanShowSchemas(v1, v2);
        }}), (pair, consumer3) -> {
            return Arguments.of(new Object[]{Named.of((String) pair.first(), (String) pair.first()), pair.second(), consumer3});
        });
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#stringResourceTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testStringResourceAction(String str, String str2, FunctionalHelpers.Consumer3<OpaAccessControl, SystemSecurityContext, String> consumer3) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        consumer3.accept(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingSecurityContext, "resource_name");
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"%s\": {\n            \"name\": \"resource_name\"\n        }\n    }\n}\n".formatted(str, str2)), createMockHttpClient.getRequests(), "/input/action");
    }

    public static Stream<Arguments> stringResourceFailureTestCases() {
        return TestHelpers.createFailingTestCases(stringResourceTestCases());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#stringResourceFailureTestCases"})
    @ParameterizedTest(name = "{index}: {0} - {3}")
    public void testStringResourceActionsFailure(String str, String str2, FunctionalHelpers.Consumer3<OpaAccessControl, SystemSecurityContext, String> consumer3, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str3) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            consumer3.accept(createOpaAuthorizer, this.requestingSecurityContext, "dummy_value");
        }).isInstanceOf(cls).hasMessageContaining(str3);
    }

    @Test
    public void testCanImpersonateUser() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).checkCanImpersonateUser(this.requestingIdentity, "some_other_user");
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"ImpersonateUser\",\n    \"resource\": {\n        \"user\": {\n            \"user\": \"some_other_user\"\n        }\n    }\n}\n"), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestHelpers#allErrorCasesArgumentProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testCanImpersonateUserFailure(HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.checkCanImpersonateUser(this.requestingIdentity, "some_other_user");
        }).isInstanceOf(cls).hasMessageContaining(str);
    }

    @Test
    public void testCanAccessCatalog() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        Assertions.assertThat(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).canAccessCatalog(this.requestingSecurityContext, "test_catalog")).isTrue();
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient2 = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.NO_ACCESS_RESPONSE));
        Assertions.assertThat(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient2).canAccessCatalog(this.requestingSecurityContext, "test_catalog")).isFalse();
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"AccessCatalog\",\n    \"resource\": {\n        \"catalog\": {\n            \"name\": \"test_catalog\"\n        }\n    }\n}"), createMockHttpClient.getRequests(), "/input/action");
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"AccessCatalog\",\n    \"resource\": {\n        \"catalog\": {\n            \"name\": \"test_catalog\"\n        }\n    }\n}"), createMockHttpClient2.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestHelpers#illegalResponseArgumentProvider"})
    @ParameterizedTest(name = "{index}: {0} - {3}")
    public void testCanAccessCatalogIllegalResponses(HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.canAccessCatalog(this.requestingSecurityContext, "my_catalog");
        }).isInstanceOf(cls).hasMessageContaining(str);
    }

    private static Stream<Arguments> schemaResourceTestCases() {
        return Streams.zip(Stream.of((Object[]) new String[]{"DropSchema", "ShowCreateSchema", "ShowTables", "ShowFunctions"}), Stream.of((Object[]) new FunctionalHelpers.Consumer3[]{(v0, v1, v2) -> {
            v0.checkCanDropSchema(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanShowCreateSchema(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanShowTables(v1, v2);
        }, (v0, v1, v2) -> {
            v0.checkCanShowFunctions(v1, v2);
        }}), (str, consumer3) -> {
            return Arguments.of(new Object[]{Named.of(str, str), consumer3});
        });
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#schemaResourceTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testSchemaResourceActions(String str, FunctionalHelpers.Consumer3<OpaAccessControl, SystemSecurityContext, CatalogSchemaName> consumer3) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        consumer3.accept(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingSecurityContext, new CatalogSchemaName("my_catalog", "my_schema"));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"schema\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\"\n        }\n    }\n}\n".formatted(str)), createMockHttpClient.getRequests(), "/input/action");
    }

    public static Stream<Arguments> schemaResourceFailureTestCases() {
        return TestHelpers.createFailingTestCases(schemaResourceTestCases());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#schemaResourceFailureTestCases"})
    @ParameterizedTest(name = "{index}: {0} - {2}")
    public void testSchemaResourceActionsFailure(String str, FunctionalHelpers.Consumer3<OpaAccessControl, SystemSecurityContext, CatalogSchemaName> consumer3, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str2) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            consumer3.accept(createOpaAuthorizer, this.requestingSecurityContext, new CatalogSchemaName("dummy_catalog", "dummy_schema"));
        }).isInstanceOf(cls).hasMessageContaining(str2);
    }

