package io.trino.plugin.opa;

import com.fasterxml.jackson.databind.JsonNode;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.trino.plugin.opa.FunctionalHelpers;
import io.trino.plugin.opa.HttpClientUtils;
import io.trino.plugin.opa.OpaQueryException;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.SchemaFunctionName;
import io.trino.spi.security.Identity;
import io.trino.spi.security.SystemSecurityContext;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Stream;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/trino/plugin/opa/TestOpaBatchAccessControlFiltering.class */
public class TestOpaBatchAccessControlFiltering {
    @Test
    public void testFilterViewQueryOwnedBy() {
        assertAccessControlMethodBehaviour((opaAccessControl, systemSecurityContext, set) -> {
            return opaAccessControl.filterViewQueryOwnedBy(systemSecurityContext.getIdentity(), set);
        }, Identity.ofUser("user-one"), Identity.ofUser("user-two"), Identity.ofUser("user-three"), ImmutableSet.of("{\n    \"operation\": \"FilterViewQueryOwnedBy\",\n    \"filterResources\": [\n        {\n            \"user\": {\n                \"user\": \"user-one\",\n                \"groups\": []\n            }\n        },\n        {\n            \"user\": {\n                \"user\": \"user-two\",\n                \"groups\": []\n            }\n        },\n        {\n            \"user\": {\n                \"user\": \"user-three\",\n                \"groups\": []\n            }\n        }\n    ]\n}"));
    }

    @Test
    public void testFilterCatalogs() {
        assertAccessControlMethodBehaviour((v0, v1, v2) -> {
            return v0.filterCatalogs(v1, v2);
        }, "catalog_one", "catalog_two", "catalog_three", ImmutableSet.of("{\n    \"operation\": \"FilterCatalogs\",\n    \"filterResources\": [\n        {\n            \"catalog\": {\n                \"name\": \"catalog_one\"\n            }\n        },\n        {\n            \"catalog\": {\n                \"name\": \"catalog_two\"\n            }\n        },\n        {\n            \"catalog\": {\n                \"name\": \"catalog_three\"\n            }\n        }\n    ]\n}"));
    }

    @Test
    public void testFilterSchemas() {
        assertAccessControlMethodBehaviour((opaAccessControl, systemSecurityContext, set) -> {
            return opaAccessControl.filterSchemas(systemSecurityContext, "my_catalog", set);
        }, "schema_one", "schema_two", "schema_three", ImmutableSet.of("{\n    \"operation\": \"FilterSchemas\",\n    \"filterResources\": [\n        {\n            \"schema\": {\n                \"schemaName\": \"schema_one\",\n                \"catalogName\": \"my_catalog\"\n            }\n        },\n        {\n            \"schema\": {\n                \"schemaName\": \"schema_two\",\n                \"catalogName\": \"my_catalog\"\n            }\n        },\n        {\n            \"schema\": {\n                \"schemaName\": \"schema_three\",\n                \"catalogName\": \"my_catalog\"\n            }\n        }\n    ]\n}"));
    }

    @Test
    public void testFilterTables() {
        assertAccessControlMethodBehaviour((opaAccessControl, systemSecurityContext, set) -> {
            return opaAccessControl.filterTables(systemSecurityContext, "my_catalog", set);
        }, new SchemaTableName("schema_one", "table_one"), new SchemaTableName("schema_one", "table_two"), new SchemaTableName("schema_two", "table_one"), ImmutableSet.of("{\n    \"operation\": \"FilterTables\",\n    \"filterResources\": [\n        {\n            \"table\": {\n                \"tableName\": \"table_one\",\n                \"schemaName\": \"schema_one\",\n                \"catalogName\": \"my_catalog\"\n            }\n        },\n        {\n            \"table\": {\n                \"tableName\": \"table_two\",\n                \"schemaName\": \"schema_one\",\n                \"catalogName\": \"my_catalog\"\n            }\n        },\n        {\n            \"table\": {\n                \"tableName\": \"table_one\",\n                \"schemaName\": \"schema_two\",\n                \"catalogName\": \"my_catalog\"\n            }\n        }\n    ]\n}"));
    }

