package io.trino.security;

import com.google.common.collect.ImmutableSet;
import com.google.inject.multibindings.OptionalBinder;
import io.trino.Session;
import io.trino.metadata.SystemSecurityMetadata;
import io.trino.spi.security.Identity;
import io.trino.testing.AbstractTestQueryFramework;
import io.trino.testing.DistributedQueryRunner;
import io.trino.testing.QueryRunner;
import io.trino.testing.TestingSession;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/trino/security/TestSystemSecurityMetadata.class */
public class TestSystemSecurityMetadata extends AbstractTestQueryFramework {
    private final TestingSystemSecurityMetadata securityMetadata = new TestingSystemSecurityMetadata();

    private void reset() {
        this.securityMetadata.reset();
    }

    protected QueryRunner createQueryRunner() throws Exception {
        return DistributedQueryRunner.builder(TestingSession.testSessionBuilder().setCatalog("blackhole").setSchema("default").build()).setAdditionalModule(binder -> {
            OptionalBinder.newOptionalBinder(binder, SystemSecurityMetadata.class).setBinding().toInstance(this.securityMetadata);
        }).setNodeCount(1).build();
    }

    @Test
    public void testNoSystemRoles() {
        reset();
        assertQueryReturnsEmptyResult("SHOW ROLES");
        assertQueryReturnsEmptyResult("SHOW CURRENT ROLES");
        assertQueryReturnsEmptyResult("SHOW ROLE GRANTS");
        assertQueryReturnsEmptyResult("SELECT * FROM system.information_schema.applicable_roles");
    }

    @Test
    public void testRoleCreationAndDeletion() {
        reset();
        assertQueryReturnsEmptyResult("SHOW ROLES");
        assertQuerySucceeds("CREATE ROLE role1");
        assertQuery("SHOW ROLES", "VALUES 'role1'");
        assertQuerySucceeds("DROP ROLE role1");
        assertQueryReturnsEmptyResult("SHOW ROLES");
    }

    @Test
    public void testRoleGrant() {
        reset();
        Session user = user("alice", new String[0]);
        Session user2 = user("alice", "role1");
        assertQuerySucceeds("CREATE ROLE role1");
        assertQueryFails(user, "SET ROLE role1", "Access Denied: Cannot set role role1");
        assertQuery(user, "SHOW ROLES", "VALUES 'role1'");
        assertQueryReturnsEmptyResult(user, "SHOW CURRENT ROLES");
        assertQueryReturnsEmptyResult(user, "SHOW ROLE GRANTS");
        assertQueryReturnsEmptyResult(user, "SELECT * FROM system.information_schema.applicable_roles");
        assertQueryFails(user2, "SHOW ROLES", "Access Denied: Cannot set role role1");
        assertQueryFails(user2, "SHOW CURRENT ROLES", "Access Denied: Cannot set role role1");
        assertQueryFails(user2, "SHOW ROLE GRANTS", "Access Denied: Cannot set role role1");
        assertQueryFails(user2, "SELECT * FROM system.information_schema.applicable_roles", "Access Denied: Cannot set role role1");
        assertQuerySucceeds("GRANT role1 TO USER alice");
        assertQuerySucceeds(user, "SET ROLE role1");
        assertQuery(user, "SHOW ROLES", "VALUES 'role1'");
        assertQuery(user, "SHOW CURRENT ROLES", "VALUES 'role1'");
        assertQuery(user, "SHOW ROLE GRANTS", "VALUES 'role1'");
        assertQuery(user, "SELECT * FROM system.information_schema.applicable_roles", "SELECT 'alice', 'USER', 'role1', 'NO'");
        assertQuery(user2, "SHOW ROLES", "VALUES 'role1'");
        assertQuery(user2, "SHOW CURRENT ROLES", "VALUES 'role1'");
        assertQuery(user2, "SHOW ROLE GRANTS", "VALUES 'role1'");
        assertQuery(user2, "SELECT * FROM system.information_schema.applicable_roles", "SELECT 'alice', 'USER', 'role1', 'NO'");
        assertQuerySucceeds("REVOKE role1 FROM USER alice");
        assertQuery(user, "SHOW ROLES", "VALUES 'role1'");
        assertQueryReturnsEmptyResult(user, "SHOW CURRENT ROLES");
        assertQueryReturnsEmptyResult(user, "SHOW ROLE GRANTS");
        assertQueryReturnsEmptyResult(user, "SELECT * FROM system.information_schema.applicable_roles");
        assertQueryFails(user2, "SHOW ROLES", "Access Denied: Cannot set role role1");
        assertQueryFails(user2, "SHOW CURRENT ROLES", "Access Denied: Cannot set role role1");
        assertQueryFails(user2, "SHOW ROLE GRANTS", "Access Denied: Cannot set role role1");
        assertQueryFails(user2, "SELECT * FROM system.information_schema.applicable_roles", "Access Denied: Cannot set role role1");
        assertQuerySucceeds("DROP ROLE role1");
    }

    @Test
    public void testTransitiveRoleGrant() {
        reset();
        Session user = user("alice", new String[0]);
        Session user2 = user("alice", "role2");
        assertQuerySucceeds("CREATE ROLE role1");
        assertQuerySucceeds("CREATE ROLE role2");
        assertQuerySucceeds("GRANT role1 TO USER alice");
        assertQueryFails(user2, "SHOW ROLES", "Access Denied: Cannot set role role2");
        assertQuerySucceeds("GRANT role2 TO ROLE role1");
        assertQuery(user, "SHOW ROLES", "VALUES 'role1', 'role2'");
        assertQuery(user, "SHOW CURRENT ROLES", "VALUES 'role1', 'role2'");
        assertQuery(user, "SHOW ROLE GRANTS", "VALUES 'role1'");
        assertQuery(user2, "SELECT * FROM system.information_schema.applicable_roles", "VALUES ('alice', 'USER', 'role1', 'NO'),('role1', 'ROLE', 'role2', 'NO')");
        assertQuerySucceeds("REVOKE role2 FROM ROLE role1");
        assertQueryFails(user2, "SHOW ROLES", "Access Denied: Cannot set role role2");
        assertQuerySucceeds("REVOKE role1 FROM USER alice");
        assertQuerySucceeds("DROP ROLE role1");
    }

    private static Session user(String str, String... strArr) {
        return TestingSession.testSessionBuilder().setIdentity(Identity.forUser(str).withEnabledRoles(ImmutableSet.copyOf(strArr)).build()).build();
    }
}