    @Test
    public void testCreateSchema() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient);
        CatalogSchemaName catalogSchemaName = new CatalogSchemaName("my_catalog", "my_schema");
        createOpaAuthorizer.checkCanCreateSchema(this.requestingSecurityContext, catalogSchemaName, ImmutableMap.of("some_key", "some_value"));
        createOpaAuthorizer.checkCanCreateSchema(this.requestingSecurityContext, catalogSchemaName, ImmutableMap.of());
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.builder().add("{\n    \"operation\": \"CreateSchema\",\n    \"resource\": {\n        \"schema\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"properties\": {\n                \"some_key\": \"some_value\"\n            }\n        }\n    }\n}\n").add("{\n    \"operation\": \"CreateSchema\",\n    \"resource\": {\n        \"schema\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"properties\": {}\n        }\n    }\n}\n").build(), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestHelpers#allErrorCasesArgumentProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testCreateSchemaFailure(HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.checkCanCreateSchema(this.requestingSecurityContext, new CatalogSchemaName("my_catalog", "my_schema"), ImmutableMap.of());
        }).isInstanceOf(cls).hasMessageContaining(str);
    }

    @Test
    public void testCanRenameSchema() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).checkCanRenameSchema(this.requestingSecurityContext, new CatalogSchemaName("my_catalog", "my_schema"), "new_schema_name");
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"RenameSchema\",\n    \"resource\": {\n        \"schema\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\"\n        }\n    },\n    \"targetResource\": {\n        \"schema\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"new_schema_name\"\n        }\n    }\n}\n"), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestHelpers#allErrorCasesArgumentProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testCanRenameSchemaFailure(HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.checkCanRenameSchema(this.requestingSecurityContext, new CatalogSchemaName("my_catalog", "my_schema"), "new_schema_name");
        }).isInstanceOf(cls).hasMessageContaining(str);
    }

    private static Stream<Arguments> renameTableTestCases() {
        return Streams.zip(Stream.of((Object[]) new String[]{"RenameTable", "RenameView", "RenameMaterializedView"}), Stream.of((Object[]) new FunctionalHelpers.Consumer4[]{(v0, v1, v2, v3) -> {
            v0.checkCanRenameTable(v1, v2, v3);
        }, (v0, v1, v2, v3) -> {
            v0.checkCanRenameView(v1, v2, v3);
        }, (v0, v1, v2, v3) -> {
            v0.checkCanRenameMaterializedView(v1, v2, v3);
        }}), (str, consumer4) -> {
            return Arguments.of(new Object[]{Named.of(str, str), consumer4});
        });
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#renameTableTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testRenameTableActions(String str, FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, CatalogSchemaTableName> consumer4) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        consumer4.accept(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingSecurityContext, new CatalogSchemaTableName("my_catalog", "my_schema", "my_table"), new CatalogSchemaTableName("my_catalog", "new_schema_name", "new_table_name"));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"table\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"tableName\": \"my_table\"\n        }\n    },\n    \"targetResource\": {\n        \"table\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"new_schema_name\",\n            \"tableName\": \"new_table_name\"\n        }\n    }\n}\n".formatted(str)), createMockHttpClient.getRequests(), "/input/action");
    }

    public static Stream<Arguments> renameTableFailureTestCases() {
        return TestHelpers.createFailingTestCases(renameTableTestCases());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#renameTableFailureTestCases"})
    @ParameterizedTest(name = "{index}: {0} - {3}")
    public void testRenameTableFailure(String str, FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, CatalogSchemaTableName> consumer4, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str2) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        CatalogSchemaTableName catalogSchemaTableName = new CatalogSchemaTableName("my_catalog", "my_schema", "my_table");
        CatalogSchemaTableName catalogSchemaTableName2 = new CatalogSchemaTableName("my_catalog", "new_schema_name", "new_table_name");
        Assertions.assertThatThrownBy(() -> {
            consumer4.accept(createOpaAuthorizer, this.requestingSecurityContext, catalogSchemaTableName, catalogSchemaTableName2);
        }).isInstanceOf(cls).hasMessageContaining(str2);
    }

