package com.facebook.presto.hive.security.ranger;

import com.facebook.airlift.http.client.HttpStatus;
import com.facebook.airlift.http.client.testing.TestingHttpClient;
import com.facebook.airlift.http.client.testing.TestingResponse;
import com.facebook.presto.common.RuntimeStats;
import com.facebook.presto.common.Subfield;
import com.facebook.presto.spi.QueryId;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.WarningCollector;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.ConnectorIdentity;
import com.facebook.presto.spi.security.PrestoPrincipal;
import com.facebook.presto.spi.security.PrincipalType;
import com.facebook.presto.spi.security.Privilege;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.ImmutableListMultimap;
import com.google.common.collect.ImmutableSet;
import com.google.common.io.ByteStreams;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Optional;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:com/facebook/presto/hive/security/ranger/TestRangerBasedAccessControl.class */
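/**
 * Unit tests for {@link RangerBasedAccessControl}.
 *
 * <p>The Ranger REST endpoints are stubbed with a {@link TestingHttpClient}: the policy document and
 * the user/group document are served from classpath JSON fixtures under
 * {@code com.facebook.presto.hive.security.ranger/}, and the user-roles endpoint answers with a
 * fixed role list selected by the user name embedded in the request path. Each test states which
 * operations a given user may perform under a given policy fixture; a denial surfaces as
 * {@link AccessDeniedException}, which {@link #assertDenied} pins.
 */
public class TestRangerBasedAccessControl {
    /** Empty transaction handle stub handed to every access check. */
    public static final ConnectorTransactionHandle TRANSACTION_HANDLE = new ConnectorTransactionHandle() {
    };

    /**
     * Context shared by every check: a fixed query id, empty optional fields, a no-op warning
     * collector and fresh runtime stats.
     */
    public static final AccessControlContext CONTEXT = new AccessControlContext(new QueryId("query_id"), Optional.empty(), Optional.empty(), WarningCollector.NOOP, new RuntimeStats());

    /**
     * Privilege grant/revoke and role management are denied for every user, even under the
     * allow-all policy fixture. This is the deny-by-default behaviour for operations the Ranger
     * plugin does not delegate to a policy.
     */
    @Test
    public void testTablePriviledgesRolesNotAllowed() {
        ConnectorAccessControl accessControl = createRangerAccessControl("default-allow-all.json", "user_groups.json");
        SchemaTableName table = new SchemaTableName("foodmart", "test");
        PrestoPrincipal role = new PrestoPrincipal(PrincipalType.ROLE, "role");

        assertDenied(() -> accessControl.checkCanRevokeTablePrivilege(TRANSACTION_HANDLE, user("anyuser"), CONTEXT, Privilege.SELECT, table, role, true));
        assertDenied(() -> accessControl.checkCanGrantTablePrivilege(TRANSACTION_HANDLE, user("anyuser"), CONTEXT, Privilege.SELECT, table, role, true));
        assertDenied(() -> accessControl.checkCanCreateRole(TRANSACTION_HANDLE, user("anyuser"), CONTEXT, "schemaName", Optional.empty()));
        assertDenied(() -> accessControl.checkCanDropRole(TRANSACTION_HANDLE, user("anyuser"), CONTEXT, "schemaName"));
        assertDenied(() -> accessControl.checkCanGrantRoles(TRANSACTION_HANDLE, user("anyuser"), CONTEXT, ImmutableSet.of(""), ImmutableSet.of(role), true, Optional.empty(), ""));
        assertDenied(() -> accessControl.checkCanSetRole(TRANSACTION_HANDLE, user("anyuser"), CONTEXT, "schemaName", ""));
    }

    /**
     * Metadata, session-property, schema-creation and schema-listing checks complete without a
     * denial for an arbitrary user under the allow-all policy fixture.
     */
    @Test
    public void testDefaultAccessAllowedNotChecked() {
        ConnectorAccessControl accessControl = createRangerAccessControl("default-allow-all.json", "user_groups.json");
        ConnectorIdentity anyUser = user("anyuser");

        accessControl.checkCanShowTablesMetadata(TRANSACTION_HANDLE, anyUser, CONTEXT, "schemaName");
        accessControl.checkCanSetCatalogSessionProperty(TRANSACTION_HANDLE, anyUser, CONTEXT, "schemaName");
        accessControl.checkCanCreateSchema(TRANSACTION_HANDLE, anyUser, CONTEXT, "schemaName");
        accessControl.checkCanShowSchemas(TRANSACTION_HANDLE, anyUser, CONTEXT);
    }

    /**
     * Table-level operations on schemas/tables that (per the method name) are not explicitly
     * covered by the allow-all fixture complete without a denial.
     */
    @Test
    public void testDefaultTableAccessIfNotDefined() {
        ConnectorAccessControl accessControl = createRangerAccessControl("default-allow-all.json", "user_groups.json");
        SchemaTableName testTable = new SchemaTableName("test", "test");
        SchemaTableName bobTable = new SchemaTableName("bobschema", "bobtable");

        accessControl.checkCanCreateTable(TRANSACTION_HANDLE, user("admin"), CONTEXT, testTable);
        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, user("alice"), CONTEXT, testTable, ImmutableSet.of());
        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, user("bob"), CONTEXT, bobTable, ImmutableSet.of());
        accessControl.checkCanRenameTable(TRANSACTION_HANDLE, user("admin"), CONTEXT, testTable, new SchemaTableName("test1", "test1"));
        accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, user("bob"), CONTEXT, bobTable);
        accessControl.checkCanDeleteFromTable(TRANSACTION_HANDLE, user("bob"), CONTEXT, bobTable);
        accessControl.checkCanCreateViewWithSelectFromColumns(TRANSACTION_HANDLE, user("bob"), CONTEXT, bobTable, ImmutableSet.of());
    }

    /**
     * Schema-level policy fixture: alice may perform every DDL operation on {@code foodmart};
     * joe may create a table but is denied rename/drop/alter; bob is denied everything,
     * including column-level select.
     */
    @Test
    public void testTableOperations() {
        ConnectorAccessControl accessControl = createRangerAccessControl("default-schema-level-access.json", "user_groups.json");
        SchemaTableName table = new SchemaTableName("foodmart", "test");
        SchemaTableName renamed = new SchemaTableName("foodmart", "test1");

        ConnectorIdentity alice = user("alice");
        accessControl.checkCanCreateTable(TRANSACTION_HANDLE, alice, CONTEXT, table);
        accessControl.checkCanRenameTable(TRANSACTION_HANDLE, alice, CONTEXT, table, renamed);
        accessControl.checkCanDropTable(TRANSACTION_HANDLE, alice, CONTEXT, table);
        accessControl.checkCanDropSchema(TRANSACTION_HANDLE, alice, CONTEXT, "foodmart");
        accessControl.checkCanAddColumn(TRANSACTION_HANDLE, alice, CONTEXT, table);
        accessControl.checkCanDropColumn(TRANSACTION_HANDLE, alice, CONTEXT, table);
        accessControl.checkCanRenameColumn(TRANSACTION_HANDLE, alice, CONTEXT, table);

        ConnectorIdentity joe = user("joe");
        accessControl.checkCanCreateTable(TRANSACTION_HANDLE, joe, CONTEXT, table);
        assertDenied(() -> accessControl.checkCanRenameTable(TRANSACTION_HANDLE, joe, CONTEXT, table, renamed));
        assertDenied(() -> accessControl.checkCanDropTable(TRANSACTION_HANDLE, joe, CONTEXT, table));
        assertDenied(() -> accessControl.checkCanDropSchema(TRANSACTION_HANDLE, joe, CONTEXT, "foodmart"));
        assertDenied(() -> accessControl.checkCanAddColumn(TRANSACTION_HANDLE, joe, CONTEXT, table));
        assertDenied(() -> accessControl.checkCanDropColumn(TRANSACTION_HANDLE, joe, CONTEXT, table));
        assertDenied(() -> accessControl.checkCanRenameColumn(TRANSACTION_HANDLE, joe, CONTEXT, table));

        ConnectorIdentity bob = user("bob");
        assertDenied(() -> accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, bob, CONTEXT, table, ImmutableSet.of(new Subfield("column1"))));
        assertDenied(() -> accessControl.checkCanCreateTable(TRANSACTION_HANDLE, bob, CONTEXT, table));
        assertDenied(() -> accessControl.checkCanRenameTable(TRANSACTION_HANDLE, bob, CONTEXT, table, renamed));
        assertDenied(() -> accessControl.checkCanDropTable(TRANSACTION_HANDLE, bob, CONTEXT, table));
        assertDenied(() -> accessControl.checkCanAddColumn(TRANSACTION_HANDLE, bob, CONTEXT, table));
        assertDenied(() -> accessControl.checkCanDropColumn(TRANSACTION_HANDLE, bob, CONTEXT, table));
        assertDenied(() -> accessControl.checkCanRenameColumn(TRANSACTION_HANDLE, bob, CONTEXT, table));
    }

    /**
     * Select/update policy fixture: alice and joe may both select and insert on
     * {@code foodmart.test}; bob may select but is denied insert.
     */
    @Test
    public void testSelectUpdateAccess() {
        ConnectorAccessControl accessControl = createRangerAccessControl("default-table-select-update.json", "user_groups.json");
        SchemaTableName table = new SchemaTableName("foodmart", "test");
        ImmutableSet<Subfield> column1 = ImmutableSet.of(new Subfield("column1"));

        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, user("alice"), CONTEXT, table, column1);
        accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, user("alice"), CONTEXT, table);
        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, user("joe"), CONTEXT, table, column1);
        accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, user("joe"), CONTEXT, table);
        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, user("bob"), CONTEXT, table, column1);
        assertDenied(() -> accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, user("bob"), CONTEXT, table));
    }

    /**
     * Column-level policy fixture: joe may read {@code salary_paid} and {@code overtime_paid} from
     * {@code foodmart.salary}; a select by bob that includes {@code currency_id} is denied as a
     * whole, so one unauthorised column fails the entire statement.
     */
    @Test
    public void testColumnLevelAccess() {
        ConnectorAccessControl accessControl = createRangerAccessControl("default-table-column-access.json", "user_groups.json");
        SchemaTableName salary = new SchemaTableName("foodmart", "salary");

        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, user("joe"), CONTEXT, salary, ImmutableSet.of(new Subfield("salary_paid"), new Subfield("overtime_paid")));
        assertDenied(() -> accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, user("bob"), CONTEXT, salary, ImmutableSet.of(new Subfield("currency_id"), new Subfield("overtime_paid"))));
    }

    /**
     * Role-based policy fixture, with roles supplied by the stubbed roles endpoint: raj
     * ({@code admin_role}) has full access to {@code customer}; maria ({@code etl_role}) has full
     * access to {@code orders} but not {@code customer}; sam ({@code analyst_role}) has full
     * access to {@code lineitem} but neither {@code customer} nor {@code supplier}.
     */
    @Test
    public void testRoleBasedAccess() {
        ConnectorAccessControl accessControl = createRangerAccessControl("ranger-role-based-access.json", "user_groups.json");
        ImmutableSet<Subfield> column1 = ImmutableSet.of(new Subfield("column1"));
        SchemaTableName customer = new SchemaTableName("default", "customer");
        SchemaTableName orders = new SchemaTableName("default", "orders");
        SchemaTableName lineitem = new SchemaTableName("default", "lineitem");
        SchemaTableName supplier = new SchemaTableName("default", "supplier");

        ConnectorIdentity raj = user("raj");
        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, raj, CONTEXT, customer, column1);
        accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, raj, CONTEXT, customer);
        accessControl.checkCanDropTable(TRANSACTION_HANDLE, raj, CONTEXT, customer);

        ConnectorIdentity maria = user("maria");
        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, maria, CONTEXT, orders, column1);
        accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, maria, CONTEXT, orders);
        accessControl.checkCanDropTable(TRANSACTION_HANDLE, maria, CONTEXT, orders);
        assertDenied(() -> accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, maria, CONTEXT, customer, column1));

        ConnectorIdentity sam = user("sam");
        accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, sam, CONTEXT, lineitem, column1);
        accessControl.checkCanInsertIntoTable(TRANSACTION_HANDLE, sam, CONTEXT, lineitem);
        accessControl.checkCanDropTable(TRANSACTION_HANDLE, sam, CONTEXT, lineitem);
        assertDenied(() -> accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, sam, CONTEXT, customer, column1));
        assertDenied(() -> accessControl.checkCanSelectFromColumns(TRANSACTION_HANDLE, sam, CONTEXT, supplier, column1));
    }

    /**
     * Builds a connector identity for {@code userName} with no principal and no extra credentials.
     *
     * @param str the user name
     * @return an identity carrying only the user name
     */
    private static ConnectorIdentity user(String str) {
        return new ConnectorIdentity(str, Optional.empty(), Optional.empty());
    }

    /**
     * Creates a {@link RangerBasedAccessControl} wired to a stub HTTP client.
     *
     * <p>The stub serves the policy download endpoint from {@code str}, the users endpoint from
     * {@code str2} (both resolved as classpath resources under
     * {@code com.facebook.presto.hive.security.ranger/}), and the user-roles endpoint from a
     * fixed table keyed by user name. Any other request path is a test-configuration error and
     * throws.
     *
     * @param str policy fixture file name
     * @param str2 user/group fixture file name
     * @return an access control backed by the fixtures
     */
    private ConnectorAccessControl createRangerAccessControl(String str, String str2) {
        String policiesResource = "com.facebook.presto.hive.security.ranger/" + str;
        String usersResource = "com.facebook.presto.hive.security.ranger/" + str2;
        RangerBasedAccessControlConfig config = new RangerBasedAccessControlConfig()
                .setRangerHttpEndPoint("http://test")
                .setRangerHiveServiceName("dummy");

        return new RangerBasedAccessControl(config, new TestingHttpClient(request -> {
            String path = request.getUri().getPath();
            if (path.contains("/service/plugins/policies/download")) {
                return makeHttpResponse(readResource(policiesResource));
            }
            if (path.contains("/service/xusers/users")) {
                return makeHttpResponse(readResource(usersResource));
            }
            if (path.contains("/service/roles/roles/user")) {
                return rolesResponse(path);
            }
            throw new IllegalStateException("Testing client is not configured correctly");
        }));
    }

    /**
     * Answers the user-roles endpoint with a canned role list.
     *
     * <p>The lookup is a substring match on the whole request path, checked in the order raj,
     * maria, sam, with {@code dev_role} as the fallback. A user name that contains one of those
     * keys (e.g. "samantha") would therefore inherit that key's roles; fixtures must avoid such
     * names.
     *
     * @param path the request path of the roles call
     * @return a JSON array of role names
     */
    private TestingResponse rolesResponse(String path) {
        String roles;
        if (path.contains("raj")) {
            roles = "[\"admin_role\"]";
        }
        else if (path.contains("maria")) {
            roles = "[\"etl_role\"]";
        }
        else if (path.contains("sam")) {
            roles = "[\"analyst_role\"]";
        }
        else {
            roles = "[\"dev_role\"]";
        }
        return makeHttpResponse(roles.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reads a classpath fixture fully into memory, closing the stream afterwards.
     *
     * @param resourceName classpath path of the fixture
     * @return the fixture bytes
     * @throws IOException if the stream cannot be read
     * @throws IllegalStateException if the resource does not exist, so a misspelled fixture name
     *     fails with a clear message instead of a NullPointerException inside the stub client
     */
    private byte[] readResource(String resourceName) throws IOException {
        // A null resource is legal in try-with-resources; close() is simply skipped.
        try (InputStream in = getClass().getClassLoader().getResourceAsStream(resourceName)) {
            if (in == null) {
                throw new IllegalStateException("Missing test resource: " + resourceName);
            }
            return ByteStreams.toByteArray(in);
        }
    }

    /**
     * Wraps {@code bArr} in an HTTP 200 response with a JSON content type.
     *
     * @param bArr the response body
     * @return the stub response
     */
    private TestingResponse makeHttpResponse(byte[] bArr) {
        ImmutableListMultimap<String, String> headers = ImmutableListMultimap.of("Content-Type", "application/json");
        return new TestingResponse(HttpStatus.OK, headers, bArr);
    }

    /**
     * Parses a JSON file into {@code cls}, ignoring unknown properties. Currently unreferenced
     * within this class.
     *
     * @param file the JSON file, read as UTF-8
     * @param cls the target type
     * @param <T> the target type
     * @return the parsed value
     * @throws IllegalArgumentException if the file cannot be read or parsed; the cause is preserved
     */
    private static <T> T jsonParse(File file, Class<T> cls) {
        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        // try-with-resources: the previous version never closed the reader.
        try (BufferedReader bufferedReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8)) {
            return objectMapper.readValue(bufferedReader, cls);
        } catch (IOException e) {
            throw new IllegalArgumentException(String.format("Invalid JSON file '%s'", file.getPath()), e);
        }
    }

    /**
     * Asserts that {@code throwingRunnable} is rejected with {@link AccessDeniedException}.
     * Any other exception type, or no exception, fails the test.
     *
     * @param throwingRunnable the access check to run
     */
    private static void assertDenied(Assert.ThrowingRunnable throwingRunnable) {
        Assert.assertThrows(AccessDeniedException.class, throwingRunnable);
    }
}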