    @Test
    public void testFilterColumns() {
        SchemaTableName schemaTableName = SchemaTableName.schemaTableName("my_schema", "table_one");
        SchemaTableName schemaTableName2 = SchemaTableName.schemaTableName("my_schema", "table_two");
        ImmutableMap buildOrThrow = ImmutableMap.builder().put(schemaTableName, ImmutableSet.of("table_one_column_one", "table_one_column_two")).put(schemaTableName2, ImmutableSet.of("table_two_column_one", "table_two_column_two")).put(SchemaTableName.schemaTableName("my_schema", "table_three"), ImmutableSet.of("table_three_column_one", "table_three_column_two")).buildOrThrow();
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(TestConstants.OPA_SERVER_BATCH_URI, RequestTestUtilities.buildValidatingRequestHandler(TestConstants.TEST_IDENTITY, (Function<JsonNode, HttpClientUtils.MockResponse>) jsonNode -> {
            String str;
            String asText = jsonNode.at("/input/action/filterResources/0/table/tableName").asText();
            boolean z = -1;
            switch (asText.hashCode()) {
                case -1988197771:
                    if (asText.equals("table_one")) {
                        z = false;
                        break;
                    }
                    break;
                case -1988192677:
                    if (asText.equals("table_two")) {
                        z = true;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    str = "{\"result\": [0, 1]}";
                    break;
                case true:
                    str = "{\"result\": [1]}";
                    break;
                default:
                    str = "{\"result\": []}";
                    break;
            }
            return new HttpClientUtils.MockResponse(str, 200);
        }));
        Map filterColumns = TestHelpers.createOpaAuthorizer(TestConstants.OPA_SERVER_URI, TestConstants.OPA_SERVER_BATCH_URI, createMockHttpClient).filterColumns(TestConstants.TEST_SECURITY_CONTEXT, "my_catalog", buildOrThrow);
        RequestTestUtilities.assertStringRequestsEqual((Set) Stream.of((Object[]) new String[]{"table_one", "table_two", "table_three"}).map(str -> {
            return "{\n    \"operation\": \"FilterColumns\",\n    \"filterResources\": [\n        {\n            \"table\": {\n                \"tableName\": \"%s\",\n                \"schemaName\": \"my_schema\",\n                \"catalogName\": \"my_catalog\",\n                \"columns\": [\"%s_column_one\", \"%s_column_two\"]\n            }\n        }\n    ]\n}\n".formatted(str, str, str);
        }).collect(ImmutableSet.toImmutableSet()), createMockHttpClient.getRequests(), "/input/action");
        Assertions.assertThat(filterColumns).containsExactlyInAnyOrderEntriesOf(ImmutableMap.builder().put(schemaTableName, ImmutableSet.of("table_one_column_one", "table_one_column_two")).put(schemaTableName2, ImmutableSet.of("table_two_column_two")).buildOrThrow());
    }

    @Test
    public void testEmptyFilterColumns() {
        assertFilteringAccessControlMethodDoesNotSendRequests(opaAccessControl -> {
            return opaAccessControl.filterColumns(TestConstants.TEST_SECURITY_CONTEXT, "my_catalog", ImmutableMap.of()).entrySet();
        });
        SchemaTableName schemaTableName = SchemaTableName.schemaTableName("my_schema", "table_one");
        ImmutableMap buildOrThrow = ImmutableMap.builder().put(schemaTableName, ImmutableSet.of()).put(SchemaTableName.schemaTableName("my_schema", "table_two"), ImmutableSet.of()).buildOrThrow();
        assertFilteringAccessControlMethodDoesNotSendRequests(opaAccessControl2 -> {
            return opaAccessControl2.filterColumns(TestConstants.TEST_SECURITY_CONTEXT, "my_catalog", buildOrThrow).entrySet();
        });
    }

    @Test
    public void testFilterColumnErrorCases() {
        TestHelpers.assertBatchAccessControlMethodThrowsForIllegalResponses(opaAccessControl -> {
            opaAccessControl.filterColumns(TestConstants.TEST_SECURITY_CONTEXT, "my_catalog", ImmutableMap.of(new SchemaTableName("some_schema", "some_table"), ImmutableSet.of("column_one", "column_two")));
        });
    }