    @Test
    public void testCanSetSchemaAuthorization() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).checkCanSetSchemaAuthorization(this.requestingSecurityContext, new CatalogSchemaName("my_catalog", "my_schema"), new TrinoPrincipal(PrincipalType.USER, "my_user"));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"SetSchemaAuthorization\",\n    \"resource\": {\n        \"schema\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\"\n        }\n    },\n    \"grantee\": {\n        \"name\": \"my_user\",\n        \"type\": \"USER\"\n    }\n}\n"), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestHelpers#allErrorCasesArgumentProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testCanSetSchemaAuthorizationFailure(HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        CatalogSchemaName catalogSchemaName = new CatalogSchemaName("my_catalog", "my_schema");
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.checkCanSetSchemaAuthorization(this.requestingSecurityContext, catalogSchemaName, new TrinoPrincipal(PrincipalType.USER, "my_user"));
        }).isInstanceOf(cls).hasMessageContaining(str);
    }

    private static Stream<Arguments> setTableAuthorizationTestCases() {
        return Streams.zip(Stream.of((Object[]) new String[]{"SetTableAuthorization", "SetViewAuthorization"}), Stream.of((Object[]) new FunctionalHelpers.Consumer4[]{(v0, v1, v2, v3) -> {
            v0.checkCanSetTableAuthorization(v1, v2, v3);
        }, (v0, v1, v2, v3) -> {
            v0.checkCanSetViewAuthorization(v1, v2, v3);
        }}), (str, consumer4) -> {
            return Arguments.of(new Object[]{Named.of(str, str), consumer4});
        });
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#setTableAuthorizationTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testCanSetTableAuthorization(String str, FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, TrinoPrincipal> consumer4) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        consumer4.accept(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingSecurityContext, new CatalogSchemaTableName("my_catalog", "my_schema", "my_table"), new TrinoPrincipal(PrincipalType.USER, "my_user"));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"table\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"tableName\": \"my_table\"\n        }\n    },\n    \"grantee\": {\n        \"name\": \"my_user\",\n        \"type\": \"USER\"\n    }\n}\n".formatted(str)), createMockHttpClient.getRequests(), "/input/action");
    }

    private static Stream<Arguments> setTableAuthorizationFailureTestCases() {
        return TestHelpers.createFailingTestCases(setTableAuthorizationTestCases());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#setTableAuthorizationFailureTestCases"})
    @ParameterizedTest(name = "{index}: {0} - {3}")
    public void testCanSetTableAuthorizationFailure(String str, FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, TrinoPrincipal> consumer4, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str2) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        CatalogSchemaTableName catalogSchemaTableName = new CatalogSchemaTableName("my_catalog", "my_schema", "my_table");
        Assertions.assertThatThrownBy(() -> {
            consumer4.accept(createOpaAuthorizer, this.requestingSecurityContext, catalogSchemaTableName, new TrinoPrincipal(PrincipalType.USER, "my_user"));
        }).isInstanceOf(cls).hasMessageContaining(str2);
    }

    private static Stream<Arguments> tableColumnOperationTestCases() {
        return Streams.zip(Stream.of((Object[]) new String[]{"SelectFromColumns", "UpdateTableColumns", "CreateViewWithSelectFromColumns"}), Stream.of((Object[]) new FunctionalHelpers.Consumer4[]{(v0, v1, v2, v3) -> {
            v0.checkCanSelectFromColumns(v1, v2, v3);
        }, (v0, v1, v2, v3) -> {
            v0.checkCanUpdateTableColumns(v1, v2, v3);
        }, (v0, v1, v2, v3) -> {
            v0.checkCanCreateViewWithSelectFromColumns(v1, v2, v3);
        }}), (str, consumer4) -> {
            return Arguments.of(new Object[]{Named.of(str, str), consumer4});
        });
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#tableColumnOperationTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testTableColumnOperations(String str, FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, Set<String>> consumer4) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        consumer4.accept(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient), this.requestingSecurityContext, new CatalogSchemaTableName("my_catalog", "my_schema", "my_table"), ImmutableSet.of("my_column"));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"table\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"tableName\": \"my_table\",\n            \"columns\": [\"my_column\"]\n        }\n    }\n}\n".formatted(str)), createMockHttpClient.getRequests(), "/input/action");
    }

