package io.trino.plugin.opa;

import com.fasterxml.jackson.databind.JsonNode;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.trino.plugin.opa.HttpClientUtils;
import io.trino.plugin.opa.OpaQueryException;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.SchemaFunctionName;
import io.trino.spi.security.Identity;
import io.trino.spi.security.SystemSecurityContext;
import java.net.URI;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.stream.Stream;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Named;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;

/* loaded from: input_file:io/trino/plugin/opa/TestOpaBatchAccessControlFiltering.class */
public class TestOpaBatchAccessControlFiltering {
    private static final URI OPA_SERVER_URI = URI.create("http://my-uri/");
    private static final URI OPA_BATCH_SERVER_URI = URI.create("http://my-uri/batchAllow");
    private final Identity requestingIdentity = Identity.ofUser("source-user");
    private final SystemSecurityContext requestingSecurityContext = TestHelpers.systemSecurityContextFromIdentity(this.requestingIdentity);

    @MethodSource({"io.trino.plugin.opa.TestOpaBatchAccessControlFiltering#subsetProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testFilterViewQueryOwnedBy(HttpClientUtils.MockResponse mockResponse, List<Integer> list) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient);
        ImmutableList of = ImmutableList.of(Identity.ofUser("user-one"), Identity.ofUser("user-two"), Identity.ofUser("user-three"));
        Assertions.assertThat(createOpaAuthorizer.filterViewQueryOwnedBy(this.requestingIdentity, of)).containsExactlyInAnyOrderElementsOf(getSubset(of, list));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"FilterViewQueryOwnedBy\",\n    \"filterResources\": [\n        {\n            \"user\": {\n                \"user\": \"user-one\",\n                \"groups\": []\n            }\n        },\n        {\n            \"user\": {\n                \"user\": \"user-two\",\n                \"groups\": []\n            }\n        },\n        {\n            \"user\": {\n                \"user\": \"user-three\",\n                \"groups\": []\n            }\n        }\n    ]\n}"), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaBatchAccessControlFiltering#subsetProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testFilterCatalogs(HttpClientUtils.MockResponse mockResponse, List<Integer> list) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient);
        ImmutableList of = ImmutableList.of("catalog_one", "catalog_two", "catalog_three");
        Assertions.assertThat(createOpaAuthorizer.filterCatalogs(this.requestingSecurityContext, new LinkedHashSet((Collection) of))).containsExactlyInAnyOrderElementsOf(getSubset(of, list));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"FilterCatalogs\",\n    \"filterResources\": [\n        {\n            \"catalog\": {\n                \"name\": \"catalog_one\"\n            }\n        },\n        {\n            \"catalog\": {\n                \"name\": \"catalog_two\"\n            }\n        },\n        {\n            \"catalog\": {\n                \"name\": \"catalog_three\"\n            }\n        }\n    ]\n}"), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaBatchAccessControlFiltering#subsetProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testFilterSchemas(HttpClientUtils.MockResponse mockResponse, List<Integer> list) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient);
        ImmutableList of = ImmutableList.of("schema_one", "schema_two", "schema_three");
        Assertions.assertThat(createOpaAuthorizer.filterSchemas(this.requestingSecurityContext, "my_catalog", new LinkedHashSet((Collection) of))).containsExactlyInAnyOrderElementsOf(getSubset(of, list));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"FilterSchemas\",\n    \"filterResources\": [\n        {\n            \"schema\": {\n                \"schemaName\": \"schema_one\",\n                \"catalogName\": \"my_catalog\"\n            }\n        },\n        {\n            \"schema\": {\n                \"schemaName\": \"schema_two\",\n                \"catalogName\": \"my_catalog\"\n            }\n        },\n        {\n            \"schema\": {\n                \"schemaName\": \"schema_three\",\n                \"catalogName\": \"my_catalog\"\n            }\n        }\n    ]\n}"), createMockHttpClient.getRequests(), "/input/action");
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaBatchAccessControlFiltering#subsetProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testFilterTables(HttpClientUtils.MockResponse mockResponse, List<Integer> list) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient);
        ImmutableList build = ImmutableList.builder().add(new SchemaTableName("schema_one", "table_one")).add(new SchemaTableName("schema_one", "table_two")).add(new SchemaTableName("schema_two", "table_one")).build();
        Assertions.assertThat(createOpaAuthorizer.filterTables(this.requestingSecurityContext, "my_catalog", new LinkedHashSet((Collection) build))).containsExactlyInAnyOrderElementsOf(getSubset(build, list));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"FilterTables\",\n    \"filterResources\": [\n        {\n            \"table\": {\n                \"tableName\": \"table_one\",\n                \"schemaName\": \"schema_one\",\n                \"catalogName\": \"my_catalog\"\n            }\n        },\n        {\n            \"table\": {\n                \"tableName\": \"table_two\",\n                \"schemaName\": \"schema_one\",\n                \"catalogName\": \"my_catalog\"\n            }\n        },\n        {\n            \"table\": {\n                \"tableName\": \"table_one\",\n                \"schemaName\": \"schema_two\",\n                \"catalogName\": \"my_catalog\"\n            }\n        }\n    ]\n}"), createMockHttpClient.getRequests(), "/input/action");
    }

    private static Function<String, HttpClientUtils.MockResponse> buildHandler(Function<String, String> function) {
        return str -> {
            return new HttpClientUtils.MockResponse((String) function.apply(str), 200);
        };
    }