    @Test
    public void testFilterFunctions() {
        assertAccessControlMethodBehaviour((opaAccessControl, systemSecurityContext, set) -> {
            return opaAccessControl.filterFunctions(systemSecurityContext, "my_catalog", set);
        }, new SchemaFunctionName("my_schema", "function_one"), new SchemaFunctionName("my_schema", "function_two"), new SchemaFunctionName("my_schema", "function_three"), ImmutableSet.of("{\n    \"operation\": \"FilterFunctions\",\n    \"filterResources\": [\n        {\n            \"function\": {\n                \"catalogName\": \"my_catalog\",\n                \"schemaName\": \"my_schema\",\n                \"functionName\": \"function_one\"\n            }\n        },\n        {\n            \"function\": {\n                \"catalogName\": \"my_catalog\",\n                \"schemaName\": \"my_schema\",\n                \"functionName\": \"function_two\"\n            }\n        },\n        {\n            \"function\": {\n                \"catalogName\": \"my_catalog\",\n                \"schemaName\": \"my_schema\",\n                \"functionName\": \"function_three\"\n            }\n        }\n    ]\n}"));
    }

    private static <T> void assertAccessControlMethodBehaviour(FunctionalHelpers.Function3<OpaAccessControl, SystemSecurityContext, Set<T>, Collection<T>> function3, T t, T t2, T t3, Set<String> set) {
        assertFilteringAccessControlMethodDoesNotSendRequests(opaAccessControl -> {
            return (Collection) function3.apply(opaAccessControl, TestConstants.TEST_SECURITY_CONTEXT, ImmutableSet.of());
        });
        ImmutableSet of = ImmutableSet.of(t, t2, t3);
        for (FunctionalHelpers.Pair pair : ImmutableList.builder().add(FunctionalHelpers.Pair.of("{\"result\": []}", ImmutableList.of())).add(FunctionalHelpers.Pair.of("{\"result\": [0]}", ImmutableList.of(t))).add(FunctionalHelpers.Pair.of("{\"result\": [1]}", ImmutableList.of(t2))).add(FunctionalHelpers.Pair.of("{\"result\": [2]}", ImmutableList.of(t3))).add(FunctionalHelpers.Pair.of("{\"result\": [0, 2]}", ImmutableList.of(t, t3))).add(FunctionalHelpers.Pair.of("{\"result\": [1, 2]}", ImmutableList.of(t2, t3))).add(FunctionalHelpers.Pair.of("{\"result\": [0, 1, 2]}", ImmutableList.of(t, t2, t3))).build()) {
            HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(TestConstants.OPA_SERVER_BATCH_URI, RequestTestUtilities.buildValidatingRequestHandler(TestConstants.TEST_IDENTITY, 200, (String) pair.first()));
            Assertions.assertThat(function3.apply(TestHelpers.createOpaAuthorizer(TestConstants.OPA_SERVER_URI, TestConstants.OPA_SERVER_BATCH_URI, createMockHttpClient), TestConstants.TEST_SECURITY_CONTEXT, of)).containsExactlyInAnyOrderElementsOf((Iterable) pair.second());
            RequestTestUtilities.assertStringRequestsEqual(set, createMockHttpClient.getRequests(), "/input/action");
        }
        Consumer consumer = opaAccessControl2 -> {
            function3.apply(opaAccessControl2, TestConstants.TEST_SECURITY_CONTEXT, of);
        };
        TestHelpers.assertBatchAccessControlMethodThrowsForIllegalResponses(consumer);
        TestHelpers.assertAccessControlMethodThrows(() -> {
            consumer.accept(TestHelpers.buildBatchAuthorizerWithPredefinedResponse(new HttpClientUtils.MockResponse("{\"result\": [0, 1, 2, 3]}", 200)));
        }, OpaQueryException.QueryFailed.class, "Failed to query OPA backend");
    }

    private static void assertFilteringAccessControlMethodDoesNotSendRequests(Function<OpaAccessControl, Collection<?>> function) {
        HttpClientUtils.InstrumentedHttpClient createMockHttpClient = TestHelpers.createMockHttpClient(TestConstants.OPA_SERVER_BATCH_URI, jsonNode -> {
            return TestConstants.OK_RESPONSE;
        });
        Assertions.assertThat(function.apply(TestHelpers.createOpaAuthorizer(TestConstants.OPA_SERVER_URI, TestConstants.OPA_SERVER_BATCH_URI, createMockHttpClient))).isEmpty();
        Assertions.assertThat(createMockHttpClient.getRequests()).isEmpty();
    }
}