    private static Stream<Arguments> tableColumnOperationFailureTestCases() {
        return TestHelpers.createFailingTestCases(tableColumnOperationTestCases());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaAccessControl#tableColumnOperationFailureTestCases"})
    @ParameterizedTest(name = "{index}: {0} - {2}")
    public void testTableColumnOperationsFailure(String str, FunctionalHelpers.Consumer4<OpaAccessControl, SystemSecurityContext, CatalogSchemaTableName, Set<String>> consumer4, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str2) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        CatalogSchemaTableName catalogSchemaTableName = new CatalogSchemaTableName("my_catalog", "my_schema", "my_table");
        ImmutableSet of = ImmutableSet.of("my_column");
        Assertions.assertThatThrownBy(() -> {
            consumer4.accept(createOpaAuthorizer, this.requestingSecurityContext, catalogSchemaTableName, of);
        }).isInstanceOf(cls).hasMessageContaining(str2);
    }

    @Test
    public void testCanSetCatalogSessionProperty() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, TestHelpers.OK_RESPONSE));
        TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient).checkCanSetCatalogSessionProperty(this.requestingSecurityContext, "my_catalog", "my_property");
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"SetCatalogSessionProperty\",\n    \"resource\": {\n        \"catalogSessionProperty\": {\n            \"catalogName\": \"my_catalog\",\n            \"propertyName\": \"my_property\"\n        }\n    }\n}\n"), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestHelpers#allErrorCasesArgumentProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testCanSetCatalogSessionPropertyFailure(HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.checkCanSetCatalogSessionProperty(this.requestingSecurityContext, "my_catalog", "my_property");
        }).isInstanceOf(cls).hasMessageContaining(str);
    }

    @Test
    public void testFunctionResourceActions() {
        CatalogSchemaRoutineName catalogSchemaRoutineName = new CatalogSchemaRoutineName("my_catalog", "my_schema", "my_routine_name");
        assertAccessControlMethodBehaviour(new TestHelpers.ThrowingMethodWrapper(opaAccessControl -> {
            opaAccessControl.checkCanExecuteProcedure(TEST_SECURITY_CONTEXT, catalogSchemaRoutineName);
        }), ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"function\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"functionName\": \"my_routine_name\"\n        }\n    }\n}".formatted("ExecuteProcedure")));
        assertAccessControlMethodBehaviour(new TestHelpers.ThrowingMethodWrapper(opaAccessControl2 -> {
            opaAccessControl2.checkCanCreateFunction(TEST_SECURITY_CONTEXT, catalogSchemaRoutineName);
        }), ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"function\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"functionName\": \"my_routine_name\"\n        }\n    }\n}".formatted("CreateFunction")));
        assertAccessControlMethodBehaviour(new TestHelpers.ThrowingMethodWrapper(opaAccessControl3 -> {
            opaAccessControl3.checkCanDropFunction(TEST_SECURITY_CONTEXT, catalogSchemaRoutineName);
        }), ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"function\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"functionName\": \"my_routine_name\"\n        }\n    }\n}".formatted("DropFunction")));
        assertAccessControlMethodBehaviour(new TestHelpers.ReturningMethodWrapper(opaAccessControl4 -> {
            return Boolean.valueOf(opaAccessControl4.canExecuteFunction(TEST_SECURITY_CONTEXT, catalogSchemaRoutineName));
        }), ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"function\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"functionName\": \"my_routine_name\"\n        }\n    }\n}".formatted("ExecuteFunction")));
        assertAccessControlMethodBehaviour(new TestHelpers.ReturningMethodWrapper(opaAccessControl5 -> {
            return Boolean.valueOf(opaAccessControl5.canCreateViewWithExecuteFunction(TEST_SECURITY_CONTEXT, catalogSchemaRoutineName));
        }), ImmutableSet.of("{\n    \"operation\": \"%s\",\n    \"resource\": {\n        \"function\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"functionName\": \"my_routine_name\"\n        }\n    }\n}".formatted("CreateViewWithExecuteFunction")));
    }