    @Test
    public void testFilterColumns() {
        SchemaTableName schemaTableName = SchemaTableName.schemaTableName("my_schema", "table_one");
        SchemaTableName schemaTableName2 = SchemaTableName.schemaTableName("my_schema", "table_two");
        ImmutableMap buildOrThrow = ImmutableMap.builder().put(schemaTableName, ImmutableSet.of("table_one_column_one", "table_one_column_two")).put(schemaTableName2, ImmutableSet.of("table_two_column_one", "table_two_column_two")).put(SchemaTableName.schemaTableName("my_schema", "table_three"), ImmutableSet.of("table_three_column_one", "table_three_column_two")).buildOrThrow();
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, (Function<JsonNode, HttpClientUtils.MockResponse>) jsonNode -> {
            String str;
            String asText = jsonNode.at("/input/action/filterResources/0/table/tableName").asText();
            boolean z = -1;
            switch (asText.hashCode()) {
                case -1988197771:
                    if (asText.equals("table_one")) {
                        z = false;
                        break;
                    }
                    break;
                case -1988192677:
                    if (asText.equals("table_two")) {
                        z = true;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    str = "{\"result\": [0, 1]}";
                    break;
                case true:
                    str = "{\"result\": [1]}";
                    break;
                default:
                    str = "{\"result\": []}";
                    break;
            }
            return new HttpClientUtils.MockResponse(str, 200);
        }));
        Map filterColumns = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient).filterColumns(this.requestingSecurityContext, "my_catalog", buildOrThrow);
        RequestTestUtilities.assertStringRequestsEqual((Set) Stream.of((Object[]) new String[]{"table_one", "table_two", "table_three"}).map(str -> {
            return "{\n    \"operation\": \"FilterColumns\",\n    \"filterResources\": [\n        {\n            \"table\": {\n                \"tableName\": \"%s\",\n                \"schemaName\": \"my_schema\",\n                \"catalogName\": \"my_catalog\",\n                \"columns\": [\"%s_column_one\", \"%s_column_two\"]\n            }\n        }\n    ]\n}\n".formatted(str, str, str);
        }).collect(ImmutableSet.toImmutableSet()), createMockHttpClient.getRequests(), "/input/action");
        Assertions.assertThat(filterColumns).containsExactlyInAnyOrderEntriesOf(ImmutableMap.builder().put(schemaTableName, ImmutableSet.of("table_one_column_one", "table_one_column_two")).put(schemaTableName2, ImmutableSet.of("table_two_column_two")).buildOrThrow());
    }

    @MethodSource({"io.trino.plugin.opa.TestOpaBatchAccessControlFiltering#subsetProvider"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testFilterFunctions(HttpClientUtils.MockResponse mockResponse, List<Integer> list) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient);
        ImmutableList build = ImmutableList.builder().add(new SchemaFunctionName("my_schema", "function_one")).add(new SchemaFunctionName("my_schema", "function_two")).add(new SchemaFunctionName("my_schema", "function_three")).build();
        Assertions.assertThat(createOpaAuthorizer.filterFunctions(this.requestingSecurityContext, "my_catalog", new LinkedHashSet((Collection) build))).containsExactlyInAnyOrderElementsOf(getSubset(build, list));
        RequestTestUtilities.assertStringRequestsEqual(ImmutableSet.of("{\n    \"operation\": \"FilterFunctions\",\n    \"filterResources\": [\n        {\n            \"function\": {\n                \"catalogName\": \"my_catalog\",\n                \"schemaName\": \"my_schema\",\n                \"functionName\": \"function_one\"\n            }\n        },\n        {\n            \"function\": {\n                \"catalogName\": \"my_catalog\",\n                \"schemaName\": \"my_schema\",\n                \"functionName\": \"function_two\"\n            }\n        },\n        {\n            \"function\": {\n                \"catalogName\": \"my_catalog\",\n                \"schemaName\": \"my_schema\",\n                \"functionName\": \"function_three\"\n            }\n        }\n    ]\n}"), createMockHttpClient.getRequests(), "/input/action");
    }

