package io.trino.plugin.opa;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.trino.plugin.opa.HttpClientUtils;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.TrinoPrincipal;
import java.net.URI;
import java.util.Optional;
import java.util.Set;
import java.util.function.Consumer;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/trino/plugin/opa/TestOpaAccessControlPermissionManagementOperations.class */
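/**
 * Verifies how the {@code opa.allow-permission-management-operations} setting governs the
 * permission-management entry points of {@link OpaAccessControl}.
 *
 * <p>Grant/revoke/deny of table and schema privileges and create/drop/grant of roles must be
 * allowed when the flag is {@code true} and rejected with {@link AccessDeniedException} (message
 * prefixed {@code "Access Denied:"}) when it is {@code false}. The read-only role listing checks
 * must be allowed in either configuration.
 *
 * <p>In every case the instrumented HTTP client must record no requests: the outcome is decided
 * locally from configuration and the OPA server is never consulted for these operations.
 */
public class TestOpaAccessControlPermissionManagementOperations {
    /** Policy endpoint handed to the factory; the mock client never actually contacts it. */
    private static final URI OPA_SERVER_URI = URI.create("http://my-uri/");

    /** Message prefix the plugin uses when an operation is refused by configuration. */
    private static final String ACCESS_DENIED_PREFIX = "Access Denied:";

    @Test
    public void testTablePrivilegeGrantingOperationsDeniedOrAllowedByConfig() {
        CatalogSchemaTableName table = new CatalogSchemaTableName("some_catalog", "some_schema", "some_table");
        TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "some_user");

        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanGrantTablePrivilege(TestConstants.TEST_SECURITY_CONTEXT, Privilege.CREATE, table, grantee, false));
        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanRevokeTablePrivilege(TestConstants.TEST_SECURITY_CONTEXT, Privilege.CREATE, table, grantee, false));
        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanDenyTablePrivilege(TestConstants.TEST_SECURITY_CONTEXT, Privilege.CREATE, table, grantee));
    }

    @Test
    public void testSchemaPrivilegeGrantingOperationsDeniedOrAllowedByConfig() {
        CatalogSchemaName schema = new CatalogSchemaName("some_catalog", "some_schema");
        TrinoPrincipal grantee = new TrinoPrincipal(PrincipalType.USER, "some_user");

        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanGrantSchemaPrivilege(TestConstants.TEST_SECURITY_CONTEXT, Privilege.CREATE, schema, grantee, false));
        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanRevokeSchemaPrivilege(TestConstants.TEST_SECURITY_CONTEXT, Privilege.CREATE, schema, grantee, false));
        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanDenySchemaPrivilege(TestConstants.TEST_SECURITY_CONTEXT, Privilege.CREATE, schema, grantee));
    }

    @Test
    public void testCanCreateRoleAllowedOrDeniedByConfig() {
        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanCreateRole(TestConstants.TEST_SECURITY_CONTEXT, "some_role", Optional.empty()));
    }

    @Test
    public void testCanDropRoleAllowedOrDeniedByConfig() {
        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanDropRole(TestConstants.TEST_SECURITY_CONTEXT, "some_role"));
    }

    @Test
    public void testCanGrantRolesAllowedOrDeniedByConfig() {
        // Typed locals: the decompiled original used raw ImmutableSet, losing the element types.
        Set<String> roles = ImmutableSet.of("role_one", "role_two");
        Set<TrinoPrincipal> grantees = ImmutableSet.of(new TrinoPrincipal(PrincipalType.USER, "some_principal"));

        testOperationAllowedOrDeniedByConfig(accessControl ->
                accessControl.checkCanGrantRoles(TestConstants.TEST_SECURITY_CONTEXT, roles, grantees, true, Optional.empty()));
    }

    @Test
    public void testShowRolesAlwaysAllowedRegardlessOfConfig() {
        testOperationAlwaysAllowedRegardlessOfConfig(accessControl ->
                accessControl.checkCanShowRoles(TestConstants.TEST_SECURITY_CONTEXT));
    }

    @Test
    public void testShowCurrentRolesAlwaysAllowedRegardlessOfConfig() {
        testOperationAlwaysAllowedRegardlessOfConfig(accessControl ->
                accessControl.checkCanShowCurrentRoles(TestConstants.TEST_SECURITY_CONTEXT));
    }

    @Test
    public void testShowRoleGrantsAlwaysAllowedRegardlessOfConfig() {
        testOperationAlwaysAllowedRegardlessOfConfig(accessControl ->
                accessControl.checkCanShowRoleGrants(TestConstants.TEST_SECURITY_CONTEXT));
    }

    /**
     * Runs {@code operation} against an authorizer with permission management enabled (must
     * succeed) and one with it disabled (must throw {@link AccessDeniedException} whose message
     * contains {@value #ACCESS_DENIED_PREFIX}), then asserts that neither authorizer sent a
     * request to OPA.
     *
     * @param operation the access-control check under test
     */
    private static void testOperationAllowedOrDeniedByConfig(Consumer<OpaAccessControl> operation) {
        HttpClientUtils.InstrumentedHttpClient mockClient = newMockHttpClient();
        OpaAccessControl permittingAuthorizer = createAuthorizer(true, mockClient);
        OpaAccessControl denyingAuthorizer = createAuthorizer(false, mockClient);

        operation.accept(permittingAuthorizer);
        Assertions.assertThatThrownBy(() -> operation.accept(denyingAuthorizer))
                .isInstanceOf(AccessDeniedException.class)
                .hasMessageContaining(ACCESS_DENIED_PREFIX);
        // Both verdicts come from configuration alone; OPA must not have been consulted.
        Assertions.assertThat(mockClient.getRequests()).isEmpty();
    }

    /**
     * Runs {@code operation} against authorizers with permission management enabled and disabled;
     * both must succeed and neither may send a request to OPA.
     *
     * @param operation the access-control check under test
     */
    private static void testOperationAlwaysAllowedRegardlessOfConfig(Consumer<OpaAccessControl> operation) {
        HttpClientUtils.InstrumentedHttpClient mockClient = newMockHttpClient();
        OpaAccessControl permittingAuthorizer = createAuthorizer(true, mockClient);
        OpaAccessControl denyingAuthorizer = createAuthorizer(false, mockClient);

        operation.accept(permittingAuthorizer);
        operation.accept(denyingAuthorizer);
        Assertions.assertThat(mockClient.getRequests()).isEmpty();
    }

    /**
     * Builds an instrumented client whose handler answers every request with {@code null};
     * the tests assert it is never invoked, so no real response is needed.
     */
    private static HttpClientUtils.InstrumentedHttpClient newMockHttpClient() {
        return TestHelpers.createMockHttpClient(OPA_SERVER_URI, jsonNode -> null);
    }

    /**
     * Creates an {@link OpaAccessControl} pointed at {@link #OPA_SERVER_URI} with
     * {@code opa.allow-permission-management-operations} set to {@code allowPermissionManagement}.
     *
     * @param allowPermissionManagement value for the permission-management flag
     * @param httpClient client injected into the factory so no real HTTP traffic occurs
     * @return the configured access control
     */
    private static OpaAccessControl createAuthorizer(boolean allowPermissionManagement, HttpClientUtils.InstrumentedHttpClient httpClient) {
        ImmutableMap<String, String> config = ImmutableMap.<String, String>builder()
                .put("opa.policy.uri", OPA_SERVER_URI.toString())
                .put("opa.allow-permission-management-operations", String.valueOf(allowPermissionManagement))
                .buildOrThrow();
        return OpaAccessControlFactory.create(config, Optional.of(httpClient), Optional.of(TestConstants.SYSTEM_ACCESS_CONTROL_CONTEXT));
    }
}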