    @Test
    public void testCanExecuteTableProcedure() {
        CatalogSchemaTableName catalogSchemaTableName = new CatalogSchemaTableName("my_catalog", "my_schema", "my_table");
        assertAccessControlMethodBehaviour(new TestHelpers.ThrowingMethodWrapper(opaAccessControl -> {
            opaAccessControl.checkCanExecuteTableProcedure(TEST_SECURITY_CONTEXT, catalogSchemaTableName, "my_procedure");
        }), ImmutableSet.of("{\n    \"operation\": \"ExecuteTableProcedure\",\n    \"resource\": {\n        \"table\": {\n            \"catalogName\": \"my_catalog\",\n            \"schemaName\": \"my_schema\",\n            \"tableName\": \"my_table\"\n        },\n        \"function\": {\n            \"functionName\": \"my_procedure\"\n        }\n    }\n}"));
    }

    @Test
    public void testRequestContextContentsWithKnownTrinoVersion() {
        testRequestContextContentsForGivenTrinoVersion(Optional.of(new TestHelpers.TestingSystemAccessControlContext("12345.67890")), "12345.67890");
    }

    @Test
    public void testRequestContextContentsWithUnknownTrinoVersion() {
        testRequestContextContentsForGivenTrinoVersion(Optional.empty(), "UNKNOWN");
    }

    private void testRequestContextContentsForGivenTrinoVersion(Optional<SystemAccessControlFactory.SystemAccessControlContext> optional, String str) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, jsonNode -> {
            return TestHelpers.OK_RESPONSE;
        });
        OpaAccessControlFactory.create(ImmutableMap.of("opa.policy.uri", OPA_SERVER_URI.toString()), Optional.of(createMockHttpClient), optional).checkCanExecuteQuery(Identity.forUser("test_user").withGroups(ImmutableSet.of("some_group")).build());
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"action\": {\n        \"operation\": \"ExecuteQuery\"\n    },\n    \"context\": {\n        \"identity\": {\n            \"user\": \"test_user\",\n            \"groups\": [\"some_group\"]\n        },\n        \"softwareStack\": {\n            \"trinoVersion\": \"%s\"\n        }\n    }\n}".formatted(str)), createMockHttpClient.getRequests(), "/input");
    }

    private static void assertAccessControlMethodBehaviour(TestHelpers.MethodWrapper methodWrapper, Set<String> set) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(TEST_IDENTITY, TestHelpers.OK_RESPONSE));
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient2 = TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(TEST_IDENTITY, TestHelpers.NO_ACCESS_RESPONSE));
        Assertions.assertThat(methodWrapper.isAccessAllowed(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient))).isTrue();
        Assertions.assertThat(methodWrapper.isAccessAllowed(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, createMockHttpClient2))).isFalse();
        Assertions.assertThat(createMockHttpClient.getRequests()).containsExactlyInAnyOrderElementsOf(createMockHttpClient2.getRequests());
        RequestTestUtilities.assertStringRequestsEqual(set, createMockHttpClient.getRequests(), "/input/action");
        assertAccessControlMethodThrowsForIllegalResponses(methodWrapper);
    }

    private static void assertAccessControlMethodThrowsForIllegalResponses(TestHelpers.MethodWrapper methodWrapper) {
        assertAccessControlMethodThrowsForResponse(methodWrapper, TestHelpers.UNDEFINED_RESPONSE, OpaQueryException.PolicyNotFound.class, "did not return a value");
        assertAccessControlMethodThrowsForResponse(methodWrapper, TestHelpers.BAD_REQUEST_RESPONSE, OpaQueryException.OpaServerError.class, "returned status 400");
        assertAccessControlMethodThrowsForResponse(methodWrapper, TestHelpers.SERVER_ERROR_RESPONSE, OpaQueryException.OpaServerError.class, "returned status 500");
        assertAccessControlMethodThrowsForResponse(methodWrapper, TestHelpers.MALFORMED_RESPONSE, OpaQueryException.class, "Failed to deserialize");
    }

    private static void assertAccessControlMethodThrowsForResponse(TestHelpers.MethodWrapper methodWrapper, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, TestHelpers.createMockHttpClient(OPA_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(TEST_IDENTITY, mockResponse)));
        Assertions.assertThatThrownBy(() -> {
            methodWrapper.isAccessAllowed(createOpaAuthorizer);
        }).isInstanceOf(cls).hasMessageContaining(str);
    }
}