    @Test
    public void testEmptyFilterColumns() {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, jsonNode -> {
            return TestHelpers.OK_RESPONSE;
        });
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient);
        SchemaTableName schemaTableName = SchemaTableName.schemaTableName("my_schema", "table_one");
        Map filterColumns = createOpaAuthorizer.filterColumns(this.requestingSecurityContext, "my_catalog", ImmutableMap.builder().put(schemaTableName, ImmutableSet.of()).put(SchemaTableName.schemaTableName("my_schema", "table_two"), ImmutableSet.of()).buildOrThrow());
        Assertions.assertThat(createMockHttpClient.getRequests()).isEmpty();
        Assertions.assertThat(filterColumns).isEmpty();
    }

    @MethodSource({"io.trino.plugin.opa.FilteringTestHelpers#emptyInputTestCases"})
    @ParameterizedTest(name = "{index}: {0}")
    public void testEmptyRequests(BiFunction<OpaAccessControl, SystemSecurityContext, Collection> biFunction) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, jsonNode -> {
            return TestHelpers.OK_RESPONSE;
        });
        Assertions.assertThat(biFunction.apply(TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient), this.requestingSecurityContext)).isEmpty();
        Assertions.assertThat(createMockHttpClient.getRequests()).isEmpty();
    }

    @MethodSource({"io.trino.plugin.opa.FilteringTestHelpers#prepopulatedErrorCases"})
    @ParameterizedTest(name = "{index}: {0} - {1}")
    public void testIllegalResponseThrows(BiFunction<OpaAccessControl, SystemSecurityContext, ?> biFunction, HttpClientUtils.MockResponse mockResponse, Class<? extends Throwable> cls, String str) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, mockResponse));
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, createMockHttpClient);
        Assertions.assertThatThrownBy(() -> {
            biFunction.apply(createOpaAuthorizer, this.requestingSecurityContext);
        }).isInstanceOf(cls).hasMessageContaining(str);
        Assertions.assertThat(createMockHttpClient.getRequests()).isNotEmpty();
    }

    @Test
    public void testResponseOutOfBoundsThrows() {
        OpaAccessControl createOpaAuthorizer = TestHelpers.createOpaAuthorizer(OPA_SERVER_URI, OPA_BATCH_SERVER_URI, TestHelpers.createMockHttpClient(OPA_BATCH_SERVER_URI, RequestTestUtilities.buildValidatingRequestHandler(this.requestingIdentity, 200, "{\"result\": [0, 1, 2]}")));
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.filterCatalogs(this.requestingSecurityContext, ImmutableSet.of("catalog_one", "catalog_two"));
        }).isInstanceOf(OpaQueryException.QueryFailed.class);
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.filterSchemas(this.requestingSecurityContext, "some_catalog", ImmutableSet.of("schema_one", "schema_two"));
        }).isInstanceOf(OpaQueryException.QueryFailed.class);
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.filterTables(this.requestingSecurityContext, "some_catalog", ImmutableSet.of(new SchemaTableName("some_schema", "table_one"), new SchemaTableName("some_schema", "table_two")));
        }).isInstanceOf(OpaQueryException.QueryFailed.class);
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.filterColumns(this.requestingSecurityContext, "some_catalog", ImmutableMap.builder().put(new SchemaTableName("some_schema", "some_table"), ImmutableSet.of("column_one", "column_two")).buildOrThrow());
        }).isInstanceOf(OpaQueryException.QueryFailed.class);
        Assertions.assertThatThrownBy(() -> {
            createOpaAuthorizer.filterViewQueryOwnedBy(this.requestingIdentity, ImmutableSet.of(Identity.ofUser("identity_one"), Identity.ofUser("identity_two")));
        }).isInstanceOf(OpaQueryException.QueryFailed.class);
    }

    private static Stream<Arguments> subsetProvider() {
        return Stream.of((Object[]) new Arguments[]{Arguments.of(new Object[]{Named.of("All-3-resources", new HttpClientUtils.MockResponse("{\"result\": [0, 1, 2]}", 200)), ImmutableList.of(0, 1, 2)}), Arguments.of(new Object[]{Named.of("First-and-last-resources", new HttpClientUtils.MockResponse("{\"result\": [0, 2]}", 200)), ImmutableList.of(0, 2)}), Arguments.of(new Object[]{Named.of("Only-one-resource", new HttpClientUtils.MockResponse("{\"result\": [2]}", 200)), ImmutableList.of(2)}), Arguments.of(new Object[]{Named.of("No-resources", new HttpClientUtils.MockResponse("{\"result\": []}", 200)), ImmutableList.of()})});
    }

    private <T> List<T> getSubset(List<T> list, List<Integer> list2) {
        ArrayList arrayList = new ArrayList();
        Iterator<Integer> it = list2.iterator();
        while (it.hasNext()) {
            int intValue = it.next().intValue();
            if (intValue < 0 || intValue >= list.size()) {
                throw new IllegalArgumentException("Invalid subset of items provided");
            }
            arrayList.add(list.get(intValue));
        }
        return arrayList;
    }
}
