package com.facebook.presto.security;

import com.facebook.airlift.http.server.BasicPrincipal;
import com.facebook.presto.common.CatalogSchemaName;
import com.facebook.presto.common.QualifiedObjectName;
import com.facebook.presto.common.Subfield;
import com.facebook.presto.connector.informationSchema.InformationSchemaConnector;
import com.facebook.presto.connector.system.SystemConnector;
import com.facebook.presto.metadata.Catalog;
import com.facebook.presto.metadata.CatalogManager;
import com.facebook.presto.metadata.InMemoryNodeManager;
import com.facebook.presto.metadata.MetadataManager;
import com.facebook.presto.spi.CatalogSchemaTableName;
import com.facebook.presto.spi.ConnectorId;
import com.facebook.presto.spi.PrestoException;
import com.facebook.presto.spi.QueryId;
import com.facebook.presto.spi.SchemaTableName;
import com.facebook.presto.spi.WarningCollector;
import com.facebook.presto.spi.connector.Connector;
import com.facebook.presto.spi.connector.ConnectorAccessControl;
import com.facebook.presto.spi.connector.ConnectorTransactionHandle;
import com.facebook.presto.spi.security.AccessControl;
import com.facebook.presto.spi.security.AccessControlContext;
import com.facebook.presto.spi.security.AccessDeniedException;
import com.facebook.presto.spi.security.ConnectorIdentity;
import com.facebook.presto.spi.security.Identity;
import com.facebook.presto.spi.security.PrestoPrincipal;
import com.facebook.presto.spi.security.Privilege;
import com.facebook.presto.spi.security.SystemAccessControl;
import com.facebook.presto.spi.security.SystemAccessControlFactory;
import com.facebook.presto.testing.TestingConnectorContext;
import com.facebook.presto.tpch.TpchConnectorFactory;
import com.facebook.presto.transaction.InMemoryTransactionManager;
import com.facebook.presto.transaction.TransactionBuilder;
import com.facebook.presto.transaction.TransactionManager;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Collection;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:com/facebook/presto/security/TestAccessControlManager.class */
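/**
 * Tests for {@link AccessControlManager}.
 *
 * <p>The cases below pin down how the manager delegates authorization decisions: checks are
 * refused while no system access control is installed, the built-in {@code allow-all} and
 * {@code read-only} controls behave as their names suggest, an installed
 * {@link SystemAccessControlFactory} is handed the identity, principal and query text being
 * checked, query-integrity tokens are validated, and a denial raised by either the system-level
 * or the catalog-level control surfaces to the caller as a {@link PrestoException}.
 */
public class TestAccessControlManager {
    private static final Principal PRINCIPAL = new BasicPrincipal("principal");
    private static final String USER_NAME = "user_name";
    // Extra-credential key whose value the test system access control compares the query text against.
    private static final String QUERY_TOKEN_FIELD = "query_token";
    private static final String QUERY_ID = "query_id";
    // Catalog name on which the test system access control refuses SELECT.
    private static final String SECURED_CATALOG = "secured_catalog";

    /**
     * Connector-level access control that denies {@code SELECT} on every column it is asked about.
     * Every other check throws {@link UnsupportedOperationException}, so a test that unexpectedly
     * reaches one of them fails loudly instead of being silently allowed.
     */
    private static class DenyConnectorAccessControl implements ConnectorAccessControl {
        private DenyConnectorAccessControl() {
        }

        @Override
        public void checkCanSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<Subfield> columns) {
            // Report only the root column names, which is what the caller sees in the denial message.
            AccessDeniedException.denySelectColumns(tableName.toString(), columns.stream().map(Subfield::getRootName).collect(ImmutableSet.toImmutableSet()));
        }

        @Override
        public void checkCanCreateSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanDropSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanRenameSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName, String newSchemaName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanCreateTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanDropTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanRenameTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, SchemaTableName newTableName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanAddColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanDropColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanRenameColumn(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanInsertIntoTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanDeleteFromTable(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanUpdateTableColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<String> updatedColumns) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanCreateView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanDropView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanCreateViewWithSelectFromColumns(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName tableName, Set<String> columns) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanSetCatalogSessionProperty(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String propertyName) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanGrantTablePrivilege(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal grantee, boolean withGrantOption) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkCanRevokeTablePrivilege(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, Privilege privilege, SchemaTableName tableName, PrestoPrincipal revokee, boolean grantOptionFor) {
            throw new UnsupportedOperationException();
        }
    }

    /**
     * {@link SystemAccessControlFactory} that records what its {@link SystemAccessControl} was asked
     * to check, so tests can assert that the manager passed the expected identity, principal and
     * query text through.
     *
     * <p>The produced control allows access to every catalog, leaves catalog filtering untouched,
     * denies {@code SELECT} on {@code secured_catalog}, denies a query whose text does not match
     * the {@code query_token} extra credential, and treats setting a system session property as
     * unsupported.
     */
    private static class TestSystemAccessControlFactory implements SystemAccessControlFactory {
        private final String name;
        // Configuration handed to the last create() call.
        private Map<String, String> config;
        // Values captured by the most recent checkCanSetUser / checkQueryIntegrity call.
        private Optional<Principal> checkedPrincipal;
        private String checkedUserName;
        private String checkedQuery;

        /**
         * @param name factory name under which the manager registers this factory
         * @throws NullPointerException if {@code name} is null
         */
        public TestSystemAccessControlFactory(String name) {
            this.name = Objects.requireNonNull(name, "name is null");
        }

        public Map<String, String> getConfig() {
            return config;
        }

        public Optional<Principal> getCheckedPrincipal() {
            return checkedPrincipal;
        }

        public String getCheckedUserName() {
            return checkedUserName;
        }

        public String getCheckedQuery() {
            return checkedQuery;
        }

        @Override
        public String getName() {
            return name;
        }

        @Override
        public SystemAccessControl create(Map<String, String> config) {
            this.config = config;
            return new SystemAccessControl() {
                @Override
                public void checkCanSetUser(Identity identity, AccessControlContext context, Optional<Principal> principal, String userName) {
                    TestSystemAccessControlFactory.this.checkedPrincipal = principal;
                    TestSystemAccessControlFactory.this.checkedUserName = userName;
                }

                @Override
                public void checkQueryIntegrity(Identity identity, AccessControlContext context, String query) {
                    // The query text must equal the token the client supplied as an extra credential;
                    // any mismatch is treated as a tampered query and denied before anything is recorded.
                    if (!query.equals(identity.getExtraCredentials().get(QUERY_TOKEN_FIELD))) {
                        AccessDeniedException.denyQueryIntegrityCheck();
                    }
                    TestSystemAccessControlFactory.this.checkedUserName = identity.getUser();
                    TestSystemAccessControlFactory.this.checkedPrincipal = identity.getPrincipal();
                    TestSystemAccessControlFactory.this.checkedQuery = query;
                }

                @Override
                public void checkCanAccessCatalog(Identity identity, AccessControlContext context, String catalogName) {
                    // Every catalog is reachable; catalog-level decisions are exercised elsewhere.
                }

                @Override
                public void checkCanSetSystemSessionProperty(Identity identity, AccessControlContext context, String propertyName) {
                    throw new UnsupportedOperationException();
                }

                @Override
                public void checkCanSelectFromColumns(Identity identity, AccessControlContext context, CatalogSchemaTableName table, Set<String> columns) {
                    if (table.getCatalogName().equals(SECURED_CATALOG)) {
                        AccessDeniedException.denySelectTable(table.toString());
                    }
                }

                @Override
                public Set<String> filterCatalogs(Identity identity, AccessControlContext context, Set<String> catalogs) {
                    return catalogs;
                }
            };
        }
    }

    /**
     * Before a system access control is installed the manager refuses checks instead of allowing
     * them, so a not-yet-configured server fails closed.
     */
    @Test(expectedExceptions = {PrestoException.class}, expectedExceptionsMessageRegExp = "Presto server is still initializing")
    public void testInitializing() {
        AccessControlManager accessControlManager = new AccessControlManager(InMemoryTransactionManager.createTestTransactionManager());
        accessControlManager.checkCanSetUser(newIdentity(), newContext(), Optional.empty(), "foo");
    }

    /**
     * The built-in {@code allow-all} control lets a user be set without a principal.
     */
    @Test
    public void testNoneSystemAccessControl() {
        AccessControlManager accessControlManager = new AccessControlManager(InMemoryTransactionManager.createTestTransactionManager());
        accessControlManager.setSystemAccessControl("allow-all", ImmutableMap.of());
        accessControlManager.checkCanSetUser(newIdentity(), newContext(), Optional.empty(), USER_NAME);
    }

    /**
     * The built-in {@code read-only} control permits session properties, metadata listing, reads
     * and view creation, passes catalog/schema/table filtering through unchanged, and denies writes.
     */
    @Test
    public void testReadOnlySystemAccessControl() {
        Identity identity = newIdentity();
        QualifiedObjectName tableName = new QualifiedObjectName("catalog", "schema", "table");
        TransactionManager transactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
        AccessControlContext context = newContext();
        accessControlManager.setSystemAccessControl("read-only", ImmutableMap.of());

        accessControlManager.checkCanSetUser(identity, context, Optional.of(PRINCIPAL), USER_NAME);
        accessControlManager.checkCanSetSystemSessionProperty(identity, context, "property");

        TransactionBuilder.transaction(transactionManager, accessControlManager).execute(transactionId -> {
            accessControlManager.checkCanSetCatalogSessionProperty(transactionId, identity, context, "catalog", "property");
            accessControlManager.checkCanShowSchemas(transactionId, identity, context, "catalog");
            accessControlManager.checkCanShowTablesMetadata(transactionId, identity, context, new CatalogSchemaName("catalog", "schema"));
            accessControlManager.checkCanSelectFromColumns(transactionId, identity, context, tableName, ImmutableSet.of(new Subfield("column")));
            accessControlManager.checkCanCreateViewWithSelectFromColumns(transactionId, identity, context, tableName, ImmutableSet.of("column"));

            // Read-only filtering must not hide anything.
            Set<String> catalogs = ImmutableSet.of("catalog");
            Assert.assertEquals(accessControlManager.filterCatalogs(identity, context, catalogs), catalogs);
            Set<String> schemas = ImmutableSet.of("schema");
            Assert.assertEquals(accessControlManager.filterSchemas(transactionId, identity, context, "catalog", schemas), schemas);
            Set<SchemaTableName> tables = ImmutableSet.of(new SchemaTableName("schema", "table"));
            Assert.assertEquals(accessControlManager.filterTables(transactionId, identity, context, "catalog", tables), tables);
        });

        // A write must be refused by the read-only control.
        Assert.assertThrows(AccessDeniedException.class, () -> {
            TransactionBuilder.transaction(transactionManager, accessControlManager).execute(transactionId -> {
                accessControlManager.checkCanInsertIntoTable(transactionId, identity, context, tableName);
            });
        });
    }

    /**
     * A registered factory is selected by name and its control receives the user name and
     * principal passed to {@code checkCanSetUser}.
     */
    @Test
    public void testSetAccessControl() {
        AccessControlManager accessControlManager = new AccessControlManager(InMemoryTransactionManager.createTestTransactionManager());
        TestSystemAccessControlFactory factory = new TestSystemAccessControlFactory("test");
        accessControlManager.addSystemAccessControlFactory(factory);
        accessControlManager.setSystemAccessControl("test", ImmutableMap.of());

        accessControlManager.checkCanSetUser(newIdentity(), newContext(), Optional.of(PRINCIPAL), USER_NAME);

        Assert.assertEquals(factory.getCheckedUserName(), USER_NAME);
        Assert.assertEquals(factory.getCheckedPrincipal(), Optional.of(PRINCIPAL));
    }

    /**
     * The query-integrity check is forwarded to the system control together with the identity:
     * a query matching the {@code query_token} credential is recorded, a modified one is denied.
     */
    @Test
    public void testCheckQueryIntegrity() {
        AccessControlManager accessControlManager = new AccessControlManager(InMemoryTransactionManager.createTestTransactionManager());
        AccessControlContext context = newContext();
        TestSystemAccessControlFactory factory = new TestSystemAccessControlFactory("test");
        accessControlManager.addSystemAccessControlFactory(factory);
        accessControlManager.setSystemAccessControl("test", ImmutableMap.of());

        String query = "test_query";
        accessControlManager.checkQueryIntegrity(newIdentityWithQueryToken(query), context, query);
        Assert.assertEquals(factory.getCheckedUserName(), USER_NAME);
        Assert.assertEquals(factory.getCheckedPrincipal(), Optional.of(PRINCIPAL));
        Assert.assertEquals(factory.getCheckedQuery(), query);

        // Token and query text disagree: the control must refuse the query.
        Assert.assertThrows(AccessDeniedException.class, () -> {
            accessControlManager.checkQueryIntegrity(newIdentityWithQueryToken(query + " modified"), context, query);
        });
    }

    /**
     * With no catalog access control registered, a permissive system control alone decides, and
     * the select is allowed.
     */
    @Test
    public void testNoCatalogAccessControl() {
        TransactionManager transactionManager = InMemoryTransactionManager.createTestTransactionManager();
        AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
        accessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
        accessControlManager.setSystemAccessControl("test", ImmutableMap.of());

        TransactionBuilder.transaction(transactionManager, accessControlManager).execute(transactionId -> {
            accessControlManager.checkCanSelectFromColumns(transactionId, newIdentity(), newContext(), new QualifiedObjectName("catalog", "schema", "table"), ImmutableSet.of(new Subfield("column")));
        });
    }

    /**
     * A denial from the catalog-level control of the queried catalog propagates as a
     * {@link PrestoException} even though the system control would have allowed the select.
     */
    @Test(expectedExceptions = {PrestoException.class}, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from columns \\[column\\] in table or view schema.table")
    public void testDenyCatalogAccessControl() {
        CatalogManager catalogManager = new CatalogManager();
        TransactionManager transactionManager = InMemoryTransactionManager.createTestTransactionManager(catalogManager);
        AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
        accessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
        accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
        accessControlManager.addCatalogAccessControl(registerBogusConnector(catalogManager, transactionManager, accessControlManager, "catalog"), new DenyConnectorAccessControl());

        TransactionBuilder.transaction(transactionManager, accessControlManager).execute(transactionId -> {
            accessControlManager.checkCanSelectFromColumns(transactionId, newIdentity(), newContext(), new QualifiedObjectName("catalog", "schema", "table"), ImmutableSet.of(new Subfield("column")));
        });
    }

    /**
     * A denial from the system-level control propagates as a {@link PrestoException}. The queried
     * table lives in {@code secured_catalog}, for which no connector is registered, and the
     * expected message is the system control's {@code denySelectTable} text rather than the
     * connector control's column-level message.
     */
    @Test(expectedExceptions = {PrestoException.class}, expectedExceptionsMessageRegExp = "Access Denied: Cannot select from table secured_catalog.schema.table")
    public void testDenySystemAccessControl() {
        CatalogManager catalogManager = new CatalogManager();
        TransactionManager transactionManager = InMemoryTransactionManager.createTestTransactionManager(catalogManager);
        AccessControlManager accessControlManager = new AccessControlManager(transactionManager);
        accessControlManager.addSystemAccessControlFactory(new TestSystemAccessControlFactory("test"));
        accessControlManager.setSystemAccessControl("test", ImmutableMap.of());
        registerBogusConnector(catalogManager, transactionManager, accessControlManager, "connector");
        accessControlManager.addCatalogAccessControl(new ConnectorId("connector"), new DenyConnectorAccessControl());

        TransactionBuilder.transaction(transactionManager, accessControlManager).execute(transactionId -> {
            accessControlManager.checkCanSelectFromColumns(transactionId, newIdentity(), newContext(), new QualifiedObjectName(SECURED_CATALOG, "schema", "table"), ImmutableSet.of(new Subfield("column")));
        });
    }

    /** Builds the access-control context every test uses: a fixed query id and no session/client info. */
    private static AccessControlContext newContext() {
        return new AccessControlContext(new QueryId(QUERY_ID), Optional.empty(), Optional.empty(), WarningCollector.NOOP);
    }

    /** Identity for {@code user_name} authenticated as {@code PRINCIPAL}, with no extra credentials. */
    private static Identity newIdentity() {
        return new Identity(USER_NAME, Optional.of(PRINCIPAL));
    }

    /**
     * Identity for {@code user_name} carrying {@code token} as the {@code query_token} extra
     * credential, which the test system control compares against the query text.
     */
    private static Identity newIdentityWithQueryToken(String token) {
        return new Identity(USER_NAME, Optional.of(PRINCIPAL), ImmutableMap.of(), ImmutableMap.of(QUERY_TOKEN_FIELD, token), ImmutableMap.of(), Optional.empty(), Optional.empty());
    }

    /**
     * Registers a TPCH-backed catalog named {@code catalogName}, complete with its information-schema
     * and system-tables connectors, so that catalog-level access control can be attached to it.
     *
     * @return the connector id of the registered catalog
     */
    private static ConnectorId registerBogusConnector(CatalogManager catalogManager, TransactionManager transactionManager, AccessControl accessControl, String catalogName) {
        ConnectorId connectorId = new ConnectorId(catalogName);
        Connector connector = new TpchConnectorFactory().create(catalogName, ImmutableMap.of(), new TestingConnectorContext());
        InMemoryNodeManager nodeManager = new InMemoryNodeManager();
        MetadataManager metadata = MetadataManager.createTestMetadataManager(catalogManager);
        ConnectorId systemId = ConnectorId.createSystemTablesConnectorId(connectorId);
        catalogManager.registerCatalog(new Catalog(
                catalogName,
                connectorId,
                connector,
                ConnectorId.createInformationSchemaConnectorId(connectorId),
                new InformationSchemaConnector(catalogName, nodeManager, metadata, accessControl, ImmutableList.of()),
                systemId,
                new SystemConnector(systemId, nodeManager, connector.getSystemTables(), transactionId -> transactionManager.getConnectorTransaction(transactionId, connectorId))));
        return connectorId;
    }
}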
